22 September 2022
What is needed to protect a network, apart from connecting the anti-DDoS service
Customers of DDoS protection services often perceive their anti-DDoS provider as a wizard or shaman: a little magic and cyberthreats simply cease to exist. In reality, it does not work that way - the effectiveness of protection depends not only on the professionalism of the anti-DDoS provider and the level of its technologies (although these are very important, of course), but also on the characteristics of the protected resources themselves.
Depending on the architecture and a number of other factors, different resources require different efforts and costs to achieve a similar level of protection. In other words, some resources are easy to protect from DDoS attacks, and it does not take much to do so - connecting the protection service properly is enough. Others, however, remain vulnerable even after connecting the best anti-DDoS services. This property of an Internet resource - its ability to maintain high resistance to DDoS attacks with a minimum of time, money and effort - is what we call protectability.
Below is a brief guide to improving the effectiveness of protecting networks and autonomous systems from DDoS attacks. It lists the aspects that should be taken into account.
Specifics of network protection
Ensuring the protectability of a network against DDoS attacks places high demands on how protection is organized. The network may host many different resources - websites, Internet applications and services - that belong not only to the owners of the network itself, but also to their customers. A strong DDoS attack on just one of these resources is enough to create a huge load on network devices: the volume of illegitimate traffic is so large that even powerful routers cannot handle it.
And these are not empty words. Even today, attacks with a capacity of several hundred gigabits per second are not uncommon, and not so long ago, for example, we recorded attacks with a capacity of 1.2 Tbit/s. Edge hardware and software appliances obviously cannot cope with such attacks on their own; therefore, cloud-based anti-DDoS services must be integrated.
Additional difficulties in organizing protection against DDoS attacks arise from the fact that network operators usually have a relatively large pool of IP addresses. Attackers can target many of them simultaneously with a large number of relatively weak DDoS attacks, hoping that the defenses will not notice them. The combined impact on edge devices can be severe, leading not only to reduced infrastructure performance, but also to more serious problems - from disruption of operational stability to node unavailability.
First perform an audit and develop a DDoS protection strategy
Before you start building network protection, we strongly recommend that you conduct an audit of the network itself as well as an information security (IS) audit.
First, this will help you better understand how your network is actually built and configured, how loads are distributed within it, what performance margin edge network devices and servers have, and how they are connected to other infrastructure components - so you can find out how the performance of individual pieces of edge equipment affects other elements of the infrastructure. Configuration management databases (CMDB) can be of great help here; many responsible network and data center owners maintain and service them.
Second, you need to find out which network services and ports are open on the edge equipment and which are disabled.
Third, it is necessary to understand what protection measures are already in place, how they are managed and coordinated, and how they interact with each other.
Fourth, it is very important to understand which devices, services, ports and IP addresses need to be protected from DDoS attacks. When determining this, remember that partial coverage by anti-DDoS services will not protect the network from attacks. You need comprehensive protection that covers all layers and is able not only to repel packet attacks at the network and transport layers (L3/L4), but also to protect DNS and HTTP/HTTPS services at the application layer (L7) from DDoS risks.
After gathering and analyzing information about the current state of the network and its need for protection against DDoS attacks, you will be able to develop a strategy for this area of information security and build all subsequent activities on it.
Collect network information for an anti-DDoS provider
The more information the customer provides to their anti-DDoS provider, the faster the provider can help and the more can be achieved in increasing protectability. (By the way, it is a good sign if the anti-DDoS provider itself asks you for detailed data about your network.)
Based on your network audit and information security audit, you can prepare a detailed description for the provider. Together, you can then not only choose the best option for connecting to DDoS protection, but also work out an action plan that will increase the security of your network, taking into account your interests - needs, scope, load, vulnerabilities, client configurations, etc.
The anti-DDoS provider wants to know the following details in particular:
- on which IP addresses your DNS servers are running;
- to which addresses the VPN gateways are connected;
- which IP addresses have a significantly higher traffic volume than others (e.g. NAT pools);
- whether caching proxies are used (e.g. Squid, BlueCoat) and on which IP addresses they are located;
- which IP addresses are used by caching services, e.g. Google Global Cache (GGC), Facebook Network Appliance (FNA), Netflix caching services, Akamai and others. Caching services generate sudden bursts of traffic from time to time, which anti-DDoS services often perceive as a DDoS attack and block. Information about caching services helps the provider configure DDoS protection properly;
- which IP addresses serve full-fledged Internet clients that require both incoming and outgoing connections on all protocols (VDS/VPS, end users), and which serve only specific services (web servers, shared hosting, individual services) - this information allows more accurate protection profiles to be created. If attackers try to probe the network, the anti-DDoS provider can then take more countermeasures.
In addition, it is useful to give the anti-DDoS provider information about the devices used for routing - this will help it assess their performance and, if necessary, recommend replacing slow devices and optimizing faster ones. For example, as an experienced anti-DDoS provider, we know for sure that a low-end MikroTik router becomes unreachable under even a weak attack of 100-200 thousand packets per second, so we define a stricter filtering policy for a network whose border is made up of MikroTik devices. By contrast, a modern Cisco ASR series router should be able to withstand traffic of 5-6 million packets per second. However, if we find that it cannot handle a higher load (including legitimate load), we give the customer recommendations that will improve not only the performance of this device, but also its resistance to DDoS attacks.
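To show how this inventory can be turned into something the provider can act on, here is an added example (not code from the original article or its author): a Python script that maps the audited address space to the roles listed above, attaches the filtering hints each role implies, and reports any range left uncovered or assigned twice. The prefixes, role names and filtering hints are constructed for illustration.

```python
"""Per-address protection profile for an anti-DDoS provider.

Added example, not code from the original article or its author.
Address ranges, role names and the filtering hints are constructed
for illustration (RFC 5737 documentation prefixes).
"""
import ipaddress

# Constructed: the public address space discovered during the network audit.
AUDITED_PREFIXES = ["198.51.100.0/24", "203.0.113.0/25"]

# Assumed roles, one per kind of address the provider asks about, with the
# hints a filtering profile needs: which ports a service role exposes, whether
# the hosts need unrestricted two-way traffic, and whether traffic bursts are
# legitimate (caching appliances and NAT pools) rather than a sign of attack.
ROLE_HINTS = {
    "dns":      {"ports": (53,),       "two_way_all_protocols": False, "bursts_legitimate": False},
    "vpn":      {"ports": (500, 4500), "two_way_all_protocols": False, "bursts_legitimate": False},
    "web":      {"ports": (80, 443),   "two_way_all_protocols": False, "bursts_legitimate": False},
    "client":   {"ports": (),          "two_way_all_protocols": True,  "bursts_legitimate": False},
    "nat_pool": {"ports": (),          "two_way_all_protocols": True,  "bursts_legitimate": True},
    "cache":    {"ports": (),          "two_way_all_protocols": True,  "bursts_legitimate": True},
}

# Constructed: how the audited space is carved up. 198.51.100.192/26 is left
# out on purpose to show how an uncovered range is reported.
ASSIGNMENTS = [
    ("198.51.100.0/28",   "dns"),
    ("198.51.100.16/28",  "vpn"),
    ("198.51.100.32/27",  "web"),
    ("198.51.100.64/26",  "client"),
    ("198.51.100.128/26", "nat_pool"),
    ("203.0.113.0/26",    "cache"),
    ("203.0.113.64/26",   "client"),
]


def _subtract(net, other):
    """Return the parts of `net` not covered by `other` (CIDR blocks nest, so
    an overlap means one contains the other)."""
    if not net.overlaps(other):
        return [net]
    if other.supernet_of(net):          # also true when the two are equal
        return []
    return list(net.address_exclude(other))


def build_profile(audited, assignments):
    """Return (profile, unassigned, overlaps).

    profile    - one entry per assignment with the role's filtering hints
    unassigned - audited address space no assignment covers; partial coverage
                 is exactly what leaves a network open, so this must be empty
    overlaps   - pairs of assigned prefixes that intersect (conflicting roles)
    """
    audited_nets = [ipaddress.ip_network(p) for p in audited]
    assigned, profile, overlaps = [], [], []
    for prefix, role in assignments:
        net = ipaddress.ip_network(prefix)
        if role not in ROLE_HINTS:
            raise ValueError(f"unknown role {role!r} for {prefix}")
        if not any(net.subnet_of(a) for a in audited_nets):
            raise ValueError(f"{prefix} lies outside the audited address space")
        overlaps.extend((str(net), str(o)) for o in assigned if net.overlaps(o))
        assigned.append(net)
        profile.append({"prefix": str(net), "role": role, **ROLE_HINTS[role]})

    unassigned = []
    for block in audited_nets:
        leftovers = [block]
        for net in assigned:
            leftovers = [part for left in leftovers for part in _subtract(left, net)]
        unassigned.extend(str(n) for n in sorted(leftovers))
    return profile, unassigned, overlaps


if __name__ == "__main__":
    prof, gaps, conflicts = build_profile(AUDITED_PREFIXES, ASSIGNMENTS)
    for entry in prof:
        print(f"{entry['prefix']:<20} {entry['role']:<9} ports={entry['ports'] or 'any'}")
    print("uncovered address space:", gaps or "none")
    print("overlapping assignments:", conflicts or "none")
```

The uncovered-range check is the part worth keeping: a block that appears in the audit but in no assignment is exactly the address space a protection profile would silently leave exposed.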
Close all unused ports and hide unused IP addresses
From the attacker's perspective, your network should be as much of a "black box" as possible. An attacker will probably try to find vulnerabilities, weaknesses and unprotected resources in it (even those that you yourself forgot about or overlooked during the audit) and launch a DDoS attack on them.
Therefore, it is very important to draw up a detailed list of used and unused network services and resources, and then block those that are not currently used - this will prevent DDoS attacks on them.
You also need to limit the attacker's ability to analyze your network as much as possible and make it difficult for them to investigate it. In particular, try to hide your peering IP addresses from traceroute, both from outside and from inside the network. After all, in addition to external attackers, there may be insiders working inside the network, including both your own specialists and employees of client companies that host their resources in it. Addresses that for some reason cannot or should not be hidden must be protected with access control lists (ACLs) - ask your anti-DDoS provider about this.
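As an added example (not from the original article), the following Python script carries out that comparison for one edge host: it parses listening sockets in the layout of ss -tulpn and flags every externally reachable service the audit did not approve. The ss rows and the allowlist are constructed sample data, not output captured from a real host.

```python
"""Audit listening services on an edge host against an approved allowlist.

Added example, not from the original article. SS_OUTPUT is a constructed
sample in the layout of `ss -tulpn`, not output captured from a real host,
and ALLOWED is an assumed allowlist produced by the audit.
"""
import re

SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53         0.0.0.0:*     users:(("named",pid=812,fd=20))
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*     users:(("snmpd",pid=640,fd=9))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=702,fd=3))
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=900,fd=7))
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=950,fd=21))
tcp   LISTEN 0      128             [::]:8080          [::]:*     users:(("java",pid=1200,fd=45))
"""

# Assumed allowlist: (protocol, port) pairs the audit approved for exposure.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53)}

# One `ss` row: protocol, state, queues, local addr:port, peer addr:port, optional process.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\(\(\"(?P<proc>[^\"]+)\")?"
)


def parse_listeners(text):
    """Turn `ss -tulpn` text into a list of listener dicts; the header line
    and any row the pattern does not recognise are skipped."""
    listeners = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            listeners.append({"proto": m["proto"], "addr": m["addr"],
                              "port": int(m["port"]), "process": m["proc"] or "?"})
    return listeners


def is_externally_reachable(addr):
    """A wildcard or interface address is reachable from the network;
    loopback binds are not."""
    return not (addr.startswith("127.") or addr == "[::1]")


def find_unexpected(listeners, allowed):
    """Externally reachable listeners the audit did not approve: candidates to
    shut down, or to cover with ACLs if they must stay."""
    return [l for l in listeners
            if is_externally_reachable(l["addr"]) and (l["proto"], l["port"]) not in allowed]


if __name__ == "__main__":
    for item in find_unexpected(parse_listeners(SS_OUTPUT), ALLOWED):
        print(f"close or restrict: {item['proto']}/{item['port']} "
              f"bound to {item['addr']} ({item['process']})")
```

Run against the constructed sample it reports SNMP, telnet and the Java service on 8080; the database bound to loopback is not flagged because it is not reachable from the network. On a real host the same logic applies to the output of ss -tulpn piped in, and the allowlist should be the list produced by the audit, not a guess.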
Ensure adequate performance of edge devices
Very often, the source of problems with DDoS attacks on networks is low-performance edge devices (routers, firewalls, load balancers, etc.). Usually they cope with the normal load, but go down under even weak DDoS attacks. Examples of such devices that we regularly encounter are Cisco ASA firewalls (especially older models) and MikroTik routers. We also often see devices designed for small offices rather than for telecom networks or data centers, as well as simply outdated devices - quite advanced for their time, but not sufficiently resistant to today's DDoS attacks.
Why is it not recommended to leave "slow" devices at the edge of the network? The fact is that even the best anti-DDoS services cannot always filter out 100% of an attack. And if even a small portion (let us say only 1%) of the illegitimate traffic that hits the network during a strong attack (e.g., one with a capacity of 50 Gbps) seeps through the anti-DDoS provider's filter, the load on the edge devices can increase by tens or even hundreds of times. In such situations, almost all processing capacity is spent trying to handle the incoming tsunami of traffic, and when stateful packet inspection (SPI) is enabled on the devices, their capacity is exhausted even faster. As a result, there is no capacity left for legitimate requests, and the devices cannot even report what is happening to them, nor can anyone find out, because they become virtually inaccessible.
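The following Python snippet, an added example rather than part of the original article, puts numbers on that argument: it converts the leaked share of an attack into packets per second for a given frame size and compares the result with the per-second packet budgets the article quotes for a low-end MikroTik router and a modern Cisco ASR router. The 50 Gbps attack, the 99% filter efficiency and the 10,000 pps baseline load are constructed scenario values.

```python
"""How much leaked attack traffic an edge device must absorb.

Added example, not from the original article. It turns the article's
reasoning (a 50 Gbps attack, 1% leaking through the filter, small packets)
into numbers; the per-second packet budgets of the two device classes are
the figures quoted in the article, and the baseline load is constructed.
"""

# Per-packet Ethernet overhead not counted in the frame size: 8-byte preamble
# and 12-byte inter-frame gap. The 4-byte FCS is included in the frame size.
ETH_OVERHEAD_BYTES = 20

# Packet rates at which the article says each device class is saturated.
DEVICE_PPS_BUDGET = {
    "low-end MikroTik router": 200_000,     # "100-200 thousand packets per second"
    "modern Cisco ASR router": 5_000_000,   # "5-6 million packets per second"
}


def pps_from_bps(bits_per_second, frame_bytes):
    """Packets per second a bit rate carries when every frame is `frame_bytes` long."""
    return bits_per_second / ((frame_bytes + ETH_OVERHEAD_BYTES) * 8)


def leaked_pps(attack_gbps, filter_efficiency, frame_bytes):
    """Packet rate that still reaches the edge after the provider filters
    `filter_efficiency` (0..1) of an `attack_gbps` flood of fixed-size frames."""
    leaked_bps = attack_gbps * 1e9 * (1.0 - filter_efficiency)
    return pps_from_bps(leaked_bps, frame_bytes)


def edge_load_report(attack_gbps, filter_efficiency, frame_bytes, baseline_pps,
                     budgets=DEVICE_PPS_BUDGET):
    """Compare leaked plus normal packet load with each device's budget."""
    leak = leaked_pps(attack_gbps, filter_efficiency, frame_bytes)
    total = leak + baseline_pps
    return {
        "leaked_pps": leak,
        "load_multiplier": total / baseline_pps,   # how many times the normal load
        "devices": {name: ("overloaded" if total > cap else "ok")
                    for name, cap in budgets.items()},
    }


if __name__ == "__main__":
    # Constructed scenario: 50 Gbps attack, 99% filtered, 10,000 pps of
    # legitimate traffic in normal operation, three frame sizes.
    for frame in (64, 512, 1500):
        r = edge_load_report(50, 0.99, frame, 10_000)
        print(f"{frame:>5}-byte frames: {r['leaked_pps']:>10,.0f} pps leak, "
              f"{r['load_multiplier']:.0f}x normal load, {r['devices']}")
```

With 64-byte frames the 1% leak alone is roughly 744,000 pps, about 75 times the baseline, which is well past the MikroTik budget and comfortably inside the ASR budget; at 1500-byte frames the same 500 Mbps is only about 41,000 pps. Packet rate, not bit rate, is what decides whether an edge device survives, which is why the frame size is a parameter here.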
The network audit mentioned earlier helps identify edge network devices that do not have sufficient performance margin. Detected slow devices should be replaced with faster ones, otherwise the effect of connecting to the anti-DDoS service will be low and the risks associated with DDoS attacks will be high.
You should also keep in mind that a strong attack can exhaust not only the performance of network devices, but also the bandwidth of your Internet links. Therefore, we strongly recommend expanding existing links and connecting backup ones.
Perform a stress test
You can test the network for its protectability against relatively weak DDoS attacks by performing stress tests with publicly available tools, such as the hping3 utility included in many Linux distributions. It allows you to simulate different types of attacks with different parameters. Note that you should use it carefully, gradually increasing the load on the network.
Stress tests should also be performed systematically after the protection is connected - this will help you understand what consequences to expect when even a small amount of DDoS attack traffic reaches your network. You will also be able to see how your anti-DDoS provider's technical support responds to the attack: will they respond to your request, will they respond quickly if the attack began outside business hours, etc.
Protect DNS servers
Attacks on DNS servers became the second most common type of DDoS attack (after HTTP flood) in the first half of 2022, so you need to pay special attention to their protection. Otherwise, there is a risk that DNS servers exposed to a DDoS attack will operate unstably, and users will have problems with resource availability.
A DNS server located inside your network can be protected via a BGP announcement - of course, only if your anti-DDoS provider is able to filter DNS attacks. If it is (and this is not the case for every provider!), you need to give it the addresses of your DNS servers and ask it to configure traffic filtering accordingly.
Build and develop processes that coordinate with other information security processes
It is very important to ensure that measures to protect the network from DDoS attacks are carried out as part of a comprehensive information security (IS) strategy. In other words, this protection should be organically integrated into your organization's IS system and its plans for developing protection against cyber risks, and should be developed in close coordination with other areas of information security. Accordingly, the processes that provide protection against DDoS risks should be well coordinated with other information security processes, including vulnerability management, configuration management, incident management, and monitoring and auditing.
And as DDoS threats and risks grow and evolve, you need to keep adapting your network's protection against DDoS attacks: conduct regular network and security audits, analyze the network for possible vulnerabilities, study the nature of attacks and their consequences, perform stress tests, etc. In addition, consult your anti-DDoS provider on increasing the security of your resources and on promptly eliminating network vulnerabilities that could be exploited by new types of attacks.
To sum up, here are the main steps for increasing the protectability of your network:
- perform an audit and develop a DDoS protection strategy
- collect network information for an anti-DDoS provider
- close all unused ports and hide unused IP addresses
- ensure adequate performance of edge devices
- perform stress tests
- protect DNS servers
- build and develop processes that coordinate with other information security processes