ITU-T work programme

[2022-2024] : [SG17] : [Q8/17]


Work item: X.gapci
Subject/title: Guidelines on Anti-DDoS protection for cloud infrastructure
Status: Under study 
Approval process: TAP
Type of work item: Recommendation
Version: New
Equivalent number: -
Timing: 2026-02 (No priority specified)
Liaison: CSA
Supporting members: China, China Telecom, China Unicom, China Mobile
Summary: In recent years, cloud computing technology has developed rapidly. With the wide adoption of cloud computing and the development of cloud native technologies, more and more attackers are targeting cloud infrastructure, which faces an expanding Internet-exposed attack surface as well as more complex and more frequent attacks. Distributed denial of service (DDoS) is one of the major threats faced by cloud computing. Once a successful DDoS attack hits cloud infrastructure, enterprises often need hours or even days to recover their business. DDoS attacks on cloud infrastructure may also interrupt or halt critical business, and may even have a serious impact on public services. Therefore, it is necessary to develop specific anti-DDoS protection strategies for cloud infrastructure. Traditional DDoS protection strategies may fail to work for cloud infrastructure for the following reasons.

1. Most DDoS attacks targeting cloud infrastructure involve extremely high traffic volumes and ramp up within seconds. Simply expanding network bandwidth or adding host server resources is not sufficient to resist such high-volume attacks.

2. Because cloud computing resources are concentrated, DDoS attacks in cloud computing not only come from external sources; there is also the threat of denial-of-service attacks launched from internal virtual machines (VMs). The abundant computing resources of the cloud have extremely powerful processing capability, and while providing normal services to users they may also be exploited by attackers or malicious users to launch DDoS attacks and other malicious network activities from within the cloud infrastructure. Furthermore, the development of cloud native technologies has expanded the attack surface. For example, the use of container technology has increased the number of assets that enterprises need to manage, as has the container orchestration platform. DevOps improves the efficiency of developing, deploying and operating application business systems, but can introduce vulnerabilities due to developers' lack of security experience, which attackers can exploit. When microservices and serverless architectures are used, the main risks faced by cloud native applications include business logic defects, API abuse, unauthorized access and sensitive data leakage. Thus, cloud computing is more susceptible to both internal and external security threats.

3. As there are multiple cloud computing service models, the security requirements of the different deployment models and service categories vary as well. Due to the distributed and multi-tenant nature of cloud computing, remote login to cloud computing services is very common, and each program involves numerous entities. Insufficient management of identities, credentials, access and keys, misconfiguration of customers' cloud services, and inadequate change control can all increase the risk of being hit by a DDoS attack. To avoid increased DDoS risk due to unclear security responsibility, it is necessary to divide the security responsibilities of cloud service providers (CSPs) and cloud service customers (CSCs) in the different cloud computing service models, take corresponding anti-DDoS protection measures based on the security responsibilities of each role, and establish a security collaboration mechanism for anti-DDoS protection between CSPs and CSCs.

Because of the inherent characteristics mentioned above, protecting cloud computing infrastructure against DDoS attacks is more challenging. Therefore, it is necessary to develop specific guidelines on anti-DDoS protection for cloud infrastructure.

For example, to defend against DDoS attacks from outside the cloud infrastructure, it is necessary to implement abnormal traffic detection, attack traffic cleaning (scrubbing) and device security management adapted to the characteristics of cloud computing, such as distributed detection to improve detection and analysis capability, and a multi-party coordinated defense mechanism to achieve comprehensive security visibility across the whole cloud. To defend against DDoS attacks from inside the cloud infrastructure, it is necessary to deploy security measures such as intrusion detection systems (IDS) to inspect data packets, and to apply micro-segmentation (micro-isolation) to prevent unauthorized lateral movement within the cloud infrastructure, slowing the attack and achieving visibility of all traffic. This Recommendation will provide guidelines on anti-DDoS protection for cloud infrastructure at both the technical and managerial levels, and provide reference suggestions for CSPs, CSCs and third-party security vendors to help the relevant parties effectively improve the defense capability of cloud infrastructure against DDoS attacks.
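The following is an added example, not text or code from X.gapci or its editors, illustrating the distributed detection and cleaning decision described above. Several detection nodes each report per-destination flow counters for one time window; an analyzer aggregates them, compares the aggregate rate against a per-destination baseline, and decides between diverting external (north-south) attack traffic to scrubbing and isolating internal (east-west) VM sources with a micro-segmentation action. The internal address ranges, thresholds, baseline values and flow records are all constructed assumptions for illustration; the point it shows is that each node's partial view stays under threshold while the aggregate does not.

```python
"""Added example: aggregate per-node flow counters to detect volumetric DDoS
against a cloud destination and choose a mitigation. Not X.gapci code."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumption (constructed): address space of this cloud's tenant VMs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

# Assumption (constructed): learned normal packets-per-second per destination.
BASELINE_PPS = {"203.0.113.10": 30000.0, "10.20.1.5": 500.0, "203.0.113.20": 900.0}


@dataclass(frozen=True)
class FlowReport:
    node: str      # detection node that observed the flow
    src: str
    dst: str
    packets: int   # packets counted in this window


@dataclass
class Alert:
    dst: str
    pps: float
    baseline_pps: float
    distinct_sources: int
    internal_share: float   # fraction of packets from internal (tenant VM) sources
    nodes: int              # how many detection nodes contributed
    action: str
    isolate: tuple = ()     # internal sources to quarantine via micro-segmentation


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def aggregate(reports):
    """Merge counters per destination across all reporting nodes."""
    per_dst = defaultdict(lambda: {"packets": 0, "internal_packets": 0,
                                   "srcs": set(), "nodes": set()})
    for r in reports:
        a = per_dst[r.dst]
        a["packets"] += r.packets
        a["srcs"].add(r.src)
        a["nodes"].add(r.node)
        if is_internal(r.src):
            a["internal_packets"] += r.packets
    return per_dst


def detect(reports, baseline_pps, window_s=10, ratio=5.0, min_pps=20000.0):
    """Alert when aggregate pps exceeds both an absolute floor and ratio x baseline."""
    alerts = []
    for dst, a in aggregate(reports).items():
        pps = a["packets"] / window_s
        base = baseline_pps.get(dst, 0.0)
        if pps < min_pps or pps < ratio * max(base, 1.0):
            continue
        internal_share = a["internal_packets"] / a["packets"]
        if internal_share >= 0.5:
            # East-west flood from tenant VMs: quarantine the offending sources.
            offenders = tuple(sorted(s for s in a["srcs"] if is_internal(s)))
            action = "isolate-internal-sources"
        else:
            # North-south flood: divert the destination prefix to a scrubbing centre.
            offenders = ()
            action = "divert-to-scrubbing"
        alerts.append(Alert(dst, pps, base, len(a["srcs"]), internal_share,
                            len(a["nodes"]), action, offenders))
    return alerts


def sample_reports():
    """Constructed 10-second window seen by four edge detection nodes."""
    reports = []
    for i, node in enumerate(("edge-a", "edge-b", "edge-c", "edge-d")):
        # External flood: 50 spoofed sources per node, 1M packets per node (100 kpps each).
        for j in range(50):
            reports.append(FlowReport(node, f"198.51.100.{i * 50 + j}", "203.0.113.10", 20000))
        # Internal VM flooding another tenant service: 15 kpps per node.
        reports.append(FlowReport(node, "10.20.0.7", "10.20.1.5", 150000))
        # Benign traffic near baseline.
        reports.append(FlowReport(node, "192.0.2.33", "203.0.113.20", 2500))
    return reports


if __name__ == "__main__":
    reports = sample_reports()
    print("single node edge-a:", detect([r for r in reports if r.node == "edge-a"], BASELINE_PPS))
    for alert in detect(reports, BASELINE_PPS):
        print("aggregate:", alert)
```

With these numbers, `edge-a` alone sees 100 kpps toward 203.0.113.10, under the 5x baseline trigger, and 15 kpps toward 10.20.1.5, under the absolute floor, so it raises nothing; the four-node aggregate raises a scrubbing diversion for the external flood (200 distinct sources) and an isolation action naming 10.20.0.7 for the internal one. Real deployments would also track bytes, protocol mix and per-source entropy, and would tie the isolation action to the orchestration platform's network policy.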
Comment: -
Reference(s):
  Historic references:
-
Contact(s):
Lin Chen, Editor
Hang Dong, Editor
Nan Meng, Editor
Yue Shi, Editor
ITU-T A.5 justification(s):
-
First registration in the WP: 2024-03-12 14:41:02
Last update: 2024-03-12 14:45:19