
This section of the ISM provides guidance on service continuity for online services.

Cloud-based hosting of online services

Using a cloud service provider can allow an organisation to build highly resilient online services due to the increased computing resources, bandwidth and multiple separate physical sites made available by the cloud provider. Organisations can achieve the same results using their own infrastructure; however, this may require significant upfront costs and may still result in a limited capability to scale dynamically to meet increased demand. In case of a denial-of-service attack, cloud-based hosting can also provide segregation from self-hosted or other cloud-hosted services, ensuring that other systems, such as email services, are not affected.

Security Control: 1437; Revision: 3; Updated: Jun-20; Applicability: O, P
A cloud service provider is used for hosting online services.

Location policies for online services

When using cloud service providers, organisations will need to consider whether they should lock their information to specific regions or availability zones. In doing so, organisations that specify locking policies will have an expectation that their information won’t be relocated to different regions or availability zones by the cloud service provider.

Security Control: 1578; Revision: 0; Updated: Jul-20; Applicability: O, P
Organisations are notified by cloud service providers of any change to configured regions or availability zones.

Availability planning and monitoring for online services

It is important that the connectivity between organisations and their cloud service providers meets organisational requirements for bandwidth, latency and reliability. To support this, organisations and cloud service providers should discuss and document any specific network requirements, performance characteristics or planned responses to availability failures, especially when requirements for high availability exist. This includes whether network connections between organisations and cloud service providers will use dedicated communication links, or connect over the internet, and whether any secondary communications links will provide sufficient capacity to maintain operational requirements should the primary communication link become unavailable.

Furthermore, capacity monitoring should be performed in order to manage workloads and monitor the health of online services. This can be achieved through continuous and real-time monitoring of metrics such as latency, jitter, packet loss, throughput and availability. In addition, feedback should be provided to cloud service providers when performance does not meet service level agreement targets. To assist with this, anomaly detection can be performed through network telemetry that is integrated into security monitoring tools.

Security Control: 1579; Revision: 0; Updated: Jul-20; Applicability: O, P
Cloud service providers’ ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes.

Security Control: 1580; Revision: 0; Updated: Jul-20; Applicability: O, P
Where a high availability requirement exists, online services are architected to automatically transition between availability zones.

Security Control: 1441; Revision: 2; Updated: Jul-20; Applicability: O, P
Where a requirement for high availability exists, a denial of service mitigation service is used.

Security Control: 1581; Revision: 0; Updated: Jul-20; Applicability: O, P
Organisations perform continuous real-time monitoring of the availability of online services.

Using content delivery networks

Similar to cloud-based hosting, the use of content delivery networks (CDNs) and denial of service mitigation services can allow an organisation to create highly resilient online services by leveraging the large bandwidth, geographically dispersed hosting locations, traffic scrubbing and other security controls offered by CDN and denial of service mitigation service providers.

The use of CDNs is particularly effective when serving static, bandwidth intensive media such as images, sound or video files. However, the services offered by a CDN can include more than basic content hosting such as web response caching, load balancing, web application security controls or denial of service mitigations.

Care should be taken when configuring the use of a CDN or denial of service mitigation service to ensure that the IP address of the organisation’s web server is not identifiable by an adversary as this could allow for protections to be bypassed. Additionally, appropriate network security controls should be applied to only allow communication between an organisation’s server, the CDN or denial of service mitigation service provider and the authorised management environment.

Security Control: 1438; Revision: 1; Updated: Sep-18; Applicability: O, P
Where a high availability requirement exists for website hosting, CDNs that cache websites are used.

Security Control: 1439; Revision: 1; Updated: Sep-18; Applicability: O, P
If using a CDN, disclosing the IP address of the web server under the organisation’s control (referred to as the origin server) is avoided and access to the origin server is restricted to the CDN and an authorised management network.
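One way to check the access restriction in control 1439 is to audit the origin server's ingress rules against the approved source ranges. The following is an added example, not part of the ISM; the rule format, rule names and address ranges are constructed (documentation ranges) and the function name is hypothetical.

```python
import ipaddress

# Constructed sample values (documentation ranges). Replace with the CDN
# provider's published ranges and the authorised management network.
CDN_RANGES = ["198.51.100.0/24", "2001:db8:100::/48"]
MGMT_RANGES = ["192.0.2.16/28"]

# Constructed ingress rules for the origin server: (name, source CIDR, port).
RULES = [
    ("cdn-https", "198.51.100.0/25", 443),
    ("mgmt-ssh", "192.0.2.16/28", 22),
    ("legacy-web", "0.0.0.0/0", 443),       # open to the whole internet
    ("cdn-wide", "198.51.0.0/16", 443),     # wider than the approved CDN range
    ("cdn-v6", "2001:db8:100:1::/64", 443),
]


def _nets(cidrs):
    """Parse approved ranges strictly so a typo with host bits set is rejected."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def audit_origin_rules(rules, cdn_ranges, mgmt_ranges):
    """Return the rules whose source is not wholly inside an approved range."""
    approved = _nets(cdn_ranges) + _nets(mgmt_ranges)
    findings = []
    for name, source, port in rules:
        src = ipaddress.ip_network(source, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        covered = any(
            src.version == net.version and src.subnet_of(net)
            for net in approved
        )
        if not covered:
            findings.append((name, source, port))
    return findings


if __name__ == "__main__":
    for finding in audit_origin_rules(RULES, CDN_RANGES, MGMT_RANGES):
        print("origin reachable outside CDN/management ranges:", finding)
```

A rule is only accepted when its whole source range sits inside an approved range, so a rule that merely overlaps the CDN range (such as the constructed `cdn-wide` rule) is still reported.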

Denial of service strategies

Denial-of-service attacks are designed to disrupt or degrade online services such as website, email and Domain Name System services. To achieve this goal, adversaries may use a number of approaches to deny access to legitimate users of online services:

  • using multiple computers to direct a large volume of unwanted network traffic at online services in an attempt to consume all available network bandwidth
  • using multiple computers to direct tailored traffic at online services in an attempt to consume the processing resources of online services
  • hijacking online services in an attempt to redirect legitimate users away from those services to other services that the adversary controls.

Although an organisation cannot avoid being targeted by denial-of-service attacks, there are a number of measures they can implement to prepare for and potentially reduce the impact if targeted. This includes engaging with their cloud service providers to identify the denial of service detection technologies that may be available for use. For example, real-time capacity reporting dashboards that provide out-of-band and real-time alerts based on organisation-defined thresholds can assist with the rapid identification of denial-of-service attacks. In addition, not all online services or functionality offered by an organisation may be business critical. Understanding what services can be offered with reduced functionality, deprioritised, disabled or lived without can help an organisation reduce or eliminate the impact on other more essential services or free up resources to respond to more critical services first.

Overall, preparing for denial-of-service attacks before they occur is by far the best strategy as it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.

Security Control: 1431; Revision: 2; Updated: Jul-20; Applicability: O, P
Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically:

  • their capacity to withstand denial-of-service attacks
  • any costs likely to be incurred as a result of denial-of-service attacks
  • thresholds for notification of denial-of-service attacks
  • thresholds for turning off online services during denial-of-service attacks
  • pre-approved actions that can be undertaken during denial-of-service attacks
  • denial-of-service attack prevention arrangements with upstream service providers to block malicious traffic as far upstream as possible.

Security Control: 1458; Revision: 1; Updated: Sep-18; Applicability: O, P
The functionality and quality of online services, how to maintain such functionality, and what functionality can be lived without during a denial-of-service attack, are determined and documented.

Domain name registrar locking

The use of domain name registrar locking can prevent a denial of service caused by unauthorised deletion or transferal of a domain, or other unauthorised modification of a domain’s registration details.

Security Control: 1432; Revision: 1; Updated: Sep-18; Applicability: O, P
Domain names for online services are protected via registrar locking and confirming domain registration details are correct.

Monitoring with real-time alerting for online services

Organisations should perform automated monitoring of online services with real-time alerting to ensure that a denial-of-service attack is detected and responded to as soon as possible.

Security Control: 1435; Revision: 1; Updated: Sep-18; Applicability: O, P
Availability monitoring with real-time alerting is implemented to detect denial-of-service attacks and measure their impact.
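The metrics named under availability planning (latency, jitter, packet loss) and the alerting described here can be combined into a per-window threshold check. The following is an added example, not part of the ISM; the probe data is constructed, the thresholds are hypothetical organisation-defined values, and jitter is assumed to be the mean absolute difference between consecutive replies.

```python
from statistics import mean

# Constructed probe results for one monitoring window: round-trip time in
# milliseconds, or None when the probe received no response.
WINDOW = [42.0, 45.0, 41.0, None, 120.0, 44.0, None, None, 250.0, 43.0]

# Hypothetical organisation-defined thresholds (not values from the ISM).
THRESHOLDS = {"latency_ms": 100.0, "jitter_ms": 30.0, "loss_pct": 20.0}


def summarise(window):
    """Compute mean latency, jitter and packet loss for one window of probes."""
    if not window:
        raise ValueError("window must contain at least one probe result")
    replies = [rtt for rtt in window if rtt is not None]
    loss_pct = 100.0 * (len(window) - len(replies)) / len(window)
    if not replies:
        # Total outage: no round-trip times exist to average.
        return {"latency_ms": None, "jitter_ms": None, "loss_pct": loss_pct}
    # Jitter (assumed definition): mean absolute change between consecutive replies.
    deltas = [abs(b - a) for a, b in zip(replies, replies[1:])]
    return {
        "latency_ms": mean(replies),
        "jitter_ms": mean(deltas) if deltas else 0.0,
        "loss_pct": loss_pct,
    }


def breaches(summary, thresholds):
    """Return the names of metrics that exceed their threshold, sorted."""
    out = []
    for metric, limit in thresholds.items():
        value = summary[metric]
        # A metric that could not be measured (no replies) counts as a breach.
        if value is None or value > limit:
            out.append(metric)
    return sorted(out)


if __name__ == "__main__":
    summary = summarise(WINDOW)
    print(summary, "ALERT:", breaches(summary, THRESHOLDS))
```

In the constructed window the mean latency stays under its threshold while jitter and packet loss both breach theirs, which is why alerting on a single averaged metric can miss the early stage of service degradation.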

Segregation of critical online services

Denial-of-service attacks are typically focused on highly visible online services, such as an organisation’s core website, in order to have a publicly noticeable impact. By segregating online services (e.g. having one internet connection for email and internet access and a separate connection for web hosting services) the impact of a denial-of-service attack can be limited to just a targeted service.

Security Control: 1436; Revision: 1; Updated: Sep-18; Applicability: O, P
Critical online services are segregated from other online services that are more likely to be targeted.

Preparing for service continuity

Depending on the nature of a denial-of-service attack, replacing a full-featured website with a minimal impact static version can help provide a level of service or information which would otherwise not be possible.

An organisation’s standard full-featured website may have higher processing or resource demands due to database integration or the presence of large media files such as high-resolution images or videos. These additional resource requirements may make the website more susceptible to denial-of-service attacks.

Security Control: 1518; Revision: 0; Updated: Sep-18; Applicability: O, P
A static version of a website is pre-prepared that requires minimal processing and bandwidth in order to facilitate at least a basic level of service when under a denial-of-service attack.

Further information

Further information on mitigating denial-of-service attacks can be found in the ACSC’s Preparing for and Responding to Denial-of-Service Attacks publication at