

1. What is DDoS


Distributed Denial of Service (DDoS) is an attack in which a large number of distributed sources send requests at a single target until legitimate users can no longer get service. Typically the attacker uses network nodes such as IDC servers, personal PCs, mobile phones, smart devices, printers and cameras to send a flood of requests at the target. The server is saturated and can no longer serve normal clients, and all that is left is to declare game over, as shown in the following figure:




DDoS Attack Diagram



2. Why do hackers choose DDoS


Unlike attacks that tamper with or hijack data, a DDoS attack is simple and strikes the target directly. Compared with other attack methods, the skill required and the cost of launching a DDoS attack are both very low: the attacker only needs to rent a few servers or control a batch of compromised hosts (bots), the attack takes effect quickly, and its effect is immediately visible. On the other side, DDoS is easy to launch but hard to defend against: to keep serving legitimate customers, the service provider has to spend far more resources than the attacker does. These properties make DDoS a convenient weapon for attackers and a bolt from the blue for their targets.


On the other hand, although a DDoS attack eats bandwidth and resources and forces a service offline, that is seldom the attacker's real purpose. Where there is no demand there is no supply: DDoS is simply the attacker's heavy weapon, used for extortion, unfair commercial competition, or to make a political point. Driven by these black-market profits, more and more people join the industry and refine and upgrade the attack methods, so DDoS keeps intensifying across the Internet industry and has become a stubborn problem that nobody has solved worldwide.




3. DDoS attack methods


Any public-facing service has to expose interfaces for user access, and those interfaces are exactly the opening an attacker needs. For example, the TCP three-way handshake can be abused to exhaust the server's connection resources, and the stateless nature of UDP lets an attacker forge large numbers of packets that clog the communication channel. Since the birth of the Internet there has never been a shortage of attack points for DDoS: from TCP/IP protocol mechanisms, to CC (Challenge Collapsar, HTTP request flood), DNS and NTP reflection attacks, and even application vulnerabilities that enable more advanced and more precise attacks.


In terms of the harm they cause and the way they are launched, DDoS attacks fall into the following categories:


A) Resource consumption attacks


Resource consumption attacks are the classic form of DDoS, including SYN Flood, ACK Flood and UDP Flood. Their goal is simply to exhaust the target's normal bandwidth and the protocol stack's processing capacity with a large number of packets, so that the server can no longer work properly.


B) Service consumption attacks


Compared with resource consumption attacks, service consumption attacks need much less traffic. They target specific features of the service: CC attacks against web applications, expensive retrieval requests against a data service, repeated large downloads from a file service, and so on. The aim is not to block the traffic channel or the protocol stack, but to keep the server busy with high-cost operations so that it cannot respond to normal requests, as shown in the following diagram:




Service consumption attacks


C) Reflection attacks


Reflection attacks are also called amplification attacks. They are generally built on UDP services whose response is much larger than the request: the attacker sends requests carrying the victim's spoofed source address to many such services, and each service "reflects" a far larger response back at the victim. Through this amplification, an attacker with a small amount of bandwidth can create a very large traffic source against the target. Strictly speaking, reflection is not an attack category of its own; it only exploits the characteristics of certain services to launch a Flood attack at a lower cost. The diagram is as follows:




Reflection attack



D) Hybrid attacks


A hybrid attack combines the attack types above and switches to whichever works best while the attack is under way. Hybrid attacks usually pair two types: resource consumption and service consumption.
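As an added example (not part of the original post), the following Python classifier applies the signatures of categories A to D above to a constructed one-second window of flow records: a SYN flood (many SYNs from many sources with almost no completed handshakes), UDP reflection (large packets arriving from well-known reflector source ports such as NTP 123 or DNS 53), a CC-style service consumption attack (one source pushing data at far above a normal request rate), and the hybrid case when the first and third appear together. The Flow record format, the thresholds and all addresses are assumptions chosen for illustration, not tuned production values.

```python
"""Classify a window of inbound flow records into the DDoS categories above.

Added example, not code from the original post. The Flow record format, the
thresholds and the sample window are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors; at the victim they show up as the *source* port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_port: int
    proto: str    # "tcp" or "udp"
    flags: str    # TCP flags seen, e.g. "S", "A", "PA"; "" for UDP
    nbytes: int   # bytes in this window
    pkts: int     # packets in this window


def classify(flows, syn_rate=1000, ack_ratio=0.1, reflect_bytes=400, cc_rps=200):
    """Return the attack categories detected in one window (empty dict = clean)."""
    verdict = {}

    # A) resource consumption: a SYN flood is many SYNs with almost no pure ACKs
    # completing the handshake (spoofed sources never answer the SYN-ACK).
    syns = sum(f.pkts for f in flows if f.proto == "tcp" and f.flags == "S")
    acks = sum(f.pkts for f in flows if f.proto == "tcp" and f.flags == "A")
    if syns >= syn_rate and acks < syns * ack_ratio:
        verdict["resource_consumption"] = f"SYN flood: {syns} SYN vs {acks} ACK"

    # C) reflection: UDP from a reflector service port whose responses are far
    # larger than the requests that triggered them (large average packet size).
    reflected = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS and f.nbytes / f.pkts >= reflect_bytes:
            reflected[REFLECTOR_PORTS[f.src_port]] += f.nbytes
    if reflected:
        verdict["reflection"] = dict(reflected)

    # B) service consumption: data-carrying segments (PSH) to the web ports from
    # one source at far above a normal request rate, i.e. a CC attack.
    per_src = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dst_port in (80, 443) and "P" in f.flags:
            per_src[f.src_ip] += f.pkts
    hot = {ip: n for ip, n in per_src.items() if n >= cc_rps}
    if hot:
        verdict["service_consumption"] = hot

    # D) hybrid: resource and service consumption in the same window
    if "resource_consumption" in verdict and "service_consumption" in verdict:
        verdict["hybrid"] = True
    return verdict


# Constructed one-second window of inbound flows to the victim (all addresses are
# documentation ranges, not real hosts).
WINDOW = [
    # spoofed SYNs from 100 sources, 50 each; no handshake ever completes
    *[Flow(f"203.0.113.{i}", 40000 + i, 80, "tcp", "S", 60 * 50, 50) for i in range(100)],
    # NTP-style replies reflected off two servers, 440-byte average packets
    Flow("198.51.100.7", 123, 3333, "udp", "", 440 * 200, 200),
    Flow("198.51.100.8", 123, 3333, "udp", "", 440 * 200, 200),
    # one client firing 300 search requests per second
    Flow("192.0.2.9", 50123, 443, "tcp", "PA", 500 * 300, 300),
    # two ordinary clients
    Flow("192.0.2.10", 50200, 443, "tcp", "PA", 500 * 3, 3),
    Flow("192.0.2.11", 50201, 443, "tcp", "A", 60 * 2, 2),
]

if __name__ == "__main__":
    print(classify(WINDOW))
```

The SYN-to-ACK ratio is the key signal for category A: a real client that sent a SYN answers the SYN-ACK, a spoofed source cannot. For category C the tell-tale sign is the source port, because a victim that never sent an NTP or DNS request has no business receiving large replies from port 123 or 53.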




4. Why DDoS protection is difficult


On one hand, the core components of the network infrastructure have barely changed in the past decade, so vulnerabilities that were discovered and exploited long ago, and the mature attack tools built around them, have a long life cycle and remain effective today. On the other hand, the rapid growth of applications in the upper layers of the seven-layer model has diversified the targets of DDoS: from Web to DNS, from the layer-3 network to layer-7 applications, from the protocol stack to the application itself, and every newly launched product gives attackers new openings. Moreover, DDoS defense is an unequal contest in both technology and cost. The cost of building a DDoS defense system for a business is often larger than the cost or the revenue of the business itself, which makes many start-ups and small Internet companies reluctant to invest more.




5. Anti-DDoS measures


A DDoS defense system is essentially an intelligent system built on resource matching and rule filtering. The main defensive measures and strategies are:


A) Resource isolation


Resource isolation can be regarded as a protective shield in front of the user's service. This protection layer has very high data and traffic processing capacity and filters abnormal traffic and requests on the user's behalf. For example, against a SYN Flood the shield performs source authentication with SYN cookies or SYN reset: it only forwards a connection once the source has proven it is real by completing the handshake (or by retrying after a reset), so packets with forged sources and brute-force floods are filtered out and the server is protected from malicious connections. Resource isolation works mainly at layers 3 and 4 of the OSI model. The resource isolation diagram is as follows:




Resource Isolation Diagram
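To make the SYN cookie authentication described above concrete, here is an added Python example (not code from the original post or from NetEase) of the two halves of the mechanism: building a cookie into the ISN of the SYN-ACK without storing any state, and validating the client's final ACK before a real connection is set up or forwarded. The bit layout (5-bit time counter, 2-bit MSS index, 25-bit keyed hash) is a simplified version of the classic scheme rather than any particular kernel's exact layout, and KEY, the MSS table and all addresses are assumptions for illustration.

```python
"""SYN cookies: answer a SYN without keeping state, then validate the returning ACK.

Added example, not code from the original post or NetEase. The layout below
(5-bit time counter | 2-bit MSS index | 25-bit keyed hash) is a simplified
version of the classic scheme, not any particular kernel's exact bit layout.
KEY is a made-up secret; a real deployment generates and rotates it.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"per-host-secret-rotate-me"      # assumption: random per host, rotated regularly
MSS_TABLE = [536, 1220, 1440, 1460]      # MSS values encodable in 2 bits


def _mac(src, sport, dst, dport, counter):
    """Keyed hash over the 4-tuple and the time counter; only we can compute it."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(src), socket.inet_aton(dst), sport, dport, counter)
    return int.from_bytes(hmac.new(KEY, msg, hashlib.sha256).digest()[:4], "big") & 0x1FFFFFF


def make_cookie(src, sport, dst, dport, client_mss, now_minutes):
    """ISN to put in our SYN-ACK. Nothing is stored for this half-open connection."""
    counter = now_minutes & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_idx << 25) | _mac(src, sport, dst, dport, counter)


def check_cookie(src, sport, dst, dport, ack, now_minutes, max_age=2):
    """On the final ACK: return the negotiated MSS if ack-1 is a cookie we issued
    recently for this 4-tuple, else None (spoofed source, replay, or stale)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    if (now_minutes - counter) & 0x1F > max_age:
        return None                               # too old: replayed or very slow client
    if (cookie & 0x1FFFFFF) != _mac(src, sport, dst, dport, counter):
        return None                               # not ours: forged ACK or wrong 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    isn = make_cookie("203.0.113.5", 40000, "192.0.2.1", 80, 1460, 1000)
    print(hex(isn), check_cookie("203.0.113.5", 40000, "192.0.2.1", 80, isn + 1, 1000))
```

A spoofed SYN never produces a valid ACK, so the shield allocates nothing for it and the origin server never sees it. The price of statelessness is that any TCP option not encoded in the cookie (window scaling, SACK) is lost for that connection, which is why real stacks only switch cookies on once the SYN backlog is under pressure.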



B) User rules


From the service's point of view, DDoS protection is essentially a battle between the user, relying mainly on the anti-DDoS system, and the attacker. In this contest the service provider usually holds the initiative, because it knows what its normal business looks like and can define rules for the anti-DDoS system accordingly: traffic type, request frequency, inter-packet delay, and other characteristics of legitimate traffic. With such rules, users can fight layer-7 DDoS more effectively and reduce the server's resource overhead while still satisfying normal service. The detailed schematic diagram is as follows:




User Rule Cleaning
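The rule cleaning just described can be shown with a small Python example (added here, not the post's or NetEase's code). It implements the kinds of rules a service owner would configure from knowledge of their own business: a per-source request budget as a token bucket, a higher token cost for expensive endpoints such as search, a minimum gap between requests that no human produces, and a maximum request size. The rule values, endpoint costs and the constructed traffic are all assumptions for illustration.

```python
"""Rule-based layer-7 cleaning in front of one protected service.

Added example, not code from the original post. The rules (per-source request
budget as a token bucket, extra cost for expensive endpoints, a minimum gap
between requests, a maximum request size) and the traffic are constructed
assumptions standing in for what a service owner would configure.
"""
from collections import defaultdict


class RuleCleaner:
    def __init__(self, rate=4.0, burst=20, min_gap=0.02, cost=None, max_len=8192):
        self.rate = rate          # tokens refilled per second per source
        self.burst = burst        # bucket size: how many cheap requests may arrive at once
        self.min_gap = min_gap    # seconds; humans never issue requests faster than this
        self.cost = cost or {}    # path prefix -> token cost for expensive endpoints
        self.max_len = max_len    # drop oversized requests before parsing them
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}            # src -> timestamp of its previous request

    def _cost(self, path):
        for prefix, c in self.cost.items():
            if path.startswith(prefix):
                return c
        return 1

    def check(self, src, path, ts, length=0):
        """Return 'pass' or a 'drop:<reason>' verdict for one request."""
        if length > self.max_len:
            return "drop:oversized"
        prev = self.last.get(src)
        self.last[src] = ts
        if prev is not None:
            # refill the bucket for the time elapsed, capped at the burst size
            self.tokens[src] = min(self.burst, self.tokens[src] + (ts - prev) * self.rate)
            if ts - prev < self.min_gap:
                return "drop:too_fast"        # tool-driven burst, no human think time
        need = self._cost(path)
        if self.tokens[src] < need:
            return "drop:rate_limit"          # budget exhausted; expensive endpoints drain it faster
        self.tokens[src] -= need
        return "pass"


def simulate(requests, **rules):
    """Run (src, path, ts) tuples through a fresh cleaner; return {src: {verdict: count}}."""
    cleaner = RuleCleaner(**rules)
    out = defaultdict(lambda: defaultdict(int))
    for src, path, ts in sorted(requests, key=lambda r: r[2]):
        out[src][cleaner.check(src, path, ts)] += 1
    return {src: dict(v) for src, v in out.items()}


# Constructed traffic (documentation addresses). Timestamps are seconds.
BOT = [("198.51.100.5", "/search?q=%", 0.25 * i) for i in range(60)]      # 4 expensive searches/s
SCRIPT = [("203.0.113.9", "/login", 0.005 * i) for i in range(10)]         # 200 rps burst
USER = [("192.0.2.10", "/", 0.0), ("192.0.2.10", "/search?q=cat", 1.5),
        ("192.0.2.10", "/img/a.png", 1.6)]
RULES = dict(rate=4.0, burst=20, min_gap=0.02, cost={"/search": 5})

if __name__ == "__main__":
    print(simulate(BOT + SCRIPT + USER, **RULES))
```

The point of the endpoint cost table is the one made in the service consumption section: an attacker does not need much traffic if each request is expensive, so the budget must be charged in server cost, not in request count. The bot above stays within a modest 4 requests per second and would pass a plain request-rate limit, yet three quarters of its searches are dropped, while the ordinary user is untouched.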

C) Intelligent analysis of big data


To generate large volumes of traffic, attackers usually have to build their requests with special tools, and those requests lack some of the behaviours and characteristics of real users. To counter DDoS, legitimate users can be modelled from massive amounts of traffic data, and fingerprint features such as the HTTP request model, data source and request source can be used to whitelist request sources, so that DDoS traffic is cleaned precisely.




Fingerprint filtering and cleaning
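The following added Python example (not the post's or NetEase's code) shows the fingerprinting idea in miniature: the shape of each HTTP request (header order, User-Agent family, Accept values, presence of Accept-Language) is hashed into a fingerprint, a baseline of known-good fingerprints is learned from constructed legitimate traffic, and sources whose every request matches a known-good shape are whitelisted while the rest are sent to cleaning. The feature set and all sample requests are assumptions; a real system learns its baseline from large volumes of confirmed-legitimate traffic rather than three hand-written requests.

```python
"""Whitelisting request sources by fingerprinting the shape of their HTTP requests.

Added example, not code from the original post or NetEase. The feature set
(header order, User-Agent family, Accept values) and all sample requests are
constructed assumptions; a real system learns its baseline from large volumes
of traffic already confirmed legitimate.
"""
import hashlib
from collections import Counter, defaultdict


def fingerprint(req):
    """Hash the *shape* of a request, not its content. Header order is the key
    feature: browsers emit a stable order, attack tools and HTTP libraries emit
    their own, and copying a browser's User-Agent string does not change it."""
    h = req["headers"]                                   # dict in wire order
    features = [
        req["method"],
        ",".join(k.lower() for k in h),                  # header names in order
        h.get("User-Agent", "").split(" ")[0],           # UA family, e.g. "Mozilla/5.0"
        h.get("Accept", "")[:24],
        "lang" if "Accept-Language" in h else "nolang",  # tools rarely send it
    ]
    return hashlib.sha256("|".join(features).encode()).hexdigest()[:16]


class FingerprintModel:
    def __init__(self, min_support=2):
        self.min_support = min_support   # a shape must be seen this often in good traffic
        self.counts = Counter()
        self.good = set()

    def learn(self, good_requests):
        """Baseline from confirmed-legitimate traffic (e.g. sessions that completed a purchase)."""
        for r in good_requests:
            self.counts[fingerprint(r)] += 1
        self.good = {fp for fp, n in self.counts.items() if n >= self.min_support}

    def decide(self, req):
        """'allow' for a known-good shape; otherwise 'challenge' (JS/captcha or strict rate lane)."""
        return "allow" if fingerprint(req) in self.good else "challenge"


def whitelist_sources(model, batch):
    """batch: (src, request) pairs. A source is whitelisted only if every request
    it sent matched a known-good shape; anything else goes to cleaning."""
    bad = defaultdict(bool)
    for src, req in batch:
        bad[src] |= model.decide(req) == "challenge"
    return {src: ("clean" if b else "whitelist") for src, b in bad.items()}


# --- constructed sample traffic (documentation addresses, made-up requests) ---
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

def browser_req(path):
    return {"method": "GET", "path": path, "headers": {
        "Host": "www.example.com", "Connection": "keep-alive", "User-Agent": CHROME_UA,
        "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate, br", "Accept-Language": "en-US,en;q=0.9",
        "Cookie": "session=abc"}}

def tool_req(path, ua="python-requests/2.31.0"):
    # typical HTTP-library order: UA right after Host, no Accept-Language
    return {"method": "GET", "path": path, "headers": {
        "Host": "www.example.com", "User-Agent": ua, "Accept-Encoding": "gzip, deflate",
        "Accept": "*/*", "Connection": "keep-alive"}}

BASELINE = [browser_req(p) for p in ("/", "/cart", "/checkout")]
BATCH = [
    ("192.0.2.10", browser_req("/")), ("192.0.2.11", browser_req("/search?q=cat")),
    ("198.51.100.5", tool_req("/search?q=%")),
    ("198.51.100.6", tool_req("/search?q=%", ua=CHROME_UA)),   # spoofed UA, tool header order
]

if __name__ == "__main__":
    model = FingerprintModel()
    model.learn(BASELINE)
    print(whitelist_sources(model, BATCH))
```

The fourth source in the batch is the instructive one: it copies a real browser's User-Agent, which is the first thing attack tools change, but keeps its library's header order and generic Accept header, so its fingerprint never appears in the baseline. Unknown shapes are challenged rather than dropped outright, because a new browser release or a legitimate API client will also produce a shape the model has not learned yet.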



D) Resource confrontation


Resource confrontation, also called the "death charge", simply means piling up a large number of servers and bandwidth resources to absorb the DDoS traffic.






The NetEase Cloud anti-DDoS service provides 1 Tbps of protection bandwidth against DDoS attacks.


The above article is from the blog post "Understanding the Nature of DDoS Protection: An Intelligent System based on Resource Matching and Rule Filtering" written by NetEase Cloud Community.

