Denial-of-service attacks are a pernicious problem for any company with a presence on the web. A DoS attack floods an external-facing web service with traffic so that the server and its supporting infrastructure cannot respond to the volume of requests. The flood blocks legitimate traffic and, in many cases, can cause a failure that requires administrator action.
Distributed denial-of-service attacks add another element: a network of maliciously controlled computers that launches the attack. A malicious actor creates a “botnet” of machines that might be likened to zombies in a horror movie. These machines can be controlled by that malicious entity and used to launch coordinated DoS attacks. Since these attacks come from hundreds or even thousands of devices worldwide, they are tough to detect and mitigate.
These attacks can use multiple “attack vectors,” ranging from complex attempts to exploit software vulnerabilities to simple attempts to make so many requests of your resources that they cannot keep up.
OVHcloud’s cloud-based DDoS mitigation
Typically, avoiding DDoS attacks requires a fairly sophisticated network and application design. And the most straightforward mitigation (having enough spare network and processing power to weather a DDoS attack) is also the most expensive. In addition to a solid technical architecture, a combination of firewall devices capable of advanced network analysis and content delivery networks could help mitigate a DDoS attack, but both require setup and administration.
The OVHcloud solution is based on what the company terms a “VAC,” a set of physical and virtual routers and servers that the company purports can “vacuum” malicious traffic by redirecting it away from an organization’s application and web servers.
The OVHcloud system includes a series of high-throughput routers that continually analyze the traffic that passes through them en route to an organization’s servers. When the router detects an attack, excess bandwidth can be deployed to prevent the servers from being overwhelmed. The routers redirect all incoming traffic to the VAC less than two minutes after the attack originates.
This immediately reduces the loads on servers and applications and sends the workload of analyzing all incoming traffic to the VAC. The VAC takes over, absorbing and analyzing all incoming traffic, and only passes legitimate traffic to the organization’s server.
The VAC will continue to process all traffic for the next 26 hours, after which point the attacker has likely either lost patience or moved on to an easier target. At this point, the VAC will “stand down” and begin to pass traffic normally to servers while resetting should another attack occur.
How OVHcloud stands out amidst the competition
Interestingly, OVHcloud offers an online gaming-specific DDoS configuration. Recognizing the importance of competitive gaming and esports, where sponsorships, prize money and reputations are on the line, OVHcloud has customized its DDoS protection for popular game servers.
This protection is customized for several popular game and communication platforms, from GTA to Mumble. The routers are configured to cache requests, presumably providing additional performance for high-stakes esports events.
OVHcloud also offers DDoS protection on all its hosting options, with an anti-DDoS policy configured by default.
For users who require more advanced and customizable DDoS protection, OVHcloud includes an application programming interface that allows for control and monitoring of the DDoS platform. The API can be used to notify the administrator of events or even adjust the DDoS profiles as events occur.
Should any user selections fail to mitigate an incoming DDoS attack, protection will continue to escalate to keep applications running. This provides a nice balance of allowing users flexibility in designing their DDoS protection while also providing escalating protection should the user’s configuration prove inadequate.
OVHcloud: Powerful and cost-effective DDoS protection
DDoS attacks are difficult to detect and mitigate since they can strike without warning and from multiple origins with seemingly no consistent pattern. Designing a comprehensive approach to protecting against DDoS can be extremely challenging, even for experienced network and security admins, and deploying the proper hardware and software can be cost-prohibitive.
OVHcloud allows the server administrator to focus on more important matters since the robust protection is already designed and deployed. The use of shared VAC technology gives applications powerful protection when needed, which effectively “disappears” when no longer operating.
Hosting providers often seem interchangeable, with most providing reliable, cost-effective bare metal or cloud-based hardware at similar price points. Capabilities like OVHcloud’s included DDoS protection can be the tilt factor that differentiates one provider from the next. This feature may keep your business-critical applications running when malicious actors attempt to take them down.