
I know that one can deny services (DoS) in any of the 7 layers of the OSI model and that in principle, a denial can be done by a single entity (human or machine) or from 2 or more such entities ("distributed" - DDoS).

I also understand that:

  1. On layers 1,2, a DoS can be done by a single entity without software limitations, as these are purely "concrete" layers.
  2. On layers 3,4,5,6, a DoS is software-only and is typically distributed (DDoS) because of typical ISP bandwidth limitations on entities (so one or more entities would typically need 2 or more ISP accounts), even if the hacking is done from one machine that includes 2 or more virtual machines.
  3. On layer 7, a DoS is software-only and can be either single or distributed easily without bandwidth limitations (at least for a few types of attacks), but in any case is easier to manage in comparison to attacks on layers 1,2,3,4,5,6.

Background on cloud hosting services (CHS)

I know that there are basically two types of CHSs used to host web applications:

1. Minimally controlled cloud: The user is provided with an OS, DNS zone management tool, bypass console and some more possible tools while the user adds the rest by itself (examples: DigitalOcean, Linode and so forth).

2. Maximally controlled cloud: Either the user or the company provides the OS, DNS zone management tool, bypass console and some more possible tools while the user adds the rest by itself (examples: Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP) and so forth).

The main difference is that the latter allows using the VAD stack (Vagrant, Ansible, Docker) that enables true continuous integration or the closest one can get to it.

  • Regarding minimally controlled cloud: on the one hand, you don't have true continuous integration, as when the time comes you'll have to migrate all your data from one OS to another (say, from Ubuntu 18.04 to 20.04) or at least from one webserver to another (say, from Apache 2.4 to 3.4); these operations can be very resource-demanding and frustrating.
  • Regarding maximally controlled cloud: on the other hand, the VAD stack can result in significantly slower performance and higher pricing.

Background regarding my problem

I generally host a few simple presentational websites with only a contact form and maybe also a PayPal donation form; not anything grandiose like some mega ecommerce website with customer financial data, but from an SEO standpoint some of my websites can be in dense competitive fields, and I suspect some form of DoS would be likely from an immoral competitor.

  • Regarding layers 1 and 2, I understand that any CHS should protect these layers; otherwise they won't be able to operate seriously, because an immoral competitor of their own could destroy these concrete layers of theirs.

  • Regarding layer 7, I already protect from MITMs with TLS, from SSH and content management system BFAs with at least SSHGuard, and from backdoors and DB injections (like SQL injections) with various policies and methods.

My problem

I worry about how to protect layers 3,4,5,6 from DDoS attacks, as both general types of CHSs seem to me not to include any internal protection mechanism from such attacks on these layers.

Ways I know to handle it

1. Using a Content-Delivery-and-Protection-Network (CDPN) such as Cloudflare (more information here).

2. Using shared hosting platforms (such as SiteGround) that either have their own mechanisms to protect from such DoSs, or themselves utilize Cloudflare "behind the scenes", or at least offer their plugin for quickly utilizing its full version (no further payment is needed).

My question

Is there some technology I could use within a CHS to protect my services from being denied in the aforementioned ways?
I wouldn't mind paying, say, $25 instead of $20; I just desire a technology that I could utilize from within the service, without opening other accounts on third-party providers like Cloudflare or otherwise.

  • Is [AWS Shield](https://aws.amazon.com/shield/) or [Azure DDoS Protection](https://azure.microsoft.com/en-us/services/ddos-protection/) the sort of thing you're looking for? – paj28 Nov 26 '18 at 15:13
  • Back up a second. What problem do you want to solve? You cannot solve DDoS on your servers or on your hosted environment no matter what your hosting environment is. Period. If that's your question, then there are many duplicate questions I could point you towards. If you want to solve DoS in your unique hosting environment, then we could look at that. – schroeder Nov 29 '18 at 16:59
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/86432/discussion-on-question-by-johndoea-is-there-a-multi-layered-dos-protection-which). – Rory Alsop Nov 30 '18 at 09:14

1 Answer

Provider's Responsibility

In the cloud, as a general rule, the cloud provider handles OSI layer 1 and 2 protection. This is essentially free, as they cannot offer a functional service without it.

At OSI layers 5+, it's generally up to you unless you're buying SaaS or PaaS. If you're buying SaaS/PaaS, it's likely the responsibility of your provider, although you'll need to check the SLAs to see what they actually guarantee.

Your Responsibility

From your question, it sounds like you are not considering SaaS/PaaS so layers 5+ will remain your responsibility.

You can pay CDPNs to take it off your plate. You could simply use the same tools in the cloud that you use elsewhere, although you have extra options in the cloud. E.g., you can spin up more servers automatically in response to a DDoS attack until you can figure out how to filter it properly.

The Tough Nut to Crack

The real issue is, as always, DDoS protection at layers 3 and 4. While you can mitigate or eliminate your DDoS risk at layers 5+, everyone is fundamentally very vulnerable at layers 3/4.

A competent attacker can saturate any customer network link; it is no longer shocking to see 10+ Gbps attacks. Major attacks have even threatened the internet backbone and root DNS servers.

This is why CloudFlare and their competitors exist. In order to address all potential attacks, you need several fast, independent routes and/or a responsive ISP. Large cloud providers can offer this directly, at whatever price they see fit, or you can set up third-party protection in front of your cloud environment.

Comprehensive protection against layer 3/4 DDoS attacks requires backbone-grade network links or cooperation from the companies that have them. Very few organizations can accept 10+ Gbps traffic and only pass through the bits that you need.

To be comparable to CloudFlare, you would need to look at AWS Shield Advanced, Azure DDoS Protection, or Google Cloud Armor. Amazon seems to offer the best free protection at the moment, but there are some gotchas in there.

Economics

When my company looked for DDoS protection, the CloudFlare crowd offered far better pricing than the cloud providers. The dedicated DDoS protection firms had the lowest ongoing costs and fairly low costs for intervention (where applicable). This may vary depending on your workload and threat model.

Your prices suggest a very small cloud presence. If you're looking to add protection to one or two small sites, Azure and AWS will be far more expensive than Google or CloudFlare.

I would tentatively suggest:

  1. AWS if their free protection is adequate
  2. CloudFlare or competitor if you can bend on external protection
  3. Google Cloud Armor, Amazon WAF, or any other rule-based service may be within reach of your budget for small/light deployments (more than $5/month though)
  4. Neither Azure nor AWS DDoS protection is within reach of your budget

Be sure to take note of services which charge based on traffic; the price will spike during an attack. There should be a discussion with the application owner to determine what costs they are willing to incur to remain online during an attack.

DoubleD
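An added example, not from the question or the answer, of the defender-side view of the layer 3/4 problem the answer describes. It takes constructed flow records in an assumed format (epoch second, source, destination, protocol, bytes), assumes a 1 Gbps customer link, flags the seconds in which inbound volume already exceeds that link, and aggregates the offending sources by /24. That per-prefix summary is the kind of evidence you would hand to an ISP or upstream scrubbing provider, since by the time these bytes are counted at the host the link is already saturated.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic): "epoch_second src dst proto bytes".
# Uses RFC 5737 documentation ranges; the UDP sources are the simulated flood.
FLOWS = """\
1543000000 203.0.113.10 198.51.100.5 udp 120000000
1543000000 203.0.113.11 198.51.100.5 udp 130000000
1543000000 192.0.2.7 198.51.100.5 tcp 1500
1543000001 203.0.113.12 198.51.100.5 udp 900000000
1543000001 203.0.113.13 198.51.100.5 udp 800000000
1543000001 192.0.2.8 198.51.100.5 tcp 2000
1543000002 192.0.2.9 198.51.100.5 tcp 3000
"""

LINK_CAPACITY_BPS = 1_000_000_000  # assumed 1 Gbps customer link


def parse_flows(text):
    """Parse the assumed flow format into (second, src_ip, proto, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, proto, nbytes = line.split()
        records.append((int(ts), ip_address(src), proto, int(nbytes)))
    return records


def saturated_seconds(records, capacity_bps=LINK_CAPACITY_BPS):
    """Return {second: inbound bits} for every second whose volume exceeds the link."""
    bits = defaultdict(int)
    for ts, _src, _proto, nbytes in records:
        bits[ts] += nbytes * 8
    # Anything over capacity was dropped upstream; host-side filtering cannot get it back.
    return {ts: b for ts, b in bits.items() if b > capacity_bps}


def top_sources(records, seconds, prefixlen=24, n=3):
    """Aggregate bytes by source prefix during the saturated seconds, largest first."""
    per_prefix = defaultdict(int)
    for ts, src, _proto, nbytes in records:
        if ts in seconds:
            net = ip_network(f"{src}/{prefixlen}", strict=False)
            per_prefix[str(net)] += nbytes
    return sorted(per_prefix.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_flows(FLOWS)
    sat = saturated_seconds(recs)
    print("saturated seconds:", {ts: f"{b / 1e9:.1f} Gbit" for ts, b in sat.items()})
    print("top source prefixes:", top_sources(recs, sat))
```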