Our Anti DDoS service has been available since June 1st to Dedicated Server, Server Colocation, and Server Rack customers.
In this article, we’ll be describing how we protect clients from DDoS attacks.
DDoS Attacks: Quick Overview
DDoS stands for distributed denial of service. A DDoS attack is when requests from multiple hosts are sent to a machine, effectively interrupting its standard operation.
DDoS attacks are usually carried out by botnets. These are networks of computers that malware has been installed on (via a process called zombification).
Some attacks can be carried out without a botnet (such as UDP floods).
DDoS attacks can be divided into the following groups:
- Attacks to overload bandwidth. These attacks include the aforementioned UDP flood, ICMP flood (which is a ping flood), and others where massive amounts of unrequested packets are sent.
- Attacks at the protocol level. Just as the name implies, these attacks take advantage of the limitations and vulnerabilities of various network protocols. They “bombard” the server with extraneous packets, rendering it unable to process legitimate users’ requests. Examples include SYN flood, teardrop, and other attacks that disrupt the normal flow of packets at different stages within a protocol.
- Attacks on the application level interrupt a system by taking advantage of an application’s and operating system’s vulnerabilities and weak points.
We won’t go into more detail on DDoS attack classifications; those interested can easily find a plethora of reading material on the Internet. For us, what’s much more interesting is our method for mitigating DDoS attacks. Let’s take a look at this.
DDoS Protection Methods
We can divide our DDoS protection methods into two major groups: preventive measures and reactive measures.
Hardware-based methods for protecting a network’s perimeter are usually used to prevent DDoS attacks, like firewalls with intrusion detection systems (IDS). However, these don’t offer protection in the strictest sense of the word.
It’s entirely possible to launch a DDoS attack using firewall-approved packets. What the IDS usually does is perform signature and statistical analysis, comparing incoming packets to existing traffic templates. If an attack is carried out by sending standard network packets, which are harmless on their own, then not every IDS will be able to identify them.
Moreover, both firewalls and IDS usually use control sessions, which is why they can become victims of attacks themselves.
An effective means of minimizing failure during DDoS attacks is having multiple backups available: organizing server clusters in different data centers with connections to different communications channels. If a component in this kind of system becomes unavailable, the client will be redirected to a working server. This method has only one setback: building a geographically distributed cluster with multiple backups can be quite expensive.
Reactive measures are taken when an attack has already started and needs to be stopped (or at least its impact minimized).
If the target is a single machine, then we can just replace its IP address. The new address can then be given to only trusted external users. This solution can hardly be considered ideal, but it’s effective.
Filtering methods can help in some situations. After analyzing malicious traffic, we can identify a specific signature. Based on the results of the analysis, we can set up an ACL router or firewall rules.
Additionally, a large portion of malicious traffic often comes from a specific provider or backbone router. In this situation, a possible solution would be to block the pathway of the questionable incoming traffic (however, it’s worth keeping in mind that in this case, legitimate traffic will also be blocked).
If none of these methods help and you’re all out of options, then “black holing” is an option. This is when all traffic is redirected to a non-existent interface (a “black hole”). More times than not, this means the server being attacked will be inaccessible from external networks for a period of time. Because of this, black holing can’t really be called an adequate protection method: it only helps the attackers reach their goal–disabling their target–more quickly.
Hardware/software DDoS protection solutions have gained widespread use over the past few years. Their main advantage is that they can stop malicious traffic without creating access problems for legitimate users. Hardware/software DDoS protection solutions have appeared on the market from Cisco, Arbor Networks, F5, Juniper, and others.
Our DDoS protection service is built on a specially designed hardware-software solution and is provided in conjunction with our partner Servicepipe (Rus).
The DDoS Protection System
Our DDoS protection system incorporates several software and hardware components, including solutions from Arbor Pravail and F5. Using these tools, traffic is filtered and analyzed directly on the network.
Our system protects against the following kinds of attacks:
- TCP floods;
- SYN floods;
- illegal TCP flag combinations;
- attacks on window size (sockstress);
- TCP session attacks like TCP Idle, Slow TCP, etc.;
- HTTP session attacks (Slowloris, Pyloris, etc.);
- SSL alarm attacks;
- HTTP floods;
- DNS floods;
- DNS Cache Poisoning;
- UDP floods;
- ICMP floods;
- IP, TCP, and UDP fragment attacks;
- VoIP and SIP attacks.
The following countermeasures can be taken in the event of an attack:
- Invalid Packet List – filter packets that aren’t RFC compliant;
- Black and white IPv4 and IPv6 address lists;
- GeoIP Filter Lists – filter traffic by country (block traffic from countries where the most DDoS attacks are launched from);
- GeoIP Policing – policing traffic by country (monitor incoming traffic and limit traffic from countries where the most DDoS attacks are launched from);
- Flexible Zombie Detection – detect zombies and create legitimate traffic profiles;
- TCP SYN Authentication – counter TCP floods using client authentication;
- DNS Authentication – counter DNS floods using client authentication;
- DNS Scoping – validate DNS requests using regular expressions;
- DNS Malformed – check DNS requests for RFC compliance;
- DNS Rate Limiting – limit the number of DNS requests from one IP address (useful for resources with low attendance: providers in our country often use NAT. It’s fairly common when a “grey” /16 subnet accesses the Internet from one IP and all DNS requests come from one address).
- DNS NXDomain Rate Limiting – validate DNS responses. This countermeasure is for attacks where the DNS cache is flooded; for tracking requests with false DNS names.
- DNS Regular Expression – filter DNS requests by regular expressions.
- TCP Connection Reset – prevent excessively long TCP connections.
- Payload Regular Expression – filter traffic using regular expressions applied to Payload packets.
- HTTP Malformed – block HTTP traffic that is not RFC compliant.
- HTTP Rate Limiting – limit the number of HTTP requests from one IP address.
- HTTP Scoping – validate HTTP requests with regular expressions.
- SSL Negotiation – block SSL traffic that is not RFC compliant.
- AIF and HTTP/URL Regular Expression – apply an AIF signature to traffic to be analyzed.
- SIP Malformed – block SIP traffic that is not RFC compliant.
- SIP Request Limiting – limit the number of SIP requests from one IP address.
How It Works
Clients who order our service are provided with protected IP addresses (one is included in the base fee; additional addresses can be ordered from the control panel) as well as special bandwidth for protected traffic. Incoming Internet traffic passes onto the protected addresses via our partner’s network, where filtering occurs.
All illegitimate traffic is dumped from the network; only clean traffic actually makes it to the client. Outgoing traffic is sent to the Internet through Selectel’s infrastructure.
The following graph illustrates the flow of network traffic:
When discussing the benefits of our Anti DDoS service, we should firstly put special emphasis on the following:
- quick setup: Anti DDoS only takes 1 – 2 workdays to be fully up and running;
- very affordable and transparent payment system: only pay for incoming filtered traffic;
- no complicated configurations on the client side: just assign the protected IP address an alias or connect it to a loopback interface;
The service is already available and can be ordered in the control panel (under Network Services).
When ordering, you will have to fill out a questionnaire and indicate the following:
- the server’s primary purpose;
- the number of IP addresses that need to be protected;
- your preferred DDoS protection measures.
We will put together a defense strategy based on the information you provide us with to best fit your project’s specifications.
Mitigation templates have been developed for the most popular kinds of servers (web servers, application servers, DNS servers).
Anti DDoS is a new service and we need client feedback to further develop it. We’d appreciate any comments or suggestions and will keep these in mind as we continue to improve our services.