DDoS attacks come in all shapes and sizes. They are used to harm businesses, extort money, annoy system administrators, test for vulnerabilities, and for many other, mostly malicious reasons. A DDoS attack is typically aimed at a specific service, such as a website. By taking the website offline, the attacker accomplishes whatever goal they set out to achieve.
A data center is a facility that hosts many online services. Data centers are indirectly the target of the majority of DDoS attacks, since they host most of the services on the web, and they have various methods of dealing with those attacks.
In order to understand the kind of impact DDoS attacks have on a data center, first we need to define at a high level what the network infrastructure of a typical data center looks like. Of course, network architecture is much more complicated, but at a high level, traffic entering the data center comes in through either the data center’s transit or peering network to the core layer, then aggregation layer, and finally the access layer prior to getting to the server hosting the online service.
Transit and peering links are connected to the large core router that sits at the edge of the network. This hardware is built to handle a large amount of incoming data. The aggregation layer is meant to handle a smaller amount of traffic per device, which works because there are more aggregation-layer devices than core devices. The aggregation layer is typically where things like load balancing and firewalls are located. Prior to hitting the server, the traffic is sent to the access layer. The access layer is typically a top-of-rack switch from which a whole cabinet’s worth of servers receive their internet connectivity. There usually isn’t much going on at the access layer. Access layer routers usually have a single or redundant uplink from the aggregation layer, at either 1G or 10G. What this means is that a cabinet full of servers all share this 1G or 10G port upstream of them.
As far as vulnerability to DDoS is concerned, the end server is typically the most vulnerable due to two major factors: 1. that’s where the application is located, so its resources can quickly be depleted by a DDoS attack, and 2. it only has a limited amount of network capacity (in this example, we’ll say it has a 1G port). A 1 Gbps DDoS attack can take down almost any server solely because it consumes all of the available network capacity of the server.
Moving up the chain, the access layer is the next most vulnerable part of a data center’s network when it comes to DDoS, because it too has a limited amount of network connectivity feeding it. In this example, we’ll say the access layer switches have a 10G port coming from the aggregation layer. What this means is that a 10G DDoS attack aimed at a single server can take out every server that shares an access layer switch with it. This is a huge problem for data centers: they cannot let an attack on one customer impact potentially hundreds of other customers.
Aggregation and core routers are less vulnerable to DDoS attacks since they are limited almost exclusively by their network capacity.
How does a data center prevent a single customer getting DDoSed from impacting hundreds of other customers?
In order for a DDoS attack not to impact other customers at the access layer, the DDoS traffic must be stopped before it ever reaches the access layer. There are a couple of ways data centers handle this. One of the most typical strategies is for the data center to ask its transit providers to blackhole the destination IP address under attack. What this means is that when the transit providers receive traffic for that IP address, they don’t forward it to the data center. This ensures that the traffic never hits the access layer, as it doesn’t even reach the core layer. Of course, the drawback is that it drops all traffic, not just DDoS, so the web service is completely offline. It is a safe strategy for the data center, though, since it completely protects them against collateral damage at any layer. Another strategy is to have some sort of DDoS protection, either using a cloud service where the traffic passes through another network before reaching the data center, or using on-site hardware to scrub traffic at the core or aggregation layer before it is forwarded to the access layer.
I mentioned two important things that lead into the next part of this article: cloud protection and blackholing IP addresses.
What happens if a data center receives an attack so large that it exceeds its total network capacity?
This is potentially the most devastating thing that can happen to a data center short of a critical event like power or cooling going out completely. Those events are less likely to occur because data centers spend a lot of money ensuring that critical services have massive redundancy and backup. Many data centers have around 40 gigabits per second worth of network capacity. Very few of them ever get remotely close to using that much bandwidth. The reason for having so much capacity is to handle larger DDoS attacks that could otherwise wreck the entire network. Just as a 10 Gbps DDoS attack at the access layer could impact potentially hundreds of customers (everyone on that specific access switch), a 40 Gbps DDoS attack, which would saturate the data center’s total network capacity, would take literally everyone hosted in that data center offline. This is a very effective way to DDoS someone: by hitting them with more traffic than their data center can handle at all, the data center is forced to take that IP offline by blackholing it at the transit provider level. Since the traffic never gets forwarded to the data center, this solves the data center’s problem at the cost of the one customer being attacked being completely offline. This is an acceptable solution for data centers, as the needs of the many outweigh the needs of the few; it costs too much for a company to invest in a massive network backbone just to absorb these volumetric DDoS attacks. The other solution is for the data center to have a cloud DDoS protection provider that is specifically built to take massive DDoS attacks. The data center can either have all of its traffic running through the DDoS protection provider permanently, or have a manual or automatic method to divert the traffic to the DDoS protection provider when an attack occurs.
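The capacity hierarchy and the blackhole trade-off described above (the 1G server, 10G access switch and 40G site example, and the collateral-damage argument) as an added Python model; this is not code from the original article, and the rack names and 10.0.x.y addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the article's capacity hierarchy: 1 Gbps per server,
# 10 Gbps access-layer uplink, 40 Gbps for the whole data center (made-up names).

@dataclass
class Server:
    ip: str
    uplink_gbps: float = 1.0

@dataclass
class AccessSwitch:
    name: str
    uplink_gbps: float
    servers: list

@dataclass
class DataCenter:
    total_gbps: float
    switches: list
    blackholed: set = field(default_factory=set)

    def blackhole(self, ip):
        """Model of asking the transit providers to discard traffic to ip."""
        self.blackholed.add(ip)

    def impacted(self, target_ip, attack_gbps):
        """IPs taken offline by a volumetric attack of attack_gbps on target_ip;
        each saturated layer widens the blast radius: target -> rack -> site."""
        if target_ip in self.blackholed:
            # Transit drops the traffic before the core: only the target is
            # offline, by choice rather than by saturation.
            return {target_ip}
        if attack_gbps >= self.total_gbps:
            return {s.ip for sw in self.switches for s in sw.servers}
        for sw in self.switches:
            for s in sw.servers:
                if s.ip != target_ip:
                    continue
                if attack_gbps >= sw.uplink_gbps:
                    return {x.ip for x in sw.servers}
                return {target_ip} if attack_gbps >= s.uplink_gbps else set()
        raise KeyError(f"unknown target {target_ip}")

def example_site():
    """Two constructed racks of four 1 Gbps servers behind 10 Gbps switches."""
    racks = [AccessSwitch(f"tor-{r}", 10.0, [Server(f"10.0.{r}.{i}") for i in range(1, 5)])
             for r in (1, 2)]
    return DataCenter(40.0, racks)
```

Running `example_site().impacted("10.0.1.1", 40.0)` before and after `blackhole("10.0.1.1")` shows the whole site going dark versus only the attacked IP, which is the trade-off the article describes.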