Pros and Cons of Cloud Computing in dealing with DDoS

Stefan Fouant sfouant at
Sat Nov 7 13:33:44 CST 2009

> -----Original Message-----
> From: Florian Weimer [mailto:fweimer at]
> Sent: Friday, November 06, 2009 4:55 AM
> Not all attacks involve saturated pipes.
> There used to be anti-DDoS vendors whose boxes didn't even have WAN
> links.  Part of the problem is that operating systems come with TCP
> stacks and web servers which are not very robust, so it's pretty easy
> to create something which behaves spectacularly better under certain
> attacks.

I am in complete agreement with you here.  And I don't think the things I've
said are generally inconsistent with the views held by others.  The original
point I was trying to make before the discussion got so eloquently hijacked
towards a discussion on flooding and its impact on availability is that with
regards to cloud computing, if the discussion hasn't shifted from that of
DDoS to EDoS, it should.  Just take one look at Amazon's usage-based pricing
model, and one can envision that a surplus of resources could actually be
just as bad as a lack thereof.  How long do you think it will take for the
bad guys to realize that they don't need to cause an outage to cause havoc
to the victim?  A slow trickle of seemingly legitimate requests from just a
few thousand hosts performed over several days or weeks might give some
organizations pause and that $50k extortion might start looking pretty

I second Roland's comments with regard to the CIA triad, and his opinion
that availability of resources is the first among equals is spot on.  But
I'm willing to bet that if the attackers exploit the so-called elasticity of
the cloud and the subsequent associated financial costs, integrity is going
to take on a whole new level of importance.  BTW, heuristic/behavioral based
analysis has benefit here, it just needs to start happening on more granular

Getting back to the original discussion, I'd still like to hear what some of
you think are the Pros vs. the Cons of Cloud Computing in dealing with this
situation.  We've heard a few and now I'd like to hear what others have to
say.  BTW, I realize this is a sensitive subject and I can understand why
some of you might not want to respond on-list (security through obscurity
eh' ;).  To those of you who have taken the time to respond to me off-list,
I appreciate your feedback and promise to keep your identities confidential.


Stefan Fouant
GPG Key ID: 0xB5E3803D
