Network security

DDoS protection: Cloud Overflow

April 2, 2018 by Frank Siemons

Distributed Denial of Service Attacks

Every organization operating online services that face the public internet will at some point need to deal with a Distributed Denial of Service (DDoS) attack. This is usually a targeted attack where, as part of a ransom demand or an activism campaign, a significant amount of traffic is directed at these online services to take them offline. Attacks come in many shapes and forms, for example a SYN flood or an NTP or DNS amplification attack, depending on the capability of the attacker and on the online services being targeted.

DDoS attacks have been around since the early days of the internet. The first recorded Denial of Service attack can be attributed to an unruly 13-year-old student in 1974, but from there the initially simple attack methods have evolved into the realm of sophisticated, massive botnets with an enormous capacity to generate traffic, further multiplied by amplification techniques and tools.

DDoS Protection

Defensive Security Controls aimed at mitigating the effects of DDoS attacks have been continuously developed, and they are quite effective these days.

Let’s take the example of a simple SYN flood. Using this method, an attacker with enough capacity attempts to overwhelm the target with large numbers of SYN requests, consuming all of the target system’s resources. Once those resources are exhausted, legitimate traffic is severely delayed or halted, and the targeted service goes offline. An advanced firewall or a specialized DDoS protection device can recognize the large proportion of SYN requests in its traffic compared to a previously “learned” baseline of normal traffic. It should then start to drop or block bad traffic from the sources of the excessive SYN requests until normal activity resumes.

Detection methods range from simple thresholds to complex algorithms, and response times can be down to mere seconds. When placed inline, some of these specialized solutions, such as Radware’s DefensePro, even apply machine learning techniques to normal (peacetime) traffic and, in case of an attack, to the bad traffic. This allows the device to detect a traffic anomaly as soon as possible and then deploy a matching, customized protection profile to the incoming traffic, reducing the likelihood of dropping legitimate traffic.
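The baseline-versus-threshold logic described above, reduced to its core, as an added example (not the article’s code and not any vendor’s algorithm): a SYN ratio is learned from peacetime traffic windows, a window is flagged when its ratio exceeds a multiple of that baseline, and sources are blocked in order of SYN volume until the residual traffic looks normal again. Packet records, addresses and the threshold factor are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str    # source IP of an inbound packet
    flags: str  # TCP flags as letters: "S" = bare SYN, "A", "PA", "FA"

def syn_ratio(window):
    """Share of packets in a traffic window that are bare SYNs."""
    if not window:
        return 0.0
    return sum(1 for p in window if p.flags == "S") / len(window)

def learn_baseline(peacetime_windows):
    """'Learned' baseline: mean SYN ratio over windows of normal traffic."""
    ratios = [syn_ratio(w) for w in peacetime_windows]
    return sum(ratios) / len(ratios)

def detect_syn_flood(window, baseline, factor=3.0):
    """Flag a window whose SYN ratio exceeds `factor` x baseline, then block
    sources by descending SYN count until the residual traffic is normal.
    Returns (is_attack, list_of_blocked_sources)."""
    threshold = baseline * factor
    if syn_ratio(window) <= threshold:
        return False, []
    syn_by_src = Counter(p.src for p in window if p.flags == "S")
    blocked, remaining = [], list(window)
    for src, _ in syn_by_src.most_common():
        blocked.append(src)
        remaining = [p for p in remaining if p.src != src]
        if syn_ratio(remaining) <= threshold:
            break
    return True, blocked

def session(src, n_data=3):
    """Constructed inbound packets of one ordinary client connection."""
    return [Pkt(src, "S"), Pkt(src, "A")] + [Pkt(src, "PA")] * n_data + [Pkt(src, "FA")]

# Constructed sample traffic (private and RFC 5737 documentation addresses).
PEACETIME = [session("10.0.0.1") + session("10.0.0.2"),
             session("10.0.0.3", 4) + session("10.0.0.4", 2)]
ATTACK = session("10.0.0.5") + [Pkt("198.51.100.7", "S")] * 30 + [Pkt("198.51.100.8", "S")] * 20

if __name__ == "__main__":
    base = learn_baseline(PEACETIME)
    print(f"baseline SYN ratio: {base:.3f}")
    print("attack window:", detect_syn_flood(ATTACK, base))
```

The legitimate client 10.0.0.5 survives because its single SYN no longer moves the ratio once the two flooding sources are removed; a real device would of course evaluate this continuously per time window rather than once.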

There is a downside to these protection systems. The traffic generated by a DDoS attack can be significant; more than 100 Gbps is not uncommon. This means any DDoS protection device needs a large capacity in order to prevent a relatively rare event. The costs of purchasing and operating a dedicated system for a single network are usually hard to justify. Another issue is that a large-scale DDoS protection solution requires specialized staff, equipped with both advanced networking and security skills. These professionals are not only expensive but also hard to find. Once operational, a DDoS security team will need to operate 24/7 to monitor and control the system, because, as always, attackers operate in every time zone.

Cloud protection

This is where cloud DDoS protection solutions come in. In case of an attack, the targeted customer redirects all traffic to a cloud security provider via BGP advertisements. There, the traffic is cleaned up (scrubbed) using the technologies mentioned earlier, and the clean traffic is returned to the customer. As with many cloud solutions, the significant costs of building and maintaining a DDoS protection solution are effectively spread out over the many cloud customers. Considering only a small portion of these customers are ever under DDoS attack at the same time, this is a very cost-effective solution. Even this solution is not cheap, though. These vendors maintain large networks with many so-called scrubbing centers around the world to serve every geography efficiently, which is costly. Another potential issue is that where there is no local scrubbing center, all traffic (including the significant portion that is DDoS traffic) will need to be sent to another region, causing delays and congestion even in the case of a small attack. Sending certain traffic offshore could also create compliance issues, especially for government-related organizations.

Hybrid Protection: Cloud Overflow

This is why many DDoS protection vendors also offer a hybrid model. This model is much less well known than the on-premises and full cloud solutions. The so-called “Cloud Overflow” or “Hybrid” solution, however, brings together some of the best of both worlds. In this model, a lower-capacity and often fully automated on-premises solution takes care of the smaller DDoS attacks. When an attack becomes too large or too long-lasting to handle locally, an overflow can be configured to send either all or a portion of the bad traffic to the vendor’s cloud protection solution. Especially from a cost perspective, this solution has huge benefits. The initial purchase cost of the hardware is limited, considering the on-premises devices only need to handle smaller DDoS attacks. The costs for cloud protection will also be limited, because the majority of DDoS attacks will be mitigated locally and will not require any overflow at all. From a security perspective, the entire range of possible attacks is covered this way. Some of the leading DDoS vendors, such as Arbor Networks, Radware, and Imperva, offer these hybrid options.

When looking for both a cost-effective and a holistic DDoS security solution, hybrid DDoS solutions certainly need to be considered. Cloud Overflow provides the best option for companies that have an on-premises network that relies significantly on internet-facing services, but that is not large enough to warrant its own full-scale DDoS protection deployment.

DDoS attacks are inevitable, but because of the wide range of available security controls, their impact can usually be limited cost-effectively.

Frank Siemons

Frank Siemons is an Australian security researcher at InfoSec Institute. His track record consists of many years of systems and security administration, both in Europe and in Australia. He currently holds many certifications, such as CISSP, and has a Master’s degree in InfoSys Security from Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment and can be found on Twitter as @franksiemons.