Attack Vector: Application DDoS

Quick review of Netflix article.

Application DDoS

There is a blogpost on Netflix which describes a new attack vector called Application DDoS. While traditional DDoS attacks rely on causing heavy network traffic to overload a system, application DDoS relies on heavy computation to bring down a microservice architecture.

Let's start with how this is suppose to work. In a microservice architecture, you have a network of microservices that rely on each other. Calling one service can lead to that service calling multiple other services that call other services. This gives attackers the ability to make one request that actually makes many many more internal requests. By leveraging this idea, they can amplify their attack on the system.

a single request in a microservices architecture may generate tens of thousands of complex middle tier and backend service calls

This attack cannot be stopped by a traditional firewall because it may not know that the initial request is causing harm in lower layers. It may also not know how much work per request will generate later.

What to do

The first step is to understand how your system operates, and identify the inter-dependencies between systems. From there you will want to limit the impact on customer-facing services. If one service looks to be unstable, the rest of your services should work in a degraded state.

The real key here is to:

Putting a limit on the allowable work per request can significantly reduce the likelihood of exploitation.

Takeaway

Relationships between your services has important performance impacts.  DDoS attacks take advantage of these vulnerabilities, so we must be mindful of how these work, and to design robust systems that can defend against them.

Comments

Post a Comment

Popular posts from this blog

Uncle Bob's Clean Architecture

Image
The basis of my current understanding of architecture comes from the brilliant mind of Robert C. Martin (Uncle Bob). You can find the original post through his blog , which I strongly encourage you to read. In this post I'll try to summarize some of the key points I've understood from his post. Clean Architecture Source Clean architecture is a design used to emphasize the structure and relation of your various code components to promote the idea of Dependency Rule , such that "source code dependencies only point inwards" . Clean architecture is able to promote this by defining that your software system consists of various layers , that can be organized in such a way that the layers point in one direction, and a dependency graph will not have circular reference. The reason this is important is because it allows you to keep closely code related, and increase clarity of how components fit into your system. Explaining the Layers We can really separate out this
Read more

C4 Model: Describing Software Architecture

Image
The point behind a presentation of Visualizing Software Architecture , by Simon Brown, was that we need to standardize the way software developers communicate with each other in respect to our discussions of software architecture. As part of Simon's consultation, one exercise he gave to software architects was a simple task to white board the architecture of a software system. The results he received varied immensely, and there was never a defacto standard format that he received from this exercise. When inspecting the feedback from the participants, the general answer was that it was easy to come up with the design, but difficult to properly put their ideas onto paper, or white board in this case. White Board Example, c4model.com Simon sought to start a movement by defining a set of organizational rules to help us describe our software architecture with a set of standard terminologies. His work has let to C4 Model , which stands for C ontext, C ontainers, C omponents,
Read more

Running RabbitMQ with Docker

Image
Short post today, mostly just wanted to how to setup RabbitMQ for local development. Refer back to my previous post to learn more about RabbitMQ. Prerequisite Docker For complete guide reference, check out the Docker Hub Website for RabbitMQ . Why use Docker? Before starting my current job at iHerb, I would go straight for the Windows installation (my development environment) for all of my development tools needs. It was straight forward and "just worked" a lot of the time. What I've begun to realize experimenting with all these different tooling and services is that things can get a bit cluttered, you will have a bunch of supporting systems that need to be run - caches, queues, databases and it can be a hassle to manage them through window services and executables. Additionally some of these require additional dependencies outside of the executable itself, which prompts you to install even more tooling. The great thing about docker is that it defi
Read more