A Brief History of DDoS Prevention
Distributed Denial of Service (DDoS) uses a large number of valid requests to consume network resources and make services unresponsive and unavailable to legitimate users. DDoS attacks are currently among the hardest cyber-attacks to defend against.
DDoS is an old attack method that has been present in the cybersecurity world for a long time, and DDoS prevention has gone through several stages.
In the early days, no professional traffic scrubbing services were available to guard against DDoS attacks. Internet bandwidth was also relatively small, and most people obtained dial-up Internet access with 56K modems, so attackers could only exploit a small portion of the bandwidth. Defenders could generally mitigate DDoS attacks simply by optimizing kernel parameters and iptables rules.
In this phase, features built into Linux were used to defend against DDoS attacks. For SYN flood attacks, for example, administrators adjusted the net.ipv4.tcp_max_syn_backlog parameter to control the upper limit of the SYN queue and keep it from filling up, and adjusted net.ipv4.tcp_tw_recycle and net.ipv4.tcp_fin_timeout to limit the number of connections TCP keeps in the TIME-WAIT and FIN-WAIT-2 states. For ICMP flood attacks, iptables rules were adjusted to drop or rate-limit ping packets, or to filter malformed packets that did not comply with the RFCs. However, this protection method only optimized a single server. As the intensity of resource-exhaustion attacks increased, it could no longer defend against DDoS attacks effectively.
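As an added illustration of this kernel-parameter stage (this is not code from the article), a small Python audit that parses a sysctl.conf-style file and flags the settings named above; the baseline values are assumptions, and the deprecated-key check reflects that tcp_tw_recycle was removed in Linux 4.12.

```python
# Added example, not from the original article: audit a sysctl.conf-style
# text against the SYN-flood / TIME-WAIT settings the article mentions.
# Baseline values are this example's assumptions, not the article's.
import re

# Key -> (comparison rule, wanted value). A missing key means the kernel
# default applies, which this audit cannot see, so it is reported too.
BASELINE = {
    "net.ipv4.tcp_max_syn_backlog": ("min", 4096),  # larger half-open queue
    "net.ipv4.tcp_syncookies": ("eq", 1),           # SYN cookies once the queue fills
    "net.ipv4.tcp_fin_timeout": ("max", 30),        # shorter FIN-WAIT-2 hold time
}
# tcp_tw_recycle broke clients behind NAT and was removed in Linux 4.12.
DEPRECATED = {"net.ipv4.tcp_tw_recycle"}

def parse_sysctl(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.\-]+)\s*=\s*(\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """Return a sorted list of (key, problem) findings; empty means compliant."""
    settings = parse_sysctl(text)
    findings = []
    for key, (rule, want) in BASELINE.items():
        if key not in settings:
            findings.append((key, "missing"))
            continue
        try:
            have = int(settings[key])
        except ValueError:
            findings.append((key, "non-numeric"))
            continue
        bad = ((rule == "min" and have < want) or (rule == "max" and have > want)
               or (rule == "eq" and have != want))
        if bad:
            findings.append((key, f"{have} (want {rule} {want})"))
    for key in DEPRECATED.intersection(settings):
        findings.append((key, "deprecated; removed in Linux 4.12"))
    return sorted(findings)

# Constructed sample: an old-style tuning file of the kind the article describes.
SAMPLE_CONF = """
net.ipv4.tcp_max_syn_backlog = 1024   # too small under a SYN flood
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 60
"""

if __name__ == "__main__":
    for key, problem in audit(SAMPLE_CONF):
        print(f"{key}: {problem}")
```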
Professional Anti-DDoS Hardware Firewalls
Professional anti-DDoS hardware firewalls are optimized in power dissipation, forwarding chips, operating systems, and so on, and can meet the requirements of DDoS traffic scrubbing. Generally, IDC service providers buy anti-DDoS hardware firewalls and deploy them at the entry of data centers to provide scrubbing services for the entire data center. The performance of these scrubbing services gradually evolved from the original 100 MB per machine to 1 Gbit/s, 10 Gbit/s, 20 Gbit/s, 100 Gbit/s or higher. They cover attacks from layer three to layer seven, such as SYN-FLOOD, UDP-FLOOD, ICMP-FLOOD, ACK-FLOOD, TCP connection flood, CC attacks, DNS-FLOOD, and reflection attacks.
However, this DDoS prevention method is very costly for IDC service providers. Scrubbing devices are required at the entry of each data center, and dedicated maintenance staff are needed to look after the devices and services. In addition, not all IDCs have equal scrubbing and protection capabilities: the uplinks of some small data centers may only have 20 GB bandwidth and cannot make full use of these scrubbing devices.
Advanced Anti-DDoS Systems With Secure IP Addresses in the Cloud Era
In the cloud era, services are deployed on various clouds or in traditional IDCs, and the DDoS scrubbing services these provide follow no consistent standard. When DDoS attack traffic is extremely large, the data centers hosting the services cannot provide matching protection capability. To keep other hosted services from being affected, the “black hole” concept was introduced: once the black hole mechanism is adopted, when attack traffic toward a server exceeds the IDC's black hole triggering threshold, the IDC blocks Internet access for that server to stop the persistent attack and ensure the overall stability of the IDC.
In this case, advanced anti-DDoS systems with secure IP addresses provide a complete anti-DDoS solution: they provision high bandwidth in their own data centers, divert traffic to the secure IP addresses, and then forward the scrubbed traffic to users' source stations (origin servers). This protection method lets data centers reuse their resources and focus on their intended role, and it simplifies DDoS prevention by providing scrubbing as a SaaS-based service.
Advanced anti-DDoS systems with secure IP addresses in the cloud era can meet the requirement for high bandwidth. They also allow users to hide their source stations and to change scrubbing service providers flexibly.
Key Components of Advanced Anti-DDoS Systems With Secure IP Addresses
Bandwidth and Network
Bandwidth and network are the first requirements for implementing DDoS protection. To defend against DDoS attacks efficiently, the first thing to do is establish a data center with high bandwidth. Currently, the mainstream data centers in China are single-line data centers, which have only one network provider (China Telecom, China Unicom or China Mobile), and multi-line BGP data centers, which have more than one network provider.
Multi-Line vs. Single Line Data Centers
- Bandwidth and Cost: Single-line data centers have moderate cost, but require relatively high bandwidth (TB level) to prevent DDoS attacks. Multi-line BGP data centers may have higher initial costs, but need relatively low bandwidth to prevent DDoS attacks.
- Access Quality: Single-line data centers have average access quality, as they are affected by cross-network performance among operators. Multi-line data centers provide optimal BGP networking.
- Business Complexity: With single-line access, a user needs several IP addresses to implement multi-line access, for example one China Telecom, one China Unicom and one China Mobile IP address, resulting in high business complexity. With multi-line BGP, only one IP address is needed for multi-line connectivity, so business complexity is relatively low.
- Disaster Recovery: Disaster recovery is inadequate and inefficient for a single line: if the data center encounters a network failure, recovery is only possible by switching at the business layer. BGP features redundant backup and loop elimination. When an IDC supplier has multiple BGP interconnection lines, it can deploy routes in backup mode, and if one line fails, routing automatically switches to another line.
Another dimension is maximum bandwidth. At present, 300 Gbit/s is just a basic protection capability. Protection at the level of one Tbit/s, or unlimited protection plans, is becoming the choice of more and more users.
TB-level protection capability in multi-line BGP data centers is also a future development objective. Alibaba Cloud is dedicated to providing customers with Anti-DDoS Pro that excels in both access quality and protection capability.
Large Traffic Scrubbing Cluster
This is another key technology. The core part of DDoS scrubbing is the interception of attack traffic. The general attack types and countermeasures are as follows.
When sufficient bandwidth is available, we need to consider how to scrub the DDoS attack traffic. Professional DDoS scrubbing devices generally adopt three typical protection methods: discarding malformed packets and specific protocols, source verification (reverse verification), and statistical rate limiting with behavior recognition. The attacks to handle include SYN-FLOOD, UDP-FLOOD, ICMP-FLOOD, ACK-FLOOD, TCP connection flood, CC attacks, DNS-FLOOD, and reflection attacks.
- Discarding malformed packets and specific protocols is straightforward: fixed rules drop reflection-attack traffic and packets that do not follow the relevant RFCs.
- Source verification (reverse verification) is a countermeasure against SYN flood attacks. The scrubbing device verifies the authenticity of the access source on behalf of the server: when answering the SYN with a SYN-ACK in the TCP three-way handshake, it uses a sequence number generated by a special algorithm that takes factors such as the IP addresses and ports on both sides into account, and then checks the returned ACK. If the access is real and legitimate, the connection traffic is allowed through. Similarly, to defend against complex CC attacks, a picture verification code (CAPTCHA) can be used to check whether a seemingly suspicious client is a real and legitimate customer.
- Statistical rate limiting and behavior recognition enable rate control based on blacklists, whitelists, user access rates, and behavior patterns.
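The source verification described above, as an added example that is not the article's or any vendor's code: the "special algorithm" is stood in for by HMAC-SHA256 over the two endpoints' addresses and ports plus a time slot, and the key and slot length are constructed assumptions.

```python
# Added example, not the article's code. A scrubbing device answers the SYN
# itself with a sequence number derived from the 4-tuple and a time slot, then
# admits the source only if its ACK acknowledges that number + 1.
import hashlib
import hmac
import time

SECRET = b"constructed-per-device-key"   # assumption: rotated out of band
SLOT_SECONDS = 60                        # assumption: a cookie is valid for two slots

def _slot(now):
    return int((time.time() if now is None else now) // SLOT_SECONDS)

def cookie_seq(src_ip, src_port, dst_ip, dst_port, slot):
    """32-bit SYN-ACK sequence number bound to both endpoints and a time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def answer_syn(src_ip, src_port, dst_ip, dst_port, now=None):
    """Sequence number the scrubbing device puts in its SYN-ACK. Nothing is
    stored per half-open connection, so a SYN flood cannot fill a queue here."""
    return cookie_seq(src_ip, src_port, dst_ip, dst_port, _slot(now))

def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """True only if the client's ACK acknowledges cookie+1 for the current or
    previous slot; only then is the source forwarded to the real server."""
    got = (ack_num & 0xFFFFFFFF).to_bytes(4, "big")
    slot = _slot(now)
    for s in (slot, slot - 1):
        expect = (cookie_seq(src_ip, src_port, dst_ip, dst_port, s) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expect.to_bytes(4, "big"), got):
            return True
    return False

if __name__ == "__main__":
    t = 1_700_000_000
    client = ("203.0.113.5", 40000, "198.51.100.10", 80)   # constructed endpoints
    seq = answer_syn(*client, now=t)
    print("client completed the handshake:", verify_ack(*client, seq + 1, now=t))
    print("ACK with the wrong number:", verify_ack(*client, seq + 2, now=t))
```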
Judging from the current DDoS prevention trend, DDoS prevention solutions require elastic scaling to defend against attacks better. Here we need to mention the popularity of the 100 GB interface. Generally, hashing for traffic load balancing is based on the five-tuple. If the five-tuple hash of the attack traffic is uneven, congestion on one path is likely and the traffic will not reach the scrubbing engines at all. This is also an important part of a large-cluster scrubbing system.
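To make the five-tuple hashing point concrete, here is an added example (not the article's code) that measures how evenly a sample of flows lands across scrubbing engines; the engine count, hash function and sample flows are constructed assumptions.

```python
# Added example, not from the original article: measure hash skew across
# scrubbing engines when traffic is balanced on the five-tuple.
import hashlib
from collections import Counter

def five_tuple_bucket(src_ip, src_port, dst_ip, dst_port, proto, engines, seed=b""):
    """Stable engine index for one flow: keyed hash of the five-tuple mod engines.
    The seed keeps the placement unpredictable to outsiders (assumption)."""
    key = f"{proto}|{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode()
    h = hashlib.sha256(seed + key).digest()
    return int.from_bytes(h[:8], "big") % engines

def load_skew(flows, engines, seed=b""):
    """flows: (src_ip, src_port, dst_ip, dst_port, proto, packets).
    Returns (packets per engine, busiest engine's share of all packets);
    1/engines is perfect balance, 1.0 means one engine takes everything."""
    counts = Counter()
    total = 0
    for src_ip, src_port, dst_ip, dst_port, proto, packets in flows:
        idx = five_tuple_bucket(src_ip, src_port, dst_ip, dst_port, proto, engines, seed)
        counts[idx] += packets
        total += packets
    return counts, (max(counts.values()) / total if total else 0.0)

# Constructed sample: 40 small client flows, plus one flow carrying most packets.
# The heavy flow has a single five-tuple, so hashing cannot spread it: one
# engine (and the link feeding it) absorbs it while the others sit idle.
LEGIT = [(f"203.0.113.{i}", 40000 + i, "198.51.100.10", 443, 6, 100) for i in range(1, 41)]
SINGLE_FLOW_FLOOD = [("192.0.2.7", 5555, "198.51.100.10", 80, 17, 20_000)]

if __name__ == "__main__":
    for name, flows in (("normal", LEGIT), ("with flood", LEGIT + SINGLE_FLOW_FLOOD)):
        counts, share = load_skew(flows, engines=4)
        print(f"{name}: {dict(sorted(counts.items()))} busiest engine {share:.0%}")
```

In practice the same measurement is run over sampled flow records to decide when per-flow hashing must give way to a finer split (for example, by packet or by an extra header field) before a single link saturates.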
Preventive Defense Planning
It is also very important to plan countermeasures against DDoS attacks in advance. Efficient planning requires years of DDoS prevention experience. For new attack types and emergency incidents, quick analysis and decision-making play a critical role in solving the problem.
Load Balancing Devices and Security Components
Load balancing is a critical technology for advanced proxy protection, and it works at layer four and at layer seven.
Layer-four load balancing provides an exclusive IP address for each customer's business. The layer-four load balancer itself requires high-performance, high-availability forwarding and the security capability to defend against connection attacks.
Layer-seven load balancing targets proxy protection for website services; HTTP/HTTPS support and defense against CC attacks are integrated into the layer-seven load balancing system.
- Exclusive IP address: One advantage of exclusive IP addresses is that if one IP address is under DDoS attack, other services are not affected, because resources are isolated.
- High availability and high scalability: You can scale your service based on the application load without interrupting service continuity. You can increase or decrease the number of backend servers as needed to expand the service capabilities of your applications.
- Security capability: You can view information about incoming and outgoing traffic and implement refined DDoS protection at the domain, session, or application level.
To implement the strongest DDoS protection, in-depth security capabilities at layer four and layer seven must be combined with large traffic scrubbing clusters.
Real-time Data Analysis System
First, let’s look at the data source. Many data source mechanisms are available today. One well-known mechanism is NetFlow, which provides sampled data for analysis and attack detection. Alternatively, one-to-one traffic mirroring (splitting) can be used to obtain all traffic for statistics and detection. Obviously, the latter method requires more resources and a more efficient data analysis system; systems that require more development and technical support generally give better analysis results.
After obtaining the original packets and data, we need to differentiate applications. Applications can be differentiated at the IP level, the IP+port level, the domain name level, or other levels. Different services require different prevention methods, so we need to customize specialized prevention plans based on the characteristics of a specific service.
Current DDoS attack analysis no longer depends only on statistics-based analysis algorithms. The theories and practices of behavior recognition and machine learning have been introduced for attack analysis, and these algorithms can help us defend against DDoS attacks better. We should also consider how to apply them efficiently in users’ attack protection efforts.
The preceding content reflects the Wooden Bucket Theory of DDoS attack protection: a bucket holds only as much water as its shortest stave allows, so each aspect of attack prevention affects the overall protection, effectiveness, and efficiency. Future advanced anti-DDoS systems with secure IP addresses should feature elastic bandwidth, high redundancy, high availability, high access quality, and simple business integration. At the same time, combining OPENAPI-based DDoS protection with users’ automated maintenance systems can bring higher security to the business and facilitate business growth.
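The statistical rate limiting with whitelists described under the scrubbing methods, and the application differentiation at the IP and IP+port levels described above, as one added example (not the article's code) run over constructed NetFlow-style sampled records; the sampling rate, thresholds and addresses are assumptions.

```python
# Added example, not from the original article: rate-based detection over
# sampled flow records at two differentiation levels (destination IP and
# destination IP+port) with a source whitelist. All values are constructed.
from collections import defaultdict

SAMPLING_RATE = 1000   # assumption: 1 of every 1000 packets is exported
# Packets/second thresholds per protected application (constructed). A DNS
# listener tolerates far less than the host's total, so it gets its own limit.
THRESHOLDS = {
    ("ip", "198.51.100.10"): 500_000,
    ("ip_port", ("198.51.100.10", 53)): 50_000,
    ("ip_port", ("198.51.100.10", 443)): 400_000,
}
WHITELIST = {"203.0.113.250"}   # constructed: a monitoring host never counted

def aggregate(records, window_seconds):
    """records: (src_ip, dst_ip, dst_port, sampled_packets) seen in one window.
    Returns estimated packets/second keyed by (level, application key)."""
    pps = defaultdict(float)
    for src_ip, dst_ip, dst_port, sampled in records:
        if src_ip in WHITELIST:
            continue
        est = sampled * SAMPLING_RATE / window_seconds   # scale the sample back up
        pps[("ip", dst_ip)] += est
        pps[("ip_port", (dst_ip, dst_port))] += est
    return pps

def detect(records, window_seconds=10):
    """Return sorted (level, key, pps) for every level whose estimated rate
    exceeds its threshold; keys without a configured threshold never alert."""
    pps = aggregate(records, window_seconds)
    return sorted(
        (level, key, int(rate)) for (level, key), rate in pps.items()
        if rate > THRESHOLDS.get((level, key), float("inf")))

# Constructed 10-second window: web traffic is normal, the DNS port is flooded,
# and the host total stays under its limit, so only the IP+port level alerts.
RECORDS = [
    ("203.0.113.1", "198.51.100.10", 443, 1200),   # ~120k pps of web traffic
    ("203.0.113.2", "198.51.100.10", 443, 900),    # ~90k pps of web traffic
    ("192.0.2.9", "198.51.100.10", 53, 700),       # ~70k pps to DNS from one source
    ("203.0.113.250", "198.51.100.10", 53, 9000),  # whitelisted monitor, ignored
]

if __name__ == "__main__":
    for level, key, rate in detect(RECORDS):
        print(f"{level} {key}: ~{rate} pps exceeds threshold")
```

A host-level rule alone would have missed this window, which is the point of differentiating applications before applying rate limits.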