Author: Aegis Security Team of Tencent Cloud & Tencent Security Platform Department
Introduction:
DDoS attacks are growing fiercer. Beyond the diversification of attack methods, the most direct change is the multiplying of attack traffic. In March, the record for the largest DDoS attack in China still stood in the hundreds of Gbps; in April it passed 1 Tbps, and where it goes next is anyone's guess. We have to stay vigilant and keep advancing our technology to weather the storm that DDoS attacks bring. On April 8, Tencent Cloud Aegis successfully defended against a 1.2 Tbps volumetric attack, the largest known attack traffic in China to date. This article briefly walks through and analyzes that attack and its defense.
The largest known attack in the country
On April 8, the first working day after the Qingming Festival, an important game customer of Tencent Cloud was suddenly hit by a massive DDoS attack. The game was no stranger to attacks, but this round peaked at 1.23 Tbps, a new record for DDoS attack traffic in China.
With the large protection bandwidth of Tencent Cloud Aegis and the more than ten years of DDoS protection experience accumulated by the Tencent Security Platform Department, Tencent Cloud and the game customer weathered the volumetric attack and kept the customer's business running stably.
So how did this attack come about, and how was it defended?
Attack analysis
The attack traffic was dominated by a bandwidth-exhaustion attack (SSDP reflection, described below), which accounted for 97% of the total (about 1.2 Tbps); the remaining 3% was protocol-exploitation traffic (SYN flood and ACK flood).
SSDP reflection
SSDP reflection is one of the most common DDoS methods on the live network; attackers favor it because of the large number of usable reflectors and its considerable amplification factor.
Like other reflection attacks, SSDP reflection follows this general process:
- The attacker forges the source IP address of the target server (IP spoofing) and sends SSDP discovery requests to Internet-facing devices running the SSDP service.
- Because SSDP runs over UDP with no handshake, the service cannot tell that the request is forged and sends its responses to the target server. A very large number of SSDP response packets thus arrive at the victim at the same time.
- Worse, a single SSDP request for a particular search target can trigger multiple response packets, each larger than the request, giving roughly 30x amplification of the attack traffic.
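To make the mechanism above concrete, here is an added example (not code from the original article) that builds a standard SSDP M-SEARCH probe, estimates the amplification from a constructed but representative UPnP reply, and flags victims in a set of constructed flow records by the one property a reflected reply always has: nobody on the victim's side ever sent the request. The reply contents, flow records (RFC 5737 test addresses) and thresholds are assumptions for illustration.

```python
"""SSDP reflection: estimate the amplification and spot reflected replies.

Added example, not code from the original article. build_msearch() follows the
SSDP discovery message format; SAMPLE_RESPONSE is a constructed but
representative UPnP reply; SAMPLE_FLOWS are constructed flow records using
RFC 5737 test addresses. Thresholds are illustrative.
"""
from collections import defaultdict

SSDP_PORT = 1900


def build_msearch(st: str = "ssdp:all", mx: int = 1) -> bytes:
    """The discovery probe an attacker sends with the victim's IP as source."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode()


# Constructed reply. A device asked for ST: ssdp:all sends one packet like
# this per advertised service, so one small probe yields several replies.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"DATE: Sun, 08 Apr 2018 02:15:30 GMT\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/3.10 UPnP/1.1 MiniUPnPd/2.0\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:12345678-1234-1234-1234-123456789abc::"
    b"urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)


def amplification_factor(request: bytes, responses) -> float:
    """Payload bytes received per payload byte sent (IP/UDP headers excluded)."""
    return sum(len(r) for r in responses) / len(request)


def detect_ssdp_reflection(flows, min_sources: int = 3) -> dict:
    """Return {victim: (reflector_count, bytes)} for hosts receiving unsolicited
    UDP traffic from source port 1900.

    flows: dicts with keys src, sport, dst, dport, proto, bytes, as a flow
    collector at the network edge would export. A reply is treated as
    solicited when the same host is seen sending UDP to port 1900 (a genuine
    M-SEARCH); reflected replies have no matching request because the
    attacker sent it from elsewhere with a spoofed source address.
    """
    asked = {f["src"] for f in flows if f["proto"] == "udp" and f["dport"] == SSDP_PORT}
    per_victim = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != SSDP_PORT or f["dst"] in asked:
            continue
        per_victim[f["dst"]]["sources"].add(f["src"])
        per_victim[f["dst"]]["bytes"] += f["bytes"]
    return {
        dst: (len(v["sources"]), v["bytes"])
        for dst, v in per_victim.items()
        if len(v["sources"]) >= min_sources
    }


def _flow(src, sport, dst, dport, nbytes, proto="udp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes}


# Constructed records: 203.0.113.10 never sent an M-SEARCH yet receives SSDP
# replies from four hosts; 203.0.113.20 queried 198.51.100.5 and got a reply.
SAMPLE_FLOWS = [
    _flow("198.51.100.1", 1900, "203.0.113.10", 40001, len(SAMPLE_RESPONSE) * 8),
    _flow("198.51.100.2", 1900, "203.0.113.10", 40001, len(SAMPLE_RESPONSE) * 8),
    _flow("198.51.100.3", 1900, "203.0.113.10", 40001, len(SAMPLE_RESPONSE) * 8),
    _flow("198.51.100.4", 1900, "203.0.113.10", 40001, len(SAMPLE_RESPONSE) * 8),
    _flow("203.0.113.20", 51000, "198.51.100.5", 1900, len(build_msearch())),
    _flow("198.51.100.5", 1900, "203.0.113.20", 51000, len(SAMPLE_RESPONSE)),
    _flow("203.0.113.30", 52000, "192.0.2.53", 53, 60),
]


def main():
    req = build_msearch()
    print(f"probe: {len(req)} bytes, one reply: {len(SAMPLE_RESPONSE)} bytes")
    factor = amplification_factor(req, [SAMPLE_RESPONSE] * 8)
    print(f"8 replies per probe -> amplification x{factor:.1f}")
    for dst, (n, nbytes) in detect_ssdp_reflection(SAMPLE_FLOWS).items():
        print(f"{dst}: unsolicited SSDP replies from {n} reflectors, {nbytes} bytes")


if __name__ == "__main__":
    main()
```

The probe is under 100 bytes while each reply is several times that, so a device that answers `ssdp:all` with one packet per service lands in the ~30x range the article cites. The detector deliberately keys on solicitation rather than volume: a host that really issued M-SEARCH will legitimately receive traffic from port 1900, whereas a victim of reflection never asked for any of it.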
Source IP Analysis
A total of 166,000 attack sources were collected, 68% domestic and 32% overseas. The top three countries were China (68%), Russia (13%) and the United States (8%).
Within China, the main sources were Shandong (40%), Liaoning (20%), Hebei (16%) and other provinces around the Bohai Rim, followed by Zhejiang (10%) and Taiwan (9%).
The main domestic carriers were China Telecom (66%) and China Unicom (24%).
By device type, personal computers made up the majority of sources (57%), followed by IDC servers (28%). Notably, Internet of Things devices accounted for 15% of the attack sources, and the number of IoT devices used as attack sources shows a clear upward trend; the security of IoT devices cannot be ignored.
In short, terminals exposing the SSDP service on the public Internet are numerous and widely distributed, which makes the attacker's job easy.
Protection scheme
To protect effectively against DDoS attacks, game operators and developers are advised to do the following.
(1) Assess the attack risk and connect to high-defense protection if necessary
Different types of service face different levels of DDoS risk. Operators should judge whether they are likely to be targeted, and whether they need a high-defense service, based on the threat landscape of their industry and their own history of DDoS attacks.
The game industry, with its high profits and cut-throat competition, is a hotspot for DDoS. According to Tencent Cloud, more than 66% of DDoS and CC attacks target game services. Game operators in particular therefore need to anticipate the threat and connect to high-defense protection when necessary to keep their business running stably.
(2) After connecting to high-defense protection, do not expose the origin server
After you connect, Tencent Cloud allocates a dedicated high-defense proxy IP. To stop attackers from bypassing it and hitting the origin directly, you must hide the origin IP:
- Stop using the origin IP that was in service before connecting to high-defense protection; it is already exposed.
- Go through the game logic to make sure nothing in it reveals the origin IP.
- Run a security scan of the servers to rule out backdoors.
(3) Customize defense policies based on service characteristics
Once a service sits behind high-defense protection, the large bandwidth and high-defense IP can absorb high-volume DDoS traffic. Attackers, however, often mix high-volume attacks with low-volume attacks that exhaust server resources; in this attack, for example, SSDP reflection was mixed with SYN flood and ACK flood traffic. For better protection, customers can work with the Tencent Cloud game security team to customize protection policies in depth around the characteristics of the business. Common dimensions of customization include:
- Inventory the service's protocols and ports, and block everything not needed, to reduce the attack surface.
- For HTTP services, configure CC protection in the console as needed so that CC attacks are handled in advance.
- For proprietary protocols, the Tencent Cloud Aegis security team can get involved: it analyzes the business traffic statistically and customizes protection policies in depth to solve hard cases. For example, this customer had previously suffered layer-4 CC attacks, and the Aegis team tailored policies that protected the business effectively and kept it running stably.
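Points (2) and (3) above are both, on the origin server itself, a matter of who may reach which port. The following added example (not code from the original article, and not a Tencent Cloud configuration) expresses that as a service inventory: it audits that every listening port is reachable only from the scrubbing proxy or an admin host, so the origin is not exposed to anyone who learns its IP, and renders an nftables input chain that drops by default, rate-limits new TCP connections, and counts and drops unsolicited replies from well-known reflector ports including SSDP's 1900. The proxy range, admin host, ports and rate limits are constructed placeholders (RFC 5737 addresses).

```python
"""Default-deny origin ruleset for a game server behind a high-defense proxy.

Added example, not code from the original article. It renders an nftables
ruleset from a service inventory and audits that every listening port is
reachable only from the scrubbing proxy or an admin host, so the origin is
not exposed directly. The proxy range, admin host, ports and rate limits are
constructed placeholders (RFC 5737 addresses), not Tencent Cloud values.
"""
import ipaddress

PROXY_RANGE = "198.51.100.0/24"   # hypothetical high-defense proxy egress range
ADMIN_HOSTS = ["192.0.2.10"]      # hypothetical bastion host

# Constructed service inventory. allow_from is the only source range that may
# reach the port; for game traffic that is the high-defense proxy range.
SERVICES = [
    {"name": "game-udp",  "proto": "udp", "port": 7777, "allow_from": PROXY_RANGE},
    {"name": "game-tcp",  "proto": "tcp", "port": 7777, "allow_from": PROXY_RANGE},
    {"name": "ssh-admin", "proto": "tcp", "port": 22,   "allow_from": "192.0.2.10"},
]

# UDP source ports of services commonly abused for reflection. Exchanges the
# origin itself initiated (its own DNS or NTP queries) are accepted by the
# conntrack rule before these drops are reached, so only unsolicited replies
# hit them.
REFLECTOR_SOURCE_PORTS = {"ssdp": 1900, "ntp": 123, "dns": 53, "chargen": 19}


def audit_exposure(services, proxy_range, admin_hosts):
    """Names of services whose allow_from is not inside the proxy range or an
    admin host: these would expose the origin to anyone who learns its IP."""
    trusted = [ipaddress.ip_network(proxy_range)] + [
        ipaddress.ip_network(h) for h in admin_hosts
    ]
    exposed = []
    for s in services:
        src = ipaddress.ip_network(s["allow_from"], strict=False)
        if not any(src.subnet_of(t) for t in trusted):
            exposed.append(s["name"])
    return exposed


def render_nft_ruleset(services, reflector_ports, syn_rate="200/second", syn_burst=400):
    """Render an nftables input chain: drop by default, accept only listed
    services from their allowed sources, rate-limit new TCP connections,
    and count/drop unsolicited replies from known reflector ports."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state invalid drop",
        "    # replies to connections/queries the host itself initiated",
        "    ct state established,related accept",
        "    ip protocol icmp accept",
    ]
    for name, port in sorted(reflector_ports.items(), key=lambda kv: kv[1]):
        lines.append(f'    udp sport {port} counter drop comment "unsolicited {name} reply"')
    for s in services:
        rule = f"    ip saddr {s['allow_from']} {s['proto']} dport {s['port']}"
        if s["proto"] == "tcp":
            # pressure relief against SYN floods that slip past the proxy
            rule += f" ct state new limit rate {syn_rate} burst {syn_burst} packets"
        lines.append(f'{rule} accept comment "{s["name"]}"')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    leaks = audit_exposure(SERVICES, PROXY_RANGE, ADMIN_HOSTS)
    if leaks:
        raise SystemExit(f"origin exposed by: {', '.join(leaks)}")
    print(render_nft_ruleset(SERVICES, REFLECTOR_SOURCE_PORTS))
```

Rule order carries the logic: `ct state established,related accept` sits above the reflector drops so the server's own DNS and NTP lookups still get answers, while a reply from port 1900 that matches no connection the host opened is dropped and counted, and the counters give a cheap on-box indicator that someone is pointing reflectors at the origin. Write the output to a file and check it with `nft -c -f origin.nft` before loading it with `nft -f origin.nft`.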
Conclusion
Wherever there is profit there is competition, and wherever there is Internet there are DDoS attacks. We advise game operators and developers to assess their business risk in advance, choose a reliable cloud provider, purchase high-defense protection if necessary, and customize a protection plan with an expert team to safeguard the lifeline of their game.
Published with the author's authorization on the Tencent Cloud+ Community. Original link: https://cloud.tencent.com/developer/article/1100719?fromSource=waitui