Volumetric attacks drove the birth and growth of cloud-based DDoS mitigation service providers. Recent research built around the CloudPiercer tool has uncovered a major flaw in how these services are deployed in practice. The paper linked here exposes critical weaknesses in the mechanism that cloud-based DDoS mitigation depends on, as well as weaknesses in how the vendors in the space address them.
Cloud-based security providers base their value on three key points:
1. Attacks are blocked closer to their source by a globally distributed network of mitigation nodes.
2. That distributed network has aggregate network capacity that an individual data center under attack does not have.
3. Traffic is redirected to the provider's scrubbing centers (typically by pointing the customer's DNS at the provider) before it reaches the customer's real data center, and attackers cannot learn the real IP address of the customer's origin. Even if the origin IP is discovered, the origin can block traffic from every address other than the provider's own, but that depends on the customer actually configuring it. In essence, this part of the solution rests on security through obscurity.
The CloudPiercer research targets exactly the holes in point 3 above: it performs a large-scale analysis of how often the origin of a cloud-protected site can be exposed. The extent of origin exposure it finds, and the attacks that exposure enables (an attacker who knows the origin IP can send volumetric traffic straight at it, bypassing the scrubbing network entirely), show that cloud-based service providers alone do not adequately address DDoS mitigation.
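The two halves of point 3, checking whether published DNS records still leak the origin (one of the exposure vectors the CloudPiercer work examines) and enforcing a provider-only source filter at the origin, can be expressed as a small audit. The code below is an added example and is not the CloudPiercer tool or any provider's code; the provider address ranges and the DNS zone are constructed from RFC 5737 / RFC 3849 documentation addresses and stand in for a hypothetical provider and customer.

```python
"""Origin-exposure audit and origin-side source filtering (added example).

Check 1: does any record in the customer's zone point at an address outside
         the mitigation provider's ranges?  Such a record tells an attacker
         where the origin really is.
Check 2: does the origin accept a connection from a given source address?
         Only the provider's scrubbing nodes should be allowed through.

All addresses are constructed documentation ranges, not a real provider's.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical provider address space (stand-ins, not a real provider's).
PROVIDER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed zone: apex and www are proxied, but the mail host, a forgotten
# development hostname and the SPF record all still name the origin.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("example.com.",      "A",    "198.51.100.17"),
    ("www.example.com.",  "A",    "198.51.100.17"),
    ("example.com.",      "AAAA", "2001:db8:1::17"),
    ("example.com.",      "MX",   "mail.example.com."),
    ("mail.example.com.", "A",    "203.0.113.8"),
    ("dev.example.com.",  "A",    "203.0.113.8"),
    ("example.com.",      "TXT",  "v=spf1 ip4:203.0.113.8 -all"),
]


def behind_provider(cidr: str, ranges=PROVIDER_RANGES) -> bool:
    """True if the address or prefix lies entirely inside the provider's ranges.
    A bare address is treated as a /32 or /128 network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in ranges)


def find_exposed_records(records, ranges=PROVIDER_RANGES):
    """Return (name, kind, address) for every record that reveals an address
    outside the provider's ranges.  MX targets are resolved against the zone
    itself; SPF ip4:/ip6: tokens are checked as prefixes."""
    addr_records: Dict[str, List[str]] = {}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr_records.setdefault(name, []).append(value)

    exposed = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            if not behind_provider(value, ranges):
                exposed.append((name, rtype, value))
        elif rtype == "MX":
            # A mail host whose A record is not in this zone cannot be judged here.
            for addr in addr_records.get(value, []):
                if not behind_provider(addr, ranges):
                    exposed.append((name, "MX->" + value, addr))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            for token in value.split():
                if token.startswith(("ip4:", "ip6:")):
                    prefix = token.split(":", 1)[1]
                    if not behind_provider(prefix, ranges):
                        exposed.append((name, "SPF", prefix))
    return exposed


def origin_accepts(src_ip: str, ranges=PROVIDER_RANGES) -> bool:
    """Origin-side rule: accept only traffic whose source is a provider node.
    In production this is a firewall allowlist in front of the origin, not
    application code; the function shows the decision, nothing more."""
    return behind_provider(src_ip, ranges)


if __name__ == "__main__":
    for name, kind, addr in find_exposed_records(SAMPLE_RECORDS):
        print(f"EXPOSED {name:<20} {kind:<24} {addr}")
    for src in ("198.51.100.3", "203.0.113.77"):
        print(f"origin accepts {src}: {origin_accepts(src)}")
```

Two things fall out of running this on the constructed zone. First, a single leaked address is enough: the development hostname, the mail host and the SPF record all name the same origin, so an attacker needs only one of them. Second, the MX case has no proxy fix, since mail must be delivered directly to a mail server; the practical remedy is to host mail on an address that is not the web origin, and to put the allowlist in `origin_accepts` in front of the origin so that a leaked address cannot be attacked directly.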
Customer-premises DDoS mitigation solutions that can handle large attacks are now available, and it is time customers treated on-premises hardware as the first line of defense for this complex problem. For any large-scale attack a hybrid approach is a must: on-premises equipment that filters traffic regardless of whether the origin has been exposed, backed by cloud scrubbing capacity for floods that exceed the local uplink. Customers that do not expect a very large attack may find a customer premises equipment (CPE) solution sufficient, or at least the right first step. For those who primarily foresee application-layer attacks, a CPE solution may be the only option that works.