Most Common Mistakes in DDoS Protection and Best Practices on How to Avoid Them

Owners of internet resources, in their efforts to protect against DDoS attacks, often make mistakes that undermine their investments in protection. Perhaps the most dangerous aspect is the illusion that purchasing DDoS protection automatically ensures complete safety.

Meanwhile, attackers can exploit these oversights, sometimes gaining more insight into your infrastructure than you have yourself. This situation is often worsened when multiple flaws combine, amplifying their overall negative impact.

When an attacker knows your infrastructure better than you do

Hackers can exploit vulnerabilities by targeting the back-end of your internet service, bypassing your DDoS protection. This allows them to discover the IP addresses associated with your service, along with any connected domains. Typically, when DDoS protection is enabled, a new IP address is assigned to redirect all traffic. However, attackers may already know the previous IP address of your resource or can easily locate it through various tools, which may even reveal the entire history of IP changes. They can also identify other IP addresses where the domain associated with the former IP was detected online. Additionally, attackers can deduce the actual address of the resource by examining SMTP headers.

Using relatively simple methods, attackers can easily discover all your Internet-connected resources and identify unprotected ones among them. We have encountered many clients who protected only some of their resources from DDoS attacks, leaving others vulnerable. If you’ve secured only a portion of your resources, you can be certain that motivated attackers will find the unprotected assets and direct attacks toward them. It’s in your best interest to anticipate what could happen to your network and applications and to take proactive measures to protect them.

If you have your own autonomous system and prefix, or use dynamic routing based on the BGP protocol, it’s essential to protect not only your Internet resources but also the network itself. An attack can target an unprotected IP address directly, and if the attack is strong enough, your entire network could be at risk, even if you use a firewall or ACL to block unnecessary traffic. If you use BGP, then DDoS protection over BGP is also necessary.

Additionally, safeguarding against DNS attacks is crucial. Here are two key recommendations:

  • Use at least two independent DNS providers; this could be two online services, or one could be an in-house DNS server while the other is an online service.
  • Ensure that at least one of these services is protected against DDoS attacks (StormWall provides such protection).

As our experience shows, it is essentially useless to enable partial protection against DDoS attacks. It is necessary to take a comprehensive approach to organizing protection and try to secure the entire chain through which traffic flows, starting from the DNS layer and ending with the back-end components of applications. And, of course, you need to make sure in advance that each of your resources is adequately protected without waiting for a sudden attack to deal them a devastating blow.
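The exposure checks described above (hosts resolving outside the protected address space, a single DNS provider, origin addresses visible in mail headers) can be run as a routine inventory audit. The script below is an added example and is not StormWall’s tooling; the protected prefix, the zone export and the Received: headers are constructed sample data using documentation address ranges, and in practice the prefixes come from your anti-DDoS provider and the records from your zone export.

```python
import ipaddress
import re

# Constructed sample data (all addresses from RFC 5737 documentation ranges).
# PROTECTED_PREFIXES stands in for the ranges the scrubbing provider announces on
# the customer's behalf; the real list comes from the provider.
PROTECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Addresses that can never be an exposed origin (RFC 1918).
INTERNAL_PREFIXES = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Inventory as exported from the zone: name -> record type -> values (constructed).
DNS_RECORDS = {
    "www.example.com":  {"A": ["203.0.113.10"]},
    "shop.example.com": {"A": ["203.0.113.11"]},
    "old.example.com":  {"A": ["198.51.100.7"]},       # forgotten host, not behind the filter
    "mail.example.com": {"A": ["198.51.100.25"]},
    "example.com":      {"MX": ["10 mail.example.com."],
                         "NS": ["ns1.dns-provider-a.example.", "ns2.dns-provider-a.example."]},
}

# Constructed headers of an outbound message, as a recipient would see them.
RECEIVED_HEADERS = [
    "Received: from mail.example.com (mail.example.com [198.51.100.25]) by mx.recipient.example",
    "Received: from app01.internal (app01.internal [10.0.0.15]) by mail.example.com",
]


def is_protected(ip_text, prefixes=PROTECTED_PREFIXES):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in prefixes)


def unprotected_hosts(records, prefixes=PROTECTED_PREFIXES):
    """(name, ip) pairs whose A/AAAA records point outside the protected prefixes."""
    found = []
    for name, rrsets in records.items():
        for rtype in ("A", "AAAA"):
            for ip in rrsets.get(rtype, []):
                if not is_protected(ip, prefixes):
                    found.append((name, ip))
    return found


def ns_providers(records, apex):
    """Distinct provider domains behind the apex NS set (last two labels of each NS name)."""
    providers = set()
    for ns in records[apex].get("NS", []):
        labels = ns.rstrip(".").split(".")
        providers.add(".".join(labels[-2:]))
    return providers


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def leaked_origin_ips(headers, prefixes=PROTECTED_PREFIXES):
    """Non-internal addresses in Received: headers that are not behind the protected prefixes."""
    leaked = []
    for header in headers:
        for ip_text in RECEIVED_IP.findall(header):
            ip = ipaddress.ip_address(ip_text)
            if any(ip in net for net in INTERNAL_PREFIXES):
                continue
            if not is_protected(ip_text, prefixes):
                leaked.append(ip_text)
    return leaked


def audit(records, apex, headers, prefixes=PROTECTED_PREFIXES):
    """Human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, ip in unprotected_hosts(records, prefixes):
        findings.append(f"unprotected host: {name} -> {ip}")
    if len(ns_providers(records, apex)) < 2:
        findings.append(f"only one DNS provider serves {apex}")
    for ip in leaked_origin_ips(headers, prefixes):
        findings.append(f"origin address visible in mail headers: {ip}")
    return findings


if __name__ == "__main__":
    for line in audit(DNS_RECORDS, "example.com", RECEIVED_HEADERS):
        print(line)
```

Run against the sample data it flags the forgotten host, the mail server, the single DNS provider and the mail-header leak; against a real export, every finding is a resource an attacker could reach without passing the filters.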

Examples of DDoS Protection Mistakes

Next, we will analyze some of the issues we encountered while building DDoS protection for a large client managing several hundred websites.

Mistake #1: DDoS protection covers only part of the Internet resources

The client connected only a portion of their resources to our cloud DDoS protection services, leaving about a hundred websites unprotected. Specifically, the protection was applied only at the L3/L4 layers of the OSI model, leaving the HTTP application layer (L7) unprotected. The client likely assumed that no one would ever find or target these websites. This might have been true if only regular users were involved.

However, the attackers didn’t rest—they discovered these websites and took them down with a DDoS attack at the application layer.

This example demonstrates once again that partial DDoS protection is often “leaky” and thus ineffective in practice. To reliably protect Internet resources from DDoS risks, comprehensive security is required, along with a range of interrelated measures to mitigate these risks (details of our approach are outlined in this article).

Since the attack was highly intense, the anti-DDoS services quickly identified the primary sources of illegitimate traffic and suppressed most of the attack at the packet level. However, the remaining traffic volume was still enough to make the client’s unprotected sites inaccessible at the L7 layer.

To fully resolve the issue, it was necessary to add filtering services at the application level. We managed to do this relatively quickly: after receiving a complete list of the partially protected sites from the client, we placed them under our L7-layer anti-DDoS protection.

Mistake #2: The client’s network was announced not only through us but also through two other ISPs

Our customer decided to “hedge their bets” by announcing their network not only through StormWall but also through two ISPs, using their channels as backups. To prioritize traffic routing through the StormWall network, they attempted to deprioritize the paths through the other providers by using the BGP prepend mechanism.

However, this technique did not work as expected: because many providers filter announcements with BGP prepend parameters, traffic was routed not only through StormWall but also through other providers. When the DDoS attack started, three-quarters of the illegitimate traffic reached the client’s internet resources, bypassing StormWall protection.

It took over an hour to configure an exclusive announcement (ensuring that traffic flowed solely through StormWall filters) while the attack was ongoing.
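To see why prepending is a hint rather than a guarantee, the simplified BGP decision model below compares the “hedged” announcement (prefix announced to the scrubber and, with three prepends, to two backup ISPs) with an exclusive announcement to the scrubber only. This is an added example, not StormWall’s configuration; the ASNs are private-use placeholders, the topology is constructed, and the decision process is reduced to local preference, AS-path length and a neighbour tie-break.

```python
# Constructed topology using private-use ASNs (RFC 6996).
CUSTOMER, SCRUBBER, ISP_A, ISP_B = 64500, 64501, 64502, 64503
PREFIX = "192.0.2.0/24"   # documentation prefix standing in for the customer's network


def customer_announcements(exclusive):
    """AS paths the customer originates toward each upstream.
    Hedged: announce everywhere, prepending three times toward the backup ISPs.
    Exclusive: announce only toward the scrubber."""
    ann = {SCRUBBER: [CUSTOMER]}
    if not exclusive:
        ann[ISP_A] = [CUSTOMER] * 4   # origin + three prepends
        ann[ISP_B] = [CUSTOMER] * 4
    return ann


def paths_at_remote_as(announcements, strips_prepends=()):
    """Paths a remote AS receives via each upstream. An upstream that normalises
    (strips) prepends forwards the path as if it had never been prepended."""
    received = {}
    for upstream, path in announcements.items():
        if upstream in strips_prepends:
            path = path[:1]
        received[upstream] = [upstream] + path
    return received


def paths_at_isp(announcements, isp):
    """What a backup ISP itself holds: the route via the scrubber (learned through
    transit) and, if the customer announced to it, the direct customer route."""
    received = {SCRUBBER: [SCRUBBER] + announcements[SCRUBBER]}
    if isp in announcements:
        received[CUSTOMER] = announcements[isp]
    return received


def best_path(received, local_pref=None, neighbor_order=None):
    """Simplified decision: highest local preference, then shortest AS path,
    then the lowest neighbour identifier (the final tie-break in real BGP)."""
    local_pref = local_pref or {}
    neighbor_order = neighbor_order or {}
    return min(received, key=lambda n: (-local_pref.get(n, 100),
                                        len(received[n]),
                                        neighbor_order.get(n, 0)))


def scenarios():
    """Which next hop carries traffic toward PREFIX from several vantage points."""
    hedged = customer_announcements(exclusive=False)
    exclusive = customer_announcements(exclusive=True)
    isp_pref = {CUSTOMER: 200}   # ISPs prefer their own customers' routes
    return {
        "remote, prepends honoured": best_path(paths_at_remote_as(hedged)),
        "remote, ISP_A strips prepends": best_path(
            paths_at_remote_as(hedged, strips_prepends={ISP_A}),
            neighbor_order={ISP_A: 1, SCRUBBER: 2, ISP_B: 3}),
        "inside ISP_A, hedged": best_path(paths_at_isp(hedged, ISP_A), isp_pref),
        "inside ISP_A, exclusive": best_path(paths_at_isp(exclusive, ISP_A), isp_pref),
        "remote, exclusive": best_path(paths_at_remote_as(exclusive)),
    }


if __name__ == "__main__":
    for vantage, next_hop in scenarios().items():
        print(f"{vantage:32s} -> AS{next_hop}")
```

Two results matter for the case above: a backup ISP always prefers the route it learns directly from its customer, so any attack traffic entering through that ISP reaches the customer without passing the scrubber no matter how many prepends were added; and once a path is normalised upstream, the tie-break rather than the prepend decides. Only the exclusive announcement leaves the scrubber as the sole path from every vantage point.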

There are three ways to protect internet applications and websites that operate over HTTPS:

  1. By disclosing the SSL private key to the anti-DDoS provider
  2. By allowing the anti-DDoS provider to receive the certificate and ‘Let’s Encrypt’ private key without decrypting SSL
  3. By providing the anti-DDoS provider with the content of the application server’s system logs

In any case, the anti-DDoS provider must receive information about how data is exchanged at the L7 level – without this information it is impossible to build reliable protection of websites and Internet applications.

In our particular case, we applied protection with the disclosure of the SSL private key, as the resources were informational, and there were no strict requirements for data protection.

Mistake #3: The ACL mechanism was applied on GRE tunnels

After all the traffic was redirected to StormWall filters, it became apparent that some of the network packets were being lost. Possible reasons included excessive load on the routers. However, our client insisted that its routers were very powerful and, according to the client, not overloaded.

After diagnosing the situation, our specialists found that packet loss was occurring within the GRE tunnel, despite sufficient channel bandwidth and a moderate traffic volume in the GRE tunnel.

Further analysis revealed that the ACL (Access Control List) mechanism on the customer’s routers, which were connected via GRE tunnels, was applied to the tunnel interfaces. This caused packets to be processed in software rather than hardware, significantly impacting the routers’ performance.

After the customer’s specialists disabled the ACL mechanism on routers connected to GRE tunnels, packet loss ceased.
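A configuration audit can catch this before an attack does. The checker below parses an IOS-style configuration into interface stanzas and reports every ACL bound to a tunnel interface; it is an added example, not StormWall’s tooling, and the configuration excerpt is constructed with documentation addresses rather than taken from the client’s routers. Whether a given platform punts tunnel-interface ACLs to the software path is platform-specific; the check only flags the pattern the case above identified.

```python
import re

# Constructed IOS-style excerpt (documentation addresses; not a real device config).
CONFIG = """\
interface GigabitEthernet0/0
 description uplink toward the scrubbing provider
 ip address 198.51.100.2 255.255.255.252
 ip access-group FILTER-IN in
!
interface Tunnel0
 description GRE from scrubbing centre A
 ip address 10.255.0.2 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.1
 ip access-group FILTER-IN in
!
interface Tunnel1
 description GRE from scrubbing centre B
 ip address 10.255.0.6 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.5
!
"""


def parse_interfaces(config_text):
    """Group the indented lines under each 'interface X' stanza."""
    interfaces = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None   # '!' or a non-interface stanza ends the block
    return interfaces


# 'ip access-group NAME in|out' (IPv4) and 'ipv6 traffic-filter NAME in|out' (IPv6).
ACL_LINE = re.compile(r"^(ip|ipv6) (access-group|traffic-filter) (\S+) (in|out)$")


def is_tunnel(name, lines):
    return name.lower().startswith("tunnel") or any(l.startswith("tunnel ") for l in lines)


def acls_on_tunnels(config_text):
    """(interface, acl name, direction) for every ACL bound to a tunnel interface."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if not is_tunnel(name, lines):
            continue
        for line in lines:
            m = ACL_LINE.match(line)
            if m:
                findings.append((name, m.group(3), m.group(4)))
    return findings


if __name__ == "__main__":
    for iface, acl, direction in acls_on_tunnels(CONFIG):
        print(f"{iface}: ACL {acl} applied {direction}bound on a GRE tunnel interface")
```

The same ACL on the physical uplink is not reported, which matches the fix applied in the case: keep the filtering, but not on the tunnel interfaces.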

The cascade of mistakes can significantly reduce resistance to DDoS risks

Although the issues described were not critical individually, their combined effect rendered a significant portion of our client’s Internet resources unavailable. Normal access to these resources was restored only after about four hours.

Here are the three most important DDoS protection best practices as a summary for this case:

  • For DDoS protection to be effective, it must be comprehensive, covering all internet resources and all layers that could be targeted in DDoS attacks.
  • To minimize unauthorized traffic during DDoS attacks, all traffic should pass through the filters of anti-DDoS providers.
  • To ensure high resilience of Internet resources against DDoS attacks, router performance should be optimized. Specifically, ensure that the ACL mechanism does not operate within GRE tunnels.
