Symmetric and asymmetric filtering of DDoS attacks: what and when to choose?
1 December 2022
Providers of Anti-DDoS services often offer to connect protection using the asymmetric scheme: only incoming traffic, that is, traffic going to the protected resources, is filtered, and outgoing traffic is not considered at all. In a number of other situations they use a symmetric scheme, in which not only incoming but also outgoing traffic, or service information about it, is analyzed. When should the asymmetric filtering scheme be preferred, and when the symmetric one?
Asymmetric scheme: easier, cheaper…
The asymmetric traffic filtering scheme is popular among both clients and Anti-DDoS providers.
This is largely due to its advantages:
- it is simpler in many ways, mainly because the client does not need to make additional changes to the infrastructure;
- it is cheaper: both the subscription fee for Anti-DDoS services and the traffic costs are lower;
- the connection to the service is faster — in a matter of hours;
- this scheme provides more opportunities for managing outgoing traffic, allowing the client to independently choose routes from various providers to reduce delays;
- accordingly, delays in the delivery of traffic are lower;
- the asymmetric scheme simplifies the use of DDoS sensors;
- it allows the use of the services of several Anti-DDoS providers simultaneously.
Anti-DDoS providers are also willing to offer the asymmetric scheme because it is easier to implement and scale, and it costs less: it requires less bandwidth and computing resources.
…But also more vulnerable
The problem with the asymmetric protection scheme is that it is ineffective against a number of DDoS attacks, for example TCP Reflection and Random UDP flood.
TCP Reflection attacks exploit the three-way handshake used to establish a TCP connection: an attacker sends fake SYN packets (note: it would be more correct to say “fake TCP segments with the SYN flag”, because a packet belongs to the IP protocol, not TCP, but we will continue to use the term “packet” for simplicity), in which the source IP address is replaced with the IP address of the victim node, to many IP addresses of other nodes (called reflection nodes), and these nodes send SYN+ACK packets to the victim. If the victim node does not respond with the ACK packet that the TCP service on the reflection node expects, the SYN+ACK packet is sent again, and thus an amplification effect is achieved. Such an attack can be filtered 100% only by analyzing both incoming and outgoing traffic, i.e. by using the symmetric protection scheme. StormWall, unlike most other protection providers, has its own TCP Reflection filtering mechanism for an asymmetric connection. It reduces the number of attack packets that reach the victim by tens or hundreds of times, but it is forced to let some of them through in order to check the legitimacy of connections and not deprive the protected resources of the ability to establish outgoing TCP connections to the Internet. This example demonstrates well the limitations of an asymmetric connection scheme, which should always be kept in mind.
In a Random UDP flood, the attacker sends a large number of UDP datagrams to different ports (most often the victim is a public IP pool of an Internet provider), with their sizes and ports selected randomly. The server tries to determine which application can process each datagram, and if it does not find a suitable one (in a flood, this is the case for the vast majority of UDP datagrams), it sends an ICMP Destination Unreachable packet in response. If the stream of UDP datagrams is large enough, the victim spends all its performance on processing them. To filter out such a flood, you need to analyze the outgoing traffic, find out which UDP sessions were actually requested by clients, and pass only the datagrams associated with these sessions. Without access to outgoing traffic, it is almost impossible to filter a Random UDP flood, so Anti-DDoS service providers using an asymmetric scheme in such cases simply shape (restrict) incoming traffic. An even more sophisticated version of this attack that we have to face is the replay of legitimate traffic from one provider with increased intensity and with the destination IP replaced by the IP of another (attacked) provider. In this case, the source IP addresses and the contents of the packets (payload) remain completely legitimate, and the only way to filter out such an attack at a low intensity is to use a symmetric connection.
To counter these and other similar DDoS attacks, a provider of asymmetric protection has to resort to various tricks; however, they do not secure the victim resource 100%, especially when it comes to Internet provider traffic (if a public TCP service is protected, you can simply block TCP SYN+ACK together with UDP and have no problems).
Symmetric scheme: more reliable, but also more expensive
Unlike asymmetric protection, the symmetric one makes it quite easy to filter the listed attacks using the features of the TCP protocol: it first establishes the connections itself, and if they are established successfully, then transfers them to the protected destination. To filter UDP traffic, symmetric protection analyzes not only incoming, but also outgoing UDP datagrams and passes only those that relate to previously opened (or legitimately established from the point of view of the filtering profile) UDP sessions.
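The state tracking that makes this possible can be sketched as follows. This is an added illustration, not StormWall's implementation: it records outgoing UDP datagrams and outgoing TCP SYNs, then passes an inbound UDP datagram or SYN+ACK only if a matching outgoing flow exists. The timeouts, class and function names, and sample traffic are assumptions constructed for the example.

```python
from collections import namedtuple

UDP_IDLE = 30.0  # assumed idle timeout for a UDP session, seconds
SYN_WAIT = 5.0   # assumed wait for a SYN+ACK after an outbound SYN, seconds
# direction: "out" leaves the protected network, "in" enters it; flags: "S", "SA"
Pkt = namedtuple("Pkt", "ts direction proto src sport dst dport flags")

class SymmetricFilter:
    """Pass inbound UDP and SYN+ACK only when outbound traffic explains them."""
    def __init__(self):
        self.flows = {}  # (proto, local, lport, remote, rport) -> expiry time

    def outbound(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if p.proto == "udp" or p.flags == "S":
            self.flows[key] = p.ts + (UDP_IDLE if p.proto == "udp" else SYN_WAIT)

    def inbound(self, p):
        if p.proto == "tcp" and p.flags != "SA":
            return True  # other TCP segments are outside this check
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        expiry = self.flows.get(key)
        if expiry is None or p.ts > expiry:
            self.flows.pop(key, None)  # unknown or expired flow: drop
            return False
        if p.proto == "udp":
            self.flows[key] = p.ts + UDP_IDLE  # active session: refresh
        return True

# Constructed sample traffic; all addresses are documentation ranges.
SAMPLE = [
    Pkt(0.00, "out", "udp", "203.0.113.10", 40000, "198.51.100.53", 53, ""),
    Pkt(0.05, "in", "udp", "198.51.100.53", 53, "203.0.113.10", 40000, ""),
    Pkt(0.10, "in", "udp", "198.51.100.7", 1234, "203.0.113.10", 9999, ""),
    Pkt(0.20, "in", "tcp", "198.51.100.80", 80, "203.0.113.10", 51000, "SA"),
    Pkt(1.00, "out", "tcp", "203.0.113.10", 51001, "198.51.100.80", 443, "S"),
    Pkt(1.02, "in", "tcp", "198.51.100.80", 443, "203.0.113.10", 51001, "SA"),
    Pkt(100.0, "in", "udp", "198.51.100.53", 53, "203.0.113.10", 40000, ""),
]

def verdicts(packets):
    """Return a pass/drop verdict for each inbound packet, in order."""
    f, result = SymmetricFilter(), []
    for p in packets:
        if p.direction == "out":
            f.outbound(p)
        else:
            result.append("pass" if f.inbound(p) else "drop")
    return result
```

Calling `verdicts(SAMPLE)` passes the requested DNS reply and the SYN+ACK that answers an outgoing SYN, and drops the random datagram, the unsolicited SYN+ACK and the reply that arrives after the session has expired.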
There are many other types of attacks against which a symmetric filtering scheme protects much better than an asymmetric one. Therefore, when connecting protection for critical applications and online software services at the L7 level of the OSI model, our company StormWall, as a rule, uses a symmetric scheme, and always uses it to protect sites and applications with disclosure of SSL certificates.
Of course, the symmetric scheme is not ideal: the price for its high reliability is higher connection costs, higher payment for Anti-DDoS services and traffic (since the volume of outgoing traffic is usually one or two orders of magnitude larger than the volume of incoming traffic), and, when the protected object is remote from the cleaning point, longer delays in packet transmission.
What to choose depends on your goals and requirements
When choosing between a symmetric and an asymmetric protection scheme, it is important to consider the following requirements and factors:
- You need to work with a DDoS protection provider to assess the risks of connecting only asymmetric protection and how relevant they are for your services.
- You also need to take into account the amount of traffic that you are ready to let inside the network: if the infrastructure inside the network perimeter has sufficient performance and can maintain availability when some part of the attacking traffic gets past the protection, then you can try to make do with an asymmetric scheme.
- In addition, it is necessary to assess how resistant your Internet applications and online services are to DDoS attacks. If they have enough performance margin to cope with the unfiltered part of the illegitimate traffic, then you can try to save money by connecting asymmetric protection. If application performance is critically important to you, or its margin is small, or you cannot control it, then you should choose a symmetrical scheme.
Our recommendations
Here are some recommendations that will increase the resilience of your resources to DDoS attacks.
- Profile traffic across different IPs or subnets. Placing different types of protected resources separately from each other will allow you to protect yourself from whole classes of threats in advance. For example, on IPs with websites, you can initially close all protocols except TCP and prohibit packets with SYN+ACK flags, which will increase security against a whole class of attacks. Meanwhile, on IPs with VDS or Internet users, the same restrictions can no longer be applied painlessly.
- If you decide to use the asymmetric scheme, also consider the option of emergency activation of the symmetric one in order to protect yourself from attacks that the asymmetric scheme cannot cope with.
In general, we recommend following a balanced approach to choosing a traffic filtering scheme to protect against DDoS attacks. First of all, we strongly advise you to carefully assess your own risks and take them into account when choosing a particular scheme.
We also consider it necessary to think through in advance a plan of action for the start of a serious DDoS attack, so that when it occurs you do not waste time thinking, but take clear steps that will minimize your damage.