DDoS attack defense explained in simple terms - Defense articles

Source: Internet
Author: User
Keywords Cloud computing DDoS

1. Defense basics

1.1. How much attack traffic is there, really
When it comes to DDoS defense, the first thing to establish is how much attack traffic is actually arriving. The question looks simple, but it hides several details that are easy to get wrong.

Take SYN Flood as an example. To maximize sending efficiency and occupy as many SYN wait queue entries on the server as possible, the attack program fills in neither the optional fields of the IP header nor those of the TCP header. The IP header is therefore exactly 20 bytes and the TCP header exactly 20 bytes, 40 bytes in total.

Ethernet requires the data portion of a frame to be at least 46 bytes, but the attack packet is only 40 bytes, so the network card has to do some extra work: it appends 6 zero bytes after the TCP header to meet the minimum length. At this point the frame consists of 14 bytes of Ethernet header, 20 bytes of IP header, 20 bytes of TCP header and 6 bytes of zero padding, which is the 60-byte minimum frame length.

That is still not the end. Ethernet also requires a CRC check on transmitted data: before sending, the network card computes a CRC over the frame and appends the 4-byte CRC value after the padding. The packet is now no longer 40 bytes but 64 bytes, which is the "64-byte SYN packet" so often mentioned in SYN attacks. Its structure is as follows:

| 14-byte Ethernet header | 20-byte IP header | 20-byte TCP header | 6-byte padding | 4-byte check |
| Destination MAC, source MAC, protocol type | IP header | TCP header | Ethernet padding | CRC check |

At 64 bytes the SYN packet is complete and ready to transmit. Attack packets are tiny, far below the 1500-byte maximum transmission unit (MTU), so they are never fragmented. Does that mean the packets travel on the wire tightly packed one against the next, like cans on a production line? In fact, no.

Ethernet transmission also has a preamble and an inter-frame gap. The preamble takes 8 bytes, that is 64 bits. Its first seven bytes are 10101010, alternating 1s and 0s, but the eighth byte is 10101011; when the receiving host sees two consecutive 1 bits it knows the frame data begins right after. On the wire, the structure is therefore as follows:

| 8-byte preamble | 6-byte destination MAC | 6-byte source MAC | 2-byte protocol type | 20-byte IP header | 20-byte TCP header | 6-byte Ethernet padding | 4-byte CRC check | 12-byte inter-frame gap |

With this foundation in place, you can start calculating attack traffic and the wire-speed limits of network devices. For the smallest SYN packet, carrying only an IP header and a TCP header, the maximum PPS (packets per second) a 100 Mbit Ethernet link can carry is 100 × 10^6 / (8 × (64 + 8 + 12)) = 148809, and a 1000 Mbit link can carry at most 1488090 PPS.
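The byte accounting above, turned into a small wire-rate calculator. This is an added example, not code from the article; the constants are the Ethernet figures the text gives, and the calculator also shows why an interface byte counter (which never sees preamble or gap) under-reports a link saturated by 64-byte SYN frames.

```python
# Added example, not from the article: turn the article's byte accounting
# into a wire-rate calculator for minimal SYN packets.

ETH_HEADER = 14       # destination MAC + source MAC + protocol type
ETH_MIN_PAYLOAD = 46  # minimum Ethernet payload; shorter frames are zero-padded
ETH_CRC = 4           # CRC appended by the NIC
PREAMBLE = 8          # 7 x 10101010 plus the 10101011 start delimiter
IFG = 12              # inter-frame gap


def frame_size(l3_l4_bytes):
    """Bytes of the frame as it leaves the NIC (header + padded payload + CRC)."""
    padding = max(0, ETH_MIN_PAYLOAD - l3_l4_bytes)
    return ETH_HEADER + l3_l4_bytes + padding + ETH_CRC


def wire_bytes(l3_l4_bytes):
    """Link time each frame really occupies, including preamble and gap."""
    return frame_size(l3_l4_bytes) + PREAMBLE + IFG


def max_pps(link_bps, l3_l4_bytes=40):
    """Highest packet rate a link can carry for this IP+TCP size."""
    return link_bps // (8 * wire_bytes(l3_l4_bytes))


def counted_bps(pps, l3_l4_bytes=40):
    """Bit rate an interface byte counter reports at that packet rate.
    Preamble and gap are not counted, so a saturated link looks under-used."""
    return pps * frame_size(l3_l4_bytes) * 8


if __name__ == "__main__":
    for name, speed in (("100 Mbit/s", 100_000_000), ("1 Gbit/s", 1_000_000_000)):
        pps = max_pps(speed)
        print(f"{name}: {frame_size(40)}-byte SYN frame, {wire_bytes(40)} bytes on "
              f"the wire, max {pps:,} pps, counters show {counted_bps(pps) / 1e6:.1f} Mbit/s")
```

On a 100 Mbit link the counters show only about 76 Mbit/s when the link is already full of minimal SYN frames, so pps is the number to watch.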

1.2. SYN Flood defense
As described earlier, a SYN Flood consumes large amounts of server CPU and memory and fills the SYN wait queue. Adjusting the kernel parameters accordingly can relieve this effectively. The main parameters are:

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2

These respectively enable SYN cookies, set the maximum SYN queue length, and set the maximum number of SYN+ACK retries.

The role of the SYN cookie is to relieve pressure on server resources. Without it, the server allocates storage as soon as it receives a SYN packet, picks a random number as its initial sequence number, sends the SYN+ACK, and then keeps the connection state while waiting for the client's confirmation. With SYN cookies enabled, the server no longer allocates storage: instead of a completely random sequence number it derives one from a time-seeded algorithm, sends the SYN+ACK, and then releases everything without saving any state. When the final ACK from the client arrives, the cookie check algorithm verifies whether it matches the sequence number of the SYN+ACK that was sent; if it matches, the handshake completes, and if it fails the packet is discarded. Of course, the mixed SYN and ACK attack mentioned among the advanced attacks earlier is a counter-attack on exactly this defense, and which side prevails is decided by the hardware resources of each side.

tcp_max_syn_backlog spends the server's memory in exchange for a longer wait queue, so that attack packets cannot occupy every slot and prevent normal users from completing the handshake. net.ipv4.tcp_synack_retries reduces the number of times the server retransmits SYN+ACK, releasing the waiting resources sooner. Each of these three measures targets one of the three ways the attack does damage, so they are exactly the right remedy. But they are also a double-edged sword: they may consume more of the server's memory and can even affect normal users establishing TCP connections, so the server's hardware resources and the size of the attack must be assessed carefully before applying them.
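A simplified SYN cookie in the style the text describes: the server encodes a time counter, the client's MSS class and a keyed hash of the connection 4-tuple in the SYN+ACK sequence number, keeps no state, and only verifies the final ACK. This is an added example, not the kernel's implementation; the secret, the 64-second counter period, the 2-period validity window and the MSS table are constructed choices.

```python
# Added example, not from the article: a simplified SYN cookie in the style the
# text describes. The secret, counter period and MSS table are constructed here.
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"  # in a real stack this is a per-boot random key
COUNTER_SECONDS = 64                 # the "time seed": counter advances every 64 s
MAX_AGE = 2                          # accept cookies up to 2 counter periods old
MSS_TABLE = (536, 1300, 1440, 1460)  # the only per-connection state kept: 2 bits


def _mac(src_ip, dst_ip, sport, dport, counter):
    """Keyed hash of the 4-tuple and counter; 24 bits of it go into the cookie."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src_ip),
                      socket.inet_aton(dst_ip), sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, dst_ip, sport, dport, client_mss, now):
    """Initial sequence number for the SYN+ACK; the server stores nothing."""
    counter = int(now) // COUNTER_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac(src_ip, dst_ip, sport, dport, counter)


def check_cookie(src_ip, dst_ip, sport, dport, ack_num, now):
    """Validate the final ACK. Returns the MSS to use, or None to drop the packet."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the client acknowledges cookie + 1
    now_counter = int(now) // COUNTER_SECONDS
    age = (now_counter - (cookie >> 27)) & 0x1F  # 5-bit counter, wraps modulo 32
    if age > MAX_AGE:
        return None                              # stale cookie or forged counter bits
    counter = now_counter - age
    if cookie & 0xFFFFFF != _mac(src_ip, dst_ip, sport, dport, counter):
        return None                              # wrong 4-tuple or guessed ACK number
    return MSS_TABLE[(cookie >> 24) & 0x3]
```

A flood of bare ACKs with guessed numbers fails the hash check and costs only one HMAC per packet, which is the CPU-for-memory trade the text refers to.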

In addition to tuning the TCP/IP protocol stack, another common practice is the TCP first-packet drop scheme, which uses the TCP retransmission mechanism to tell normal users apart from attack packets. When the defense device receives a SYN packet from a source IP, it first checks whether that IP is on the whitelist; if it is, the packet is forwarded to the back end. If it is not on the whitelist, the device checks whether this is the first SYN packet from that IP within a certain period. If it is, the packet is discarded and the device waits for a while, trying to receive a retransmitted SYN from the same IP. If the retransmission arrives, the IP is added to the whitelist and the packet is forwarded; if the wait times out, the packets are judged to be attack traffic and the IP is blacklisted.
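The first-packet drop decision as a small state machine, with the whitelist, the pending first-SYN table and the blacklist the text describes. This is an added example, not a vendor's implementation; the 6-second retransmission window and 600-second blacklist TTL are constructed values, and a retransmission is recognised by the same source port and sequence number, which a genuine TCP stack repeats and a spoofed flood does not.

```python
# Added example, not from the article: the first-packet drop decision described
# above as a small state machine. Window and TTL values are constructed choices.


class FirstPacketDrop:
    def __init__(self, retransmit_window=6.0, blacklist_ttl=600.0):
        self.retransmit_window = retransmit_window
        self.blacklist_ttl = blacklist_ttl
        self.whitelist = set()
        self.blacklist = {}   # ip -> expiry time
        self.pending = {}     # ip -> (sport, seq, time the first SYN was dropped)

    def _expire(self, now):
        # A dropped first SYN that was never retransmitted in time marks an attacker.
        for ip, (_, _, t) in list(self.pending.items()):
            if now - t > self.retransmit_window:
                del self.pending[ip]
                self.blacklist[ip] = now + self.blacklist_ttl
        for ip, expiry in list(self.blacklist.items()):
            if expiry <= now:
                del self.blacklist[ip]

    def handle_syn(self, ip, sport, seq, now):
        """Return 'forward' or 'drop' for one SYN packet."""
        self._expire(now)
        if ip in self.whitelist:
            return "forward"
        if ip in self.blacklist:
            return "drop"
        if ip not in self.pending:
            self.pending[ip] = (sport, seq, now)   # first SYN: drop it and wait
            return "drop"
        sport0, seq0, _ = self.pending.pop(ip)
        if (sport, seq) == (sport0, seq0):
            # Same source port and sequence number: a genuine TCP retransmission.
            self.whitelist.add(ip)
            return "forward"
        # A second SYN that is not a retransmission: spoofed or scripted traffic.
        self.blacklist[ip] = now + self.blacklist_ttl
        return "drop"
```

In practice the pending table must be bounded, since a flood from random spoofed sources creates one entry per address.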

The first-packet drop scheme slightly degrades the user experience, because discarding the first packet and waiting for the retransmission increases the response time of the service. A better TCP Proxy scheme was therefore developed. The cleaning device accepts all SYN packets and handles them with the SYN cookie scheme; an IP address that successfully completes the three-way handshake with the device is judged a legitimate user and added to the whitelist, after which the device, using the real client IP address, completes a three-way handshake with the real server and forwards the data. An IP address that fails to complete the three-way handshake with the device within a specified period is judged malicious for a certain period of time. Besides SYN cookies combined with TCP Proxy, the cleaning device can also detect a variety of malformed TCP flag packets, and can distinguish normal access from malicious behaviour by replying to a SYN with an unexpected response and observing whether the source reacts as a real TCP stack would.

Cleaning devices use dedicated network processor chips and a specially optimized operating system and TCP/IP stack, and can handle very large traffic volumes and SYN queues.

1.3. HTTP Flood defense
HTTP Flood defense relies mainly on caching: wherever possible the defense device returns results straight from its cache so that the back-end business is shielded. Large Internet companies have huge CDN nodes caching content for this purpose.

When advanced attackers get past the cache, the cleaning device intercepts the HTTP requests for special handling. The simplest method is to count the HTTP request rate per source IP and blacklist any IP whose rate exceeds a threshold. This method is too crude: it easily produces false positives and cannot handle attacks coming through proxy servers, where many users share one address, so it has gradually been abandoned in favour of a JavaScript redirect scheme that distinguishes humans from machines.

An HTTP Flood is generated by a program that sends HTTP requests; in general it does not parse the data the server returns, and it certainly does not execute JavaScript code. So when the cleaning device intercepts an HTTP request, it returns a special piece of JavaScript. A normal user's browser processes it and redirects to the real page without affecting use, while the attacker's requests land on nothing.
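A JavaScript-redirect challenge of the kind the text describes: a request without a valid token gets a tiny page whose script sets a cookie and reloads, and only requests carrying a token bound to the client address and a time bucket reach the back end. This is an added example, not a vendor's scheme; the key, cookie name, 300-second bucket and token format are constructed, and browser_cookie only simulates what a real browser would end up with after executing the script.

```python
# Added example, not from the article: a JavaScript-redirect challenge of the kind
# the text describes. The token format, cookie name and key are constructed here.
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"   # rotate per deployment
BUCKET = 300                       # seconds per token bucket; previous bucket also accepted
COOKIE = "hm"


def _token(client_ip, bucket):
    """Token bound to the client address and a time bucket."""
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def challenge_page(client_ip, now):
    """Tiny page a browser executes: set the cookie, then reload the same URL."""
    token = _token(client_ip, int(now) // BUCKET)
    return ("<html><body><script>document.cookie='%s=%s;path=/';"
            "location.reload();</script></body></html>" % (COOKIE, token))


def check_request(client_ip, cookies, now):
    """Return ('pass', None) to forward to the back end, or ('challenge', html)."""
    bucket = int(now) // BUCKET
    presented = str(cookies.get(COOKIE, "")).encode()
    for b in (bucket, bucket - 1):
        if hmac.compare_digest(presented, _token(client_ip, b).encode()):
            return "pass", None
    return "challenge", challenge_page(client_ip, now)


def browser_cookie(html):
    """What a real browser ends up with after running the challenge script."""
    m = re.search(r"document\.cookie='%s=([0-9a-f]+)" % COOKIE, html)
    return {COOKIE: m.group(1)} if m else {}
```

A flood tool that never executes the script keeps receiving the challenge page and never reaches the origin; binding the token to the client IP means users whose address changes mid-session (mobile, rotating NAT) are challenged again, which is the false-positive cost of the scheme.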


1.4. DNS Flood defense
DNS attack defense uses means similar to HTTP defense. The first option is caching. The second is retransmission: the device can simply drop DNS packets so that the client retransmits the request at the UDP layer, or it can return a special response that forces the client to retransmit the DNS query over TCP.

In particular, to protect authoritative DNS, during normal business hours the device records the list of domain names it receives queries for and the list of ISP DNS server IP addresses. During an attack, any request not in these lists is discarded, greatly reducing the load. The same whitelist mechanism is applied to domain names: resolution requests for names not on the whitelist are discarded.

1.5. Slow connection attack defense
Defending against Slowloris attacks is relatively simple; there are two main approaches.

The first is to count the duration of each TCP connection and the number of packets passed per unit time, which identifies the attack accurately. Within one TCP connection, both too few and too many HTTP packets are abnormal: too few may indicate a slow connection attack, and too many may indicate an HTTP Flood that uses HTTP/1.1 to send multiple HTTP requests within a single TCP connection.

The second is to limit the maximum time allowed for transferring the HTTP header. If the HTTP header has not been completely transmitted within the specified time, the source IP address is judged to be a slow connection attacker, the connection is terminated and the IP is added to the blacklist.
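Both checks described above, the per-connection packet rate with its lower and upper bounds and the HTTP header transfer time limit, run over constructed connection events. This is an added example, not a vendor's implementation; the 10-second header timeout, the 5-second minimum age before a rate is judged, and the 0.5 and 50 packets-per-second bounds are constructed thresholds, and the rate lower bound is only applied while a header is still incomplete so that idle keep-alive connections are not flagged.

```python
# Added example, not from the article: both checks described above (packet rate
# per connection and HTTP header transfer time) run over constructed events.
# Thresholds are constructed choices, not values from the text.

HEADER_TIMEOUT = 10.0          # seconds allowed to finish sending one HTTP header
MIN_AGE = 5.0                  # do not judge packet rate on very young connections
MIN_PPS, MAX_PPS = 0.5, 50.0   # packets/second per connection considered normal


class ConnectionMonitor:
    def __init__(self):
        self.conns = {}   # (client_ip, client_port) -> state

    def on_open(self, key, now):
        self.conns[key] = {"opened": now, "packets": 0, "buf": b"", "req_start": None}

    def on_data(self, key, data, now):
        c = self.conns[key]
        c["packets"] += 1
        if c["req_start"] is None:
            c["req_start"] = now          # a new HTTP header has begun
        c["buf"] += data
        while b"\r\n\r\n" in c["buf"]:    # one or more complete headers received
            _, c["buf"] = c["buf"].split(b"\r\n\r\n", 1)
            c["req_start"] = now if c["buf"] else None

    def classify(self, key, now):
        """'normal', 'slow-header', 'slow-rate' or 'http-flood' for one connection."""
        c = self.conns[key]
        age = now - c["opened"]
        pps = c["packets"] / age if age > 0 else float("inf")
        if c["req_start"] is not None and now - c["req_start"] > HEADER_TIMEOUT:
            return "slow-header"          # second check: header not completed in time
        if age >= MIN_AGE and pps > MAX_PPS:
            return "http-flood"           # first check, upper bound
        if c["req_start"] is not None and age >= MIN_AGE and pps < MIN_PPS:
            return "slow-rate"            # first check, lower bound
        return "normal"
```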

2. Enterprise-level defense
Internet businesses defending against DDoS attacks still rely mainly on the basic measures above. The focus is on using monitoring, organization, process and similar means to ensure these tools are applied promptly and correctly, and on adapting as the attacker's tactics change.

2.1. Anomaly monitoring
Monitoring needs to follow the idea of multi-layer monitoring and defense in depth. Deploy monitoring at multiple points: BPS, PPS and protocol distribution from the backbone network and the IDC ingress; new VIP connections and concurrent connections at the load balancing layer; BPS, PPS, CPU status, new TCP connections and concurrent TCP connections at the host layer; and business connectivity at the business layer. Even if one monitoring point fails, the others can still raise a timely warning, and combining the information from multiple points helps determine the attack target and attack technique accurately.

2.2. Process, plan and drills
Once an anomaly is found, immediately start the emergency process of the virtual defense organization. The defense organization must include enough staff from all relevant areas: at least the monitoring, operations and maintenance, network, security, customer service and business departments, with 2-3 backups for each role. After the process starts, in addition to manual handling there should be automatic and semi-automatic processing capabilities, such as automated attack analysis, determination of the defense type, automated or semi-automated defense tactics, and mitigation measures that the department which first discovers the attack can take before security staff are in place.

Beyond the process for when a DDoS attack arrives, most of the work happens before the attack: mainly CDN node deployment, DNS settings, process drills and so on. For an enterprise, having multiple CDN nodes is a key indicator of DDoS defense capacity. When one data center cannot absorb the volume, DNS round-robin can direct traffic to multiple distribution nodes, each with its own defense devices to process the data separately. For this the DNS TTL must be set small enough to allow fast switching, and the VIP settings of each CDN node must be prepared in advance.

3. Summary
In the era of virtualization, the different businesses of many users are co-located on the same physical machine platform and are more and more likely to suffer DDoS attacks. An attack on one user may affect a large number of other users, so the harm is greatly magnified and defense is especially important. Aliyun's virtualized cloud computing business suffers an average of about 200 DDoS attacks per day, with peak traffic of nearly 80 Gbit/s. All these attacks are handled automatically in less than 1 minute, letting customers stay away from the threat of DDoS and concentrate on developing their business.

In general, the main work of DDoS defense happens behind the scenes: ten minutes on stage, ten years of practice. Without enough prepared resources, enough emergency drills and rich experience in handling DDoS attacks, a DDoS attack will be everyone's nightmare.
