"Operation Payback" wanted to take Amazon.com down probably more than any other site attacked the week of Dec. 6. The organizers wanted Amazon to pay for dropping Wikileaks from its hosting. Hackers attacked for one full hour. But Amazon didn’t budge; no slowdowns, no outages, no nothing.

This should be an eye-opener for businesses. 

Amazon's ability to stay up and running while under direct attack shows that cloud hosting might just be the best place to withstand distributed denial of service attacks.

There are two reasons why Amazon.com, as a large cloud hosting service, did not succumb to the hacker attacks:

1. Hosting:

The reason Amazon was attacked is the same reason it is nearly invulnerable to a distributed denial of service (DDoS) attack: hosting. Where a business hosts its online services is one critical element of its total online security.

Amazon is able, to an extent, to scale for its traffic using the Elastic Compute Cloud (EC2). EC2 allows it to balance traffic loads on the fly. Amazon also has the luxury of re-routing traffic to one of many data centers and scaling supply to meet the demand. It started doing this so that it could account for major traffic events like Black Friday and Cyber Monday.

Other large-scale cloud providers that could likely withstand this type of attack are Microsoft, Salesforce, Rackspace, and Grid hosting providers like MediaTemple.

2. Mitigation Systems:

There is also a very strong likelihood that Amazon has proprietary DDoS mitigation systems in place, with practices like DNS logging, honeypots, anomaly detectors, etc. In order to drown sites like Google and Amazon, a DDoS attack would have to generate a nearly impossible amount of traffic.

There are a number of companies that have DDoS mitigation tools on the market today. By combining DDoS mitigation with dynamic load balancing through cloud hosting, a site is able to withstand a much greater amount of traffic without failure.

Expect A Mass Exodus to the Cloud

Cloud hosting is likely to be one of the top IT issues for businesses in 2011.

The growing threat of cyber attacks and the increased security afforded by large cloud hosts are likely to spur a mass adoption of cloud hosting among U.S. businesses.

Another cue for businesses is that federal CIO Vivek Kundra recently announced a 25-point plan to improve government IT operations; a key part of this plan included a massive shift to cloud computing. Kundra describes this plan as a “cloud-first” policy.

For businesses contemplating a move to the cloud, here is a quick overview of the top four service providers:

1. Amazon Web Services: EC2 is Amazon’s premier cloud hosting program that works alongside its S3 cloud storage solution. Besides hosting, users can boot a virtual machine and use EC2 for full computing purposes, including OS and applications. Amazon is constantly upgrading and adding features. Amazon also just announced that its EC2 hosting option is PCI-DSS 2.0 compliant – making it an even better choice for enterprise.

2. Rackspace: Rackspace boasts cloud hosting as well as full cloud computing. It also features a comprehensive repository of partner tools, applications and services for cloud computing.

3. Microsoft Azure: Microsoft is a relative newcomer to cloud computing, but has made a very bold introduction. Along with Office 365, its cloud offering comprises a full Windows development experience with services that allow developers to build applications using the typical Microsoft stack. Microsoft also recently announced that in 2011 its Dynamics CRM will be available to be hosted locally or in the cloud, with a switch from one to the other being relatively easy.

4. Salesforce: Salesforce adds another level of cloud computing by offering the option of hosting a business’ customer relationship management (CRM) system offsite. It also offers a wide array of applications for full cloud computing capabilities.

Chris Weber, co-founder and managing partner of Casaba Security, is a noted security researcher and a speaker at the Black Hat security conference. His company provides cyber security analysis and testing to major companies, including Microsoft. He is the author of Windows XP Professional Security and several other textbooks, and served as technical editor for Hunting Security Bugs, written by the MS Office Security Team.