Denial of service (DoS) is a distinct category of network attack whose goal is to make a particular web service unavailable to legitimate users. The attack is carried out by flooding the target server (the victim) with a mass of requests. Such attacks are easy to recognize, and the attacker itself is detected and blocked quite simply, so nobody bothers with them any more; the current generation of attacks is distributed (Distributed Denial of Service, DDoS). The attacker uses infected systems located around the world both to hide their own location and to make the attack more powerful and effective. This post covers how such attacks are fought, and a new way of countering DDoS remotely.

Anti-DDoS system performance: parameters for evaluating protection effectiveness
Protection against distributed DoS attacks is based on multifactor analysis of the traffic arriving at each protected server. During normal operation the protection system trains or tunes itself, and once an attack is detected it actively counteracts the illegitimate traffic, either automatically or on demand. The effectiveness of DDoS protection is usually described by three main parameters:
- The attack power (usually in Mbps) that the system is able to withstand.
- The accuracy of the system's actions when detecting and repelling an attack.
- The probability and number of false positives.
Depending on the combination of these parameters, the price and quality of services for protection against DDoS attacks are formed.
Our principle of protection
We use the following principle to protect against DDoS attacks. The protected unit is an IP segment placed in some security zone. A security zone is a set of IP segments for which thresholds for different types of traffic are set, automatically or manually. If the traffic arriving at a protected server significantly exceeds its threshold, then, depending on the size of the excess, an action is taken that ranges from limiting the rate of the attacking Internet host to blocking it completely. Zones in self-learning mode adjust their traffic thresholds automatically in real time to avoid false alarms, which can lead to degradation of some services.
The structure of the Anti-DDoS system is quite simple. It consists of modules responsible for detecting anomalies (Traffic Anomaly Detector) and modules responsible for suppressing them (Traffic Anomaly Guard). The detectors (ADM) sit as close as possible to the servers and monitor the traffic arriving at them. When a detector notices an anomaly, it reports it to the protection module (AGM). The protection module activates the zone and redirects all of the zone's traffic through itself, performing a series of complex calculations to recognize the malicious traffic and remove it from the network. The server receives traffic already cleaned of the DDoS and continues to operate normally; when the attack ends, the protection module removes itself from the traffic path and reports this to the detector.
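The following toy model, added here as an illustration and not the provider's Anti-DDoS software, shows the two halves described above working together: thresholds per traffic type are learned from a clean baseline (self-learning mode), a detector flags a second whose aggregate exceeds the threshold, and a guard then decides per source between passing, rate-limiting and blocking according to the size of the excess. The threshold rule (mean plus three standard deviations, with a floor), the per-source budget, the action ratios and all sample numbers are assumptions chosen to make the three outcomes visible.

```python
"""Toy model of the zone/threshold scheme and the detector/guard split.
Added illustration, not the provider's software: the threshold rule, the
per-source budget, the action ratios and the sample traffic are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: packets per second per traffic type seen on the zone
# over eight clean seconds, i.e. what self-learning mode would observe.
BASELINE = {
    "syn":  [40, 45, 38, 50, 42, 47, 44, 41],
    "udp":  [200, 210, 190, 205, 198, 215, 207, 201],
    "http": [300, 320, 310, 290, 305, 315, 298, 302],
}

# Constructed traffic for one second of the zone, as (source, traffic type,
# packets). 198.51.100.7 is the flood source; 203.0.113.9 is merely busy.
ATTACK_SECOND = [
    ("10.0.0.1", "syn", 10), ("10.0.0.2", "syn", 12),
    ("198.51.100.7", "syn", 400), ("203.0.113.9", "syn", 30),
    ("10.0.0.3", "http", 150), ("10.0.0.4", "http", 140),
]
CLEAN_SECOND = [
    ("10.0.0.1", "syn", 20), ("10.0.0.2", "syn", 22),
    ("10.0.0.3", "http", 150), ("10.0.0.4", "http", 140),
]


def learn_thresholds(baseline, k=3.0, floor=1.2):
    """Self-learning mode (assumed rule): threshold = mean + k * stdev per
    traffic type, never below floor * mean so a flat baseline keeps headroom."""
    thresholds = {}
    for ttype, samples in baseline.items():
        m, s = mean(samples), pstdev(samples)
        thresholds[ttype] = max(m + k * s, floor * m)
    return thresholds


def detect(thresholds, records):
    """Detector (ADM) view: sum one second of traffic per type and report the
    types over threshold as {type: observed / threshold}."""
    totals = defaultdict(int)
    for _src, ttype, pkts in records:
        totals[ttype] += pkts
    return {t: v / thresholds[t] for t, v in totals.items() if v > thresholds[t]}


def guard(thresholds, anomalies, records, share=0.25,
          limit_ratio=1.5, block_ratio=4.0):
    """Protection module (AGM) view: for each anomalous traffic type, compare
    every source against a per-source budget (assumed: `share` of the zone
    threshold) and choose pass, rate_limit or block by the size of the excess."""
    per_src = defaultdict(int)
    for src, ttype, pkts in records:
        if ttype in anomalies:
            per_src[(src, ttype)] += pkts
    actions = {}
    for (src, ttype), pkts in per_src.items():
        ratio = pkts / (share * thresholds[ttype])
        if ratio >= block_ratio:
            actions[(src, ttype)] = "block"
        elif ratio >= limit_ratio:
            actions[(src, ttype)] = "rate_limit"
        else:
            actions[(src, ttype)] = "pass"
    return actions


if __name__ == "__main__":
    thr = learn_thresholds(BASELINE)
    print("thresholds:", {t: round(v, 1) for t, v in thr.items()})
    print("clean second:", detect(thr, CLEAN_SECOND))
    anomalies = detect(thr, ATTACK_SECOND)
    print("attack second:", anomalies)
    for key, action in sorted(guard(thr, anomalies, ATTACK_SECOND).items()):
        print(f"  {key[0]:>14} {key[1]:<5} -> {action}")
```

Note that the busy but legitimate source 203.0.113.9 ends up rate-limited: that is exactly the false-positive degradation the text warns about, and the reason zone thresholds are tuned to the real traffic rather than fixed once.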
The general scheme of protection against DDoS looks like this:

We counter DDoS attacks in several ways and offer them as services to our own clients.
Dedicated protection zone
The user is allocated a dedicated protection zone that determines thresholds automatically, adapts to the traffic, and reacts to the appearance of abnormal traffic. This avoids the many false positives in the Anti-DDoS system that are characteristic of fixed parameters for the protected area. Protection is thus carried out around the clock and requires no action from the user to activate it.
Segment protection
This means placing the user's subnet in one of five protected zones, each configured for a specific volume and structure of traffic. The servers receive round-the-clock protection against attacks and, on request, can be moved between protected zones if their traffic structure has changed. Protection is also provided around the clock; on request, protection can be enabled or disabled for servers that experience false positives, or the protection of servers can be tuned manually together with the engineers of the network operations center (NOC).
On-Demand Protection
The simplest option: at the request of the user under attack, all available capacity of the attack-prevention system is used to cut off the attack.
Remote DDoS protection, features, advantages and disadvantages
Recently we tried out and launched, for testing, remote protection against DDoS attacks. For an attack to be repelled, the user directs the traffic intended for the protected resource to the DDoS protection equipment located in our data center. To do this, a new IP address is registered in the resource's DNS zone, and once the new DNS data has propagated to the corresponding nodes, all traffic to the resource first passes through a powerful hardware system that counters the attack.
The attack is suppressed by one of two methods. In basic mode, all user sessions are cleaned of the DDoS and passed to the data center switches, from which they are forwarded to the client's equipment on the Internet.
The advantage of this method is that the user needs no special equipment and no changes to the existing service structure, and can use the protection both on demand and on a permanent basis.
The disadvantage is that, under permanent protection, the client resource loses full visitor statistics for the site, since all connections to the resource will appear to come from a single address.
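The following example, added here and not part of the service described above, illustrates that statistics problem and the usual way an origin server can recover the visitor address when a cleaning proxy passes it along. It assumes the proxy appends the address it saw to an X-Forwarded-For header (a common convention, but an assumption about this service) and that the origin knows the proxy's address block (a placeholder prefix is used). The security-relevant detail is that the header is honoured only for connections that really come from the trusted proxy; otherwise any direct client could forge log entries just by sending the header.

```python
"""Recovering the visitor address behind a cleaning proxy.
Added illustration, not the provider's code. Assumes an X-Forwarded-For
header appended by the proxy and a known, trusted proxy address block."""
import ipaddress

# Constructed: address block of the cleaning centre that proxies traffic in
# basic mode. Placeholder value, not the provider's real prefix.
TRUSTED_SCRUBBERS = [ipaddress.ip_network("192.0.2.0/24")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_SCRUBBERS)


def client_address(peer_ip, headers):
    """Address to record in the visit log for one connection.

    The chain of hops is [TCP peer, rightmost X-Forwarded-For entry, ...,
    leftmost entry]. Walking it from the peer inwards and dropping trusted
    hops yields the address the trusted proxy itself saw as its client. A
    connection that does not come from a trusted proxy keeps its real peer
    address, so the header cannot be used to forge a log entry."""
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in [peer_ip] + hops[::-1]:
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: stop trusting the header, fall back to the peer.
            return peer_ip
        if not _trusted(addr):
            return str(addr)
    # Every hop was a proxy address: nothing better than the peer to record.
    return peer_ip


def unique_visitors(log):
    """(distinct peer addresses, distinct client addresses) for a list of
    (peer_ip, headers) records: the first number is what the origin sees
    without header handling, the second what it sees with it."""
    peers = {peer for peer, _ in log}
    clients = {client_address(peer, hdrs) for peer, hdrs in log}
    return len(peers), len(clients)


# Constructed access records as seen by the origin server behind the proxy.
SAMPLE_LOG = [
    ("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}),
    ("192.0.2.10", {"X-Forwarded-For": "198.51.100.20"}),
    # Two proxy hops inside the cleaning centre.
    ("192.0.2.11", {"X-Forwarded-For": "203.0.113.5, 192.0.2.10"}),
    # Direct connection that bypassed the proxy and forged the header.
    ("198.51.100.77", {"X-Forwarded-For": "10.9.9.9"}),
    # Proxy hop with a corrupted header.
    ("192.0.2.10", {"X-Forwarded-For": "not-an-address"}),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_LOG:
        print(f"{peer:>14} -> {client_address(peer, hdrs)}")
    print("distinct (peer, client):", unique_visitors(SAMPLE_LOG))
```

Without header handling the sample log shows three "visitors", two of which are the proxy's own addresses; with it, four distinct real clients are recovered, and the forged header on the direct connection is ignored.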
The second method is more complicated; we call it the “tunnel” mode. After the client's traffic has been cleaned of the DDoS, it enters the data center's VPN equipment, from which it is carried over an IPsec tunnel to the user's server, located anywhere on the Internet.
The advantage here is that the user keeps complete statistics on visits to the site. The disadvantage is the need for special equipment to terminate the IPsec tunnel.
When using remote protection against DDoS attacks, bear in mind that the general disadvantage of such a service in “on demand” mode is the long time the DNS takes to react to changes of records in the zone.
Plans for the organization of remote protection against DDoS


DDoS Attack Monitoring
Thanks to round-the-clock monitoring of all systems, the user always has a picture of the situation and can directly assess the return on investment in security systems. Every attack repelled by the protection system is visualized and can be watched in real time. The graph below shows how activating the protection restored the normal level of legitimate traffic (green line) and filtered out the DDoS attack traffic (red line):

After the attack, the user can request from the NOC a short or full report on the attack, which allows one to assess how effectively the Anti-DDoS system protects resources.
We hope this information will be useful and relevant in today's conditions.