Last week we discussed how to provide as much information as possible to the DDoS protection company.
Today we continue with goal #3: ensure clear opportunities for filtering the attacks.
Many clients are sure that merely connecting an anti-DDoS service will, by itself, protect them from DDoS attacks. This is an illusion.
Let’s imagine a situation
Imagine an online service that works over UDP and has no formal connection procedure, so there is no defined sequence of packets that a legitimate client must exchange when connecting. At the same time, the capacity of the service is quite low: if an attack starts, even a small one, the service will certainly go down.
So, the question is: how will the DDoS protection company secure such a service? Packets cannot be filtered by signature, because the payloads can be random. The source IP addresses of the packets can also be random, so the flow cannot be restricted based on them. Standard verification methods can protect the service from DDoS attacks of standard types. But what if an attacker uses an unusual method developed specifically for the attacked service? What will you do?
What to do?
You need to think about these aspects in advance, at the stage of service development. You need to give the DDoS protection company a clear way to cut off interaction with bots. Of course, this is much easier to implement with TCP than with UDP. If for some reason UDP is necessary, then you should at least provide the DDoS protection provider with documentation for the service that describes the connection and authentication procedures in detail. Some popular UDP protocols (such as SIP, SAMP, and TeamSpeak) can be filtered quite easily because they are described in detail. If the protocol on which the service is based contains no mechanism that allows filtering, it is very difficult to protect such a service.
Our recommendations
- If it’s possible, use TCP.
- If you are forced to use UDP, decide how to distinguish a legitimate client from an illegitimate one.
- Make sure that the DDoS protection company knows how to filter an attack and has a filtering method.
Remember that connecting an anti-DDoS service is not a panacea, especially if the service is based on UDP.
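As an added illustration of the recommendations above (this code is not from the original post and not from any DDoS protection provider): a hypothetical UDP protocol with a stateless cookie handshake, in the spirit of the DTLS HelloVerifyRequest and QUIC address validation. The message codes, the wire format, the access tokens and the source addresses are all constructed for the demo. The point is that the rule is simple and documented: a source may only send DATA after it has echoed a cookie that the server derived from that very source address, so a filtering provider can enforce the same rule in front of the service without understanding the application payload.

```python
"""Constructed demo: a UDP application protocol with a stateless address-validation
handshake, giving a DDoS scrubbing layer a documented rule for separating legitimate
clients from a packet flood. Hypothetical wire format, not any real service's protocol."""
import hashlib
import hmac
import time

# Message type codes (assumption: one byte at the start of each datagram in our demo protocol).
MSG_HELLO = 0x01      # client -> server: "I want to connect", padded so the reply cannot amplify
MSG_CHALLENGE = 0x02  # server -> client: HMAC cookie bound to the client's source address
MSG_AUTH = 0x03       # client -> server: the cookie echoed back, followed by an access token
MSG_DATA = 0x04       # client -> server: application payload, accepted only after AUTH

COOKIE_LEN = 16
MIN_HELLO_LEN = 1 + COOKIE_LEN   # a HELLO must be at least as large as the CHALLENGE it triggers


class CookieServer:
    """Server side: keeps no state until a client proves it can receive at its source address."""

    def __init__(self, secret: bytes, access_tokens: set, rotation_seconds: int = 60):
        self._secret = secret
        self._tokens = access_tokens
        self._rotation = rotation_seconds
        self.sessions = set()   # (ip, port) pairs that completed AUTH

    def _epoch(self, now: float) -> int:
        return int(now // self._rotation)

    def _cookie(self, src: tuple, epoch: int) -> bytes:
        # Cookie = truncated HMAC over source address and time epoch; nothing stored per client.
        msg = f"{src[0]}:{src[1]}:{epoch}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle(self, src: tuple, packet: bytes, now: float = None):
        """Return (verdict, reply); verdict is 'drop', 'challenge', 'accept' or 'deliver'."""
        now = time.time() if now is None else now
        if not packet:
            return "drop", None
        kind, body = packet[0], packet[1:]

        if kind == MSG_HELLO:
            # Refuse tiny requests: the reply must never be larger than the request,
            # otherwise the server could be used as an amplifier against spoofed sources.
            if len(packet) < MIN_HELLO_LEN:
                return "drop", None
            return "challenge", bytes([MSG_CHALLENGE]) + self._cookie(src, self._epoch(now))

        if kind == MSG_AUTH:
            if len(body) < COOKIE_LEN:
                return "drop", None
            cookie, token = body[:COOKIE_LEN], body[COOKIE_LEN:]
            epoch = self._epoch(now)
            # Accept the current or previous epoch so a rotation mid-handshake does not break clients.
            valid = any(hmac.compare_digest(cookie, self._cookie(src, e)) for e in (epoch, epoch - 1))
            if not valid or token not in self._tokens:
                return "drop", None
            self.sessions.add(src)
            return "accept", None

        if kind == MSG_DATA:
            # Data from a source that never completed the handshake is dropped before the
            # application sees it; this is exactly the rule a scrubbing provider can enforce too.
            if src not in self.sessions:
                return "drop", None
            return "deliver", body

        return "drop", None


def client_connect(server: CookieServer, src: tuple, token: bytes, now: float = None) -> str:
    """Legitimate client flow: HELLO -> CHALLENGE -> AUTH. Returns the AUTH verdict."""
    hello = bytes([MSG_HELLO]) + b"\x00" * (MIN_HELLO_LEN - 1)
    verdict, challenge = server.handle(src, hello, now)
    assert verdict == "challenge"
    cookie = challenge[1:]
    verdict, _ = server.handle(src, bytes([MSG_AUTH]) + cookie + token, now)
    return verdict


def spoofed_flood(server: CookieServer, count: int, now: float = None) -> dict:
    """Simulate a flood from constructed, spoofed sources that never see the CHALLENGE reply."""
    counts = {"drop": 0, "challenge": 0, "accept": 0, "deliver": 0}
    for i in range(count):
        src = (f"198.51.100.{i % 256}", 40000 + i)   # constructed documentation-range addresses
        if i % 3 == 0:
            packet = bytes([MSG_HELLO]) + b"\x00" * 20          # gets a cookie it will never receive
        elif i % 3 == 1:
            packet = bytes([MSG_DATA]) + b"junk"                # no session: dropped
        else:
            packet = bytes([MSG_AUTH]) + b"\x00" * COOKIE_LEN + b"token-A"   # forged cookie: dropped
        verdict, _ = server.handle(src, packet, now)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    srv = CookieServer(b"demo-secret", {b"token-A"})
    print("legitimate client:", client_connect(srv, ("203.0.113.5", 5555), b"token-A"))
    print("flood of 9 spoofed packets:", spoofed_flood(srv, 9))
```

In the flood, HELLO packets still draw a CHALLENGE reply, but that reply is never larger than the request and costs the server no state, so a spoofed source gains nothing from it; every DATA or AUTH packet without a valid cookie is dropped at the first byte. Those drop decisions are what you document for the DDoS protection provider: source never completed HELLO/AUTH, or HELLO shorter than the minimum, or AUTH with a cookie that fails the HMAC check.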