2

I ask this question as a follow up to this question, in which I asked how I could protect from the simplest types of DoS attacks (say a single-machine / up to 5 machines network level DoS attack) without using third party services like a CDN, given that it is unlikely for me to go through a DDoS (although the answers to my question there show that a DDoS is just as likely as a simple DoS these days, due to various services that would help even a single attacker to launch a DDoS).

My hosting provider engineer told me that they are developing tools that could achieve my desire, at least in part, in the future, though these tools are now but experimental and far from being released in any form. The engineer mentioned the following three types of tools without explaining how each one of them could help reduce the risk to the phenomenon I just described:

  1. LBaas (I don't know what that means)
  2. DBaaS (Database as a Service)
  3. "auto-scaling" (I don't know what that means)

Assuming I understood correctly, how could any of these tools help prevent any kind of network level DoS, if at all?

user9303970
  • 443
  • 1
  • 4
  • 15

2 Answers

3

LBaaS probably refers to Load Balancing as a Service (LBaaS).

With an LBaaS solution, the traffic to your site will reach the LBaaS endpoint and then be handed off to the server farm serving the site. In an auto-scaled environment, the number of servers (typically Virtual Machines) goes up or down depending upon the traffic load.

LBaaS solutions themselves integrate DDoS prevention mechanisms by monitoring packet states and other detection mechanisms. In combination with DBaaS and autoscaling, as the load goes up (in a DDoS scenario), the backend instances scale up as well to handle the additional load.

This of course does not assume that the Anything-as-a-service solutions can handle infinite load. That is, a service supported by the cloud cannot take DDoS attacks of the scale of Tbps (as have been recently demonstrated).

sandyp
  • 1,146
  • 1
  • 9
  • 17
  • I didn't understand the last sentence in your answer. Care to rephrase it? – user9303970 May 13 '18 at 21:14
  • @user9303970 That is, a service supported by the cloud cannot take DDoS attacks of the scale of Tbps (as have been recently demonstrated). – sandyp May 14 '18 at 00:54
  • Tbps? I might have missed something about that. – user9303970 May 14 '18 at 13:06
  • I searched for the terms `Tbps` and `bps` in the previous question but found nothing. Maybe I'm missing its purpose as I'm having a bad week. – user9303970 May 14 '18 at 21:34
  • @user9303970 Tbps would be Tera-bits-per-sec (quantified network bandwidth). – sandyp May 14 '18 at 22:13
  • Hmm, I hope there would be a radical change in technology in next 4-5 years so cloud companies will indeed be able to deal with such attacks. Maybe I'm optimistic, but, can't know for sure... – user9303970 May 15 '18 at 00:00
1

Sandyp already posted a succinct answer, so this is largely supplemental.


In order to use both LBaaS and DBaaS, your application must support that model.

Typically, this entails building for clustering and/or load balancing. While this isn't the hardest thing to accomplish, you cannot benefit from these technologies if you have not designed for it. (Most enterprise apps will work these days, but it sounds like you're deploying your own application.)


Cost is more variable with scale-out.

With scale-out, your cloud provider will spin up additional VMs and allocate additional resources as needed, but you typically pay for those resources in accordance with your service agreement. These rates can vary wildly.

Sometimes emergency scale-out is available at minimal cost; sometimes not. Rates can range from your standard contract rate to the highest on-demand rate. With most CDNs, DDoS mitigation is included, so there are rarely unanticipated costs. Ask your provider for specifics.


Assuming you have an application that can support scale-out, it comes down to a question of cost and trade-offs.

With CDNs, you have to configure your assets to use their transport/caching, and you have to trust them. In return, the top-tier CDNs typically offer better DDoS protection, latency, and throughput than cloud providers. (You didn't mention latency or throughput as concerns, so these are only included for completeness.)

You should also inquire into the spin-up or response time from your cloud provider. With CDNs, it is very quick and always available. Cloud providers vary, and some of them offer configurable scaling.

E.g., you can configure when it scales out, how long after the peak until additional resources spin down, whether there is a rate limit or a hard cap on automatic provisioning, whether there is a monetary cap on auto-provisioning, etc.

I don't have personal experience with DigitalOcean, so I have no idea which options are available.

DoubleD
  • 3,862
  • 1
  • 6
  • 14
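The scaling knobs listed above (scale-out trigger, spin-down delay, provisioning rate limit, hard cap, monetary cap) are easiest to reason about with a small simulator that runs a constructed load timeline through two policies and reports peak instance count, spend, and how many ticks the site ran short of capacity. This is an added example, not code from the answer or from any provider's API; the policy field names, the tick-based cost model and the load timeline are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class ScalePolicy:
    # Hypothetical knobs, one per setting the answer lists; the names are assumptions.
    scale_out_threshold: float  # requests/sec per instance that triggers a scale-out
    scale_out_step: int         # instances added per tick (rate limit on provisioning)
    cooldown_ticks: int         # quiet ticks before one instance is released
    hard_cap: int               # maximum instance count
    budget_cap: float           # monetary cap on spend for auto-provisioned instances
    cost_per_instance_tick: float = 1.0

def simulate(load, policy, min_instances=1):
    """Return (peak_instances, total_cost, overloaded_ticks) for a load timeline."""
    instances, peak = min_instances, min_instances
    total_cost = auto_spend = 0.0
    overloaded = quiet_ticks = 0
    for rps in load:
        if rps / instances > policy.scale_out_threshold:
            # Capacity was short when this tick began: the site is degraded for this tick,
            # and new instances only help from the next tick on (spin-up latency).
            overloaded += 1
            quiet_ticks = 0
            instances = min(instances + policy.scale_out_step, policy.hard_cap)
        else:
            quiet_ticks += 1
            if quiet_ticks > policy.cooldown_ticks and instances > min_instances:
                instances -= 1
        extra_cost = (instances - min_instances) * policy.cost_per_instance_tick
        if auto_spend + extra_cost > policy.budget_cap:
            # Monetary cap reached: release auto-provisioned capacity rather than overspend.
            instances, extra_cost = min_instances, 0.0
        auto_spend += extra_cost
        total_cost += instances * policy.cost_per_instance_tick
        peak = max(peak, instances)
    return peak, total_cost, overloaded

# Constructed load timeline (requests/sec per tick): quiet, an 8-tick flood, quiet again.
LOAD = [50] * 5 + [2000] * 8 + [50] * 7

UNCAPPED = ScalePolicy(scale_out_threshold=100, scale_out_step=4, cooldown_ticks=3,
                       hard_cap=100, budget_cap=float("inf"))
CAPPED = ScalePolicy(scale_out_threshold=100, scale_out_step=4, cooldown_ticks=3,
                     hard_cap=6, budget_cap=30)

if __name__ == "__main__":
    for name, pol in (("uncapped", UNCAPPED), ("capped", CAPPED)):
        peak, cost, down = simulate(LOAD, pol)
        print(f"{name:9s} peak={peak:3d} cost={cost:6.1f} overloaded_ticks={down}")
```

With these numbers the uncapped policy absorbs the flood after five ticks but spends about five times the capped policy's total, while the capped policy stays within budget and is short of capacity for the whole flood: the cost-versus-availability trade-off the answer describes.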