Distributed Denial of Service (DDoS) is currently one of the most common types of network attack. The techniques involved are relatively easy to execute, and many attack programs are readily available. Moreover, the targets are often public-facing internet services in industries such as finance, gaming, e-commerce platforms, and online streaming. Because such services must remain reachable by the public, traditional network firewall restrictions may not be sufficient to block these attacks completely, and the resulting service unavailability causes significant business losses.

Common objectives of DDoS attacks include:
  1. Consuming network bandwidth resources: Flooding the target server with a large volume of traffic to cause network congestion. Examples include ICMP Flood, UDP Flood, SSDP Attack, NTP Amplification Attacks, DNS Amplification Attacks, and Memcached Amplification Attacks.
  2. Consuming server resources: Overloading the target server's CPU and RAM by exploiting the characteristics of the TCP three-way handshake protocol. Examples include SYN Flood, SYN ACK Flood, ACK Flood, ICMP Flood, and Sockstress Attack.
  3. Consuming application service resources: Increasing response times and creating bottlenecks in application functionality through the use of large numbers of sessions and special packet patterns. Examples include HTTP Flood (CC), DNS Flood, SSL Flood, and Slowloris Attack.

How to Reduce Losses Caused by Attacks? Network Defense and Connection Acceleration

Common Types of DDoS Attacks

Although application-layer attacks such as HTTP flood can be effectively mitigated with a Web Application Firewall (WAF), a WAF only analyzes application-layer behavior and applies precise access rules; it does not protect against attacks at the network and transport layers. Transport-layer attacks in particular often generate massive traffic that leads to network congestion. For attacks against TCP, UDP, and other transport-layer protocols, Alibaba Cloud provides global Anycast Anti-DDoS protection, which can effectively mitigate their impact.

The Anti-DDoS Premium instance operates through a proxy setup, redirecting incoming traffic from the Internet to the Anti-DDoS cleaning center. Packets are automatically compared against a database of malicious attack signatures and filtered, allowing legitimate traffic to be forwarded to the backend servers. This approach ensures that the service remains unaffected and uninterrupted by mitigating potential threats.

What is Anycast?
DDoS protection instances are built on a global Anycast IP network. Because each source's traffic is routed to the nearest cleaning center, the sources of a distributed denial-of-service attack cannot converge on one location, which prevents a single cleaning center from being overwhelmed by a large volume of attack traffic.

What is a Traffic Scheduler?
The traffic scheduler is an add-on service of DDoS protection. By combining DNS with attack signature matching, it can intelligently switch traffic between content delivery networks (CDNs) and other optimized cloud services.

Practical Operation of Anti-DDoS

Next, a layer of DDoS protection will be added in front of the WAF to protect network security at layers 3-7. The DNS scheduling feature of the DDoS protection service ensures that, until a large-scale DDoS attack occurs, the service uses the CDN to give visitors the best possible browsing experience.

  1. In the product list under the Security category, locate the Anti-DDoS (DDoS Protection) services.

  2. There are three main types of Anti-DDoS options to choose from:
  • DDoS Protection (International): Targeted towards global users.
  • DDoS (New BGP): Primarily for users in China.
  • Native DDoS Protection: Designed to protect services hosted on Alibaba Cloud within the same region.
Protection plans are categorized as follows:
  • Insurance Edition: Provides 2 instances of 24-hour attack protection per month. Suitable for preventing promotional losses during events within a limited budget.
  • Peace of Mind Edition: Offers unlimited protection but comes with relatively higher costs.
  • Accelerated Line: Mainly facilitates Chinese users' access to global services. This additional service does not include DDoS protection on its own and needs to be combined with one of the other two editions for full protection.

Functionality options include:

  • Standard Functions: Default features. Additional functionality such as WebSocket(s), CDN scheduling, and accelerated line scheduling requires the selection of Enhanced Functions.

  3. After setting up the Anti-DDoS instance, you can view the Anycast IP assigned to the instance on the instance management page.

  4. Next, choose the proxy method:

  • Domain Access: Layer 7 proxying. Here, you enter the WAF's CNAME as the backend (origin) server address.
  • Port Access: Layer 4 proxying, suitable for TCP and UDP services on ports other than 80, 443, and 8080.

  5. Once configured, simply point the website domain's DNS record at the Anti-DDoS CNAME to complete the Anti-DDoS integration. For this experiment, however, the CNAME is not resolved to the website domain yet, because we want the scheduler to switch between CDN and Anti-DDoS.

  6. In the traffic scheduler, several scheduling methods are available. Choose CDN-linked scheduling and click "Add Linked."

  7. Alibaba Cloud automatically detects whether the domain is on Alibaba Cloud CDN. Select the associated Anti-DDoS instance and set the QPS threshold to complete the association.

  8. After setup, the scheduler generates a CNAME domain that covers both the CDN and the Anti-DDoS instance addresses. It determines whether incoming traffic exhibits attack behavior and switches services accordingly.

  9. Finally, point the website domain at the scheduler's CNAME.

  10. With a local nslookup you can verify that, when not under attack, the scheduler's CNAME resolves through the scheduler to Alibaba Cloud CDN's CNAME and node IP addresses.

  11. To verify the switching function, stress-test your service. After a period of load, once the scheduler detects an attack, the CNAME resolves to the Anycast IP of the Anti-DDoS instance. You can confirm this in the browser's developer tools.

  12. On the Alibaba Cloud platform you can analyze the ongoing event. In this case, Alibaba Cloud identified an HTTP flood attack and switched to the Anti-DDoS line to filter the malicious traffic.

  13. In the Anti-DDoS Security Overview you can see real-time and historical attack traffic, including Layer 4 and Layer 7 attacks.

  14. After the attack ends, the scheduler automatically switches traffic back to the CDN by default. Alternatively, you can switch it manually on the platform.
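As an added illustration (not Alibaba Cloud's code or part of the original article), the following Python model captures the CDN-linked scheduling behaviour the steps above describe: requests are counted per second and compared with the configured QPS threshold, the scheduler's CNAME target switches from the CDN CNAME to the Anti-DDoS Anycast IP when the threshold is exceeded, and it switches back to the CDN once traffic has stayed under the threshold for a cooldown period. The hostnames, the Anycast IP (a TEST-NET-2 address), the threshold, the cooldown and the request timestamps are constructed assumptions; the real scheduler also uses attack signature matching, so the threshold-only rule here is a simplification.

```python
"""Model of CDN-linked scheduling with a QPS threshold (added example)."""
from collections import Counter

# Constructed placeholder targets; the real values come from the console.
CDN_TARGET = "www.example.com.cdn.example-cdn.invalid"   # CDN CNAME
ANTI_DDOS_TARGET = "198.51.100.10"                      # Anycast IP (TEST-NET-2)


def requests_per_second(timestamps):
    """Count requests per whole second from epoch timestamps (float seconds)."""
    return Counter(int(t) for t in timestamps)


def schedule(timestamps, qps_threshold, cooldown_seconds):
    """Return [(second, qps, target)] showing where the scheduler's CNAME
    points at each second of the observed window."""
    qps = requests_per_second(timestamps)
    if not qps:
        return []
    target = CDN_TARGET
    calm_since = None          # first second QPS fell back under the threshold
    timeline = []
    for second in range(min(qps), max(qps) + 1):
        rate = qps.get(second, 0)
        if rate > qps_threshold:
            target = ANTI_DDOS_TARGET       # attack detected: route to Anti-DDoS
            calm_since = None
        elif target == ANTI_DDOS_TARGET:
            if calm_since is None:
                calm_since = second
            if second - calm_since >= cooldown_seconds:
                target = CDN_TARGET         # attack over: switch back to the CDN
                calm_since = None
        timeline.append((second, rate, target))
    return timeline


def build_sample():
    """Constructed traffic: 5 req/s baseline, a 50 req/s flood in seconds 3-5."""
    ts = []
    for sec in range(12):
        n = 50 if 3 <= sec <= 5 else 5
        ts.extend(sec + i / n for i in range(n))
    return ts


if __name__ == "__main__":
    for second, rate, target in schedule(build_sample(), 20, 3):
        print(f"t={second:2d} qps={rate:3d} -> {target}")
```

With the sample traffic, the CNAME points at the CDN for seconds 0-2, at the Anti-DDoS Anycast IP from second 3 through second 8, and back at the CDN from second 9 once the three-second cooldown has elapsed.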


Through Anti-DDoS you can effectively reduce the losses caused by network attacks. As attacks grow more severe with the rapid development of technology and the spread of 5G high-speed mobile networks, information security defenses must be continuously evolved and sustained.

Author
CTO
藍國豪 Levi Lan