We're interested in moving some of our Web applications to a cloud provider, but one of my concerns in particular is distributed denial-of-service (DDoS) attacks (which our enterprise has experienced before). I'm afraid that if attackers try to overload our Web apps in the cloud, they'll end up costing us a fortune in cloud usage charges. Are there ways to prevent this from happening?
Preventing a distributed denial-of-service, or DDoS, attack against any resource, local or cloud-based, ranges from difficult to impossible, but minimizing the impact of a DDoS attack should be a priority if the Web application is critical to your business.
One option is to treat the move to the cloud as an opportunity to rewrite your Web application so that it better withstands a DDoS attack, and to take advantage of any new security functionality the cloud provider offers, such as high-availability failover when a system becomes unavailable under attack. Depending on the type of cloud provider and service used, you could add your own DDoS protections in the application infrastructure, but you would still need to rely on the cloud provider's ISP to respond to a DDoS. You could also use a content distribution network to further reduce the impact of a DDoS, although many cloud providers already have sufficiently distributed resources to help absorb one. If the application is critical to your business and only requires internal access, you could even get a leased line to the provider, but this seems unlikely given the cost and complexity.
There are also non-technical mechanisms to minimize the cost of a DDoS attack on a Web application hosted at a cloud provider. One is to negotiate DDoS protection, or the handling of DDoS-related usage costs, into the upfront contract. If you can't get DDoS provisions in the contract, compare the potential cloud bandwidth charges from a DDoS at the provider with the costs your organization incurred from the DDoS on your locally hosted Web application, including the staff time spent responding. If the additional usage fees would be lower than what the local incident cost you, the potential extra charges from a DDoS may not be a concern.
This was first published in January 2012