
Securing modern infrastructure from DDoS-like attacks

Attacks like DDoS are inevitable on the internet.

"If you build it, they will come".

Although this was said with customers in mind, in today's digital world any service or product exposed on the internet attracts as many unwanted visitors as actual customers, and sometimes more.


Enabling DDoS Security


The only way out is to limit the reach and impact of such attacks by securing the infrastructure layers well enough to absorb an attack and keep the business running.


Security incidents are most often thought of as data being compromised or stolen. That may be the attacker's ultimate goal, but an attack like DDoS can take the entire business down for days without anyone ever entering your premises.

"A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic." - Cloudflare. 

One such incident happened in one of my early projects (pre-cloud era), where an internet-facing Apache proxy server became so busy dropping the malicious requests that it forgot it had to serve five other backend app servers.

As a result, customers were unable to access the services for a week. The attack was so severe that we had to blacklist the public IP address allocated to that proxy server, as it got red-flagged by the Govt. IT and Cyber Security cell.


Finally we had to set up an intrusion detection and prevention (IDS/IPS) system in front of a new public proxy server so that the attacks are dropped at the IDS/IPS level and our service endpoint is secure.


This was in the pre-cloud era, and the systems were all on premises with restricted access; even then the attack could not be prevented. So imagine how much more threat modern cloud infrastructure faces on today's internet, where attacks have evolved and matured.


Designing modern infrastructure for software is like building your home. You must identify the privacy layers in the network and who needs access to what. Access to the infrastructure must go through a single secure entrypoint.

So how do you do it ?


Make sure the device where requests land first is secure. It must be a single trusted endpoint that provides IP segregation (the origin servers' own addresses are never exposed directly), DNS-based backend mapping, a WAF with rules covering the OWASP Top 10 categories, and DDoS protection. Services such as Cloudflare and Akamai provide this. They also come with a CDN, which keeps your public endpoint stable while you repoint it to wherever your backend lives, and helps with static asset migrations.


Configure certificate management for TLS certificate issuance, renewal and termination (offloading) at the entrypoint. Use mutual TLS with any third-party application endpoint so that both sides authenticate with certificates rather than trusting the network between them; this is the basis of a zero-trust policy toward third parties.


Always apply network policies based on whitelisting (allowlisting): deny all traffic by default and allow only the source CIDRs, ports and protocols that are actually required. Never allow a policy for any to any.


Some cloud providers add external IP sources to the network policies or security groups of the services they manage, for monitoring, management or security scanning.


Make sure every whitelisted source is one you can vouch for: for example the address ranges of a cloud-managed database service, a managed Kubernetes control plane, or a security centre. Confirm these ranges against the provider's published IP range documentation, or with the provider directly, before leaving them in the allowlist.
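The deny-by-default rule and the trusted-source check above lend themselves to automation. The following is an added example written for this page, not the article's own tooling or any cloud provider's API: a small linter over ingress rules in a constructed shape (source CIDR, protocol, port range), with constructed trusted ranges standing in for the IP lists your provider publishes. It flags any-to-any rules, rules open to the whole internet on specific ports, and restricted sources that no trusted range covers.

```python
"""Lint ingress rules for the two problems discussed above: any-to-any
(or internet-wide) rules, and allowlisted sources nobody has vouched for.

Added example, not code from the original article. The rule shape, the
trusted ranges and the sample rules are constructed for illustration;
the real trusted ranges come from your provider's published IP lists.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for ranges you have confirmed with the provider
# (edge egress, managed-database monitoring, cluster control plane, VPN).
TRUSTED_SOURCES = {
    "edge-provider": ["203.0.113.0/24"],
    "managed-db-monitoring": ["198.51.100.0/26"],
    "k8s-control-plane": ["2001:db8:10::/48"],
    "office-vpn": ["192.0.2.10/32"],
}
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    source_cidr: str
    protocol: str  # "tcp", "udp" or "any"
    from_port: int
    to_port: int


def trusted_owner(src, trusted=TRUSTED_SOURCES):
    """Label of the trusted range that fully contains src, or None."""
    for owner, cidrs in trusted.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
            if net.version == src.version and src.subnet_of(net):
                return owner
    return None


def classify(rule, trusted=TRUSTED_SOURCES):
    """Return None for a rule that passes, or one of:
    "any-to-any"       every source, every port (or every protocol)
    "internet-open"    every source, but limited to specific ports
    "untrusted-source" a restricted source that no trusted range covers
    """
    src = ipaddress.ip_network(rule.source_cidr, strict=False)
    if src.prefixlen == 0:  # 0.0.0.0/0 or ::/0
        if rule.protocol == "any" or (rule.from_port, rule.to_port) == ALL_PORTS:
            return "any-to-any"
        return "internet-open"
    if trusted_owner(src, trusted) is None:
        return "untrusted-source"
    return None


def lint(rules, trusted=TRUSTED_SOURCES):
    """Map each failing rule's name to its finding; an empty dict is a clean set."""
    findings = {}
    for rule in rules:
        finding = classify(rule, trusted)
        if finding:
            findings[rule.name] = finding
    return findings


# Constructed sample rule set mixing legitimate and faulty entries.
SAMPLE_RULES = [
    Rule("edge-https", "203.0.113.0/24", "tcp", 443, 443),
    Rule("db-healthcheck", "198.51.100.16/28", "tcp", 5432, 5432),
    Rule("cp-to-nodes", "2001:db8:10:7::/64", "tcp", 10250, 10250),
    Rule("legacy-any", "0.0.0.0/0", "any", 0, 65535),
    Rule("public-https", "0.0.0.0/0", "tcp", 443, 443),
    Rule("mystery-ssh", "192.0.2.200/32", "tcp", 22, 22),
]

if __name__ == "__main__":
    for name, finding in lint(SAMPLE_RULES).items():
        print(f"{name}: {finding}")
```

Running it over the sample set reports three findings: legacy-any (any-to-any), public-https (internet-open) and mystery-ssh (untrusted-source). The first two rules pass because their sources fall inside ranges already confirmed with the provider; "internet-open" on 443 is deliberately still a finding, since in this design the only thing that should be open to the internet is the edge provider, not the origin.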


How to mitigate DDoS Attacks:


Secure Entrypoint:

The best protection against an attack like DDoS is to stop the flood before it consumes your own network's bandwidth and your servers' capacity rejecting unauthorised requests. That needs an endpoint in front of your network that separates malicious traffic from genuine traffic. Services such as Cloudflare, Akamai and AWS Shield are built with this kind of DDoS protection, so use a secure entrypoint rather than exposing services directly on a load balancer or, worse, on bare public IPs. One caveat: the edge only helps if attackers cannot reach the origin directly, so the origin should accept traffic only from the edge provider's published address ranges.
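As an added example (not from the original article or from any vendor's SDK), here is the origin-side half of that arrangement in Python: the origin accepts a connection only if the TCP peer is one of the edge provider's egress addresses, and only then reads the client address the edge reports in a header and applies a per-client rate limit to it. EDGE_RANGES, the header name and the traffic in demo() are constructed placeholders; substitute the ranges and header your provider documents.

```python
"""Origin-side gate for a service fronted by a DDoS-filtering edge.

Added example, not code from the original article or from any vendor.
EDGE_RANGES and CLIENT_IP_HEADER are constructed placeholders: use the
egress ranges and client-address header your edge provider documents.
"""
import ipaddress

# Constructed placeholders for the edge provider's published egress ranges.
EDGE_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:ed9e::/48")]
# Assumed name of the header in which the edge reports the real client address.
CLIENT_IP_HEADER = "x-edge-client-ip"


def from_edge(peer_ip):
    """True when the TCP peer is one of the edge's egress addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net for net in EDGE_RANGES)


class PerClientLimiter:
    """Fixed-window request counter keyed by client address.

    Applied only after the peer is confirmed to be the edge, so the key
    comes from a header the attacker could not have set themselves."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.counts = {}  # client -> (window start, requests seen in window)

    def allow(self, client, now):
        start, count = self.counts.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired: start a fresh one
        count += 1
        self.counts[client] = (start, count)
        return count <= self.limit


class OriginGate:
    def __init__(self, limit=5, window_seconds=60):
        self.limiter = PerClientLimiter(limit, window_seconds)

    def decide(self, peer_ip, headers, now):
        """Return (decision, client_ip).

        "reject-not-edge":   the peer reached the origin IP directly, bypassing
                             the filter; its headers are never consulted.
        "reject-bad-header": the edge header is missing or not an IP address.
        "throttled"/"accept": per-client limit applied to the real client.
        """
        if not from_edge(peer_ip):
            return ("reject-not-edge", peer_ip)
        raw = headers.get(CLIENT_IP_HEADER, "")  # assumes lower-cased header names
        try:
            client = str(ipaddress.ip_address(raw.strip()))
        except ValueError:
            return ("reject-bad-header", peer_ip)
        if not self.limiter.allow(client, now):
            return ("throttled", client)
        return ("accept", client)


def demo():
    """Constructed traffic: one direct hit on the origin, then a burst via the edge."""
    gate = OriginGate(limit=3, window_seconds=60)
    results = [gate.decide("198.51.100.23", {CLIENT_IP_HEADER: "198.51.100.23"}, now=0.0)[0]]
    for t in range(5):
        results.append(gate.decide("203.0.113.7", {CLIENT_IP_HEADER: "198.51.100.23"}, now=float(t))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: reading the client header before confirming the peer is the edge would let anyone who discovers the origin IP spoof an arbitrary client address and defeat the per-client limit. In the demo the direct hit is rejected outright, the first three requests through the edge are accepted, and the fourth and fifth from the same client are throttled.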


TLS (SSL) Encryption:

Automate TLS certificate issuance, renewal and termination at the entrypoint. Require mutual TLS with third-party application endpoints so that both sides authenticate with certificates.


Network Policies:

Network policies based on whitelisting: deny all by default, with port- and protocol-level filters. Do not allow any to any. Enforce system-to-system access with firewall rules or network policies.


Cloud Provider Sources:

Cloud providers sometimes add their own external IP sources to the network policies or security groups of managed services (databases, Kubernetes, security centres) for monitoring, management or scanning. Validate each such source against the provider's published ranges before keeping it in the allowlist.


My first encounter with DDoS happened 12 years ago. The on-prem web server became so busy rejecting the invalid requests that it didn't have the bandwidth to process the real ones. Business was down for days. It was the pre-cloud era, pre-XaaS era, so we didn't have many options left. These steps are the lessons learnt over the years in solving the attack factors from on-prem to modern-day cloud infrastructure. I hope these help in building a more secure infrastructure for your cloud business.


If you like this article, I am sure you will find the 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns & best practices into a complete framework for building secure, scalable and resilient modern infrastructure. 



Don’t let your best-selling product suffer due to an unscalable, vulnerable & inconsistent infrastructure.





Thanks & Regards

Kamalika Majumder



©2024 by Staxa LLP. All Rights Reserved.
