aebian

January 22nd at 8:40am
Distributed Denial of Service


This post explains some facts about DDoS attacks and filtering systems, and compares some of the filtering solutions.

Q: What is Distributed Denial of Service?
A: Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.


Q: Can I protect myself against a DDoS attack?
A: That depends. Opinions differ on this, so the statement below is my own opinion.

Yes, it is possible to protect against an attack (in about 95% of cases).
95% of all DDoS attacks originate from a booter / stresser service, and these services have very limited bandwidth (not all of them, but most).
Also, most of these services only use standard attacks (e.g. DNS, NTP, SYN, ACK), and these types of attacks are easy to fend off simply because they have low bandwidth (on average 10-20 Gbit/s) and therefore pose no problem for modern filtering systems (Cisco, Arbor, Juniper) combined with the host's infrastructure.

However, there are also some booters / stressers which use complex public scripts as well as private scripts.
These scripts generate attacks that bypass default filtering systems and require complex filtering in addition to the default one. Public scripts are most likely already covered by modern filtering systems by default and do not pose a major threat.
Private scripts, on the other hand, can be a problem for some anti-DDoS providers, because those providers do not use dynamic rules: their rules are static and do not adjust to the attack traffic.

Therefore many well-known providers use hybrid solutions, a combination of "standard" systems and "complex" systems, so they can block simple attacks and react efficiently to complex attacks.


Q: Why do some services (TeamSpeak 3, websites) go down faster than others, e.g. game servers?
A: That is a wrong assumption. Most game servers go down just as fast as a website or TeamSpeak server.

These services use the User Datagram Protocol (UDP), which means only complex filtering will be efficient. Some game servers and TeamSpeak use a closed communication system. That means the voice packets and game server packets respectively are not publicly documented, are encrypted, and the protocol cannot be recreated.
That is one reason why there are no custom clients available for e.g. TeamSpeak.

On the one hand this is positive, because attackers cannot imitate the packets. On the other hand it is negative, because providers have no basis for checking the packets for validity. The only reason why some services are easier to guard is their predictable packet size. HTTP / HTTPS is based on TCP and can thus be validated through the connection-oriented protocol (three-way handshake).

However, it is hard to distinguish between legitimate and non-legitimate requests. Therefore, web pages are vulnerable to complex Layer 7 (application layer) attacks.


Q: What are the differences between HTTP, UDP and TCP attacks?
A: HTTP floods are attacks on the application layer; they drive up server load and aim to kill the web server.

UDP floods are attacks that are often used to overload the network connection, since UDP is a fast protocol.
For a couple of years now, more complex application-level attacks on game servers or voice servers have been carried out as well (TS3INIT1 as an example).

TCP floods are attacks that overload the resources of the server. Thousands of open and unanswered requests bring a server to its knees. (A countermeasure would be, for example, SYN cookies / SYN proxy.)
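Added example (not part of the original post): a small detector for the HTTP floods described above. It counts requests per source IP per time window in a common-log-format access log and reports sources above a threshold; the threshold, the window length and the log lines are constructed sample values.

```shell
# Added example, not from the original post: flag sources whose request
# rate in one time window exceeds a threshold (HTTP flood detection).
THRESHOLD="${THRESHOLD:-20}"   # requests per source per window (assumption)
WINDOW="${WINDOW:-10}"         # window length in seconds (assumption)

sample_log() {
    # Constructed data: 198.51.100.9 sends 25 requests within one 10 s window,
    # while 192.0.2.5 browses normally with 3 requests.
    i=0
    while [ "$i" -lt 25 ]; do
        echo "198.51.100.9 - - [22/Jan/2017:08:40:0$((i % 10)) +0000] \"GET /?p=$i HTTP/1.1\" 200 512"
        i=$((i + 1))
    done
    echo '192.0.2.5 - - [22/Jan/2017:08:40:02 +0000] "GET / HTTP/1.1" 200 2048'
    echo '192.0.2.5 - - [22/Jan/2017:08:40:05 +0000] "GET /style.css HTTP/1.1" 200 300'
    echo '192.0.2.5 - - [22/Jan/2017:08:40:15 +0000] "GET /about HTTP/1.1" 200 1024'
}

flood_sources() {
    # Reads log lines on stdin and prints "ip count bucket" for every
    # source whose request count in a window exceeds THRESHOLD.
    # Field 4 is "[dd/Mon/yyyy:HH:MM:SS"; only the time of day is used,
    # so this assumes all lines come from the same day.
    awk -v thr="$THRESHOLD" -v win="$WINDOW" '
    {
        split($4, t, ":")
        secs = t[2] * 3600 + t[3] * 60 + t[4]
        bucket = int(secs / win)
        n[$1 " " bucket]++
    }
    END {
        for (k in n)
            if (n[k] > thr) { split(k, p, " "); print p[1], n[k], p[2] }
    }'
}

# Stand-alone run: report offenders in the constructed log.
sample_log | flood_sources
```

On a real server, pipe the access log into flood_sources instead of sample_log; the reported addresses are candidates for the rate limits discussed further down, not automatic blocks, since a busy proxy or NAT can look the same.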


Q: How exactly does a DDoS attack affect the server?
A: Depending on the type of attack, either the network connection or the resources of the server (for example CPU, RAM) can be overloaded, but there are also DoS attacks on the hard disks (e.g. filling up the storage).


Q: Can damage be sustained after an attack?
A: On the hardware side, unlikely, because server systems are tested for high loads and have protective measures implemented. For companies, however, an image or financial loss may arise.


Q: How can you secure your server?
A: Even as a server operator, you can only do something about small attacks that do not overload the network connection of your server or its resources. You can work with software firewalls there and block many small attacks (for example iptables, pfw etc.). iptables includes the ability to block packets by source IP address, packet size, TTL or packet contents.

In addition, you are able to rate-limit certain requests. This is often used in addition to the professional protection solutions of the provider (for example, to minimize attacks that the provider does not filter). But in this case, keep in mind that each filter rule costs server resources.
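Added example (not part of the original post, nor any provider's code): a minimal iptables rule set for the checks listed in this answer (source IP, packet size, TTL, packet contents) plus per-source rate limiting and SYN cookies. The interface, ports, marker string and blocked address are assumed placeholder values.

```shell
# Added example, not from the original post. Dry run by default: the commands
# are printed, not executed. To apply them, run as root with RUN= (empty).
RUN="${RUN-echo}"
WAN_IF="${WAN_IF:-eth0}"             # assumption: public-facing interface
WEB_PORTS="${WEB_PORTS:-80,443}"     # assumption: TCP services to protect
TS3_PORT="${TS3_PORT:-9987}"         # TeamSpeak 3 default voice port (UDP)
BAD_SRC="${BAD_SRC:-203.0.113.7}"    # placeholder address (TEST-NET-3)

ddos_rules() {
    # Let established flows through so the rules below only see new traffic.
    $RUN iptables -A INPUT -i "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Source IP: drop a known abusive address outright.
    $RUN iptables -A INPUT -i "$WAN_IF" -s "$BAD_SRC" -j DROP
    # Packet size: voice packets are small, so drop oversized UDP to the voice port.
    $RUN iptables -A INPUT -i "$WAN_IF" -p udp --dport "$TS3_PORT" -m length --length 1200:65535 -j DROP
    # TTL: packets arriving with a very low TTL are unusual and often crafted.
    $RUN iptables -A INPUT -i "$WAN_IF" -m ttl --ttl-lt 5 -j DROP
    # Packet contents: drop UDP payloads carrying a known bad marker (placeholder string).
    $RUN iptables -A INPUT -i "$WAN_IF" -p udp -m string --algo bm --string "PLACEHOLDER_MARKER" -j DROP
    # Rate limit: too many new TCP connections per source IP to the web ports.
    $RUN iptables -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$WEB_PORTS" --syn \
        -m hashlimit --hashlimit-above 50/sec --hashlimit-burst 100 \
        --hashlimit-mode srcip --hashlimit-name syn_per_src -j DROP
    # Rate limit: too many new UDP flows per source IP to the voice port.
    $RUN iptables -A INPUT -i "$WAN_IF" -p udp --dport "$TS3_PORT" -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-above 20/sec --hashlimit-burst 40 \
        --hashlimit-mode srcip --hashlimit-name udp_per_src -j DROP
}

syn_cookies() {
    # Kernel side: answer SYNs with cookies so half-open connections
    # cannot exhaust the listen backlog (the SYN cookies countermeasure).
    $RUN sysctl -w net.ipv4.tcp_syncookies=1
}

rule_count() {
    # Number of iptables rules this script adds; every one of them costs CPU.
    (RUN=echo; ddos_rules) | grep -c '^iptables'
}

ddos_rules
syn_cookies
```

Plain matches such as source address and length are cheap; hashlimit and string matching inspect state or payload per packet and are the rules whose cost you notice first under load, which is the trade-off the answer refers to.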


Q: What do you think is currently the best DDoS protection provider?
A: I cannot say that across the board. It always depends on what protection you need, i.e. what services are running on the server, etc. But I can give you a little overview:

Game servers:

In order to effectively protect a game server, Game Protection by OVH is currently recommended, but only if the game is supported. OVH has created a very robust system with this protection solution. They use the capacity of their network (soon 7.1 Tbit: \o/ ) and can filter large and rough attacks without any problems.

In addition to permanent protection, OVH has upgraded its Tilera firewall with packet validation. In a communication this works as a middleman, so to speak: it accepts the requests, checks them and forwards them. In addition, it checks the outgoing packets for validity. Thus, the Tilera firewall has full control over the communication and can distinguish legitimate requests from bad ones very well.

If it passes a request that is incorrect, the request will reach the server, but the server responds with an error message; Tilera receives this and knows that the request was not legitimate. It updates its filter rules, and all further requests of this kind are filtered successfully. (Damn hard to explain lol.)


Voice servers:
Again, I can only recommend OVH Game Protection. It works with TeamSpeak as efficiently as with the supported games.


Web sites:
Akamai or Prolexic. Since Akamai owns a large global infrastructure, they are well prepared for big attacks. They also have their own filters for HTTP attacks. Their offers are very expensive, but unreservedly recommendable, even if they have just recently dropped Krebsonsecurity.

We are talking about attacks beyond good and evil there. Over 1 Tbit/s of SYN traffic is far beyond what most targets ever see and is extremely rare.

There are many other providers, and each has its strengths and weaknesses.
The best protection does not exist, because each one is better for a different kind of service.
You should definitely prefer providers with solutions developed specifically for your application.


Differences between DDoS filtering solutions
OVH VAC
VAC by OVH is a very well developed anti-DDoS solution. It filters pretty much all attacks (except application-specific UDP attacks, for example against TeamSpeak 3, Counter-Strike etc.) and knows almost no limits. OVH VAC has existed since 2013, and since then no customer has been null-routed.

According to OVH, the official limits are around 640 Gbit/s (160 Gbit/s per VAC), but in 2016 OVH received an attack of 1.1 Tbit/s TCP and was able to fend it off successfully without any significant traffic congestion.
There were only small problems with Spanish customers. Furthermore, OVH VAC responds within a few seconds and is very good as "just in case" protection.

But as you know, it is also available as a permanent version. Another point for OVH VAC is the upcoming upgrade this year, which increases the capacity from 640 Gbit/s to about 5 Tbit/s 8o The whole thing is achieved with FPGA controllers, which can handle very CPU-intensive calculations (DDoS traffic filtering?! :P) a lot faster than ordinary CPUs. That is quite something. The only downside right now is the missing Layer 7 filter for web attacks such as WordPress pingback or Joomla amplification.
OVH VAC Game
Because OVH VAC is unable to effectively filter UDP attacks, OVH has integrated packet validation into its Tilera firewall. The Tilera serves as a kind of cache and controls the incoming and outgoing traffic, so it is better able to distinguish bad UDP traffic from good.

OVH has developed profiles for each service (TeamSpeak, Mumble, CS:GO, Minecraft), allowing only the traffic specific to it. OVH has been very successful with this solution, and it is currently the most effective way to ward off DDoS attacks for the supported applications.
Arbor filtering systems
The best known are Arbor Peakflow and Pravail. Many hosters use these anti-DDoS systems to filter large and "simple" attacks (NTP, DNS, SSDP, Chargen, etc.), for which these systems are designed and work optimally. OVH and Voxility also use these systems. They are perfect for what we call rough attacks.

Arbor Pravail, on the other hand, also works at the application level and can filter various application-specific attacks. With a large infrastructure and other complementary systems, Arbor systems can be harmonized wonderfully as DDoS protection; see OVH, Voxility, FirstColo etc. They are, so to speak, a staple for various large providers.
Voxility
Voxility also has an effective DDoS protection, which, like OVH's, consists of a cloud system with various scrubbing centers and hardware firewalls that filter application-specific traffic. Here is a small overview:

As you can see, Voxility filters out the application-specific attacks on various standard ports. Thus, Voxility has a general protection that works for many applications, both in sensor mode and in permanent mode. I personally see Voxility as a good general solution. They also filter pretty much all attacks, even more than OVH, but their filters are not as optimally adapted to the applications.

This can be seen, for example, from the fact that a TeamSpeak server behind Voxility's permanent protection has packet loss of up to 8%. I have had a lot of talks with Voxility about this problem, and towards the end the blame was put on the TeamSpeak application. I think little will change on this point, therefore.

Unlike OVH VAC, Voxility includes an inline Layer 7 filter for attacks on the web server. This means that large HTTP attacks such as WordPress pingback or Joomla amplification, which cause on average 20,000 requests per second, are filtered. These attacks are often used against websites because they generate a high number of requests. In addition, basic HTTP floods are filtered.

But when it comes to complex Layer 7 attacks on websites (JavaScript bypass, dynamic HTTP requests, etc.), you have to take matters into your own hands again. For these reasons, Voxility is often used as remote protection. It is an effective, well-maintained general filter for a variety of applications.

As with OVH, all resources are shared. Voxility has a filter capacity of about 1 Tbit/s at the moment; null routes are performed in the range of 100-300 Gbit/s, depending on whether you have dedicated packages or general packages at Voxility.