
Author: Chen Guo, Tencent DDoS security expert and Tencent Cloud game security expert

0x00 Introduction

Tencent Cloud recently defended against a hybrid DDoS attack targeting a game business hosted on the cloud. The attack lasted 31 minutes and peaked at 194Gbps. Attack traffic at this level is not especially eye-catching today, but during a detailed review of the attack methods, Tencent Cloud game security experts found that the mixed attack traffic included a reflection attack launched over TCP, which is extremely rare on the live network.

As is well known, the reflection attacks favored by attackers on the live network are all based on UDP, whether traditional NTP, DNS and SSDP reflection, Memcached reflection, or IPMI reflection. This attack used a new approach: a reflection attack launched over TCP. This article gives a brief analysis and interpretation of this kind of attack and shares protection suggestions for the Internet and game industries.

0x01 Attack Method Analysis

This attack was a mixture of common DDoS attacks, such as SYN flood, RST flood and ICMP flood, with a peak of 194Gbps. However, mixed among them were 1.98Gbps / 1,940,000 pps (194 万pps) of SYN/ACK packets, which attracted the researchers' attention.

First, the SYN/ACK source ports clustered on common TCP ports 80, 8080, 23, 22 and 443, and the destination port was the attacked service port, 80. (Normally, when a client accesses a service, its source port is a random port above 1024.)

In addition, the researchers found that the SYN/ACK packets from these source IP addresses showed TCP stack timeout-retransmission behavior. They therefore judged that this was most likely a TCP reflection attack launched over the TCP protocol, rather than a TCP DDoS with randomly forged source addresses.

Statistical analysis: a total of 912,726 attack sources were collected during the attack. Port scanning confirmed that sources with open TCP ports 23/80/443/8080/3389/81/1900/21/22 accounted for more than 95%, making it clear that this was a reflection attack using TCP servers on the public network. The port liveness of the attack source IP addresses is as follows:

Note: a single IP address may have several live ports, so the port percentages add up to more than 100%.

Based on the source IP addresses, almost all attack sources were in China, accounting for more than 99.9% of the total. The distribution of source countries is as follows:

Within China, source IP addresses were spread across almost all provinces and cities. The top three were Guangdong (16.9%), Jiangsu (12.5%) and Shanghai (8.8%).

By attack source type, IDC servers accounted for 58%, while IoT devices and PCs accounted for 36% and 6% respectively. The attack sources were mainly IDC servers.

0x02 TCP Reflection Attack

Similar to the roadmap of a UDP reflection attack, an attacker launches a TCP reflection attack as follows:

1. The attacker spoofs the IP address of the target server and sends connection requests (SYN packets) to TCP servers on the public network.

2. On receiving the request, each TCP server returns a SYN/ACK packet to the target server. The target server thus receives a large number of SYN/ACK packets that belong to no connection it initiated.

Some readers may wonder: the reflected SYN/ACK packets are no larger than the original SYN packets, so there is no amplification; why would attackers use this method? In fact, the severity of this attack lies not in whether the traffic is amplified but in the following three points:

1. With TCP reflection, an attacker turns attack traffic into traffic from real IP addresses, which traditional reverse-challenge defense technology cannot effectively stop.

2. The reflected SYN/ACK packets carry genuine protocol-stack behavior, which makes them harder for a defense system to identify and filter and increases the chance that attack traffic passes through.

3. The attack is launched from public-network servers, so it is closer to legitimate service traffic; mixed with other TCP attacks, it is better hidden.

Therefore, compared with a traditional TCP attack with forged sources, a TCP reflection attack is more covert and harder to defend against.
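The two sections above give a defender everything needed to tell reflected SYN/ACKs apart from both normal traffic and a plain spoofed-source SYN/ACK flood: the packets are SYN/ACKs, they arrive at the service port rather than an ephemeral port, their source ports sit on well-known service ports, and the reflectors' real TCP stacks retransmit the same SYN/ACK because the spoofed "client" never answers. The following is an added example written for this article, not Tencent Cloud's or Aegis's own code. It runs that classification over constructed packet records; the `Pkt` type, its field names, the `SERVICE_PORTS` set (copied from the ports listed in the analysis above) and the sample addresses are this example's assumptions.

```python
"""Flag TCP-reflection SYN/ACK traffic in packet records.

Added example for this article, not Tencent Cloud's own code. The records
are constructed in build_sample(); the Pkt type and its field names are
this example's assumptions, standing in for what a capture or flow export
would provide.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10

# Ports the article saw open on the reflectors (assumption: copied from the
# port list in the analysis section).
SERVICE_PORTS = {21, 22, 23, 80, 81, 443, 1900, 3389, 8080}


@dataclass(frozen=True)
class Pkt:
    ts: float   # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int  # TCP flag bits
    seq: int    # TCP sequence number


def is_reflected_synack(p: Pkt, service_port: int) -> bool:
    """A SYN/ACK addressed to our *listening* port from a well-known service
    port should never occur: clients connect from ephemeral ports (>1024), and
    SYN/ACKs for our own outbound connections land on our ephemeral ports."""
    return ((p.flags & (SYN | ACK)) == (SYN | ACK)
            and p.dport == service_port
            and p.sport in SERVICE_PORTS)


def analyze(pkts, service_port, min_reflectors=2, min_retrans_ratio=0.5):
    """Summarise suspect SYN/ACKs and decide whether they look reflected.

    A spoofed-source flood fabricates a fresh packet each time; a real TCP
    stack that never receives an ACK re-sends the *same* SYN/ACK (same
    4-tuple, same seq) at growing intervals. That retransmission is the
    tell-tale the article relies on."""
    suspects = [p for p in pkts if is_reflected_synack(p, service_port)]
    copies = defaultdict(list)  # (src, sport, dst, dport, seq) -> timestamps
    for p in suspects:
        copies[(p.src, p.sport, p.dst, p.dport, p.seq)].append(p.ts)
    reflectors = {p.src for p in suspects}
    retransmitting = {k[0] for k, ts in copies.items() if len(ts) >= 2}
    ratio = len(retransmitting) / len(reflectors) if reflectors else 0.0
    return {
        "suspect_packets": len(suspects),
        "reflectors": sorted(reflectors),
        "retransmitting_reflectors": sorted(retransmitting),
        "sport_histogram": dict(Counter(p.sport for p in suspects)),
        "reflection_suspected": (len(reflectors) >= min_reflectors
                                 and ratio >= min_retrans_ratio),
    }


def build_sample():
    """Constructed traffic toward a web server at 198.51.100.10:80."""
    victim = "198.51.100.10"
    pkts = []
    # Three reflectors, each re-sending the same SYN/ACK with exponential
    # backoff (0, 1, 3, 7 s) because the spoofed SYN's "sender" never ACKs.
    for src, sport, seq in (("203.0.113.10", 80, 1000),
                            ("203.0.113.20", 443, 2000),
                            ("203.0.113.30", 8080, 3000)):
        for t in (0.0, 1.0, 3.0, 7.0):
            pkts.append(Pkt(t, src, sport, victim, 80, SYN | ACK, seq))
    # Legitimate client opening a connection: a SYN from an ephemeral port.
    pkts.append(Pkt(0.5, "192.0.2.7", 51023, victim, 80, SYN, 4242))
    # SYN/ACK answering the server's *own* outbound HTTPS request: it lands
    # on an ephemeral port, so it is not a reflection.
    pkts.append(Pkt(0.6, "203.0.113.5", 443, victim, 51234, SYN | ACK, 5555))
    # Plain spoofed-source SYN/ACK flood packet: ephemeral source port, no
    # service-port clustering, so it is not counted as reflected here.
    pkts.append(Pkt(0.7, "198.18.0.9", 40000, victim, 80, SYN | ACK, 6666))
    return pkts


if __name__ == "__main__":
    for k, v in analyze(build_sample(), 80).items():
        print(f"{k}: {v}")
```

The `reflection_suspected` verdict deliberately requires both signals: several distinct reflector addresses and a majority of them retransmitting. A single retransmitting source is just a stack whose handshake stalled, and a flood without retransmissions is the ordinary forged-source SYN/ACK flood the article contrasts this attack with. In practice the same predicate (SYN/ACK whose destination is the listening port) is also a safe drop rule at the edge, because a server never legitimately receives a SYN/ACK on the port it listens on.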

0x03 Protection Suggestion

Although this TCP reflection attack was small and obscure and is harder to defend against than ordinary attacks, it is not difficult to handle successfully.

1. Block unnecessary TCP source ports according to the actual situation, and consider using Tencent Cloud's new-generation Anti-DDoS (高防) solution, which can provide flexible advanced security policies.

2. It is recommended to configure BGP Anti-DDoS IP plus three-line Anti-DDoS IP to hide the origin server's IP address, and to use the Tencent Cloud new-generation BGP Anti-DDoS IP solution.

3. In the face of high-level DDoS threats, use the industry solutions of cloud computing vendors and, if necessary, request expert services from DDoS protection vendors.

0x04 Summary

The Tencent Cloud game security team defended against a round of DDoS attacks on a cloud game business and, during detailed analysis of the attack methods, found that the attackers used a TCP reflection attack, which is very rare on the live network. The characteristics of this method include:

  • The packets are SYN/ACKs (both flags set).
  • Source ports cluster on common TCP service ports such as 80/443/22/21/3389, and the source IP addresses and ports are live.
  • The SYN/ACK packets show TCP stack timeout-retransmission behavior.
  • Most source IP addresses are domestic, scattered across the provinces of China.
  • Most of the traffic comes from IDC servers.
  • Because the attack sources are real and have a TCP protocol stack, defense is more difficult.

In summary, attackers use TCP servers on the Internet to launch TCP reflection attacks. Compared with common random-forged-source attacks, TCP reflection attacks are more covert and harder to defend against, posing a new challenge to DDoS security.

The core layer of Tencent Cloud's Aegis DDoS protection system comes from the Tencent Security Platform Department, which has accumulated more than ten years of DDoS attack and defense experience across Tencent's businesses. It has industry-leading DDoS detection and defense algorithms and has introduced AI and big-data defense solutions. It serves QQ, WeChat, King of Glory, League of Legends, CF, Battlegrounds and many other Tencent internal businesses, can effectively resist various types of DDoS and CC attacks, provides advanced and reliable DDoS protection services, and is committed to ensuring the security and stability of game customers' businesses.

Tencent Security Emergency Response Center will also bring the Aegis protection system to the exhibition area and the game sub-forum of the Tencent Cloud 2018 Cloud+ Future Summit on May 23-24. You are welcome to attend the summit and discuss DDoS attack and defense together.

Tencent Cloud+ 2018 Future Summit registration: cloud.tencent.com/developer/s…


Published on the Tencent Cloud+ community with the author's authorization. Original link: https://cloud.tencent.com/developer/article/1121916?fromSource=waitui