Denial of Service (DoS) and Distributed Denial of Service (DDoS)
DoS and DDoS attacks are a fact of life on the internet. No site is immune, and every business-critical site should be proactive and implement the steps necessary to protect itself. Carbon60 has taken a variety of proactive measures to harden its hosting solutions against the many forms of DoS and DDoS attacks in use today.
Acceptable Use Policy (AUP)
Our DoS mitigation strategy begins with a strict AUP that forbids us from hosting high-risk sites (e.g. gaming and adult sites) and high-risk activities (e.g. bulk-mailing). This is important because living in a better neighborhood can help avoid being side-swiped by attacks. For the same reason, we engineer significant overhead into our cloud infrastructure. This overhead allows it to absorb reasonably large attacks without causing resource bottlenecks that can impact other customers.
Although we leverage public clouds, such as Azure and AWS, as part of our C60 cloud-of-clouds hosting infrastructure, our own cloud is semi-private, that is, only shared by a select customer-base. For customers that require the greatest degree of isolation, we also support fully private cloud infrastructures.
Hardened DNS Services
Currently, DNS is a favorite target of attackers. Many organizations run their own DNS service for their websites without realizing the associated risk. Any publicly exposed DNS service must be specifically hardened to resist DoS attacks, as our own DNS services and the globally distributed DNS services of our partners are.
Cloud Proxy Services
The most effective DoS protection shields your web site/application using a hyper-scale proxy network to filter all requests before they even reach your hosting origin(s). This shield works in a number of ways:
- By “cloaking” your origin IPs from public knowledge and, thus, preventing direct attacks against your hosting origin(s);
- By filtering out all non-HTTP/S requests, which eliminates the threat of network-layer DDoS attacks;
- By allowing you to proactively or reactively deny or redirect HTTP/S requests from an IP, an entire country, or a region;
- And by serving a high percentage of HTTP/S requests from cache rather than from your origin(s), making the site more scalable to spikes in both legitimate and illegitimate HTTP/S requests.
By layering web application firewall (WAF) services onto a global proxy service you get the best DoS protection available. WAF allows rate-limiting policies to be applied to HTTP/S requests. WAF rate control policies can dynamically alert on and/or block clients exhibiting excessive request rates. These policies can be applied to incoming requests, to requests forwarded to your hosting origin(s), or even to responses from your origin(s). WAF can respond to bursts of requests within seconds. Rate controls further protect customers by mitigating Slow POST DDoS attacks: POST requests are not sent to the origin until the POST body has completed at the edge, and POST bodies that take too long to complete are terminated.
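To make the rate-control and Slow POST behaviour above concrete, here is an added illustration (not Carbon60's or any WAF vendor's code): an edge-side evaluator that flags client IPs exceeding a request rate within a sliding window and terminates POSTs whose body does not complete within a timeout, so they are never forwarded to the origin. The thresholds, the request record format and the sample traffic are all constructed for the example.

```python
from collections import defaultdict, deque

# Hypothetical policy thresholds (constructed for this example, not real WAF settings)
MAX_REQUESTS_PER_WINDOW = 5
WINDOW_SECONDS = 10.0
POST_BODY_TIMEOUT_SECONDS = 30.0


def apply_rate_controls(requests, max_requests=MAX_REQUESTS_PER_WINDOW,
                        window=WINDOW_SECONDS, post_timeout=POST_BODY_TIMEOUT_SECONDS):
    """Evaluate edge requests against a rate-control policy.

    Each request is a dict with keys ts (seconds), ip, method and, for POSTs,
    body_seconds: how long the client took to finish sending the body at the edge.
    Returns (blocked_ips, terminated_posts): IPs that exceeded max_requests inside
    any sliding window of `window` seconds, and (ip, ts) of POSTs whose body did
    not complete within post_timeout and so must not be forwarded to the origin.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = set()
    terminated = []
    for req in sorted(requests, key=lambda r: r["ts"]):
        ip, ts = req["ip"], req["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:   # drop timestamps that aged out of the window
            q.popleft()
        q.append(ts)
        if len(q) > max_requests:         # burst exceeds the per-window budget
            blocked.add(ip)
        if req["method"] == "POST" and req.get("body_seconds", 0.0) > post_timeout:
            terminated.append((ip, ts))   # Slow POST: body never completed at the edge
    return blocked, terminated


# Constructed sample traffic using documentation-range IPs (not real clients):
# an 8-request burst in under 3 s, a normal client, one slow POST and one normal POST.
SAMPLE_REQUESTS = (
    [{"ts": 100.0 + i * 0.4, "ip": "203.0.113.7", "method": "GET"} for i in range(8)]
    + [{"ts": 100.0 + i * 8.0, "ip": "198.51.100.2", "method": "GET"} for i in range(3)]
    + [{"ts": 105.0, "ip": "198.51.100.9", "method": "POST", "body_seconds": 120.0}]
    + [{"ts": 106.0, "ip": "198.51.100.2", "method": "POST", "body_seconds": 0.8}]
)

if __name__ == "__main__":
    blocked, terminated = apply_rate_controls(SAMPLE_REQUESTS)
    print("blocked:", sorted(blocked))          # ['203.0.113.7']
    print("terminated POSTs:", terminated)      # [('198.51.100.9', 105.0)]
```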
Detection and Mitigation
Our network is monitored 24x7x365 for suspicious activity, including DoS attacks. If proactive anti-DoS measures fail, reactive measures can be taken to analyze and mitigate the attack. This can be as simple as adjusting network or application firewall rules, or working with our upstream Internet providers to stop an attack by null-routing traffic from the offending IPs or IP blocks.