Can Cloud Defend Against DDoS Attacks?
If you've been thinking about moving your applications into the cloud but weren't sure how to best justify the investment, you can probably thank the North Koreans for helping to write your business case.
The distributed denial of service (DDoS) attacks - allegedly instigated by North Korea or its backers - that disrupted service for many federal agencies this month were successful because most of these agencies still publish web content on small, easily-saturated network links. Take a look at the two federal offices that were able to sustain the attack for the duration without loss of service - the websites for the White House and the Defense Department. It's no mystery that the White House site sits on servers hosted by Akamai, a distributed content delivery network that provides geo-centric services for content delivery. This means that a person accessing whitehouse.gov from San Francisco will talk to different servers than someone in Washington. The Akamai content network effectively load balances traffic, and this design was likely a key reason the White House wasn't affected by the attacks.
While the definition of cloud computing is still under development, I consider Akamai to be truly one of the original architects of the cloud computing model (although you won't find their site emblazoned with cloud computing marketing 'hype').
The capability that helped the White House fend off these attacks is closely related to another networking concept -- Anycast networking. Anycast is a concept that allows the same content to be served from different physical and geographic locations. This is at the heart of the denial of service problem. When an attacker directs an army of rogue computers at a target website, the hosts are in different locations, but their collective traffic is aggregated to overwhelm the target. However, if each bot in this group talks to a different server depending on its physical location, then you can reduce the overall effectiveness of the mob. This is an effective divide-and-conquer strategy that can help address the problem of DDoS attacks.
Similarly, cloud computing services, such as Google's App Engine and Amazon's Elastic Compute Cloud, or EC2, provide flexible hosting resources that can grow to accommodate a surge in demand. Imagine if the agencies that were affected by the attacks had been sitting in the cloud when the malicious traffic started rolling in. The ability to disrupt agency websites becomes a function of how much capacity Google and Amazon have to support the requests. These providers likely have plenty of bandwidth to sustain the attack and provide service with little to no service disruption.
There are plenty of technical options available to help agencies move to platforms that are resilient against blunt-force style attacks like DDoS. DDoS has been around for a while, and will continue to be used against federal IT systems until they are no longer effective. Cloud computing platforms may be one approach to consider.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.
Other blogs from Fiterman:
