What do DDoS protection services do not negotiate or why protection does not work
The reason for this article was a security audit in one Internet project. The customer asked to deal with their security system and check how susceptible they are to one or another attack. At the same time, they assured us that they are completely protected from DDoS attacks and there is no reason to worry, since they are protected by one of the market leaders - Incapsula.
This was where great surprise awaited us - the customer was completely unprotected.
Let's see what happened, but first a little theory.
I will not describe what a DDoS attack is, I only note that they are divided into 2 types:
- DDoS Layer 3 & 4 according to the OSI model. One of the characteristics of this attack is the large number of packets that attack the resource. At the moment, the average attack power in the world is 9.7 Gb / s and 19 Mpps.
- DDoS Layer 7 according to the OSI model, that is, an attack on the application level. As a rule, an attack does not contain a large number of packets (orders of magnitude lower than with DDoS L3 & 4), rather it is characterized by a targeted hit on the weak spot of the attacked site.
Connection to services protecting against DDoS attacks occurs as follows:
- For the protected resource, the address of the protecting one is registered in DNS;
- The client indicates to which ip address to send the cleared traffic (as a rule, to the same address as it was before connecting to the service). Perhaps raising the tunnel.
Now I don’t specifically analyze the case of connecting using BGP, everything is not so good there either, but most of the clients are connected via changes to the DNS record.
The customer is satisfied, relaxed and fully confident in the future! But, in fact, exactly at the moment when the customer relaxed, he became even less protected!
Let's look at why or how to circumvent protection.
Indeed, when we try to get the customer’s IP address by the name of the site, we get the IP address of the protection service:
$ nslookup www.XXXXXXXX.ru
www.XXXXXXXX.ru canonical name = xxx.incapdns.net.
Name: xxx.incapdns.net
Address: 149.126.xxx.xxx
But no one bothers us to look at the DNS history for this name. We go to any site that provides such information. And what we see:
As a result, we see that his previous ip-address is zzz.zzz.zzz.zzz; moreover, now we know that it is located at the HOSTER LTD site in the USA (it will be further understood why this is also important).
It remains only to carefully look at the server that has this ip-address and we already know for sure that this is the customer server we are looking for.
All! We attack this server by ip-address and the customer lies as much as we need. A lot of money was spent on the wind, but the costs did not pay off, the protection does not work.
Below I will describe recommendations for the proper use of such services.
Oddly enough, but none of the most popular - both in the West and in Russia DDoS protection services - does not give any recommendations on this issue to its customers.
Once you have highlighted your ip-address in the DNS service at least once, you will never be able to delete this information - it will always be available in the DNS history. Moreover, you lit up your location (hoster, commercial data center, etc.).
If you want to completely protect yourself - leave this place. As soon as you stay, your service will be attacked if you are of any value to attackers.
Consider how attackers will behave and try to understand, depending on the size of your project, what needs to be done in this situation.
1) You have a small site and you originally posted it from a hosting provider. The correct actions are to configure the http-server in such a way that it only accepts requests from the IP addresses of the protector (so you definitely remove the possibility of a DDoS Layer 7 attack) and change the IP address (protection from DDoS Layer 3 & 4). In this case, the attackers will not be able to find your site directly, but this does not mean that you are safe. The average host in Russia has channels 1-5 Gb / s and if you are really interesting to the attackers, they will attack (DDoS Layer 3 & 4) on the host’s channels and put it and you along with it.
2) You have a dedicated Virtual Private Server and your project is located on it . Correct actions:
- configure the http server so that it accepts requests only from the IP addresses of the protector (so you will definitely remove the possibility of a DDoS Layer 7 attack);
- configure the firewall so that all extra ports are closed and / or accept connections only from IP addresses known to you. If you did not do this from the very beginning when connecting to the DDoS protection service, then perhaps the attackers have already examined your server and found out which ports are open and which are not (the attackers made a fingerprint on your system). This means that they know what kind of machine they need to look for in the provider's network;
- change ip-address (protection against DDoS Layer 3 & 4).
If you stayed on an existing cloud provider, you are still not safe. The most vulnerable part of the cloud provider is the management console (even with Amazon it is not very well protected). On the channels of a small cloud provider, attackers can conduct a DDoS Layer 3 & 4 attack and put the entire cloud.
3) You have a large project and many servers standing in any commercial data center. Such a project is the most difficult to protect. It is necessary to approach this task in a comprehensive manner, changing ip and setting up a firewall does not solve anything (but this does not mean that this should not be done). At a minimum, you need to change the grid that the provider gave you. Just change, and not add a new one, otherwise, you don’t even have to look - the attackers will simply put your channels, attacking the old grid. As a rule, in such projects there are services that cannot or cannot be protected from DDoS - think about how to properly distribute these services on different networks or even sites, otherwise you will be found on them (the simplest example is MX records of the mail service).
DDoS protection services are not a panacea, but they can help a lot if you take a few more steps in the right direction.
Good luck to you and your projects.
This was where great surprise awaited us - the customer was completely unprotected.
Let's see what happened, but first a little theory.
I will not describe what a DDoS attack is, I only note that they are divided into 2 types:
- DDoS Layer 3 & 4 according to the OSI model. One of the characteristics of this attack is the large number of packets that attack the resource. At the moment, the average attack power in the world is 9.7 Gb / s and 19 Mpps.
- DDoS Layer 7 according to the OSI model, that is, an attack on the application level. As a rule, an attack does not contain a large number of packets (orders of magnitude lower than with DDoS L3 & 4), rather it is characterized by a targeted hit on the weak spot of the attacked site.
Connection to services protecting against DDoS attacks occurs as follows:
- For the protected resource, the address of the protecting one is registered in DNS;
- The client indicates to which ip address to send the cleared traffic (as a rule, to the same address as it was before connecting to the service). Perhaps raising the tunnel.
Now I don’t specifically analyze the case of connecting using BGP, everything is not so good there either, but most of the clients are connected via changes to the DNS record.
The customer is satisfied, relaxed and fully confident in the future! But, in fact, exactly at the moment when the customer relaxed, he became even less protected!
Let's look at why or how to circumvent protection.
Indeed, when we try to get the customer’s IP address by the name of the site, we get the IP address of the protection service:
$ nslookup www.XXXXXXXX.ru
www.XXXXXXXX.ru canonical name = xxx.incapdns.net.
Name: xxx.incapdns.net
Address: 149.126.xxx.xxx
But no one bothers us to look at the DNS history for this name. We go to any site that provides such information. And what we see:
| IP Address | Location | IP Address Owner | Last seen on this IP |
|---|---|---|---|
| 149.126.xxx.xxx | Binghamton - United States | Incapsula Inc. | 2015 |
| 149.126.yyy.yyy | Binghamton - United States | Incapsula Inc. | 2015 |
| zzz.zzz.zzz.zzz | United states | HOSTER LTD | 2014 |
As a result, we see that his previous ip-address is zzz.zzz.zzz.zzz; moreover, now we know that it is located at the HOSTER LTD site in the USA (it will be further understood why this is also important).
It remains only to carefully look at the server that has this ip-address and we already know for sure that this is the customer server we are looking for.
All! We attack this server by ip-address and the customer lies as much as we need. A lot of money was spent on the wind, but the costs did not pay off, the protection does not work.
Below I will describe recommendations for the proper use of such services.
Oddly enough, but none of the most popular - both in the West and in Russia DDoS protection services - does not give any recommendations on this issue to its customers.
So what needs to be done?
Once you have highlighted your ip-address in the DNS service at least once, you will never be able to delete this information - it will always be available in the DNS history. Moreover, you lit up your location (hoster, commercial data center, etc.).
If you want to completely protect yourself - leave this place. As soon as you stay, your service will be attacked if you are of any value to attackers.
Consider how attackers will behave and try to understand, depending on the size of your project, what needs to be done in this situation.
1) You have a small site and you originally posted it from a hosting provider. The correct actions are to configure the http-server in such a way that it only accepts requests from the IP addresses of the protector (so you definitely remove the possibility of a DDoS Layer 7 attack) and change the IP address (protection from DDoS Layer 3 & 4). In this case, the attackers will not be able to find your site directly, but this does not mean that you are safe. The average host in Russia has channels 1-5 Gb / s and if you are really interesting to the attackers, they will attack (DDoS Layer 3 & 4) on the host’s channels and put it and you along with it.
2) You have a dedicated Virtual Private Server and your project is located on it . Correct actions:
- configure the http server so that it accepts requests only from the IP addresses of the protector (so you will definitely remove the possibility of a DDoS Layer 7 attack);
- configure the firewall so that all extra ports are closed and / or accept connections only from IP addresses known to you. If you did not do this from the very beginning when connecting to the DDoS protection service, then perhaps the attackers have already examined your server and found out which ports are open and which are not (the attackers made a fingerprint on your system). This means that they know what kind of machine they need to look for in the provider's network;
- change ip-address (protection against DDoS Layer 3 & 4).
If you stayed on an existing cloud provider, you are still not safe. The most vulnerable part of the cloud provider is the management console (even with Amazon it is not very well protected). On the channels of a small cloud provider, attackers can conduct a DDoS Layer 3 & 4 attack and put the entire cloud.
3) You have a large project and many servers standing in any commercial data center. Such a project is the most difficult to protect. It is necessary to approach this task in a comprehensive manner, changing ip and setting up a firewall does not solve anything (but this does not mean that this should not be done). At a minimum, you need to change the grid that the provider gave you. Just change, and not add a new one, otherwise, you don’t even have to look - the attackers will simply put your channels, attacking the old grid. As a rule, in such projects there are services that cannot or cannot be protected from DDoS - think about how to properly distribute these services on different networks or even sites, otherwise you will be found on them (the simplest example is MX records of the mail service).
Conclusion
DDoS protection services are not a panacea, but they can help a lot if you take a few more steps in the right direction.
Good luck to you and your projects.