Author: Tencent Cloud Game Security team & Tencent Security Platform Department
Quote:
DDoS attacks are becoming increasingly fierce. In addition to the diversified development of attack methods, the most direct thing is the double growth of attack traffic. In March, the record of the largest DDoS attack in China was still in the hundreds of gigabytes. In April, the data exceeded T level, and the future is uncertain. We have to remain vigilant and take steady steps in technology to cope with the bloody wind caused by DDoS attacks. On April 8, Tencent Cloud successfully defended against 1.2Tbps of massive traffic attack, which is also the largest known attack traffic in China at present. This article simply combs and analyzes the attack and defense event for everyone.
The largest known attack in the country
On April 8, the first working day after qingming Festival, an important chess and card game customer of Tencent Cloud was suddenly attacked by a massive DDoS attack. Chess and card games are used to being attacked, but this round of attack traffic peak reached 1.23Tbps, setting a new record for the largest DDoS attack traffic in China.
However, with the support of Tencent cloud’s huge protection bandwidth and the accumulation of DDoS protection technology in Tencent Security Platform Department over ten years, Tencent Cloud and the chess and card game customer successfully protected the massive traffic attack, escorting the customer’s chess and card business to run stably.
So how did this big attack come about? And how was it successfully defended?
Attack analysis
The attack methods mainly include the congestion bandwidth-type attack (SSDP reflection, the attack principle described below), which accounts for 97% of the total traffic (1.2Tbps), and the protocol defect attack (SYNFLOOD and ACKFLOOD), which accounts for 3% of the total traffic.
SSDP reflection
As one of the most common DDoS attack methods on the live network, SSDP reflection is favored by attackers due to the large number of available reflection terminals and considerable amplification factor.
Similar to other reflection attacks, the attacker initiates SSDP reflection in the following general process:
ø Through IP address spoofing, the attacker forges the IP address of the target server and initiates a request to the terminal that opens the SSDP service;
ø Due to a protocol design flaw, the SSDP service cannot determine whether the request is forged or not and respond to the target server. In this way, a huge number of SSDP response packets are sent to the attacked server at the same time.
ø What is more frightening is that under a specific request, one SSDP request packet can trigger multiple response packets, and each response packet is larger than the request packet, resulting in about 30 times of amplification of attack traffic.
Source IP Analysis
A total of 166,000 attack sources are collected. Among them, 68% are domestic and 32% are overseas. The TOP three countries are China (68%), Russia (13%) and the United States (8%).
In China, the main sources of attacks are: Shandong (40%), Liaoning (20%), Hebei (16%) and other bohai Rim regions, followed by Zhejiang (10%) and Taiwan (9%).
The main carrier sources of domestic attacks were China Telecom (66%) and China Unicom (24%).
In terms of attack source attributes, PCS are mainly from personal computers, accounting for 57%, and IDC servers account for 28%. It is worth noting that Internet of Things devices account for 15% of the attack sources. In terms of attack weapons, the number of iot devices as attack sources shows an obvious growing trend. At present, the security problem of Internet of things devices cannot be ignored.
Therefore, the number of terminals that open the SSDP service on the public network is large and widely distributed, facilitating attacks by attackers.
Protection scheme
To effectively protect against DDoS attacks, game manufacturers and developers are advised to do the following.
(1) Estimate the attack risk and access high defense if necessary
Different types of services have different risks of external DDoS attacks. Therefore, operators should determine whether they will be “targeted” by hackers and whether they need to access high security based on their industry threat situation and their service history of DDoS attacks.
Moreover, factors such as high profits and cut-throat competition in the game industry make it a high-incidence area for DDoS. According to Tencent Cloud, more than 66 percent of DDoS and CC attacks target game services. Therefore, for game business operators, it is more necessary to predict the attack threat and access high defense when necessary to ensure the stable operation of business.
(2) After access to high protection, do not expose the source station
After access to high defense, Tencent cloud will allocate a special high defense proxy IP, and in order to avoid hackers directly attack the source site, at this time must pay attention to: hide the source IP!
ø The IP address of the source site before the access to high security cannot be used any more (exposed);
· Comb the game logic to ensure that the game logic will not expose the source IP;
ø Do a security scan on the server to avoid embedding the back door.
(3) Customize defense policies based on service features
After a high-defense device is installed, it can resist high-traffic DDoS attacks with large bandwidth and high IP address. However, hackers often mix high-traffic attacks with low-traffic attacks that consume server resources. For example, in this attack, CC attacks are mixed with SSDP reflection and SYNFLOOD attacks. Therefore, in order to achieve better protection effects, we can consult Tencent cloud game security team to deeply customize protection strategies based on business characteristics. Common dimensions of policy customization include:
ø Sort out service protocols and ports, block unnecessary protocols and ports, and reduce the attack surface
ø For HTTP services, CC defense can be configured on the console based on actual conditions to defend against CC attacks in advance.
ø If it is a private agreement, Tencent Cloud game security team can be involved. The team can conduct statistical analysis on business traffic and deeply customize protection strategies to effectively solve various difficult and complicated diseases. For example, the customer has suffered from four-layer CC attacks in the history. Tencent cloud game security team has deeply customized strategies for effective protection and stable operation of business!
Note: A layer 4 CC attack refers to an attack in which hackers control broilers to simulate service traffic and exhaust server resources after TCP connections are established on the destination server.
conclusion
There will be competition wherever there is interest and DDoS attacks wherever there is Internet. We advise game manufacturers and developers to assess business risks in advance, choose reliable cloud service providers, purchase high protection services if necessary, and customize protection plans with expert teams to guarantee the safety lifeline of games.
Tencent Cloud limited time to launch a new generation of high security products, now buy a month or more of any high security products, you can get a free month of use.
Click the link to apply for product discounts now! Link: wj.qq.com/s/2023496/3…