DDoS Protection in the Cloud

According to a recent global survey of security professionals, DDoS is the most common form of attack on the web today. As the frequency, size, and severity of attacks have risen, vendors have responded by offering a wide variety of DDoS protection solutions.

The top-tier CSPs (cloud service providers) offer their own tools and services for this purpose:

  • AWS Shield
  • Azure DDoS Protection
  • Google Cloud Armor

These services offer various DDoS protection strategies, essential features, and multi/hybrid cloud protection capabilities.

In this article, we’ll examine these native security tools and services, and we’ll compare their capabilities, their relative strengths, and their limitations. We’ll conclude with a discussion of how to achieve effective DDoS protection for cloud, multicloud, and hybrid workloads.

AWS Shield

AWS Shield is available in two different tiers of DDoS protection: Standard and Advanced. 

  • AWS Shield Standard is the default DDoS protection for AWS workloads, defending them against common network-layer (layer 3) and transport-layer (layer 4) attacks. 
  • AWS Shield Advanced is a premium service that offers stronger protection and better visibility against volumetric bots, vulnerability exploitation, and DDoS attacks such as UDP reflection attacks, TCP SYN floods, DNS query floods, HTTP floods, and cache-busting attacks.

The Advanced tier integrates with AWS WAF, using web ACLs and rules to protect resources such as Amazon CloudFront distributions, Application Load Balancers, and Amazon API Gateway REST APIs from DDoS attacks. You can automate protection for newly created AWS resources by placing them in protection groups defined by criteria such as resource type, and you can enable automatic application layer mitigation so that layer 7 attacks against a CloudFront distribution are countered with AWS WAF rules that block the attack requests. Shield Advanced also supports health-based detection and protection for layer 3, 4, and 7 endpoints monitored by Route 53 health checks: a failing health check or a deviation from the endpoint's normal traffic pattern can trigger alerts and mitigation. 

AWS Shield Advanced customers who also subscribe to a Business or Enterprise Support plan get access to the AWS Shield Response Team (SRT) in the event of a DDoS attack. SRT can assist with the development of custom mitigations against network-layer attacks and help align your infrastructure with AWS recommended best practices for DDoS resiliency. 

Drawbacks and Limitations

Customers can use AWS Firewall Manager to deploy AWS WAF web ACLs and automatically apply Shield Advanced protection to new resources across accounts. Centralized monitoring and reporting, on the other hand, require integrating Firewall Manager with AWS Security Hub or Amazon Simple Notification Service (SNS), which adds operational overhead, especially in larger enterprise environments. Additionally, AWS Shield Advanced protects up to 1,000 resources per account by default; protecting more requires a quota increase request. 

Apart from traffic that enters AWS through Amazon CloudFront or Route 53, AWS Shield cannot protect resources hosted outside AWS, which is a challenge for organizations with multi/hybrid cloud deployments. AWS Shield also lacks advanced self-learning capabilities based on machine learning/AI; its comparatively basic approach, built on traditional honeypot mechanisms, may not suffice against advanced DDoS attacks. Capabilities like device analytics, user and behavioral analytics, and device fingerprinting are likewise not currently available in AWS Shield to address evolving DDoS attack vectors. 

Also, customers who need mobile and API security have to combine Shield with services like Amplify, Lambda, and API Gateway, which adds to the complexity of the solution. As a proprietary AWS service, Shield also increases the risk of vendor lock-in, since it offers minimal to no hybrid/multi-cloud protection capabilities.

Fee Structure

Unlike most AWS services, AWS Shield Advanced does not follow a pay-as-you-go model. Instead, it requires a one-year commitment at a monthly fee of $3,000, which may not be affordable for all organizations. This is in addition to the usage and data transfer charges of the protected services themselves, such as Amazon CloudFront, EC2, and any load balancers integrated with Shield. 

There is also no trial period available for customers to evaluate the product. 

Azure DDoS Protection

Although Azure WAF includes some basic DDoS protection capabilities, it’s recommended that Azure WAF users take advantage of Microsoft’s separate service, Azure DDoS Protection. There are two tiers available: DDoS Protection Basic and Standard. 

DDoS Protection Basic is available for all Azure services exposed to the internet through a public IP address or as PaaS services, with no additional configuration required by the user. Basic protection is enabled per Azure region rather than per resource; it is a best-effort service that monitors traffic patterns to detect and mitigate DDoS attacks. It integrates well with Microsoft Defender for Cloud.

DDoS Protection Standard provides enhanced protection for Azure resources through features like intelligent traffic profiling and adaptive tuning. Combined with a web application firewall, the Standard tier gives multi-layer protection: against volumetric and protocol attacks that target layers 3 and 4, and against application attacks at layer 7. Customers create protection plans scoped at the subscription, management group, or resource group level, and DDoS policies are auto-tuned against the traffic of the protected resources to defend against common DDoS attack patterns. The service also applies machine learning to traffic patterns to optimize protection. 

DDoS Standard can provide out-of-the-box protection from over 60 types of attacks, with identified attacks automatically mitigated. Plus, it can integrate with services like Azure Monitor, Azure Sentinel, and other third-party tools for logging, reporting, alerts, and diagnostics. Logged data is retained for 30 days.

Support from Azure’s DDoS Rapid Response team is available for DDoS Protection Standard customers to investigate and analyze DDoS attacks.

Drawbacks and Limitations

Comprehensive real-time reporting and analysis require integrating and configuring additional services like Azure Sentinel, which adds to the cost of the solution. The Standard tier can only protect Azure resources attached to a Virtual Network and is therefore a poor fit for hybrid/multi-cloud deployments. Customers have to depend on additional tools for capabilities like bot management, API security, and behavioral analysis.

Fee Structure

DDoS Protection Standard follows a monthly pricing model of $2,944/month for 100 resources. Any additional resource to be protected will incur an average monthly charge of $29.50 per resource, making it costly for enterprises with a large resource footprint.

Google Cloud Armor 

Google Cloud Armor protects workloads deployed on GCP from threats like cross-site scripting, SQL injection, and DDoS attacks. The service implements the same technology used to protect popular services like Google Search, Gmail, and YouTube from large-scale DDoS attacks at layers 3, 4, and 7. 

Cloud Armor is available in two service tiers: Standard and Managed Protection Plus.

Standard provides basic DDoS protection capabilities and access to WAF capabilities. Predefined rules are available in Cloud Armor to mitigate OWASP Top 10 vulnerabilities, while customers can also tailor protection for workloads by configuring Cloud Armor security policies. You can evaluate the impact of a given rule in active traffic via the Preview mode before enforcing it in production.

Managed Protection Plus provides additional features like rule configuration based on third-party IP address lists, Adaptive Protection, and support from Google's DDoS response team in the event of an attack. Adaptive Protection uses machine learning to help mitigate layer 7 attacks like HTTP floods: it learns a baseline of normal traffic to each backend service, flags deviations from that baseline as potential attacks, and derives a threat signature from the anomalous requests. Suggested WAF rules built from that signature can then be deployed to block the attack. 
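The baseline-then-signature approach that Adaptive Protection (and Azure's adaptive tuning) applies is easy to misread as magic, so here is a simplified, self-contained version of it. This is an added example written for this article, not code from the page or from any cloud provider's product. It assumes one-minute traffic buckets, a fixed ten-minute warm-up period as the "learned" baseline, and constructed request tuples generated inside the block rather than real logs; the IP ranges, paths, user agents, and thresholds are all assumptions chosen for the illustration.

```python
# Added example, not code from the page or from any cloud provider's product.
# It mimics, in simplified form, how adaptive layer 7 protection works:
# learn a traffic baseline, flag minutes that deviate from it, then derive
# a signature of the anomalous requests that a WAF rule could block.
# Assumptions: one-minute buckets, a fixed 10-minute warm-up baseline, and
# the constructed traffic generated below (no real logs).
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev


def build_sample(seed=7):
    """Constructed traffic as (minute, src_ip, path, user_agent) tuples.
    Minutes 0-9 are normal browsing; minutes 10-12 add an HTTP flood on /search
    from rotating addresses in 198.51.100.0/24 sharing one automation user agent."""
    rng = random.Random(seed)
    paths = ["/", "/login", "/search", "/static/app.js"]
    agents = ["Mozilla/5.0 Firefox", "Mozilla/5.0 Chrome"]
    events = []
    for minute in range(13):
        for _ in range(50 + rng.randint(-5, 5)):
            events.append((minute, f"203.0.113.{rng.randint(1, 40)}",
                           rng.choice(paths), rng.choice(agents)))
        if 10 <= minute <= 12:
            for _ in range(400):
                events.append((minute, f"198.51.100.{rng.randint(1, 254)}",
                               "/search", "python-requests/2.31"))
    return events


def per_minute_counts(events):
    """Requests per minute, as a list indexed by minute."""
    counts = defaultdict(int)
    for minute, *_ in events:
        counts[minute] += 1
    return [counts[m] for m in range(max(counts) + 1)]


def detect_anomalies(series, warmup=10, sigma=3.0):
    """Return (flagged minutes, threshold). The warm-up minutes form the baseline;
    later minutes are flagged when they exceed mean + sigma * stddev of it."""
    base = series[:warmup]
    threshold = mean(base) + sigma * (pstdev(base) or 1.0)
    flagged = [m for m, n in enumerate(series) if m >= warmup and n > threshold]
    return flagged, threshold


def build_signature(events, flagged, min_share=0.5):
    """Derive a signature from the flagged minutes: for each attribute, take the
    most common value and keep it only if it dominates the anomalous window and
    is far more common there than in baseline traffic."""
    flagged = set(flagged)
    baseline = [e for e in events if e[0] not in flagged]
    attack = [e for e in events if e[0] in flagged]
    signature = {}
    for name, idx in (("path", 2), ("user_agent", 3)):
        value, count = Counter(e[idx] for e in attack).most_common(1)[0]
        attack_share = count / len(attack)
        base_share = sum(1 for e in baseline if e[idx] == value) / max(len(baseline), 1)
        if attack_share >= min_share and attack_share > 2 * base_share:
            signature[name] = value
    return signature


def evaluate_rule(events, signature, flagged):
    """How a block rule built from the signature would behave: requests matched in
    the anomalous window versus requests matched in baseline minutes (collateral)."""
    if not signature:
        return 0, 0
    flagged = set(flagged)
    idx = {"path": 2, "user_agent": 3}

    def matches(e):
        return all(e[idx[k]] == v for k, v in signature.items())

    matched_window = sum(1 for e in events if e[0] in flagged and matches(e))
    matched_baseline = sum(1 for e in events if e[0] not in flagged and matches(e))
    return matched_window, matched_baseline


if __name__ == "__main__":
    sample = build_sample()
    flagged, threshold = detect_anomalies(per_minute_counts(sample))
    sig = build_signature(sample, flagged)
    print(f"threshold={threshold:.1f} flagged={flagged} signature={sig}")
    print("matched (window, baseline):", evaluate_rule(sample, sig, flagged))
```

The check in evaluate_rule is the part worth copying: before deploying any auto-generated rule, replay it against baseline traffic and confirm it matches little or nothing there, which is exactly what Cloud Armor's preview mode is for. A signature that matched only the path would also block real users of /search; requiring both attributes keeps the collateral at zero in this sample.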

For centralized visibility, the discovered threats are reported as findings in the Security Command Center and the Adaptive Protection dashboard. The service also integrates with monitoring and logging to provide visibility into the attacks on a per-request basis, depending on the security policies and rules configured.

Cloud Armor can be integrated with Google Cloud load balancing services, serverless apps (Cloud Run/App Engine/Cloud Functions deployed behind load balancers), Cloud CDN, GKE, and Identity-Aware Proxy. The rate-limiting feature of Cloud Armor can also protect applications from erratic spikes of requests coming from a specific user that degrade performance for other users.

Drawbacks and Limitations

Cloud Armor can extend layer 7 DDoS protection beyond Google Cloud to hybrid and multi-cloud deployments whose traffic is routed through Google Cloud load balancing. However, the advanced protection capabilities are restricted to the Managed Protection Plus tier, which may not be affordable for all customers. It also lacks some key capabilities like API protection, a much-needed feature in modern services-based architectures. 

Fee Structure

The Cloud Armor Standard tier is a pay-as-you-go service. Managed Protection Plus uses a monthly subscription model that costs $3,000/month for the first 100 resources and $30/resource thereafter.

Why You Should Consider Advanced DDoS Protection

We’ve previously discussed the native CSP security tools, and we saw that although they provide some useful capabilities, they are not enough for complete web security. This is also true for DDoS protection specifically.

Inflexibility and Cloud Lock-In

A growing number of organizations use hybrid/multi-cloud architectures, and the CSPs’ native DDoS protection tools are not designed to fully support them. (Arguably, the opposite is true. The CSPs provide native tools for the purpose of encouraging and increasing the exclusive usage of their platforms alone.)

Limited Capabilities

The native security tools tend to rely on basic rate limiting and similar techniques, which work well against simple DDoS but cannot defeat more sophisticated attacks. For example, some attackers have adopted "yo-yo attacks", in which traffic is pulsed on and off so that the target's autoscaling repeatedly scales out and back in; the aim is to inflate the victim's cloud bill rather than to take the service down. Others rotate source IPs, ASNs, user agents, and so on, so that no single key ever exceeds a per-key rate limit.
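To make the rate-limit evasion concrete, the following is an added example written for this article (not code from the page or from any vendor). It runs a sliding-window limiter keyed per source IP against constructed one-minute traffic in which one attacker spreads a flood over 250 addresses, then runs the same traffic with an additional limit keyed on a request fingerprint (path plus user agent). The addresses, limits, and request mix are assumptions chosen for the illustration.

```python
# Added example, not code from the page or from any vendor: a per-IP sliding-window
# rate limiter run against constructed traffic in which one attacker spreads a flood
# across many source addresses, then the same traffic with a second limit keyed on a
# request fingerprint (path + user agent). All addresses, limits and request mixes
# below are assumptions chosen for the illustration.
import random
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_traffic(seed=3, attacker_ips=250, attacker_requests=3000, legit_users=20):
    """Constructed one-minute sample of (t, src_ip, path, user_agent, is_attack).
    The attacker rotates through `attacker_ips` addresses, so each address sends
    only attacker_requests / attacker_ips requests; each legit user sends 30."""
    rng = random.Random(seed)
    paths = ["/", "/login", "/search", "/static/app.js"]
    agents = ["Mozilla/5.0 Firefox", "Mozilla/5.0 Chrome"]
    events = []
    for i in range(attacker_requests):
        events.append((i * 60.0 / attacker_requests, f"198.51.100.{1 + i % attacker_ips}",
                       "/search", "python-requests/2.31", True))
    for u in range(legit_users):
        for _ in range(30):
            events.append((rng.uniform(0.0, 60.0), f"203.0.113.{u + 1}",
                           rng.choice(paths), rng.choice(agents), False))
    return sorted(events)


def simulate(events, per_ip_limit=100, fingerprint_limit=300, window=60.0):
    """Run the traffic through (a) a per-IP limit only and (b) a per-IP limit plus a
    limit keyed on (path, user_agent). Returns how many attacker requests got
    through and how many legitimate requests were blocked under each scheme."""
    per_ip_a = SlidingWindowLimiter(per_ip_limit, window)
    per_ip_b = SlidingWindowLimiter(per_ip_limit, window)
    per_fp_b = SlidingWindowLimiter(fingerprint_limit, window)
    result = {"per_ip": {"attacker_allowed": 0, "legit_blocked": 0},
              "per_ip_plus_fingerprint": {"attacker_allowed": 0, "legit_blocked": 0}}
    for t, ip, path, agent, is_attack in events:
        decisions = {"per_ip": per_ip_a.allow(ip, t),
                     "per_ip_plus_fingerprint":
                         per_ip_b.allow(ip, t) and per_fp_b.allow((path, agent), t)}
        for scheme, allowed in decisions.items():
            if is_attack and allowed:
                result[scheme]["attacker_allowed"] += 1
            if not is_attack and not allowed:
                result[scheme]["legit_blocked"] += 1
    return result


if __name__ == "__main__":
    for scheme, counts in simulate(build_traffic()).items():
        print(scheme, counts)
```

Under the per-IP limit alone, every one of the 3,000 flood requests gets through, because each rotated address sends only 12 requests a minute. Keying a second limit on the request fingerprint cuts the flood to the first 300 requests without touching legitimate users, but this is only a partial answer: an attacker who also rotates user agents and paths, as the text describes, splits the fingerprint key the same way, which is why behavioral baselining and bot detection have to sit on top of rate limiting rather than replace it.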

Cost

We’ve seen that the advanced tiers of DDoS protection services use costlier monthly subscription models.

Achieving Effective DDoS Protection in the Cloud

Comprehensive protection for cloud workloads requires a specialized security solution like Reblaze, which includes autoscaling multi-layer DDoS mitigation. Like the native CSP tools, Reblaze is fully integrated with (and runs natively on) each of the top-tier cloud platforms. Unlike the native tools, Reblaze also fully supports hybrid and multicloud architectures. 

Reblaze is a unified, all-in-one web security platform; along with DDoS protection, it also includes a next-gen WAF, advanced bot management, precise ACL, API security, real time reporting, full traffic transparency, ATO prevention, and more. The platform is fully managed, always up-to-date, and includes continual machine learning for accurate, adaptive threat recognition. Reblaze deploys in minutes, and runs on your clouds of choice. For more information or to get a demo, contact us here.
