Cloud security

DDOS Protection for Public Cloud Customers

October 11, 2016 by Frank Siemons

Public Cloud Adaption

The rate of adaptation of cloud services by organizations over the recent years has been significant. Some of these organizations decided to migrate at least part of their IT systems to a public cloud for one or many of the better-known benefits. Such benefits could be the easier to manage cost model, the nearly unlimited flexibility in hardware and software or the guaranteed uptime locked into Service Level Agreements. Not very often, however, has security been at the forefront of the decision-making process. That is a shame because most public cloud providers offer some very solid security options such as security monitoring and Distributed Denial of Service (DDoS) protection. Arguably, these options not only benefit their customers but their own cloud platforms as well.

Distributed Denial of Service

The literally exponential growth of DDoS attacks, up to fifty times larger now than ten years ago, has many organizations worried about when they will be next. It is only a matter of time and when their number does come up, how prepared are they and how prepared could they actually be? A well organized and targeted DDoS attack could easily fire a sustained 100 Gbps of traffic at its victim. For example, an attack against a BBC website in 2016 reached a peak of 602 Gbps, so far the largest DDoS attack in history. Even though the average connection bandwidth for organizations has grown at almost the same pace, the sophistication and specifically targeted characteristics of these attacks mean they are becoming harder to deal with every day. A business will need to decide on either investing a huge amount in dedicated hardware, software and specialist skills, or outsourcing these DDoS protection services to a third party. Because these third parties can spread out the costs of their high-capacity infrastructure over many customers that are unlikely to be all under attack at the same time, this is usually the most viable option for small, medium and even some larger enterprises.

DDoS Service Add-ons

Public Cloud Service Providers (CSP) such as Amazon WS, Microsoft Azure, and Rackspace have been ideally placed to pick up this growing demand. They are competing with specialized DDoS protection providers such as CloudFlare, but with one main benefit; the customer already has an agreement for one or more products such as IaaS or SaaS with that CSP. That means the DDoS protection service is just another add-on to that existing contract. Most of the technical side, routing traffic, for instance, can all be handled by the Public Cloud Service Provider as well, without the need for another party to be involved. Even if the CSP decides in turn, to outsource that entire DDoS protection service to a specialized provider such a CloudFlare, the Public Cloud customer still does not need to worry. Their agreement is simply with their CSP and the responsibilities and complexities behind that are not of their own concern.

Potential Benefits

The main benefit for an organization to choose DDoS protection from their Public Cloud Service Provider over a 3rd party is the simplicity in both technical and organizational processes. The customer only deals with one party and escalations between the different CSP teams should, in theory, be faster and without much customer interaction. Another benefit is the fact that the CSP better knows their network, indirectly monitors it for potential DDoS attacks and has more control over any available mitigation actions. In the case of a sustained attack over many days, weeks or even months, there will be some options such as a quick relocation to another virtual network or to another actual data center as well. An also very important factor to keep in mind is who will foot the bill for the potentially enormous increase in data due to a DDoS attack. This issue is more complex. Although many CSP’s will allow for unexpectedly high charges to be dropped in the case of a DDoS attack, this is likely much easier to manage (and proof) when the CSP itself is handling the DDoS attack and its potential mitigation. This will require the customer to do some further provider-specific research. For example, some CSP’s don’t charge for inbound traffic (anymore), which could be a very important consideration.

Available Options

Every cloud provider will have some level of DDoS protection services in use for their own cloud infrastructure. This will cover lower layer DDoS attack methods such as SYN floods. It will protect their own business from an attack that could bring down many or all of their cloud customers simultaneously. The legal, financial and reputational ramifications to the CSP would be enormous in such a case, which is simply a risk they cannot accept. This platform-wide protection does not cover individual customers however and their own specific configurations, requirements, and priorities. The customers will need to deal further with for instance application-based DDoS attacks, which are more customized and targeted towards their publicly hosted services. Imagine a low to medium bandwidth DDoS attack specifically targeted at a customers’ website using the HTTP protocol. Not knowing the website specifics, the CSP might not notice the attack. How would the CSP security team know this is an attack and not a very popular online sale, without having an in-depth knowledge of the service? If they actually do detect an attack, they might not be authorized or knowledgeable enough to take custom mitigation actions. This means a customized DDoS protection service is required. Most of the larger Public Cloud Service providers have optional per-customer DDoS protections available, usually for an additional fee. This will provide the customer with bespoke DDoS protection profiles, in-depth analysis and alerting capabilities which match the customers’ own organizational structure and requirements.


It is not hard to see that it is well worth researching DDoS protection offerings by the Public Cloud Service Providers, especially if they already manage most of the existing Cloud services. Of course, not all organizations will have their main online services hosted within a public cloud infrastructure. Think for instance of a private cloud configuration, or a customer-managed data centre. In that case, other benefits of a 3rd party or a self-managed DDoS protection could stand out. As always in the world of ICT: there are enough options out there, it is just a matter of weighing them all up against each other.

Posted: October 11, 2016
Frank Siemons
View Profile

Frank Siemons is an Australian security researcher at InfoSec Institute. His trackrecord consists of many years of Systems and Security administration, both in Europe and in Australia. Currently he holds many certifications such as CISSP and has a Master degree in InfoSys Security at Charles Sturt University. He has a true passion for anything related to pentesting and vulnerability assessment and can be found on His Twitter handle is @franksiemons