Defending against TB-level Traffic Attacks with Advanced Anti-DDoS systems
A Brief History of DDoS Prevention
DDoS (Distributed Denial of Service) attacks use a large number of valid requests to consume network resources and make services unresponsive and unavailable to legitimate users. DDoS is currently one of the most powerful cyber-attacks and one of the hardest to defend against.
DDoS is an old attack method that has been around the cybersecurity world for a long time, and DDoS prevention has gone through several distinct stages.
In the early days, no professional traffic scrubbing services were available to guard against DDoS attacks. Internet bandwidth was also relatively small, and most people used 56K modems for dial-up Internet access, so attackers could only exploit a small portion of the bandwidth. Defenders could generally prevent DDoS attacks simply by tuning kernel parameters and iptables, and those able to write kernel code could improve protection further with kernel protection modules.
In this phase, features built into Linux could basically defend against DDoS attacks. For SYN flood attacks, for example, the net.ipv4.tcp_max_syn_backlog parameter sets an upper limit on the SYN queue so that it does not fill up with half-open connections, and net.ipv4.tcp_tw_recycle and net.ipv4.tcp_fin_timeout control how many connections TCP keeps in the TIME-WAIT and FIN-WAIT-2 states; for ICMP flood attacks, iptables rules can drop or rate-limit ping packets, or filter malformed packets that do not comply with the RFCs. However, this protection method only optimizes a single server. As the intensity of resource-exhaustion attacks grew, it could no longer defend against DDoS attacks efficiently.
Professional Anti-DDoS Hardware Firewalls
Professional anti-DDoS hardware firewalls optimize power dissipation, forwarding chips, operating systems and many other components, and can meet the requirements of DDoS traffic scrubbing. IDC service providers generally buy anti-DDoS hardware firewalls and deploy them at the entry of a data center to provide scrubbing services for the entire data center. The performance of these scrubbing services has gradually evolved from the original 100 MB per machine to 1 Gbit/s, 10 Gbit/s, 20 Gbit/s, 100 Gbit/s or higher, and they basically cover attacks from layer 3 to layer 7 (such as SYN-FLOOD, UDP-FLOOD, ICMP-FLOOD, ACK-FLOOD, TCP connection flood, CC attacks, DNS-FLOOD, and reflection attacks).
However, this DDoS prevention method is very costly for IDC service providers. Scrubbing devices are required at the entry of each data center, and dedicated maintenance staff are needed to look after the devices and services. In addition, not all IDCs have equal scrubbing and protection capabilities: the uplinks of some small data centers may only have 20 GB of bandwidth and cannot make use of these scrubbing devices.
Advanced Anti-DDoS Systems with Secure IP Addresses in the Cloud Era
In the cloud era, services are deployed on various clouds or in traditional IDCs, and the DDoS scrubbing services on offer follow no consistent standard. Against super-large volumes of DDoS attack traffic, the data centers where services are hosted cannot provide matching protection capabilities. To protect the rest of the IDC's services from being affected, the "black hole" concept was introduced: once the attack traffic toward a server in the IDC exceeds the black hole triggering threshold, the IDC blocks Internet access for that server to stop the persistent attack and preserve the overall stability of the IDC.
In this situation, advanced anti-DDoS systems with secure IP addresses provide a complete anti-DDoS solution: high bandwidth is provisioned for whole data centers, traffic is diverted to these secure IP addresses, and only scrubbed traffic is forwarded to users' origin servers (source stations). This protection method supports the reuse of data center resources and allows data centers to focus on their intended role. It also simplifies DDoS prevention by providing DDoS scrubbing as a SaaS-style service.
Advanced anti-DDoS systems with secure IP addresses in the cloud era can meet the requirement for high bandwidth. They also allow users to hide their origin servers and to switch scrubbing service providers flexibly.
Key Components of Advanced Anti-DDoS Systems with Secure IP Addresses
Bandwidth and Network
Bandwidth and network are the first requirements for implementing DDoS protection. To defend against DDoS attacks efficiently, the first thing we need to do is establish a data center with high bandwidth. Currently, the mainstream data centers in China are single-line data centers (with only one network provider: China Telecom, China Unicom or China Mobile) and multi-line BGP data centers (with more than one network provider).
Multi-Line vs. Single Line Data Centers
What are the characteristics of single-line data centers and multi-line BGP data centers and what are the differences between them?
- Bandwidth and Cost: Single-line data centers have a moderate cost but require relatively high bandwidth (TB level) to prevent DDoS attacks. Multi-line BGP data centers may have higher initial costs but need relatively low bandwidth to prevent DDoS attacks.
- Access Quality: Single-line data centers have average access quality, because traffic crossing between operators' networks degrades performance. Multi-line BGP networking provides optimal routing and good access quality.
- Business Complexity: In a single-line data center, a user needs several IP addresses to be reachable across carriers, for example one China Telecom, one China Unicom and one China Mobile IP address, which makes the business complex. In a multi-line BGP data center, only one IP address is needed for multi-line connectivity, so business complexity is relatively low.
- Disaster Recovery: Disaster recovery is inadequate and inefficient for single-line data centers: if a data center encounters a network failure, failover can only be done at the business layer. BGP provides redundant backup and loop elimination. When an IDC supplier has multiple BGP interconnection lines, it can deploy routes in backup mode, and if one line fails, routing is automatically switched to another.
Another dimension is the maximum bandwidth. At present, 300 Gbit/s is just a basic protection capability; protection up to 1 Tbit/s, or unlimited protection solutions, is becoming the choice of more and more users.
TB-level protection capability in multi-line BGP data centers is also one of the future development objectives. Alibaba Cloud is dedicated to providing customers with Anti-DDoS Pro, which excels in both access quality and protection capability.
Large Traffic Scrubbing Cluster
This is another key technology. The core of DDoS scrubbing is the interception of attack traffic. The general attack types and countermeasures are as follows:
Once sufficient bandwidth is available, we need to consider how to scrub the DDoS attack traffic. Professional DDoS scrubbing devices generally adopt the following typical protection methods: discarding malformed packets and specific protocols, source reflection verification, and statistical rate limiting with behavior recognition. The attacks include SYN-FLOOD, UDP-FLOOD, ICMP-FLOOD, ACK-FLOOD, TCP connection flood, CC attacks, DNS-FLOOD, and reflection attacks.
- Discarding malformed packets and specific protocols is very simple: fixed rules drop reflection attack traffic and packets that do not follow the RFCs.
- Source reflection verification is a countermeasure against SYN flood attacks. Generally, reverse verification such as SYN cookies is used: the scrubbing device verifies the authenticity of access sources on behalf of the server by answering the SYN with a SYN-ACK whose sequence number is generated by a special algorithm. This algorithm takes many factors into account, such as the IP addresses and ports on both sides, and the returned ACK is checked against it. If the access is real and legitimate, the connection traffic is allowed through. Similarly, to defend against complex CC attacks, an image verification code (CAPTCHA) can be used to check whether a seemingly suspicious client is a real, legitimate customer.
- Statistical rate limiting and behavior recognition enable rate control based on blacklists, whitelists, user access rates, and behavior.
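The SYN cookie style of reverse verification described above, as an added example that is not part of the original article or of any vendor's device: the scrubbing device answers every SYN with a SYN-ACK whose sequence number is a keyed hash of both endpoints plus a coarse time slice, stores nothing, and later checks that the client's ACK carries that number plus one. The key, the 64-second slice and the HMAC construction are assumptions of this illustration, not the algorithm of a particular product.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

# Constructed key for this illustration; a scrubbing device would rotate it.
SECRET = b"constructed-demo-key"
SLICE_SECONDS = 64           # one time slice per 64 s of wall clock
SLICE_BITS = 5               # top 5 bits of the 32-bit ISN carry the slice
MAC_BITS = 32 - SLICE_BITS   # the remaining bits carry the keyed hash

def _slice(now):
    return (now // SLICE_SECONDS) & ((1 << SLICE_BITS) - 1)

def _mac(src_ip, src_port, dst_ip, dst_port, slice_):
    # Keyed hash over both endpoints and the time slice: the "special
    # algorithm" of the text, here an HMAC-SHA256 truncated to MAC_BITS.
    msg = ip_address(src_ip).packed + ip_address(dst_ip).packed
    msg += struct.pack("!HHB", src_port, dst_port, slice_)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)

def syn_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """ISN to send in the SYN-ACK. No per-connection state is kept, so a flood
    of SYNs from spoofed sources costs the device nothing but CPU."""
    s = _slice(now)
    return (s << MAC_BITS) | _mac(src_ip, src_port, dst_ip, dst_port, s)

def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now, max_age=1):
    """The ACK completing the handshake must carry our ISN + 1. Only a host
    that really received the SYN-ACK at src_ip can know that value."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    age = (_slice(now) - (isn >> MAC_BITS)) & ((1 << SLICE_BITS) - 1)
    if age > max_age:                     # stale cookie, e.g. a replayed ACK
        return False
    expected = _mac(src_ip, src_port, dst_ip, dst_port, isn >> MAC_BITS)
    got = isn & ((1 << MAC_BITS) - 1)
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", got))

if __name__ == "__main__":
    client, server = ("203.0.113.5", 40000), ("198.51.100.10", 80)
    isn = syn_cookie(*client, *server, now=1000)
    print("genuine ACK accepted:", verify_ack(*client, *server, (isn + 1) & 0xFFFFFFFF, now=1010))
    print("guessed ACK accepted:", verify_ack(*client, *server, 12345, now=1010))
```

Only after verify_ack succeeds would the device open the real connection toward the origin server; everything that fails is dropped without ever touching it.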
Judging from the current trend, DDoS prevention solutions require elastic scaling to defend against attacks better. Here the popularity of the 100 GB interface deserves a mention. Hashing for traffic load balancing is generally based on the 5-tuple. If a single interface has relatively low bandwidth (say, 10 GB or 40 GB) and the 5-tuple hash of the attack traffic is uneven, congestion on one interface is more likely, and that traffic then never reaches the scrubbing engines at all. This is also an important part of a large traffic scrubbing cluster.
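The uneven-hash problem from the paragraph above, worked through as an added example that is not part of the original article: a flood whose packets all share one 5-tuple lands on a single uplink no matter how many uplinks the cluster has, and whatever exceeds that link's capacity is dropped before any scrubbing engine sees it, whereas a flood spread over many spoofed sources hashes evenly. The hash function, the 300 Gbit/s attack size and the traffic mixes are constructed for the illustration.

```python
import hashlib
from collections import Counter
from random import Random

def five_tuple_hash(src_ip, dst_ip, proto, src_port, dst_port):
    # Constructed stand-in for the switch/NIC hash (usually a CRC or XOR of
    # these same fields); the exact function differs, the behaviour does not.
    key = f"{src_ip}|{dst_ip}|{proto}|{src_port}|{dst_port}".encode()
    return int.from_bytes(hashlib.blake2b(key, digest_size=4).digest(), "big")

def link_loads(flows, n_links):
    """Gbit/s landing on each of n_links uplinks. flows: [(five_tuple, gbps)]."""
    load = Counter({i: 0.0 for i in range(n_links)})
    for tup, gbps in flows:
        load[five_tuple_hash(*tup) % n_links] += gbps
    return load

def dropped_before_scrubbing(flows, n_links, link_gbps):
    """Traffic above a link's capacity is discarded at the link itself, so the
    scrubbing engines behind it never get a chance to filter it."""
    return sum(max(0.0, g - link_gbps) for g in link_loads(flows, n_links).values())

def fixed_tuple_flood(total_gbps):
    """Constructed: one source, one destination, fixed ports: a single 5-tuple."""
    return [(("203.0.113.7", "198.51.100.10", 17, 53, 53), total_gbps)]

def random_source_flood(total_gbps, n_flows, seed=7):
    """Constructed: many spoofed sources and ports, so the 5-tuple hash spreads."""
    rnd = Random(seed)
    per_flow = total_gbps / n_flows
    flows = []
    for _ in range(n_flows):
        src = f"198.18.{rnd.randrange(256)}.{rnd.randrange(256)}"
        flows.append(((src, "198.51.100.10", 17, rnd.randrange(1024, 65536), 53), per_flow))
    return flows

if __name__ == "__main__":
    attack = 300.0  # Gbit/s of attack traffic toward one destination
    for n_links, cap in ((10, 40.0), (4, 100.0)):
        single = dropped_before_scrubbing(fixed_tuple_flood(attack), n_links, cap)
        spread = dropped_before_scrubbing(random_source_flood(attack, 3000), n_links, cap)
        print(f"{n_links} x {cap:.0f}G uplinks: single 5-tuple drops {single:.0f}G, "
              f"spread flood drops {spread:.0f}G before scrubbing")
```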
Preventive Defense Planning
It is also very important to plan countermeasures to defend against DDoS attacks. Efficient planning requires years of DDoS prevention experience. In the case of new attacks and emergency incidents, quick analysis and decision making play a critical role in solving problems.
Load Balancing Devices and Security Components
Load balancing is a critical technology for advanced proxy protection. Load balancing includes layer-4 and layer-7 load balancing.
Layer-4 load balancing provides an exclusive IP address for each customer's business. Layer-4 server load balancing itself requires high-performance, highly available forwarding as well as security protection against connection attacks.
Layer-7 load balancing targets proxy protection for website services; HTTP/HTTPS support and defense against CC attacks are integrated into the layer-7 load balancing system.
- Exclusive IP address. If one IP address is under DDoS attack, other services are not affected, because resources are isolated.
- High availability and high scalability. You can scale your service based on the application load without interrupting service continuity, increasing or decreasing the number of backend servers as needed to expand the service capacity of your applications.
- Security capability. You can view information about incoming and outgoing traffic and implement refined DDoS protection at the domain, session or application level.
To achieve ultimate DDoS protection, in-depth security capability in layer 4 and layer 7 must be combined with large traffic scrubbing clusters.
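The statistical rate limiting with blacklists, whitelists and behavior recognition from the scrubbing section, applied at the domain level that the layer-7 bullet above describes, as an added example that is not part of the original article or of any product: a token bucket per (source, domain) enforces the access rate, static lists short-circuit the decision, and one behavioral rule bans a source that keeps hitting the limit. The policy numbers, the log format and the traffic are constructed for the illustration.

```python
from collections import defaultdict

class TokenBucket:
    """`rate` tokens per second refill, at most `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0.0

    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class L7RateLimiter:
    """Rate control per (source, domain) plus static lists and one behavioral
    rule: a source limited `strikes` times is banned for `ban_seconds`."""
    def __init__(self, rate, burst, whitelist=(), blacklist=(), strikes=20, ban_seconds=60.0):
        self.rate, self.burst, self.strikes, self.ban_seconds = rate, burst, strikes, ban_seconds
        self.whitelist, self.blacklist = set(whitelist), set(blacklist)
        self.buckets, self.violations, self.banned_until = {}, defaultdict(int), {}

    def decide(self, now, src, host):
        if src in self.whitelist:
            return "allow"
        if src in self.blacklist:
            return "drop:blacklist"
        if self.banned_until.get(src, -1.0) > now:
            return "drop:banned"
        bucket = self.buckets.setdefault((src, host), TokenBucket(self.rate, self.burst))
        if bucket.take(now):
            return "allow"
        self.violations[src] += 1
        if self.violations[src] >= self.strikes:   # behavior: keeps exceeding the rate
            self.banned_until[src] = now + self.ban_seconds
            self.violations[src] = 0
        return "drop:ratelimit"

def replay(limiter, log_lines):
    """Feed constructed access-log lines "<ts> <src_ip> <host>" and tally decisions."""
    tally = defaultdict(int)
    for line in log_lines:
        ts, src, host = line.split()
        tally[limiter.decide(float(ts), src, host)] += 1
    return dict(tally)

def constructed_log(src, host, requests_per_second, seconds):
    """Constructed traffic: one source sending evenly spaced requests to one domain."""
    step = 1.0 / requests_per_second
    return [f"{i * step:.4f} {src} {host}" for i in range(int(requests_per_second * seconds))]
```

With rate=5 and burst=10, a user browsing at 1 request/s is never touched, while a CC source at 100 requests/s gets a dozen requests through before the strike rule bans it for the rest of the window.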
Real-Time Data Analysis System
First, let's look at the data source. Many data source mechanisms are currently available. One well-known mechanism is to use NetFlow for sampled analysis and attack detection. 1:1 traffic splitting can also be used to obtain all traffic for statistics and detection; obviously, this method requires more resources and a more efficient data analysis system. Systems that receive more development and technical support generally achieve better analysis results.
After obtaining the original packets and data, we need to differentiate applications. Application differentiation can be done at the IP level, IP+port level, domain name level or other levels. Different services require different prevention methods, so we need to customize specialized prevention plans based on the characteristics of each specific service.
Current DDoS attack analysis no longer depends only on statistics-based algorithms; the theories and practices of behavior recognition and machine learning have been introduced into attack analysis. These algorithms help us defend against DDoS attacks better, and we should also consider how to apply them efficiently in users' attack protection efforts.
The preceding content reflects the Wooden Bucket Theory of DDoS attack protection: just as a bucket holds only as much water as its shortest stave allows, each aspect of attack prevention affects the overall protection effectiveness and efficiency. Future advanced anti-DDoS systems with secure IP addresses should feature elastic bandwidth, high redundancy, high availability, high access quality, and simple business integration. At the same time, combining OPENAPI-based DDoS protection with users' automated maintenance systems can bring higher security to the business and facilitate its growth.