I. Overview
1.1 Background
DoS (Denial of Service) refers to an attack that exhausts a system's resources with a flood of service requests, leaving the network unable to handle legitimate user requests. The emergence of botnets has driven the rapid development and spread of DDoS (Distributed Denial of Service), because the attack is simple to implement, severe in impact and difficult to trace. Botnets made up of thousands of hosts supply the bandwidth and hosts a DDoS attack requires, and the resulting volume of attack packets and network traffic overwhelms the targeted network.
The continual evolution of DDoS attacks increases the security and operational challenges faced by ISP, ICP and IDC operators. They are looking for an anti-DDoS system that helps keep networks and services running stably before a DDoS attack compromises critical services and applications. At the same time, anti-DDoS protection has become a value-added service aimed at improving user satisfaction.
1.2 Common attacks
Packets are normally transmitted over TCP/IP protocols and are harmless when they follow the protocols. However, an excessive volume of packets can overload network devices or servers, and packets that exploit protocol defects, or that are incomplete or malformed, can exhaust system resources so that the network can no longer process traffic normally. This is how DDoS works. DDoS attacks are hard to prevent because the attack traffic is mixed with normal service traffic, making the two almost impossible to distinguish.
Generally speaking, DDoS attacks fall into the following types:
Bandwidth-based attacks: This type of DDoS attack sends a huge volume of packets to overload the device, exhausting network bandwidth or device resources.
Resource-based attacks: This type of DDoS attack exploits characteristics of the TCP or HTTP protocols to continuously consume limited resources, preventing the target device from processing normal requests.
II. Anti-DDoS Systems
2.1 Shortcomings of the existing solutions
Firewalls or routers used in traditional anti-DDoS solutions rely on network-layer detection. However, most DDoS attacks can be launched using legitimate protocols, so they cannot be identified and prevented by traditional solutions. Moreover, since firewalls and routers are not designed for anti-DDoS work, their performance is greatly compromised when they are used for DDoS prevention.
Device upgrades can help withstand DDoS attacks, but given the recent surge in DDoS attacks, it is difficult for the pace of upgrades to keep up with the growth of DDoS attack traffic.
2.2 DPtech Anti-DDoS System
The DPtech anti-DDoS system offers several deployment modes, such as Online Mode and Bypass Mode, for different users and environments.
Bypass Mode is generally adopted in large operator networks or high-traffic networks. Bypass deployment is easy to expand and implement, requires no change to the original network topology and introduces no single point of failure. Bypass deployment is introduced below.
Fig. 1 Networking in Bypass mode of anti-DDoS system
As shown above, Bypass deployment of the anti-DDoS system consists of four stages: traffic detection, traffic traction, traffic cleaning and traffic re-injection.
1) Traffic detection: The anti-DDoS detection system Probe3000 inspects the specified traffic by means of port mirroring, optical splitting, NetFlow/NetStream/sFlow flow records and other methods, and sends traffic information to the management platform for the user's reference. In the event of an attack, an alarm is issued to the UMC in time.
2) Traffic traction: On receiving an alarm log, the UMC distributes protection policies to the anti-DDoS cleaning system Guard3000, which interacts with the core network device. Using the BGP dynamic routing protocol, traffic destined for the protected address is drawn to the Guard3000 for protection.
3) Traffic cleaning: Guard3000 identifies attacks in the drawn traffic and cleans the attack packets with its dedicated anti-DDoS protection technology.
4) Traffic re-injection: After cleaning, Guard3000 re-injects the legitimate traffic into the user's network and reports the cleaning logs to the UMC, which generates traffic cleaning reports.
Bypass Mode suits large networks, while Online Mode is ideal for small networks carrying about 1G of traffic. Online Mode integrates detection and protection in one device and can inspect traffic in both directions. The disadvantage of an in-line (serial) connection is reduced flexibility and an additional point of failure; it also demands high reliability, since all traffic passes through the device. The typical networking is shown below:
Fig. 2 Networking in Online mode of anti-DDoS system
2.3 Technical Features and Advantages
1) Highly efficient detection and cleaning technologies
The system is designed with Deep Packet Inspection (DPI) technology and NetFlow/NetStream/sFlow-based detection (DFI) technology to inspect hidden attack packets in depth and to identify and clean traffic accurately. Built on an advanced distributed multi-core hardware architecture and a multi-device cluster formed through intelligent clustering, it stands out as a 10G anti-DDoS platform with outstanding performance.
2) High Reliability
Anti-DDoS protection can be deployed in Online Mode or Bypass Mode. In Bypass Mode, traffic is cleaned on demand without affecting normal traffic. Thanks to its broad protocol support, it works with ARP, VLAN and link aggregation as well as routing features such as static routing, RIP, OSPF, BGP and policy-based routing, to fit a variety of networking scenarios. In Online Mode, it cleans threat traffic in real time.
3) Multi-level Security Protection
Diverse technologies, including static inspection of vulnerability signatures, dynamic rule filtering, abnormal traffic control and the advanced "intelligent traffic detection", are combined to provide multi-level security protection and to accurately detect and block various network-layer and application-layer DoS/DDoS attacks and unknown malicious traffic, such as SYN Flood, UDP Flood, ICMP Flood, DNS Query Flood, HTTP Get Flood and CC attacks.
4) Automatic Traffic Traction and Flexible Traffic Re-injection
When a DDoS attack is discovered, the Guard3000 issues a BGP routing update to its neighbouring routers/switches, and the traffic destined for the target under attack is automatically and rapidly drawn to the Guard3000 for cleaning. Meanwhile, Guard3000 can re-inject the cleaned traffic to users through policy-based routing, MPLS VPN, GRE VPN or Layer-2 transparent transmission, ensuring service continuity.
5) Detailed Analysis and Statistical Reports
The anti-DDoS products provide a wide array of attack logs and statistical reports on abnormal traffic. The information available includes traffic before the attack and after cleaning, traffic volume, duration and ranking, attack trend analysis and other detailed reports, giving users a full picture of the traffic status.
III. Key Technologies of Anti-DDoS System
3.1 Anti-DDoS Detection System
The anti-DDoS detection system Probe3000 monitors and manages abnormal network traffic in cooperation with the UMC. It identifies traffic overloads and DDoS attacks and raises alarms, and it helps administrators generate network monitoring charts, logs and reports.
Probe3000 supports two detection modes:
1) DPI-based Detection
DPI (Deep Packet Inspection) receives the real traffic through port mirroring or optical splitting and analyses it directly. The advantage of mirroring is that all information in the original packets is available, so the statistics are relatively complete; the disadvantage is that inspecting large traffic volumes demands a high-performance device.
2) DFI-based Detection
Traffic statistics are built from NetFlow/NetStream/sFlow and other flow records. This technique is well suited to statistics over large traffic volumes, but the data is coarse and arrives with a delay.
By aggregating the traffic information, Probe3000 detects traffic in real time against pre-set thresholds and reports traffic logs at regular intervals. If abnormal traffic is found, an alarm is issued promptly to the UMC, which then enables anti-DDoS protection and has the traffic drawn and cleaned.
Probe3000 also provides intelligent attack detection. It builds a self-learning model from Layer 3/4 packet statistics and common application statistics, updates the model automatically with the latest traffic, and can thereby quickly identify abnormal traffic. Intelligent learning is effective in detecting unknown attacks.
Probe3000 can detect many kinds of DDoS attack, including network-layer attacks such as SYN Flood, UDP Flood, DNS Query Flood, ICMP Flood, (M)Stream Flood, Ping of Death, Connection Flood, Land, Tear Drop and WinNuke, as well as application-layer attacks such as HTTP Get, CC and DNS attacks.
3.2 Anti-DDoS Cleaning System
The anti-DDoS cleaning system Guard3000 combines diverse technologies, including abnormal traffic control, dynamic rule filtering and DPtech's unique fingerprint recognition and intelligent protection, to provide multi-level security protection and accurately filter various network-layer and application-layer attacks as well as unknown malicious traffic.
3.2.1 Protection against Network-layer Attacks
In addition to the commonly used traffic control function, DPtech provides a number of specialised protection algorithms against flood attacks.
1) Rate limit
Traffic is aggregated according to the protection policies set by the user. The aggregated figure is compared with the configured threshold, and the portion that exceeds the threshold is rate-limited.
2) SYN Cookie protection
Guard3000 intercepts the SYN packet that opens a new TCP connection and calculates a cookie value from the connection information. The cookie is returned to the client as the initial sequence number of the SYN/ACK packet. Guard3000 then checks the validity of the cookie carried in the ACK packet returned by the client. If the request is confirmed to be legitimate, Guard3000 acts as a proxy and sends a SYN packet to the server to establish the connection; all further packets between the client and the server on this connection are forwarded by Guard3000. When attackers launch a SYN Flood against the server, they cannot present valid cookie information and therefore cannot establish a connection with the server. Throughout this process Guard3000 acts as a proxy: it talks to the client as if it were the server and to the server as if it were the client, filtering out malicious connections so that the business runs normally and stably.
SYN Cookie protection is illustrated below:
Fig. 3 SYN Cookie protection
3) SYN Reset protection
Although SYN Cookie technology protects effectively against SYN Flood attacks, it requires the cleaning device to act as a forwarding proxy, which places higher demands on device performance. SYN Reset technology is a further optimisation built on SYN Cookie.
When a client sends a SYN packet for a new connection, the Guard3000 first discards the SYN and, acting as the server, sends a SYN/ACK packet to the client. Instead of following the protocol, the acknowledgment number (ack number) in this SYN/ACK is derived from a cookie value computed by a special algorithm, so it differs from the value the client expects. When a legitimate client receives the SYN/ACK and finds that the acknowledgment number does not match its expectation, it returns a RST packet whose sequence number is the cookie and abandons the connection. Guard3000 extracts the cookie from this packet and verifies it against the entry in the device's protection table. If verification succeeds, the connection is considered trusted and the client IP is added to the device whitelist, so that its subsequent packets pass through directly. Because attackers neither process the returned SYN/ACK nor answer it with a verifiable RST packet, their IP addresses never enter the whitelist and they cannot establish connections with the server, which eliminates the attack. A cleaning device using SYN Reset only verifies the legitimacy of the client and need not act as a forwarding proxy, so its performance cost is limited.
SYN Reset protection is illustrated below:
Fig. 4 SYN Reset protection
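The two handshake checks described above (SYN Cookie, where the cookie rides in the SYN/ACK sequence number and comes back as ack - 1, and SYN Reset, where it rides in a deliberately wrong ack number and comes back as the RST sequence number), as an added example that is not DPtech's code. The keyed-hash cookie construction, the 30-second time slot, the packet-dict field names and the sample addresses are assumptions for illustration.

```python
"""Added example (not DPtech's code): SYN Cookie and SYN Reset verification.

Both modes bind a 32-bit cookie to the connection 4-tuple and a coarse time
slot with a keyed hash, so the cleaning device keeps no per-SYN state.
Packets are plain dicts; the slot length and field names are assumptions.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(16)   # per-device secret (rotated in a real deployment)
SLOT_SECONDS = 30         # cookie time granularity (assumption)
MAX_SLOT_AGE = 2          # accept the current slot and the two before it
MASK32 = 0xFFFFFFFF


def _mac(pkt: dict, slot: int) -> bytes:
    """24-bit keyed tag over the client->server 4-tuple and the time slot."""
    msg = f"{pkt['src']}:{pkt['sport']}>{pkt['dst']}:{pkt['dport']}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(syn: dict, now: int) -> int:
    """Cookie = 8-bit time slot || 24-bit truncated HMAC."""
    slot = (now // SLOT_SECONDS) & 0xFF
    return (slot << 24) | int.from_bytes(_mac(syn, slot), "big")


def check_cookie(cookie: int, reply: dict, now: int) -> bool:
    """Recompute from the client's reply, which shares the SYN's 4-tuple."""
    slot, tag = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
    if ((now // SLOT_SECONDS) - slot) & 0xFF > MAX_SLOT_AGE:
        return False                     # stale, replayed or forged slot
    return hmac.compare_digest(_mac(reply, slot), tag)


# SYN Cookie mode: the device proxies the whole handshake.
def syn_cookie_synack(syn: dict, now: int) -> dict:
    """SYN/ACK whose initial sequence number carries the cookie."""
    return {"flags": "SYN/ACK", "seq": make_cookie(syn, now),
            "ack": (syn["seq"] + 1) & MASK32}


def syn_cookie_accept(ack: dict, now: int) -> bool:
    """A genuine third handshake packet acknowledges cookie + 1."""
    return ack["flags"] == "ACK" and check_cookie((ack["ack"] - 1) & MASK32, ack, now)


# SYN Reset mode: the device only validates the client, then whitelists it.
def syn_reset_synack(syn: dict, now: int) -> dict:
    """SYN/ACK with a deliberately wrong ack number equal to the cookie."""
    return {"flags": "SYN/ACK", "seq": 0, "ack": make_cookie(syn, now)}


def syn_reset_accept(rst: dict, now: int, whitelist: set) -> bool:
    """A real TCP stack answers the bad SYN/ACK with RST, seq = that ack number."""
    ok = rst["flags"] == "RST" and check_cookie(rst["seq"], rst, now)
    if ok:
        whitelist.add(rst["src"])        # later packets from this IP pass directly
    return ok
```

A flood source that never completes either exchange produces no verifiable ACK or RST, so no proxy connection is opened and no whitelist entry is created.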
4) TCP status protection
Normal clients communicate through legitimate protocol stacks, whose TCP implementations follow a defined state transition model. To save resources, attackers do not use a legitimate protocol stack. Therefore, full TCP state tracking through a simple state table allows packets with an incomplete state to be discarded, shielding the server from attacks. For example, a normal TCP request establishes a connection with a three-way handshake, in keeping with the state transition model, whereas ACK Flood and FIN Flood packets are filtered out directly because no three-way handshake preceded them and their state transitions are incomplete.
5) Fingerprint protection
Fields in the network and transport layers of a packet, including packet length, TTL, source and destination ports, and even some content of the data segment, show distinct statistical characteristics in different networks; these are known as fingerprints. The basic idea of fingerprint protection is to build a protection model from the fingerprint of normal network traffic. When a network anomaly occurs, the abnormal fingerprint is extracted and compared with the protection model, and packets that exceed the model are filtered.
For example, when the Guard3000 receives a packet, it extracts the packet length field, stores it in discretised form and periodically computes the distribution of packet lengths in the current network. A network anomaly shows up as a fluctuation of a fingerprint's distribution beyond the pre-set model value; the abnormal packets can then be filtered on that fingerprint signature.
Protection based on a single fingerprint field may, however, be unsatisfactory. Aggregating several fields, such as source IP and TTL, into one fingerprint signature for statistics and filtering gives better protection against complex DDoS attacks.
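The packet-length fingerprint model described above, together with the multi-field variant of the last paragraph, as an added example that is not DPtech's code. The 64-byte bucket, the 15-point tolerance and the constructed clean and attack samples are assumptions; the samples are built so that a length-only model also drops some normal packets while the length-plus-TTL model drops only the flood.

```python
"""Added example (not DPtech's code): fingerprint protection on packet length.

A baseline distribution is learned from a clean window; in a later window any
fingerprint value whose share rises above the baseline by more than a tolerance
is treated as abnormal and packets carrying it are filtered. The same class
serves the aggregated fingerprint (length bucket plus TTL). Bucket size,
tolerance and the sample packets are constructed assumptions.
"""
from collections import Counter

BUCKET = 64        # discretise packet length into 64-byte bins (assumption)
TOLERANCE = 0.15   # share may exceed the baseline by at most 15 points (assumption)
MIN_SAMPLES = 20   # do not judge a window with too few packets


def len_key(p: dict):
    """Single fingerprint: discretised packet length."""
    return min(p["len"], 1500) // BUCKET


def len_ttl_key(p: dict):
    """Aggregated fingerprint: length bucket combined with TTL."""
    return (len_key(p), p["ttl"])


def distribution(keys) -> dict:
    """Share of packets per fingerprint value."""
    counts = Counter(keys)
    total = sum(counts.values())
    return {k: n / total for k, n in counts.items()} if total else {}


class Fingerprint:
    def __init__(self, key, clean_packets):
        self.key = key
        self.baseline = distribution(key(p) for p in clean_packets)

    def anomalous(self, window) -> set:
        """Fingerprint values whose share exceeds the learned model."""
        if len(window) < MIN_SAMPLES:
            return set()
        current = distribution(self.key(p) for p in window)
        return {k for k, share in current.items()
                if share - self.baseline.get(k, 0.0) > TOLERANCE}

    def filter(self, window):
        """Split a window into (passed, dropped) by the abnormal fingerprints."""
        bad = self.anomalous(window)
        passed = [p for p in window if self.key(p) not in bad]
        dropped = [p for p in window if self.key(p) in bad]
        return passed, dropped


# Constructed samples: a clean mix of sizes and TTLs, then the same mix plus a
# flood of 60-byte packets with TTL 255 that a single-field model over-blocks.
CLEAN_SAMPLE = [{"len": l, "ttl": t}
                for l in (60, 200, 600, 1400) for t in (64, 128)] * 10
ATTACK_SAMPLE = CLEAN_SAMPLE + [{"len": 60, "ttl": 255}] * 120
```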
3.2.2 Protection against Application-layer Attacks
Unlike network-layer attacks, application-layer attacks are asymmetric: the client spends little bandwidth and few host resources, while the server spends a great deal of bandwidth or host resources. This type of attack is catastrophic. Application-layer attacks are mainly DNS attacks and HTTP attacks.
1) DNS traffic control per domain name
Traffic control is applied per DNS domain name. Wildcard-based traffic control is supported to handle domain names that are partially random.
2) DNS Propagation Checker
When an attack is detected, the cleaning device caches the first DNS request packet it subsequently receives locally instead of forwarding it to the server. A properly working host resends the DNS request if no response arrives within a period of time (2-5 seconds), whereas an attack tool keeps sending requests in rapid succession. Taking advantage of this behaviour, attack packets that violate the retransmission interval can be dropped immediately.
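The propagation check just described, as an added example that is not DPtech's code: the first query for a (client, name, type) key is held, a retransmission inside the 2-5 second window is forwarded, and repeats arriving faster than any resolver retries are dropped. The query-dict field names, the exact window bounds and the hold-table cap are assumptions.

```python
"""Added example (not DPtech's code): DNS propagation (retransmit-interval) checker.

While an attack is on, the first query for a (client, name, type) key is held
rather than forwarded. A real stub resolver retransmits after its timeout (the
text cites 2-5 s) and that retransmission is forwarded; repeats arriving faster
than any resolver retries are dropped. Interval bounds are assumptions.
"""
from collections import Counter

MIN_RETRY = 2.0        # seconds; faster repeats are treated as flood traffic
MAX_RETRY = 5.0        # seconds; later repeats are treated as a fresh query
MAX_PENDING = 100_000  # bound the hold table against random-name floods


def _key(q: dict):
    # DNS names are case-insensitive, so normalise before matching retransmits
    return (q["src"], q["qname"].rstrip(".").lower(), q["qtype"])


class PropagationChecker:
    def __init__(self):
        self.pending = {}          # key -> time the first query was held
        self.dropped = Counter()   # per-source count of interval violations

    def handle(self, q: dict, now: float) -> str:
        """Return "hold", "forward" or "drop" for one query."""
        k = _key(q)
        first = self.pending.get(k)
        if first is None:
            if len(self.pending) >= MAX_PENDING and self.expire(now) == 0:
                return "drop"          # table full of live entries: shed load
            self.pending[k] = now
            return "hold"
        elapsed = now - first
        if elapsed < MIN_RETRY:
            self.dropped[q["src"]] += 1
            return "drop"
        if elapsed > MAX_RETRY:
            self.pending[k] = now      # too late to be the retransmit; hold again
            return "hold"
        del self.pending[k]
        return "forward"

    def expire(self, now: float) -> int:
        """Discard held queries that were never retransmitted in time."""
        stale = [k for k, t in self.pending.items() if now - t > MAX_RETRY]
        for k in stale:
            del self.pending[k]
        return len(stale)
```

Queries with randomised names or spoofed sources are each held once and never retransmitted, so they expire from the table without ever reaching the server.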
3) DNS TC Bounce Protection
Almost all DNS attacks are launched with UDP packets, which gives us an opportunity to defend against them. When a DNS attack is detected, the device returns a response packet with the TC (truncated) flag set. A properly working host then re-issues the request over TCP port 53. After receiving the TCP request, the device converts it back into a UDP request before sending it to the DNS server, sparing the DNS server the overhead of processing a large number of TCP connections. Attack tools that merely simulate DNS requests never resend them over TCP, so all such attack traffic is discarded by the device without reaching the DNS server.
4) HTTP Cookie Verification Protection
HTTP Cookie protection verifies whether an HTTP request packet originates from a legitimate client that follows the HTTP protocol. After intercepting a GET request sent by the client to a URL on the server, the protection device constructs a redirect response for the client so that the client re-issues the request to the redirected URL. The redirect adds a cookie field that must be authenticated, in one of two ways: the first sets it through the Set-Cookie field of the HTTP header, requiring subsequent HTTP requests to carry the specified cookie; the second appends a cookie parameter to the end of the redirect URL, requiring the client to access the URL containing that parameter. A normal client that receives the redirect includes the cookie field and accesses the specified URL. Once the request passes verification at the protection device, the added cookie field is removed before the request is transparently forwarded to the server. An attack request cannot add the specified cookie field and is discarded directly during verification at the protection device.
HTTP Cookie verification is illustrated below:
Fig. 5 HTTP Cookie protection
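The redirect challenge described above in both of its forms (Set-Cookie header and URL parameter), as an added example that is not DPtech's code. The challenge is a keyed hash bound to the client address and a time slot; the cookie name `__guard_chk`, the 60-second slot, the request/response dict layout and the sample host are assumptions.

```python
"""Added example (not DPtech's code): HTTP cookie verification as a redirect challenge.

A GET without a valid challenge cookie is answered with a 302 to the same URL
that carries the cookie either in Set-Cookie (mode "header") or as a URL
parameter (mode "url"). A request presenting a valid cookie is forwarded with
the cookie stripped; an invalid cookie is dropped. Cookie name, slot length and
the dict layout are assumptions for illustration.
"""
import hashlib
import hmac
import os
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = os.urandom(16)     # per-device key (rotated in a real deployment)
COOKIE = "__guard_chk"      # assumed challenge cookie / parameter name
SLOT_SECONDS = 60           # token validity granularity (assumption)


def make_token(client_ip: str, now: int) -> str:
    """Token bound to the client address and a time slot, so it cannot be shared."""
    slot = now // SLOT_SECONDS
    return hmac.new(SECRET, f"{client_ip}|{slot}".encode(), hashlib.sha256).hexdigest()[:32]


def token_valid(tok: str, client_ip: str, now: int) -> bool:
    # accept the current slot and the previous one to survive a slot boundary
    return any(hmac.compare_digest(tok, make_token(client_ip, now - d))
               for d in (0, SLOT_SECONDS))


def _split_cookie(header: str):
    """Return (challenge value or None, Cookie header with the challenge removed)."""
    jar = SimpleCookie()
    jar.load(header or "")
    presented = jar[COOKIE].value if COOKIE in jar else None
    rest = "; ".join(f"{k}={m.value}" for k, m in jar.items() if k != COOKIE)
    return presented, rest


def handle_request(req: dict, now: int, mode: str = "header") -> dict:
    """req = {"method", "url", "client_ip", "headers"}; returns the device's action."""
    ip, url, headers = req["client_ip"], req["url"], dict(req["headers"])
    presented, rest = _split_cookie(headers.get("Cookie", ""))
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    url_tok = [v for k, v in params if k == COOKIE]
    if presented is None and url_tok:
        presented = url_tok[0]
    clean_url = urlunsplit(parts._replace(
        query=urlencode([kv for kv in params if kv[0] != COOKIE])))

    if presented is None:                       # first contact: issue the challenge
        tok = make_token(ip, now)
        if mode == "url":
            q = urlencode(params + [(COOKIE, tok)])
            return {"action": "redirect", "status": 302,
                    "location": urlunsplit(parts._replace(query=q))}
        return {"action": "redirect", "status": 302, "location": url,
                "set_cookie": f"{COOKIE}={tok}; Path=/; HttpOnly"}
    if not token_valid(presented, ip, now):     # forged, expired or replayed from another IP
        return {"action": "drop"}
    # verified: remove the challenge cookie/parameter before transparent forwarding
    if rest:
        headers["Cookie"] = rest
    else:
        headers.pop("Cookie", None)
    return {"action": "forward", "url": clean_url, "headers": headers}
```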
3.3 Traffic Traction
When an alarm log for an IP address is received, the traffic of that IP is drawn to the anti-DDoS cleaning system Guard3000 for filtering. When the attack ends, the anti-DDoS detection system Probe3000 sends an alarm log indicating the end of the attack, and the IP's traffic is restored to its original path.
Traffic traction technologies include BGP, OSPF, policy-based routing, MPLS and others, with BGP generally being the primary method.
When an attack occurs, the Guard3000 issues a BGP routing update to the core router to update its routing table. All traffic passing through the core device towards the servers under attack is then automatically drawn to the cleaning centre for cleaning. Meanwhile, the no-advertise attribute is attached to the BGP route so that the route announced by the cleaning device does not spread across the entire network.
Fig. 6 Diagram of traffic traction
3.4 Traffic Re-injection
3.4.1 Policy-Based Routing
Policy-based routing specifies the next hop according to the incoming interface of a packet. By configuring policy-based routing on the core switch (Device A), re-injected traffic from the protection device arriving on Interface 2 is forwarded to the next hop of the protected device (Device B). Because policy-based routing takes precedence over normal routing, re-injection traffic arriving at the core switch (Device A) matches the policy route rather than the normal route that was in use before traffic traction. In other words, re-injection traffic is not sent back to the protection device, keeping the network loop-free.
Fig. 7 Re-injection via policy-based routing
3.4.2 GRE Re-injection
A GRE tunnel is established between the protection device and Device B, the next hop toward the protected network. During re-injection, the protection device encapsulates the traffic in GRE packets and sends them to Device A. Because the destination address of these GRE packets is Device B, Device A does not match them against the normal route that was in use before traffic traction; it forwards them directly to Device B, where the GRE encapsulation is removed and the traffic is sent on to the real customer network, avoiding loops.
Fig. 8 GRE re-injection
3.4.3 VLAN Layer-2 Re-injection
Device B, the next hop toward the protected network, is placed in the same VLAN as the protection device, i.e. Interface 2 and Interface 3 of core switch Device A are configured in the same VLAN. The protection device can then forward re-injection traffic to Device B directly through Layer-2 forwarding within the VLAN. In other words, when re-injection traffic reaches Device A, it is switched at Layer 2 to Device B and from there reaches the real customer network, without any Layer-3 forwarding. It therefore never matches the normal route used before traffic traction, and loops are avoided.
Fig. 9 VLAN Layer-2 re-injection
3.4.4 MPLS Re-injection
As in the GRE mode, an MPLS tunnel is established between the protection device and Device B, the next hop toward the protected network. The protection device applies MPLS encapsulation when re-injecting the traffic. Once the encapsulated packets reach Device A, they are forwarded directly to Device B, where the MPLS label is removed before the traffic is sent on to the real customer network. Because the re-injection traffic passing through Device A is MPLS-encapsulated, it does not match the normal route used before traffic traction, and loops are avoided.
Fig. 10 MPLS Re-injection
3.5 Statistics and Logs
As a security service, the anti-DDoS system not only cleans abnormal traffic but also gives users a timely and intuitive overall view of the real-time status, attack status and cleaning status of the protected services. The Unified Management Center (UMC) manages the Probe3000 and the Guard3000 centrally and provides a series of professional reports on traffic status, cleaning results, historical logs and more. These rich, intuitive reports help end users understand the current service status and trace historical status in real time.
With detailed reporting functions, the UMC also provides analysis charts and graphs based on statistical data. Available reports include:
Analysis reports based on the cleaning service and the types of attack traffic, such as SYN Flood, UDP Flood, etc.
Accurate traffic trend graphs in accordance with the real-time traffic of the protected target.
Cleaning records are retained according to the storage capacity of the server, and statistical reports can be generated for any time interval within the data retention period.
All reports can be exported automatically. Once an export schedule is configured, the system exports reports at the required frequency and in the required format and sends them to the specified recipients.