nanog mailing list archives

Re: Pros and Cons of Cloud Computing in dealing with DDoS


From: Roland Dobbins <rdobbins () arbor net>
Date: Fri, 6 Nov 2009 04:35:20 +0700


On Nov 6, 2009, at 2:11 AM, Stefan Fouant wrote:

> Obviously the cloud is no different than any other infrastructure insofar as implementing protection mechanisms. Ample bandwidth (typically more so than in the enterprise) should make it easier to absorb larger amounts of the bad stuff.

Actually, no - the miscreants are always going to have more bandwidth at their disposal, plus they utilize attack vectors which provide a great deal of amplification (including at layer-7) which make bandwidth largely irrelevant.

> why they think DDoS is the single biggest threat to the cloud computing model,

Availability is the one thing which *must* be guaranteed at all costs in order for the cloud model to work, and by definition, most cloud infrastructure isn't going to be within the span of control of the end-customer. Look at all the apps/services we all use and depend upon every day - Webmail, IM, various Web 2.0ish AJAXy things, Skype, SIP, et al. When these things are DDoSed either deliberately or inadvertently, directly or indirectly (i.e., zorching authoritative DNS a la Baofeng), lots and lots of folks end up getting hosed.

Now, expand this to your back-end line-of-business apps, your IP PBXes, your customer databases, your ERP software, your CAD/CAM system, your basic file/print services, and the picture becomes much clearer.

The movement towards 'cloud' - starting with things like VPS and VPDC and SaaS for specific applications - largely consists of end-customer organizations jettisoning their internal data centers/WAN links/ops staff and subscribing to these apps/services on a recurring basis, with said apps/services either residing within a public-facing IDC or in a multitenanted IDC made available to the end-customer via an MPLS NGN. It entails shutting down locally-/internally-owned-and-operated DCs and moving into

> again this is counter to a lot of evidence which points to the corollary

Which evidence is that?  [You meant 'contrary', yes?]

> - think DNS Root Servers and you'll have an idea what I'm talking about...

There's a heck of a lot of engineering which has gone into protecting the roots - I'm sure you'll recall the high-visibility DDoS attacks which affected multiple roots in the past. The root operators learned from that experience and took proactive measures to ensure that they can continue to maintain availability in the face of constant onslaughts.

The bottom line is that it's easy to achieve perfect confidentiality and integrity if availability is lacking, heh. All three legs of the classical information security triad are of import, but it's always been my view that availability is the first among equals, which translates into the need for robust, scalable architecture and the willingness to devote time and resources to the operational security art.

Paul's comment about botnets being 'cloud' services is dead-on; and of course, miscreants using stolen credit-cards to purchase IaaS for spamming/phishing purposes has already been seen in the wild, just as they do so with their nonsense domains for botnet C&C. IaaS abused to launch DDoS won't be far behind.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

Sorry, sometimes I mistake your existential crises for technical
insights.

                        -- xkcd #625
