
What DDoS protection services don't tell you, or why the protection doesn't work

The reason for this article was a security audit of an Internet project. The customer asked us to look at their security setup and check how exposed they were to various attacks. At the same time, we were assured that they were fully protected from DDoS attacks and there was no reason to worry, because they were protected by one of the market leaders, Incapsula.

That is where a big surprise awaited us: the customer was not protected at all.

Let's see what happened, but first a little theory.

I will not describe what a DDoS attack is; I will only note that they fall into two types:

- DDoS at Layers 3 and 4 of the OSI model. A characteristic of this attack is the large number of packets sent at the resource. At the moment, the average attack power in the world is 9.7 Gb/s and 19 Mpps.
- DDoS at Layer 7 of the OSI model, that is, an attack on the application layer. As a rule, this attack does not involve a large number of packets (orders of magnitude fewer than with L3/L4 DDoS); instead it is a targeted strike at a weak point of the attacked site.

Connecting to a DDoS protection service works as follows:

- In DNS, the protected resource's name is pointed at the address of the protection service;
- The client specifies the IP address to which the cleaned traffic should be forwarded (as a rule, the same address the site had before connecting to the service). A tunnel may also be set up.

I deliberately leave aside the case of connecting via BGP here; it has its own problems, but most clients are connected by changing the DNS record.

The customer is satisfied, relaxed and fully confident about the future! But in fact, at the very moment the customer relaxed, they became even less protected!

Let's look at why, that is, how the protection gets bypassed.

Indeed, when we try to get the customer's IP address from the site name, we get the IP address of the protection service:

$ nslookup www.XXXXXXXX.ru
www.XXXXXXXX.ru canonical name = xxx.incapdns.net.
Name: xxx.incapdns.net
Address: 149.126.xxx.xxx

But nothing stops us from looking at the DNS history for this name. We go to any site that provides such information, and here is what we see:

IP Address        | Location                      | IP Address Owner | Last seen on this IP
------------------|-------------------------------|------------------|---------------------
149.126.xxx.xxx   | Binghamton - United States    | Incapsula Inc.   | 2015
149.126.yyy.yyy   | Binghamton - United States    | Incapsula Inc.   | 2015
zzz.zzz.zzz.zzz   | United States                 | HOSTER LTD       | 2014

As a result, we see that its previous IP address was zzz.zzz.zzz.zzz; moreover, we now know that it is hosted at HOSTER LTD's site in the USA (it will become clear below why this also matters).

All that remains is to take a closer look at the server with this IP address, and we know for certain that this is the customer's server we were looking for.

That's it! The server is attacked by IP address and the customer stays down for as long as the attackers want. A lot of money was thrown to the wind, the expense did not pay off, and the protection does not work.

Below I give recommendations on the proper use of such services.

Strangely enough, none of the popular DDoS protection services, either in the West or in Russia, give their clients any recommendations on this issue.

So what needs to be done?

Once you have exposed your IP address in DNS even once, you will never be able to delete this information: it will always be available in DNS history. Moreover, you have exposed your location (hoster, commercial data center, etc.).
If you want to be fully protected, leave that place. If you stay, your service will be attacked as soon as you present any value at all to the attackers.

Let's consider how attackers will behave and try to work out, depending on the size of your project, what to do in this situation.

1) You have a small website and you originally placed it with a hosting provider. The correct actions are to configure the HTTP server so that it accepts requests only from the IP addresses of the protection service (this precisely removes the possibility of a Layer 7 DDoS attack) and to change the IP address (protection from Layer 3/4 DDoS). In this case the attackers will not be able to find your site directly, but this does not mean you are safe. The average hoster in Russia has 1-5 Gb/s channels, and if you are really interesting to the attackers, they will attack (Layer 3/4 DDoS) the hoster's channels and take it down, and you along with it.

2) You have a dedicated Virtual Private Server and it hosts your project. Correct actions:
- configure the HTTP server so that it accepts requests only from the IP addresses of the protection service (this removes the possibility of a Layer 7 DDoS attack);
- configure the firewall so that all unnecessary ports are closed and/or connections are accepted only from IP addresses known to you. If you did not do this from the very beginning, when you connected to the DDoS protection service, then the attackers may already have studied your server and found out which ports are open and which are not (they have fingerprinted your system). This means they know what kind of machine to look for in the provider's network;
- change the IP address (protection from Layer 3/4 DDoS).

If you stayed with your existing cloud provider, you are still not safe. The most vulnerable part of a cloud provider is the management console (even at Amazon it is not very well protected). Attackers can launch a Layer 3/4 DDoS attack on the channels of a small cloud provider and take down the entire cloud.

3) You have a big project and many servers located in some commercial data center. Such a project is the hardest to protect. This task requires a comprehensive approach: changing the IP and configuring the firewall does not solve anything on its own (but this does not mean it should not be done). At a minimum, you need to change the network block the provider gave you. Change it, not add a new one; otherwise nobody even has to look for you, the attackers will simply saturate your channels by attacking the old block. As a rule, such projects have services that cannot be (or are not) put behind DDoS protection; think about how to properly distribute these services across different networks or even sites, otherwise it is precisely through them that you will be found (the simplest example is MX mail records).
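The recurring step in the recommendations above is to let the origin accept HTTP requests only from the protection service's addresses, and to take the visitor's real address only from a header that service sets. The following is an added example, not code from the article or from Incapsula: the CIDR ranges and the header name are placeholders/assumptions, and in production you would use the ranges and header documented by your provider.

```python
# Added example: origin-side enforcement that only the DDoS protection service
# may reach the HTTP application, plus safe extraction of the visitor address.
import ipaddress
from typing import Mapping, Optional

# Constructed placeholder ranges standing in for the protection service's
# egress networks (use the ranges your provider publishes).
PROTECTION_NETS = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumed header name; check which header your provider actually sets.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_protection_peer(peer_ip: str, nets=PROTECTION_NETS) -> bool:
    """True if the TCP peer address belongs to the protection service."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed peer address: never trust it
    return any(addr in net for net in nets)


def real_client_ip(peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return the visitor's address, or None if the request must be rejected.

    The forwarded header is honoured only when the TCP peer is the protection
    service; a direct request to the origin (found via DNS history) carries an
    untrusted, possibly forged header and is refused.
    """
    if not is_protection_peer(peer_ip):
        return None
    chain = [p.strip() for p in headers.get(CLIENT_IP_HEADER, "").split(",")]
    # The last element is the one appended by the trusted service, i.e. the
    # address that actually connected to it; earlier ones may be client-supplied.
    try:
        return str(ipaddress.ip_address(chain[-1]))
    except ValueError:
        return None


def nginx_allow_list(nets=PROTECTION_NETS) -> str:
    """Render equivalent nginx access rules for a server {} block."""
    return "\n".join([f"allow {net};" for net in nets] + ["deny all;"])
```

Paired with a firewall that only opens 80/443 to the same ranges, this leaves a Layer 7 attacker who discovers the origin address with nothing to talk to.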

Conclusion


DDoS protection services are not a panacea, but they can help a great deal if you take a number of steps in the right direction.

Good luck to you and your projects.

Source: https://habr.com/ru/post/250735/
