Preface

DDoS attacks have been among the hardest attacks to defend against since they first appeared. In the past year alone, several large DDoS incidents have been eye-opening.

The event

In April 2016, attackers launched a DDoS attack against Blizzard Entertainment, taking Battle.net games such as World of Warcraft and Overwatch offline. In May 2016, hacker groups launched DDoS attacks on banking institutions around the world, bringing down central bank systems in Jordan, South Korea, Monaco and other countries. In September 2016, the French hosting company OVH was hit by a DDoS attack peaking at roughly 1 Tbps. In October 2016, the DNS provider Dyn was attacked, and many websites in North America became unreachable.

Almost without anyone noticing, DDoS has become rampant on the Internet.

Before we go through the history of attack and defense, let's look at how a DDoS attack actually works.

What is a DDoS attack?

DDoS stands for Distributed Denial of Service. A DDoS attack exhausts the network or system resources of the target so that its services are interrupted or stopped for a period of time, and normal users can no longer reach it. Attacks fall into two groups: bandwidth-consuming and resource-consuming. Bandwidth-consuming attacks include UDP floods, ICMP floods and similar volumetric attacks; resource-consuming attacks include CC attacks (Challenge Collapsar, i.e. HTTP request floods aimed at the application), SYN floods that fill the server's connection backlog, and other botnet-driven attacks. Each type calls for a different response. In day-to-day operations, however, the DDoS attacks we see are mostly bandwidth-consuming: the attacker sends massive volumes of UDP and SYN packets at your server so that its uplink is saturated with attack traffic and it can no longer serve anyone. An analogy: users reaching your server over the network are like guests arriving over a bridge. You could only afford a bridge with two lanes in each direction, and the attacker parks 100 large trucks on it to block your gate, so no real customer can get across to you.
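To make the bandwidth-versus-resource distinction concrete, here is an added example (not code from the original article) that takes a one-second sample of packet records and reports which category of flood it looks like. The packet records are constructed in the block; the three thresholds (link capacity in Mbps, SYNs per second, HTTP requests per second) are assumed values that would be tuned to a real link and server.

```python
"""Classify a one-second packet sample into the DDoS categories discussed above.

Added example, not from the original article. Packet records are constructed
here; in practice they would come from sFlow/NetFlow samples or a capture at
the data-center ingress.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str            # "udp", "icmp" or "tcp"
    length: int           # bytes on the wire
    tcp_flags: str = ""   # e.g. "S" for a bare SYN, "PA" for a data segment
    dst_port: int = 0


# Thresholds are assumed for this example; tune them to the real link and host.
BANDWIDTH_MBPS = 800.0   # above this the uplink itself is the bottleneck
SYN_PPS = 20_000         # bare SYNs/sec above which the TCP backlog fills
HTTP_RPS = 5_000         # HTTP requests/sec above which the application tier suffers


def summarize(packets, window_s):
    """Return (Mbps per protocol, packets/sec per counter) over window_s seconds."""
    bits = Counter()
    pps = Counter()
    for p in packets:
        bits[p.proto] += p.length * 8
        pps[p.proto] += 1
        if p.proto == "tcp" and p.tcp_flags == "S":
            pps["tcp_syn"] += 1            # connection-backlog pressure
        if p.proto == "tcp" and p.dst_port in (80, 443) and "P" in p.tcp_flags:
            pps["http_req"] += 1           # rough proxy for HTTP requests (CC attack)
    mbps = {k: v / window_s / 1e6 for k, v in bits.items()}
    rates = {k: v / window_s for k, v in pps.items()}
    return mbps, rates


def classify(packets, window_s=1.0):
    """Return a list of (category, attack_name, measured_rate) findings."""
    mbps, rates = summarize(packets, window_s)
    total_mbps = sum(mbps.values())
    findings = []
    if total_mbps > BANDWIDTH_MBPS:
        dominant = max(mbps, key=mbps.get)   # protocol carrying most of the bytes
        findings.append(("bandwidth", f"{dominant}-flood", round(total_mbps)))
    if rates.get("tcp_syn", 0) > SYN_PPS:
        findings.append(("resource", "syn-flood", int(rates["tcp_syn"])))
    if rates.get("http_req", 0) > HTTP_RPS:
        findings.append(("resource", "cc/http-flood", int(rates["http_req"])))
    return findings


def synth(proto, n, length, **kw):
    """Build n identical constructed packets for a test sample."""
    return [Pkt(proto, length, **kw) for _ in range(n)]


if __name__ == "__main__":
    # Constructed sample: a 1400-byte UDP flood mixed with ordinary HTTPS traffic.
    sample = synth("udp", 100_000, 1400, dst_port=53) + synth("tcp", 3_000, 600, tcp_flags="PA", dst_port=443)
    print(classify(sample))   # [('bandwidth', 'udp-flood', 1134)]
```

A SYN flood of small packets barely registers in Mbps but trips the SYN counter, which is why the text says the two categories need different responses: more bandwidth does nothing for a backlog exhausted by 60-byte packets.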

If you want your guests to keep coming, you have to widen the bridge so that free lanes remain for them. But bandwidth in China is sold by the three major carriers (China Telecom, China Unicom and China Mobile) and is very expensive, while the attacker uses compromised machines (a botnet) and pays far less per gigabit than you do. Upgrading bandwidth without limit is therefore not an option.

How did people resist DDoS attacks in the early days of the Internet?

DDoS is not new. Before black-hole routing existed, how was it handled? In the early Internet, data centers (IDCs) offered no protection and there was no black hole, so attack traffic put heavy pressure on servers and switches, causing congestion and instability and in some cases knocking servers over entirely. Many IDCs resorted to crude measures such as unplugging the victim's network cable. Later, some IDCs added scrubbing equipment at the data-center ingress to filter attack traffic, which greatly reduced the load on servers and internal switches. But the data center's capacity is itself limited: once the attack volume exceeds it, the ingress link is saturated and every server in the facility loses service to congestion.

Black-hole routing came later, but at first it too was configured at the data-center ingress, which only relieved pressure on the servers behind it. If the total attack volume exceeded the data center's capacity, the ingress was still saturated and the whole facility went down. At that point the attacker has effectively won and has no reason to continue, but if the attack does not stop just because the target is unreachable, the ingress remains at risk of congestion.

The next step was carrier-linked black holes layered on top of the data-center black hole. Under a heavy attack, the DDoS defense system asks the carrier to black-hole the target, so the traffic is discarded on the carrier's side before it ever reaches the data center's links.

Cloud platforms use the same black-hole technique widely to isolate an attacked customer, so that the data center and customers who are not under attack are unaffected. Cloud platforms also provide elastic, scalable compute and network resources, and by combining them customers can further reduce the impact of a DDoS attack.

How black-hole routing absorbs a DDoS attack

The flow of the most common black-hole defense is shown in the chart above. During an attack, the attacker gathers traffic from all over the world; it enters the carrier's backbone, flows down into the carrier's regional network, crosses the carrier's line into the cloud data center and finally reaches the cloud host. The defense runs in the opposite direction. The cloud provider signs an agreement with the carrier under which the carrier accepts black-hole routes announced by the provider, propagates them across its network, and discards traffic to the specified IP address as close to its ingress as possible. When the cloud provider detects attack traffic exceeding the free-defense threshold, its systems announce a special route for that IP address to the upstream carrier, and the carrier drops the traffic at the nearest black hole.
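The following added example (not code from the original article) models that exchange in miniature: a cloud-side detector that aggregates sampled flows per destination, the route it hands to the carrier, and a carrier edge that installs a discard route and drops traffic for the black-holed /32. It uses the well-known BLACKHOLE community from RFC 7999 (65535:666) and an RFC 5635-style discard next-hop; the 5 Gbps threshold, the prefixes, the next-hop address and the flow records are all constructed assumptions for the example.

```python
"""Remote-triggered black hole (RTBH) in miniature.

Added example, not the original article's code. Three parties are modelled:
the cloud provider's detector, the BGP-style update it announces, and the
carrier edge router that discards traffic for the black-holed host route.
"""
from collections import defaultdict
import ipaddress

# RFC 7999 well-known BLACKHOLE community; a carrier that honours it installs
# a discard route for the prefix near its ingress.
BLACKHOLE_COMMUNITY = "65535:666"
# RFC 5635-style next-hop that the carrier statically routes to Null0 (assumed value).
DISCARD_NEXT_HOP = "192.0.2.1"
# Per-IP free-mitigation threshold, assumed for this example.
FREE_DEFENSE_GBPS = 5.0


class CarrierEdge:
    """Minimal RIB: host routes whose next-hop is the discard interface."""

    def __init__(self):
        self.rib = {}
        self.forwarded = 0
        self.dropped = 0

    def receive_update(self, prefix, next_hop, communities):
        """Accept only /32 announcements carrying the blackhole community."""
        net = ipaddress.ip_network(prefix)
        if BLACKHOLE_COMMUNITY in communities and net.prefixlen == 32:
            self.rib[net] = next_hop
            return True
        return False   # anything broader could black-hole innocent neighbours

    def withdraw(self, prefix):
        """Customer withdraws the route once the attack subsides."""
        self.rib.pop(ipaddress.ip_network(prefix), None)

    def forward(self, dst_ip, nbytes):
        """Return True if the packet is forwarded, False if discarded."""
        if ipaddress.ip_network(f"{dst_ip}/32") in self.rib:
            self.dropped += nbytes
            return False
        self.forwarded += nbytes
        return True


class Detector:
    """Cloud side: aggregate sampled flows per destination and trigger RTBH."""

    def __init__(self, carrier, threshold_gbps=FREE_DEFENSE_GBPS):
        self.carrier = carrier
        self.threshold_bps = threshold_gbps * 1e9
        self.blackholed = set()

    def observe(self, flows, window_s):
        """flows: iterable of (dst_ip, bytes) seen in window_s seconds.
        Announces a black-hole route for each destination above threshold
        and returns the list of newly black-holed IPs."""
        bytes_per_dst = defaultdict(int)
        for dst, n in flows:
            bytes_per_dst[dst] += n
        triggered = []
        for dst, n in bytes_per_dst.items():
            bps = n * 8 / window_s
            if bps > self.threshold_bps and dst not in self.blackholed:
                self.carrier.receive_update(f"{dst}/32", DISCARD_NEXT_HOP, [BLACKHOLE_COMMUNITY])
                self.blackholed.add(dst)
                triggered.append(dst)
        return triggered


def run_scenario():
    """Constructed scenario: 8 Gbps at one host, 0.1 Gbps at a neighbour."""
    carrier = CarrierEdge()
    det = Detector(carrier)
    flows = [("203.0.113.10", 1_000_000_000), ("203.0.113.20", 12_500_000)]
    victims = det.observe(flows, window_s=1.0)
    # Next second: victim traffic is dropped at the carrier, the neighbour is untouched.
    victim_ok = carrier.forward("203.0.113.10", 1500)
    neighbour_ok = carrier.forward("203.0.113.20", 1500)
    return victims, victim_ok, neighbour_ok


if __name__ == "__main__":
    print(run_scenario())   # (['203.0.113.10'], False, True)
```

On a real carrier router the `receive_update` check corresponds to an import policy that matches community 65535:666 on customer /32s and rewrites the next-hop to an address statically routed to Null0; the `prefixlen == 32` guard matters because accepting a wider prefix would let a customer (or a compromised automation account) black-hole addresses it does not own. Note that from the victim's point of view the black hole is itself a complete outage for that IP; it protects the data center and the neighbours, not the attacked host.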

Why won't hosting providers absorb unlimited attacks for you?

Generally a provider will absorb a small amount of attack traffic for you, because much of it is probing or scanning rather than a real attack, and throwing a customer into a black hole every time would make for a terrible experience. DDoS is a common enemy, and most cloud platforms do their best to protect customers from the majority of attacks for free, sharing the risk with them. But when you are hit by a large-scale DDoS attack, you are not the only victim: the entire data center and cluster are affected and the stability of every service is at stake. And as noted above, these are bandwidth-consuming attacks, and the only cure for a bandwidth-consuming attack is more bandwidth. Bandwidth is the data center's largest cost. It is bought from carriers such as China Telecom, China Unicom and China Mobile, who bill by bandwidth used; the carriers do not scrub DDoS traffic but count it toward the bill, so the data center ends up paying for the attack. If you are not paying for that capacity, the data center's only option is to drop your server into a black hole.

When your host is attacked, how does your provider handle it?

With everyone moving to the cloud, we have summarized the black-hole policies of several cloud providers on the market so you can compare them.

AWS

AWS Shield provides DDoS protection for AWS customers. It comes in a free Standard tier and a paid Advanced tier. Shield Standard automatically mitigates common network- and transport-layer attacks but offers no guarantee, and under a large enough attack a public IP address may still be blocked. Shield Advanced costs around US$3,000 per month.

Azure

Azure provides a free basic anti-DDoS service but makes no promise of protection. If the attack is intense enough to affect the platform itself, the public IP address may be blocked.

Ali cloud

Alibaba Cloud's Cloud Shield (Anti-DDoS) service gives customers DDoS mitigation. Within its cost limits, Alibaba Cloud defends customers for free; when an attack exceeds the threshold, the attacked IP is black-holed. The free protection covers up to 5 Gbps of malicious traffic. The terms are described on the sales page of each product (ECS, SLB, EIP, etc.), and the limits of the service are explained in the help documentation.

Tencent cloud

Tencent Cloud also provides free DDoS defense. Its stated threshold is that when the attack peak exceeds 2 Gbps, the IP address is blocked (thrown into a black hole), normally for 2 hours.

Ordinary IDC

Most ordinary IDCs offer no defense capability at all. If an attack occurs, the network cable may simply be unplugged.

How to use the power of cloud computing against DDoS attacks

By using cloud capabilities sensibly, we can keep the damage from an attack as small as possible:

1. Make full use of the cloud platform's elastic, scalable resources. A scalable architecture that avoids exhausting a single IP or a single machine's CPU mitigates the impact of a DDoS attack and improves reliability.
2. Reduce the attack surface. Separate the application layer from the data layer and the network access layer from the service layer, and use the provider's managed database, storage, load balancing and network products so that no single component is the obvious target.
3. Choose an appropriate DDoS defense solution and defend proactively against likely attacks.
4. Prepare an anti-DDoS runbook so you can respond and execute it immediately when an attack starts.