Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection
Abstract: This white paper describes the classification of DDoS attacks, the disadvantages of traditional DDoS protection and the technical principles and typical networking application of H3C DDoS protection.
DDoS: Distributed Denial of Service
DoS: Denial of Service
A DoS attack is launched in a one-to-one manner, while a DDoS attack controls many compromised "zombie" hosts to attack a single target. By planting the zombie program on these machines, a hacker can quickly build an army of zombies for launching DDoS attacks. With enough zombie hosts participating (one hundred thousand or more), the volume of an attack can be staggering.
By taking advantage of weaknesses in some TCP/IP protocols, hackers can overwhelm a target network or server simply by sending it a huge amount of traffic, or incomplete and malformed packets, leaving the victim unable to provide normal services.
DDoS attacks are difficult to defend against because the illegitimate packets are indistinguishable from legitimate packets and thus cannot be identified through a signature database. In addition, DDoS attacks use spoofed but valid-looking source IP addresses, thereby eluding source identification by anomaly-based monitoring tools.
The two most common types of DDoS attacks are as follows.
These DDoS attacks send a large number of seemingly legitimate packets to a specific router, server, or firewall which generally has limited processing resources, thus causing the victim to deny normal access requests.
These DDoS attacks use the characteristics of protocols such as TCP and HTTP to consume the resources of victims and prevent them from processing requests. HTTP half-open and HTTP error attacks are examples of application attacks. When agents are used, application attacks are even more disruptive.
The main method of traditional DDoS protection is to set traffic thresholds for different attack behaviors. It has the following disadvantages:
• Complex configuration and insufficient adaptation: Because the user may not have a good understanding of different attack behaviors, it is hard for the user to make correct settings. In addition, this method cannot adjust thresholds according to dynamic changes of traffic.
• Limited defense: Today’s DDoS attacks are more complicated and disruptive. A DDoS attack process may involve half-open attacks such as SYN flood, UDP flood and ICMP flood, connection attacks such as TCP connection flood, and application attacks such as HTTP get flood and HTTP put flood. Traditional DDoS protection aims at a specific type of attack, such as SYN flood, and cannot satisfy current defense requirements.
• No capability against unknown DDoS attacks: As the source code of DDoS attack tools spreads across the Internet, attackers can easily change the types of DDoS attack packets, which traditional DDoS protection cannot identify or take countermeasures against.
H3C DDoS protection adopts an adaptive, multi-level architecture to detect and defend against DDoS attacks. It identifies DDoS attacks through authentication and analysis and then adopts countermeasures against them.
As shown in Figure 1, the H3C DDoS protection architecture comprises the following modules.
Filtering rule module
Filtering rules are either static or dynamic. A static filtering rule is configured manually. A dynamic filtering rule is generated when the traffic anomaly and application anomaly identification modules detect abnormal traffic through traffic statistics and behavior analysis.
The filtering rule module filters traffic with filtering rules. It blocks attack traffic and sends suspicious traffic to the dynamic authentication module for authentication.
Dynamic authentication module
The dynamic authentication module uses various methods, such as HTTP/DNS request redirection, to authenticate the traffic passing the filtering rule module, and blocks packets having spoofed source IP addresses.
Traffic anomaly identification module
The traffic anomaly identification module counts the traffic passing the filtering rule and dynamic authentication modules and compares the result to the normal traffic baseline. If the result exceeds the baseline, the traffic anomaly identification module generates a dynamic filtering rule used by the filtering rule module to filter subsequent traffic.
The normal traffic baseline is learned when the protected object works normally. If the baseline is exceeded, this indicates that abnormal traffic may exist. In this case, authentication and confirmation measures need to be taken.
Application anomaly identification module
The application anomaly identification module performs in-depth analysis on the application-layer traffic passing the filtering rule and dynamic authentication modules. Upon detection of an application anomaly, it generates a dynamic filtering rule used by the filtering rule module to filter subsequent traffic.
Bandwidth control module
Packets passing all preceding modules are considered normal, but a large number of such packets can also overload the protected object. The bandwidth control module solves this issue by limiting the bandwidth to be occupied by incoming traffic.
H3C DDoS protection is implemented as follows.
• Traffic learning: Uses the traffic detection parameters embedded in the system to learn and count traffic, and generates the normal traffic baseline while the protected object works normally.
• Threshold adjustment: Uses the traffic detection parameters embedded in the system to learn and count traffic, and integrates the result into the normal traffic baseline to generate a new normal traffic baseline.
• Detection and protection: Counts and analyzes traffic, and compares the result to the normal traffic baseline. Upon detection of anomalies, DDoS protection generates dynamic filtering rules to check and filter traffic, for example by checking the validity of the source IP address and dropping abnormal traffic.
The threshold adjustment and the detection and protection features work continuously to implement dynamic threshold adjustment and protection, which enables the system to adapt to dynamic traffic changes.
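The three steps above (traffic learning, threshold adjustment, detection with dynamic filtering rules) as a small added illustration; this is example code written for this page, not H3C's implementation. The per-second counters, the EWMA weight alpha, the margin multiplier and the rule actions are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: per-second packet counters per traffic class collected
# while the protected object works normally (values are made up).
NORMAL_TRAFFIC = [
    {"tcp_syn": 100, "udp": 50, "icmp": 10},
    {"tcp_syn": 120, "udp": 40, "icmp": 12},
    {"tcp_syn": 80,  "udp": 60, "icmp": 8},
]

def learn_baseline(samples):
    """Traffic learning: average each class's counter to form the normal baseline (pps)."""
    totals = defaultdict(float)
    for sample in samples:
        for cls, count in sample.items():
            totals[cls] += count
    return {cls: totals[cls] / len(samples) for cls in totals}

def adjust_baseline(baseline, sample, alpha=0.2):
    """Threshold adjustment: blend a new normal interval into the baseline (EWMA; alpha assumed)."""
    new = dict(baseline)
    for cls, count in sample.items():
        new[cls] = (1 - alpha) * baseline.get(cls, count) + alpha * count
    return new

def detect(baseline, sample, margin=3.0):
    """Detection: emit a dynamic filtering rule for every class whose rate exceeds
    baseline * margin. A class never seen during learning has a baseline of 0, so any
    traffic in it is flagged; this is how unknown attack types are caught."""
    rules = []
    for cls, count in sample.items():
        limit = baseline.get(cls, 0.0) * margin
        if count > limit:
            # Suspicious SYN traffic goes to the authentication module (SYN cookie);
            # everything else is rate-limited to the learned limit (actions assumed).
            action = "authenticate" if cls == "tcp_syn" else "rate_limit"
            rules.append({"class": cls, "action": action, "limit_pps": int(limit)})
    return rules

def process_interval(baseline, sample):
    """One interval of the continuous loop: detect first, and only fold the interval into
    the baseline when it is clean, so attack traffic cannot raise the threshold."""
    rules = detect(baseline, sample)
    if rules:
        return rules, baseline
    return rules, adjust_baseline(baseline, sample)

if __name__ == "__main__":
    base = learn_baseline(NORMAL_TRAFFIC)
    print(process_interval(base, {"tcp_syn": 5000, "udp": 55, "icmp": 9}))
```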
• Comprehensive DDoS protection against IP layer attacks such as IP fragment attack, TCP layer attacks such as TCP half-open attack, and application layer attacks such as HTTP connection flood and HTTP get flood.
• Defense capability against unknown DDoS attacks: any traffic that exceeds the normal traffic baseline is identified and countered.
• Countermeasures chosen per protocol. For example, SYN cookie is used for authentication and defense against source address spoofing, and HTTP redirection is used for HTTP.
• Network traffic model-based statistics methods, which feature good scalability.
• Dynamic traffic learning and threshold adjustment, which simplify configuration and avoid wrong settings.
As shown in Figure 2, DDoS protection can be deployed at different positions on a network.
• IPS 1: Deployed at the edge of the WAN to defend against DDoS attacks from the Internet and branches.
• IPS 2: Deployed at a data center to defend against DDoS attacks from the Internet and the data center.
• IPS 3 to IPS 5: Deployed between internal LANs to defend against DDoS/DoS attacks from the internal network.
• IPS 6: At the edge of the Internet, deployed between the firewall and the web/POP3/SMTP servers to defend against DDoS attacks from the Internet.
H3C has developed a suite of effective DDoS protection methods based on in-depth analysis, classification and abstraction of all available DDoS attacks. H3C DDoS protection is capable of defending against all known DDoS attacks and most unknown DDoS attacks. As new DDoS attack tools and methods keep emerging, H3C will closely track and analyze them to provide effective DDoS protection solutions to customers.
Copyright © 2009 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
The information in this document is subject to change without notice.