DDoS Attacks, Protection and Anti-DDoS

Yagiz Ozturk
Published in Huawei Developers
5 min read · May 15, 2023
DDoS Attack Example

Introduction

Hello everyone!
Today I’m gonna take you on a small journey through DDoS attacks and how to protect ourselves from them in cloud environments. 😊

What is a DDoS attack and what is its goal?

A DDoS attack is a cyber-attack that makes a machine or network resource unavailable, temporarily or indefinitely, by disrupting the services of a host connected to the network. The most common DDoS attack layers are the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) layers.

Imagine you have a nice little pizza house🍕, and your customers place orders with your shop regularly every day. Then a joker calls and orders 250 pizzas at once, but the order has fake debit card credentials or a fake delivery address. With this order on your hands you can’t take another one, and you can’t get in touch with your real customers for the rest of the day.

What are the DDoS types?

There are three generalized categories of attack:

  • Volumetric (raw attack)
  • Protocol (misuse of IT protocols)
  • Application (misuse of application features)

DDoS Attack Using Zombies

Within these three categories there are dozens of DDoS attack types, built on protocols such as UDP, ICMP, IP, TCP and HTTP.

Layers and Common DDoS Attacks

Protection from DDoS Attacks in Cloud Environments

In general, there are a few techniques for protection:

  • Reduce the attack surface area
  • Plan for scale
  • Be aware of which traffic is normal or abnormal
  • Deploy firewalls for complicated attacks

Reducing the Surface Area

If you reduce the surface area, you limit the options for attackers. A small area is easier to defend than the whole system.

It’s simple and easy to say, but how do you do it?

The answer is quite simple too.😅😅

Put your computation resources behind CDNs or load balancers and keep your database servers away from direct Internet connections. Use firewalls and be meticulous when creating your security rules.
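One way to check the advice above is to audit firewall rules for anything that widens the surface area. This is an added example, not code from the original article or from Huawei Cloud; the rule format, group names, subnets and port lists are constructed assumptions.

```python
import ipaddress

# Constructed sample rules in a generic form; this is not a Huawei Cloud API format.
LB_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # assumed subnet of the load balancer
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
EDGE_PORTS = {80, 443}                            # the only ports the edge should expose

SAMPLE_RULES = [
    {"group": "lb",  "port": 443,  "source": "0.0.0.0/0"},
    {"group": "app", "port": 8080, "source": "10.0.1.0/24"},
    {"group": "app", "port": 22,   "source": "0.0.0.0/0"},
    {"group": "db",  "port": 3306, "source": "0.0.0.0/0"},
    {"group": "db",  "port": 5432, "source": "10.0.2.0/24"},
    {"group": "app", "port": 8080, "source": "::/0"},
]

def is_internet_wide(cidr):
    """True when the CIDR admits any address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(rules):
    """Return (group, port, reason) findings for rules that widen the attack surface."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["source"], strict=False)
        if r["group"] == "lb":
            # The load balancer is meant to face the Internet, but only on edge ports.
            if r["port"] not in EDGE_PORTS:
                findings.append((r["group"], r["port"], "unexpected port on load balancer"))
            continue
        if is_internet_wide(r["source"]):
            what = DB_PORTS.get(r["port"], "backend port")
            findings.append((r["group"], r["port"], f"{what} open to the whole Internet"))
        elif r["group"] == "app" and not (
            src.version == LB_SUBNET.version and src.subnet_of(LB_SUBNET)
        ):
            # App servers should only accept traffic that came through the load balancer.
            findings.append((r["group"], r["port"],
                             "app tier reachable from outside the load balancer subnet"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```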

Plan for Scale

Be sure that your hosting provider offers continuous, uninterrupted and reliable Internet connectivity. Locating resources or applications closer to the end user is a good solution, but it may not be enough for high availability. In some scenarios, scaling the bandwidth for high volumes of traffic can be a MUST.

The system should be able to scale its computation resources up or down quickly. Larger computation resources can be enough to solve the problem, but when they are not, load balancers are commonly used to monitor the load and redirect it between resources.

💥Be scalable in transfer and server capacity at all times! 💥

Be Aware of Which Traffic is Normal or Abnormal

The key is to accept only as much traffic as your resources can handle. More advanced techniques can analyse the individual packets themselves and filter the traffic. Think of an experienced police officer: some of them can tell what you are hiding in your coat.
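Both ideas in this section can be sketched in a few lines: a token bucket that admits only what the backend can serve, and a per-source count compared against a baseline. This is an added example, not code from the original article; the capacity figures, the median baseline with a factor of 10, and the sample events are constructed assumptions.

```python
from collections import Counter
from statistics import median

class TokenBucket:
    """Admit requests only at the rate the backend can serve (rate and burst are assumed)."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def abnormal_sources(events, factor=10):
    """Sources whose request count exceeds `factor` times the median per-source count."""
    counts = Counter(src for _, src in events)
    baseline = median(counts.values())
    return sorted(s for s, n in counts.items() if n > factor * baseline)

def constructed_events():
    """Constructed sample: (timestamp, source IP) pairs within one second."""
    normal = [(i * 0.1, f"198.51.100.{i % 5 + 1}") for i in range(10)]  # 5 clients, 2 requests each
    flood = [(i * 0.005, "203.0.113.9") for i in range(200)]            # one source, 200 requests
    return sorted(normal + flood)

def admit(events, rate_per_s=50, burst=20):
    """Replay events through the bucket; return (admitted, shed) counts."""
    bucket, admitted = TokenBucket(rate_per_s, burst), 0
    for ts, _ in events:
        admitted += bucket.allow(ts)
    return admitted, len(events) - admitted

if __name__ == "__main__":
    events = constructed_events()
    print("abnormal sources:", abnormal_sources(events))
    print("admitted, shed:", admit(events))
```

The bucket alone sheds good and bad requests alike once capacity is reached; the per-source view is what lets a filter drop the abnormal source first.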

Deploy Firewalls for Complicated Attacks

These kinds of attacks have a unique nature, so users should be able to create custom mitigations. Disguising itself as good traffic, coming from bad IPs and arriving from unexpected geographies are some of the characteristics of complicated attacks.

What can we do in Huawei Cloud against DDoS attacks?

Huawei Cloud offers multiple security solutions against DDoS attacks. Users can select one based on their service requirements.

Let’s talk about the Anti-DDoS Service. This service includes Cloud Native Anti-DDoS Basic (CNAD Basic), Cloud Native Anti-DDoS Advanced (CNAD Advanced) and Advanced Anti-DDoS (AAD). CNAD Advanced and AAD are paid services, while CNAD Basic is free. These subservices have some differences between them.

Let’s dive in!

HuaweiCloud Anti-DDoS Subservices

Cloud Native Anti-DDoS Basic (CNAD Basic)

CNAD Basic detects attacks in real time and scrubs attack traffic based on user-configured defense policies without interrupting the service. It also allows you to monitor the service traffic from the Internet to public IP addresses, but it is limited in some ways:

  • Maximum 5 Gbit/s DDoS mitigation capacity, if the Huawei Cloud bandwidth is available
  • 2 Gbit/s traffic peak, the maximum traffic that Anti-DDoS can defend against

Cloud Native Anti-DDoS Advanced (CNAD Advanced)

This one provides higher DDoS protection capability for cloud services. It is easier to use and easier to control, and it has better protection capability. Capabilities of this subservice:

  • Advanced DDoS protection
  • Maximum 20 Gbit/s bandwidth to defend against attacks

Anti-DDoS Subservices Capabilities

Advanced Anti-DDoS (AAD)

If the service servers are deployed outside the Chinese mainland and the users are also outside the mainland of China, the user needs to purchase Advanced Anti-DDoS (AAD). This subservice offers over 5 TB/s of AAD defense capability and supports unlimited AnyCast defense.

A Scenario for AAD

Conclusion

DDoS attacks aim to make a machine or network resource unavailable for a while. Sometimes this period is minutes, but sometimes days. Layer 3, Layer 4, Layer 6 and Layer 7 are the common DDoS attack layers. If the workload on a server is critical, or the user doesn’t want their data harmed, extra security options are a MUST. Cloud environments are the best way to protect data and keep workloads uninterrupted. Huawei Cloud has multiple security options and can protect everything inside the environment with WAF, Anti-DDoS, etc.

This article is just a beginning! Keep in touch 😊
