What is what and who is who in the DDoS protection market

“The boy who made the site for us already set up DDoS protection.”
“We have DDoS protection, why did the site go down?”
“How many thousands does Qrator want?”

To answer such questions from a customer or boss properly, it helps to know what hides behind the words "DDoS protection". Choosing a protection service is more like a doctor choosing a medicine than choosing a table at IKEA.

I have been supporting websites for 11 years, I have lived through hundreds of attacks on the services I support, and now I will talk a little about the inner workings of protection.
Regular attacks. 350k req total, 52k req legitimate

The first attacks appeared almost simultaneously with the Internet. DDoS as a phenomenon has become massive since the late 2000s (see www.cloudflare.com/learning/ddos/famous-ddos-attacks).
Since about 2015-2016, almost all hosting providers have put themselves under DDoS protection, as have most of the notable sites in competitive niches (run whois on the IPs of eldorado.ru, leroymerlin.ru, tilda.ws and you will see the networks of the protection operators).

If 10-20 years ago most attacks could be repelled on the server itself (see the recommendations of the Lenta.ru system administrator Maxim Moshkov from the 90s: lib.ru/WEBMASTER/sowetywww2.txt_with-big-pictures.html#10), the task of protection has since become much harder.

Types of DDoS attacks in terms of choosing a protection operator

Attacks at the L3 / L4 level (according to the OSI model)

- UDP flood from a botnet (many requests are sent directly from infected devices to the attacked service; the channel to the servers is flooded);
- DNS/NTP/etc amplification (many requests are sent from infected devices to vulnerable DNS/NTP/etc servers with a forged sender address, and a cloud of response packets floods the channel of the one being attacked; this is how the most massive attacks on the modern Internet are carried out);
- SYN/ACK flood (many connection-establishment requests are sent to the attacked servers, and the connection queue overflows);
- packet fragmentation attacks, ping of death, ping flood (google plz);
- and so on.

These attacks aim to "fill up" the channel to the server or "kill" its ability to accept new traffic.
Although SYN/ACK flooding and amplification are very different, many companies deal with them equally well. Problems arise with attacks from the following group.
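As an added example (not from the original article), the following script classifies constructed NetFlow-style flow records into the L3/L4 categories above: reflection/amplification (UDP replies from well-known reflector ports with a large bytes-per-packet ratio), SYN flood (SYN-only TCP flows from many sources) and direct UDP flood from a botnet. The record layout, the reflector-port table and the thresholds are assumptions chosen for illustration; real detection equipment works on sampled flows and much richer signals.

```python
"""Classify simplified L3/L4 flow records by attack type.

Added example, not from the original article. The flow tuple layout,
the reflector-port table and the thresholds are assumptions.
"""
from collections import defaultdict

# UDP services commonly abused for reflection/amplification (illustrative list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "chargen", 1900: "SSDP", 11211: "memcached"}

# Constructed sample flows:
# (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, packets, bytes)
SAMPLE_FLOWS = [
    # DNS amplification: replies from several open resolvers, source port 53, big packets
    ("198.51.100.10", 53, "203.0.113.5", 4455, "udp", "", 400, 1_600_000),
    ("198.51.100.11", 53, "203.0.113.5", 4455, "udp", "", 380, 1_520_000),
    ("198.51.100.12", 53, "203.0.113.5", 4455, "udp", "", 410, 1_640_000),
    # NTP amplification from one reflector
    ("192.0.2.77", 123, "203.0.113.5", 4455, "udp", "", 300, 1_380_000),
    # SYN flood: SYN-only flows from many (spoofed) sources, tiny packets
    *[(f"10.{i}.{i}.{i}", 40000 + i, "203.0.113.5", 443, "tcp", "S", 50, 3000)
      for i in range(1, 31)],
    # Legitimate TCP sessions: full handshakes, moderate sizes
    ("203.0.113.200", 51234, "203.0.113.5", 443, "tcp", "SPA", 120, 90_000),
    ("203.0.113.201", 51235, "203.0.113.5", 443, "tcp", "SPA", 95, 70_000),
    # Direct UDP flood from a botnet: random high source ports, not reflector ports
    *[(f"172.16.{i}.9", 20000 + i, "203.0.113.5", 9999, "udp", "", 200, 240_000)
      for i in range(1, 21)],
]


def classify_flows(flows, syn_src_threshold=20, udp_src_threshold=10, amp_min_bpp=1000):
    """Return a summary dict keyed by attack category.

    Source counts are a weak signal for SYN and UDP floods because the
    sources may be spoofed; they are used here only as a volume indicator.
    """
    syn_srcs, syn_bytes = set(), 0
    amp = defaultdict(lambda: {"sources": set(), "bytes": 0})
    udp_srcs, udp_bytes = set(), 0
    legit_bytes = 0

    for src, sport, _dst, _dport, proto, flags, pkts, nbytes in flows:
        if proto == "tcp" and flags == "S":
            # Connection attempts that never complete the handshake.
            syn_srcs.add(src)
            syn_bytes += nbytes
        elif proto == "udp" and sport in REFLECTOR_PORTS and nbytes / pkts >= amp_min_bpp:
            # Large replies from a reflector port: the victim never asked for them.
            name = REFLECTOR_PORTS[sport]
            amp[name]["sources"].add(src)
            amp[name]["bytes"] += nbytes
        elif proto == "udp":
            udp_srcs.add(src)
            udp_bytes += nbytes
        else:
            legit_bytes += nbytes

    result = {}
    if len(syn_srcs) >= syn_src_threshold:
        result["syn_flood"] = {"sources": len(syn_srcs), "bytes": syn_bytes}
    for name, info in amp.items():
        result[f"{name.lower()}_amplification"] = {
            "sources": len(info["sources"]), "bytes": info["bytes"]}
    if len(udp_srcs) >= udp_src_threshold:
        result["udp_flood"] = {"sources": len(udp_srcs), "bytes": udp_bytes}
    result["legitimate_bytes"] = legit_bytes
    return result


if __name__ == "__main__":
    for category, info in classify_flows(SAMPLE_FLOWS).items():
        print(category, info)
```

The split mirrors why the article treats amplification and SYN flood differently: amplification is recognised by where the packets come from (reflector ports, oversized replies) and is answered with channel capacity and coarse filtering, while a SYN flood is recognised by connection state (handshakes that never complete) and needs stateful cleaning equipment.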

Attacks on L7 (Application Layer)

- http flood (if a website or some http API is attacked);
- an attack on vulnerable parts of the site (pages without caching, pages that load the site very heavily, etc.).

The goal is to make the server "work hard", process a lot of "seemingly real requests" and be left without resources for real requests.
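The two L7 variants above look different in an access log: an http flood is a raw request rate, while an attack on an uncached, expensive page can stay below any request-rate limit and still exhaust the server. The following added example (not code from the article) scores constructed nginx access-log lines per client IP in fixed time windows on both counts, and then reports the total-vs-legitimate split that the report screenshots in this article show. The log lines, the per-path cost table and the thresholds are all assumptions.

```python
"""Score nginx access-log lines for HTTP flood and heavy-endpoint abuse.

Added example, not from the original article. The sample log lines, the
per-path cost table and all thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Relative server cost of an endpoint: cached pages are cheap, an uncached
# search that hits the database is expensive (assumed values).
PATH_COST = {"/": 1, "/search": 25, "/cart": 5}
STATIC_COST = 0.1
DEFAULT_COST = 2


def path_cost(path):
    """Cost of a request path, ignoring the query string."""
    base = path.split("?", 1)[0]
    if base.startswith("/static/"):
        return STATIC_COST
    return PATH_COST.get(base, DEFAULT_COST)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def score_clients(lines, window_s=10, rate_limit=30, cost_limit=200):
    """Flag IPs that exceed the request-rate or the cost budget in any window.

    Returns {"flagged": {ip: reason}, "total_requests": n, "legitimate_requests": m}.
    """
    per_bucket = defaultdict(lambda: [0, 0.0])  # (ip, window) -> [requests, cost]
    per_ip_total = defaultdict(int)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable lines are skipped, not counted
        total += 1
        per_ip_total[rec["ip"]] += 1
        key = (rec["ip"], int(rec["ts"].timestamp() // window_s))
        per_bucket[key][0] += 1
        per_bucket[key][1] += path_cost(rec["path"])

    flagged = {}
    for (ip, _window), (n, cost) in per_bucket.items():
        if n > rate_limit:
            flagged[ip] = "rate"        # classic http flood
        elif cost > cost_limit:
            flagged.setdefault(ip, "cost")  # few requests, but all to expensive pages
    legit = sum(n for ip, n in per_ip_total.items() if ip not in flagged)
    return {"flagged": flagged, "total_requests": total, "legitimate_requests": legit}


def _line(ip, ts, path, ua="Mozilla/5.0"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample log: a flood client, a slow client hammering /search,
# one ordinary visitor and one garbage line.
T0 = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(60):  # 60 requests in under 5 seconds
    SAMPLE_LOG.append(_line("203.0.113.66", T0 + timedelta(milliseconds=80 * i), "/",
                            "python-requests/2.31"))
for i in range(12):  # only 12 requests, but every one hits the uncached search
    SAMPLE_LOG.append(_line("198.51.100.9", T0 + timedelta(milliseconds=800 * i),
                            f"/search?q=term{i}"))
for i, p in enumerate(["/", "/static/app.js", "/static/app.css", "/search?q=shoes",
                       "/cart", "/", "/static/logo.png", "/"]):
    SAMPLE_LOG.append(_line("192.0.2.10", T0 + timedelta(seconds=i), p))
SAMPLE_LOG.append("garbage line that does not parse")

if __name__ == "__main__":
    print(score_clients(SAMPLE_LOG))
```

The cost table is the part that has to be tuned per application, which is exactly why the article says L7 protection cannot be bought off the shelf: a threshold that is right for a cached landing page is wrong for a search endpoint, and only someone who knows the application can say which is which.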

Although there are other attacks, these are the most common.

Serious L7 attacks are crafted individually for each attacked project.

Why 2 groups?
Because there are many who are good at repelling L3/L4 attacks but either do not take on application-level (L7) protection at all, or are still weaker at it than the alternatives.

Who's Who in the DDoS Protection Market

(my personal view)

L3/L4 protection

To repel amplification attacks ("clogging" the server's channel), wide channels are enough (many protection services connect to most of the large backbone providers in Russia and have channels with a theoretical capacity of more than 1 Tbit). Keep in mind that amplification attacks lasting longer than an hour are very rare. If you are Spamhaus and nobody likes you, then yes, they may try to shut down your channels for several days, even at the risk of the survival of the global botnet being used. If you just have an online store, even if it is mvideo.ru, you will not see 1 Tbit for several days any time soon (I hope).

To repel SYN/ACK flood and packet fragmentation attacks you do, of course, need equipment or software systems that detect and cut off such attacks.
Many vendors produce such equipment (Arbor; there are solutions from Cisco and Huawei, software implementations from Wanguard, etc.). Many backbone operators have already installed it and sell DDoS protection services (I know of installations at Rostelecom, Megafon, TTK and MTS, in fact at all major providers; hosters do the same with their own protection a la OVH.com and Hetzner.de; I myself encountered such protection at ihor.ru). Some companies develop their own software solutions (technologies like DPDK allow processing tens of gigabits of traffic on one physical x86 machine).

Of the well-known players, everyone is able to repel L3/L4 DDoS more or less effectively. I won't say now who has the largest maximum channel capacity (that is insider information), but usually it is not so important; the difference is rather how quickly the protection kicks in (instantly, or after a few minutes of project downtime, as at Hetzner).
The question is how well this is done: an amplification attack can be repelled by blocking traffic from the countries that send the most harmful traffic, or by discarding only the traffic that is really unnecessary.
But at the same time, in my experience, all serious market players cope with this without problems: Qrator, DDoS-Guard, Kaspersky, G-Core Labs (formerly SkyParkCDN), ServicePipe, Stormwall, Voxility, etc.
I have not come across protection from operators such as Rostelecom, Megafon, TTK and Beeline; according to colleagues, they provide these services with sufficient quality, but so far their lack of experience periodically shows: sometimes something has to be tweaked through the protection operator's support.
Some operators offer a separate service, "protection against attacks at the L3/L4 level" or "channel protection", which costs much less than protection at all levels.

But how can a protection operator that is not itself a backbone provider repel attacks of hundreds of Gbps when it has no channels of its own? It can connect to any of the major providers and repel attacks "at their expense". You will have to pay for the channel, but since all those hundreds of Gbps will not be in use all the time, there are options for significantly reducing the cost of channels in this case, so the scheme remains workable.
These are the reports I regularly received from the upstream L3/L4 protection while supporting a hosting provider's systems.

L7 protection (application layer)

Only a handful of operators are able to repel attacks at the L7 level (application level) consistently and effectively.
I have enough real experience with:
- Qrator.net;
- DDoS-Guard;
- G-Core Labs;
- Kaspersky.

They charge for each megabit of clean traffic, and a megabit costs about several thousand rubles. If you have at least 100 Mbps of clean traffic, well, protection will be very expensive. In later articles I can tell how to design applications so as to save substantially on the capacity of protection channels.
The real "king of the hill" is Qrator.net; the rest lag behind. So far Qrator is the only one in my practice that gives a false-positive rate close to zero, but at the same time they are several times more expensive than the other market players.

Other operators also provide high-quality and stable protection. Many services we support (including very famous ones in the country!) are protected by DDoS-Guard, G-Core Labs, and are quite satisfied with the result.
Attacks repelled by Qrator

I also have experience with small protection operators like cloud-shield.ru and ddosa.net; there are thousands of them. I definitely won't recommend any, since my experience with them is limited, but I'll describe how they work. Their cost of protection is often 1-2 orders of magnitude lower than that of the major players. As a rule, they buy a partial protection service (L3/L4) from one of the larger players and build their own protection against attacks at higher levels on top of it. This can be quite effective, and you can get a good service for less money, but keep in mind that these are still small companies with a small staff.

What is the difficulty of repelling attacks at the L7 level?

Every application is unique, and you need to let through the traffic that is useful for it and block the harmful traffic. It is not always possible to weed out bots unambiguously, so you have to use many, really MANY, levels of traffic cleaning.

At one time the nginx testcookie module (https://github.com/kyprizel/testcookie-nginx-module) was enough, and it is still enough to repel a large share of attacks. When I worked in hosting, L7 protection was built simply on nginx-testcookie.
Alas, attacks have become more sophisticated. testcookie relies on JS-based bot checks, and many modern bots can pass them successfully.
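To make the previous two paragraphs concrete, here is an added example of a testcookie-style gate written for this article (it is not the module's own code): the first request from a client gets a small page whose script sets a cookie and reloads, and only requests that present a cookie bound to the client's IP and the current day are passed to the application. The cookie name, the secret and the simulated client behaviours are assumptions; the real module can additionally obfuscate the cookie value in the JS, but the principle, and the limitation that any bot which executes JS passes, is the same.

```python
"""testcookie-style JS challenge gate (added example, not the module's code).

Assumptions: the cookie name, the secret and the modelled client behaviours
are constructed for this illustration.
"""
import hashlib
import hmac
from datetime import datetime, timezone

COOKIE_NAME = "__test"  # assumed cookie name


def challenge_value(client_ip, secret, day=None):
    """HMAC bound to the client IP and the UTC day.

    A value copied from another client, or replayed the next day, does not
    verify, so the server never has to store issued tokens.
    """
    day = day or datetime.now(timezone.utc).strftime("%Y-%m-%d")
    return hmac.new(secret, f"{client_ip}|{day}".encode(), hashlib.sha256).hexdigest()


def gate(client_ip, cookies, secret, day=None):
    """Return ("pass", None) or ("challenge", html_page).

    The html page is what a JS-capable browser would execute: it sets the
    cookie and reloads, after which the second request passes.
    """
    expected = challenge_value(client_ip, secret, day)
    presented = cookies.get(COOKIE_NAME, "")
    if hmac.compare_digest(presented, expected):
        return "pass", None
    html = (f'<script>document.cookie="{COOKIE_NAME}={expected}; path=/"; '
            f'location.reload()</script>')
    return "challenge", html


def simulate(client_ip, secret, executes_js, day="2024-01-01"):
    """Model two consecutive requests from one client; return the verdicts.

    executes_js=True models a browser or a headless-browser bot: it runs the
    script, so the cookie is present on the second request. executes_js=False
    models a plain flood tool that only replays HTTP requests.
    """
    cookies = {}
    verdicts = []
    for _ in range(2):
        verdict, html = gate(client_ip, cookies, secret, day)
        verdicts.append(verdict)
        if verdict == "challenge" and executes_js:
            # Stand-in for the browser running document.cookie = "...".
            cookies[COOKIE_NAME] = html.split(f"{COOKIE_NAME}=", 1)[1].split(";", 1)[0]
    return verdicts


if __name__ == "__main__":
    key = b"constructed-secret"
    print("browser:", simulate("203.0.113.10", key, executes_js=True))
    print("dumb bot:", simulate("203.0.113.10", key, executes_js=False))
```

The gate only measures whether the client executes JavaScript, which is why a flood tool that just replays HTTP requests is cut off at zero cost to the application, while a bot driving a real browser engine is indistinguishable from a visitor at this layer and has to be caught by other levels of filtering.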

Attack botnets are also unique, and each major botnet has to be taken into account.
Amplification, direct flood from a botnet, traffic from different countries (with different filtering for each), SYN/ACK flood, packet fragmentation, ICMP, http flood, and at the application/http level one can come up with an unlimited number of different attacks.
In total, across channel protection, specialized traffic-cleaning equipment, special software and additional filtering settings for each client, there can be tens or hundreds of filtering levels.
To manage all this properly and tune the filtering settings correctly for different clients, you need a lot of experience and qualified staff. Even a major operator that decides to offer protection services cannot "just throw money at the problem": the experience has to be gained on downed sites and on false positives on legitimate traffic.
There is no "repel DDoS" button for the protection operator; there is a large number of tools, and you need to know how to use them.

And one more bonus example.
The server without protection was blocked by the hoster during an attack of 600 Mbps.
(The "disappearance" of traffic is not noticeable because only one site was attacked; it was temporarily removed from the server and the block was lifted within an hour.)
The same server is protected. The attackers “surrendered” after a day of repulsed attacks. The attack itself was not the strongest.

L3/L4 attacks and defense are more routine, depending mainly on channel capacity, detection algorithms and attack filtering.
L7 attacks are more complex and original; they depend on the attacked application and on the capabilities and imagination of the attackers. Protecting against them requires a lot of knowledge and experience, and the result may not come immediately or be one hundred percent. At least until Google comes up with yet another neural network for protection.

Source: habr.com
