Massive DDoS attacks. Following a massive DDoS attack on Russian banks, the FSB opened a criminal case

An attack during which users cannot reach a resource is called a DDoS attack, or a "denial of service" condition. The distinguishing feature of such attacks is simultaneous requests from a large number of computers around the world; they are aimed mainly at the servers of well-protected companies or government organizations, less often at individual non-commercial resources.

An infected computer becomes a kind of "zombie", and attackers who control hundreds, and later tens of thousands, of such zombies cause the targeted resource to fail (a denial of service).

There can be many reasons for a DDoS attack. Let us name the most common ones and at the same time answer the questions: what is a DDoS attack, how can you protect yourself, what are its consequences, and with what means is it carried out?

Competition

The Internet has long been a source of business ideas, large projects and other ways to earn considerable money, so a DDoS attack can be made to order. That is, if an organization wants to take a competitor offline, it simply contacts a hacker (or a group of them) with a straightforward task: to paralyse the unwanted company's work through its Internet resources (a DDoS attack on its server or site).

Depending on the specific purpose and task, such an attack is set up for a certain period and with the appropriate strength.

Fraud

Quite often a DDoS attack on a site is organized on the hackers' own initiative in order to block the system and reach personal data or other important sources. Once the attackers have paralysed the system, they may demand a sum of money to restore the attacked resources.

Many Internet entrepreneurs agree to the terms put forward, justifying their actions by the downtime and the resulting large losses: it is easier to pay a small amount to the extortionist than to lose significant profits for every day of downtime.

Entertainment

Many users are interested, out of curiosity or for fun, in the question "DDoS attack: what is it and how is it done?" So there are frequent cases of novice intruders organizing such attacks against random resources for fun and practice.

Alongside their motives, DDoS attacks also have their own classification.

  1. Bandwidth exhaustion. Today almost every workstation is connected to a local network or directly to the Internet, so network floods are common: a large number of malformed and meaningless requests sent to specific resources or equipment in order to cause a subsequent failure of the link or of the equipment behind it (disks, memory, and so on).
  2. System resource exhaustion. This kind of DDoS attack on a server is carried out to consume physical memory, processor time and other system resources, without which the attacked object simply cannot work fully.
  3. Looping. Endless data checks and other cycles that run "in a circle" force the target to spend a great deal of resources, consuming memory until it is completely exhausted.
  4. False-positive attacks. Such an attack aims to trigger a false response from the protection systems, which ultimately leads to legitimate resources being blocked.
  5. HTTP protocol. Attackers send HTTP requests crafted so that the resource does not recognize that a DDoS attack is in progress; the server software, doing its job, replies with response packets of much greater size, which consumes the victim's bandwidth and again leads to service failure.
  6. Smurf attack. One of the most dangerous variants. The attacker sends an ICMP echo request to a network's broadcast address with the source address forged to be the victim's, and every host on that network sends its reply to the victim. The attack relies on the use of a large network: a request reaching 100 hosts is amplified 100 times.
  7. UDP flood. Similar to the previous one, but with UDP packets instead of ICMP. The attacker sends a large volume of UDP packets, with the source address forged (either to hide the attacker or, in reflected variants, so that third-party services reply to the victim), and fully saturates the bandwidth, which again leads to system failure.
  8. SYN flood. The attackers open a large number of TCP connections at once by sending SYN packets with forged or unreachable source addresses. Most operating systems place each such half-open connection in a queue and only close it after a timeout. The stream of SYN packets is large, and after enough of these attempts the victim's kernel refuses to open any new connection, blocking the whole network service.
  9. "Heavy packets". This variant answers the question "what is a DDoS attack on a server?" The attackers send packets to the server that do not saturate the bandwidth; the effect is aimed only at processor time. As a result such packets cause the system to fail, and with it the resources it serves.
  10. Log files. If log quotas and log rotation are misconfigured, attackers can send large volumes of requests whose log entries occupy all the free space on the server's disks.
  11. Program code. Experienced hackers can fully study the structure of the victim's server and launch special algorithms (an exploit rather than a flood). Such attacks are mainly aimed at well-protected commercial projects of enterprises and organizations in various fields and regions. The attackers find bugs in the program code and feed it invalid instructions or other exceptional inputs that lead to an emergency stop of the system or service.
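Of the variants above, the SYN flood in item 8 leaves the clearest trace in a packet capture: connections that start with a SYN and never complete the three-way handshake, from sources that cannot answer because they are forged. The following is an added example, not from the original article, that detects this from a simplified tcpdump-style log. The log format, the addresses and the thresholds are constructed for the example.

```python
"""Detect a TCP SYN flood by counting half-open handshakes per server socket.

Added example, not from the original article. Input lines use a simplified,
constructed tcpdump-like format:
    <time> <src>:<sport> > <dst>:<dport> Flags [<flags>]
where flags are S (SYN), S. (SYN-ACK) and . (ACK), as tcpdump prints them.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) Flags \[(?P<flags>[^\]]*)\]$"
)


def build_sample_log(spoofed=200):
    """Constructed traffic: three complete handshakes from real clients, then a
    burst of SYNs from sources that never send the final ACK (forged)."""
    lines, t = [], 0.0
    for i in range(3):
        src, sport = f"10.0.0.{5 + i}", 40000 + i
        lines.append(f"{t:.3f} {src}:{sport} > 203.0.113.10:80 Flags [S]")
        lines.append(f"{t + 0.001:.3f} 203.0.113.10:80 > {src}:{sport} Flags [S.]")
        lines.append(f"{t + 0.002:.3f} {src}:{sport} > 203.0.113.10:80 Flags [.]")
        t += 0.010
    for i in range(spoofed):
        src, sport = f"198.51.100.{i % 254 + 1}", 1024 + i   # forged source
        lines.append(f"{t:.3f} {src}:{sport} > 203.0.113.10:80 Flags [S]")
        lines.append(f"{t + 0.001:.3f} 203.0.113.10:80 > {src}:{sport} Flags [S.]")
        t += 0.002                                          # the ACK never comes
    return lines


def track_handshakes(lines):
    """Return {(client, cport, server, sport): state}, state being
    'syn', 'synack' or 'established'."""
    state = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if flags == "S":                      # client opens: half-open from now on
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "S.":                   # server answers: key is the reverse
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == ".":                    # client's final ACK completes it
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "established"
    return state


def syn_flood_report(lines, min_syns=50, half_open_ratio=0.8):
    """Per server socket: SYNs seen, how many never completed, distinct
    sources, and a verdict. A flood shows many SYNs, mostly half-open, from
    many sources (forged addresses cannot answer the SYN-ACK)."""
    per_server = defaultdict(lambda: {"syns": 0, "half_open": 0, "sources": set()})
    for (client, _cport, server, sport), st in track_handshakes(lines).items():
        e = per_server[(server, sport)]
        e["syns"] += 1
        e["sources"].add(client)
        if st != "established":
            e["half_open"] += 1
    report = {}
    for sock, e in per_server.items():
        ratio = e["half_open"] / e["syns"]
        report[sock] = {
            "syns": e["syns"],
            "half_open": e["half_open"],
            "unique_sources": len(e["sources"]),
            "flood": e["syns"] >= min_syns and ratio >= half_open_ratio,
        }
    return report


if __name__ == "__main__":
    for sock, r in syn_flood_report(build_sample_log()).items():
        print(sock, r)
```

On a live Linux host the same half-open count is visible with `ss -tan state syn-recv`, and the standard first mitigation is SYN cookies (`net.ipv4.tcp_syncookies = 1`), which lets the kernel answer SYNs without queueing state for connections that never complete.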

DDoS attack: what it is and how to protect yourself

There are many methods of protecting against DDoS attacks, and all of them can be divided into four groups: passive, active, reactive and preventive. We will discuss them next.

Prevention

Here you need to remove the very causes that could provoke a DDoS attack. These include personal hostility, legal disputes, competition and other factors that draw "increased" attention to you, your business, and so on.

If you respond to these factors in time and draw the appropriate conclusions, many unpleasant situations can be avoided. This method relates to the organizational rather than the technical side of the issue.

Response measures

If attacks on your resources continue, you need to find the source of your problems, the customer or the executor, using both legal and technical means. Some firms provide services for tracking down intruders by technical means. Depending on the qualifications of the specialists dealing with the matter, not only the hacker carrying out the DDoS attack can be identified, but also the customer who ordered it.

Software protection

Some hardware and software manufacturers offer, together with their products, quite a few effective solutions that stop a DDoS attack on a site in its tracks. A separate small server aimed at countering small and medium-sized DDoS attacks can serve as the technical defender.

This solution is well suited to small and medium-sized businesses. For larger companies, enterprises and government agencies there are entire hardware complexes for combating DDoS attacks, which, along with a high price, have excellent protective characteristics.

Filtering

Blocking and thorough filtering of incoming traffic not only reduces the likelihood of an attack; in some cases a DDoS attack on the server can be ruled out entirely.

Two main ways of filtering traffic can be singled out: firewalls and routing based on access lists.

Filtering with access control lists (ACLs) lets you cut off secondary protocols without disrupting TCP and without lowering the speed of access to the protected resource. However, if the attackers use botnets or high-frequency requests, this method will be ineffective.

Firewalls provide much better protection against DDoS attacks, but their one drawback is that they are intended only for private and non-commercial networks.

Mirroring

The essence of this method is to redirect all the attacker's incoming traffic back at them. This is possible if you have powerful servers and competent specialists who will not only redirect the traffic but will be able to deal with the attacker's equipment.

The method is unsuitable if there are errors in system services, program code and other network applications.

Searching for vulnerabilities

This type of protection is aimed at fixing exploitable bugs and troubleshooting errors in web applications and systems, as well as in other services responsible for network traffic. The method is useless against flood attacks, which are not directed at these vulnerabilities.

Building up resources

This method cannot guarantee 100% protection, but it allows the other measures (or a combination of them) to prevent DDoS attacks more effectively.

Distribution of systems and resources

Duplicating resources and distributing systems will let users work with your data even while a DDoS attack on your server is in progress. For distribution you can use various server or network equipment, and it is also recommended to separate services physically across different duplicate systems (data centres).

Such a defense method is the most effective today, provided the architecture is correctly designed.

Evasion

The main feature of this method is moving and separating the attacked object (domain name or IP address): all the working resources on one site should be divided and placed on third-party network addresses, or even in another country. This will allow you to survive any attack and keep the internal IT infrastructure intact.

DDoS attack protection services

Having told everything about what a DDoS attack is and how to deal with it, we can finally give one good piece of advice. Many large organizations offer services for preventing and stopping such attacks. Mostly such companies use a whole range of measures and various mechanisms that protect your business from most DDoS attacks. Experts and connoisseurs work there, so if your resource is valuable to you, the best (albeit paid) option is to turn to one of these companies.

How to carry out a DDoS attack with your own hands

Forewarned is forearmed is the right principle. But remember that the deliberate organization of DDoS attacks, alone or as a group, is a criminal offence; this material is therefore provided for information only.

American IT threat-prevention specialists developed a program for testing how servers withstand load and the possibility of DDoS attacks by intruders, with the subsequent elimination of such an attack.

Naturally, "hot heads" turned this weapon against the developers themselves and against what they were fighting. The product's code name is LOIC. The program is freely available and, in principle, not prohibited by law.

The program's interface and functionality are quite simple; anyone interested in DDoS attacks can use it.

How is it done? In the interface fields it is enough to enter the victim's IP, then set the TCP and UDP streams and the number of requests. After pressing the coveted button, the attack begins.

Any serious resource will naturally not suffer from this software, but small ones may experience some problems.

Qrator Labs, which specializes in countering DDoS attacks and ensuring the availability of Internet resources, recorded high-speed DDoS attacks on major web resources using memcached-based amplification techniques (memcached is software that implements an in-memory data caching service based on a hash table).

From February 23 to 27, 2018, a wave of memcached-amplified DDoS attacks rolled across Europe. The technique exploits memcached installations left at their default parameters, which listen for UDP traffic; in effect it is a UDP flood, that is, a mass of forged UDP packets sent per unit of time from a wide range of IP addresses.

memcached security problems have been known since at least 2014, but in 2018 this vulnerability manifested itself particularly vividly: on the night of February 25-26, Qrator Labs specialists observed a series of memcached-amplified DDoS attacks across the Internet, including attacks on Russia's largest network resources.

In 2017 a group of researchers from the Chinese Okee Team described the possibility of organizing such attacks, pointing out their potentially destructive power.

Over the past few days, many sources have confirmed attacks by amplified responses from memcached resources, alongside reflected replies from DNS and NTP. The sources of these spoofed attacks were the major provider OVH and a large number of smaller Internet providers and hosters.

One of Qrator Labs' customers, the payment system QIWI, confirms a successfully neutralized attack of 480 Gbit/s of UDP traffic on its resources from compromised memcached amplifiers.

"Modern techniques for carrying out DDoS attacks do not stand still. Increasingly we record the emergence of new 'breaches' in the Internet's infrastructure that attackers successfully use to carry out attacks. Attacks using memcached, the speed of which reached several hundred Gbit/s, have become a confirmed fact," comments Alexander Lyamin, general director and founder of Qrator Labs. "There is a huge number of vulnerable memcached resources on the Internet, and we strongly recommend that technical specialists configure memcached correctly, not forgetting about the default settings. This will help avoid listening to all the UDP traffic sent to the server and reduce the likelihood of DDoS attacks."

About Qrator Labs

Qrator Labs is number one in DDoS mitigation in Russia (according to IDC Russia Anti-DDoS Services Market 2016-2020 Forecast and 2015 Analysis). The company was founded in 2009 and provides DDoS mitigation services combined with WAF (Web Application Firewall) solutions built on the technology of its partner Wallarm. To counter DDoS attacks effectively, Qrator Labs uses data from its own global monitoring service Qrator.Radar. The Qrator filtering network is built on nodes located in the USA, Russia, the EU and Asia, which, along with its own filtering algorithms, is the company's competitive advantage.
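The recommendation in Lyamin's quote above reduces to two settings. Below is an added example, not from Qrator Labs, the original article or the memcached project, that audits a memcached start-up line for this exposure and sizes the probe that makes it such a strong amplifier. It assumes memcached's documented option syntax (`-U <port>` for UDP, with 0 disabling it; `-l <address>` for the bind address; `-p <port>` for TCP), the documented 8-byte UDP frame header, and the fact that builds before 1.5.6 enabled UDP by default; the command lines and the cached value are constructed.

```python
"""Audit a memcached start-up line for reflector exposure and size the probe.

Added example, not from the original article or the memcached project.
Assumes memcached's documented options: -U <udp port> (0 disables UDP),
-l <listen address[,address]>, -p <tcp port>. Before 1.5.6 UDP was on by
default on 11211; from 1.5.6 the default is -U 0.
"""
import ipaddress
import shlex
import struct


def parse_memcached_args(cmdline):
    """Pull out the options that decide exposure from a process listing line."""
    argv = shlex.split(cmdline)
    opts = {"udp_port": None, "listen": [], "tcp_port": 11211}
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-U", "-l", "-p"):                          # -U 11211
            flag, value, i = arg, argv[i + 1], i + 2
        elif arg[:2] in ("-U", "-l", "-p") and len(arg) > 2:  # -U11211
            flag, value, i = arg[:2], arg[2:], i + 1
        else:
            i += 1
            continue
        if flag == "-U":
            opts["udp_port"] = int(value)
        elif flag == "-l":
            opts["listen"].extend(a.strip() for a in value.split(","))
        else:
            opts["tcp_port"] = int(value)
    return opts


def audit_memcached(cmdline, udp_on_by_default=True):
    """Return findings (empty list = not usable as an amplifier). Only a
    loopback bind counts as safe by configuration alone; anything else must
    be backed by a firewall rule."""
    opts = parse_memcached_args(cmdline)
    udp_port = opts["udp_port"]
    if udp_port is None:
        udp_port = 11211 if udp_on_by_default else 0
    listen = opts["listen"] or ["0.0.0.0"]          # no -l means all interfaces
    reachable = [a for a in listen if not ipaddress.ip_address(a).is_loopback]
    findings = []
    if udp_port != 0 and reachable:
        findings.append(
            f"UDP port {udp_port} bound on {','.join(reachable)}: usable as an "
            f"amplifier by anyone who can reach it; start with -U 0"
        )
    if reachable:
        findings.append(
            f"TCP port {opts['tcp_port']} bound on {','.join(reachable)}: "
            f"unauthenticated cache access; bind with -l 127.0.0.1 or firewall it"
        )
    return findings


def udp_frame(request_id, seq, total, payload):
    """memcached UDP datagram: 8-byte header (request id, sequence number,
    datagram count, reserved), then the ASCII command or response."""
    return struct.pack("!HHHH", request_id, seq, total, 0) + payload


def amplification_factor(request, responses):
    """Bytes delivered to the forged source per byte the attacker sent."""
    return sum(len(r) for r in responses) / len(request)


def example_get_amplification(value_size=1400):
    """Constructed exchange: a 15-byte 'get' that returns a value the attacker
    planted earlier (memcached splits big replies across datagrams; one here)."""
    request = udp_frame(1, 0, 1, b"get k\r\n")
    value = b"A" * value_size
    body = b"VALUE k 0 %d\r\n" % value_size + value + b"\r\nEND\r\n"
    response = udp_frame(1, 0, 1, body)
    return amplification_factor(request, [response])


if __name__ == "__main__":
    print(audit_memcached("memcached -m 64 -p 11211 -U 11211 -l 0.0.0.0 -u memcache"))
    print(audit_memcached("memcached -m 64 -U 0 -l 127.0.0.1 -u memcache"))
    print(f"{example_get_amplification():.1f}x")
```

The audit treats only a loopback bind as safe on its own; a server bound to a real interface is reported even with UDP off, since the TCP side still exposes the cache to anyone who can reach port 11211. The point of the frame function is the size ratio: the `get` request is 15 bytes on the wire, and the reply carries whatever value an attacker planted earlier, so the factor is bounded only by what the server will store and return.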

This organization (NIC.tr), in addition to registering domain names in the .tr zone, also provides the main uplink for Turkish universities. Supporters of Anonymous, who accuse the Turkish leadership of supporting ISIL, claimed responsibility.

The first signs of the DDoS appeared on the morning of December 14; by noon five NIC.tr servers had given way under the onslaught of junk traffic of up to 40 Gbit/s. The problem also affected the RIPE Coordination Centre (RIPE NCC), which provides an alternative NIC.tr infrastructure. RIPE representatives noted that the attack was modified so as to bypass RIPE's protection.

Large-scale DDoS attacks are becoming the most effective way to disrupt web services: the cost of attacks keeps falling, which allows their power to grow. In just two years the average power of a DDoS attack has grown fourfold to 8 Gbit/s. Against that average, the attack on Turkey's national domain zone looks enormous, but experts stress that DDoS attacks at the 400 Gbit/s level will soon become the norm.

What is unique about the Turkish attack is that the attackers chose the right target: by concentrating on a relatively small number of IP addresses, they managed to practically take down the infrastructure of an entire country using only a 40-gigabit attack.

The Turkish National Cyber Incident Response Centre blocked all traffic entering the NIC.tr servers from other countries, which made all 400 thousand Turkish sites inaccessible and bounced all e-mail back to its senders. Later the Centre changed tactics, selectively blocking suspicious IP addresses. The DNS servers for .tr domains were reconfigured to distribute requests between public and private servers, which was helped by the Turkish Internet providers Superonline and Vodafone.

The attacked domains came back online the same day, but many sites and mail services worked with interruptions for several more days. Not only local companies and government organizations suffered, but also many national web resources that chose a domain name in the .tr zone; in total it is about 400 thousand websites, 75% of which are corporate. Educational institutions, municipalities and the military also use the Turkish national domain.

While Anonymous had not yet made a statement, many blamed the DDoS attack on Russians because of the tense relations between Turkey and Russia. At one time Russian hackers were suspected, for similar reasons, of involvement in large-scale cyber attacks on Estonia (2007), Georgia (2008) and Ukraine (2014). Some experts saw the Turkish DDoS as a Russian response to the DDoS attack by Turkish cyber groups on the Russian news site Sputnik.

The Anonymous statement deprived the "Russian trail" hypothesis of its foundation. The hacktivists also threaten to attack Turkish airports, banks, government servers and military organizations unless Turkey stops helping ISIL.

The unstable economic situation of the last two years has led to a significant increase in competitive struggle in the market, as a result of which DDoS attacks have grown in popularity as an effective way of inflicting economic damage.

In 2016 the number of commercial orders for DDoS attacks increased several times. Massive DDoS attacks moved from the area of targeted political influence, as was the case in 2014, into a mass business segment. The attackers' main task is to make a resource inaccessible as quickly as possible and at minimal cost, in order to get money from competitors for this, to create the conditions for extortion, and so on. DDoS attacks are used ever more actively, which stimulates the search for ever larger-scale business protection tools.

At the same time, the number of attacks continues to grow even despite noticeable successes in the fight against DDoS. According to Qrator Labs, in 2015 the number of DDoS attacks increased by 100%. This is not surprising, because their cost fell to about $5 per hour, and the tools for carrying them out went onto a mass black market. We point out several basic trends in distributed denial-of-service attacks that are projected for the next few years.

UDP amplification attacks

Attacks aimed at exhausting channel capacity include UDP amplification. Such incidents were the most common in 2014 and became a clear trend of 2015. However, their number has already peaked and is gradually declining: the pool of amplifiers for such attacks is not only finite but is shrinking sharply.

An amplifier is a public UDP service that works without authentication and, in response to a small request, can send back a much larger reply. The attacker, sending such requests, replaces its own IP address with the victim's IP address. As a result the return traffic, far exceeding the bandwidth of the attacker's channel, is redirected at the victim's web resource. DNS, NTP, SSDP and other servers are used as unwitting participants in such attacks.
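The mechanism described above can be made concrete. The following is an added example, not from the original article, that simulates one reflection round with the source address forged to the victim's, and shows that an egress filter at the attacker's own provider (BCP38 / RFC 2827) removes the attack entirely because the forged packets never leave that network. The topology, addresses and per-service gain values are constructed for illustration and are not measurements.

```python
"""Why reflection needs spoofing, and where BCP38 filtering stops it.

Added example, not from the original article. The topology, addresses and
per-service gain figures are constructed for illustration; real
amplification factors vary by service and by the query used.
"""
import ipaddress

# Constructed reflectors: address -> (service, reply bytes per request byte)
REFLECTORS = {
    "192.0.2.53": ("dns", 30.0),
    "192.0.2.123": ("ntp", 200.0),
    "192.0.2.211": ("memcached", 10000.0),
}

# A packet is (src, dst, size_bytes).


def spoofed_requests(victim, reflectors, request_size=60, per_reflector=100):
    """The attacker writes the victim's address into the source field."""
    return [(victim, r, request_size) for r in reflectors for _ in range(per_reflector)]


def bcp38_egress_filter(packets, customer_prefixes):
    """BCP38 / RFC 2827 at the attacker's ISP: forward an outbound packet only
    if its source lies in a prefix assigned to that customer."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    return [p for p in packets
            if any(ipaddress.ip_address(p[0]) in n for n in nets)]


def reflect(packets, reflectors):
    """Each reflector answers the packet's claimed source with an amplified reply."""
    replies = []
    for src, dst, size in packets:
        if dst in reflectors:
            _service, gain = reflectors[dst]
            replies.append((dst, src, int(size * gain)))
    return replies


def bytes_to(host, packets):
    """Total bytes addressed to one host."""
    return sum(size for _src, dst, size in packets if dst == host)


def simulate(victim, attacker_prefixes, filtered):
    """Return (bytes that left the attacker's ISP, bytes that reach the victim)."""
    out = spoofed_requests(victim, REFLECTORS)
    if filtered:
        out = bcp38_egress_filter(out, attacker_prefixes)
    sent = sum(size for _s, _d, size in out)
    return sent, bytes_to(victim, reflect(out, REFLECTORS))


if __name__ == "__main__":
    for filtered in (False, True):
        sent, hit = simulate("203.0.113.10", ["198.51.100.0/24"], filtered)
        state = "on " if filtered else "off"
        print(f"BCP38 {state}: {sent} B left the attacker's ISP, victim received {hit} B")
```

The victim cannot apply this filter; only the network the attacker sits in can. Defences on the victim's side are limited to rate-limiting inbound replies from well-known reflector ports (53, 123, 1900, 11211) or absorbing them with a scrubbing provider.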

Attacks on web applications at L7

Because of the reduction in the number of amplifiers, attacks on web applications at layer 7 using classic botnets have again come to the fore. As is well known, a botnet is able to carry out network attacks on remote command, and the owners of the infected computers may not suspect it. As a result of the service being overloaded with "junk" requests, legitimate users' requests go unanswered or the responses take an unreasonably long time.

Today botnets are becoming more intelligent. When organizing such attacks, Full-Browser-Stack technology is supported, that is, full emulation of a user's computer and browser, including JavaScript execution. Such techniques allow L7 attacks to be disguised perfectly. It is almost impossible to tell a bot from a user manually. This requires systems using machine learning, thanks to which the level of attack mitigation rises, the mechanisms improve, and the detection accuracy grows.
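To show what "distinguishing a bot from a user" looks like before machine learning enters the picture, here is an added example, not from the original article, that profiles clients in a combined-format web access log using three cheap signals: sustained request rate, whether the client ever loads page assets, and the share of requests hitting expensive endpoints. The log lines, addresses, user agents and thresholds are constructed.

```python
"""Score web clients for L7 flood behaviour from an access log.

Added example, not from the original article. Log lines are in Apache/nginx
"combined" format and are constructed here: one human browsing normally and
one bot hammering a search endpoint. Thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC = (".css", ".js", ".png", ".ico", ".woff2")
EXPENSIVE = ("/search",)          # endpoints that cost the backend real work


def _line(ip, when, path, ua, status=200, size=2048):
    ts = when.strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


def build_sample_log():
    """Constructed log: a human (page, assets, pauses) and a bot (searches only)."""
    t0 = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    human_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
    lines = []
    for offset, path in [(0, "/"), (0, "/app.css"), (0, "/app.js"), (1, "/logo.png"),
                         (9, "/search?q=ddos"), (9, "/app.css"), (10, "/logo.png"),
                         (25, "/search?q=syn+flood"), (31, "/article/12")]:
        lines.append(_line("10.0.0.8", t0 + timedelta(seconds=offset), path, human_ua))
    # Bot: five searches every second for 20 s, never a single asset.
    for s in range(20):
        for k in range(5):
            lines.append(_line("198.51.100.9", t0 + timedelta(seconds=s),
                               f"/search?q={s * 5 + k}", "python-requests/2.9.1"))
    return lines


def profile_clients(lines):
    """Per source: request count, static/expensive counts, active time span."""
    per = defaultdict(lambda: {"n": 0, "static": 0, "expensive": 0,
                               "first": None, "last": None, "uas": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        path = m["path"].split("?", 1)[0]
        e = per[m["ip"]]
        e["n"] += 1
        e["static"] += path.endswith(STATIC)
        e["expensive"] += path.startswith(EXPENSIVE)
        e["first"] = ts if e["first"] is None else min(e["first"], ts)
        e["last"] = ts if e["last"] is None else max(e["last"], ts)
        e["uas"].add(m["ua"])
    return per


def classify(profiles, max_rate=2.0, min_requests=20):
    """Flag a client only when at least two independent signals agree."""
    verdicts = {}
    for ip, e in profiles.items():
        span = (e["last"] - e["first"]).total_seconds() + 1
        rate = e["n"] / span
        reasons = []
        if rate > max_rate:
            reasons.append(f"{rate:.1f} req/s sustained over {span:.0f}s")
        if e["n"] >= min_requests and e["static"] == 0:
            reasons.append("never fetched a page asset")
        if e["n"] >= min_requests and e["expensive"] / e["n"] > 0.9:
            reasons.append("almost only expensive endpoints")
        verdicts[ip] = {"rate": round(rate, 2), "reasons": reasons,
                        "bot": len(reasons) >= 2}
    return verdicts


if __name__ == "__main__":
    for ip, v in classify(profile_clients(build_sample_log())).items():
        print(ip, v)
```

The asset heuristic is exactly what a full-browser-stack bot defeats: a real browser engine fetches the CSS and scripts and runs the JavaScript, so only timing regularity and correlation across many clients remain, which is why the text turns to machine learning for this class of attack.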

BGP problems

In 2016 a new trend appeared: attacks on network infrastructure, including those based on the use of BGP vulnerabilities. The problems of the BGP routing protocol, on which the entire Internet is based, have been known for several years, but in recent years they increasingly lead to serious negative consequences.

Network anomalies associated with routing at the inter-domain level can affect a large number of hosts, networks, and even global connectivity and Internet accessibility. The most typical kind of problem is the route leak, a "leak" of a route that arises as a result of its announcement in the wrong direction. So far BGP vulnerabilities are rarely used intentionally: the cost of organizing such an attack is quite high, and incidents mostly occur due to banal errors in network settings.

However, in recent years the scale of organized criminal groups on the Internet has increased significantly, so, according to Qrator Labs, attacks related to BGP problems will become popular in the foreseeable future. A vivid example is the hijacking of IP addresses by the well-known cyber group Hacking Team, carried out on state order: the Italian police needed to control several computers whose owners were under investigation.
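The two BGP problems named above, route leaks and origin hijacks, can both be checked against data an operator already has: validated origins (from ROAs or IRR) and the AS relationships of its neighbours. The following is an added example, not from the original article or from Qrator.Radar, that flags a wrong-origin announcement, a more-specific hijack, and a path that violates valley-free propagation (the customer-to-provider leak of RFC 7908). The prefixes, AS numbers and relationships are constructed.

```python
"""Check BGP announcements for origin hijacks and route leaks.

Added example, not from the original article or Qrator.Radar. The expected
origins stand in for validated ROA/IRR data; the AS relationships and the
announcements are constructed. AS paths are in BGP order, observer first,
origin last.
"""
import ipaddress

# Constructed ground truth: who may originate which prefix.
EXPECTED_ORIGIN = {"192.0.2.0/24": "AS65040", "198.51.100.0/24": "AS65050"}

# Constructed relationships: (provider, customer) -> "p2c", (a, b) -> "p2p".
RELATIONS = {
    ("AS65010", "AS65040"): "p2c",
    ("AS65010", "AS65001"): "p2c",
    ("AS65020", "AS65001"): "p2c",   # AS65001 is multihomed to 65010 and 65020
    ("AS65010", "AS65020"): "p2p",
}


def hop_direction(frm, to, relations=RELATIONS):
    """Direction a route travels when AS `frm` announces it to AS `to`."""
    if relations.get((to, frm)) == "p2c":
        return "up"          # customer sends to its provider
    if relations.get((frm, to)) == "p2c":
        return "down"        # provider sends to its customer
    if relations.get((frm, to)) == "p2p" or relations.get((to, frm)) == "p2p":
        return "peer"
    return "unknown"


def is_valley_free(as_path, relations=RELATIONS):
    """Valid propagation reads, from the origin outward, as: any number of
    'up' hops, at most one 'peer' hop, then only 'down' hops. A route that
    goes down (or sideways) and then up again was leaked (RFC 7908).
    Returns None if some relationship is unknown."""
    hops = list(reversed(as_path))               # origin first
    phase = "up"
    for frm, to in zip(hops, hops[1:]):
        d = hop_direction(frm, to, relations)
        if d == "unknown":
            return None
        if d == "up" and phase == "up":
            continue
        if d == "peer" and phase == "up":
            phase = "down"                       # one lateral hop allowed
            continue
        if d == "down":
            phase = "down"
            continue
        return False
    return True


def check_origin(prefix, origin_as, expected=EXPECTED_ORIGIN):
    """Flag a wrong origin for a known prefix or for a more-specific of it."""
    net = ipaddress.ip_network(prefix)
    issues = []
    for known, asn in expected.items():
        kn = ipaddress.ip_network(known)
        if origin_as == asn:
            continue
        if net == kn:
            issues.append(f"{prefix}: origin {origin_as}, expected {asn} (hijack?)")
        elif net.subnet_of(kn):
            issues.append(f"{prefix}: more-specific of {known} from {origin_as}, "
                          f"expected {asn} (sub-prefix hijack?)")
    return issues


def check_announcement(prefix, as_path, expected=EXPECTED_ORIGIN, relations=RELATIONS):
    """Combine origin validation with the valley-free check."""
    issues = check_origin(prefix, as_path[-1], expected)
    if is_valley_free(as_path, relations) is False:
        issues.append(f"{prefix}: path {' '.join(as_path)} is not valley-free (route leak?)")
    return issues


if __name__ == "__main__":
    for prefix, path in [
        ("192.0.2.0/24", ["AS65020", "AS65010", "AS65040"]),             # normal, via peering
        ("192.0.2.0/24", ["AS65020", "AS65001", "AS65010", "AS65040"]),  # leaked by 65001
        ("192.0.2.0/25", ["AS65020", "AS65001"]),                        # sub-prefix hijack
        ("198.51.100.0/24", ["AS65020", "AS65001"]),                     # wrong origin
    ]:
        print(prefix, path, check_announcement(prefix, path) or "ok")
```

Relationship data is the weak point in practice: if a hop's relationship is unknown the function returns None rather than guessing, and a real deployment would fall back to origin validation alone for that path.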

TCP incidents

The network stack of TCP/IP systems has a number of problems that will become especially acute this year. To maintain active speed growth, the Internet infrastructure must be constantly updated. The speed of physical connections to the Internet grows every few years. In the early 2000s the standard was 1 Gbit/s; today the most popular physical interface is 10 Gbit/s. But the mass introduction of the new physical interface standard, 100 Gbit/s, is generating problems with the outdated TCP/IP protocol, which was not designed for such high speeds.

For example, it becomes possible in a matter of minutes to guess a TCP sequence number, the numeric identifier that allows (or rather, allowed) TCP/IP peers to authenticate each other when establishing a connection and to exchange data while preserving its order and integrity. At 100 Gbit/s line speeds, an entry in the TCP server's log files about an open connection and/or data sent over it no longer guarantees that the recorded IP address really established the connection and transmitted that data. Accordingly, this opens the possibility of a new class of attacks, and the effectiveness of firewalls can decrease significantly.

TCP/IP vulnerabilities attract the attention of many researchers. They believe that in 2016 we will hear about "loud" attacks related to the exploitation of these "holes".

The near future

Today the development of technologies and threats does not follow the "classic" spiral, since the system is not closed; there are many external factors. The result is a spiral with an expanding amplitude: it rises, the complexity of attacks grows, and the coverage of technology expands significantly. We note several factors that have a serious impact on the development of the system.

The main one is certainly the migration to the new IPv6 transport protocol. At the end of 2015 the IPv4 protocol was declared obsolete, and IPv6 comes to the fore, bringing new challenges with it: now every device has an IP address, and they can all connect to each other directly. Yes, new recommendations are appearing on how end devices should behave, but how the industry will cope with all this, especially telecom operators, the mass-market segment and Chinese vendors, is an open question. IPv6 radically changes the rules of the game.

Another challenge is the significant growth of mobile networks, their speed and "endurance". Whereas earlier a mobile botnet created problems first of all for the mobile operator itself, now, when a 4G connection becomes faster than wired Internet, mobile networks with a huge number of devices, including Chinese-made ones, are turning into an excellent platform for DDoS and hacker attacks. And the problems arise not only for the telecom operator but for other market participants as well.

A serious threat is the emerging world of the Internet of Things. New attack vectors appear, since the huge number of devices and the use of wireless communication technologies open up truly limitless prospects for hackers. Every device connected to the Internet can potentially become part of an intruder's infrastructure and be involved in DDoS attacks.

Unfortunately, the manufacturers of all kinds of network-connected household appliances (kettles, televisions, cars, multicookers, scales, "smart" sockets, etc.) do not always ensure a proper level of protection. Often older versions of popular operating systems are used in such devices, and vendors do not bother with regular updates, that is, replacement with versions in which the vulnerabilities have been eliminated. And if the device is popular and widely used, hackers will not miss the opportunity to exploit its vulnerabilities.

The harbingers of IoT problems appeared already in 2015: according to preliminary data, the latest attack on Blizzard Entertainment was carried out using IoT-class devices. Malicious code has been recorded running on modern kettles and light bulbs. Chipsets simplify the hackers' task. Not long ago an inexpensive chipset was released, intended for various equipment that can "talk" to the Internet. So attackers do not need to hack 100 thousand custom firmwares: it is enough to "break" one chipset and gain access to all devices based on it.

It is predicted that all smartphones based on older Android versions will be part of at least one botnet, along with all "smart" sockets, refrigerators and other appliances. In a couple of years a botnet of kettles, baby monitors and multicookers awaits us. The "Internet of Things" will bring us not only convenience and additional opportunities but also a lot of problems. When there are many things in the IoT and each of them can send 10 bytes, new security challenges will have to be solved. And we should prepare for this today.

Introduction

Let me say at once that when writing this review I focused primarily on an audience versed in the specifics of telecom operators and their data transmission networks. This article outlines the basic principles of protection against DDoS attacks, the history of their development over the last decade, and the current situation.

What is DDOS?

Probably everyone knows what a DDoS attack is today, if not every "user" then at least every "IT person". But a few words need to be said.

DDoS attacks (Distributed Denial of Service) are attacks on computing systems (network resources or communication channels) aimed at making them inaccessible to legitimate users. A DDoS attack consists of simultaneously sending a large number of requests towards a particular resource from one or many computers located on the Internet. If thousands, tens of thousands or millions of computers start sending requests to a particular server (or network service) at the same time, either the server will not withstand it, or the bandwidth of the communication channel to that server will be insufficient. In both cases Internet users will be unable to reach the attacked server, or even any of the servers and other resources connected via the blocked communication channel.

Some features of DDOS attacks

Against whom and for what purpose are DDoS attacks launched?

DDoS attacks can be launched against any resource present on the Internet. The greatest damage from DDoS attacks is suffered by organizations whose business is directly tied to the Internet: banks (providing Internet banking), online shops, marketplaces, auctions, as well as other activities whose effectiveness depends significantly on their Internet presence (travel agencies, airlines, equipment and software manufacturers, etc.). DDoS attacks are regularly launched against the resources of such giants of the world IT industry as IBM, Cisco Systems, Microsoft and others. Massive DDoS attacks have been observed against ebay.com, Amazon.com, and many well-known banks and organizations.

Very often DDoS attacks are launched against the web presence of political organizations, institutions or well-known individuals. Many people know about the massive and long-running DDoS attacks launched against the Georgian president's website during the Georgian-Ossetian war of 2008 (the site was unavailable for several months from August 2008), against Estonian government servers (in spring 2007, during the riots over the relocation of the Bronze Soldier monument), and about periodic attacks from the North Korean network segment against American sites.

The main objectives of a DDoS attack are either to extract benefit (direct or indirect) through blackmail and extortion, or to pursue political interests, inflame a situation, or take revenge.

What are the launch mechanisms of DDoS attacks?

The most popular and dangerous way to launch a DDoS attack is the use of botnets. A botnet is a set of computers on which special software implants (bots) are installed; translated from English, a botnet is a network of bots. Bots are usually designed by hackers individually for each botnet, and their main purpose is to send requests towards a specific Internet resource on command from the botnet management server (the command and control server). The botnet controller is operated by a hacker, or by a person who bought this botnet from a hacker along with the ability to launch a DDoS attack. Bots spread across the Internet in various ways: as a rule, by attacking computers with vulnerable services and installing the implant, or by deceiving users and coaxing them into installing bots under the guise of other services or software that performs a harmless or even useful function. There are many methods of distributing bots, and new ones are invented regularly.

If a botnet is large enough, tens or hundreds of thousands of computers, then the simultaneous sending from all these computers of even entirely legitimate requests towards a certain network service (for example, the web service on a particular site) will lead to exhaustion of the resources of the service or the server itself, or to exhaustion of channel capacity. In any case the service will be unavailable to users, and its owner will incur direct, indirect and reputational losses. And if each computer sends not one request but dozens, hundreds or thousands of requests per second, the force of the attack multiplies, which makes it possible to take down even the most capable resources or communication channels.

Some attacks are launched in more "harmless" ways. For example, a flash mob of users of certain forums who, by agreement, launch "ping" or other requests from their computers towards a particular server at a certain time. Another example is placing links to a website on popular Internet resources, which causes an influx of users to the target server. If a "fake" link (one that looks like a link to one resource but actually points to a completely different server) leads to a small organization's website and is posted on popular servers or forums, such an attack may cause an unwanted influx of visitors to that site. Attacks of the last two types rarely make servers on properly organized hosting unavailable, but there have been such cases, including in Russia in 2009.

Will traditional technical means of protection help against DDoS attacks?

The peculiarity of DDoS attacks is that they consist of a multitude of simultaneous requests, each of which is individually "legal"; moreover, these requests are sent by computers (infected with bots) that may well belong to the most ordinary real or potential users of the attacked service or resource. It is therefore very difficult to correctly identify and filter exactly the requests that make up the DDoS attack. Standard IDS/IPS systems (Intrusion Detection/Prevention System) will not find any "corpus delicti" in these requests and will not recognize them as part of an attack unless they perform a qualitative analysis of traffic anomalies. And even if they do, filtering out the unwanted requests is not so simple: standard firewalls and routers filter traffic on the basis of well-defined access lists (control rules) and cannot "dynamically" adapt to the profile of a particular attack. Firewalls can regulate traffic flows by criteria such as source addresses, network services used, ports and protocols. But ordinary Internet users take part in a DDoS attack, sending requests over the most common protocols; should the communication operator prohibit everyone and everything? Then it would simply stop providing communication services to its subscribers and stop providing access to the network resources it serves, which is exactly what the initiator of the attack wants.

Many specialists are probably aware of special solutions for protection against DDoS attacks that detect anomalies in traffic, build a traffic profile and an attack profile, and then perform dynamic multi-stage traffic filtering. I will also talk about these solutions in this article, but somewhat later. First, I will describe some less well-known but sometimes quite effective measures that can be taken to suppress DDoS attacks with the existing means of the data network and its administrators.

Protection against DDoS attacks with available means

There are quite a few mechanisms and "tricks" that allow DDoS attacks to be suppressed in certain particular cases. Some can be used only if the data network is built on a particular manufacturer's equipment; others are more or less universal.

Let's start with the recommendations of Cisco Systems. The company's specialists recommend implementing Network Foundation Protection, which includes protection of the network's management plane, control plane and data plane.

Management Plane Protection

The term "management plane" covers all traffic that provides control or monitoring of routers and other network equipment. This traffic is sent towards the router or originates from it. Examples of such traffic are Telnet, SSH and HTTP(S) sessions, syslog messages and SNMP traps. Common best practices include:

Providing maximum security for management and monitoring protocols, using encryption and authentication:

  • the SNMP v3 protocol provides protection mechanisms, while SNMP v1 provides practically none and SNMP v2 only partially; the default Community value must always be changed;
  • different values should be used for the public and private Community strings;
  • the Telnet protocol transmits all data, including the username and password, in the clear (if the traffic is intercepted, this information can easily be retrieved and used); it is recommended to use SSH v2 instead;
  • similarly, HTTPS should be used instead of HTTP for access to equipment.

Strict control of access to equipment, including adequate passwords, centralized authentication, authorization and accounting (the AAA model) and local authentication as a fallback;

Implementation of a role-based access model;

Control of allowed connections by source address using access control lists;

Disabling unused services, many of which are enabled by default (or were forgotten and left enabled after diagnosing or setting up the system);

Monitoring the use of equipment resources.

The last two points deserve more detail.
Some services that are enabled by default, or that were forgotten and left enabled after setting up or diagnosing equipment, can be used by intruders to bypass the existing security rules. These services are listed below:

  • PAD (Packet Assembler / Disassembler);

Naturally, before disabling these services you need to carefully verify that your network does not need them.

It is desirable to monitor the use of equipment resources. This allows you, first, to notice the overloading of individual network elements and take measures to prevent failures, and second, to detect DDoS attacks and anomalies if no special means are provided for their detection. At a minimum, it is recommended to monitor:

  • processor load
  • memory use
  • load on router interfaces.

Monitoring can be done "manually" (periodically checking the state of the equipment), but it is better to do it with special network monitoring systems or information security monitoring systems (Cisco MARS is an example of the latter).

Control Plane Protection

The control plane includes all the service traffic that ensures the functioning and connectivity of the network in accordance with the specified topology and parameters. Examples of control-plane traffic are all traffic generated by or destined for the route processor (RP), including all routing protocols, in some cases SSH and SNMP, and also ICMP. Any attack on the functioning of the route processor, and especially a DDoS attack, may entail significant problems and interruptions in the operation of the network. Best practices for protecting the control plane are described below.

Control Plane Policing

This consists of using QoS (Quality of Service) mechanisms to give control-plane traffic a higher priority than user traffic (part of which may be an attack). This ensures the operation of the service protocols and the route processor, that is, it maintains the topology and connectivity of the network as well as correct routing and switching of packets.

IP Receive ACL

This functionality allows filtering and control of service traffic destined for the router and its route processor. Receive ACLs:

  • are applied directly on the routing equipment before traffic reaches the route processor, providing "personalized" protection of the equipment;
  • are applied after traffic has passed the usual access control lists, so they are the last line of protection on the way to the route processor;
  • apply to all traffic (internal, external and transit with respect to the network operator's network).

Infrastructure ACL

Normally only hosts within the network operator's own network need access to the addresses of its router equipment, although there are exceptions (for example, eBGP, GRE and IPv6-over-IPv4 tunnels, and ICMP). Infrastructure access control lists:

  • are usually installed at the border of the network operator's network ("at the entrance to the network");
  • are intended to prevent external hosts from accessing the addresses of the operator's infrastructure;
  • allow unhindered transit of traffic across the border of the operator's network;
  • provide basic protection mechanisms against unauthorized network activity described in RFC 1918 and RFC 3330, in particular protection against spoofing (the use of fake source IP addresses to disguise the origin of an attack).

Neighbor authentication.

The main goal of neighbor authentication is to prevent attacks that use fake routing protocol messages to change routing in the network. Such attacks can lead to unauthorized penetration into the network, unauthorized use of network resources, and to the attacker capturing traffic in order to analyze it and obtain the information they need.

BGP configuration.

  • BGP prefix filtering (BGP Prefix Filters) is used so that information about the communication operator's internal network is not distributed on the Internet (sometimes this information can be very useful to an attacker);
  • limiting the number of prefixes that can be accepted from another router (Prefix Limiting) is used to protect against DDoS attacks, anomalies and failures in peering partners' networks;
  • BGP Community parameters and filtering on them can also be used to limit the distribution of routing information;
  • BGP monitoring and comparison of BGP data with the observed traffic is one of the mechanisms for early detection of DDoS attacks and anomalies;
  • filtering by the TTL (Time To Live) parameter is used to verify BGP peers.

If an attack on the BGP protocol is launched not from the peering partner's network but from a more remote network, the TTL parameter of the BGP packets will be less than 255. You can configure the telecom operator's border routers to discard all BGP packets with a TTL value < 255, and the peering partners' routers, conversely, to generate only BGP packets with TTL=255. Since the TTL is decremented by 1 at each routing hop, this simple trick makes it easy to avoid attacks from beyond your peering partner's boundary.
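The TTL check described above, as an added simulation that is not part of the original article or any vendor's code: the peer sends BGP packets with TTL=255, each intermediate router decrements the TTL by 1, and the border router drops anything below the expected minimum. The hop counts and sender settings are constructed for the demo, and the "legacy" case shows why the peer must be configured to send TTL=255.

```python
"""Added example, not from the article: a simulation of the TTL check described
above (peers send BGP packets with TTL=255, every router on the path decrements
TTL by 1, the border router drops anything below the expected minimum).
The hop counts and sender settings are constructed."""

MAX_TTL = 255


def ttl_on_arrival(sender_ttl: int, routers_between: int) -> int:
    """TTL the packet carries when it reaches the border router after passing
    through routers_between intermediate routers (each decrements by 1)."""
    return max(sender_ttl - routers_between, 0)


def gtsm_accept(arrived_ttl: int, max_routers_between: int = 0) -> bool:
    """TTL check: if the peer may be at most max_routers_between routers away
    (0 = directly connected), the packet must still carry TTL >= 255 minus that."""
    return arrived_ttl >= MAX_TTL - max_routers_between


def legacy_accept(arrived_ttl: int) -> bool:
    """Without the check, any packet that has not expired (TTL >= 1) is accepted,
    so a forged BGP packet from a distant network is indistinguishable."""
    return arrived_ttl >= 1


def session_outcome(sender_ttl: int, routers_between: int, max_routers_between: int) -> str:
    """Human-readable verdict for one constructed scenario."""
    ttl = ttl_on_arrival(sender_ttl, routers_between)
    return "accept" if gtsm_accept(ttl, max_routers_between) else f"drop(ttl={ttl})"


if __name__ == "__main__":
    # Constructed scenarios: (sender TTL, intermediate routers, allowed intermediate routers)
    cases = [
        (255, 0, 0),   # directly connected peer sending TTL=255
        (255, 3, 0),   # forged packet from three routers away
        (64, 0, 0),    # directly connected peer that still uses a default TTL of 64
        (255, 1, 1),   # peer one router away, explicitly allowed
    ]
    for case in cases:
        print(case, "->", session_outcome(*case))
```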

Data Plane Protection

Despite the importance of protecting the management and control planes, most of the traffic in a network operator's network is data: transit traffic or traffic destined for the operator's subscribers.

Unicast Reverse Path Forwarding (uRPF)

Attacks are often launched using spoofing: source IP addresses are falsified so that the source of the attack cannot be traced. The falsified IP addresses can be:

  • from actually used address space, but from another network segment (in the segment from which the attack is launched these fake addresses are not routed);
  • from address space unused in this network;
  • from address space that is not routed on the Internet.

Implementing the uRPF mechanism on routers prevents the routing of packets whose source addresses are inconsistent with, or unused in, the network segment from which they arrived at the router interface. This technology sometimes allows unwanted traffic to be filtered closest to its source, that is, most effectively. Many DDoS attacks (including the well-known Smurf and Tribe Flood Network) use spoofing and constantly changing source addresses to deceive standard protection and traffic-filtering means.

The use of the uRPF mechanism by telecom operators providing subscribers with Internet access effectively prevents DDoS attacks that use spoofing and are directed by the operator's own subscribers against Internet resources. Thus the DDoS attack is suppressed closest to its source, that is, most effectively.
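The strict-mode uRPF check at a subscriber-facing edge, as an added simulation that is not code from the article or from Cisco: the routing table, interface names and packets are constructed, and the check covers all three kinds of falsified source address listed above (another segment's addresses, unused space, and space not routed on the Internet).

```python
"""Added example, not code from the article or from Cisco: a small simulation of
strict-mode uRPF plus bogon filtering at an operator's subscriber-facing edge.
The routing table, interface names and packets are all constructed for the demo."""
import ipaddress
from typing import Optional

# Constructed routing table: prefix -> egress interface (longest prefix match wins).
ROUTES = {
    "0.0.0.0/0": "Gi0/0",         # default route towards the upstream provider
    "203.0.113.0/24": "Gi0/1",    # subscriber segment A
    "198.51.100.0/24": "Gi0/2",   # subscriber segment B
}

# Address space that is never routed on the Internet (RFC 1918 and similar).
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def lookup(src: str) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict(src: str, ingress: str) -> str:
    """Verdict for a packet with source src that arrived on interface ingress.

    Strict uRPF forwards the packet only if the best route back to its source
    points out the same interface it came in on. This simulation treats the
    default route as a valid reverse path for the upstream link."""
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in BOGONS):
        return "drop:bogon-source"
    egress = lookup(src)
    if egress is None:
        return "drop:unreachable-source"
    if egress != ingress:
        return "drop:rpf-fail"
    return "forward"


# Constructed packets: (source address, ingress interface).
PACKETS = [
    ("203.0.113.7", "Gi0/1"),    # legitimate subscriber in segment A
    ("198.51.100.9", "Gi0/1"),   # segment B address spoofed from segment A
    ("192.0.2.50", "Gi0/1"),     # Internet address spoofed by a subscriber
    ("10.1.2.3", "Gi0/1"),       # private space, never valid at the edge
    ("192.0.2.50", "Gi0/0"),     # genuine traffic arriving from upstream
]


def filter_batch(packets):
    """Apply the check to each packet and count the verdicts."""
    counts = {}
    for src, iface in packets:
        verdict = urpf_strict(src, iface)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for src, iface in PACKETS:
        print(f"{src:>14} on {iface}: {urpf_strict(src, iface)}")
```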

Remotely Triggered Black Holes (RTBH)

Remotely triggered black holes are used to "drop" (destroy, send "to nowhere") traffic entering the network by routing it to the special Null0 interface. This technology is recommended for use at the network boundary to discard DDoS attack traffic as it enters the network. The (significant) limitation of this method is that it applies to all traffic destined for the host or hosts that are the target of the attack. Thus, it can be used when a massive attack on one or more hosts causes problems not only for the attacked hosts but also for other subscribers and for the network operator's network as a whole.

Black holes can be controlled both manually and via the BGP protocol.

QoS Policy Propagation through BGP (QPPB)

QoS control via BGP (QPPB) allows priority policies to be managed for traffic destined for a specific autonomous system or block of IP addresses. This mechanism can be very useful for telecom operators and large enterprises, including for managing priority levels for unwanted traffic or traffic containing a DDoS attack.

Sink Holes

In some cases it is required not to discard traffic completely using black holes, but to divert it away from the main channels or resources for subsequent monitoring and analysis. This is what "tap channels", or sink holes, are for.

Sink holes are most often used in the following cases:

  • to divert and analyze traffic whose destination addresses belong to the address space of the network operator's network but are not actually in use (no equipment or users have been allocated to them); such traffic is a priori suspicious, as it often indicates an attempt to scan or penetrate your network by an attacker who has no detailed information about its structure;
  • to redirect traffic away from the target of the attack (a resource that actually operates in the operator's network) for monitoring and analysis.

DDoS protection using special means

The Cisco Clean Pipes concept: an industry standard

The modern concept of protection against DDoS attacks was developed (yes, yes, you won't be surprised! :)) by Cisco Systems. The concept developed by Cisco was named Cisco Clean Pipes ("purified channels"). The concept, developed almost 10 years ago, described in detail the basic principles and technologies of protection against anomalies in traffic, most of which are used today, including by other manufacturers.

The Cisco Clean Pipes concept proposes the following principles for detecting and suppressing DDoS attacks.

Points (network sites) are selected at which traffic is analyzed to identify anomalies. Depending on what we are protecting, such points may be the communication operator's peering connections with upstream operators, the connection points of downstream operators or subscribers, or the channels connecting data centers to the network.

Special detectors analyze traffic at these points, build (learn) a profile of the traffic in its normal state and, when a DDoS attack or anomaly appears, detect it, study it and dynamically form its characteristics. The information is then analyzed by the system operator, and the attack-suppression process is started in semi-automatic or automatic mode. Suppression consists of dynamically redirecting the traffic destined for the "victim" through a filtering device, which applies to this traffic filters formed by the detector and reflecting the individual character of this attack. The cleaned traffic is injected back into the network and sent to the recipient (hence the name Clean Pipes: the subscriber receives a "clean channel" that does not contain the attack).

Thus, the entire DDoS attack protection cycle includes the following main stages:

  • learning the reference characteristics of the traffic (profiling, Baseline Learning)
  • detecting attacks and anomalies (Detection)
  • redirecting traffic so that it passes through the cleaning device (Diversion)
  • filtering traffic to suppress the attack (Mitigation)
  • injecting traffic back into the network and sending it to the addressee (Injection).
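The detector's side of this cycle, as an added toy implementation that is not code from Cisco Clean Pipes or from Arbor: it learns a baseline of request rates, declares an anomaly on a sustained deviation, decides which destination to divert through the cleaning device, and derives a simple per-source filter for the mitigation stage. All rates, addresses and thresholds are constructed; a real cleaning device applies several filtering stages, of which only the per-source rate stage is shown.

```python
"""Added example, not code from Cisco Clean Pipes or Arbor: a toy detector that
learns a per-destination baseline of request rates (Baseline Learning), flags a
deviation (Detection), decides which destination to divert through the cleaning
device (Diversion) and builds a filter for it (Mitigation). All rates are constructed."""
from statistics import mean, pstdev

# Constructed requests-per-second towards one protected host during 20 normal
# seconds, as a flow collector might report them.
NORMAL = [100, 98, 103, 101, 97, 99, 102, 100, 104, 96,
          101, 99, 103, 100, 98, 102, 97, 101, 100, 99]
# The same host a few seconds later: a flood ramps up after the baseline window.
ATTACK = NORMAL + [105, 400, 1800, 2500, 2400]


def learn_baseline(samples):
    """Profiling phase: mean and standard deviation of the normal rate."""
    return mean(samples), pstdev(samples)


def detect(samples, baseline, k=3.0, consecutive=2):
    """Detection phase: index of the first of `consecutive` samples in a row
    above mean + k*stddev, or None if the traffic stays within its profile.
    Requiring consecutive hits keeps a single small spike from raising an alarm."""
    mu, sigma = baseline
    threshold = mu + k * max(sigma, 1.0)   # floor sigma so a flat baseline is not hair-trigger
    run = 0
    for i, value in enumerate(samples):
        run = run + 1 if value > threshold else 0
        if run == consecutive:
            return i - consecutive + 1
    return None


def diversion_decision(rates_by_dst, baselines_by_dst):
    """Diversion phase: only destinations that show an anomaly are redirected
    through the cleaning device; all other traffic keeps its normal path."""
    return sorted(dst for dst, samples in rates_by_dst.items()
                  if detect(samples, baselines_by_dst[dst]) is not None)


# Constructed per-source request counts seen during the anomalous window.
ATTACK_SOURCES = {"198.51.100.5": 3, "198.51.100.6": 2,
                  "192.0.2.77": 900, "192.0.2.78": 880, "192.0.2.79": 700}


def build_filter(per_source, typical_per_source=5, factor=10):
    """Mitigation phase (simplified): a dynamic filter listing sources whose rate
    is `factor` times the typical per-source rate, so ordinary users sending a
    few requests each are left alone."""
    return sorted(src for src, n in per_source.items() if n > typical_per_source * factor)


if __name__ == "__main__":
    base = learn_baseline(NORMAL)
    print("baseline mean/stddev:", base)
    print("anomaly starts at sample index:", detect(ATTACK, base))
    victims = diversion_decision({"203.0.113.10": ATTACK, "203.0.113.20": NORMAL},
                                 {"203.0.113.10": base, "203.0.113.20": base})
    print("divert:", victims, "filter sources:", build_filter(ATTACK_SOURCES))
```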

Essential features.
Two types of devices can be used as detectors:

  • detectors produced by Cisco Systems: Cisco Traffic Anomaly Detector Services Module service modules intended for installation in the Cisco 6500/7600 chassis;
  • detectors produced by Arbor Networks: Arbor Peakflow SP CP devices.

Below is a table comparing Cisco and Arbor detectors.

Receiving traffic information for analysis
  • Cisco Traffic Anomaly Detector: uses a copy of the traffic, taken on the Cisco 6500/7600 chassis
  • Arbor Peakflow SP CP: NetFlow data on traffic received from routers; the sampling rate can be adjusted (1:1, 1:1,000, 1:10,000, etc.)

Detection principles used
  • Cisco Traffic Anomaly Detector: signature analysis (misuse detection) and anomaly detection (dynamic profiling)
  • Arbor Peakflow SP CP: mainly anomaly detection; signature analysis is used, but the signatures are generic

Form factor
  • Cisco Traffic Anomaly Detector: service modules in the Cisco 6500/7600 chassis
  • Arbor Peakflow SP CP: separate devices (servers)

Performance
  • Cisco Traffic Anomaly Detector: analyzed traffic up to 2 Gbps
  • Arbor Peakflow SP CP: practically unlimited (the sampling rate can be reduced)

Scalability
  • Cisco Traffic Anomaly Detector: up to 4 Cisco Detector SM modules can be installed in one chassis (however, the modules act independently of each other)
  • Arbor Peakflow SP CP: several devices can be used within a single analysis system, one of which is assigned the status of leader

Traffic and routing monitoring
  • Cisco Traffic Anomaly Detector: functionality practically absent
  • Arbor Peakflow SP CP: very well developed functionality; many telecom operators buy Arbor Peakflow SP precisely for its deep and well-developed monitoring of traffic and routing in the network

Portal (individual interface for a subscriber to monitor only the part of the network that concerns it)
  • Cisco Traffic Anomaly Detector: not provided
  • Arbor Peakflow SP CP: provided; this is a serious advantage of the solution, since the communication operator can sell individual DDoS protection services to its subscribers

Compatible traffic cleaning devices (attack suppression)
  • Cisco Traffic Anomaly Detector: Cisco Guard Services Module
  • Arbor Peakflow SP CP: Arbor Peakflow SP TMS; Cisco Guard Services Module

Recommended usage scenarios
  • Cisco Traffic Anomaly Detector: protection of data centers at their connection to the Internet; monitoring of downstream connections of subscriber networks to the network operator's network
  • Arbor Peakflow SP CP: detection of attacks on the network operator's upstream connections to higher-level providers' networks; monitoring of the operator's backbone

The last row of the table shows the usage scenarios for the Cisco and Arbor detectors that Cisco Systems recommended. These scenarios are reflected in the following diagram.

As the Cisco traffic cleaning device, it is recommended to use the Cisco Guard service module, which is installed in the Cisco 6500/7600 chassis and, on a command received from the Cisco Detector or from Arbor Peakflow SP CP, performs dynamic redirection, cleaning and re-injection of traffic into the network. The redirection mechanisms are either BGP updates towards the upstream routers or direct commands to the supervisor using a proprietary protocol. When BGP updates are used, the upstream router is given a new NEXT_HOP value for the traffic containing the attack, so that this traffic lands on the cleaning server. At the same time, care must be taken that this information does not create a routing loop (so that the downstream router does not try to send the traffic back to the cleaning device when the cleaned traffic is injected). For this purpose, mechanisms for controlling the distribution of BGP updates by the Community parameter are used, or the cleaned traffic is injected through GRE tunnels.

This state of affairs lasted until Arbor Networks significantly expanded the Peakflow SP product line and entered the market with a completely independent DDoS protection solution.

The appearance of Arbor Peakflow SP TMS

A few years ago, Arbor Networks decided to develop its DDoS protection product line on its own, independently of the pace and policy of Cisco's development in this area. Peakflow SP CP solutions had fundamental advantages over Cisco Detector, as they analyze flow information with an adjustable sampling rate, which means there were no restrictions on their use in communication operators' networks and on backbone channels (as opposed to Cisco Detector, which analyzes a copy of the traffic). In addition, a serious advantage of Peakflow SP was the possibility for operators to sell subscribers individual services for monitoring and protecting their network segments.

For these and other reasons, Arbor has significantly expanded the Peakflow SP product line. A number of new devices appeared:

Peakflow SP TMS (Threat Management System): suppresses DDoS attacks by multi-stage filtering based on data obtained from Peakflow SP CP and from ASERT Lab, which is owned by Arbor Networks and monitors and analyzes DDoS attacks on the Internet;

Peakflow SP BI (Business Intelligence): devices that scale the system, increasing the number of logical objects that can be monitored and providing redundancy of the collected and analyzed data;

Peakflow SP PI (Portal Interface): devices that increase the number of subscribers who can be provided with an individual interface for managing their own security;

Peakflow SP FS (Flow Sensor): devices that monitor subscriber routers, connections to downstream networks and data centers.

The operating principles of the Arbor Peakflow SP system remained essentially the same as in Cisco Clean Pipes, but Arbor regularly develops and improves its systems, so at the moment the functionality of Arbor products is better than Cisco's in many respects, including performance.

Today the maximum performance of Cisco Guard modules is achieved by creating a cluster of 4 Guard modules in one Cisco 6500/7600 chassis, while full clustering of these devices is not implemented. At the same time, the top models of Arbor Peakflow SP TMS have a capacity of up to 10 Gbps and, in turn, can be clustered.

After Arbor began to position itself as an independent player in the DDoS attack detection and suppression market, Cisco began looking for a partner that would provide it with the necessary monitoring of flow data on network traffic without being a direct competitor. That company was Narus, which produces a flow-data-based monitoring system (NarusInsight) and entered into a partnership with Cisco Systems. However, this partnership did not develop seriously or gain market presence. Moreover, according to some reports, Cisco does not plan to invest in its Cisco Detector and Cisco Guard solutions, in effect leaving this niche to Arbor Networks.

Some features of Cisco and Arbor solutions

It is worth noting some features of Cisco and Arbor solutions.

  1. Cisco Guard can be used both together with the detector and independently. In the latter case it is installed in in-line mode and performs the functions of a detector, analyzing traffic and, if necessary, enabling filters and cleaning the traffic. The drawbacks of this mode are, first, that a potential point of failure is added and, second, that additional traffic delay is introduced (although it is small until the filtering mechanism is enabled). The recommended mode for Cisco Guard is to wait for a command to redirect the traffic containing the attack, filter it and inject it back into the network.
  2. Arbor Peakflow SP TMS devices can also work both in off-ramp mode and in in-line mode. In the first case the device passively waits for a command to redirect the traffic containing the attack, clean it and inject it back into the network. In the second, it passes all traffic through itself, produces ArborFlow data based on it and passes that data to Peakflow SP CP for analysis and attack detection. ArborFlow is a format similar to NetFlow, but improved by Arbor for its Peakflow SP systems. Traffic monitoring and attack detection are performed by Peakflow SP CP based on the ArborFlow data received from the TMS. When an attack is detected, the Peakflow SP CP operator gives the command to suppress it, after which the TMS enables the filters and cleans the traffic of the attack. Unlike Cisco's, the Peakflow SP TMS server cannot work independently; it requires a Peakflow SP CP server, which performs the traffic analysis.
  3. Today most specialists agree that the tasks of protecting local areas of the network (for example, the connection of a data center or of downstream networks)