Can we stop DDoS attacks once and for all?

Distributed Denial of Service attacks are an increasing threat on the Internet. We talk about the problem and how mitigating these attacks is one of the primary goals of The Unigrid Foundation.

Denial of Service attacks or Distributed Denial of Service attacks are all about volume. An attacker sends high volumes of different types of traffic towards a vulnerable server. The purpose is to overload the server, servers or network switches, effectively causing a situation where they cannot keep up with requests. This results in the service being hard to reach for real users and in many cases creates a situation where the service is completely blocked and inaccessible.

An example of a DDoS (Distributed Denial of Service) attack. The attacker controls a number of servers, either compromised machines or servers of his own. He then directs enough traffic at the target to negatively affect it, causing service disruptions. (Image source: Wikipedia)

The complexity and size of DDoS attacks are increasing at a frightening rate as connectivity and network speeds across the globe keep increasing. Attackers are constantly developing new techniques to disrupt systems. To list just a few of them:

Cyberwarfare by states has also become an increasing threat to government agencies and important infrastructure, with a lot of proof pointing to Russia or Russian interests regularly attacking other states.

Distributed Denial of Service attacks are growing at an exponential rate. (Image source: Google)

Google Cloud recently conducted an investigation into the topic. Google has also developed services such as Google Cloud Armor and Cloud Load Balancing to help customers mitigate these issues. However, because Google Cloud is still a centralized service tied directly to one provider, it remains inherently vulnerable to these attacks. While we applaud Google for their efforts, unlike Unigrid, these services are neither transparently available nor free to use. Protection and service stability should NOT be an option; they should be a right, as well as a natural part of the service and the network infrastructure. Anything else is unacceptable.

We can do better

One of the primary goals and purposes of The Unigrid Foundation is to allow for the deployment of protected services on the Internet, making them more resilient to disruption and DDoS attacks. The network will achieve this by employing transparent sharding, load-balancing and segmentation. With the Unigrid network, there is no longer a single point of failure that can be targeted. Instead, the network is load-balanced, with the services and their data spread out over the network. To protect the network further, it can also filter traffic and apply DDoS protection rules as packets are routed through the gridnodes of the network.

A DDoS attack on the Unigrid network

Let's consider a theoretical attack on the Unigrid network, in which the attacker tries to disrupt a website running on the network, and what the attacker would be faced with even when only a modest number of gridnodes are deployed. The attacker would be faced with a topology similar to this one:

The data is spread out among ten shard groups with ten gridnodes in each group. While not depicted here, a gridnode may actually be a member of multiple shard groups if its resource load allows. The website data is spread out among these shard groups, with a small piece in each. When making a request, a small piece is fetched from each shard group. In this example, the bottom two shard groups contain parity data, so the attacker would have to completely disrupt three shard groups (a total of 30 servers) in order to make the website completely inaccessible.

As depicted in the topology above, services on the Unigrid network are spread out with data sharded across several shard groups. Each shard group consists of a number of gridnodes.
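The redundancy margin of the topology described above can be checked with a small availability model. This is an added example, not Unigrid code: it assumes a shard group is lost only when every one of its gridnodes is down, and that the site stays readable while no more shard groups are lost than there are parity groups. The function names, node identifiers and the overlapping layout are constructed for illustration.

```python
from itertools import combinations
from math import comb

def build_disjoint(n_groups=10, nodes_per_group=10):
    """The article's layout: every gridnode belongs to exactly one shard group."""
    return {g: {f"g{g}-n{i}" for i in range(nodes_per_group)} for g in range(n_groups)}

def build_overlapping():
    """Constructed variant: groups 0-2 each keep 5 own nodes and share 5 others."""
    groups = build_disjoint()
    shared = {f"shared-n{i}" for i in range(5)}
    for g in (0, 1, 2):
        groups[g] = set(sorted(groups[g])[:5]) | shared
    return groups

def site_available(groups, down_nodes, parity_groups=2):
    """A group is lost only when all of its members are down (assumption)."""
    lost = sum(1 for members in groups.values() if members <= down_nodes)
    return lost <= parity_groups

def min_nodes_for_outage(groups, parity_groups=2):
    """Fewest node failures that lose parity_groups + 1 groups at once:
    the smallest union of members over any such combination of groups."""
    need = parity_groups + 1
    return min(len(set().union(*(groups[g] for g in combo)))
               for combo in combinations(groups, need))

def outage_probability(n_groups, nodes_per_group, parity_groups, p_node_down):
    """Exact outage probability for disjoint groups when each node is
    independently down with probability p_node_down."""
    p_group = p_node_down ** nodes_per_group
    return sum(comb(n_groups, k) * p_group ** k * (1 - p_group) ** (n_groups - k)
               for k in range(parity_groups + 1, n_groups + 1))

if __name__ == "__main__":
    disjoint, overlap = build_disjoint(), build_overlapping()
    print("margin, disjoint groups:   ", min_nodes_for_outage(disjoint))
    print("margin, overlapping groups:", min_nodes_for_outage(overlap))
    print("outage probability with half of all nodes down at random:",
          outage_probability(10, 10, 2, 0.5))
```

With disjoint groups the margin matches the 30 servers stated above; when gridnodes sit in several shard groups, the same check shows how much the margin shrinks, which is worth verifying before allowing shared membership.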

How effective the Unigrid network will be against these types of attacks is extremely difficult to predict. The network might not be able to completely thwart all DDoS attacks out there, but with its built-in sharding, segmentation, fault tolerance and packet filtering, it will be able to throw a very big wrench in the direction of any attackers trying to disrupt services and data on the network.