Own goal. Testing protection against DDoS attacks

    The topic of DDoS attacks, their types and methods of protection has been repeatedly raised by our authors in the past . We carefully follow the wishes of our readers and, therefore, today we will demonstrate the DDoS protection service using a living example. In this article we will analyze a similar task: we will make a test web application, organize a stress test simulating a DDoS attack, and compare the network load statistics with and without protection.

    Under the cut a lot of images and gifs.

    We already wrote about the types of DDoS attacks and how to protect against them in our previous article . In addition to basic solutions for monitoring and filtering network traffic, Selectel provides a service for advanced protection against DDoS attacks. This level of protection adds an additional step to the traffic cleaning complex in the form of a special proxy server configured for specific applications.

    In this article, we will consider the case of an attack aimed at overloading the bandwidth, and we specifically use the DrDOS (Distributed Reflection Denial of Service) method , which uses the request reflection technique. This method is interesting in that it allows you to repeatedly increase the attack volume in comparison with the throughput of the infected machine, and was chosen by us because it clearly shows the scale of a possible attack.

    Action plan

    We will demonstrate the service for protection against DDoS attacks using an experiment, the purpose of which is to compare the performance of a web server under a DDoS attack with and without a connected service. To do this, we will organize two stress tests with the same attack parameters on a pre-prepared web server in VPC through a secure and direct IP address. We will evaluate the degree of impact of the DDoS attack protection service on filtering unwanted traffic using processor and network device load metrics. In addition, we use a service monitoring tool to determine the availability of a web server in different locations.

    Web server :

    • A simple Wordpress site deployed using a standard LAMP stack;
    • A virtual server in a VPC with 1 vCPU and 1 GB of RAM on Ubuntu.

    Monitoring tools :

    • Netdata utility for viewing system information in real time;
    • Monitoring  service availability, in which we use a simple GET request to conduct a test.

    Stress Test Tool :

    • IP Stresser , which provides the ability to create a test with an attack volume of up to 3 Gb / s.

    As a result of testing, it is expected that when the service for protection against DDoS attacks is connected, the service will not be affected. In the next part, we will consider the creation and configuration of an application in VPC and the process of connecting a service. Then we will conduct stress tests and compare the readings of the metrics.

    Application setup and connection of the DDoS protection service

    As the environment for hosting the web server, we chose a virtual private cloud for the ability to quickly create a virtual machine and connect a public subnet:

    We also included a public subnet in the allocated resources - a floating IP address is not suitable for working with the DDoS protection service:

    Next create a server inside the project, using the finished image of Ubuntu 16.04 as the source for installing the system. In the network settings section, you must select a connection through a previously reserved public subnet, and also select and record a public IP address: we will need it later.

    After installing the server, we will configure Wordpress using the standard LAMP stack :

    After making sure that the application is working, we will proceed to ordering the DDoS protection service.

    Service activation Basic DDoS protection

    The order of the service is carried out in the Networks and services section of the Selectel dashboard:

    Select the Basic protection from DDoS 10 Mbps item and pay for the service:

    After connecting the service, a ticket will be created for technical support to configure protection for your application. The tech support person needs to provide the IP address and type of application. After receiving all the necessary information, the protection will be configured. Additional information about the connected protection and services will be in the response message of the support service:

    We were allocated a secure IP address, which we will configure later, as well as the data for access to the attack statistics service. In addition, as you can see from the message, you need to configure the application to work with the new dedicated secure IP address, because traffic arriving at the original IP address will not be filtered.

    Setting aliases varies slightly between systems, in our example we use Ubuntu, where this is done with the following command:

    $ sudo ifconfig eth0:0 up

    At this stage, it remains to test the operation and availability of the service through a secure IP address:

    Stress test for insecure IP address

    Let's pass to the stress test of the system to an unprotected IP address with the following attack settings:

    The destination host is the address that will have to be hidden during the actual use of the service - the traffic going to it will not be filtered and will lead to a failure of the system.

    Let's start the first stress test:

    It is evident that processor overload occurs almost instantly and the amount of received traffic tends to 3 Gbit / s:

    Now we will evaluate the availability and response time of the service in different geographical points:

    Most of the check points showed the unavailability of the specified service and a long response time, which talks about the success of the stress test and the vulnerability of the current configuration to transport-level DDoS attacks.

    Summarizing the results obtained, it is obvious that the web server completely took over the entire volume of the test attack, and if the load increased, the application would fail. Next, we test the availability of a web server with a service for protecting against DDoS attacks, but in real systems it is highly desirable to take additional measures to ensure application security at the software level.

    Stress test for secure IP address

    Using completely similar parameters for the attack, besides the IP address, we will run a stress test:

    It can be seen that the recorded volume of incoming traffic is about 120 Mbit / s, and the processor load is about 20%:

    Now we turn to testing the availability and response time of the web server through a monitoring tool:

    Now we can say that the use of such a service for protection against DDoS attacks provides a certain level of security for the web server.

    Attack monitoring and statistics

    As soon as an attack on a secure address starts, the client is notified of this event by email:

    To view information about attacks in real time, a web interface is available:

    It contains more detailed information about incoming traffic:

    You can also see traffic sources by country:


    Our experience has shown that the web server remains operational under a test DDoS attack when the DDoS protection service is connected. In addition, the use of our service allows you to monitor in real time the incoming DDoS attacks without additional settings of the working systems and quickly respond to them.

    The space for further research can include the creation of more complex stress tests and the use of not only basic protection, but also expanded with more advanced traffic filtering tools.

    You can familiarize yourself with the types of protection and the successful experience of our clients on the service page .

    Also popular now: