Protectability from DDoS
We have been working in the field of protection from DDoS attacks for many years and once we began to wonder why some applications are easier to secure than others, and some are more difficult, and why this happens.
This is how we came up with the term “DDoS protectability” and investigated the factors that affect it among our clients.
The following main groups of parameters affect the security of an Internet service:
- Parameters that characterize the ability to hide from the attacker the information that will help him conduct the attack and understand that it was successful: the range of opportunities to hide the attacked Internet service from those for whom it is not intended; the number of ways to check its performance; security (protection from hacking).
- The ability for a DDoS defender to evaluate the effectiveness of protection.
- The breadth of the service's capabilities for recognizing bots, as well as the popularity and clarity of the protocols and mechanisms used in it, from the point of view of a DDoS defender.
- Parameters that characterize the reliability of the service under attack: redundancy at the application level; resistance to weak attacks; allocation of different functions to different IP addresses to reduce the number of attack vectors; dependence of system components on each other and their ability to work independently.
As a bad example, consider an online game that uses the UDP Protocol. Its website and game server are located on the same IP address. After each request, the site goes to the game database to calculate statistics. The game protocol allows the potential attacker to select a sequence of packets similar to the legitimate one, and thus inflict significant load on the application, dramatically reducing its performance.
As a good example, let's take a taxi automation service. Its website is located separately, and the authorization service for clients with mobile apps installed on their smartphones is located separately and works over the HTTPS protocol. The service itself, which connects taxi drivers' mobile apps, is deployed on a pool of IP addresses that are not consecutive from different subnets. Each taxi driver, depending on their username, is given a different set of IP addresses to connect to. The application establishes a TCP connection with several IP addresses at once, and if some of them are unavailable, it transparently switches to others. In addition, each time the client connects, the authorization token and the client's IP address are checked to make sure that the token actually belongs to the client. Such a scheme will be obviously more resistant to DDoS attacks, since it will be extremely difficult for an attacker to influence the taxi service in such a way as to make it inaccessible (or at least difficult to access) for its customers.
As you can see, DDoS protectability should be planned at the stage of planning the IT infrastructure and architecture – good design will increase the availability and reduce further costs of protection from DDoS attacks. Next time we will discuss how to implement the principles of good design in practice and what else you need in order to implement the effective protection from DDoS attacks.