DDoS mitigation in the cloud adds a new dimension to the solutions offered in traditional computing environments. By its very nature, cloud computing is vulnerable to DoS and DDoS attacks; however, it also offers many opportunities to recover quickly from such attacks, as resources can be provisioned easily and applied quickly. The most critical aspect of defense is to maintain availability of service for the end users, service providers and the cloud infrastructure managers. As cloud services grow more popular, ensuring the security and availability of services becomes more challenging.
At first glance, a DoS or DDoS attack is harder to carry out in the cloud than in a traditional computing environment, as the attackers need many more resources to achieve their aims, particularly when cloud infrastructures have been well designed. Nonetheless, service providers need to consider how to mitigate such attacks, particularly in the context of the growing botnet market and the increasing scale of specific attacks, such as Mirai. It is unsafe for users to assume that the inherent elasticity and scalability of cloud computing will always offer sufficient resistance to DDoS attacks.
The solutions currently on offer for DDoS mitigation will be broken down more thoroughly in other posts; however, as always in the security landscape, no single solution covers everything. System administrators will always need to broker some kind of compromise to mitigate the maximum possible harm from a DoS or DDoS attack, but should not be expected to prevent every possible attack.
The first stage in security protection within the cloud is a thorough Security Service Level Agreement (Security-SLA) between a client and its service provider covering confidentiality, integrity and availability, also known as the CIA triad.
The Security-SLA should take care of the following four areas: (i) privileged user access, ensuring that sensitive customer data does not fall into the wrong hands; (ii) regulatory compliance, which holds the customer responsible for his or her own data; (iii) data location, i.e. a commitment to comply with the local jurisdiction and to store and process data only within that area; and (iv) data segregation, properly encrypting data to avoid leakage between users within the cloud.