17 May 2021
DDoS protection technologies
Modern business is becoming more and more dependent on information technology. Large-scale digital transformation programs have significantly increased the importance of digital interaction channels with customers and partners. Moreover, the massive shift to remote work has forced businesses to hastily build digital communication channels with their own employees as well. As a result, the network infrastructure and information resources connected to the Internet have become critical for many enterprises, and the risks associated with them have become business risks because the downtime of these resources or denials of service lead to significant losses and reputational costs.
This is exactly what cybercriminals exploit by regularly launching attacks on networks, websites, and all kinds of Internet services. They use a variety of approaches and tools, and DDoS attacks are a favourite: they are inexpensive to organize and carry out while being quite effective in their impact on the victim's business.
The damage from a successful DDoS attack is primarily financial and reputational: lost profits, terminated contracts and user churn, numerous customer complaints, a wave of negativity in the media and social networks and, as a result, damage to the reputation of the Internet resource and its owner. A DDoS attack is also often used as a smokescreen for the main malicious action in targeted attacks: while information security specialists concentrate on repelling the DDoS attack and restoring systems, the attackers pursue the main attack vector, for example compromising a service, stealing confidential data or installing malware.
The most common targets for DDoS attacks are the government, financial institutions, gaming services, and e-commerce companies. With the onset of the pandemic, attacks on educational resources, video conferencing services, online cinemas, media and entertainment sites have greatly increased.
In the event of a successful attack, the victim resource either shows a significant drop in performance or cannot process legitimate requests from users and other services at all. Depending on what exactly the victim is, the consequences may be slow operation or inaccessibility of the network, server, Internet service, website or application: the resource freezes, legitimate users cannot reach it when they need to, the network or server is temporarily cut off from the Internet, the resource stops working correctly, and so on.
The targets of DDoS attacks are often devices connected to the Internet: network equipment, physical and virtual servers, various Internet services, websites and web applications, IoT infrastructure.
Most attacks develop in the following sequence:
- Reconnaissance: collecting and analysing data about the victim to identify obvious and potential weaknesses, and choosing the attack method;
- Preparation: building a network of bots (botnet) by deploying malicious code on computers and Internet-connected devices the attacker has managed to compromise;
- Execution: generating a stream of malicious requests from the many devices under the attacker's control;
- Assessment: if the objectives were not achieved, the attacker analyses the collected data more thoroughly and looks for other attack methods (back to step 1).
Some types of attack use so-called amplification. Its effect can be so strong that an attack succeeds without any botnet, from one or a few computers. The attacker sends requests to third-party servers (reflectors such as open DNS resolvers or NTP servers) with the source IP address spoofed to the victim's address, so the servers send their responses to the victim; and since a response can be several or even dozens of times larger than the request that triggered it, the attacker's own bandwidth is multiplied accordingly.
Smart DDoS attacks deserve a separate mention: the attackers pick the most resource-intensive functions of a web application as the specific target and overload them, causing a denial of service for the application, usually without saturating the network links at all. The effect can be very strong even when the attack is carried out from a single computer without a botnet (i.e. a DoS rather than a DDoS attack).
Most often, attacks are classified by the OSI layer at which they are carried out:
- Network layer (L3): DDoS attacks over IP, DVMRP, ICMP, IGMP, PIM-SM, IPsec, IPX, RIP, DDP, OSPF. The targets are primarily network devices, i.e. switches and routers.
- Transport layer (L4): attacks over TCP and UDP, as well as related protocols such as DCCP, RUDP, SCTP and UDP-Lite. The targets are servers and some Internet services, gaming in particular.
- Application layer (L7): attacks over application protocols such as HTTP, HTTPS and DNS. These attacks target popular network services, websites and web applications.
Another common classification is by the method of impact:
- Exploitation of protocol vulnerabilities: the attacked resource is hit with malformed requests that it is unable to process, resulting in denial of service;
- Volumetric flooding: overwhelming the target with a high-volume stream of traffic or requests;
- Attacks on weaknesses in the architecture and logic of the application.
There are at least three ways to classify DDoS defenses:
- By type of solution: deployed locally (on-premise), cloud, hybrid;
- By protection level: packet (at the L3 and L4 levels) or at the application level (L7);
- By connection mode: symmetric or asymmetric filtering.
At the top level, DDoS protection solutions are classified by deployment type.
On-premise solutions, delivered as software or hardware appliances.
Their main advantages:
- Minimal latency impact due to local installation.
- The ability to flexibly integrate the solution into the existing infrastructure.
- The ability to independently deeply configure protection.
Drawbacks and limitations:
- High cost of ownership (orders of magnitude higher than that of a cloud solution).
- The need for in-house specialists to run the solution.
- Limited filtering functionality: protection against packet flooding only (L3-L4).
- Limited bandwidth of both the solution itself and the upstream links. For example, if the connected links have a total capacity of 40 Gbit/s, an attack of 50 Gbit/s cannot be repelled.
The main customers for on-premise solutions are large operators: ISPs, cloud providers and data centers with their own DDoS response teams.
Cloud solutions: their protection functionality is roughly the same as that of an on-premise solution, but with the addition of website protection against HTTP bot attacks, as well as technical support, including support during a DDoS attack.
Benefits of quality cloud solutions:
- Affordable (monthly subscription).
- No additional staff costs.
- High filtration capacity.
- Fast onboarding (connection can take as little as a few minutes).
- Gaining not only filtering capacity but also the provider's expertise in filtering attacks effectively.
- A trial period or PoC is usually available.
- Filtering of attacks on websites at the application level (L7) is available.
Drawbacks and limitations:
- Increased latency (traffic goes to the security provider first and only then to the client).
- The need to hand sensitive traffic to a third-party cloud.
Cloud solutions are the best option for most organizations.
Hybrid solutions combine an on-premise solution with a subscription to a cloud protection service that is engaged automatically when attack traffic exceeds a given threshold. The hybrid option neutralizes the main disadvantage of on-premise solutions, the limit on attack volume, and combines the advantages of cloud and on-premise protection. As the cost of hybrid solutions declines, they will become available to smaller service providers.
Typically, DDoS attacks exploit vulnerabilities and features of protocols and systems operating either at the network (L3) and transport (L4) layers of the OSI model or at the application layer (L7). In addition, "intelligent" attacks using very sophisticated methods are becoming more and more widespread. Based on this, DDoS protection solutions can be divided into three categories:
- Providing protection against packet flooding (by filtering transport and network layer packets – L3 and L4);
- Protecting against both packet flooding and flooding at the application level (L3-L7) – this is necessary, in particular, to ensure the operability of sites since most attacks on sites are carried out precisely at the L7 level;
- Capable of protecting not only against attacks at L3-L7 but also against "intelligent" DDoS attacks by "smart" bots that target the parts of a web application that are most resource-intensive to process; such solutions require the functionality of an intelligent application-layer firewall (Web Application Firewall, WAF). WAF services protect against a wide range of attacks, not just DDoS. At the same time, WAFs are not designed to protect against DDoS attacks aimed at saturating links and are just as vulnerable to them as application servers are; therefore, for effective protection, WAF and anti-DDoS services must be used together.
On-premise solutions are typically limited to L3 and L4 protection. The functionality of cloud solutions can vary widely, and to understand what they are capable of, you need to carefully study the documentation of specific services. To protect critical Internet resources, you should choose the option using WAF – this will maximize the security of resources and ensure their availability in case of DDoS attacks of various levels of complexity.
By connection format, DDoS protection can be divided into symmetric and asymmetric.
- Symmetric mode: the filter is set up so that both incoming and outgoing traffic of the protected server (or service information about that traffic) always passes through it.
- Asymmetric mode: only incoming traffic is analysed.
Symmetric mode is typically more effective because it sees both directions of traffic at once and can base decisions on complete information about the exchange between server and clients; asymmetric mode cannot guarantee complete filtering of some attacks.
Symmetric protection is usually recommended for websites and mission-critical applications, while asymmetric protection is recommended for ISP networks.
A comparison of the main advantages and disadvantages of both protection classes is shown in the table.
| Criterion | Symmetric protection | Asymmetric protection |
| --- | --- | --- |
| Flexible outbound traffic management | No | Yes |
| Complexity of connection | Higher | Lower |
| Ability to use multiple DDoS protection providers for one IP address | No | Yes |
Depending on what objects need to be protected, you should choose different methods and means of protection against DDoS attacks.
In addition, it is very important to put yourself in the attacker's position: think about how they could try to carry out their plans, then not only eliminate every weakness found but also test the service thoroughly to make sure it really can withstand attacks.
The first thing to consider when protecting sites and web applications from DDoS attacks is whether you have access to the server on which they are hosted. If you fully control it, you should not only connect external DDoS protection but also prepare the server itself: optimize the operating system's network stack so that the server can withstand high loads. High server performance, including the processing of requests arriving over the network, is essential for DDoS resilience.
The default settings of the OS network stack and of an Apache or Nginx web server in production usually impose significant limits that must be lifted. Pay particular attention to the parameters that determine the performance of Nginx and of the Linux network stack. Also optimize the DBMS in use; it must respond quickly.
If your site runs on a popular CMS (for example, Joomla!, WordPress or Drupal), be sure to follow the public recommendations for tuning its performance. High performance in normal operation improves the site's chances of coping with a DDoS attack.
If an application or site is hosted on a third-party platform and you decide to entrust DDoS protection to its owner, at least clarify whether they can protect the resource against application-level (L7) attacks. In any case, you can connect an external protection service, and you need to configure things so that the real server's IP address is not visible to the attacker: not through mail headers, not through open ports and not through other services.
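As an added example (not part of the original article), the script below audits a Linux host against a baseline of network-stack settings that matter under a connection flood: SYN cookies, listen and SYN backlogs, the driver backlog and TIME_WAIT handling. The baseline values are this example's own assumptions for a busy Nginx front end, not figures from the article, and must be adjusted to the server's memory and link speed. The audit reads `sysctl -a` output from a file, so it can be run against a saved snapshot as well as the live machine:

```shell
#!/bin/sh
# Added example (not from the original article): check a Linux server's network
# stack against a flood-resilience baseline and report every setting that drifts.
# BASELINE values are assumptions for a busy Nginx host; tune them to your box.

BASELINE="
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=65536
net.ipv4.tcp_synack_retries=2
net.core.somaxconn=65535
net.core.netdev_max_backlog=250000
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_tw_reuse=1
"

# Print one line per drifting key: "<key>: current=<value|unset> baseline=<value>".
# $1 = file in "key = value" format (the output of `sysctl -a`).
audit_sysctl() {
    for kv in $BASELINE; do
        key=${kv%%=*}
        want=${kv#*=}
        have=$(awk -v k="$key" '$1 == k { print $3; exit }' "$1")
        if [ "$have" != "$want" ]; then
            echo "$key: current=${have:-unset} baseline=$want"
        fi
    done
    return 0
}

# Apply the baseline persistently (root): write a sysctl.d fragment and load it.
apply_baseline() {
    for kv in $BASELINE; do
        echo "$kv"
    done > /etc/sysctl.d/90-ddos-baseline.conf
    sysctl -p /etc/sysctl.d/90-ddos-baseline.conf
}

# When run directly on a Linux host, audit the live values; nothing is changed
# unless apply_baseline is invoked explicitly.
if command -v sysctl >/dev/null 2>&1; then
    snap=$(mktemp)
    sysctl -a 2>/dev/null > "$snap" || true
    audit_sysctl "$snap"
    rm -f "$snap"
fi
```

Run the audit after every kernel or distribution upgrade as well as before connecting a protection service: vendors ship new defaults, and a silently reverted backlog is exactly the sort of "unsuccessful architecture" that makes a filtered server fall over under a modest SYN flood.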
And here are some more recommendations:
When connecting an external anti-DDoS service to your Internet service, change the service's IP address (the old one may already be known to the attacker). If that is not possible, then at least stop accepting requests from all IP addresses except those provided by the protection service provider.
If a service is critical, buy or rent reliable, high-performance and, if possible, dedicated hosting resources for it, so that an attack on another service on the same hardware cannot bring yours down. Provide redundancy in capacity and resources where possible to reduce the likelihood of failure.
To reduce the likelihood of failure when one or several IP addresses are attacked, try to use all the addresses available to you, distributing them between services or users.
It is useful to notify the security provider about which IP addresses are being used for what purposes – this will help them build a line of defense against DDoS attacks.
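The "accept only the provider's addresses" recommendation above, as an added example that is not part of the original article: the script renders an nftables ruleset for an origin server behind a cloud filtering service, so that the web ports answer only to the provider's prefixes, management is reachable only from an admin host, and an attacker who has found the real IP gets nothing, not even a ping reply to confirm it is alive. The prefixes are RFC 5737 / RFC 3849 documentation ranges standing in for the ones a real provider publishes, and the admin host is hypothetical:

```shell
#!/bin/sh
# Added example (not from the original article): generate an nftables ruleset
# that hides an origin server behind its DDoS filtering provider.
# Assumptions: provider egress prefixes below are documentation ranges, the
# admin address is hypothetical, and the host uses nftables (nft >= 0.9).

PROVIDER_PREFIXES4="203.0.113.0/24 198.51.100.0/24"
PROVIDER_PREFIXES6="2001:db8:1::/48"
ADMIN_PREFIX="192.0.2.10/32"

# Render the ruleset to stdout.
# $1 = IPv4 provider prefixes, $2 = IPv6 provider prefixes (may be empty),
# $3 = admin prefix for SSH.  An empty IPv4 list is refused: with policy drop
# it would black-hole the site instead of protecting it.
render_ruleset() {
    [ -n "$1" ] || { echo "refusing to render: empty provider prefix list" >&2; return 1; }
    v4=$(echo $1 | sed 's/ /, /g')   # "a b" -> "a, b", the nft set element syntax
    v6=$(echo $2 | sed 's/ /, /g')
    v6_set=""
    v6_rule=""
    if [ -n "$v6" ]; then
        v6_set="set scrubber6 { type ipv6_addr; flags interval; elements = { $v6 } }"
        v6_rule="ip6 saddr @scrubber6 tcp dport { 80, 443 } accept"
    fi
    cat <<EOF
table inet origin_guard {
    set scrubber4 { type ipv4_addr; flags interval; elements = { $v4 } }
    $v6_set
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # web ports reachable only through the DDoS filtering provider
        ip saddr @scrubber4 tcp dport { 80, 443 } accept
        $v6_rule
        # management only from the admin host
        ip saddr $3 tcp dport 22 accept
        # keep IPv6 neighbour discovery alive under policy drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # no ping replies: a live echo reply confirms the origin for the attacker
        icmp type echo-request drop
    }
}
EOF
}

# Usage: sh origin_guard.sh > /etc/nftables.d/origin_guard.nft
#        nft -c -f /etc/nftables.d/origin_guard.nft   # syntax check before loading
render_ruleset "$PROVIDER_PREFIXES4" "$PROVIDER_PREFIXES6" "$ADMIN_PREFIX"
```

Check the result with `nft -c -f` before loading it, and keep the provider's prefix list under change control: when the provider adds a scrubbing centre, its new egress range must land in the set before traffic starts arriving from it, or legitimate users behind that centre will be dropped along with the attack.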
To ensure the stability of services that talk to users over TCP and UDP, the first step is to optimize the operating system's network stack. Start by making sure the network card's interrupts are spread across different processor cores. On most modern systems this is done automatically, but it does not hurt to verify it (for example, in /proc/interrupts).
Note that TCP-based services have a definite advantage in DDoS protection, since the protocol itself is better suited to repelling attacks. Securing UDP servers takes much more effort: the protocol is connectionless, and if the server is hit not by a generic flood but by a targeted attack that mimics game packets, that traffic will not be filtered, unless you have told your DDoS protection provider in advance how the server is built and how it operates, worked out with them methods of repelling atypical attacks, and verified their effectiveness with several test attacks.
To protect Internet services and online games based on TCP and UDP, first configure the network card driver. When a frame arrives, the card raises an interrupt asking the processor to suspend its current task and process the incoming traffic. If every frame caused an immediate interrupt, even simple network operations such as an FTP file transfer would show a noticeable performance drop. Therefore interrupts are coalesced: frames accumulate in the card's queue and are handed to the processor in batches, usually 250-1000 times per second; the lower the rate, the lower the CPU load but the higher the latency.
On the other hand, modern servers have multiple processor cores. Since the OS treats each of them as a separate processor, the interrupt load can be distributed evenly between them. There are two ways to do this.
- The first and recommended one is to use hardware queues. Modern NICs have multiple interrupt queues, usually 4 to 16, which for some reason are often not enabled by default in Linux. Enable them and then distribute them evenly among the cores, pinning each queue's IRQ to its own core.
- The second is the Receive Packet Steering (RPS) mechanism, a relatively new kernel feature that balances the load between all cores in software regardless of how many hardware queues the card has. Use it only when you have more cores than hardware queues (and, by the way, consider disabling SMT/Hyper-Threading: this is very useful during an attack).
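Both steps above, as an added example that is not part of the original article: the script enables the card's hardware queues, pins each queue's interrupt to its own core round-robin, and turns on RPS only when the card has fewer queues than the host has cores. It assumes Linux with ethtool, that irqbalance has been stopped (otherwise it will undo the pinning), fewer than 64 CPUs (single-word affinity masks), interrupt labels of the form `<nic>-...` as most drivers produce, and that the NIC name is passed in the `NIC` environment variable; the planning functions take the interrupts file as a parameter so they can be exercised on a saved copy:

```shell
#!/bin/sh
# Added example (not from the original article): enable hardware queues, pin
# each queue IRQ to a core, and fall back to RPS when queues < cores.
# Assumptions: Linux, ethtool present, irqbalance stopped, < 64 CPUs,
# IRQ labels "<nic>-..." in /proc/interrupts, NIC name in $NIC.

# Hex bitmask with only CPU $1 set, the format /proc/irq/<n>/smp_affinity expects.
cpu_mask() {
    printf '%x\n' $((1 << $1))
}

# IRQ numbers whose /proc/interrupts label starts with "<nic>-" (e.g. eth0-TxRx-0).
# $1 = interrupts file (a saved copy works too), $2 = NIC name.
nic_irqs() {
    awk -v nic="$2" 'index($NF, nic "-") == 1 { sub(":", "", $1); print $1 }' "$1"
}

# Plan the pinning: one "<irq> <cpu> <mask>" line per queue, queue i -> core i mod $3.
# $1 = interrupts file, $2 = NIC name, $3 = number of cores.
plan_affinity() {
    i=0
    for irq in $(nic_irqs "$1" "$2"); do
        cpu=$((i % $3))
        echo "$irq $cpu $(cpu_mask "$cpu")"
        i=$((i + 1))
    done
}

# Ask the driver for as many combined RX/TX queues as there are cores.
# Some drivers expose separate "rx"/"tx" counts instead; check `ethtool -l`.
enable_hw_queues() {
    ethtool -L "$1" combined "$(nproc)"
}

# Write the plan to the live system (root).
apply_affinity() {
    plan_affinity /proc/interrupts "$1" "$(nproc)" | while read -r irq cpu mask; do
        echo "$mask" > "/proc/irq/$irq/smp_affinity"
        echo "IRQ $irq -> CPU $cpu (mask $mask)"
    done
}

# Receive Packet Steering: let every core process packets from every RX queue.
enable_rps() {
    all=$(printf '%x' $(( (1 << $(nproc)) - 1 )))
    for q in /sys/class/net/"$1"/queues/rx-*; do
        echo "$all" > "$q/rps_cpus"
    done
}

if [ -n "${NIC:-}" ]; then
    enable_hw_queues "$NIC" || echo "driver refused queue change, continuing" >&2
    apply_affinity "$NIC"
    if [ "$(nic_irqs /proc/interrupts "$NIC" | wc -l)" -lt "$(nproc)" ]; then
        enable_rps "$NIC"
    fi
fi
```

Run it as `NIC=eth0 sh pin_irqs.sh` and confirm with `grep eth0 /proc/interrupts` that the per-core counters grow evenly under load; if one column still takes everything, the driver is most likely hashing all flows into one queue (typical for a UDP game server with a single destination port), which is exactly the case where RPS helps. SMT can be switched off without a reboot via `/sys/devices/system/cpu/smt/control`.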
Securing network resilience is perhaps the most difficult case in terms of effective protection against DDoS attacks. Firstly, because often you have to protect not only your Internet resources, but also those belonging to your customers who have placed their IT assets inside your network. Second, the large number of IP addresses that the network owner most likely possesses allows attackers to launch relatively weak attacks against multiple addresses simultaneously, which will significantly slow down the entire infrastructure.
The first thing to take care of is that the edge routers have sufficient performance: verify their throughput, assess the current load and, if possible, run a series of stress tests, for example with the hping3 utility (against your own infrastructure only, and with your upstream provider's knowledge).
Second, make sure that the IP addresses you own cannot be discovered by tracing (traceroute) either from outside or from inside the network, and that those that can be discovered are protected by ACLs (ask your security provider for help with this).
When connecting network protection via BGP, remember that an attacker can easily trace the path to the provider performing the DDoS filtering and find the IP addresses of the interconnect between you and the provider, which are usually unprotected and therefore vulnerable to DDoS attacks. It is therefore advisable to lock down the interconnect addresses, first with an ACL (the provider must provide this) and, second, by hiding them from tracing both from outside and from inside.
Connecting DDoS protection alone does not guarantee the availability of Internet resources in the event of a DDoS attack. And often the problem lies not in the "bad" DDoS protection, but in the unsuccessful architecture of the Internet service or some of its other features.
In 2017, our company first proposed to the community the term "DDoS protectability" and a set of parameters that affect it. In short, protectability is the ability of an Internet service to be effectively protected from attacks with a minimum expenditure of resources.
The following main groups of parameters affect the protectability:
- Parameters characterizing the ability to hide from the attacker information that would help them conduct an attack and confirm that it has succeeded: the means available to hide the Internet service from those it is not intended for; the number of ways to check whether it is working; information security (protection against compromise).
- The ability to give the DDoS protection provider a way to assess the effectiveness of the protection.
- The breadth of the service's means for recognizing bots, and how common and transparent the protocols and mechanisms it uses are from the protection provider's point of view.
- Parameters characterizing the reliability of the service under attack conditions: redundancy at the application level; resistance to weak attacks; allocation of different functions to different IP addresses to reduce the number of attack vectors; dependence of system components on each other and their ability to work autonomously.
Protection against DDoS attacks can and should be incorporated into a solution at the design stage of its architecture – this will increase availability and reduce the cost of protecting against attacks.
DDoS protection services are now offered by many companies – both specializing in information security and others: ISPs, hosting providers, data centers. Their functionality and quality of protection can vary greatly.
It should be kept in mind that DDoS protection is a very serious matter, so you need to choose a provider with the utmost care. When choosing a provider, it is important to find out the following features.
- Where are its points of presence and how close are they to your sites and to your customers' locations? We recommend checking connectivity with transit operators and running ping tests to resources protected by the provider from different locations.
- How long has the provider been in the DDoS protection business and does it specialize in it? Study reviews on the Internet and assess whether it participates in the information security community and offers anything new. This helps gauge how closely the provider follows the threat landscape and how prepared it is for new threats.
- How does the provider's technical support work? Choose a provider that protects around the clock, seven days a week (attackers often launch attacks late in the evening or at night, counting on support being asleep). It is advisable to have several different channels for contacting the provider so that urgent issues can be resolved quickly.
- If import substitution and the absence of cross-border data transfer matter to you and your customers (such requirements follow, in particular, from the personal data law 152-FZ), find out in advance what technologies the provider uses and whether it will send your traffic abroad, even in encrypted form.
- Does the provider have a list of customers known in the market or to you personally? Such a list gives some confidence in an acceptable level of service, and if it includes organizations you know, contact them for their feedback on the provider.
- Test the service before buying it and evaluate how the protection and technical support work. If full stress testing is not feasible, then at least run simple test attacks with freely available tools while monitoring your resources (this shows how they behave during the test attack).
- Find out whether the provider charges extra for the volume or number of attacks. We strongly advise against such terms, since who attacks you and how hard does not depend on you.
DDoS protection is a complex task, a real test of the professionalism not only of the anti-DDoS service provider, but also of your own IT employees – system administrators, programmers and, of course, information security specialists.
When setting up an anti-DDoS service, it is important to remember that it must be thoroughly integrated into your information security management processes, otherwise it will not work effectively.
And, obviously, you need to understand that the world, business and IT do not stand still: existing systems are frequently modified, new modules appear, and the business logic of the systems changes. Finally, attackers come up with new ways to attack. Therefore, it is necessary to check and test both your resources and the protection services, and to adapt them to the changes taking place in the IT and information security landscape; this requires effort from both the owner of the Internet resources and their security provider.