1. Defensive base
1.1. How big is the attack flow?
The first task in DDoS defense is to measure how large the attack actually is. The question sounds simple, but it hides a number of details that are easy to get wrong.
Take SYN flood as an example. To send as fast as possible and fill the server's SYN wait queue as efficiently as possible, the attack program builds the IP and TCP headers without any optional fields, so the IP header is exactly 20 bytes and the TCP header is exactly 20 bytes, 40 bytes in total.
Ethernet requires a data field of at least 46 bytes, and the attack packet is only 40 bytes, so the NIC pads the frame when sending: six zero bytes are appended after the TCP header to meet the minimum length. At this point the frame consists of a 14-byte Ethernet header, a 20-byte IP header, a 20-byte TCP header and 6 bytes of zero padding, 60 bytes in total.
That is still not the end. Ethernet frames carry a CRC check: before sending, the NIC computes a 4-byte CRC over the frame and appends it at the very end. The packet is now not 40 bytes but 64 bytes, which is the SYN attack packet people usually refer to. Its structure is as follows:
| 14-byte Ethernet header                       | 20-byte IP header | 20-byte TCP header | 6-byte padding   | 4-byte CRC |
| destination MAC | source MAC | protocol type  | IP header         | TCP header         | Ethernet padding | FCS        |
At 64 bytes the SYN packet is padded and ready for transmission. Attack packets are small, far below the 1500-byte maximum transmission unit (MTU), so they are never fragmented. One might imagine these packets as cans on a production line, packed back to back with nothing between them. In fact that is not how Ethernet works.
Ethernet transmission also has a preamble and an inter-frame gap. The preamble occupies 8 bytes (64 bits). Its first 7 bytes are 10101010, alternating 1s and 0s; the eighth byte is 10101011, and when the receiving host sees the two consecutive 1 bits it knows that the frame data starts immediately after. The inter-frame gap is 12 bytes. On the wire the data is laid out as follows:
| 8-byte preamble | 6-byte destination MAC | 6-byte source MAC | 2-byte upper protocol type | 20-byte IP header | 20-byte TCP header | 6-byte Ethernet padding | 4-byte CRC | 12-byte inter-frame gap |
With this foundation we can compute attack traffic against the line rate of network devices. When minimal SYN packets containing only an IP header and a TCP header run over Ethernet, a 100 Mbit link can carry at most 100 x 10^6 / (8 x (64 + 8 + 12)) = 148809 packets per second (PPS), and a 1000 Mbit link can carry at most 1488090 PPS.
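The byte accounting in 1.1 is easy to verify by building the frame. The following is an added example (not code from the original article): it assembles a minimal SYN frame exactly as described, with a 20-byte IP header, a 20-byte TCP header, six zero bytes of padding and a 4-byte CRC, then applies the preamble and inter-frame gap to compute the maximum PPS of a link. The MAC and IP addresses are constructed sample values, the TCP checksum is left at zero because only the length matters here, and the function names are this example's own. Note that computed exactly, the 1 Gbit figure comes out to 1,488,095; the 1,488,090 in the text is a rounding of the same calculation.

```python
import struct
import zlib

# Sizes from the text, in bytes: Ethernet header, minimum data field, FCS,
# preamble and inter-frame gap.
ETH_HDR, MIN_DATA, FCS, PREAMBLE, IFG = 14, 46, 4, 8, 12


def ip_checksum(header: bytes) -> int:
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_min_syn_frame(src_ip: bytes, dst_ip: bytes, sport: int, dport: int) -> bytes:
    """Construct the 64-byte SYN frame as it looks after the NIC pads it and
    appends the CRC. MAC addresses are constructed (locally administered)."""
    dst_mac = b"\x02\x00\x00\x00\x00\x02"
    src_mac = b"\x02\x00\x00\x00\x00\x01"
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)  # EtherType IPv4

    # IPv4: version 4, IHL 5 (20 bytes, no options), total length 40, TTL 64, proto TCP.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]

    # TCP: data offset 5 (20 bytes, no options), SYN flag only, window 65535.
    # Checksum left at zero: the point of this example is length, not validity.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0, 5 << 4, 0x02, 65535, 0, 0)

    data = ip + tcp                                  # 40 bytes, below the 46-byte minimum
    data += b"\x00" * (MIN_DATA - len(data))         # NIC pads with six zero bytes
    frame = eth + data                               # 60 bytes so far
    fcs = struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)  # 4-byte CRC appended last
    return frame + fcs                               # 64 bytes on the frame level


def wire_bytes_per_packet(frame_len: int) -> int:
    """Bytes actually occupied on the medium: preamble + frame + inter-frame gap."""
    return PREAMBLE + frame_len + IFG


def max_pps(link_mbit: int, frame_len: int = 64) -> int:
    """Maximum packets per second a link of link_mbit Mbit/s can carry."""
    return link_mbit * 1_000_000 // (8 * wire_bytes_per_packet(frame_len))


def attack_mbit(pps: int, frame_len: int = 64) -> float:
    """Link bandwidth consumed by pps packets of frame_len bytes, in Mbit/s."""
    return pps * 8 * wire_bytes_per_packet(frame_len) / 1_000_000


if __name__ == "__main__":
    frame = build_min_syn_frame(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]), 40000, 80)
    print("frame bytes:", len(frame), "wire bytes:", wire_bytes_per_packet(len(frame)))
    print("max PPS 100 Mbit:", max_pps(100), "1000 Mbit:", max_pps(1000))
    print("500 kpps of minimal SYNs consumes", attack_mbit(500_000), "Mbit/s")
```

The practical use of `max_pps` is sanity-checking a monitoring reading: a claimed "300 kpps on a 100 Mbit uplink" cannot be minimal SYN packets, while a 1 Gbit uplink is saturated at under 1.5 Mpps, which is why devices are rated by PPS and not only by bandwidth.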
1.2. SYN Flood Defense
As described above, a SYN flood attacks the server's CPU and memory and fills the SYN wait queue. Tuning the following kernel parameters mitigates it effectively. The main ones are:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
These enable SYN cookies, set the maximum SYN queue length, and set the maximum number of SYN+ACK retries, respectively.
SYN cookies relieve resource pressure on the server. Without them, the server allocates storage as soon as it receives a SYN, picks a random number as the sequence number of its SYN+ACK, and keeps the connection state while waiting for the client's confirmation. With SYN cookies enabled, the server allocates nothing: instead of a fully random sequence number, it derives one from a time-seeded algorithm, sends the SYN+ACK, and then holds no state at all. Only when the client's final ACK arrives does the server run the cookie check to see whether the acknowledged number matches the sequence number it sent in the SYN+ACK; if it matches the handshake completes, otherwise the packet is discarded. Of course, the SYN-mixed-with-ACK attack from the advanced-attack section earlier is a counter to exactly this defense, and there the outcome is decided by the hardware on each side.
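The stateless exchange just described can be seen in a few lines. The following is an added example (not the kernel's implementation and not code from the article): the server derives the SYN+ACK sequence number from a keyed hash over the connection 4-tuple and a coarse time counter, stores nothing, and validates the client's final ACK by recomputing the hash. The secret, the MSS table, the bit layout (5 bits of time, 3 bits of MSS index, 24 bits of hash) and all function names are this example's own choices; the real Linux layout differs in detail.

```python
import hashlib
import hmac
import struct

# Constructed server secret; a real implementation rotates it periodically.
SERVER_SECRET = b"constructed-example-secret"
# MSS values the cookie can encode in 3 bits, smallest first.
MSS_TABLE = (536, 1220, 1440, 1460)


def _hash24(src: bytes, dst: bytes, sport: int, dport: int, count: int) -> int:
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, count & 0xFFFFFFFF)
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src: bytes, dst: bytes, sport: int, dport: int, mss: int, count: int) -> int:
    """Sequence number to put in the SYN+ACK. Layout: 5 bits of time counter,
    3 bits of MSS index, 24 bits of hash. Nothing is stored on the server."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                      # largest table entry not above the client's MSS
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, count)


def check_cookie(src: bytes, dst: bytes, sport: int, dport: int,
                 ack_number: int, count: int, max_age: int = 1):
    """Validate the final ACK of the handshake. Returns the MSS encoded in the
    cookie if it is genuine and at most max_age counter ticks old, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges our ISN + 1
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for age in range(max_age + 1):
        candidate = count - age
        if candidate < 0:
            break
        # Comparing ints is not constant-time; a production check would compare digests.
        if (candidate & 0x1F) == t and _hash24(src, dst, sport, dport, candidate) == h:
            return MSS_TABLE[mss_idx]
    return None


def simulate_handshake(forged_ack: bool = False, count: int = 100):
    """Server side of one handshake with constructed addresses: a SYN arrives,
    a SYN+ACK carrying the cookie leaves, no state is kept; then an ACK arrives.
    A forged ACK (as in an ACK flood) carries an arbitrary ack number."""
    src, dst, sport, dport = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]), 40000, 80
    isn = make_cookie(src, dst, sport, dport, 1460, count)
    ack_number = 0x13572468 if forged_ack else (isn + 1) & 0xFFFFFFFF
    # one counter tick has passed by the time the ACK arrives
    return check_cookie(src, dst, sport, dport, ack_number, count + 1)


if __name__ == "__main__":
    print("legitimate ACK accepted, MSS:", simulate_handshake())
    print("forged ACK accepted:", simulate_handshake(forged_ack=True))
```

Two properties of the scheme are visible here: the server cannot remember TCP options beyond what fits in the cookie bits (hence the MSS table), and an ACK with a stale or guessed number is dropped without any lookup, which is what keeps a flood of spoofed SYNs from costing memory.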
tcp_max_syn_backlog spends server memory to buy a longer wait queue, so that attack packets cannot occupy every slot and lock normal users out of completing the handshake. net.ipv4.tcp_synack_retries reduces the number of SYN+ACK retransmissions so that waiting resources are released sooner. These three measures each target one of the three attack effects and are the right remedy for each. They are also double-edged: they may consume more server memory and can even affect normal users establishing TCP connections, so they must be set carefully after evaluating the server's hardware resources and the attack size.
Besides customizing the TCP/IP stack, a common practice is the TCP first-packet-discard scheme, which uses TCP's retransmission mechanism to tell normal users from attack packets. When the defense device receives a SYN from an IP address, it first checks whether the IP is in the whitelist; if so, the packet is forwarded to the back end. If it is not in the whitelist, the device checks whether this is the first SYN from that IP within a certain period. If it is, the SYN is discarded and the device waits for a period of time for a retransmitted SYN from that IP. If a retransmission arrives, it is forwarded and the IP is added to the whitelist; if the wait times out, the traffic is judged to be an attack and the IP is added to the blacklist.
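The decision logic of first-packet discard is a small state machine over (source IP, time). The following is an added example (a constructed model, not any vendor's code): each SYN yields FORWARD or DROP, a first SYN from an unknown address is dropped and remembered, a retransmission within the wait window promotes the address to the whitelist, and an address whose wait times out goes to the blacklist. Timeouts, list lifetimes, the class and method names, and the addresses in the simulation are this example's own assumptions.

```python
class FirstPacketDiscard:
    """Decide FORWARD or DROP for each incoming SYN, keyed on source IP."""

    def __init__(self, retransmit_wait: float = 5.0, list_ttl: float = 600.0):
        self.retransmit_wait = retransmit_wait  # seconds to wait for the retransmitted SYN
        self.list_ttl = list_ttl                # lifetime of white/blacklist entries
        self.whitelist = {}                     # ip -> expiry time
        self.blacklist = {}                     # ip -> expiry time
        self.pending = {}                       # ip -> time of the discarded first SYN

    def on_syn(self, ip: str, now: float) -> str:
        if self.whitelist.get(ip, 0.0) > now:
            return "FORWARD"                    # known-good address: straight to the back end
        if self.blacklist.get(ip, 0.0) > now:
            return "DROP"
        first_seen = self.pending.get(ip)
        if first_seen is None:
            # first SYN from this address in the window: discard, wait for retransmission
            self.pending[ip] = now
            return "DROP"
        del self.pending[ip]
        if now - first_seen <= self.retransmit_wait:
            # a real TCP stack retransmits its SYN; promote the address
            self.whitelist[ip] = now + self.list_ttl
            return "FORWARD"
        # the wait expired before this SYN arrived: treat as attack traffic
        self.blacklist[ip] = now + self.list_ttl
        return "DROP"

    def expire(self, now: float) -> None:
        """Sweep pending entries whose wait timed out into the blacklist."""
        for ip, first_seen in list(self.pending.items()):
            if now - first_seen > self.retransmit_wait:
                del self.pending[ip]
                self.blacklist[ip] = now + self.list_ttl


def simulate():
    """Constructed timeline: a normal client that retransmits its SYN after 1 s,
    and a flood source that never retransmits. Returns the decision log."""
    fpd = FirstPacketDiscard(retransmit_wait=5.0)
    log = []
    log.append(("client", fpd.on_syn("192.0.2.10", 0.0)))    # first SYN: dropped
    log.append(("client", fpd.on_syn("192.0.2.10", 1.0)))    # retransmission: forwarded, whitelisted
    log.append(("client", fpd.on_syn("192.0.2.10", 50.0)))   # later connection: forwarded from whitelist
    log.append(("flood", fpd.on_syn("203.0.113.7", 0.0)))    # first SYN: dropped
    fpd.expire(10.0)                                         # nothing came back: blacklisted
    log.append(("flood", fpd.on_syn("203.0.113.7", 12.0)))   # blacklisted: dropped
    return log, fpd


if __name__ == "__main__":
    for who, decision in simulate()[0]:
        print(who, decision)
```

One operational caveat the model makes visible: a spoofed flood uses a different source address per packet, so the `pending` table grows with the attack rate and must be bounded (by size, by TTL, or by hashing into fixed buckets) or the defense itself becomes the memory-exhaustion target.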
The first-packet-discard scheme slightly degrades the user experience, because dropping the first packet increases the response time of the service. A better scheme, the TCP proxy, was developed for this reason. The cleaning device accepts all SYN packets and handles them with the SYN cookie scheme; an IP address that completes the three-way handshake with the device is judged a legitimate user and added to the whitelist, after which the device, impersonating the real client IP, completes a three-way handshake with the real server and then forwards the data. An IP address that does not complete the handshake with the device within the specified time is judged malicious and blocked for a certain period. Beyond SYN cookies combined with TCP proxying, the cleaning device can also detect various malformed TCP flag combinations, and can distinguish normal access from malicious behavior by sending the client an unexpected response to its SYN and examining how it reacts.
Cleaning devices have dedicated network-processor chips and a specially optimized operating system and TCP/IP stack, so they can handle very large traffic volumes and SYN queues.
1.3. HTTP Flood Defense
HTTP flood defense relies mainly on caching: the device returns cached results directly wherever possible, shielding the back-end service. Large Internet enterprises have many CDN nodes caching content.
When a skilled attacker penetrates the cache, the cleaning device intercepts the HTTP requests for special handling. The simplest method is to count the HTTP request rate of each source IP and blacklist addresses above a certain rate. This method is too crude: it easily produces false positives and cannot block attacks coming through proxy servers, so it has gradually been abandoned in favor of the JavaScript-redirect human/machine recognition scheme.
HTTP flood tools simulate HTTP requests; they usually do not parse what the server returns, let alone execute code such as JavaScript. So when the cleaning device intercepts an HTTP request, it returns a special piece of JavaScript. A normal user's browser executes it and follows the redirect, so use of the site is unaffected, while the attack tool's requests hit nothing.
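The JavaScript-redirect check reduces to issuing a token only through script and admitting only requests that present it. The following is an added example (not a cleaning device's code): a request without a valid token cookie receives a small script that sets the cookie and reloads the page, the token is a keyed hash of the source IP and a time slot so the device keeps no per-client state, and two constructed clients show the difference between a browser that runs the script and a flood tool that ignores the response body. The secret, cookie name, TTL and function names are this example's own.

```python
import hashlib
import hmac
import json
import re

SECRET = b"constructed-challenge-secret"   # constructed; rotate in production
TOKEN_TTL = 600                            # seconds per validity slot
COOKIE = "clr_token"


def _mac(src_ip: str, slot: int) -> str:
    return hmac.new(SECRET, f"{src_ip}:{slot}".encode(), hashlib.sha256).hexdigest()[:32]


def issue_token(src_ip: str, now: float) -> str:
    slot = int(now) // TOKEN_TTL
    return f"{slot}.{_mac(src_ip, slot)}"


def token_valid(token: str, src_ip: str, now: float) -> bool:
    """Accept tokens from the current or the previous slot, bound to the source IP."""
    try:
        slot_str, mac = token.split(".", 1)
        slot = int(slot_str)
    except ValueError:
        return False
    current = int(now) // TOKEN_TTL
    return slot in (current, current - 1) and hmac.compare_digest(mac, _mac(src_ip, slot))


def parse_cookie(header: str) -> dict:
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def challenge_page(src_ip: str, now: float, path: str) -> str:
    """Script a browser will execute: set the token cookie, then reload the original URL."""
    token = issue_token(src_ip, now)
    return ("<html><body><script>"
            f"document.cookie='{COOKIE}={token}; path=/';"
            f"location.replace({json.dumps(path)});"
            "</script></body></html>")


def handle_request(src_ip: str, path: str, cookie_header: str, now: float):
    """Return ('PASS', None) to forward to the origin, or ('CHALLENGE', html)."""
    token = parse_cookie(cookie_header).get(COOKIE)
    if token and token_valid(token, src_ip, now):
        return "PASS", None
    return "CHALLENGE", challenge_page(src_ip, now, path)


def simulate_browser(src_ip: str, path: str, now: float):
    """A real browser: run the script (here, pull the cookie out of it) and re-request."""
    verdict1, html = handle_request(src_ip, path, "", now)
    token = re.search(rf"{COOKIE}=([^;']+)", html).group(1)
    verdict2, _ = handle_request(src_ip, path, f"{COOKIE}={token}", now + 0.5)
    return verdict1, verdict2


def simulate_flood_tool(src_ip: str, path: str, now: float, n: int) -> int:
    """A tool that neither parses the body nor keeps cookies: count requests that pass."""
    passed = 0
    for i in range(n):
        verdict, _ = handle_request(src_ip, path, "", now + i * 0.01)
        passed += verdict == "PASS"
    return passed


if __name__ == "__main__":
    print("browser:", simulate_browser("192.0.2.10", "/index.html", 1_700_000_000.0))
    print("flood tool requests passed:", simulate_flood_tool("203.0.113.7", "/", 1_700_000_000.0, 50))
```

The token is bound to the source IP so that one obtained by a browser cannot be replayed from elsewhere, and the two-slot acceptance window avoids a spurious challenge at every TTL boundary. The check only holds against tools that do not execute script; a device that issues the token as a literal, as this model does, must expect tools that scrape it, which is why production challenges compute the token inside the script rather than printing it.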
1.4. DNS Flood Defense
DNS attack defense is similar to HTTP defense; the first scheme is caching. The second is bouncing the request back: the device can drop the DNS message outright at the UDP level, or send a special response that forces the client to resend the DNS query over TCP.
In particular, to protect authoritative DNS servers, the device extracts the list of DNS domain names and the list of ISP DNS IP addresses seen during normal operation, and during an attack discards requests not on these lists, greatly reducing performance pressure. The same whitelist mechanism is applied to domain names: resolution requests for domains not on the whitelist are discarded.
1.5. Slow Connection Attack Defense
Slowloris defense is relatively simple; there are two main schemes.
The first is to record the duration of each TCP connection and count the messages passing through it per unit time, which identifies the attack accurately. Within one TCP connection, both too few and too many HTTP packets are abnormal: too few may indicate a slow-connection attack, and too many may indicate an HTTP flood that uses HTTP 1.1 to send many HTTP requests over a single TCP connection.
The second is to limit the maximum time allowed for transferring the HTTP header. If the header has not been completely transferred within the specified time, the source IP is judged to be carrying out a slow-connection attack; the connection is closed and the IP is blacklisted.
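Both schemes are per-connection bookkeeping, so one monitor can apply them together. The following is an added example (a constructed model, not a product's code) covering the two checks in 1.5: it tracks each connection's start time, the data segments and completed request headers (terminated by a blank line) seen in a sliding window, and flags a header that is still incomplete after the timeout, a connection that keeps receiving data without ever completing a request, and a connection carrying far more requests per window than a browser would. Thresholds, names and the three constructed traffic patterns are this example's own assumptions.

```python
class ConnectionMonitor:
    """Per-connection counters for the slow-connection and HTTP-flood checks."""

    def __init__(self, header_timeout=30.0, window=10.0, max_reqs=100, min_segs=3):
        self.header_timeout = header_timeout  # max seconds to finish the first request header
        self.window = window                  # sliding window for rate checks, seconds
        self.max_reqs = max_reqs              # requests per window above which it is a flood
        self.min_segs = min_segs              # data segments per window with no completed request
        self.conns = {}

    def on_open(self, conn_id, now):
        self.conns[conn_id] = {"start": now, "buf": b"", "first_header_at": None,
                               "segs": [], "reqs": []}

    def on_data(self, conn_id, data: bytes, now):
        """Record one TCP data segment; each blank line completes one request header."""
        c = self.conns[conn_id]
        c["segs"].append(now)
        c["buf"] += data
        while b"\r\n\r\n" in c["buf"]:
            _, c["buf"] = c["buf"].split(b"\r\n\r\n", 1)   # bodies ignored in this model
            c["reqs"].append(now)
            if c["first_header_at"] is None:
                c["first_header_at"] = now

    def verdict(self, conn_id, now) -> str:
        c = self.conns[conn_id]
        # Scheme 2: the first header must be complete within header_timeout.
        if c["first_header_at"] is None and now - c["start"] > self.header_timeout:
            return "SLOW_ATTACK"
        # Scheme 1: message counts per unit time.
        recent_segs = sum(1 for t in c["segs"] if now - t <= self.window)
        recent_reqs = sum(1 for t in c["reqs"] if now - t <= self.window)
        if recent_reqs > self.max_reqs:
            return "HTTP_FLOOD"       # too many requests on one connection
        if recent_segs >= self.min_segs and recent_reqs == 0:
            return "SLOW_ATTACK"      # data keeps trickling in but nothing ever completes
        return "OK"


def simulate():
    """Constructed traffic on three connections, judged at t = 25 s."""
    mon = ConnectionMonitor(header_timeout=30.0, window=10.0, max_reqs=100, min_segs=3)
    mon.on_open("normal", 0.0)
    mon.on_data("normal", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 0.2)
    mon.on_open("slow", 0.0)
    mon.on_data("slow", b"GET / HTTP/1.1\r\nHost: example.test\r\n", 0.1)
    for i in range(1, 6):
        # a few bytes every 5 s that never end the header
        mon.on_data("slow", f"X-a: {i}\r\n".encode(), 5.0 * i)
    mon.on_open("flood", 0.0)
    req = b"GET /?q=1 HTTP/1.1\r\nHost: example.test\r\n\r\n"
    for i in range(300):
        mon.on_data("flood", req, 15.0 + i * 0.03)   # 300 pipelined requests in 9 s
    return {cid: mon.verdict(cid, 25.0) for cid in ("normal", "slow", "flood")}, mon


if __name__ == "__main__":
    verdicts, _ = simulate()
    for cid, v in verdicts.items():
        print(cid, v)
```

The drip-feed condition (segments arriving, no request completing) catches a slow sender before the header timeout fires, while an idle keep-alive connection that sends nothing stays OK; the header timeout remains as the hard limit. The request ceiling needs tuning per site, since legitimate HTTP 1.1 clients do pipeline several requests per connection.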
2. Enterprise-Class Defense
Internet enterprises defending against DDoS attacks mainly use the basic defenses above; the focus is on using monitoring, organization and process to ensure these tools are applied promptly and correctly, and adjusted as the attack strategy changes.
2.1. Anomaly Monitoring
Monitoring must be multi-layered, following the concept of defense in depth, with monitoring points deployed at every layer: backbone network and IDC entry-point BPS, PPS and protocol distribution; load balancer VIP new-connection count, concurrent-connection count, BPS and PPS; host-layer CPU state, TCP new-connection state and TCP concurrent-connection state; and business-layer processing volume and connectivity. Even if one monitoring point fails, the others can raise the alarm in time, and combining information from multiple points helps pinpoint the attack target and tactics.
2.2. Process, Plan and Drill
Once an anomaly is found, the emergency process of the virtual defense organization starts immediately. The organization must cover all relevant personnel, at least the monitoring, operations, network, security, customer-service and business departments, each with two or three backups. Once the process has started, in addition to manual handling there should be some automatic and semi-automatic capacity, for example automated attack analysis that identifies the attack type, and automated or semi-automated defense strategies, so that the department that first detects the attack can take mitigation measures before security staff are in place.
Beyond the process followed when a DDoS arrives, more of the work is done before the attack comes, mainly CDN node deployment, DNS settings and process drills. For an enterprise, having many CDN nodes is the key indicator of DDoS defense capacity: when one data center cannot withstand the volume, DNS round-robin spreads the traffic over multiple distribution nodes, each handled separately by defense equipment. The DNS TTL therefore needs to be small enough for quick switching, and the VIP settings of every CDN node must be fully prepared.
3. Summary
In the virtualization era, services of many different users coexist on the same physical platform, and the likelihood of DDoS attacks grows higher and higher. An attack on one user may involve a large number of other users, magnifying the harm significantly, so defense is especially important. Aliyun's virtualized cloud computing business sees an average of about 200 DDoS attacks per day, peaking close to 80 Gbit/s, all handled automatically within 1 minute, keeping customers away from the threat of DDoS and free to concentrate on business development.
Overall, the main work of DDoS defense is accumulated behind the scenes: ten minutes on stage takes ten years of work off it. Without enough prepared resources, enough emergency drills and rich handling experience, DDoS attacks will be everyone's nightmare.