Adam Hemsley, Senior Software Engineer at Inter.link, shares his insights below on how to stop DDoS attacks, including the benefit of receiving IP Transit and DDoS protection from the same provider.
What is a DDoS Attack?
When answering the question: “How do I stop a distributed denial of service (DDoS) attack?” it is first useful to understand what a DDoS attack is and what the attacker is trying to achieve.
Although there are many ways of implementing a denial-of-service attack – all these attacks have a common theme: They are designed to starve a service of resources it relies on with fake requests. This means the service will no longer be able to serve legitimate requests as it is too busy processing the fake ones – Hence “denial of service.”
When the word “distributed” is used, this refers to the fact that the attack traffic is coming from many different locations on the internet – so there will not just be one host making fake requests – there might be 100!
Our earlier articles explain the definition of DDoS attacks in more detail, along with methods to mitigate them.
The Prevalence of Volumetric Attacks
One of the most common and easy to understand forms of DDoS attack are volumetric attacks whereby the attacker is simply trying to consume all the network resources available to a given attack target.
Imagine for a moment that you provide a web service that has 1Gbps internet connection and suddenly 2Gbps of malicious web traffic is sent towards your service.
Anyone legitimately trying to use your service will now have an extremely negative experience as the network will be completely congested, causing massive packet loss from the output drops caused by the bottle neck of the upstream router.
The rest of this article continues to focus on volumetric DDoS attacks, however more sophisticated attacks also existed which, rather than targeting network bandwidth, might target the actual web application.
Protection Methods Against DDoS Attacks
Upgrading Your Web Server’s Internet Breakout
One potential solution to this problem could be to upgrade your web server’s internet breakout to 10Gbps – therefore your network resources can now handle a 2Gbps DDoS attack, then place a firewall in front of your webserver to filter out the attacking hosts.
The only issue with this is that it is possible to order 100’s of Gbps worth of DDoS traffic online from a botnet made up of many sources from all over the internet – so this is a rather inefficient way of solving the problem that can be overcome with relative ease by a would-be attacker.
DDoS Protection and IP Transit from the same provider
A more effective solution is to order DDoS protection from your transit provider.
Transit providers such as Inter.link have Terabits of network capacity allowing them to absorb large attacks and can run your traffic through devices known as “scrubbers.” Scrubbers are devices that analyse the IP header of packets flowing through them against large dictionaries of attack patterns, known as signatures.
These include known botnet IP addresses, port and protocol combinations and other tell-tale patterns of attack traffic. These signatures are also frequently updated as new attack vectors become established. When an attack signature is recognised, the offending packet will be dropped. This means that you can retain your original 1Gbps service and have a clean feed of only legitimate requests.
A Word on Reflection, Spoofing and Amplification
Although scrubbing is an effective way of alleviating attack traffic on the target it is also worth noting that large volumes of DDoS traffic can be efficiently generated by reflection attacks using techniques known as “spoofing” and “amplification.”
Spoofing
In Internet Protocol packet headers, there are two address fields – the source address of the host that sent the packet (who presumably is looking for some form of response.) and the destination address, the address of the host that the packet is destined for.
Spoofing is a process whereby packets are crafted using an attack victims IP address as the source address then requests are sent to many legitimate servers across the internet.
When the server receives the packet it responds to the source address, which as previously established has been switched to an attack target – reflecting the traffic to the victim causing massive disruption.
This is a very effective technique as large volumes of traffic can be generated without a botnet. Luckly spoofing can be shut down by implementing the actions outlined by the MANRS community https://manrs.org/ which is something we at Inter.link are currently in the process of implementing.
Amplification
Amplification is a technique that leverages a large differential in the packet size between the small, spoofed request that is sent the server and the large, reflected answer that is sent to the attack target.
Protocols such as DNS and NTP can be abused to amplify the amount of data that a single attacking host can leverage against an attack target. Keeping servers patched with recommended security updated can help limit the number of servers with open protocols susceptible to being used in amplification attacks.
Integrated DDoS Protection from Inter.link
Inter.link offers a tight integration between IP connectivity services, and DDoS protection available from within our own network.
This “protected transit” is designed with low latency, security, and redundancy in mind, and we offer it with transparent pricing so that customers get the best protection with the most pricing predictability.
When experiencing an attack, efficiency is crucial and by receiving DDoS Protection from the same provider as your IP Transit, this superior integration means you have greater control, making it easier and therefore much more efficient to protect your infrastructure. We offer multiple tiers so you can pick the type of protection that suits you best, we provide transparent pricing with no surprises, and we do not bill based on clean traffic.
If you are interested in finding out more about Inter.link DDoS Protection, click here.
Interested in who we have already helped with DDoS Protection?
Check out this customer story.
