
DDoS Attack Mitigation Best Practices

A distributed denial of service (DDoS) attack is a malicious network attack against a target system. A successful DDoS attack makes the victim's normally reachable services inaccessible to legitimate users, which is why it is called denial of service.

Common DDoS attacks fall into the following categories:

1. Network Layer Attacks

A typical example is a UDP reflection attack such as an NTP flood. Attacks of this type flood the victim's network links with large volumes of traffic, so that the victim's services can no longer respond to legitimate customer requests.

2. Transport Layer Attacks

Typical examples are SYN flood and connection-exhaustion attacks. Attacks of this type exhaust the server's connection table and connection pool resources until it can no longer accept new clients.

3. Session Layer Attacks

A typical example is the SSL/TLS connection attack, which exhausts the server's SSL session resources (handshake CPU and per-session state) to achieve denial of service.

4. Application Layer Attacks

Typical examples are DNS floods, HTTP floods (also known as CC attacks) and fake game-client attacks. These attacks occupy the server's application processing resources and heavily consume its computing resources, achieving denial of service with far less bandwidth than a network-layer attack.

DDoS Attack Mitigation Best Practices

LightNode users are advised to mitigate the threat of DDoS attacks in the following ways.

1. Reduce the risk of being attacked by narrowing the exposed surface and isolating resources and unrelated services

- Configure security groups: avoid exposing ports that the business does not need to the public network, so that requests unrelated to the business never reach the host. Properly configured security groups effectively prevent the system from being scanned or accidentally exposed.

- Use a Virtual Private Cloud (VPC): deploying on a VPC provides logical isolation inside the network, so that compromised hosts (bots) on the same internal network cannot attack your instances directly.

2. Optimize the business architecture and use the characteristics of the public cloud to design for elastic scaling and disaster-recovery switchover.

- Assess the architecture's performance methodically: before deployment or during operation, the technical team should stress test the business architecture to measure its throughput, and record the resulting technical parameters (for example, the bandwidth and request rate at which the service starts to degrade) to guide DDoS defense.

- Resilient and redundant architecture: avoid single points of failure in the business architecture through load balancing or a multi-site, multi-datacenter architecture.

- Deploy elastic scaling: Auto Scaling is a management service that automatically adjusts computing resources according to business load and user-defined policies. With elastic scaling the system can absorb session- and application-layer attacks by automatically adding servers while under attack, raising processing capacity and limiting the impact on the business. Scaling is a buffer rather than a cure: it also scales the bill, so combine it with rate limiting and a DDoS protection service.

- Optimize DNS resolution: intelligent (smart) resolution effectively reduces the risk posed by attacks on DNS traffic. It is also recommended to host your zones with more than one DNS provider. DNS resolution can be hardened in the following ways:

- Drop DNS response messages for which no request was sent

- Drop rapid retransmissions of the same query

- Set appropriate TTLs on records so that resolvers cache answers and fewer queries reach the authoritative servers

- Drop DNS queries and responses from unknown sources

- Drop unsolicited or burst DNS requests

- Enable DNS client authentication

- Cache response information

- Restrict who may query with ACLs

- Use ACLs, BCP38 (source address validation) and IP reputation features

- Provision spare bandwidth: use server performance testing to determine the bandwidth and request volume the business handles under normal conditions, and buy bandwidth with headroom above that. Without headroom, traffic that rises above normal during an attack saturates the link immediately and normal users are affected.
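The first DNS item above, dropping responses for which no request was sent, is what a resolver does when it keeps a table of outstanding queries and only accepts an answer that echoes back the server address, its own source port, the transaction ID and the question. The following is an added example, not LightNode code: the header layout follows RFC 1035, the question section is assumed uncompressed, and the addresses, ports and packets are constructed.

```python
"""Accept a DNS response only if it matches a query this resolver actually sent.

Added example, not LightNode code: a table of outstanding queries keyed on the
fields an honest answer must echo back (server address, our source port,
transaction ID, question name and type). Header layout is RFC 1035; the
traffic below is constructed and the question section is assumed uncompressed.
"""
import struct
import time

HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
QR = 0x8000                        # flags bit: 1 = response


def build_query(txid, qname, qtype=1):
    """Minimal query packet: header + one question (qclass IN)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query, txid=None):
    """Response for a query (answer records omitted; only header and question are checked)."""
    qid = HEADER.unpack_from(query)[0] if txid is None else txid
    return HEADER.pack(qid, 0x8180, 1, 0, 0, 0) + query[HEADER.size:]


def parse_question(pkt):
    """(txid, is_response, qname, qtype) from the header and the first question."""
    txid, flags, _qd, _an, _ns, _ar = HEADER.unpack_from(pkt)
    off, labels = HEADER.size, []
    while pkt[off]:                       # labels end with a zero-length label
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype, _qclass = struct.unpack_from("!HH", pkt, off + 1)
    return txid, bool(flags & QR), ".".join(labels).lower(), qtype


class ResponseFilter:
    """Tracks outstanding queries; any response that does not match one is dropped."""

    def __init__(self, timeout=2.0, clock=time.monotonic):
        self.pending = {}                 # (server, port, txid, qname, qtype) -> time sent
        self.timeout = timeout
        self.clock = clock
        self.dropped = {"not_a_response": 0, "unsolicited": 0, "late": 0}

    def _key(self, peer, port, pkt):
        txid, is_resp, qname, qtype = parse_question(pkt)
        return (peer, port, txid, qname, qtype), is_resp

    def sent(self, server, src_port, query):
        key, _ = self._key(server, src_port, query)
        self.pending[key] = self.clock()

    def accept(self, src, dst_port, pkt):
        """True only for a timely response to a query still in the table (each query once)."""
        key, is_resp = self._key(src, dst_port, pkt)
        if not is_resp:
            self.dropped["not_a_response"] += 1
            return False
        sent_at = self.pending.pop(key, None)   # pop: a replayed answer is unsolicited
        if sent_at is None:
            self.dropped["unsolicited"] += 1
            return False
        if self.clock() - sent_at > self.timeout:
            self.dropped["late"] += 1
            return False
        return True


if __name__ == "__main__":
    now = [100.0]                                  # fake clock for a deterministic demo
    f = ResponseFilter(timeout=2.0, clock=lambda: now[0])
    q = build_query(0x1A2B, "example.com")
    f.sent("198.51.100.53", 40123, q)
    print(f.accept("198.51.100.53", 40123, build_response(q, 0x1A2C)))  # forged txid
    print(f.accept("198.51.100.53", 40123, build_response(q)))          # genuine answer
    print(f.accept("198.51.100.53", 40123, build_response(q)))          # replay
    print(f.dropped)
```

The table only helps if the attacker cannot guess its keys, so the transaction ID and source port must be random per query (RFC 5452); the filter then rejects spoofed, replayed and stale answers and counts each class separately, which is a useful metric to alert on.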

3. Harden the server to improve its own capacity, such as the number of connections it can hold

Harden the operating system and the software services on the server to reduce the number of points that can be attacked and to raise the attacker's cost.

- Keep the server's system software at the latest version and apply system patches promptly.

- Audit all server hosts so that the origin of their visitors is known.

- Disable unnecessary services and close unneeded ports. For example, a web server should open only the ports it serves on (80 and, with HTTPS, 443) and close everything else, or enforce the same with a blocking policy on the firewall.

- Limit the number of SYN half-open connections held at the same time, shorten the half-open connection timeout, and rate-limit SYN and ICMP traffic (on Linux these are the tcp_syncookies, tcp_max_syn_backlog and tcp_synack_retries sysctls).

- Review the logs of network devices and server systems regularly. Abnormal entries, such as vulnerability probes or unexpected changes in timeouts, may mean the server is under attack.

- Restrict network file sharing outside the firewall to reduce the chance of an attacker reading system files; if an attacker could replace a shared file with a Trojan horse, the file transfer function itself would be compromised.

- Make full use of network devices to protect network resources. When configuring routers, consider policies for flow control, packet filtering, half-open connection timeouts, discarding junk packets, discarding packets with forged source addresses, SYN thresholds, and disabling ICMP and UDP broadcasts.

- Restrict new TCP connections from suspected malicious IPs and limit their connection and transmission rates with a software firewall such as iptables or nftables.
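The half-open connection limits, timeouts and source-address checks above map onto a handful of Linux sysctls, and the first check a practitioner wants is whether a host already has them. The following audit script is an added example, not LightNode tooling: the baseline values are this example's own assumptions for a typical Linux web server, it reads the live values from /proc/sys when they exist and otherwise falls back to a constructed sample of a stock configuration.

```python
"""Audit Linux kernel settings against the SYN/ICMP hardening advice in section 3.

Added example, not LightNode tooling. The baseline values are this example's
own assumptions for a typical Linux web server; adjust them to your workload.
"""
from pathlib import Path

# sysctl key -> (recommended value, how to compare, why it matters)
# "eq": must equal; "ge": must be at least; "le": must be at most.
BASELINE = {
    "net.ipv4.tcp_syncookies": ("1", "eq",
        "answer SYN floods with cookies instead of holding half-open state"),
    "net.ipv4.tcp_max_syn_backlog": ("4096", "ge",
        "room for legitimate half-open connections before cookies kick in"),
    "net.ipv4.tcp_synack_retries": ("2", "le",
        "fewer SYN-ACK retries, so half-open connections time out in seconds"),
    "net.ipv4.conf.all.rp_filter": ("1", "ge",
        "strict (1) or loose (2) reverse-path filtering drops forged-source packets"),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("1", "eq",
        "do not answer broadcast pings, so the host cannot amplify smurf traffic"),
}


def read_sysctl(key):
    """Current value from /proc/sys, or None when the key is absent (e.g. a non-Linux host)."""
    path = Path("/proc/sys", *key.split("."))
    try:
        return path.read_text().strip()
    except OSError:
        return None


def _satisfies(have, want, mode):
    try:
        h, w = int(have), int(want)
    except (TypeError, ValueError):       # missing key or non-numeric value never passes
        return False
    return {"eq": h == w, "ge": h >= w, "le": h <= w}[mode]


def audit(current):
    """Return (key, current, wanted, reason) for every baseline key that is missing or weak."""
    return [
        (key, current.get(key), want, why)
        for key, (want, mode, why) in BASELINE.items()
        if not _satisfies(current.get(key), want, mode)
    ]


def remediation(findings):
    """sysctl commands that fix the findings; persist them under /etc/sysctl.d/ once verified."""
    return [f"sysctl -w {key}={want}" for key, _have, want, _why in findings]


# Constructed sample resembling a stock configuration; used when /proc/sys is unavailable.
SAMPLE_WEAK = {
    "net.ipv4.tcp_syncookies": "0",
    "net.ipv4.tcp_max_syn_backlog": "128",
    "net.ipv4.tcp_synack_retries": "5",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}


def audit_host():
    """Audit the running kernel, or the constructed sample when /proc/sys is not available."""
    current = {key: read_sysctl(key) for key in BASELINE}
    if all(v is None for v in current.values()):
        current = SAMPLE_WEAK
    return audit(current)


if __name__ == "__main__":
    findings = audit_host()
    for key, have, want, why in findings:
        print(f"[!] {key}={have} (want {want}): {why}")
    for cmd in remediation(findings):
        print(cmd)
```

Lowering tcp_synack_retries is what "shorten the half-open timeout" means in practice: the kernel retransmits SYN-ACKs with exponential backoff, so five retries keep a half-open entry for roughly a minute while two drop it after a few seconds.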

4. Set up business monitoring and emergency response

- Watch the basic DDoS protection alerts: when your business suffers a DDoS attack, basic DDoS protection sends alerts by SMS and email by default, and for high-volume attacks also by telephone. Act on the alert as soon as you receive it.

- Cloud monitoring: the cloud monitoring service collects monitoring metrics for LightNode resources or user-defined metrics, checks service availability, and supports alerts on those metrics.

- Establish emergency response plans: based on the current technical architecture and staff, prepare emergency technical plans in advance, and where necessary run drills to test whether the plans are sound.
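A user-defined metric worth alerting on is the per-source request rate in the web server's own access log, because an HTTP flood shows up there before it shows up as bandwidth, and the sources it flags are exactly the "suspected malicious IPs" that section 3 says to restrict with a software firewall. The detector below is an added example, not LightNode's cloud monitoring product: the log lines, addresses, threshold, allowlist and the iptables rule set it prints are constructed for illustration and should be reviewed before use.

```python
"""Find sources that exceed a request rate in a web access log and render the
host-firewall rules section 3 recommends for suspected malicious IPs.

Added example, not LightNode's cloud monitoring. The log lines, addresses,
threshold and allowlist below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Nginx/Apache "combined" log format; only the fields this detector needs are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """(ip, timestamp, request line, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"], int(m["status"])


def flooders(lines, max_req, window_s, allow=()):
    """Map each source that exceeds max_req requests within any window_s seconds to its
    peak count. Lines are assumed to be in time order, as a log file is. Sources inside
    the allowlisted networks (health checks, CDN egress) are skipped."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(deque)   # ip -> timestamps inside the current sliding window
    peak = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, _req, _status = rec
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in allowed):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > max_req:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


def firewall_rules(flooder_ips, port=80, conn_limit=20, rate="30/second", burst=60):
    """iptables commands (assumed rule set, review before applying): drop the confirmed
    flooders, then cap per-source concurrent and new connections for everyone else."""
    rules = [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flooder_ips)]
    rules.append(
        f"iptables -A INPUT -p tcp --syn --dport {port} -m connlimit "
        f"--connlimit-above {conn_limit} -j DROP"
    )
    rules.append(
        f"iptables -A INPUT -p tcp --syn --dport {port} -m hashlimit --hashlimit-name http "
        f"--hashlimit-mode srcip --hashlimit-above {rate} --hashlimit-burst {burst} -j DROP"
    )
    return rules


def _line(ip, second, path):
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


def constructed_log():
    """Constructed minute of traffic: one flooder, one normal user, one health checker."""
    events = [(sec, "203.0.113.7", "/login") for sec in range(6) for _ in range(10)]    # 10 req/s for 6 s
    events += [(sec, "198.51.100.4", "/") for sec in range(0, 60, 10)]                 # 1 req per 10 s
    events += [(sec, "192.0.2.10", "/healthz") for sec in range(60) for _ in range(5)]  # 5 req/s, allowlisted
    events.sort(key=lambda e: e[0])
    return [_line(ip, sec, path) for sec, ip, path in events]


if __name__ == "__main__":
    found = flooders(constructed_log(), max_req=30, window_s=10, allow=["192.0.2.0/24"])
    for ip, n in found.items():
        print(f"{ip}: {n} requests in a 10 s window")
    print("\n".join(firewall_rules(found)))
```

The allowlist matters as much as the threshold: without it the health checker at 5 requests per second is flagged too, and blocking a monitoring or load-balancer address is a self-inflicted outage. The connlimit and hashlimit rules apply to every other source, so they cap a flood from addresses the log has not yet identified.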

5. Select appropriate business security solutions

- Web Application Firewall (WAF): for web applications facing attacks such as the common HTTP flood, a WAF provides effective defense against connection-layer, session-layer and application-layer attacks.

- DDoS native protection: provides cloud product IPs with shared full protection against DDoS attacks and takes effect immediately.

- DDoS advanced protection: for high-volume DDoS attacks, use a DDoS high-defense service.

- Game Shield: an industry solution for the DDoS and CC attacks common in the game industry. Compared with the high-defense IP service, Game Shield is more targeted, defends better against these attacks and costs less for game businesses.

Things that should be avoided

DDoS attacks are universally recognized as the industry's public enemy. A DDoS attack affects not only its target but also the stability of the service provider's network, causing losses to other customers' businesses on the same network.

The network is a shared environment that many parties must cooperate to keep stable. Some actions can affect the overall network and other tenants' networks, so please note the following:

- Avoid using LightNode products to build a DDoS protection platform.

- Avoid releasing instances while they are in a black-hole state (null-routed because of attack traffic).

- Avoid repeatedly replacing, unbinding or adding SLB IPs, elastic public IPs, NAT gateways and other IP products for servers in a black-hole state.

- Avoid defending by building IP pools or by spreading attack traffic across a large number of IPs.

- Avoid placing services that are under attack behind LightNode products that are not network security defense products.

- Avoid using multiple accounts to bypass the above rules.