DDoS protection


How did DDoS protection solution vendors and service providers survive 2022? What attack vectors prevailed last year? What’s next for us in this area? How to choose the right Anti-DDoS and what should be written in the quality agreement (SLA) between the service provider and the client?

Introduction

The topic of DDoS attacks in 2022 was very loud in the information space, and not only in specialized media. The flurry of attacks that hit Russian companies in the spring forced many of them to urgently look for remedies. How did Anti-DDoS vendors survive this period? What did 2022 teach them and have customers changed their approach to choosing systems to counter DDoS attacks? What techniques were most often used by attackers and what technologies did the developers oppose them? Together with a representative team of experts, we tried to answer these and other questions as part of the next issue of the AM Live online conference.

Figure 1. AM Live live speakers in the studio


Live speakers:

Discussion leader and moderator: Rustem Khairetdinov, Deputy General Director of Garda Technologies.

2022 in DDoS protection

Opening the live broadcast, Rustem Khairetdinov asked the experts to tell us what 2022 was remembered for in the field of protection against DDoS attacks. Did customers conduct analysis when choosing a DDoS protection provider, or in a panic rushed to the first applicant who came across?

— We have seen a tremendous increase in the number of attacks. The number, complexity, and duration of attacks have increased by orders of magnitude. Due to the withdrawal of foreign companies from the Russian market, there were problems with supplies and third-party services. However, the increase in the number of attacks has also led to an increase in the client base. It was hard, but we managed.


Alexander Gutnikov, Head of Product Development for Online Services Protection, Kaspersky Lab

— There are more customers due to the redistribution of clients against the backdrop of an increased number of attacks. Customers began to approach the choice of protection more comprehensively. Attackers began to change vectors and tools more often: since March there have been three or four waves of such changes. These challenges had to be promptly responded to.

— In February and March, people came with a request for urgent protection. They didn’t have time to choose. As the trend for massive DDoS attacks began to subside, demand also decreased. 2022 left a feeling of deja vu: just like during the pandemic, life has changed, only now we are faced with the fact that services need protection.


Vladimir Zaitsev, NGENIX Client Service Director

— 2022 can be called the year of firefighting mode. Against the backdrop of the geopolitical situation, DDoS attacks on the Russian Internet have grown by 800% compared to 2021. The average number of attacks per day increased 10 times, and the main blow fell on the media, the public sector and banks. We recorded more than a million attacks in a year, and this is several times higher than in 2021.

— According to our statistics, for the first time Russia ranked 4th among the most DDoS-attacked countries. At the beginning of the year, most of the attacks were organized by hacktivists who united through social networks. The specificity was that botnets consisted of volunteer computers that independently launched malicious tools on them.


Ramil Khantimirov, co-founder and CEO of StormWall

How has the portrait of the attacker changed? Has the profile of the typical attacker really shifted a lot towards hacktivism? Our experts confirmed this trend and said that at the beginning of the year, the attacks were massive, but fairly simple DDoS, which was easy to deal with. At the same time, professional cybercriminals did not participate in such attacks in order not to reveal their botnets. Naturally, malware was written by DDoS specialists and then distributed among activists. The direction of attacks was greatly influenced by the news agenda and, of course, the availability of resources. Gradually, the mass trend began to decline, as non-professionals got tired of doing it. At the moment, there are fewer attacks and they have become more selective.

Nearly 40% of businesses that employ AM Live viewers were attacked in 2022. This is evidenced by the results of our survey. At the same time, 30% were attacked multiple times, and 9% — once. 30% of respondents also did not record DDoS attacks on their organization, and 31% found it difficult to answer this question.

Figure 2. Has your organization experienced a DDoS attack in 2022?


Technologies of DDoS attacks and fight against them


How do developers of DDoS countermeasures respond to this? What technologies are used to protect customer resources? AM Live experts noted that in the current situation it is important to have filtering points in Russia and neighboring countries in order to receive traffic there, since attackers are actively using proxy servers. From a technology perspective, there is a growing focus on filtering traffic at the application layer. At the same time, there is a growing demand from customers for self-configuration of filtering systems: advanced customers want to individualize DDoS protection in their company on their own.

In the context of a sharply increased workload, security solution developers are faced with the need to increase their hardware infrastructures, as well as optimize the operation of software cores, increasing their performance and scalability. Experts noted that technologies are evolving in an evolutionary manner, in accordance with the requirements of customers, and the response team, for example, had to be seriously increased in 2022. Some vendors saw an increase in the number of engineers by 40%, other developers talked about an increase in the number of technical support specialists.

According to AM Live viewers, DDoS protection generally copes with its tasks. Our survey showed that 37% of respondents in 2022 had excellent protection. Another 16% noted that they consider the result of countering attacks positive, but there were downtimes. 9% of respondents had to change protection under attack, and 5% changed hosting or made changes to the infrastructure. 33% of survey participants believe that they were not attacked.

Figure 3. Did your protection cope with the DDoS attacks of 2022?


The practice of using and choosing a DDoS protection system

How do companies choose a DDoS protection system now? What do customers look at first — SLA, technological capabilities, user interfaces? What recommendations can experts give to those who today are thinking about purchasing a tool to counter this type of attack? According to our guests, the choice of a solution should begin with the tasks that it will face. What attack vectors are expected, what are the risks in case of loss of certain services, do we even know all the services that can be attacked?

Speakers of the online conference formulated three key questions that potential customers ask:

The experts also advised to pay attention to the location of the filtering points of the selected service and assess whether they match the location of the customer’s equipment. It is useful to find out how technical support works: is it available around the clock, can you contact it by phone or chat. It is also worth paying attention to the pricing policy of the protection service: whether it depends on the intensity of attacks or some other parameters. Collaboration between supplier and customer is required. The service provider must know as much as possible about the protected resources in order to select the most appropriate methods to counter attacks.

Portrait of a potential client in the field of DDoS protection

In continuation of the discussion, we asked the experts about what percentage of customers contact the protection service provider only during a DDoS attack. Live broadcast speakers explained that this largely depends on external circumstances. For example, in March, when the number of attacks increased, there were about 30% of such calls; in calmer periods, the share of such clients does not exceed 10%. There is also some seasonality: according to experts, in November there are traditionally more calls “under attack”. Experts recommended that potential clients think about protection in advance, since organizing countermeasures at a time when the attack is already developing will cost them more, and the damage from the actions of intruders will be greater.

The results of a survey of viewers of our online conference confirmed the opinion of experts. As it turned out, 43% of them buy a subscription or equipment in advance. Another 14% rely only on their own strength in the matter of protection, and 11% turn to the supplier only at the time of the attack. 32% of respondents did not think about this issue.

Figure 4. How do you approach the organization of DDoS protection?


How the Anti-DDoS service is delivered

How popular are cloud services and how often are on-premise solutions preferred? The speakers explained that their own software and hardware complex can only repel attacks that do not exceed the size of the channel available to the client. Therefore, for effective DDoS protection, it is better to use cloud or hybrid technologies. Some systems, such as a pure traffic server, can be moved to the client’s infrastructure. It is also important to understand that not all customers can completely send all traffic to the cloud for filtering. So, banks are limited in this by the requirements of laws, which means that part of the checks must take place on their own equipment.


A survey of AM Live viewers showed that companies use a variety of methods to protect the communication channel from DDoS attacks. In particular, protection by the provider, as well as the use of hybrid protection methods, each gained 23% of the votes of the respondents; cloud-based protection — 21%. Another 20% of survey participants prefer to install a hardware and software system on the perimeter. At the same time, only 2% of respondents trust the self-written solution. The «Other» option was chosen by 11% of our viewers.

Figure 5. Which option of protection against DDoS attacks on a communication channel suits you best?


Is it possible to use several anti-DDoS systems at the same time

An interesting discussion unfolded about the possibility of sharing several services or solutions from different providers. Some experts consider this a working variant of cascading protection, other speakers are convinced that reasonable integration will not work in this case. The fact is that with this approach, the reaction time increases significantly and the speed of solving problems decreases — with a minimal increase in the effectiveness of protection. Even if traffic at the DNS balancing level is simply distributed between two providers, it will be difficult to understand which solution works effectively and which one «doesn’t work.»

As the experts explained, two solutions in active mode may conflict with each other. If one of the services works as passive protection, then the company must decide for itself whether it is ready to pay for an extremely rarely used service.

What should be included in the SLA

The host decided to touch on the topic of service provider responsibility and asked the experts to talk about what is included in the SLA for protection against DDoS attacks. Speakers of the online conference noted that SLA is certainly important, but it is a tool for resolving conflicts, and not a rule of thumb for the daily operation of the service. In general, the following should be indicated there:

Expert predictions

At the end of the live broadcast, we asked each of the experts to share their vision of the DDoS protection market for the coming years, as well as to propose an action plan in this area for customers.

— My main recommendation is to prepare for everything in advance. Even if you think that a DDoS attack will not affect you, it’s still better to “lay straws” than to disentangle the consequences. I think the attacks will continue, but they will become more targeted and directed at the most sensitive parts of customer infrastructures.


Dmitry Nikonov, Head of L7 DDoS Protection at DDoS-GUARD

— There will be more attacks, since hundreds of thousands of hacktivists have learned how to organize DDoS attacks, now they will monetize this knowledge. Demand for standalone solutions will decline, while demand for cloud providers will grow due to competition and increased attack sophistication.

— The attacks will definitely not stop, so I recommend companies to prepare for them in advance. Even if you do not have the opportunity to buy protection, consider at least the risks that are on your side. Identify problem areas and draw up a work plan that you will implement, gradually building protection.

— There will certainly be DDoS attacks, even if all of a sudden everything goes well. Traditional vectors have not gone away, and we note that in addition to hacktivist attacks, there are still attacks from China and Latin America. Therefore, you need to be prepared, follow the context and communicate with colleagues in the shop.


Kirill Gerasimenko, Head of Business Development at Servicepipe

— I don’t see any tendencies to improve the situation. Attacks will grow and become more complex. To what extent is a separate question. But I’m more concerned about the trend towards the militarization of the Internet. In the worst scenario, we will get the collapse of the global network into separate segments. I hope this will not happen, but for now we are going in this direction.

Broadcast results

As usual, at the end of the episode, we asked viewers how much their opinions about DDoS protection have changed after the broadcast. It turned out that 38% of respondents were convinced of the correct choice of their solution. 3% of respondents are thinking about changing their DDoS protection tool. At the same time, 28% expressed their desire to test and implement protection, and 5% think that they do not need such systems yet. According to 10% of survey participants, the speakers did not convincingly prove the need for DDoS protection. Another 16% of viewers did not understand what was discussed during the broadcast.

Figure 6. What is your opinion of DDoS protection after the broadcast?


Conclusions

The discussion showed that the topic of countering DDoS attacks remains one of the most relevant in the field of information security. As experts at the studio rightly noted, even if the reasons that caused massive attacks on Russian companies change, the army of attackers who have mastered DDoS tools will continue to attack in order to monetize their skills — and this will no longer be a narrowly focused and local problem, but a global one.

One way or another, there is no reason to hope for a decrease in the number of attacks and a decrease in their power, which means that literally every company that has resources available from the Internet should think about protection. If possible, it is better to choose a cloud service: it can handle more powerful attacks and is often cheaper than an on-premises system. Experts recommend that you carefully read the SLA, but do not forget that this is only a formal side of protection.

13 April 2022 — 11:37

DDoS attacks are massive requests to an external resource in order to disable it. Protecting against such attacks is essential for businesses whose operations and income depend on the availability of resources on the Internet. Consider options for import substitution of means of protection against DDoS attacks in the context of sanctions against Russia.

The task of ensuring the availability of external company resources has always been relevant both for organizations selling their goods and services through websites, and for companies with simple business card websites. The unavailability of the site can lead to financial losses — in the form of lost profits or a decrease in customer traffic — and to image losses. The most effective malicious tool to cause this kind of unavailability is DDoS attacks, during which millions of requests are generated, «hanging» servers and applications. Attackers can attack websites for various purposes: blackmail, execution of an «order» from competitors, ideological motives, and simply to try their hand.

It should be noted that the methods of protection against DDoS attacks were previously discussed by experts in one of the AM Live broadcasts, and a recent episode was devoted to the protection of web applications under sanctions pressure. You can read its review in our article.

Earlier we also talked about which domestic WAF Russian organizations can choose as part of import substitution.

Import substitution options for DDoS protection solutions

Despite the widespread opinion that the Russian market lags behind the foreign one, there is something to choose from for protecting against DDoS attacks: solutions are available for small companies and large businesses, both combined (including WAF) and specialized. Many of them have been certified by the FSTEC of Russia and, importantly, have been analyzed by our experts. Information about these solutions is presented in the table.

Table 1. Options for import substitution of means of protection against DDoS attacks

Despite the suspension of activities of foreign vendors on the territory of the Russian Federation, the DDoS protection market is not in danger of devastation. Products and services developed by domestic manufacturers can adequately replace the products of foreign companies.

The choice of a specific solution depends on a number of criteria, among which are the following:

In addition, do not forget about the elementary information security rules that will help protect external resources. These are administrative access granulation, a ban on access to the administrator interface from external resources, regular software updates, timely closing of dangerous vulnerabilities, and other measures.

Mass media registration certificate EL No. FS 77 — 68398, issued by the Federal Service for Supervision of Communications, Information Technology and Mass Communications (Roskomnadzor) on January 27, 2017 Partial use of materials on other sites is allowed if there is a link to the source. The use of site materials with a full copy of the original is allowed only with the written permission of the administration.


The tsunami of DDoS attacks that hit Russian Internet resources in the spring and summer of this year demonstrated to everyone the relevance of this type of cyberthreat and dispelled the last doubts about the need to protect against them. The question is how to properly build protection against DDoS attacks and what mistakes should be avoided.

This analytical article summarizes the main observations and conclusions drawn from almost a decade of StormWall’s practice of building protection against DDoS attacks for its customers. The article will certainly be useful to those who want to ensure the effectiveness of protection, both in terms of the quality of repelling DDoS attacks, and in terms of the costs that will be required. This article will be especially valuable for those who are just starting to create Internet systems and have the opportunity to provide them with high resistance to DDoS risks already at the design stage.

The foundation of foundations is protectability

In order for an Internet resource (network, server, site or application providing mobile or web services) to remain available not only in “peaceful” time, but also under attack, it is often not enough just to connect DDoS protection to it. And the right settings don’t always help either. The thing is that different resources have different degrees of resistance to DDoS attacks. It depends not only on the technical characteristics of the resource, but also on how its owners or those who are responsible for it interact with providers of solutions to protect against DDoS attacks.


In 2017, our company formulated the concept of protectability against DDoS attacks and determined the main parameters that affect it. In our understanding, protectability is the ability of Internet-connected resources to be effectively protected from DDoS attacks with minimal cost, time, and effort. Here we interpret efficiency as the ratio of the length of time during which the consequences of an attack do not affect the availability of the resource to the total duration of the attack. Ideally, this ratio should tend to one. A lower value indicates that from some point on, the availability of the attacked resource became critically low.

Protectability is, if you like, the immunity of a resource to the effects of DDoS attacks: the higher it is, the more effective its protection can be. And, conversely, if the immune system is weak, then protection may not save this resource — it will most likely be unavailable for some time.

To ensure the protectability of a resource, four key tasks must be solved:

The first step matters

Otherwise, it will turn out like in the case of our client, who began (and urgently) to turn on protection only when he realized that he could not resist a powerful attack. And then it turned out that his specialists did not have at hand either a list of all Internet services, or certificates and private keys to them. While the client frantically tried to find or re-list its services, its network became unavailable. And since he could not enter the network, he also could not understand which of his resources were the targets of the attack.

You also need to determine what kind of protection your resources need: is it enough to filter packets at the network (L3 in the OSI model) and transport (L4) layers, or is it necessary to analyze application-layer (L7) traffic carried over HTTP/HTTPS or “on top” of them; which resources can be protected with disclosure of private SSL keys, and which cannot.

A detailed analysis of security needs will help you avoid many of the problems that arise from DDoS attacks.

And here is an example of what an insufficient study of these needs can lead to. One of our clients connected Anti-DDoS services not only from a large international supplier, but also from his Internet provider, however, these services could not protect the company from DDoS attacks last spring. When we began to understand at what levels protection is carried out, it turned out that there is protection against packet flooding at the L3 and L4 levels, but there is none against attacks at the L7 level — which just became the reason for the unavailability of Internet applications that turned out to be the target of the attack.

Special requirements — for the processing of personal and financial data

If your resource is a financial service or an application that provides the exchange of confidential (for example, personal) data, then most likely you will have to use protection without disclosing private SSL keys. In particular, it is required for systems that must comply with the international PCI DSS payment system standard.

To be clear, protection with disclosure of the SSL private key is commonly used at L7, as this method provides ample opportunity for interactive checks of application clients (those who sent a request to it) and makes it easier to decide whether it is safe for the application to deal with a specific client.

But if the application exchanges financial or other confidential data, then you need to use protection without disclosing private keys. In this case, the range of possibilities for checking application clients is sharply narrowed. Without going into details, let’s say that to assess legitimacy in such scenarios, system logs are analyzed for the presence of signatures, and a more complex analysis is performed that builds a behavioral model of application clients using machine learning: a model of normal behavior is built from the data accumulated in system logs, and a noticeable deviation from it is treated as an alarm signal. If such a signal is received, the traffic associated with the suspicious client is blocked.

Sometimes it is convenient to use a hybrid approach with a separate certificate and key pair, which is created specifically to provide protection against DDoS attacks. In this scenario, it is possible to hide the «native» private key, but at the same time use disclosure protection — StormWall has such an opportunity.

Not all security services are equally useful

After making a list of all resources that need to be secured and determining how to protect them, you need to choose a quality, reliable Anti-DDoS provider with a good reputation, with sufficient competence not only to provide protection services, but also to advise on building defense from cyber attacks and connecting Anti-DDoS services in the best possible way.

As a rule, companies that do not specialize in providing DDoS protection services simply sell access to the web interfaces of some solutions or devices without really understanding how they work. All further problems are connected with this: protection, most likely, is provided only on paper, but in reality it either does not work at all, or turns out to be ineffective.

A similar picture is observed in situations where the operator of a commercial data center, cloud or Internet provider resells the protection services of its partner, the Anti-DDoS provider. In principle, there is nothing wrong with this. The question is what quality and volume of support will be provided in the event of an attack: will you have a direct connection with the Anti-DDoS service provider and its support team, and does the hoster or Internet provider that directly sells the Anti-DDoS services have in-house DDoS protection specialists?

And what can be said of hosters and Internet providers, when even among specialized DDoS defenders the level and quality of services differ greatly. Not every Anti-DDoS provider will be able, for example, to adjust its protection to the specifics of your Internet resources. Therefore, you should clarify in advance how ready it is to adapt to your requirements and specifics.

Not all Anti-DDoS providers provide access to protection settings, and for those who do, the range of these settings can vary widely. It is useful to find out, and then check during testing, what the capacity of this provider’s filtering system is: 100, 200, 600 Gbit/s or some other figure. This will help to assess whether the filters themselves are able to withstand a serious attack of serious power.

It is very important to understand what kind of protection a particular provider offers. Often (especially if the protection comes as an addition to the Internet service) this is protection at the L3/L4 layers of the OSI model. But it is fundamentally unable to secure websites and applications from attacks using HTTP bots. If an attack is launched from a few computers, then at the packet level some anomalous activity can be detected that needs to be filtered out. However, if the number of attacking bots is in the thousands (such botnets can be rented literally for pennies), then no L3/L4 protection will filter out such an attack. Nor is it meant to. To repel such attacks, full-fledged L7 protection is required, which allows analyzing each HTTP request, conducting additional checks, studying system logs, examining them and finding out exactly what requests are being made and what kind of activity is being observed, drawing conclusions and making decisions based on them.
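The log-based client checks described above (signature matching plus a behavioral baseline built from logs, as used for L7 protection without disclosing the private key) can be illustrated with a small added example. This is not StormWall’s code: it parses constructed combined-format access-log lines, learns a per-client request-rate baseline from a quiet minute, and flags clients in an attack minute that exceed the baseline, hammer a single path, send an empty User-Agent, or mostly trigger error responses; the thresholds and sample addresses are assumptions.

```python
"""Log-based L7 client checks, as used when TLS private keys are not disclosed.

Added example, not the article's or StormWall's code. Log lines, addresses
and thresholds are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed combined log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def client_features(records):
    """Per-client counters: request count, distinct paths, errors, empty UAs."""
    feats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "empty_ua": 0})
    for r in records:
        f = feats[r["ip"]]
        f["requests"] += 1
        f["paths"].add(r["path"])
        if r["status"] >= 400:
            f["errors"] += 1
        if r["ua"] in ("", "-"):
            f["empty_ua"] += 1
    return feats


def build_baseline(peace_lines):
    """Model of normal behaviour: mean and spread of requests per client in a quiet window."""
    recs = [p for p in map(parse_line, peace_lines) if p]
    counts = [f["requests"] for f in client_features(recs).values()]
    return {"mean": statistics.fmean(counts), "sd": statistics.pstdev(counts), "n_clients": len(counts)}


def flag_clients(attack_lines, baseline, k=3.0, min_requests=10):
    """Return {ip: [reasons]} for clients whose traffic should be blocked."""
    recs = [p for p in map(parse_line, attack_lines) if p]
    # Floor the spread at 1 request so a very flat baseline still gives a usable limit.
    limit = baseline["mean"] + k * max(baseline["sd"], 1.0)
    flagged = {}
    for ip, f in client_features(recs).items():
        reasons = []
        if f["requests"] > limit:                                   # behavioral deviation
            reasons.append(f"rate {f['requests']} > baseline {limit:.1f}")
        if f["requests"] >= min_requests and len(f["paths"]) == 1:  # single-URL flood
            reasons.append("hammers a single path")
        if f["empty_ua"]:                                           # simple signature
            reasons.append("signature: empty User-Agent")
        if f["requests"] >= min_requests and f["errors"] / f["requests"] > 0.5:
            reasons.append("mostly error responses")
        if reasons:
            flagged[ip] = reasons
    return flagged


def make_line(ip, minute, sec, path, status=200, ua="Mozilla/5.0"):
    """Build one constructed log line (documentation-range addresses, fixed date)."""
    return (f'{ip} - - [10/Mar/2022:12:{minute:02d}:{sec:02d} +0300] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample traffic: a quiet minute with twenty ordinary visitors (1..3 pages each),
# then an attack minute with one returning visitor and two bots.
PEACE_LOG = []
for i in range(1, 21):
    for s, path in enumerate(("/", "/catalog", "/cart")[: 1 + i % 3]):
        PEACE_LOG.append(make_line(f"203.0.113.{i}", 0, s, path))

ATTACK_LOG = [make_line("203.0.113.5", 1, s, p) for s, p in enumerate(("/", "/catalog", "/cart"))]
ATTACK_LOG += [make_line("198.51.100.7", 1, s, "/login", ua="") for s in range(40)]    # one-URL flood
ATTACK_LOG += [make_line("198.51.100.8", 1, s, f"/x{s}", status=404) for s in range(30)]  # 404 scan

if __name__ == "__main__":
    base = build_baseline(PEACE_LOG)
    for ip, why in flag_clients(ATTACK_LOG, base).items():
        print(ip, "->", "; ".join(why))
```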

You also need to make sure that the Anti-DDoS provider knows how to filter the most critical types of DDoS attacks for you, and has the necessary set of methods and tools for this in order to successfully cut off illegitimate traffic. We know, for example, that not all DDoS defenders are able to filter UDP traffic, and this is often found out only when the client’s resources are unavailable. Some defenders, having recognized the attack, simply block UDP traffic without even trying to filter it. Many Anti-DDoS providers are not capable of filtering DNS traffic at the application level. And so on.

It is also very important to understand what opportunities the Anti-DDoS provider provides for prompt communication with customers: does its technical support service have a phone, chat, ticket system, or other channels through which you can ask a question and quickly get an answer. This is also very important, since the worst thing that can happen during a DDoS attack is a long, many hours, or even many days (if, for example, the attack happened on the evening before the weekend) waiting for a response.

All these nuances must be discussed with the provider in advance and worked out even before signing the contract with him. It is advisable that he take the time and advise you: suggest options for more effective protection of your perimeter, tell you what to consider and what protection methods to use to secure certain components of your Internet resources, etc.

In addition, it is important not to forget to systematically check its performance after enabling protection, using, for example, stress testing: it will help you get at least a general idea of what can happen to your service during a real attack. In particular, it is important to understand how the support of protection services works and what will happen if the attack starts on Friday evening or Sunday morning, when most specialists are resting, whether someone from the provider will help you in this case, etc.

Stress testing will also help you assess the resilience of your resource in the event of a weak DDoS attack. It is not a fact that the provider will be able to filter out all 100% of illegitimate traffic. And if it cuts off 99%, then the remaining 1% of a powerful attack can easily make your resource inaccessible if it does not have sufficient performance and is unable to process illegitimate traffic.


What not to allow the attacker

In practice, it often happens that in the course of building protection against DDoS attacks, a certain number of gaps remain uncovered. By analyzing them, an attacker can learn enough about your resources to carry out a successful attack, albeit not the first time. Sometimes he manages to understand the features of your infrastructure even better than you.

Another common mistake is «patchwork» or «piecewise» building defense against DDoS, when some of the resources are covered by it, and the other part is not. Attackers can easily find all your resources and identify among them unprotected, vulnerable to DDoS attacks. You can be sure: with proper motivation, these resources will sooner or later be found and attacked.

Of course, one must take into account the possibility of attacks on the DNS. It is imperative to evaluate how secure and how reliably the DNS services to which your resources are connected work. When a large Russian domain name registrar became unstable during the massive attacks last spring, many of its customers regretted not having provided connections to another DNS service that was reliably protected from DDoS attacks. Similar services are provided by both Anti-DDoS providers and companies specializing in providing DNS services. Your best bet is to connect to at least two DNS service providers. And it is highly desirable that providers of at least two such services provide DDoS protection for them.

If the DNS server is located on your own network, that network is worth protecting via a BGP announcement. To do this, find out from the Anti-DDoS provider whether it can filter attacks on DNS, and if it can, give it the addresses of the DNS servers so that it can configure filtering of the corresponding protocol's traffic for them.
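A practical way to verify the "at least two DNS providers" advice above is to look at the zone's NS records and confirm they are not all operated by one party. The following script is an added example, not code from the article or from any of the vendors it mentions. It assumes a simple heuristic (the last two labels of a nameserver hostname identify its operator) and works on constructed NS lists; in practice you would feed it the output of a real NS lookup for your own zone.

```python
"""Check that a zone's nameservers are spread across independent DNS providers.

Added example (not from the article). The nameserver hostnames below are
constructed samples, and the provider heuristic is an assumption: it treats
the last two DNS labels as the operator and ignores multi-part public
suffixes such as co.uk.
"""
from collections import defaultdict

# Constructed sample 1: both nameservers belong to the same operator.
SAMPLE_NS_SINGLE_PROVIDER = [
    "ns1.example-dns.net.",
    "ns2.example-dns.net.",
]

# Constructed sample 2: nameservers split across two independent operators.
SAMPLE_NS_TWO_PROVIDERS = [
    "ns1.example-dns.net.",
    "ns2.example-dns.net.",
    "ns-a.other-dns-provider.org.",
    "ns-b.other-dns-provider.org.",
]


def provider_of(nameserver: str) -> str:
    """Return the assumed operator of a nameserver (last two labels)."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_by_provider(nameservers):
    """Map each provider to the nameservers it operates."""
    groups = defaultdict(list)
    for ns in nameservers:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def ns_diversity_ok(nameservers, min_providers=2) -> bool:
    """True when the zone is served by at least `min_providers` operators."""
    return len(group_by_provider(nameservers)) >= min_providers


def diversity_report(nameservers, min_providers=2) -> str:
    """Human-readable finding for an audit checklist."""
    groups = group_by_provider(nameservers)
    verdict = "OK" if len(groups) >= min_providers else "SINGLE POINT OF FAILURE"
    lines = [f"{verdict}: {len(groups)} provider(s) for {len(nameservers)} NS records"]
    for provider, hosts in sorted(groups.items()):
        lines.append(f"  {provider}: {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(diversity_report(SAMPLE_NS_SINGLE_PROVIDER))
    print(diversity_report(SAMPLE_NS_TWO_PROVIDERS))
```

The check only tells you that the records point at different operators; whether each of those operators actually protects its DNS service against DDoS is a question to put to the provider, as the article recommends.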

In short, enabling DDoS protection only partially is useless. You need a comprehensive approach: protect the entire chain along which traffic flows, from DNS to the application server components, and make sure that each of your resources is adequately protected.

Don’t leave the «rake» lying around!

Often, protection against DDoS attacks appears to have been built, yet because of absurd mistakes it turns out to be ineffective. Since the same errors recur across a wide variety of clients, we have started calling them «rake», after the proverbial rake that people keep stepping on.

One bad case: applications are written to use the HTTP protocol but follow it «in their own way». For example, a banking application of one of our clients performed authorization over HTTP using the standard methods, and then started sending a data stream with no regard for the protocol at all. No normal DDoS protection that distinguishes between HTTP methods will let such requests through. The problem is solvable in principle, but solving it takes time, and once a DDoS attack has begun, every minute counts.

Another «textbook» problem: at the edge of the network there is often a low-performance device (a router, firewall or load balancer, for example). Cisco ASA firewalls and MikroTik routers are especially common in this role: they cope with normal load but cannot «digest» even a weak flood, and then block all network connectivity passing through them. During an attack the device’s CPU runs at 100%, so it is almost impossible to see what is happening on it. If such a device also performs SPI (stateful packet inspection) filtering, the situation is even worse.

The most difficult problems are those that were originally laid down

As a rule, customers apply for DDoS protection when their applications have already been created, deployed and put into production. At that point it often turns out that they are not so easy to protect, because neither the people who commissioned the applications nor their developers thought about DDoS risks from the start and designed these applications poorly in that respect.

Usually DDoS protection of mobile applications works like this: first, a scheme of how the application operates is drawn up (which locations visitors come from, which headers and methods it uses, with what intensity, and so on); then, based on this scheme, a normal interaction model is built, against which all requests to the application are compared. If the application provides no features that would allow legitimate requests to be distinguished from those generated by bots, recognizing the illegitimate requests becomes very difficult.

Once again about defensibility

Finally, we once again describe the main tasks of ensuring defensibility, this time in more detail and drawing on the experience of specialists.

First, give the attacker as little information as possible: where you can, hide the details of your architecture and of the protocols used to interact with your resources, so that the attacker can neither identify vulnerabilities in them, nor assess the possible damage from affecting them, nor identify possible targets, nor judge how successful an attack was, nor break into your systems to obtain the information they need or take control of individual components. If the attacker realizes that the attack has failed, then (given sufficient motivation) they will look for vulnerabilities in the targeted system and try to identify weaknesses in the infrastructure or application in order to organize a more effective attack.

Third, the Anti-DDoS provider must be given the ability to filter attacks; this is especially important for protecting applications. It is highly desirable that such features be built into the applications themselves: they allow the security provider to distinguish, almost exactly and on the basis of specific formal features, the behavior of legitimate visitors from the behavior of bots. How effective the protection of your applications can be in principle depends largely on how this problem is solved.

Securing UDP applications is also often difficult, since filtering UDP traffic is harder than filtering TCP traffic. To determine more accurately whether a given user of such an application is legitimate, the Anti-DDoS provider needs a clear understanding of the protocol used to interact with clients. You may have a pre-authorization procedure for assessing legitimacy. Alternatively, there may be clear rules for interacting with legitimate clients, by which the traffic filter can determine that a given client is legitimate. Sometimes legitimacy can be assessed through some TCP service.

As we have already said, the ideal option is to build in the ability to filter attacks at the stage of creating the application. To do this, while discussing the general outline of the future software product, tell your developers in detail how you plan to distinguish legitimate clients from illegitimate ones. This knowledge needs to be documented, stored and then handed over to the DDoS defender.

If your application has been in production for a very long time, you can go the other way: take the time to work out, together with the Anti-DDoS provider, how it actually behaves. A detailed analysis of its behavior will help the provider prepare a protection profile that takes the features of this application into account as fully as possible.
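The "normal interaction model" described above, and the formal features that let a provider tell legitimate clients from bots, can be written down as a small profile and checked mechanically. The script below is an added example, not code from the article or from any Anti-DDoS vendor; the profile values (the allowed methods and paths, the required custom headers, the user-agent format and the per-client rate limit) are assumptions for a hypothetical mobile banking API, and the access-log lines and log format are constructed for the demonstration. It shows how a documented profile turns into concrete filter decisions, including the case of a client that is structurally valid but exceeds the expected request rate.

```python
"""Formal interaction profile for a hypothetical mobile-app API, applied to
constructed access-log lines. Added example; profile values, log format and
log lines are all assumptions for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InteractionProfile:
    """What the app owner documents and hands to the Anti-DDoS provider."""
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    allowed_path_prefixes: tuple = ("/api/v1/rates", "/api/v1/login")
    required_headers: frozenset = frozenset({"x-app-version", "x-device-id"})
    user_agent_pattern: re.Pattern = re.compile(r"^ExampleBank/\d+\.\d+ \(")
    max_rps_per_client: int = 5  # expected intensity of one legitimate client


# Constructed log format: ip epoch-second "METHOD path HTTP/1.1" status "UA" "hdr;hdr"
LOG_RE = re.compile(
    r'(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.1" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<headers>[^"]*)"'
)

SAMPLE_LOG = [
    '198.51.100.10 1000 "GET /api/v1/rates HTTP/1.1" 200 "ExampleBank/3.2 (Android 13)" "x-app-version;x-device-id"',
    '198.51.100.10 1000 "POST /api/v1/login HTTP/1.1" 200 "ExampleBank/3.2 (iOS 16)" "x-app-version;x-device-id"',
    '203.0.113.5 1000 "GET /api/v1/rates HTTP/1.1" 200 "python-requests/2.31" ""',
    '203.0.113.6 1001 "GET /wp-login.php HTTP/1.1" 404 "ExampleBank/3.2 (Android 13)" "x-app-version;x-device-id"',
    '203.0.113.7 1001 "HEAD /api/v1/rates HTTP/1.1" 200 "ExampleBank/3.2 (Android 13)" "x-app-version;x-device-id"',
] + [
    # One client that looks valid but fires seven requests within one second.
    '203.0.113.8 1002 "GET /api/v1/rates HTTP/1.1" 200 "ExampleBank/3.2 (Android 13)" "x-app-version;x-device-id"'
] * 7


def classify(line: str, profile: InteractionProfile, counters: dict):
    """Return None for a request matching the profile, else the rejection reason."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable"
    headers = {h.strip().lower() for h in m["headers"].split(";") if h.strip()}
    key = (m["ip"], m["ts"])  # per-client, per-second request counter
    counters[key] = counters.get(key, 0) + 1
    if m["method"] not in profile.allowed_methods:
        return "method-not-in-profile"
    if not m["path"].startswith(profile.allowed_path_prefixes):
        return "path-not-in-profile"
    if not profile.user_agent_pattern.match(m["ua"]):
        return "user-agent-not-in-profile"
    missing = profile.required_headers - headers
    if missing:
        return "missing-headers:" + ",".join(sorted(missing))
    if counters[key] > profile.max_rps_per_client:
        return "rate-exceeded"
    return None


def filter_log(lines, profile: InteractionProfile = InteractionProfile()):
    """Split log lines into (legitimate, rejected) per the documented model."""
    counters: dict = {}
    legit, rejected = [], []
    for line in lines:
        reason = classify(line, profile, counters)
        (legit if reason is None else rejected).append((line, reason))
    return legit, rejected


if __name__ == "__main__":
    ok, bad = filter_log(SAMPLE_LOG)
    print(f"legitimate: {len(ok)}, rejected: {len(bad)}")
    for line, reason in bad:
        print(f"  {reason:28} {line[:40]}")
```

The value of such a profile is exactly what the article stresses: the custom headers and user-agent format are features the app owner chose deliberately and can describe to the provider in advance, so the provider does not have to infer "normal" behaviour from scratch in the middle of an attack.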

Fourth, it is important to make sure that your resource is sufficiently resistant to DDoS attacks. To do this, determine in advance how the components of your resource depend on each other and what its points of failure are.

The simplest example: a website works together with a client mobile application that requests exchange rates or other data from it. What happens if the site is unavailable? Will the mobile application have problems? Ideally, it should stop displaying current exchange rates or react in some other way, but on the whole keep working.
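The exchange-rate scenario just described, written as client-side code, is an added example and not from the article. It assumes a hypothetical `RatesClient` in the mobile app whose backend call is injected as a function, so the outage is simulated in-process rather than over the network; the breaker thresholds, cache lifetime and rate values are constructed for the demonstration. The point it demonstrates is the graceful degradation the article asks for: when the site is down, the app shows the last known rate marked as stale (or nothing) instead of failing, and it stops hammering the backend while the outage lasts.

```python
"""Graceful degradation of a rates feature when the backend is under attack.

Added example (not from the article). RatesClient, SimulatedBackend and the
numbers used are hypothetical; a real client would make an HTTP call with a
timeout where `fetch` is invoked."""
import time
from dataclasses import dataclass
from typing import Callable, Optional


class BackendUnavailable(Exception):
    """Raised by the fetch function on timeout, 5xx, or connection failure."""


@dataclass
class RatesView:
    rate: Optional[float]   # None when nothing trustworthy can be shown
    stale: bool             # True when the value is served from cache
    message: str            # what the UI shows next to the value


class RatesClient:
    def __init__(self, fetch: Callable[[], float], cache_ttl_s: float = 600,
                 failure_threshold: int = 3, open_for_s: float = 30,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch = fetch
        self._cache_ttl_s = cache_ttl_s
        self._failure_threshold = failure_threshold
        self._open_for_s = open_for_s
        self._clock = clock
        self._cached: Optional[float] = None
        self._cached_at = 0.0
        self._failures = 0
        self._open_until = 0.0  # circuit breaker: skip the backend while "open"

    def current_rate(self) -> RatesView:
        """Never raises: returns a live, cached-stale, or unavailable view."""
        now = self._clock()
        if now >= self._open_until:
            try:
                value = self._fetch()
                self._cached, self._cached_at, self._failures = value, now, 0
                return RatesView(value, False, "live")
            except BackendUnavailable:
                self._failures += 1
                if self._failures >= self._failure_threshold:
                    # Stop adding our own load to a backend that is already down.
                    self._open_until = now + self._open_for_s
        if self._cached is not None and now - self._cached_at <= self._cache_ttl_s:
            return RatesView(self._cached, True, "cached rate; backend unavailable")
        return RatesView(None, True, "rates temporarily unavailable")


class SimulatedBackend:
    """Constructed stand-in for the site: a scripted list of rates, None = outage."""
    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def fetch(self) -> float:
        self.calls += 1
        value = self.script.pop(0) if self.script else None
        if value is None:
            raise BackendUnavailable()
        return value


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def run_scenario():
    """One successful fetch, then an outage; returns the views shown and backend calls made."""
    clock = FakeClock()
    backend = SimulatedBackend([75.5, None, None, None, None])
    client = RatesClient(backend.fetch, cache_ttl_s=600, clock=clock)
    views = [client.current_rate()]          # t=0: live value
    for _ in range(4):                        # t=1..4: backend down
        clock.t += 1
        views.append(client.current_rate())
    clock.t += 700                            # cache has expired by now
    views.append(client.current_rate())
    return views, backend.calls


if __name__ == "__main__":
    for view in run_scenario()[0]:
        print(view)
```

Note that during the four seconds of outage the backend is called only three times: after the third failure the breaker opens, so the app keeps serving the cached value without contributing to the load on the site under attack.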

In addition, you need to ensure redundancy of capacity and make the resource stable against weak attacks. This is especially important when asymmetric protection is used. As we have already said, when filtering some types of DDoS attacks, part of the traffic «leaks» through. If there is a powerful attack, for example at 40 Gb/s, cutting off 99% of illegitimate traffic still means that a DDoS impact of 400 Mb/s lands on the protected resource. Whether it can withstand that is a big question. For it to do so, your router, firewall and server must have sufficient performance.

Golden Rules of DDoS Protection

Finally, here are three simple rules that will help you build a reliable line of defense against DDoS attacks.

As we have seen many times, defensibility is an integral property on which the resistance of Internet systems and resources to DDoS risks fundamentally depends. Ideally, it should be built in at the design stage: the right steps taken then make systems highly resistant to DDoS and, once protection is connected, give a favorable ratio of effectiveness to cost in repelling this type of attack.

And, of course, you need to understand that ensuring defensibility is a multifaceted task that touches every stage of the life cycle of Internet systems. Many aspects have to be considered, because the miscalculations and mistakes made when building a system in one way or another reduce the effectiveness of DDoS protection and raise the cost of the subsequent measures needed to reach a high level of DDoS resistance. To cope with the whole range of complex issues involved in securing Internet systems and resources, we recommend not relying solely on your own experience but actively engaging professional companies that specialize in protection against DDoS risks.
