2 June 2022
When an attacker knows your infrastructure better than you do, or the most trivial mistakes in connecting DDoS protection
Owners of Internet resources who try to protect them from DDoS attacks often make mistakes that undo their efforts and their investment in protection. Perhaps the most dangerous of these is the illusion, common among organizations that have bought DDoS protection, that they are now automatically on the safe side.
Meanwhile, attackers can exploit such mistakes and end up knowing your infrastructure better than you do. For example, they can attack the inside (the back end) of your Internet service directly, bypassing the protection. To do so they need the real IP addresses of the service and the domains tied to them, and these are often easy to obtain. When DDoS protection is connected, the client is usually assigned a new IP address to which all traffic is redirected, while the previous address of the resource keeps serving the application. That previous address may already be known to the attackers, or they can find it through various passive DNS services that keep the full history of a domain's address changes and show on which IP addresses a given domain has ever been seen. They can also read the real address of the resource out of the headers of e-mail sent by your own mail servers: the Received lines added at each hop of the SMTP path record the IP address of the connecting host.
Using relatively simple methods, attackers can enumerate all of your Internet-facing resources and pick out the unprotected ones. We have met many customers who protected only part of their resources from DDoS attacks while the rest remained unprotected. If only part of your resources is protected, you can be sure that motivated attackers will find the rest and direct the attack straight at them. It is therefore in your interest to understand in advance what can happen to your network and applications, and to take measures to protect them.
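The two discovery paths described above (comparing the DNS inventory of a zone against the protection provider's address ranges, and pulling origin addresses out of the Received headers of your own outbound mail) can be turned into a self-check that you run before an attacker does. The script below is an added example and not StormWall's code; the prefixes, the zone example.com, its records and the mail headers are all constructed documentation values, and in practice the DNS inventory would come from your zone files or a passive-DNS export.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Address ranges your DDoS protection provider routes your traffic through.
# Constructed example values (RFC 5737 / RFC 3849 documentation ranges), not real scrubbing prefixes.
PROTECTED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed DNS inventory for the hypothetical zone example.com, in the shape an attacker
# gets back from passive-DNS or subdomain enumeration: name -> current A/AAAA answers.
DNS_RECORDS: Dict[str, List[str]] = {
    "example.com": ["203.0.113.10"],            # moved behind protection
    "www.example.com": ["203.0.113.10"],
    "api.example.com": ["2001:db8:100::20"],    # protected IPv6 front end
    "mail.example.com": ["198.51.100.25"],      # origin network, reachable directly
    "dev.example.com": ["198.51.100.40"],       # forgotten staging host on the origin network
}

# Constructed headers of a message sent by the site's own mail system, as the recipient sees them.
# Each MTA on the path prepends a Received: line naming the host it accepted the message from.
SAMPLE_HEADERS = """\
Received: from mx.example.com (mx.example.com [198.51.100.25])
\tby mail.partner.example (Postfix) with ESMTPS id 4LvN2x1Q0dz
\tfor <ops@partner.example>; Thu,  2 Jun 2022 10:12:33 +0000
Received: from app01.example.com (app01.example.com [198.51.100.7])
\tby mx.example.com (Postfix) with ESMTP id 8F3aQ1x2T7z;
\tThu,  2 Jun 2022 10:12:30 +0000
From: noreply@example.com
Subject: Password reset
"""

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def is_protected(ip: str, prefixes: Iterable) -> bool:
    """True if the address falls inside one of the protection provider's prefixes."""
    addr = ipaddress.ip_address(ip)
    # `addr in net` is False when the IP versions differ, so v4/v6 can be mixed freely.
    return any(addr in net for net in prefixes)


def unprotected_dns(records: Dict[str, List[str]], prefixes: Iterable) -> Dict[str, List[str]]:
    """Return every name whose answers include an address outside the protected prefixes."""
    exposed: Dict[str, List[str]] = {}
    for name, answers in records.items():
        leaks = [ip for ip in answers if not is_protected(ip, prefixes)]
        if leaks:
            exposed[name] = leaks
    return exposed


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Unfold RFC 5322 headers: lines starting with whitespace continue the previous field."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # an empty line ends the header section
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def origin_ips_from_headers(raw: str, prefixes: Iterable) -> List[str]:
    """Addresses in Received: lines that are not behind protection, first hop seen first."""
    exposed: List[str] = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        for candidate in IP_IN_BRACKETS.findall(value):
            try:
                addr = str(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # bracketed text that was not an address
            if not is_protected(addr, prefixes) and addr not in exposed:
                exposed.append(addr)
    return exposed


if __name__ == "__main__":
    for name, ips in unprotected_dns(DNS_RECORDS, PROTECTED_PREFIXES).items():
        print(f"UNPROTECTED {name}: {', '.join(ips)}")
    for ip in origin_ips_from_headers(SAMPLE_HEADERS, PROTECTED_PREFIXES):
        print(f"ORIGIN LEAKED VIA SMTP: {ip}")
```

Run against the constructed data, the script flags mail.example.com and dev.example.com as reachable outside the protected prefixes and shows that a single password-reset e-mail reveals both the mail relay (198.51.100.25) and the application server behind it (198.51.100.7). Anything this check reports is exactly what an attacker will aim at, so each such address either needs to move behind the protection or be firewalled so that it accepts traffic only from the protection provider.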
If you have your own autonomous system and prefix, or use dynamic routing based on BGP, you need to protect not only your Internet resources but the network itself. An attack can be aimed directly at an unprotected IP address, and if it is strong enough, your network will be in danger even if a firewall or ACL shields that address from unwanted traffic: the filtering device, and the uplink in front of it, still has to receive every packet before it can drop it. In December 2021 and January 2022 we observed attacks of 1.2 Tbit/s almost every day. Attacks of that size can overload not only your devices and Internet bandwidth but your provider's entire network. You therefore need to decide in advance how you will protect the back-end components of your Internet applications, and if you use BGP, protection at the BGP level, that is, of the announced prefix as a whole rather than of individual addresses, is also necessary.
Of course, the possibility of attacks on DNS must also be taken care of: if your nameservers are unreachable, the protected site is just as unreachable as the unprotected one. There are two recommendations:
- Have at least two independent DNS providers (these can be two online services, or one can be the company's own DNS server and the other an online service).
- At least one of them must be protected from DDoS (StormWall provides such protection).
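Both recommendations can be checked mechanically from the zone's NS set. The script below is an added example, not StormWall's tooling; the zone example.com, the nameserver names and the operator name dns-provider.example are constructed, and the grouping of nameservers into operators by their registrable domain (last two labels) is a deliberate simplification, since a real check would use a public-suffix list and ideally the ASN behind each server. Nameservers inside the zone itself are treated as the company's own and therefore as a single operator, which is the case that most often gets mistaken for redundancy.

```python
from typing import Dict, Iterable, List, Set


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Assumption: no public-suffix list, so a server under a
    two-level TLD such as .co.uk would be grouped wrongly; use a PSL library in production."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def dns_operators(zone: str, ns_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Group nameserver hostnames by who operates them.
    In-bailiwick servers (names inside the zone) are the organization's own and count as ONE
    operator no matter how many of them there are: ns1/ns2.example.com sit on the same network."""
    zone = zone.rstrip(".").lower()
    groups: Dict[str, List[str]] = {}
    for host in ns_hosts:
        h = host.rstrip(".").lower()
        in_bailiwick = h == zone or h.endswith("." + zone)
        operator = "self-hosted" if in_bailiwick else registrable_domain(h)
        groups.setdefault(operator, []).append(h)
    return groups


def check_dns_redundancy(zone: str, ns_hosts: Iterable[str], protected_operators: Set[str]) -> List[str]:
    """Apply the two recommendations; an empty list means both are met.
    protected_operators: operators (as named by dns_operators) known to be behind DDoS protection."""
    groups = dns_operators(zone, ns_hosts)
    findings: List[str] = []
    if len(groups) < 2:
        findings.append(
            f"only one DNS operator ({', '.join(groups)}): one outage or attack takes the whole zone offline"
        )
    if not any(op in protected_operators for op in groups):
        findings.append("no nameserver set is behind DDoS protection")
    return findings


# Constructed NS sets for the hypothetical zone example.com.
SELF_HOSTED_ONLY = ["ns1.example.com", "ns2.example.com"]
SINGLE_PROVIDER = ["a.dns-provider.example", "b.dns-provider.example"]
MIXED = SELF_HOSTED_ONLY + SINGLE_PROVIDER
PROTECTED = {"dns-provider.example"}  # constructed: assume this operator is DDoS-protected

if __name__ == "__main__":
    for label, ns_set in (("self-hosted", SELF_HOSTED_ONLY), ("one provider", SINGLE_PROVIDER), ("mixed", MIXED)):
        findings = check_dns_redundancy("example.com", ns_set, PROTECTED)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The first two sets each look redundant on paper (two nameservers), yet both fail the first recommendation because both servers belong to one operator; the self-hosted set fails the second as well. Only the mixed set, with the company's own servers plus a protected external service, passes both.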
As our experience shows, partial DDoS protection is essentially useless. Protection has to be organized comprehensively, securing the whole chain through which traffic flows, from the DNS layer down to the back-end components of the applications. And you need to make sure in advance that each of your resources is adequately protected, rather than waiting for a sudden attack to deal them a devastating blow.