⬆️ ⬇️

Protection from DDoS attacks as a service by VimpelCom - and the story of the won tenders

When a large online tender is announced, sometimes it happens that one bid comes pretty quickly, and then the tender site falls under a strong DDoS attack. The attack in a strange way ends at the end of the tender. Since one application has arrived, it is she who wins. Many of our corporate clients face such a problem (as well as ordinary DDoS attacks from detractors and blackmailers).



Now we provide protection as a service. This is done on two levels: installing the Radware DefensePro hardware at the client and, if necessary, switching traffic to our cleaning center.





')

The maximum attack power is 80 Gb / s (at the application level, the more powerful are also filtered, but without guarantees of the absence of legitimate traffic loss), we plan to expand to 160 as needed. The time from the beginning to reflect the attack on the client side is 18 seconds maximum , on the side of the data cleaning center - up to 40 seconds, taking into account the traffic switching time. When switching traffic loss does not occur.



How it's done



As usual when submitting a service, you first need to sign a contract with Beeline and fill out an order form (application) with the necessary information to connect. After that, the DefensePro equipment is mounted and configured before the first router at the entrance to your network. A dedicated technical channel to the control center is created (transparent for the client: it does not affect the main channel and there is no invoice for it). Physically, this is the same optics (or other channel) as the main line, but the bandwidth is reserved so that even when the Internet access line is completely filled at the time of a strong attack, the control channel works fine and the equipment is available. Equipment through the IP VPN tunnel connects to the cleaning center.



The equipment is in our service, constant monitoring of network activity on your channels is carried out. From you it is still necessary to provide a list of protected resources, their type, and also to list all the ranges of networks available via communication channels. In addition, in the case of providing protection against DDoS attacks through other communication channels (other providers), it is necessary to provide the parameters of these channels. The integration of all this is done, if necessary, with the help of our specialists. It is possible to connect the service directly under the attack (in case of presence of our Internet channel). In this case, all client traffic switches to the purge center. Over the course of the reflection of the attack, engineers observe and, if necessary, participate in filtering the attack. This is done within one working day.



The equipment itself does not affect the legitimate traffic and has a mechanism for the smooth passage of traffic in case of equipment failure. An emergency bypass is put on the piece of iron (the “copper” ports are equipped with them out of the box, external ones are put on the optics) so that even when sticking scrap iron into it, traffic is not affected.



Below is a graph showing the download of the Firewall, on which the inclusion of the reflection attack mode is clearly visible. It can be seen that the CPU load of the Firewall located on the perimeter of the network is reduced by more than 2 times. This is due to the filtering of parasitic traffic on Defense Pro, installed before the Firewall.







How it works



The hybrid scheme “Protection against DDoS attacks” is built on Radware DefensePro equipment. Today, Radware is a global leader in the security of networks and applications.



The defensepro solution used implements the following necessary defense mechanisms:



This list is far from complete, listing all types of protection takes 218 pages in the manufacturer’s manual. DefensePro allows you to repel attacks up to the 7th level of the OSI model and at the same time not cut legitimate users (that is, do not close entire subnets by providers at once, as less accurate means of protection can do).



DefensePro works in in-line mode, invisible for network equipment (Transparent L2 Forwarding). This means that it is impossible to make an attack on him, which guarantees the work of the equipment in any conditions.



The first week the device works in a training mode and collects statistics for traffic profiling. In some cases, training can last up to a month. Then the device switches to reflection mode and works with full dedication. In case of emergency installation, the training mode is reduced to the minimum necessary to start reflection, and the customer’s network is fully profiled a little later. If, during the use, new devices or on-line services are added for protection, leading to a change in the traffic profile, the equipment is trained and adapts itself (even in reflection mode, the attack continues to collect data). To ensure correct filtering during an incomplete training period, or in the case of an emergency service connection under attack, Beeline has a 24-hour customer support service for this service.



The device, standing at you, reflects all the attacks in the channel strip and profiles traffic. When an attack occurs, it forms a signature of the attack for 18 seconds in a difficult case and 5-6 seconds in the general situation with the existing granular policy (well-described network). The device matches the channel width with attack power. As soon as (manually set) the channel criticality value (for example, 20–30% of its capacity) is exceeded, the device reports the situation to the Beeline cleaning center via a separate control channel and transmits the profiles and signature. Traffic switches to the cleaning center within 40 seconds. The attack lands on our equipment, the return traffic goes to the same Internet channel.



Migrates either the entire segment (with a horizontal UDP flood) or a specific address. Since switching occurs within the Beeline backbone network, there is no gap in traffic.



Reverse switching is done in manual mode by customer support. The same team detects and repels attacks that were not found automatically. Switching the traffic after the attack back is performed manually by them, as there are not yet sufficiently accurate algorithms for determining the moments of the cessation of an attack.



The entire protection system and cleaning center are organized on the Beeline transport network, which does not limit us in terms of the total capacity of the channels that most other DDoS protection providers have to rent.



Why users do not suffer



With various attacks at the time of triggering alternative protection systems aimed at ensuring the availability of the communication channel, end users lose access to the company's on-line resource. It turns out that the organization's systems are protected, but at the same time the business process stops completely until the attack is stopped.



In the case of using the service “Protection against DDoS attacks” from Beeline, access to the systems is open to users, while the attack is reflected in parallel and does not affect the passage of legitimate requests.



When attacking slowloris and similar groups, as well as attacks with a wide geography, a careful approach is needed to distinguish living users from bots. For example, to detect attacks inside SSL at the iron level, we do the following:

  1. First, the 302nd redirect is sent to the user. Approximately half of the botnets do not pass it - as a rule, this is the end of the story “let's fill up the competitor cheaply at the seasonal peak”.
  2. If the botnet fulfills the redirect, each individual client receives Javascript literally 3 lines. Modern botnets do not pass this script.
  3. Theoretically, at the moment, a solution has been created that allows to pass this second level of protection. Especially for such situations, the equipment manufacturer has its own team of specialists ERT (Emergency Response Team), carefully studying the closed specialized resources. Accordingly, these experts have found and predetermined this tool and have protection. As soon as it is used, the protection will turn on.
  4. The rapid response team is available 24/7 by phone support. When a new protection bypass is released, new methods “roll forward” in 5 minutes. These 5 minutes, the resource will experience problems, but these are the principles of this “shield and sword” race.


Additionally, it is worth noting that the main issue of guaranteed attack reflection is to protect the communication channel, which cannot be provided on the client side. In this connection, channel protection must be organized at the carrier level. Beeline cleaning center just solves this problem.



Where used



Most of our clients do not plan on telling that they have such protection, for obvious reasons. Nevertheless, it is possible to name the spheres - these are banks (traditionally taking care of security before an emergency), state-owned companies and large retail. The situation with tenders is already described above - therefore electronic platforms are connected to us. In addition, manufacturing companies stand up for protection: the fact is that under the terms of tenders it is often necessary to upload certain information on your website, and if the commission suddenly fails to verify this, the application will be charged. As you can guess, putting such a site at the time of the tender is usually quite easy, and this is used by some interested parties.



Actually, you can learn more about protection in the comments, and to clarify how to connect this service - here .

Source: https://habr.com/ru/post/222559/



All Articles