Local and remote prevention of DDoS attacks: features, advantages, disadvantages, monitoring

    Denial of Service (DoS) threat is a special category of network attacks, whose goal is the inaccessibility of a web service for legitimate users. The attack is implemented by creating a mass of calls to the server-victim (victim). Such attacks are easily recognized, and the initiator of the attack itself is detected and blocked quite simply. Therefore, now no one is playing such toys, and the new generation of attacks is Distributed Denial of Service. The initiator of the attack uses infected systems located around the world to simultaneously hide its location and make the attack more powerful and effective. This post is dedicated to how the fight against attacks is going on, as well as a new way to remotely combat DDoS.


    Operation of Anti-DDoS systems, parameters for evaluating protection effectiveness

    Protection against distributed DDoS attacks is based on a multivariate analysis of traffic arriving at each protected server. During normal operation, the protection system can self-learn or configure itself, and after detecting an attack, either automatically or on demand, actively counteracts illegitimate traffic. The effectiveness of protection against DDoS attacks is usually described by three main parameters:
    • Attack power (usually in Mbps) that the system can withstand
    • The accuracy of the system when detecting and repelling an attack
    • The probability and number of false positives (False Positive)

    Depending on the combination of these parameters, the price and quality of services for protection against DDoS attacks are formed.

    Our protection principle

    We use the following principle of protection against DDoS attacks. The protected unit is the ip segment located in an arbitrary security zone. A security zone is a combination of IP segments for which thresholds for different types of traffic (thresholds) are set automatically or manually. If the traffic coming to the
    protected server significantly exceeds the threshold, then, depending on the level of excess, an action is applied that can both limit the speed of the attacking Internet site and completely block it. Self-learning zones are able to automatically adjust traffic thresholds in real time in order to avoid false positives that can lead to the degradation of some services.

    The structure of the Anti-DDoS system is quite simple. It consists of modules responsible for the Traffic Anomaly Detector and modules responsible for the prevention of anomalies (Traffic Anomaly Guard). Detectors (ADMs) are located as close to the servers as possible and monitor traffic coming to the servers. When the detector detects an anomaly, it reports this to the
    protection module (AGM). The protection module activates the zone and directs all traffic of the zone to itself, performing a series of complex calculations, recognizing and removing malicious traffic from the network.

    The server receives traffic already cleared from DDoS and continues to function normally, and when the attack is completed, the protection module excludes itself from the traffic path and reports this to the detector.

    The general DDoS protection scheme looks like this:


    We work with DDoS attacks in several ways and provide them as services to our customers.

    Dedicated Protection Zone

    A special protection zone is allocated for the user, automatically detecting thresholds and adjusting to traffic, as
    well as reacting as accurately as possible to the appearance of anomalous traffic. This avoids a lot of false positives in the Anti-DDoS system, which are characteristic for the fixed parameters of the protected zone. Thus, protection is carried out around the clock and does not require the user to take any actions related to activation.

    Segment Protection

    It implies placing the user's subnet in one of five protected zones, each of which is configured for a certain amount and structure of traffic. Servers receive round-the-clock protection against attacks and can be moved
    between protected zones upon request if the traffic structure of these servers has changed. Protection is also provided around the clock, and on request you can enable or disable the protection of servers for which False Positive (false positives) occur, or, together with the engineers of the Network Management Service (NOC), adapt server protection in manual mode.

    On Demand Protection

    The easiest way is when, at the request of the attacked user, all available power of the attack prevention system is used to cut off the attack.

    Remote DDoS protection, features, advantages and disadvantages

    Recently, we tested and launched a test operation of remote protection against DDoS attacks. In order for the attack to
    be repelled, the user directs the traffic intended for the protected resource to the DDoS protection equipment located in our data center. To do this, a new IP address is written in the DNS zone of the resource, and after the new DNS data is distributed to the appropriate nodes, all traffic to the resource will first be sent to a powerful hardware system to counter the attack.

    The attack is suppressed by two methods. In basic mode, all user sessions are cleared of DDoS and broadcast to the data center switches, and then they are sent to the client’s equipment on the Internet.

    The advantage of this method is that the user does not need special equipment or changes
    the existing structure of the service, and it can use protection both on demand and on an ongoing basis.
    The disadvantage of this method is that the client resource is deprived of full statistics on site visits (since all connections to this resource will look like established from a single address) for the duration of protection.

    The second method is more complex, we call it “tunnel”. After the client’s traffic is cleared of DDoS, it
    goes to the VPN equipment of the data center, from where it is transmitted via the IPSec tunnel to the user’s server located in any part of the Internet.

    The advantage here is the fact that the user can maintain comprehensive statistics on traffic to his site. But the disadvantage is the need for special equipment for terminating the IPSec tunnel.

    When using remote protection against DDoS attacks, it must be taken into account that the common drawback of working with such a service in the “on demand” mode is the long reaction time of the DNS service to changing records in the zone.

    Remote DDoS Protection Schemes



    DDoS Attack Monitoring

    Due to round-the-clock monitoring of all systems, the user can constantly have an idea of ​​the situation and directly evaluate the effectiveness of investments in security systems. Each attack reflected by the defense system is visualized and can be
    observed in real time. Below, in the graph, you can see how the protection activation restored the normal level of legitimate traffic (green graph) and filtered DDoS attack traffic (red graph):


    After the attack, the user can request a short or full attack report in the NOC service, which allows assessing how much effective operation of the Anti-DDoS system allows you to save resources.

    We hope this information will be useful and relevant in today's environment.

    Also popular now: