What is what and who is who in the DDoS protection market
I’ve been in the digital market since 2008, and during that time I’ve seen a transition from Joomla websites (remember this?) To today's Internet with its mobile-first applications and hundreds of millions of IoT devices connected to the network.
The attacks on the Internet have also developed well during this time :)
But the DDoS protection market and the attack protection technology used by operators are still quite closed.
I'll tell you what I learned about him, supporting websites and Internet services that have been under continuous attacks for the past few years.
Regular attacks. 350k req total, 52k req legitimate
The first attacks appeared almost simultaneously with the Internet. DDoS as a phenomenon has become widespread since the end of the 2000s ( see www.cloudflare.com/learning/ddos/famous-ddos-attacks ).
Since about 2015-2016, almost all hosting providers have come under protection from DDoS attacks, like most visible sites in competitive areas (do whois on the IP sites eldorado.ru, leroymerlin.ru, tilda.ws, see the network of protection operators).
')
If 10-20 years ago most of the attacks could be repelled on the server itself (evaluate the recommendations of the Lenta.ru system administrator Maxim Moshkov from the 90s ), now everything is more complicated.
First, briefly about the types of attacks.
These attacks aim to “fill up” the channel to the server or “kill” its ability to receive new traffic.
Although SYN / ACK flood and amplification are very different, many companies struggle equally well with them. Problems arise with attacks from the next group.
The goal is to make the server “hard to work”, to process a lot of “as if real requests” and to remain without resources for real requests.
Although there are other attacks, these are the most common.
Serious attacks at the L7 level are created in a unique way for each project attacked.
Why 2 groups?
Because there are many who are able to repel attacks well at the L3 / L4 level, but either do not take up the defense at the application level (L7) at all, or while they are weaker than the alternatives.
(my personal view)
To repel attacks with amplification (“blockage” of the server channel), there are enough wide channels (many of the protection services connect to most major backbone providers in Russia and have channels with a theoretical capacity of more than 1 Tbit). Do not forget that very rare attacks with amplification last longer than an hour. If you are a Spamhaus and everyone doesn’t like you, yes, you can try to put channels for several days even with a risk for the continued survival of the used world botnet. If you just have an online store, even if it is mvideo.ru - 1 Tbit in a few days you will see very soon (hopefully).
In order to repel attacks with SYN / ACK flood, packet fragmentation, equipment or software systems are needed to detect and cut off such attacks.
Such equipment is produced by many (Arbor, there are solutions from Cisco, Huawei, software implementations from Wanguard, etc.), many backbone operators have already installed it and are selling DDoS protection services (I know about installations from Rostelecom, Megafon, TTC, MTS , in fact, for all major providers, hosters with their own protection, a-la OVH.com, Hetzner.de, have done it themselves in ihor.ru). Some companies are developing their software solutions (technologies like DPDK allow processing traffic of tens of gigabits on one physical x86 machine).
Of the known players, L3 / L4 DDoS is more or less effective, everyone can do it. I won’t say now who has the maximum channel capacity (this is insider information), but usually this is not so important, and the only difference is how quickly the protection is triggered (instantly or after a few minutes of downtime of the project, as in Hetzner).
The question is how well this is done: an attack with amplification can be repulsed by blocking traffic from countries with the most harmful traffic, and only really extra traffic can be discarded.
But at the same time, based on my experience, all serious players in the Russian market cope with it without problems: Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, Stormwall, Voxility, etc.
Companies in Russia rarely work with foreign security operators, with the exception of Cloudflare. I will write about Cloudflare separately.
Protection from operators such as Rostelecom, Megafon, TTK, Beeline did not come across, according to colleagues, they provide these services fairly well, but so far the lack of experience periodically affects: sometimes you need to screw something up through the support of the protection operator.
Some operators have a separate service “protection against attacks at the L3 / L4 level”, or “channel protection”, it costs much less than protection at all levels.
These are the reports from the upstream L3 / L4 protection I regularly received, supporting the hosting provider system.
Attacks at the L7 level (application level) are consistently and efficiently able to repel units.
I have a real big enough experience with
They charge for every megabit of pure traffic, a megabit costs about several thousand rubles. If you have at least 100 Mbps of pure traffic - oh. Protection will be very expensive. I can tell in the following articles how to design applications in order to save very well on the capacity of protection channels.
The real "king of the hill" - Qrator.net, the rest of them are somewhat behind. Qrator is so far the only ones in my practice who give close to zero percentage of false positives, but they are several times more expensive than other market players.
Other operators also have high-quality and stable protection. Many services on our support (including very well-known in the country!) Are protected from DDoS-Guard, G-Core Labs, and quite satisfied with the result, I can recommend them.
Qrator repelled attacks
There is also experience with small protection operators like cloud-shield.ru, ddosa.net, etc. I definitely cannot recommend, because the experience is not very great, I will tell you about the principles of their work. The cost of protection from them is often 1-2 orders of magnitude lower than that of large players. As a rule, they buy the partial protection service (L3 / L4) from one of the larger players + they do their own defense against attacks at higher levels. This can be quite effective + you can get good service for less money, but these are still small companies with a small staff, please note.
CloudFlare is a separate phenomenon. This is already a huge company that costs several billion dollars, their customers are half of the traffic generators of the world, and the DDoS protection service is simply the most famous among their services. We also constantly use them for DNS hosting, CDN, as a traffic proxying service.
For a website / service that doesn’t attack complex attacks, Cloudflare is quite ok, but with serious attacks (when they’re not just “flooding” the channel, but combining many types of attacks), they never saved us with a $ 200 Business plan, but talk about them Enterprise protection for Russia does not make sense, it is cheaper and more effective to turn to other players.
Why is that? I think it is difficult to make a massive, almost free service of very high quality.
By the way, many Russian-speaking engineers work in CF :)
I once had real experience with Dragonara.net (once the largest defense operator in the world), which no longer exists now.
Habré already has a lot of articles about modern operators, I’ll just give you a link to a fresh review: habr.com/ru/post/350384
Surely many of them are very good if the project is not aimed at the Russian market, but in Russia there are problems with them.
The first is that effective protection should be as close as possible to the defender and should take into account local peculiarities (some in Russia, some in China, others in South America).
The second reason: the really difficult and expensive task is the protection at the L7 level. And yes, it is expensive for everyone, in principle, not many companies in the world do a good L7 protection, and Russian services often simply win the competition.
All applications are unique, and you need to allow traffic that is useful to them and block harmful traffic. It is not always possible to weed out bots uniquely, so you have to use a lot, really MANY degrees of traffic cleaning.
Once, the nginx-testcookie module was enough, and it is still enough to repel a large number of attacks. When I worked in the hosting industry, my L7 protection was built just for nginx-testcookie. By the way, Beget.ru, Netangels.ru, FastVPS.ru had a similar system.
Alas, the attacks have become more difficult. testcookie uses checks on JS-based bots, and many modern bots are able to successfully pass them.
Attacking botnets are also unique, and you need to take into account the characteristics of each large botnet.
Amplification, direct flood from botnet, traffic filtering from different countries (different filtering for different countries), SYN / ACK flood, packet fragmentation, ICMP, http flood, while at the application / http level you can come up with an unlimited number of different attacks.
In total, at the level of channel protection, specialized equipment for traffic cleaning, special software, additional filtering settings for each client, there may be tens and hundreds of filtering levels.
To properly manage this and correctly tyunit filtering settings for different users, you need a lot of experience and qualified personnel. Even a large operator who decides to provide protection services cannot “stupidly throw money at a problem”: experience will have to be packed on lying sites and false positives on legitimate traffic.
For the protection operator there is no “repel DDoS” button, there are a large number of tools, they need to be able to use them.
And one more bonus example.
The server without protection was blocked by the hoster during an attack with a capacity of 600 Mbps
(The “loss” of traffic is not noticeable, since only 1 site was attacked, it was temporarily removed from the server and the block was removed within an hour).
The same server is protected. The attackers "surrendered" after a day of repulsed attacks. The attack itself was not the strongest.
L3 / L4 attacks and protection against them are more trivial, mainly they depend on the thickness of the channels, the algorithms of detection and filtering attacks.
L7 attacks are harder and more original, they depend on the attacked application, capabilities and fantasy of the attackers. Protection from them requires great knowledge and experience, and the result may not be immediately and not one hundred percent. So far, Google has not invented another neural network for protection.
The attacks on the Internet have also developed well during this time :)
But the DDoS protection market and the attack protection technology used by operators are still quite closed.
I'll tell you what I learned about him, supporting websites and Internet services that have been under continuous attacks for the past few years.
Regular attacks. 350k req total, 52k req legitimate
The first attacks appeared almost simultaneously with the Internet. DDoS as a phenomenon has become widespread since the end of the 2000s ( see www.cloudflare.com/learning/ddos/famous-ddos-attacks ).
Since about 2015-2016, almost all hosting providers have come under protection from DDoS attacks, like most visible sites in competitive areas (do whois on the IP sites eldorado.ru, leroymerlin.ru, tilda.ws, see the network of protection operators).
')
If 10-20 years ago most of the attacks could be repelled on the server itself (evaluate the recommendations of the Lenta.ru system administrator Maxim Moshkov from the 90s ), now everything is more complicated.
First, briefly about the types of attacks.
Types of DDoS attacks in terms of the choice of operator protection
L3 / L4 attacks (by OSI model)
- UDP flood from a botnet (many requests are sent directly to the attacked service directly from infected devices, servers are flooded with a channel);
- DNS / NTP / etc amplification (many requests for vulnerable DNS / NTP / etc are sent from infected devices, the sender's address is faked, a cloud of packets with the response to requests floods the channel to the one being attacked; this is how the most massive attacks in the modern Internet are performed);
- SYN / ACK flood (many connection requests are sent to the attacked servers, the connection queue overflows);
- packet fragmentation attacks, ping of death, ping flood (google plz);
- etc.
These attacks aim to “fill up” the channel to the server or “kill” its ability to receive new traffic.
Although SYN / ACK flood and amplification are very different, many companies struggle equally well with them. Problems arise with attacks from the next group.
L7 attacks (application level)
- http flood (if a website or any http api is being attacked);
- attack on vulnerable parts of the site (not having a cache, very heavily loading the site, that is.).
The goal is to make the server “hard to work”, to process a lot of “as if real requests” and to remain without resources for real requests.
Although there are other attacks, these are the most common.
Serious attacks at the L7 level are created in a unique way for each project attacked.
Why 2 groups?
Because there are many who are able to repel attacks well at the L3 / L4 level, but either do not take up the defense at the application level (L7) at all, or while they are weaker than the alternatives.
Who is who in the DDoS protection market
(my personal view)
L3 / L4 protection
To repel attacks with amplification (“blockage” of the server channel), there are enough wide channels (many of the protection services connect to most major backbone providers in Russia and have channels with a theoretical capacity of more than 1 Tbit). Do not forget that very rare attacks with amplification last longer than an hour. If you are a Spamhaus and everyone doesn’t like you, yes, you can try to put channels for several days even with a risk for the continued survival of the used world botnet. If you just have an online store, even if it is mvideo.ru - 1 Tbit in a few days you will see very soon (hopefully).
In order to repel attacks with SYN / ACK flood, packet fragmentation, equipment or software systems are needed to detect and cut off such attacks.
Such equipment is produced by many (Arbor, there are solutions from Cisco, Huawei, software implementations from Wanguard, etc.), many backbone operators have already installed it and are selling DDoS protection services (I know about installations from Rostelecom, Megafon, TTC, MTS , in fact, for all major providers, hosters with their own protection, a-la OVH.com, Hetzner.de, have done it themselves in ihor.ru). Some companies are developing their software solutions (technologies like DPDK allow processing traffic of tens of gigabits on one physical x86 machine).
Of the known players, L3 / L4 DDoS is more or less effective, everyone can do it. I won’t say now who has the maximum channel capacity (this is insider information), but usually this is not so important, and the only difference is how quickly the protection is triggered (instantly or after a few minutes of downtime of the project, as in Hetzner).
The question is how well this is done: an attack with amplification can be repulsed by blocking traffic from countries with the most harmful traffic, and only really extra traffic can be discarded.
But at the same time, based on my experience, all serious players in the Russian market cope with it without problems: Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, Stormwall, Voxility, etc.
Companies in Russia rarely work with foreign security operators, with the exception of Cloudflare. I will write about Cloudflare separately.
Protection from operators such as Rostelecom, Megafon, TTK, Beeline did not come across, according to colleagues, they provide these services fairly well, but so far the lack of experience periodically affects: sometimes you need to screw something up through the support of the protection operator.
Some operators have a separate service “protection against attacks at the L3 / L4 level”, or “channel protection”, it costs much less than protection at all levels.
But how not a trunk provider beats off attacks of hundreds of Gbps, doesn’t it have its own channels?
The protection operator can connect to any of the major providers and repel the attacks "at his expense." You will have to pay for the channel, but all these hundreds of Gbps will not always be utilized, there are options for a significant reduction in the cost of channels in this case, so the scheme remains operable.
These are the reports from the upstream L3 / L4 protection I regularly received, supporting the hosting provider system.
L7 protection (application level)
Attacks at the L7 level (application level) are consistently and efficiently able to repel units.
I have a real big enough experience with
- Qrator.net;
- DDoS-Guard;
- G-Core Labs;
- Kaspersky.
They charge for every megabit of pure traffic, a megabit costs about several thousand rubles. If you have at least 100 Mbps of pure traffic - oh. Protection will be very expensive. I can tell in the following articles how to design applications in order to save very well on the capacity of protection channels.
The real "king of the hill" - Qrator.net, the rest of them are somewhat behind. Qrator is so far the only ones in my practice who give close to zero percentage of false positives, but they are several times more expensive than other market players.
Other operators also have high-quality and stable protection. Many services on our support (including very well-known in the country!) Are protected from DDoS-Guard, G-Core Labs, and quite satisfied with the result, I can recommend them.
Qrator repelled attacks
There is also experience with small protection operators like cloud-shield.ru, ddosa.net, etc. I definitely cannot recommend, because the experience is not very great, I will tell you about the principles of their work. The cost of protection from them is often 1-2 orders of magnitude lower than that of large players. As a rule, they buy the partial protection service (L3 / L4) from one of the larger players + they do their own defense against attacks at higher levels. This can be quite effective + you can get good service for less money, but these are still small companies with a small staff, please note.
Cloudflare
CloudFlare is a separate phenomenon. This is already a huge company that costs several billion dollars, their customers are half of the traffic generators of the world, and the DDoS protection service is simply the most famous among their services. We also constantly use them for DNS hosting, CDN, as a traffic proxying service.
For a website / service that doesn’t attack complex attacks, Cloudflare is quite ok, but with serious attacks (when they’re not just “flooding” the channel, but combining many types of attacks), they never saved us with a $ 200 Business plan, but talk about them Enterprise protection for Russia does not make sense, it is cheaper and more effective to turn to other players.
Why is that? I think it is difficult to make a massive, almost free service of very high quality.
By the way, many Russian-speaking engineers work in CF :)
Foreign security operators
I once had real experience with Dragonara.net (once the largest defense operator in the world), which no longer exists now.
Habré already has a lot of articles about modern operators, I’ll just give you a link to a fresh review: habr.com/ru/post/350384
Surely many of them are very good if the project is not aimed at the Russian market, but in Russia there are problems with them.
The first is that effective protection should be as close as possible to the defender and should take into account local peculiarities (some in Russia, some in China, others in South America).
The second reason: the really difficult and expensive task is the protection at the L7 level. And yes, it is expensive for everyone, in principle, not many companies in the world do a good L7 protection, and Russian services often simply win the competition.
What is the difficulty of repelling attacks at the L7 level?
All applications are unique, and you need to allow traffic that is useful to them and block harmful traffic. It is not always possible to weed out bots uniquely, so you have to use a lot, really MANY degrees of traffic cleaning.
Once, the nginx-testcookie module was enough, and it is still enough to repel a large number of attacks. When I worked in the hosting industry, my L7 protection was built just for nginx-testcookie. By the way, Beget.ru, Netangels.ru, FastVPS.ru had a similar system.
Alas, the attacks have become more difficult. testcookie uses checks on JS-based bots, and many modern bots are able to successfully pass them.
Attacking botnets are also unique, and you need to take into account the characteristics of each large botnet.
Amplification, direct flood from botnet, traffic filtering from different countries (different filtering for different countries), SYN / ACK flood, packet fragmentation, ICMP, http flood, while at the application / http level you can come up with an unlimited number of different attacks.
In total, at the level of channel protection, specialized equipment for traffic cleaning, special software, additional filtering settings for each client, there may be tens and hundreds of filtering levels.
To properly manage this and correctly tyunit filtering settings for different users, you need a lot of experience and qualified personnel. Even a large operator who decides to provide protection services cannot “stupidly throw money at a problem”: experience will have to be packed on lying sites and false positives on legitimate traffic.
For the protection operator there is no “repel DDoS” button, there are a large number of tools, they need to be able to use them.
And one more bonus example.
The server without protection was blocked by the hoster during an attack with a capacity of 600 Mbps
(The “loss” of traffic is not noticeable, since only 1 site was attacked, it was temporarily removed from the server and the block was removed within an hour).
The same server is protected. The attackers "surrendered" after a day of repulsed attacks. The attack itself was not the strongest.
L3 / L4 attacks and protection against them are more trivial, mainly they depend on the thickness of the channels, the algorithms of detection and filtering attacks.
L7 attacks are harder and more original, they depend on the attacked application, capabilities and fantasy of the attackers. Protection from them requires great knowledge and experience, and the result may not be immediately and not one hundred percent. So far, Google has not invented another neural network for protection.
Source: https://habr.com/ru/post/450092/
All Articles