December 13 2024

Hyperscaler Cloud and DDOS Attacks: How Attack Scenarios Are Changing in the Cloud Computing Era

What We Learned About Big Commercial Cloud Providers From Analyzing the Latest DDoS Reporting

[Figure: Hyperscaler DDoS attack]

The cybersecurity landscape is constantly evolving, and the advent of Cloud Computing has radically transformed not only the opportunities for companies, but also the strategies adopted by attackers. Recently, a case involved us first-hand, showing how sophisticated and complex DDoS (Distributed Denial of Service) attacks have become.

The case of a customer in emergency

An international e-commerce business selling virtual products, operating in various global markets, contacted us in an emergency situation. The PrestaShop platform, hosted on a Cloud instance managed by SiteGround, had been under DDoS attack for over two days. Despite the engineers' attempts to mitigate the attack, the customer reported persistent downtime and significant degradation in site performance. The inability to obtain root privileges on the managed instance and other infrastructure limitations prevented an effective and rapid response.

In response, we proposed rapid onboarding to our infrastructure, offering a multi-layered mitigation strategy.

The mitigation strategy

Our solution is designed with a holistic approach, combining advanced technologies and custom tuning to address every level of attack:

Network Level Protection

For network attacks (layer 3 of the OSI model), we relied on the automatic protection offered by our data center partner, based on Arbor Networks' NetScout technology. This system was able to mitigate over 500 Gbps of malicious traffic during the first ten hours of the attack, demonstrating extraordinary effectiveness in minimizing the impact on customer service and providing top-notch protection capable of handling even the most intense spikes. Arbor Networks' NetScout technology is one of the most advanced solutions for DDoS attack mitigation. Integrating continuous monitoring and real-time analysis capabilities, it is designed to identify and neutralize threats at the network level with extreme precision. The system uses advanced algorithms to distinguish legitimate traffic from malicious traffic, ensuring a smooth flow of business operations. In addition, its ability to scale with large infrastructures makes it ideal for data centers and cloud service providers.

Application Defense

Application attacks (layer 7) were countered by implementing an enterprise-class WAF (Web Application Firewall) provided by Cloudflare. We chose this solution for several reasons:

  • Low costs: An advantageous choice compared to more expensive solutions, with an extremely competitive quality-price ratio.
  • Flexibility in the rules: Cloudflare enables granular control of filtering rules and related policies, allowing for advanced customization and optimization of specific parameters, perfectly adapting to your needs.
  • Extensive reporting: An advanced monitoring system to identify attack patterns, providing a clear and detailed view of the progress of threats in real time and ensuring unparalleled responsiveness.

[Figure: DDoS attack requests]

Thanks to the initial tuning, within a couple of hours we stabilized the system, bringing the site back online without speed problems. Overall, we mitigated over 7 billion HTTP requests in 24 hours, with peaks of 800 million requests per hour, demonstrating an unprecedented ability to handle abnormal loads of this magnitude while maintaining an optimal experience for legitimate users.

Self Hosted Local Tools

We have implemented and configured a series of tools to strengthen security and improve system performance. Here are the details:

Fail2ban:

  • Real-time blocking of malicious IPs identified via system logs.
  • Dynamic reduction of the attack surface through continuous analysis of unauthorized access attempts.
  • Automatic and continuous creation of customized blacklists based on detected threats.
  • Optimized configurations for different services, such as SSH, NGINX, and Postfix, to ensure 360-degree protection.
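To make the Fail2ban behaviour described above concrete, here is an added example (not the article's or the Fail2ban project's code) that replays nginx access-log lines through a sliding-window counter with the same knobs a Fail2ban jail exposes: findtime, maxretry and bantime. The log lines are constructed inside the script, the addresses are documentation ranges, and the `match` callback plays the role of a jail's filter regex (by default every request counts, which gives request-rate limiting rather than failed-login detection).

```python
"""Fail2ban-style ban logic run over nginx access-log lines.

Added example (not the article's code): a sliding-window counter per source
IP with the same knobs a fail2ban jail exposes (findtime, maxretry, bantime).
The log lines are constructed below; the IPs are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format: ip - user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "req": m["req"],
    }


class Jail:
    """Per-IP sliding window: ban when >= maxretry hits occur within findtime."""

    def __init__(self, findtime=10, maxretry=20, bantime=600, match=lambda ev: True):
        self.findtime = timedelta(seconds=findtime)
        self.maxretry = maxretry
        self.bantime = timedelta(seconds=bantime)
        self.match = match            # which events count (like a fail2ban filter)
        self.hits = defaultdict(deque)
        self.banned = {}              # ip -> ban expiry

    def observe(self, ev):
        """Feed one parsed event; return True when this event triggers a ban."""
        ip, now = ev["ip"], ev["ts"]
        if ip in self.banned and self.banned[ip] <= now:
            del self.banned[ip]       # ban expired, start counting again
        if ip in self.banned or not self.match(ev):
            return False
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()          # drop hits older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = now + self.bantime
            window.clear()
            return True
        return False


def run_jail(lines, **jail_kwargs):
    """Return [(ip, timestamp_of_ban), ...] after replaying the lines."""
    jail = Jail(**jail_kwargs)
    bans = []
    for line in lines:
        ev = parse_line(line)
        if ev and jail.observe(ev):
            bans.append((ev["ip"], ev["ts"]))
    return bans


def constructed_log():
    """Constructed sample: one flooding client (3 req/s for 10 s) and one normal visitor."""
    fmt = '{ip} - - [13/Dec/2024:10:00:{sec:02d} +0000] "GET /index.php HTTP/1.1" 200 512'
    lines = []
    for sec in range(10):
        lines += [fmt.format(ip="198.51.100.7", sec=sec)] * 3
        if sec in (0, 5, 9):
            lines.append(fmt.format(ip="203.0.113.5", sec=sec))
    return lines


if __name__ == "__main__":
    for ip, when in run_jail(constructed_log(), findtime=10, maxretry=20, bantime=600):
        print(f"ban {ip} at {when:%H:%M:%S}")   # the flooding IP is banned at 10:00:06
```

With these settings the flooding client crosses the 20-hit threshold on its 20th request, six seconds into the window, while the visitor with three requests is never touched. Passing `match=lambda ev: ev["status"] >= 400` turns the same jail into an error-based filter, which is closer to how Fail2ban's stock nginx filters behave.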

NGINX Bad Bot Blocker:

  • Integration of an advanced ruleset to identify and block known bots that consume resources improperly or pose a threat.
  • Improved overall system resilience by preventing scraping or brute-force attacks from unauthorized crawlers.
  • Regular rule updates to keep up with newly emerging threats.
  • Reduced server load by rejecting malicious requests before they reach the application.


Specific filters with IPTables:

  • GeoIP-level filtering, to block traffic coming from countries considered risky or irrelevant to the business.
  • Rules based on ASN (Autonomous System Number), allowing entire network blocks managed by providers with a compromised reputation to be excluded.
  • Granular rules to filter packets based on specific protocols, ports, and IP addresses, reducing exposure to DDoS attacks.
  • Integration with monitoring tools to analyze and adapt rules in real time, maximizing protection without compromising system performance.

These configurations not only improve security, but help reduce the load on systems, ensuring greater efficiency and operational stability.
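The GeoIP and ASN filters above come down to a longest-prefix lookup of each source address against two prefix tables and a policy over the labels. The following is an added example (not the article's or any vendor's code) that implements that lookup, decides ACCEPT/DROP per source IP, emits the equivalent ipset/iptables commands, and counts verdicts per ASN or country, which is the same grouping that the per-source breakdown in the attack reports relies on. The prefix tables, the private ASNs and the country code "XX" are constructed placeholders; a real deployment loads them from a GeoIP/ASN database.

```python
"""Source-network filtering by ASN and country, in the spirit of the article's
IPTables GeoIP/ASN rules.

Added example, not the article's or any vendor's code. The prefix tables and
the policy below are constructed placeholders (documentation ranges, private
ASNs, an invented country code "XX"); a real deployment loads them from a
GeoIP/ASN database and applies the emitted ipset/iptables commands.
"""
import ipaddress
from collections import Counter

# Constructed lookup tables: label -> list of prefixes.
ASN_PREFIXES = {
    "AS64500": ["203.0.113.0/24"],      # hypothetical cloud provider, good reputation
    "AS64501": ["198.51.100.0/25"],     # hypothetical cloud provider, abused
    "AS64502": ["192.0.2.0/24"],        # hypothetical consumer ISP
}
COUNTRY_PREFIXES = {
    "IT": ["192.0.2.0/24", "203.0.113.0/24"],
    "XX": ["198.51.100.0/24"],          # invented country code
}

# Policy: drop everything from blocked ASNs or blocked countries.
BLOCKED_ASNS = {"AS64501"}
BLOCKED_COUNTRIES = {"XX"}


def build_table(prefix_map):
    """Flatten label -> prefixes into (network, label) pairs, most specific first."""
    rows = [(ipaddress.ip_network(p), label)
            for label, prefixes in prefix_map.items() for p in prefixes]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)


ASN_TABLE = build_table(ASN_PREFIXES)
COUNTRY_TABLE = build_table(COUNTRY_PREFIXES)


def lookup(ip, table):
    """Longest-prefix match; returns the label or None if no prefix covers ip."""
    addr = ipaddress.ip_address(ip)
    for net, label in table:
        if addr in net:
            return label
    return None


def decide(ip):
    """Return (verdict, reason) for a source address under the policy."""
    asn = lookup(ip, ASN_TABLE)
    country = lookup(ip, COUNTRY_TABLE)
    if asn in BLOCKED_ASNS:
        return "DROP", f"asn:{asn}"
    if country in BLOCKED_COUNTRIES:
        return "DROP", f"country:{country}"
    return "ACCEPT", f"asn:{asn} country:{country}"


def summarize(source_ips):
    """Count verdict reasons over observed source IPs (a per-ASN/country report)."""
    return Counter(decide(ip)[1] for ip in source_ips)


def ipset_commands(setname="ddos-block"):
    """Emit the shell commands that enforce the same policy in the kernel.

    ipset holds the prefixes (hash:net scales to thousands of entries) and a
    single iptables rule drops anything whose source matches the set.
    """
    cmds = [f"ipset create {setname} hash:net -exist"]
    for asn in sorted(BLOCKED_ASNS):
        cmds += [f"ipset add {setname} {p} -exist" for p in ASN_PREFIXES[asn]]
    for cc in sorted(BLOCKED_COUNTRIES):
        cmds += [f"ipset add {setname} {p} -exist" for p in COUNTRY_PREFIXES[cc]]
    cmds.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    observed = ["198.51.100.10", "198.51.100.200", "192.0.2.9", "203.0.113.4"]  # constructed
    for ip in observed:
        print(ip, *decide(ip))
    print(summarize(observed))
    print("\n".join(ipset_commands()))
```

Two details matter in practice: the ASN check runs before the country check, so a blocked provider is dropped even in an allowed country, and the set-based rule keeps the iptables chain to one entry no matter how many prefixes are blocked, which is what keeps packet-filtering cost flat under a flood.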

Data emerging from the attack

Analyzing the generated reports, a worrying and significant trend emerged that highlights how the DDoS attack landscape has changed dramatically in recent years. In the past, the main DDoS attack vectors were represented by consumer IP addresses, typically linked to ADSL connections or similar networks, which were exploited in a massive way. Many of these connections originated from countries characterized by low cyber regulation, such as China, Brazil, Iran, Malaysia and Russia. These regions represented fertile ground for attackers, thanks to the combination of less secure infrastructure and lax regulations, which made it easier for attackers to exploit these networks to generate malicious traffic.

[Figure: Hyperscaler DDoS sources]

Today, however, the situation appears to have changed dramatically, with an evolutionary leap that has shifted the focus of attacks towards more advanced infrastructures. Most malicious requests no longer come from consumer connections, but from instances hosted on commercial cloud hyperscalers. Vendors such as Oracle, Microsoft Azure, DigitalOcean, Vultr, OVH, and Alibaba Cloud have become the new platforms of choice for attackers. This shift is significant, as it highlights how threat actors are exploiting the enormous scalability and flexibility of these infrastructures to launch large-scale attacks.

Hyperscaler Cloud

A hyperscaler is a cloud infrastructure provider designed to deliver compute, storage, and networking resources in a highly automated and scalable manner at global scale. These providers operate data centers distributed across multiple geographic regions, allowing users to access virtualized resources with minimal latency and high availability. With advanced technologies such as load balancing, virtualization, and energy optimization, hyperscalers ensure efficient management of workloads, dynamically adapting to the needs of customers, whether they are small startups or large enterprises. Their infrastructure allows customers to reduce operating costs and accelerate innovation, supporting a wide range of applications, from simple websites to complex artificial intelligence systems and big data analytics.

Two main hypotheses

Data analysis suggests two possible explanations:

  1. Compromised instances: Given the sheer scale of hyperscaler infrastructures and the number of active instances, it is likely that many of them are vulnerable to exploits or insecure configurations. Attackers could use these compromised resources as a beachhead to mount large-scale attacks. This approach not only increases the complexity of mitigation efforts, but also makes it extremely difficult to identify the actual sources of attacks, as malicious traffic is carried through legitimate and distributed platforms.
  2. Malicious provisioning: The flexible and scalable nature of the cloud, supported by a pay-per-use model, gives attackers the ability to create and destroy virtual instances at breakneck speeds. This dynamic allows organized groups to develop automated scripts to provision dedicated attack instances. With centralized coordination, these attackers can orchestrate operations at scale, minimizing operational costs and maximizing attack effectiveness. This type of strategy introduces a level of operational agility never seen before, challenging traditional detection and blocking techniques. The combination of anonymity, speed, and accessible computing power presents an unprecedented challenge for defenders.

Implications for the future

This evolution in the DDoS attack landscape raises important questions for the cybersecurity and cloud computing industry:

Hyperscalers' Responsibilities

Cloud hyperscalers must take more stringent measures to prevent malicious use of their infrastructure. This includes:

  • Proactive monitoring of instances, including AI-based detection systems, to identify anomalous behavior and significantly reduce the risk of large-scale abuse.
  • Increased emphasis on securing default configurations to reduce vulnerabilities, making it harder for attackers to exploit system flaws and preventing large-scale escalation of attacks.
  • Collaboration with security companies to mitigate attacks in real time, creating a more robust and efficient defensive ecosystem that can respond rapidly to emerging threats.

Corporate defensive strategy

For companies, the approach to security must be rethought:

  • Multi-level solutions: Combining network, application and local layer protections is essential to address complex and targeted attacks, ensuring comprehensive coverage against a diverse range of threats.
  • Collaboration with specialized suppliers: Experienced DDoS security and mitigation partners can make the difference in critical moments, ensuring a rapid and effective response and minimizing downtime.
  • Proactive preparation: Conduct attack simulations and test defense systems before real situations occur, improving the overall resilience of the infrastructure and ensuring that measures are always up to date with the latest threats.

Conclusion

The case study highlights a significant shift in the way DDoS attacks are conducted in the era of Cloud Computing. While the cloud offers unprecedented advantages in terms of scalability and flexibility, it also introduces new vulnerabilities that attackers are ready to exploit.

For companies like ours, specialized in Linux hosting and systems, it is essential to stay one step ahead, continuously adapting defense strategies and collaborating with excellent technology partners. Security is never static, and only with a dynamic and proactive approach can we guarantee the protection of our customers in an increasingly complex and challenging landscape, building lasting trust through the ability to effectively respond to the challenges of the future.


INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.
