
Nuances of introducing protection against DDoS attacks

As the saying goes, truth and falsehood lie in the details: truth in their presence, falsehood in their absence. This article is devoted to some of the details of implementing a "protection against DDoS attacks" service.
There is plenty of theory about DDoS attacks and protection against them on the Internet, so I will not dwell on that side of things. Here I simply voice my own thoughts on the topic.



While introducing the new service "protection against DDoS attacks" at my company, I ran into a number of details that led me down the following chain of reasoning.

1. Implementing the protection on your own infrastructure is still rather expensive, as is everything new in this life. This is the first thing we ran into when we began building a DDoS protection center on our infrastructure: the figures are on the order of ten million rubles, or more. Moreover, once you study the question it becomes clear that these costs will not pay for themselves in the foreseeable future. If the question of offsetting them is not resolved, this detail alone can stop all activity in this direction, and it gives rise to further nuances:
- Since not everyone can afford these costs, the need to provide a service such as "protection against DDoS attacks", or rather the "required characteristics of the protection center", is used by many large companies, especially in the public sector, as a barrier against specific bidders when announcing a tender. Sometimes you look at the requirements and realise the figure is rather odd. For example, I once came across the requirement, among others: "bandwidth of the protection center: 180 Gbit/s". Why exactly 180? Not 50, not 100, not 500, but precisely 180? Where did this figure come from, on what grounds? That is, until colleagues pointed out that one particular operator's network core has exactly that capacity. Incidentally, the capability had to be confirmed by a "statement in free form signed by the company's head", and the channel for the filtered (clean) traffic was requested at 1 Gbit/s.

- If you minimise these costs by the known methods, the company can provide full DDoS protection on its network infrastructure only with serious reservations. Sometimes it is an agent scheme, protection through someone else; sometimes it is protection only up to layer 4 of the OSI model. Some say so honestly: "we implement only traffic filtering by means of ...", or "we will provide the service under a partnership scheme". Of course, there is nothing wrong with that. But, as in the well-known joke, "the spoons turned up, but the bad taste remained". That is, everything important, as in those loan agreements, is "written in fine print at the end".

- If all the costs are accepted, then it is profitable for the supplier of this service to work only with large volumes. I came across a case where, in one serious company, a simulated DoS attack of 120 Mb/s run as a check was not recorded in the anomaly statistics at all. Asked why, they explained that they filter all anomalies, but record them in the attack statistics only starting from 1 Gb/s. In other words, a client with a 20 Mb/s Internet connection will never be informed about attacks on it. On the one hand, fine, it just works. On the other, not so fine, because the client has no understanding of what he is paying for.

2. Among potential customers, hardly anyone understands exactly what he wants. I once discussed this question with the head of the IT department of a large bank. One would think he, of all people, should know exactly what he should receive, in quantitative terms, as part of "protection against DDoS attacks". The answer was somewhat confusing: "Well, I googled it, there is this product Harbor Peak Flow (I am not giving the real name, to avoid advertising), do the same thing it can do."
An interesting consequence of this nuance.
One potential client was going to change his "DDoS protection" provider because he was not satisfied with what he currently had. Nobody could give a clear answer to the question of what exactly did not suit him.

3. The "protection against DDoS attacks" service should be considered an addition to the "Internet access" or "communication channels" services: all incoming traffic must pass through the protection center, which is essentially guaranteed once network access itself is provided through it. This has an interesting consequence. I will explain. When a resource (for example, a website) is protected against mass unauthorised access attempts over encrypted traffic, the encryption keys (the certificates together with their private keys) must be handed over to the third party under whose control the protection center sits; without them the center can only filter on what it sees below the TLS layer (addresses, ports, packet and connection rates). Handing them over reduces the meaning of the encryption to nothing.

4. Recorded DDoS anomalies are very frequent but relatively short-lived. Statistics show that the protection system records anomalies mainly on operator (carrier) traffic, lasting up to 30 minutes; on corporate traffic there are fewer. Once you start investigating these anomalies, the usual picture is "Pareto's law in action": 80% of the anomalies have nothing to do with attacks:

- The cause lies in the client's own network infrastructure, or it is simply a distinctive feature of that network ("this is not a bug, this is a feature"). That is, the client's network is such that its normal activity, or its problems, is recorded by the protection center as an anomaly, and the center duly signals it. All geographically distributed local networks can safely be put in this category, especially if their users work over some kind of VPN tunnels.
- Outgoing activity, initiated for example by malware (the client is not the one being attacked; he is attacking someone). Although here one can assume the client's resource is still a participant in a DDoS attack, just not as the target.
- Active online gamers. Our center recorded WoW traffic among the anomalies before anything else.
- Multicast traffic from DVRs (video recorders). This is a separate topic, especially for "public" recorders to which access is handed out to everyone. The traffic cannot be blocked, and it is almost impossible to work out who services the device.
The main anomaly types in these cases are UDP flood and TCP SYN flood. When you start sorting these questions out, it ends with having to tune the protection center by creating all sorts of white lists and exceptions, because the client assures you that everything is fine on his side, "this" anomaly is a consequence of "something over there", and "in future please do not record it".
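As an added example (not code from the article or from any vendor it mentions), the following Python sketch shows the tuning described in this point, and the reporting-threshold problem from point 1, on a constructed minute of flow records: inbound traffic is rated per protected prefix, flows on a client's exception list (a VPN peer, a game port) are dropped before rating, a UDP flood is reported relative to the client's own link rate rather than an absolute floor (so a 120 Mb/s test is not silently swallowed), and a SYN flood is judged by SYN-only packet rate and share. The record format, the client table, the thresholds, the port numbers and every address are assumptions made for illustration.

```python
"""Toy flood classifier with per-client thresholds and exception lists.
Added example, not code from the original article; record format, client
table, thresholds and every address are assumptions for illustration."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One inbound flow record as a collector might export it (constructed)."""
    dst: str        # protected (client-side) address
    src: str        # remote address
    proto: str      # "udp" or "tcp"
    dport: int
    tcp_flags: str  # "S" = SYN only, "SA", "PA", ...; "" for UDP
    packets: int
    bytes: int


@dataclass
class Client:
    """What the protection center must know about a client to rate an anomaly."""
    prefix: str
    link_mbps: float                   # subscribed access rate
    allow_src: tuple[str, ...] = ()    # e.g. VPN peers of a distributed LAN
    allow_dport: tuple[int, ...] = ()  # e.g. a game port the client asked not to report


@dataclass(frozen=True)
class Verdict:
    prefix: str
    kind: str    # "udp-flood" or "tcp-syn-flood"
    rate: float  # Mb/s for udp-flood, SYN packets/s for tcp-syn-flood


def classify(flows, clients, window_s=60.0, report_fraction=0.5,
             syn_share=0.9, syn_pps=1000.0, absolute_floor_mbps=None):
    """Rate inbound flows per client and return the anomalies worth reporting.

    udp-flood: UDP volume at or above report_fraction of the client's own link
    rate, so a 20 Mb/s subscriber hears about a 10 Mb/s flood.  If
    absolute_floor_mbps is given it replaces that limit for every client,
    reproducing the "recorded only from 1 Gb/s" policy the text complains about.
    tcp-syn-flood: SYN-only packets are at least syn_share of the client's TCP
    packets and arrive at syn_pps or more.  This is a packet-rate check: a SYN
    flood exhausts connection state long before it fills the link.
    Flows matching a client's exception list are dropped before any rating.
    """
    nets = [(ipaddress.ip_network(c.prefix), c) for c in clients]
    udp_bytes, tcp_pkts, syn_pkts = defaultdict(int), defaultdict(int), defaultdict(int)

    for f in flows:
        dst = ipaddress.ip_address(f.dst)
        client = next((c for net, c in nets if dst in net), None)
        if client is None:
            continue
        if f.src in client.allow_src or f.dport in client.allow_dport:
            continue  # a known feature of this client's network, not an attack
        if f.proto == "udp":
            udp_bytes[client.prefix] += f.bytes
        elif f.proto == "tcp":
            tcp_pkts[client.prefix] += f.packets
            if f.tcp_flags == "S":
                syn_pkts[client.prefix] += f.packets

    verdicts = []
    for c in clients:
        udp_mbps = udp_bytes[c.prefix] * 8 / window_s / 1e6
        limit = c.link_mbps * report_fraction if absolute_floor_mbps is None else absolute_floor_mbps
        if udp_mbps >= limit:
            verdicts.append(Verdict(c.prefix, "udp-flood", round(udp_mbps, 2)))
        pps = syn_pkts[c.prefix] / window_s
        if tcp_pkts[c.prefix] and syn_pkts[c.prefix] / tcp_pkts[c.prefix] >= syn_share and pps >= syn_pps:
            verdicts.append(Verdict(c.prefix, "tcp-syn-flood", round(pps, 1)))
    return verdicts


# Constructed one-minute sample: a small client whose VPN peer and game port
# are on the exception list, and a larger client under a 120 Mb/s UDP test
# plus a SYN flood against its web server.
CLIENTS = [
    Client("203.0.113.0/24", link_mbps=20, allow_src=("198.51.100.7",), allow_dport=(3724,)),
    Client("192.0.2.0/24", link_mbps=200),
]
FLOWS = [
    Flow("203.0.113.1", "198.51.100.7", "udp", 4500, "", 90_000, 100_000_000),   # site-to-site VPN, whitelisted by source
    Flow("203.0.113.20", "198.51.100.40", "udp", 3724, "", 60_000, 6_000_000),   # game stream, whitelisted by port
    Flow("203.0.113.10", "198.51.100.11", "udp", 80, "", 25_000, 30_000_000),    # three sources flooding one host:
    Flow("203.0.113.10", "198.51.100.12", "udp", 80, "", 25_000, 30_000_000),    # 90 MB/min = 12 Mb/s on a 20 Mb/s link
    Flow("203.0.113.10", "198.51.100.13", "udp", 80, "", 25_000, 30_000_000),
    Flow("192.0.2.50", "198.51.100.99", "udp", 53, "", 700_000, 900_000_000),    # 900 MB/min = a 120 Mb/s test
    Flow("192.0.2.80", "198.51.100.200", "tcp", 443, "S", 300_000, 18_000_000),  # 300k SYN-only packets/min
    Flow("192.0.2.80", "198.51.100.5", "tcp", 443, "PA", 10_000, 12_000_000),    # 10k legitimate packets
]

if __name__ == "__main__":
    for v in classify(FLOWS, CLIENTS):
        print(v)
    print("with a 1 Gb/s floor:", classify(FLOWS, CLIENTS, absolute_floor_mbps=1000))
```

Run as-is, the small client's 12 Mb/s flood and the larger client's 120 Mb/s flood and 5000 SYN/s are all reported, while the VPN peer (13.3 Mb/s on its own, which would otherwise trip the same rule) stays silent because of the exception list; with the 1 Gb/s floor applied instead, both UDP verdicts disappear and only the SYN flood survives, which is exactly the "the client never hears about it" outcome from point 1.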

The consequence of this nuance is the following one, which is essentially the last.



5. During the introduction of the service the question came up repeatedly: "Who actually needs this service?" To be honest, there are not many requests for it. Apparently, "until the thunder strikes, the peasant will not cross himself". Most likely, few people think about such a threat until they come under a real DDoS attack. Only then does the understanding immediately appear that a real attack is a very serious matter, and that it is not for nothing that it is treated as a crime. Attacks are always carried out for some purpose: mostly, it seems, for political reasons, on the orders of competitors, or as cover for an intrusion into the network. That is, in any case it is a logical consequence of the organisation's main activity. In my opinion, it is unlikely that someone will attack, for example, an online clothing store just like that. One can of course talk about experiments by novice hackers, or "the revenge of angry customers", but the seriousness of such attacks is hardly significant. Therefore, in my opinion, the potential targets of DDoS attacks can be:

- to mask a simultaneous parallel action, such as hacking a resource:
  network resources of banks, other financial organisations, the finance departments of companies;
  network resources of organisations dealing with state or commercial secrets;
- to disrupt activity:
  network resources of political parties and of government organisations involved in political activity (elections, etc.);
  network resources of law enforcement agencies;
- to make access difficult:
  newspapers, magazines and other news media resources;
  organisations publishing compromising material;
  organisations that "strongly interfere" with the activity of their competitors;
  possibly the network resources of tenders and auctions where the result is predetermined;
- for hooliganism: in fact, any resource.
Honestly, I included "hooliganism" solely for cases such as travel agencies' websites being attacked in the middle of the season ...

Telecom operators need their own "DDoS protection center" only if they are going to sell the service. In all other cases a carrier already has the resources to protect itself: the staff know what to do, there are several trunk channels, and their capacity is not small. Besides, attacking a carrier does not make much sense. And if, after all, some travel agency is attacked so hard that the telecom operator feels it too, you can always ask colleagues at the upstream operator to "cut off" the source.

PS While I was writing this, a news item appeared. I wondered which category this case could be put under. Most likely the second, an attempt to disrupt activity, although, of course, for banks a DDoS as cover for a hack would be more logical ... It looks like an unsuccessful attempt, judging by the reply of the banks' security service.

Source: https://habr.com/ru/post/314912/