Massive DDoS attacks. What is a DDoS attack?


A DoS or DDoS attack is an aggressive external impact on the computing resources of a server or workstation, carried out with the goal of bringing the target to failure. Failure here means not the physical failure of the machine but the inaccessibility of its resources to bona fide users: the system refuses to serve them (Denial of Service, which is where the abbreviation DoS comes from).

If such an attack is carried out from a single computer, it is classified as DoS; if from several, as DDoS (Distributed Denial of Service). Next we will look at why attackers carry out such attacks, what forms they take, what harm they cause to the target, and how the target can protect its resources.

Who can suffer from DoS and DDoS attacks?

Corporate servers of enterprises and websites are the usual targets; personal computers of individuals much less often. The purpose of such actions, as a rule, is the same: to cause economic harm to the target while remaining in the shadows. In some cases DoS and DDoS attacks are one stage of a server compromise aimed at stealing or destroying information. In practice, any company or website can become a victim.

A diagram illustrating the essence of a DDoS attack:

DoS and DDoS attacks are most often commissioned by dishonest competitors. By "crashing" the website of an online store that offers a similar product, one can temporarily become a "monopolist" and take its customers. By "taking down" a corporate server, one can disrupt the work of a competing company and thereby weaken its market position.

Large-scale attacks that can cause significant damage are usually carried out by professional cybercriminals for a lot of money. But not always. Your resources can be attacked by home-grown amateur hackers out of interest, avengers from among fired employees, and simply those who do not share your views on life.

Sometimes the impact is carried out for the purpose of extortion, while the attacker openly demands money from the owner of the resource to stop the attack.

The servers of state-owned companies and well-known organizations are often attacked by anonymous groups of highly skilled hackers in order to influence officials or cause public outcry.

How attacks are carried out

The operating principle of DoS and DDoS attacks is to send a large flow of data to the server which, as far as the attacker's capabilities allow, loads the processor and RAM, clogs the communication channels, or fills the disk space. The attacked machine cannot process the incoming data and stops responding to user requests.

This is what normal server operation looks like, visualized in the Logstalgia program:

The effectiveness of single-source DoS attacks is not very high. In addition, an attack from a personal computer exposes the attacker to the risk of being identified and caught. Distributed attacks (DDoS) carried out from so-called zombie networks, or botnets, are far more effective.

This is how the Norse-corp.com website displays the activity of the botnet:

A zombie network (botnet) is a group of computers that have no physical connection with each other. What they have in common is that they are all under the control of an attacker. Control is exercised through a Trojan program, which for the time being may not reveal itself in any way. When carrying out an attack, the hacker instructs the infected computers to send requests to the victim's website or server, which, unable to withstand the load, stops responding.

This is how Logstalgia shows a DDoS attack:

Absolutely any computer can become part of a botnet, and even a smartphone. It is enough for it to pick up a Trojan that is not detected in time. By the way, the largest botnet consisted of almost 2 million machines around the world, and their owners had no idea what they were doing.

Methods of attack and defense

Before launching an attack, the hacker figures out how to carry it out with maximum effect. If the attacked node has several vulnerabilities, the impact can be carried out in different directions, which will significantly complicate counteraction. Therefore, it is important for every server administrator to study all its “bottlenecks” and, if possible, strengthen them.

Flood

Flood, in simple terms, is information that does not carry any meaning. In the context of DoS/DDoS attacks, a flood is an avalanche of empty, meaningless requests of one level or another, which the receiving node is forced to process.

The main purpose of using flooding is to completely clog communication channels and saturate the bandwidth to the maximum.

Types of flood:

  • MAC flood - targets network switches (saturating their ports with traffic).
  • ICMP flood - inundating the victim with ICMP echo requests from a zombie network, or sending requests "on behalf of" the attacked node so that all members of the botnet simultaneously send it an echo reply (Smurf attack). A special case of ICMP flood is ping flood (sending ping requests to the server).
  • SYN flood - sending numerous SYN requests to the victim, overflowing the TCP connection queue with a large number of half-open connections (those waiting for the client's confirmation).
  • UDP flood - works according to the Smurf attack scheme, with UDP datagrams sent instead of ICMP packets.
  • HTTP flood - flooding the server with numerous HTTP requests. A more sophisticated variant is HTTPS flood, where the data sent is encrypted, so the attacked node has to decrypt it before it can process it.


How to protect yourself from flooding

  • Configure network switches to validate and filter MAC addresses.
  • Restrict or disable the processing of ICMP echo requests.
  • Block packets coming from any address or domain that gives reason to suspect it.
  • Limit the number of half-open connections from a single address, reduce how long they are held, and lengthen the TCP connection queue.
  • Stop UDP services from receiving traffic from outside, or limit the number of UDP connections.
  • Use CAPTCHA, delays and other bot-protection techniques.
  • Increase the maximum number of HTTP connections and configure request caching (for example, with nginx).
  • Expand network channel capacity.
  • If cryptography is used, dedicate a separate server to it where possible.
  • Create a backup channel for administrative access to the server in emergencies.
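The SYN-flood measures in the list above (a cap on half-open connections per address, a shorter holding time, a longer queue), shown in a small simulation of a listen backlog. This is an added example, not code from the original article; the backlog model, the addresses and the timings are constructed assumptions:

```python
"""Toy model of a TCP listen backlog under a SYN flood, to show what the three
SYN-flood measures above do: a cap on half-open connections per source address,
a shorter holding time for half-open entries, and a longer backlog queue.
Added example, not code from the original article; the flood, the addresses
and the timings are constructed, and time is an integer number of milliseconds.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Backlog:
    max_queue: int      # total half-open (SYN_RECV) entries the listener keeps
    hold_ms: int        # how long an unanswered SYN-ACK stays in the queue
    per_source: int     # half-open entries allowed per source address
    pending: dict = field(default_factory=dict)   # (src, sport) -> expiry time
    dropped: int = 0
    completed: int = 0

    def _expire(self, now):
        # Half-open entries whose holding time has passed are forgotten.
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}

    def on_syn(self, now, src, sport):
        """A SYN arrives: queue a half-open entry if both limits allow it."""
        self._expire(now)
        by_src = Counter(s for s, _ in self.pending)
        if len(self.pending) >= self.max_queue or by_src[src] >= self.per_source:
            self.dropped += 1
            return False
        self.pending[(src, sport)] = now + self.hold_ms
        return True

    def on_ack(self, now, src, sport):
        """The final ACK arrives: the handshake completes only if its entry is still queued."""
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False
        self.completed += 1
        return True


def run_scenario(max_queue, hold_ms, per_source, spoofed=False):
    """Replay a constructed flood, then one legitimate handshake at t = 1000 ms.

    The flood: 20 bots each send 50 SYNs during the first second (one round of
    20 SYNs every 20 ms) and never answer the SYN-ACK.  With spoofed=True every
    SYN carries a fresh source address, so a per-source cap cannot catch it.
    Returns (legitimate handshake completed, SYNs dropped, handshakes completed).
    """
    b = Backlog(max_queue, hold_ms, per_source)
    for rnd in range(50):
        for host in range(20):
            n = rnd * 20 + host
            src = f"10.{n // 256}.{n % 256}.9" if spoofed else f"203.0.113.{host + 1}"
            b.on_syn(rnd * 20, src, 10000 + n)
    client = ("198.51.100.7", 40000)
    ok = b.on_syn(1000, *client) and b.on_ack(1050, *client)
    return ok, b.dropped, b.completed


if __name__ == "__main__":
    print("queue 128, hold 60 s, no per-source cap:", run_scenario(128, 60000, 10**9))
    print("queue 128, hold 60 s, cap 5 per source: ", run_scenario(128, 60000, 5))
    print("same cap, spoofed sources:              ", run_scenario(128, 60000, 5, spoofed=True))
    print("spoofed, hold cut to 100 ms:            ", run_scenario(128, 100, 5, spoofed=True))
    print("queue 1024, hold 60 s, no cap:          ", run_scenario(1024, 60000, 10**9))
```

The scenarios show the caveat behind the list: a per-address cap only helps while the flood comes from a limited set of real addresses, whereas against spoofed sources the holding time and the queue length do the work.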

Hardware overload

There are types of flooding that affect not the communication channel, but the hardware resources of the attacked computer, loading them to their full capacity and causing a freeze or crash. For example:

  • Running a script that posts huge amounts of meaningless text on a forum or website where users can leave comments, until the entire disk space is filled.
  • The same effect, but with the server's own logs filling the drive.
  • Keeping a site that performs some transformation of submitted data continuously busy processing it (sending so-called "heavy" requests).
  • Loading the processor or memory by executing code through the CGI interface (CGI support allows any external program to be run on the server).
  • Triggering the security system so that the server becomes inaccessible from outside, and so on.


How to protect yourself from overloading hardware resources

  • Increase hardware performance and disk space. When the server is operating normally, at least 25-30% of its resources should remain free.
  • Use traffic analysis and filtering systems in front of the server.
  • Limit the hardware resources available to system components (set quotas).
  • Store server log files on a separate drive.
  • Distribute resources across several mutually independent servers, so that if one part fails the others remain operational.

Vulnerabilities in operating systems, software, device firmware

There are immeasurably more ways to carry out this type of attack than there are kinds of flooding. Their implementation depends on the attacker's skill and experience, on his ability to find errors in program code and turn them to his benefit and to the detriment of the resource owner.

Once a hacker discovers a vulnerability (an error in software that can be used to disrupt the operation of the system), all he has to do is create and run an exploit - a program that exploits this vulnerability.

Exploitation of vulnerabilities is not always intended to cause only a denial of service. If the hacker is lucky, he will be able to gain control of the resource and use this “gift of fate” at his own discretion. For example, use it to distribute malware, steal and destroy information, etc.

Methods to counter the exploitation of software vulnerabilities

  • Install updates that close vulnerabilities in operating systems and applications promptly.
  • Isolate all services intended for administrative tasks from outside access.
  • Use tools for continuous monitoring of the server OS and programs (behavioral analysis, etc.).
  • Avoid potentially vulnerable programs (free, self-written, rarely updated) in favor of proven and well-protected ones.
  • Use ready-made protection against DoS and DDoS attacks, which exists both as hardware appliances and as software.

How to determine that a resource has been attacked by a hacker

If the attacker achieves the goal, the attack cannot go unnoticed, but in some cases the administrator cannot determine exactly when it began: several hours sometimes pass from the onset of the attack to noticeable symptoms. Even during this hidden phase (before the server goes down), certain signs are present. For example:

  • Unnatural behavior of server applications or the operating system (freezes, termination with errors, etc.).
  • The load on the processor, RAM and storage rises sharply compared to the usual level.
  • The volume of traffic on one or more ports increases significantly.
  • Many clients request the same resources (opening the same web page, downloading the same file).
  • Analysis of server, firewall and network device logs shows a large number of monotonous requests from various addresses, often directed at a specific port or service. This is especially telling if the site is aimed at a narrow audience (for example, Russian speakers) but requests come from all over the world. A closer look at the traffic shows that the requests have no practical meaning for the clients.

All of the above is not a 100% sign of an attack, but it is always a reason to pay attention to the problem and take appropriate protective measures.
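The log-based signs listed above (many monotonous requests to one resource from many different addresses) turned into a small detector run over constructed access-log lines. This is an added example, not code from the original article; the log format is the common combined format and the thresholds are assumed values to be tuned to a site's normal traffic:

```python
"""Scan web-server access-log lines for the attack symptoms listed above:
many near-identical requests to one resource, arriving from a large number
of distinct addresses within a short window.  Added example, not code from the
original article; the log lines are constructed in the common combined format
and the thresholds are assumptions to be tuned to a site's normal traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_floods(lines, window_s=10, min_requests=30, min_sources=20, same_ua_share=0.9):
    """Group requests by (time window, path); report every group that has at least
    min_requests requests from at least min_sources distinct addresses.  A group is
    marked 'monotonous' when a share >= same_ua_share of its requests carry one
    identical User-Agent, the kind of uniformity real visitors rarely show."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        window = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[(window, rec["path"])].append(rec)

    findings = []
    for (window, path), recs in sorted(buckets.items()):
        sources = {r["ip"] for r in recs}
        if len(recs) < min_requests or len(sources) < min_sources:
            continue
        top_ua, top_n = Counter(r["ua"] for r in recs).most_common(1)[0]
        findings.append({
            "window": datetime.fromtimestamp(window, tz=timezone.utc).strftime("%H:%M:%S"),
            "path": path,
            "requests": len(recs),
            "sources": len(sources),
            "monotonous": top_n / len(recs) >= same_ua_share,
            "top_user_agent": top_ua,
        })
    return findings


def constructed_log():
    """Constructed sample: a few ordinary visitors, then 40 bots that all fetch
    the same page with the same User-Agent within two seconds."""
    def line(ip, clock, path, ua, ref="-"):
        return (f'{ip} - - [02/Dec/2011:{clock} +0000] "GET {path} HTTP/1.1" '
                f'200 1532 "{ref}" "{ua}"')

    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/8.0"
    lines = [
        line("198.51.100.7", "16:30:01", "/", browser),
        line("198.51.100.7", "16:30:01", "/style.css", browser, ref="http://example.test/"),
        line("198.51.100.23", "16:30:05", "/about.html", browser),
        line("192.0.2.14", "16:30:09", "/", browser),
        line("192.0.2.14", "16:30:09", "/style.css", browser, ref="http://example.test/"),
    ]
    bot_ua = "Mozilla/4.0 (compatible; MSIE 6.0)"
    for n in range(40):
        lines.append(line(f"203.0.113.{n + 1}", f"16:32:1{n % 2}", "/", bot_ua))
    return lines


if __name__ == "__main__":
    for finding in find_floods(constructed_log()):
        print(finding)
```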

Today let's try to clarify the situation around DDoS attacks on servers. After all, this problem really does intersect with the topic of hosting as such.

The thing is quite unpleasant. Imagine: yesterday I installed a brand new plugin on my WordPress, and suddenly, after a while, bam! The blog stops opening in the browser. Moreover, other sites are loading perfectly at the same time. Thoughts creep in: I screwed something up with the plugin. I click to reload the page many times and nothing happens! Then it really did start working, but I had to go through a few unpleasant minutes.

And today in my mail I see a letter from TimeWeb technical support. I won't hide it, I host there. And what is there to hide, just enter the site address in Whois.
The letter reads:

"Dear users.
Today, December 2, 2011 at 16:32 Moscow time, a massive DDOS attack began on the TIMEWEB technology platform, which disrupted the operation of some sites and servers.
TIMEWEB engineers took control of the situation and by 18:45 stable operation of the site was completely restored..."

I decided to figure out where DDoS attacks on servers come from and what they are, anyway. And this is what I dug up.

DDoS attacks on a server: what are they?

First, let's take a look at Wikipedia; where would we be without it:

DOS ATTACK (from the English Denial of Service) - an attack on a computer system with the aim of bringing it to failure, that is, to a state in which legitimate (rightful) users of the system cannot access the resources it provides (servers, services), or such access is difficult. The failure of an "enemy" system can be either an end in itself (for example, making a popular website unavailable) or one of the steps towards seizing control of the system (if in an emergency situation the software gives out any critical information - for example, a version, part of the program code, etc.).

If an attack is carried out simultaneously from a large number of computers, one speaks of a DDOS ATTACK (from the English Distributed Denial of Service). In some cases an actual DDoS attack is caused by a legitimate action, for example, posting on a popular Internet resource a link to a site hosted on a not very powerful server. A large influx of users exceeds the permissible load on the server and, consequently, some of them are denied service.

So, on the one hand, there is an object of attack - a certain server or website, and on the other hand, a group of attackers organizing a DDoS attack on the object of attack.

What goals do the organizers of a DDoS attack pursue?

One of the most harmless reasons is banal cyber-bullying. The matter is aggravated by the fact that most programs for organizing attacks are freely available on the Internet.

Unfair competition generates more serious DDoS attacks. The goals here vary: to bring down the competitor's server, thereby disrupting the opponent's work, and on top of that to create a negative image of the competitor in the market. The server may also be hacked, since under a massive attack fragments of information, such as program code, can slip out for everyone to see.

Also, using DDoS attacks, various DDoS groups can announce their existence or present demands and ultimatums to server owners.

Here are some examples of DDoS attacks on servers which I found on Lurkomorye:

  • OOFR (Organization of United Phages of Russia), which includes the following meme groups: Superstitious Leper Colony, Fallen Part of LiveJournal and led, of course, by Upyachka.

The main victims of the OPFR were:

  1. www.mail.ru (for the project BEETLES),
  2. www.gay.com (for being gay),
  3. www.4chan.org (for insulting the god “Onotole”),
  4. www.wikipedia.org (for an article about the UPCHK, which included an insult towards cats (Kote) that was not removed by the moderator within a month).

Many organizations working in the field of protection against DDoS attacks, despite the achievements in this area, still recognize the growing danger of the threat, mainly due to the ease of organizing attacks.

A BRIEF SUMMARY:

We, ordinary Internet users, should be most interested in how the hosters where we rent hosting for our creations, our websites, handle protection from cyber attacks. As we see in this particular case, TimeWeb dealt with the problem quite quickly. I give them a second plus for notifying me about it by email.

By the way, I recently gave TimeWeb another simple test.

That's all about DDoS attacks for today.

We'll soon talk about what they are and how protection against cyber attacks is organized.

This organization (NIC.tr), in addition to registering domain names in the .tr zone, also provides backbone communications to Turkish universities. Anonymous hacktivists claimed responsibility for the attack, accusing the Turkish leadership of supporting ISIS.

The first signs of DDoS appeared on the morning of December 14; by noon, five NIC.tr servers had collapsed under junk traffic of up to 40 Gbps. The problem also affected the RIPE coordination center, which provides alternative NS infrastructure for NIC.tr. RIPE representatives noted that the attack was modified so as to bypass RIPE's security measures.

Large-scale DDoS attacks are becoming the most effective way to disrupt web services: the cost of attacks is constantly decreasing, which allows their power to grow. In just two years the average power of a DDoS attack has quadrupled, to 8 Gbps. Compared to average values the attack on Turkey's national domain zone looks impressive, but experts emphasize that DDoS attacks at the level of 400 Gbps will soon become the norm.

The uniqueness of the Turkish attack is that the attackers chose the right target: by concentrating on a relatively small number of IP addresses, they were able to practically cripple the infrastructure of an entire country with just a 40-gigabit attack.

Turkey's National Cyber Incident Response Center blocked all traffic coming to NIC.tr servers from other countries, causing all 400,000 Turkish websites to become unavailable and all email messages to be returned to their senders. Later the center changed tactics, selectively blocking suspicious IP addresses. DNS servers for domains in the .tr zone were reconfigured to distribute requests between public and private servers, with help from the Turkish Internet providers Superonline and Vodafone.

The attacked domains returned online on the same day, but many sites and email services continued to function intermittently for several days. Not only local companies and government organizations were affected, but also many national web resources that chose a domain name in the .tr zone; in total this is about 400 thousand websites, 75% of which are corporate. The Turkish national domain is also used by educational institutions, municipalities and the military.

Until “anonymous” made a statement, many blamed the Russians for the DDoS attack - due to tense relations between Turkey and Russia. At one time, for similar reasons, Russian hackers were suspected of involvement in large-scale cyber attacks on Estonia (2007), Georgia (2008) and Ukraine (2014). Some experts considered the Turkish DDoS to be the Russians’ response to a DDoS attack by Turkish cyber groups on the Russian news site Sputnik.

The Anonymous statement deprived the hypothesis of a “Russian trace” of any basis. Hacktivists are also threatening to attack Turkish airports, banks, government servers and military organizations if Turkey does not stop helping ISIS.

The FSB is investigating a criminal case concerning a massive hacker attack using the Internet of Things (IoT) on financial sector facilities in the fall of 2016, whose targets were Sberbank, Rosbank, Alfa-Bank, Bank of Moscow, the Moscow Exchange and others.

As Kommersant writes, Deputy Director of the FSB Dmitry Shalkov spoke about this when speaking in the State Duma at the presentation of a package of government bills on the security of critical information infrastructure (CII) of the Russian Federation.

In 2016, about 70 million DDoS attacks were recorded on Russian official information resources, which is three times more than the year before. However, the November hacker attacks are different from most of them, Shalkov noted.

According to him, between November 8 and November 14 medium-power DDoS attacks were carried out on eight organizations. They involved so-called botnets (computers with Internet access hacked and taken under the control of hackers), using IoT devices connected to the network, in particular web cameras. The deputy director of the FSB noted the similarity of the coordinated attack on Russian structures to the six-hour October attack in the United States against the services of the Internet provider Dyn, as a result of which a number of large American resources (Twitter, CNN, Spotify, The New York Times and Reddit) were unavailable for a long time.

However, the attacks were not accompanied by theft of funds, and the attacked banks did not record disruptions to their services. After the November attacks, such incidents did not recur, the Central Bank of the Russian Federation reported.

Kommersant notes that DDoS attacks themselves are not aimed at stealing money; they are used, as a rule, to block websites and online banking services. Gleb Cherbov, deputy head of the security audit department at Digital Security, explained that “devices and servers controlled by attackers are united in botnets, ready to generate network traffic that acquires fatal proportions for the system under attack.” However, massive DDoS attacks can cause serious losses for banks. For example, the unavailability of services can cause panic among depositors, who will begin to withdraw deposits en masse. In addition, massive DDoS attacks are often used to disguise other activities. In particular, while security experts are fixing the vulnerability, attackers can penetrate the banking infrastructure.

According to the publication, the initiation of a criminal case by the FSB into hacker attacks in November 2016 means that the suspects have already been identified by the investigation. The investigation deals with such cases for at least six months, but in reality the period stretches for two to three years, the publication’s source notes.

Introduction

Let me say at the outset that when I wrote this review I was primarily addressing an audience that understands the specifics of how telecom operators and their data networks work. This article outlines the basic principles of protection against DDoS attacks, the history of their development over the last decade, and the current situation.

What is DDoS?

Probably, today, if not every “user,” then at least every “IT specialist” knows what DDoS attacks are. But a few words still need to be said.

DDoS attacks (Distributed Denial of Service) are attacks on computer systems (network resources or communication channels) aimed at making them inaccessible to legitimate users. DDoS attacks involve simultaneously sending a large number of requests towards a specific resource from one or many computers located on the Internet. If thousands, tens of thousands or millions of computers simultaneously start sending requests to a specific server (or network service), then either the server will not be able to handle it, or there will not be enough bandwidth for the communication channel to this server. In both cases, Internet users will not be able to access the attacked server, or even all servers and other resources connected through a blocked communication channel.

Some features of DDoS attacks

Against whom and for what purpose are DDoS attacks launched?

DDoS attacks can be launched against any resource on the Internet. The greatest damage is suffered by organizations whose business is directly tied to their presence on the Internet: banks (providing Internet banking services), online stores, trading platforms, auctions, and other businesses whose activity and efficiency depend significantly on their Internet presence (travel agencies, airlines, hardware and software manufacturers, etc.). DDoS attacks are regularly launched against the resources of such giants of the global IT industry as IBM, Cisco Systems, Microsoft and others. Massive DDoS attacks have been observed against eBay.com, Amazon.com, and many well-known banks and organizations.

Very often DDoS attacks are launched against the web presence of political organizations, institutions or well-known individuals. Many people know about the massive and lengthy DDoS attacks launched against the website of the President of Georgia during the Georgian-Ossetian war of 2008 (the website was unavailable for several months starting in August 2008), against the servers of the Estonian government (in the spring of 2007, during the unrest associated with the relocation of the Bronze Soldier), and about periodic attacks from the North Korean segment of the Internet against American sites.

The main goals of DDoS attacks are either to extract benefits (direct or indirect) through blackmail and extortion, or to pursue political interests, escalate the situation, or take revenge.

What are the mechanisms for launching DDoS attacks?

The most popular and dangerous way to launch DDoS attacks is the use of botnets. A botnet is a set of computers on which special software implants (bots) are installed; translated from English, a botnet is a network of bots. Bots are usually developed by hackers individually for each botnet, and their main purpose is to send requests towards a specific resource on the Internet on a command received from the botnet control server (Botnet Command and Control Server). The control server is operated by a hacker, or by a person who bought from the hacker the botnet and the ability to launch a DDoS attack with it. Bots spread on the Internet in various ways: usually by attacking computers that run vulnerable services and installing the implant on them, or by deceiving users into installing bots under the guise of some other software that performs a harmless or even useful function. There are many ways to spread bots, and new methods are invented regularly.

If the botnet is large enough, tens or hundreds of thousands of computers, then the simultaneous sending from all of them of even completely legitimate requests towards a certain network service (for example, a web service on a specific site) will exhaust the resources either of the service itself or of its server, or the capacity of the communication channel. In any case the service will be unavailable to users, and its owner will suffer direct, indirect and reputational damage. And if each computer sends not just one request but tens, hundreds or thousands of requests per second, the impact of the attack increases many times over, which makes it possible to bring down even the most capable resources or communication channels.

Some attacks are launched in more "harmless" ways. One example is a flash mob of users of certain forums who, by agreement, launch "pings" or other requests from their computers towards a specific server at an agreed time. Another is placing a link to a website on popular Internet resources, which causes an influx of users to the target server. If a "fake" link (one that outwardly looks like a link to one resource but in fact leads to a completely different server) points to the website of a small organization but is posted on popular servers or forums, such an attack can cause an influx of visitors that is unwanted for this site. Attacks of the last two types rarely take a server offline on properly organized hosting sites, but there have been such cases, including in Russia in 2009.

Will traditional technical means of protection against DDoS attacks help?

The peculiarity of DDoS attacks is that they consist of many simultaneous requests, each of which individually is completely "legal"; moreover, these requests are sent by computers (infected with bots) that may well belong to perfectly ordinary real or potential users of the attacked service or resource. Therefore it is very difficult to correctly identify and filter exactly those requests that constitute a DDoS attack using standard tools. Standard IDS/IPS systems (Intrusion Detection / Prevention Systems) will find no "corpus delicti" in these requests and will not recognize them as part of an attack unless they perform a qualitative analysis of traffic anomalies. And even if they do, filtering out the unwanted requests is not easy either: standard firewalls and routers filter traffic based on clearly defined access lists (control rules) and cannot "dynamically" adapt to the profile of a specific attack. Firewalls can regulate traffic flows based on criteria such as source addresses, network services used, ports and protocols. But ordinary Internet users take part in a DDoS attack, sending requests over the most common protocols; should a telecom operator ban everyone and everything? Then it would simply stop providing communication services to its subscribers and access to the network resources it serves, which is exactly what the initiator of the attack is seeking.

Many specialists are probably aware of the existence of special solutions for protection against DDoS attacks, which consist of detecting anomalies in traffic, building a traffic profile and an attack profile, and the subsequent process of dynamic multi-stage traffic filtering. And I will also talk about these solutions in this article, but a little later. First, we will talk about some lesser-known, but sometimes quite effective measures that can be taken to suppress DDoS attacks by existing means of the data network and its administrators.

Protection against DDoS attacks using available means

There are quite a few mechanisms and “tricks” that allow, in some special cases, to suppress DDoS attacks. Some can only be used if the data network is built on equipment from a specific manufacturer, others are more or less universal.

Let's start with the recommendations of Cisco Systems. Its experts recommend Network Foundation Protection, which covers protection of the management plane (Management Plane), the control plane (Control Plane), and the data plane (Data Plane).

Management Plane Protection

The management plane covers all traffic that manages or monitors routers and other network equipment. This traffic is directed towards the router or originates from it. Examples of such traffic are Telnet, SSH and HTTP(S) sessions, syslog messages and SNMP traps. General best practices include:

Ensuring maximum security of management and monitoring protocols, using encryption and authentication:

  • the SNMP v3 protocol provides security measures, while SNMP v1 provides practically none and SNMP v2 only partial ones; the default community values must always be changed;
  • different values should be used for the public and private communities;
  • the telnet protocol transmits all data, including the login and password, in clear text (if the traffic is intercepted, this information can easily be extracted and used); it is recommended to always use the SSH v2 protocol instead;
  • similarly, use HTTPS instead of HTTP to access equipment.

Strict access control to equipment, including an adequate password policy, centralized authentication, authorization and accounting (the AAA model) and local authentication for redundancy;

Implementation of a role-based access model;

Control of allowed connections by source address using access control lists;

Disabling unused services, many of which are enabled by default (or they forgot to disable them after diagnosing or configuring the system);

Monitoring the use of equipment resources.

The last two points are worth dwelling on in more detail.
Some services that are turned on by default, or that were not turned off after configuring or diagnosing the equipment, can be used by attackers to bypass existing security rules. The list of these services is below:

  • PAD (packet assembler/disassembler);

Naturally, before disabling these services, you need to carefully analyze whether they are necessary on your network.

It is advisable to monitor the use of equipment resources. This allows, first, timely detection of overload on individual network elements so that measures can be taken to prevent an outage, and second, detection of DDoS attacks and anomalies where no special means are provided for it. At a minimum, it is recommended to monitor:

  • CPU load
  • memory usage
  • utilization of router interfaces.

Monitoring can be carried out “manually” (periodically monitoring the status of the equipment), but it is better, of course, to do this with special network monitoring or information security monitoring systems (the latter includes Cisco MARS).

Control Plane Protection

The control plane includes all service traffic that keeps the network functioning and connected according to the specified topology and parameters. Examples of control plane traffic: all traffic generated by or destined for the route processor (RP), including all routing protocols, in some cases SSH and SNMP, and ICMP. Any attack on the route processor, and especially a DDoS attack, can lead to significant problems and interruptions in the functioning of the network. The following are best practices for protecting the control plane.

Control Plane Policing

Control Plane Policing applies QoS mechanisms (classification and policing) to the traffic that is destined for the router's own control plane: each class of control-plane traffic is rate-limited, so that a flood aimed at the router's addresses cannot exhaust the route processor, while legitimate routing-protocol and management traffic within its allotted rate continues to be processed. The effect is to preserve the operation of the service protocols and the route processor, that is, to maintain the topology and connectivity of the network together with the actual routing and switching of packets.

IP Receive ACL

This functionality filters and controls the service traffic destined for the router itself and its route processor. Receive ACLs:

  • are applied directly on routing equipment before the traffic reaches the routing processor, providing “personal” equipment protection;
  • are applied after the traffic has passed through normal access control lists - they are the last level of protection on the way to the routing processor;
  • apply to all traffic (both internal, external, and transit in relation to the telecom operator’s network).
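An added example (not the article's own) of both mechanisms on Cisco IOS: a Control Plane Policing policy that classifies traffic punted to the route processor and polices each class, followed by the receive-ACL variant for platforms that support `ip receive access-list`. The eBGP peer 192.0.2.2 on local address 192.0.2.1, the management subnet 198.51.100.0/26 and the police rates are assumptions; the rates in particular must be tuned from observed traffic (`show policy-map control-plane`) before the exceed-action on any class is set to drop.

```cisco
! Added example, not from the original article. Peer/management addresses
! and rates are assumptions; tune the rates from "show policy-map control-plane".
!
! 1. Classify the traffic punted to the route processor.
ip access-list extended COPP-ROUTING
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp 198.51.100.0 0.0.0.63 any eq 22
 permit tcp 198.51.100.0 0.0.0.63 any eq 443
 permit udp 198.51.100.0 0.0.0.63 any eq snmp
ip access-list extended COPP-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
!
class-map match-all CM-COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all CM-COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all CM-COPP-ICMP
 match access-group name COPP-ICMP
!
! 2. Police per class: routing protocols are never dropped, management and
!    ICMP get a bounded rate, everything else is held to a trickle so a flood
!    aimed at the router's own addresses cannot starve the RP.
policy-map PM-COPP
 class CM-COPP-ROUTING
  police 1000000 conform-action transmit exceed-action transmit
 class CM-COPP-MGMT
  police 256000 conform-action transmit exceed-action drop
 class CM-COPP-ICMP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
! 3. Attach it to the control plane: this applies only to traffic destined
!    for the router, never to transit traffic.
control-plane
 service-policy input PM-COPP
!
! Receive ACL (e.g. Cisco 12000): an explicit allow-list of what may reach
! the RP after the interface ACLs; everything else is dropped and logged.
access-list 150 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
access-list 150 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
access-list 150 permit ospf any any
access-list 150 permit tcp 198.51.100.0 0.0.0.63 any eq 22
access-list 150 permit udp 198.51.100.0 0.0.0.63 any eq snmp
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any ttl-exceeded
access-list 150 permit icmp any any unreachable
access-list 150 deny   ip any any log
ip receive access-list 150
```

Deploy the policy first with `exceed-action transmit` on every class and watch the per-class counters for a few days; only then lower the exceed-action to drop. A class-default rate set too low is the classic self-inflicted outage, because anything you forgot to classify (a new routing protocol, a new NMS) lands there.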

Infrastructure ACL

Typically, access to the infrastructure addresses of routing equipment is needed only by hosts on the carrier's own network, with a few exceptions (eBGP, GRE, IPv6-over-IPv4 tunnels and ICMP, for example). Infrastructure ACLs:

  • are usually installed at the edge of the telecom operator's network ("at the entrance to the network");
  • prevent external hosts from reaching the operator's infrastructure addresses;
  • let transit traffic cross the border of the operator's network unhindered;
  • provide the basic anti-spoofing protection based on RFC 1918 and RFC 3330: packets arriving from outside with private or other special-use source addresses, or with the operator's own addresses as source, are dropped (spoofing is the use of fake source IP addresses to disguise the origin of an attack).
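An added example (not the article's own) of an infrastructure ACL on the upstream-facing interface of a provider edge router. It follows the four steps the text describes: permit the few external sources that legitimately reach infrastructure addresses, drop spoofed sources, deny everything else addressed to the infrastructure, and let transit through. The address plan is an assumption: 198.51.100.0/24 is the provider's infrastructure (loopbacks and core links), 192.0.2.0/30 the eBGP link (local .1, peer .2), 203.0.113.0/24 the customer space.

```cisco
! Added example, not from the original article. 198.51.100.0/24 = provider
! infrastructure, 192.0.2.0/30 = eBGP link to the upstream (local .1, peer .2),
! 203.0.113.0/24 = customer space; all addresses are assumptions.
ip access-list extended IACL-UPSTREAM-IN
 remark 1. the few external sources that may reach infrastructure addresses
 permit tcp host 192.0.2.2 host 192.0.2.1 eq bgp
 permit tcp host 192.0.2.2 eq bgp host 192.0.2.1
 permit gre host 192.0.2.2 host 198.51.100.1
 permit icmp any 198.51.100.0 0.0.0.255 echo
 permit icmp any 198.51.100.0 0.0.0.255 echo-reply
 permit icmp any 198.51.100.0 0.0.0.255 ttl-exceeded
 permit icmp any 198.51.100.0 0.0.0.255 packet-too-big
 permit icmp any 198.51.100.0 0.0.0.255 unreachable
 remark 2. anti-spoofing: sources that can never legitimately arrive from outside
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark 3. nothing else may be addressed to the infrastructure itself
 deny   ip any 198.51.100.0 0.0.0.255
 deny   ip any 192.0.2.0 0.0.0.3
 remark 4. transit to customers passes untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description eBGP link to upstream provider
 ip address 192.0.2.1 255.255.255.252
 ip access-group IACL-UPSTREAM-IN in
```

Two caveats a practitioner will hit: the `deny ip 203.0.113.0 ... any` line is only correct while every customer in that block is single-homed (a multi-homed customer's traffic may legitimately enter via the upstream), and the ICMP permits deliberately exclude redirects and timestamp requests, which the infrastructure never needs from outside.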

Neighbor Authentication

The main purpose of neighbor authentication is to prevent attacks that involve sending forged routing protocol messages in order to change routing in the network. Such attacks can lead to unauthorized penetration of the network, unauthorized use of network resources, and also to the attacker intercepting traffic in order to analyze and obtain the necessary information.

Setting up BGP

  • BGP prefix filters - ensure that routes of the telecom operator's internal network do not leak to the Internet (this information can be very useful to an attacker);
  • limiting the number of prefixes accepted from a neighbor (maximum-prefix) - protects against DDoS attacks, anomalies and failures in peering partners' networks, such as an accidental full-table leak;
  • BGP communities and filtering on them - another way of limiting the distribution of routing information;
  • BGP monitoring and comparison of BGP data with observed traffic - one of the mechanisms for early detection of DDoS attacks and anomalies;
  • filtering on the TTL (Time-to-Live) field - verifies that a BGP neighbor really is directly adjacent.

If a BGP attack is launched not from the peering partner's network but from a more distant one, the TTL of the attacker's BGP packets on arrival will be less than 255. The operator's border routers can be configured to drop all BGP packets with TTL < 255, and the peering partners' routers, conversely, to generate only BGP packets with TTL = 255. Since TTL is decremented by 1 at each routing hop, this simple trick (standardized as GTSM, RFC 5082) makes it easy to avoid attacks from beyond your peering partner's border. It only works for directly connected peers, both sides must configure it, and it complements rather than replaces session authentication.
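An added example (not the article's own) that combines the neighbor-authentication and BGP items above in one Cisco IOS configuration: MD5-authenticated OSPF inside the network, and an eBGP session with TCP MD5 authentication, GTSM TTL checking, outbound filtering to the operator's aggregate, inbound filtering of private and special-use space, community tagging and a prefix limit. AS 64500 (ours), AS 64496 (peer), the link 192.0.2.0/30 (local .1, peer .2), the customer aggregate 203.0.113.0/24, the infrastructure block 198.51.100.0/24 and the key placeholders are assumptions.

```cisco
! Added example, not from the original article. AS numbers, addresses and
! keys are assumptions.
!
! Interior routing: MD5-authenticated OSPF adjacencies; interfaces without a
! neighbour never speak OSPF at all.
router ospf 1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/1
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 <ospf-key>
!
! Outbound: only our aggregate leaves the network; internal /30s, loopbacks
! and any more-specifics stay inside (implicit deny at the end).
ip prefix-list OUR-AGGREGATES seq 5 permit 203.0.113.0/24
ip route 203.0.113.0 255.255.255.0 Null0 250
!
! Inbound: no default route, no private or special-use space, nothing that
! is ours, nothing longer than a /24.
ip prefix-list FROM-PEER seq 5  deny 0.0.0.0/0
ip prefix-list FROM-PEER seq 10 deny 10.0.0.0/8 le 32
ip prefix-list FROM-PEER seq 15 deny 172.16.0.0/12 le 32
ip prefix-list FROM-PEER seq 20 deny 192.168.0.0/16 le 32
ip prefix-list FROM-PEER seq 25 deny 127.0.0.0/8 le 32
ip prefix-list FROM-PEER seq 30 deny 224.0.0.0/3 le 32
ip prefix-list FROM-PEER seq 35 deny 198.51.100.0/24 le 32
ip prefix-list FROM-PEER seq 40 deny 203.0.113.0/24 le 32
ip prefix-list FROM-PEER seq 45 permit 0.0.0.0/0 ge 8 le 24
!
! Tag everything learned from this peer so iBGP and customer-facing sessions
! can filter on the community instead of maintaining their own prefix lists.
route-map PEER-IN permit 10
 set community 64500:1000 additive
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.2 description directly connected eBGP peer
 ! TCP MD5 session authentication: a forged UPDATE from a third party is
 ! rejected before BGP ever sees it.
 neighbor 192.0.2.2 password <bgp-md5-key>
 ! GTSM (RFC 5082): the peer must send with TTL 255; with "hops 1" we accept
 ! TTL >= 254 only, which no packet from two or more hops away can carry.
 ! The peer must configure the same.
 neighbor 192.0.2.2 ttl-security hops 1
 neighbor 192.0.2.2 prefix-list FROM-PEER in
 neighbor 192.0.2.2 prefix-list OUR-AGGREGATES out
 neighbor 192.0.2.2 route-map PEER-IN in
 ! Prefix limit: warn at 80 %, tear the session down above 1000 prefixes
 ! and retry automatically after 15 minutes.
 neighbor 192.0.2.2 maximum-prefix 1000 80 restart 15
 neighbor 192.0.2.2 send-community
```

`show ip bgp neighbors 192.0.2.2 | include TTL|MD5|prefix` confirms that TTL security and MD5 are active and shows the current prefix count against the limit. Note that `ttl-security` and `ebgp-multihop` are mutually exclusive on IOS: GTSM is for directly connected peers, exactly as the text says.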

Protecting the Data Plane

Despite the importance of protecting the management and control planes, most of the traffic in a telecom operator's network is data: either transit, or destined for the operator's own subscribers. The mechanisms below filter or redirect that data traffic.

Unicast Reverse Path Forwarding (uRPF)

Often attacks are launched using spoofing technology - source IP addresses are falsified so that the source of the attack cannot be traced. Spoofed IP addresses can be:

  • from the actually used address space, but in a different network segment (in the segment from which the attack was launched, these fake addresses are not routed);
  • from an address space unused in a given data transmission network;
  • from an address space that is not routable on the Internet.

Implementing uRPF on routers prevents the forwarding of packets whose source address is not reachable via the interface on which they arrived (strict mode) or has no route at all in the forwarding table (loose mode). This makes it possible to filter spoofed traffic closest to its source, that is, most effectively. Many DDoS tools (including the well-known Smurf and Tribe Flood Network) rely on spoofing and constantly changing source addresses to defeat standard security and traffic-filtering measures.

When telecom operators providing subscribers with Internet access apply uRPF on subscriber-facing interfaces, spoofed DDoS traffic directed by their own subscribers against Internet resources is dropped at the first router it reaches, before it ever leaves the operator's network.

Remotely Triggered Blackholes (RTBH)

Remotely triggered black holes (RTBH) are used to "dump" (discard, send "to nowhere") traffic entering the network by routing it to the Null0 interface. The technique is recommended at the network edge, so that the attack traffic is discarded as it enters the network. Its limitation (a significant one) is that it applies to all traffic destined for the host or hosts under attack, legitimate traffic included. It is therefore used when one or more hosts are subjected to an attack so massive that it causes problems not only for the attacked hosts but for other subscribers and the operator's network as a whole: the victim is sacrificed to keep the rest of the network running.

Black holes can be triggered either manually or via BGP.
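An added example (not the article's own) covering the two preceding sections on Cisco IOS: uRPF in strict mode on a single-homed customer interface and in loose mode on an upstream link, plus a BGP-triggered RTBH with the one-time preparation on the edge routers and the trigger applied during an attack. AS 64500, the customer block 203.0.113.0/26, the discard next-hop 198.51.100.254, the iBGP neighbor 198.51.100.1 and the victim 203.0.113.10 are assumptions. The closing comment on the source-based variant goes beyond the text, which describes destination-based black-holing only.

```cisco
! Added example, not from the original article. AS, addresses and the
! victim host are assumptions.
!
! --- uRPF on a provider edge router ---
! Single-homed customer: strict mode. A packet is forwarded only if the route
! back to its source points out the interface it arrived on, so spoofed
! sources from this customer are dropped one hop from where they originate.
interface GigabitEthernet0/2
 description single-homed customer, 203.0.113.0/26
 ip address 203.0.113.1 255.255.255.192
 ip verify unicast source reachable-via rx
!
! Upstream/peering link: paths are asymmetric, so strict mode would drop
! legitimate traffic. Loose mode only requires that some route to the source
! exist and not point to Null0.
interface GigabitEthernet0/0
 description eBGP link to upstream
 ip verify unicast source reachable-via any
!
! --- Remotely triggered black hole ---
! On EVERY edge router, once, at deployment time: the discard next-hop is an
! otherwise unused address routed to Null0.
ip route 198.51.100.254 255.255.255.255 Null0
!
! On the trigger router (any iBGP speaker), during an attack: a tagged static
! host route for the victim; the route-map turns it into a BGP route whose
! next-hop is the discard address and which never leaves the AS.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 198.51.100.254
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH-TRIGGER deny 20
!
router bgp 64500
 redistribute static route-map RTBH-TRIGGER
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 send-community
!
! Result: every edge router resolves 203.0.113.10/32 -> 198.51.100.254 -> Null0
! and drops the flood on ingress, at the price of dropping the victim's
! legitimate traffic too (the limitation described in the text). Removing
! the tagged static route withdraws the black hole network-wide.
!
! Source-based variant (not in the text): with loose uRPF on the ingress
! interfaces, the same trigger pointed at an attacker's source prefix makes
! uRPF drop packets FROM that source, because its route now points to Null0.
```

Before the first real incident, test the trigger against an unused address of your own and confirm with `show ip route 203.0.113.10` on a remote edge router that the next-hop resolves to Null0; `show ip interface GigabitEthernet0/2 | include verif` shows the uRPF mode and its drop counter.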

QoS Policy Propagation Through BGP (QPPB)

QoS control over BGP (QPPB) allows you to manage priority policies for traffic destined for a specific autonomous system or block of IP addresses. This mechanism can be very useful for telecom operators and large enterprises, including for managing the priority level for unwanted traffic or traffic containing a DDoS attack.

Sink Holes

In some cases, it is not necessary to completely remove traffic using black holes, but to divert it away from the main channels or resources for subsequent monitoring and analysis. This is exactly what “diversion channels” or Sink Holes are designed for.

Sink Holes are used most often in the following cases:

  • to divert and analyze traffic with destination addresses that belong to the address space of the telecom operator’s network, but are not actually used (were not allocated to either equipment or users); such traffic is a priori suspicious, since it often indicates attempts to scan or penetrate your network by an attacker who does not have detailed information about its structure;
  • to redirect traffic from the target of the attack, which is a resource actually functioning in the telecom operator’s network, for its monitoring and analysis.
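An added example (not the article's own) of a sinkhole router on Cisco IOS serving both cases above: permanently attracting traffic for unallocated ("dark") address space, and, during an attack, pulling a live victim's traffic aside for analysis instead of black-holing it. Everything that lands on the sinkhole is exported as NetFlow and handed to a capture host. AS 64500, the dark block 203.0.113.128/25, the sinkhole segment 198.51.100.224/30 with a capture host at .226, the NetFlow collector 198.51.100.30, the iBGP neighbor 198.51.100.1 and the victim 203.0.113.10 are assumptions.

```cisco
! Added example, not from the original article. Addresses and names are
! assumptions. Nothing that enters the sinkhole is ever forwarded back into
! the network: the capture host must not route.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 198.51.100.30 2055
!
interface GigabitEthernet0/0
 description uplink to core
 ip address 198.51.100.221 255.255.255.252
 ip flow ingress
!
interface GigabitEthernet0/1
 description capture/analysis segment
 ip address 198.51.100.225 255.255.255.252
!
! Case 1 (permanent): attract traffic for unused addresses. Allocated customer
! blocks are longer matches elsewhere in the IGP/iBGP, so only scans and
! misdirected traffic to dark space end up here. The /25 is kept inside the
! AS; the edges keep announcing the covering aggregate to the Internet.
ip route 203.0.113.128 255.255.255.128 198.51.100.226
route-map SINK-INTERNAL permit 10
 set community no-export
!
! Case 2 (during an attack): divert a live victim's traffic here. Same
! trigger pattern as RTBH, but the next-hop is the capture host, not Null0.
ip route 203.0.113.10 255.255.255.255 198.51.100.226 tag 667
route-map SINK-DIVERT permit 10
 match tag 667
 set local-preference 200
 set community no-export
route-map SINK-DIVERT deny 20
!
router bgp 64500
 network 203.0.113.128 mask 255.255.255.128 route-map SINK-INTERNAL
 redistribute static route-map SINK-DIVERT
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 send-community
```

Because the sinkhole redistributes the /32 itself, iBGP carries it with the sinkhole as next-hop and the victim's traffic converges here; the capture host sees the attack in full while the rest of the network is unaffected. Size the uplink for the attack you intend to study, not for the dark-space trickle.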

DDoS protection using special tools

The Cisco Clean Pipes concept is an industry pioneer

The modern concept of protection against DDoS attacks was developed (yes, yes, you won’t be surprised! :)) by Cisco Systems. The concept developed by Cisco is called Cisco Clean Pipes. The concept, developed in detail almost 10 years ago, described in some detail the basic principles and technologies of protection against traffic anomalies, most of which are still used today, including by other manufacturers.

The Cisco Clean Pipes concept involves the following principles for detecting and mitigating DDoS attacks.

Points (network sections) are selected, the traffic in which is analyzed to identify anomalies. Depending on what we are protecting, such points may be peering connections of a telecom operator with higher-level operators, connection points of lower-level operators or subscribers, channels connecting data processing centers to the network.

Special detectors analyze traffic at these points, learn the traffic profile in its normal state and, when a DDoS attack or anomaly appears, detect it and dynamically derive its characteristics. The information is then reviewed by the system operator, and attack suppression is launched in semi-automatic or automatic mode. Suppression consists of dynamically redirecting traffic destined for the "victim" through a filtering device, where filters generated by the detector and reflecting the individual nature of this attack are applied to it. The cleaned traffic is reinjected into the network and delivered to the recipient (hence the name Clean Pipes: the subscriber receives a "clean channel" that does not contain the attack).

Thus, the entire cycle of protection against DDoS attacks includes the following main stages:

  • Training in control characteristics of traffic (profiling, Baseline Learning)
  • Detection of attacks and anomalies (Detection)
  • Redirecting traffic to pass through a cleaning device (Diversion)
  • Traffic filtering to suppress attacks (Mitigation)
  • Injecting traffic back into the network and sending it to the recipient (Injection).

Several features.
Two types of devices can be used as detectors:

  • Detectors manufactured by Cisco Systems are Cisco Traffic Anomaly Detector Services Modules, designed for installation in the Cisco 6500/7600 chassis.
  • Detectors manufactured by Arbor Networks are Arbor Peakflow SP CP devices.

Below is a comparison of the Cisco and Arbor detectors (in the original a three-column table: parameter, Cisco Traffic Anomaly Detector, Arbor Peakflow SP CP).

Obtaining traffic information for analysis
  Cisco Traffic Anomaly Detector: uses a copy of the traffic, mirrored to the module inside the Cisco 6500/7600 chassis.
  Arbor Peakflow SP CP: uses NetFlow data exported by routers; the sampling rate is configurable (1:1, 1:1,000, 1:10,000, etc.).

Identification principles used
  Cisco: signature analysis (misuse detection) and anomaly detection (dynamic profiling).
  Arbor: primarily anomaly detection; signature analysis is used, but the signatures are of a general nature.

Form factor
  Cisco: service modules in the Cisco 6500/7600 chassis.
  Arbor: stand-alone appliances (servers).

Performance
  Cisco: analyzes up to 2 Gbit/s of traffic.
  Arbor: virtually unlimited (the sampling rate can be reduced).

Scalability
  Cisco: up to 4 Detector service modules per chassis (the modules operate independently of each other).
  Arbor: several appliances can be combined into a single analysis system, one of which is assigned Leader status.

Network traffic and routing monitoring
  Cisco: practically no such functionality.
  Arbor: very well developed; many telecom operators buy Arbor Peakflow SP precisely for its deep and sophisticated traffic and routing monitoring.

Subscriber portal (an individual interface through which a subscriber monitors only the part of the network that concerns him)
  Cisco: not provided.
  Arbor: provided; a serious advantage of this solution, since the operator can sell individual DDoS protection services to its subscribers.

Compatible traffic cleaning (attack suppression) devices
  Cisco: Cisco Guard Services Module.
  Arbor: Arbor Peakflow SP TMS; Cisco Guard Services Module.

Recommended usage scenarios
  Cisco: protecting data centers at their Internet connection; monitoring downstream connections of subscriber networks to the operator's network.
  Arbor: detecting attacks on the operator's upstream connections to higher-level providers; monitoring the operator's backbone.
The last row of the table shows scenarios for using detectors from Cisco and from Arbor, which were recommended by Cisco Systems. These scenarios are depicted in the diagram below.

As the traffic cleaning device, Cisco recommends the Cisco Guard service module, installed in a Cisco 6500/7600 chassis. On command from a Cisco Detector or an Arbor Peakflow SP CP, traffic is dynamically redirected to the Guard, cleaned, and reinjected into the network. Redirection is done either by BGP updates to the upstream routers or by direct control commands to the supervisor using a proprietary protocol. With BGP updates, the upstream router receives a new next-hop for the traffic containing the attack (typically a host route for the victim), so that this traffic goes to the cleaning device. Care must be taken that this update does not create a loop: the downstream router, onto which the cleaned traffic is reinjected, must not try to send it back to the cleaning device. To that end the distribution of the BGP update can be controlled with the community attribute (so that the downstream router never learns the diversion route), or the cleaned traffic can be reinjected through a GRE tunnel that terminates beyond the point of diversion.
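An added example (not the article's own, and not Cisco Guard configuration, which is vendor-specific) of the router side of this diversion and re-injection scheme on Cisco IOS: the diversion router accepts from the cleaning device only host routes inside the operator's own customer space, tags them so they are never exported and never passed to the customer-facing router, and the customer-facing router terminates a GRE tunnel through which cleaned traffic arrives and is forwarded to the victim over its connected route. AS 64500, the cleaning device at 198.51.100.100, the customer edge router's loopback 198.51.100.2, the customer block 203.0.113.0/24 and all names are assumptions.

```cisco
! Added example, not from the original article. Addresses, AS number and
! names are assumptions; the cleaning device's own configuration is not shown.
!
! ===== Diversion router (where attack traffic enters the network) =====
! Accept from the cleaner only /32s inside our customer space, and mark them
! so they are never exported and never handed to the customer-facing router;
! passing the /32 on is exactly what would loop cleaned traffic back.
ip prefix-list DIVERT-ALLOWED seq 5 permit 203.0.113.0/24 ge 32
!
route-map FROM-CLEANER permit 10
 match ip address prefix-list DIVERT-ALLOWED
 set community 64500:911 no-export additive
route-map FROM-CLEANER deny 20
!
ip community-list standard DIVERTED permit 64500:911
route-map TO-CUSTOMER-EDGE deny 10
 match community DIVERTED
route-map TO-CUSTOMER-EDGE permit 20
!
router bgp 64500
 neighbor 198.51.100.100 remote-as 64500
 neighbor 198.51.100.100 description cleaning device
 neighbor 198.51.100.100 route-map FROM-CLEANER in
 neighbor 198.51.100.100 send-community
 neighbor 198.51.100.2 remote-as 64500
 neighbor 198.51.100.2 description customer edge router
 neighbor 198.51.100.2 route-map TO-CUSTOMER-EDGE out
 neighbor 198.51.100.2 send-community
!
! ===== Customer edge router (adjacent to the victim) =====
! Cleaned traffic arrives inside a GRE tunnel from the cleaning device and is
! forwarded to the victim over the connected route, so no intermediate
! router's forwarding decision can send it back to the cleaner.
interface Tunnel100
 description re-injection path from cleaning device
 ip address 198.51.100.241 255.255.255.252
 tunnel source Loopback0
 tunnel destination 198.51.100.100
 ip mtu 1476
 ip tcp adjust-mss 1436
!
! The /32 diversion route never reaches this router, so the connected route
! is the only one it has for the victim.
interface GigabitEthernet0/2
 description customer LAN, 203.0.113.0/26
 ip address 203.0.113.1 255.255.255.192
```

If the network uses route reflectors, the `TO-CUSTOMER-EDGE` filter belongs on the reflector's session toward the customer edge as well, since the diversion /32 would otherwise reach it through the reflector. During a diversion, `show ip bgp 203.0.113.10` on the diversion router should show the cleaner as next-hop, and the same command on the customer edge should show no /32 at all.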

This state of affairs existed until Arbor Networks significantly expanded the Peakflow SP product line and began to enter the market with a completely independent solution for protecting against DDoS attacks.

Arbor Peakflow SP TMS introduced

Several years ago, Arbor Networks decided to develop its line of products for protection against DDoS attacks independently, regardless of the pace and policy of development in this area at Cisco. Peakflow SP CP had fundamental advantages over the Cisco Detector: it analyzed flow information with an adjustable sampling rate, and therefore had no restrictions on use in telecom operator networks and on trunk links (unlike the Cisco Detector, which analyzes a copy of the traffic). In addition, a major advantage of Peakflow SP was the ability for operators to sell subscribers an individual service for monitoring and protecting their network segments.

Due to these and other considerations, Arbor has significantly expanded its Peakflow SP product line. A number of new devices have appeared:

Peakflow SP TMS (Threat Management System)- suppresses DDoS attacks through multi-stage filtering based on data obtained from Peakflow SP CP and from the ASERT laboratory, owned by Arbor Networks, which monitors and analyzes DDoS attacks on the Internet;

Peakflow SP BI (Business Intelligence)- devices that provide system scaling, increasing the number of logical objects to be monitored and providing redundancy for collected and analyzed data;

Peakflow SP PI (Portal Interface)- devices that provide an increase in subscribers who are provided with an individual interface for managing their own security;

Peakflow SP FS (Flow Sensor) - devices that monitor subscriber routers, connections to downstream networks and data centers.

The principles of operation of the Arbor Peakflow SP system remain essentially the same as in Cisco Clean Pipes; however, Arbor regularly develops and improves its systems, so at the moment the functionality of Arbor products is better in many respects than that of Cisco, performance included.

Today, maximum performance of Cisco Guard can be achieved by creating a cluster of 4 Guard modules in one Cisco 6500/7600 chassis, while full clustering of these devices is not implemented. At the same time, the top Arbor Peakflow SP TMS models have performance up to 10 Gbps, and in turn can be clustered.

After Arbor began to position itself as an independent player in the market for detection and suppression of DDoS attacks, Cisco began to look for a partner that would provide it with the much-needed monitoring of network traffic flow data, but would not be a direct competitor. Such a company was Narus, which produces traffic monitoring systems based on flow data (NarusInsight), and entered into a partnership with Cisco Systems. However, this partnership did not receive serious development and presence on the market. Moreover, according to some reports, Cisco does not plan to invest in its Cisco Detector and Cisco Guard solutions, in fact, leaving this niche to Arbor Networks.

Some features of Cisco and Arbor solutions

It is worth noting some features of the Cisco and Arbor solutions.

  1. Cisco Guard can be used either in conjunction with a detector or independently. In the latter case it is installed in-line and performs the detector's functions itself: it analyzes traffic and, if necessary, turns on filters and cleans the traffic. The disadvantages of this mode are, firstly, an additional point of potential failure and, secondly, additional traffic delay (small until the filtering mechanism is turned on). The recommended mode for Cisco Guard is to wait for a command to redirect the traffic containing an attack, filter it, and reinject it into the network.
  2. Arbor Peakflow SP TMS devices can also operate in either off-ramp or in-line mode. In the first case, the device passively waits for a command to redirect the traffic containing the attack, cleans it and reinjects it into the network. In the second, it passes all traffic through itself, generates data from it in the Arborflow format and sends it to Peakflow SP CP for analysis and attack detection. Arborflow is a format similar to NetFlow, modified by Arbor for its Peakflow SP systems. Traffic monitoring and attack detection are performed by Peakflow SP CP on the basis of the Arborflow data received from the TMS. When an attack is detected, the Peakflow SP CP operator gives the command to suppress it, after which the TMS turns on filters and cleans the attack out of the traffic. Unlike Cisco Guard, a Peakflow SP TMS cannot work independently: it requires a Peakflow SP CP, which does the analysis.
  3. Today, most experts agree that the tasks of protecting local sections of the network (for example, connecting data centers or connecting downstream networks) are effective

2024 gtavrl.ru.