Introduction to DDoS attacks

Distributed Denial of Service (DDoS) combines many computers into an attack platform and, through remotely controlled malicious programs, launches denial-of-service attacks against one or more targets, exhausting the target server's processing capacity or network bandwidth so that it can no longer provide services normally.

Principle of Attack

Usually, the attacker uses an illegitimately obtained account to install a DDoS master control program on one computer and agent programs on many computers across the network. At a set time, the master program communicates with the large number of agents, and each agent launches an attack on the target as soon as it receives the instruction. A master program can activate hundreds of agents within a few seconds.

The harm of DDoS attacks

DDoS attacks can cause the following harm to your business:
Heavy economic loss
After a DDoS attack, your origin server may be unable to provide services, so users cannot reach your business, leading to large economic and brand losses.
For example, when an e-commerce platform is under DDoS attack, its website cannot be accessed normally or is even temporarily shut down, so legitimate users cannot place orders or purchase goods.
Data breach
While conducting a DDoS attack on your server, attackers may take the opportunity to steal your business's core data.
Malicious competition
Malicious competition exists in some industries. Competitors may attack your services with DDoS to gain an advantage in the industry.
For example, a game business suffered a DDoS attack, the number of players dropped sharply, and the game business went completely offline within a few days.

Common types of DDoS attacks

Each classification below lists its attack subclasses, followed by a description.
Malformed packet attacks
Malformed packet attacks mainly include Frag Flood, Smurf, Stream Flood, Land Flood, and malformed IP, TCP and UDP packets.
A malformed packet attack achieves denial of service by sending defective IP packets to the target system, causing the target to crash while processing them.
Transport layer DDoS attacks
Transport layer DDoS attacks mainly include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, and RST Flood.
Take SYN Flood as an example. It abuses the TCP three-way handshake: when the server receives a SYN request, it must keep the half-open connection in its listen queue for a certain period. By continuously sending SYN requests without ever answering the SYN+ACK replies, the attacker consumes server resources. Once the listen queue is full, the server can no longer respond to requests from normal users, which is the denial of service.
DNS DDoS attacks
DNS DDoS attacks mainly include DNS Request Flood, DNS Response Flood, DNS Query Flood with spoofed and real sources, attacks on authoritative servers, and attacks on local DNS servers.
Connection-based DDoS attacks
Connection-based DDoS attacks mainly refer to slow TCP connection attacks, connection exhaustion attacks, and slow attacks from tools such as LOIC, HOIC, Slowloris, PyLoris and XOIC.
Take Slowloris as an example. Its target is the concurrency limit of the web server: once the number of concurrent connections reaches the upper limit, the web service cannot accept new requests. When the web service receives a new HTTP request it opens a connection to process it and closes the connection when processing is complete; if connections are never released, every new HTTP request needs yet another connection, and once all connections are held open the web server can no longer process any new request. Slowloris exploits a feature of the HTTP protocol to hold connections open: an HTTP request header block ends with \r\n\r\n, so if the web server has only received \r\n it assumes the headers are not finished, keeps the connection open, and waits for the rest of the request.
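The Slowloris description above comes down to connections that never send the terminating blank line. The following added example (not code from the original page) shows the defender-side check a server or reverse proxy needs over constructed connection records: a total header-read deadline per connection plus a cap on incomplete connections per client IP. It also shows why an idle timeout alone does not catch it. The timeouts, the per-IP cap and the sample addresses are assumptions.

```python
"""Triage stalled HTTP connections of the kind Slowloris creates.
Added example with constructed data; not code from the original page."""
from dataclasses import dataclass
from typing import List, Tuple

HEADER_END = b"\r\n\r\n"
HEADER_DEADLINE = 10.0       # max seconds a client gets to finish its request headers (assumed)
IDLE_TIMEOUT = 10.0          # a typical idle timeout, kept only for comparison (assumed)
MAX_INCOMPLETE_PER_IP = 20   # incomplete connections tolerated per client IP (assumed)


@dataclass
class Conn:
    client_ip: str
    opened_at: float     # seconds (monotonic) when the connection was accepted
    last_byte_at: float  # when the most recent byte arrived
    buf: bytes           # request bytes received so far


def headers_complete(buf: bytes) -> bool:
    """HTTP headers end with a blank line; until then the request is incomplete."""
    return HEADER_END in buf


def idle_timed_out(c: Conn, now: float) -> bool:
    """Idle-based check: misses Slowloris, which trickles a header line every few seconds."""
    return now - c.last_byte_at > IDLE_TIMEOUT


def stalled(c: Conn, now: float) -> bool:
    """Deadline-based check: total time since accept, regardless of trickled bytes."""
    return not headers_complete(c.buf) and now - c.opened_at > HEADER_DEADLINE


def triage(conns: List[Conn], now: float) -> Tuple[List[Conn], List[str]]:
    """Return connections to close and client IPs holding too many incomplete requests."""
    to_close = [c for c in conns if stalled(c, now)]
    incomplete = {}
    for c in conns:
        if not headers_complete(c.buf):
            incomplete[c.client_ip] = incomplete.get(c.client_ip, 0) + 1
    flagged = sorted(ip for ip, n in incomplete.items() if n > MAX_INCOMPLETE_PER_IP)
    return to_close, flagged


def sample_connections() -> List[Conn]:
    """Constructed sample: one source holding 25 never-finished requests open for 30 s while
    sending a byte every few seconds, one normal client, one slow client still inside the deadline."""
    partial = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: 1\r\n"   # no blank line yet
    full = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    conns = [Conn("198.51.100.7", 0.0, 28.0, partial) for _ in range(25)]
    conns.append(Conn("203.0.113.5", 28.0, 28.5, full))
    conns.append(Conn("203.0.113.9", 25.0, 29.0, partial))  # only 5 s old, still allowed
    return conns


def demo(now: float = 30.0):
    return triage(sample_connections(), now)
```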
Web application layer DDoS attack
Web application layer attacks mainly refer to attacks such as HTTP Get Flood, HTTP Post Flood, and CC.
Generally, application layer attacks completely simulate user requests, similar to various search engines and crawlers. These attacks have no strict boundaries with normal businesses and are difficult to distinguish.

Some transactions and pages in web services are resource-intensive. For example, with paging and table splitting in web applications, if the page parameter is set very large, frequent page turning consumes far more web service resources. Especially under high concurrency and frequent calls, transactions like these became the targets of early CC attacks.

Since most current attacks are mixed, frequent operations that simulate user behavior can be regarded as CC attacks. For example, the visits that various ticketing software makes to websites are, to some extent, CC attacks.

The CC attack is aimed at the back-end business of Web applications. In addition to causing denial of service, it also directly affects the functions and performance of Web applications, including Web response time, database services, disk read and write, etc.
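As an added example (not part of the original page), the following Python script applies the two observations above to constructed access-log lines: it counts requests per client IP in fixed 10-second windows and flags clients whose rate is implausible for a human, and it separately counts hits on a paging endpoint with an abnormally large page parameter. The thresholds, the log format and the /list?page= endpoint are assumptions.

```python
"""Flag CC / HTTP-flood style clients in a web access log.
Added example with constructed log lines; not code from the original page."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Common/combined log format prefix: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
WINDOW = 10       # seconds per counting bucket (assumed)
RATE_LIMIT = 30   # requests per bucket above which a client is suspect (assumed)
MAX_PAGE = 50     # page index beyond which a paging request is treated as abusive (assumed)


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable line: skip, never crash the detector
    ip, ts, _method, path, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "t": int(when.timestamp()), "path": path}


def expensive(path: str) -> bool:
    """Paging requests with a very large page index hit the costly part of the backend."""
    page = parse_qs(urlsplit(path).query).get("page", ["0"])[0]
    try:
        return int(page) > MAX_PAGE
    except ValueError:
        return False


def analyse(lines: List[str]) -> Tuple[List[str], Dict[str, int]]:
    per_bucket: Dict[tuple, int] = defaultdict(int)     # (ip, bucket) -> requests
    expensive_hits: Dict[str, int] = defaultdict(int)   # ip -> abusive paging requests
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        per_bucket[(rec["ip"], rec["t"] // WINDOW)] += 1
        if expensive(rec["path"]):
            expensive_hits[rec["ip"]] += 1
    flooding = sorted({ip for (ip, _b), n in per_bucket.items() if n > RATE_LIMIT})
    return flooding, dict(expensive_hits)


def sample_log() -> List[str]:
    """Constructed: 40 requests in 10 s from one client walking pages 1000+, plus a normal client."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.23", s=i // 4, p=f"/list?page={1000 + i}") for i in range(40)]
    lines += [fmt.format(ip="203.0.113.8", s=s, p="/list?page=2") for s in (1, 15, 30)]
    lines.append("this line is not in log format")
    return lines
```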

How to tell whether your business is under DDoS attack

Your business may be under DDoS attack when the following occur:
With the network and equipment otherwise normal, the server suddenly suffers disconnections, access freezes, and user drop-offs.
Server CPU or memory usage increases significantly.
Outbound or inbound network traffic increases significantly.
A large number of visits from unknown sources suddenly hit your website or application.
Logging in to the server fails or is very slow.

DDoS attack types by layer

A distributed denial of service (DDoS) attack is a malicious network attack against a target system. It usually leaves the victim's business inaccessible, which is the "denial of service". DDoS attacks can be grouped by the layer they target:
Network layer attacks
The typical type is the UDP reflection attack, such as NTP Flood. These attacks mainly use large traffic volumes to congest the target's network bandwidth so that the target's business cannot respond normally to customer visits.
Transport layer attacks
Typical types include SYN Flood and connection-count attacks. These attacks achieve denial of service by occupying the server's connection pool resources.
Session layer attacks
The typical type is the SSL connection attack, which occupies the server's SSL session resources to achieve denial of service.
Application layer attacks
Typical types include DNS flood, HTTP flood (CC attack), and game fake-player attacks. These attacks occupy the server's application processing capacity and heavily consume its computing resources, thereby achieving denial of service.

DDoS attack mitigation best practices

Provision spare bandwidth
Through server performance testing, evaluate the bandwidth and request volume that can be sustained under normal business conditions. When purchasing bandwidth, keep a certain margin so that traffic rising above normal usage during an attack does not immediately affect normal users.
Harden server security and improve capacity, such as the number of connections the server can hold.
Harden the operating system and software services on the server to reduce the attack surface and raise the attacker's cost:
Ensure that the server's system files are up to date and apply system patches promptly.
Check all server hosts so that you know where visitors come from.
Disable unnecessary services and ports. For example, a WWW server should only open port 80 and close all other ports, or block them with a firewall policy.
Limit the number of SYN half-open connections allowed at the same time, shorten the SYN half-open connection timeout, and rate-limit SYN and ICMP traffic.
Carefully check the logs of network devices and server systems. If a vulnerability or an unexpected time change appears in them, the server may have been attacked.
Restrict network file sharing outside the firewall to reduce the chance of attackers intercepting system files; if an attacker replaces one with a Trojan horse, the file transfer function will be crippled.
Make full use of network equipment to protect network resources. When configuring routers, consider policies for flow control, packet filtering, half-open connection timeouts, discarding junk packets, discarding packets with forged source addresses, SYN thresholds, and disabling ICMP and UDP broadcast.
Use a software firewall such as iptables to restrict new TCP connections from suspected malicious IPs and to limit their connection and transmission rates.
Do business monitoring and emergency response
Pay attention to basic DDoS protection monitoring
When your business is under DDoS attack, basic DDoS protection sends warning messages by SMS and email by default; for high-volume attacks it also supports telephone alarms. Start emergency response as soon as you receive a warning.
Monitoring
The monitoring service collects resource monitoring metrics or user-defined metrics, detects service availability, and supports setting alarms on those metrics.
Establish emergency response plan
According to the current technical business structure and personnel, emergency technical plans are prepared in advance, and technical drills can be carried out in advance if necessary to test the rationality of the emergency response plans.
Web Application Firewall (WAF)
For website applications, such as common HTTP Flood attacks, WAF can be used to provide effective defense against connection layer attacks, session layer attacks, and application layer attacks.
Game shield
Game Shield is an industry solution for DDoS attacks and CC attacks that are common in the game industry. Compared with high-defense IP services, the game shield solution is more targeted, with better attack defense effects and lower costs for the game industry.

Things to avoid

DDoS attacks are recognized as the public enemy of the industry. They affect not only the attacked party but also the stability of the service provider's network, causing losses to other users' businesses on the same network.

A computer network is a shared environment whose stability depends on all parties. Some behaviors can affect the overall network and other tenants' networks, so you need to avoid the following:
Avoid using cloud product mechanisms to build your own DDoS protection platform.
Avoid releasing instances that are in a black hole state.
Avoid continuously replacing, unbinding or adding SLB IPs, elastic public IPs, NAT gateways and other IP products for servers in a black hole state.
Avoid setting up IP pools for defense and spreading attack traffic across a large number of IPs for defense.
Avoid placing a business that is under attack behind Cerberus cloud products that are not network security defense products (including but not limited to CDN and OSS).
Avoid using multiple accounts to bypass the above rules.

DDoS High Defense (Anti-DDoS Premium) FAQ
What happens after an Anti-DDoS Premium instance expires?

After an Anti-DDoS Premium instance expires, it provides no defense capability. Forwarding rules keep working normally for 7 days after expiration, but traffic above the limit triggers rate limiting, which may cause random packet loss. Service traffic forwarding stops 7 days after expiration; if your business access address still resolves to the instance at that point, the business will be inaccessible.

Anti-DDoS Premium service bandwidth description

The service bandwidth of an Anti-DDoS Premium instance refers to the normal service traffic that passes through the protection service of the instance; the larger of the inbound and outbound traffic is taken, in Mbps. You can upgrade the instance on the instance management page of the Anti-DDoS Premium console to increase its service bandwidth. For more information, see Upgrade DDoS High Defense Instance Specifications.

What is the impact of exceeding the Anti-DDoS Premium service bandwidth?

If your business traffic exceeds the service bandwidth of the purchased Anti-DDoS Premium instance, rate limiting is triggered, which may cause random packet loss.

Does DDoS Anti-DDoS support manual unblocking after being black holed?

Anti-DDoS Premium (International): Not currently supported.

What are the return-to-source IP addresses of Anti-DDoS Premium?

You can view the back-to-source IP ranges of Anti-DDoS Premium on the domain name access page of the Anti-DDoS Premium console. For more information, see Release DDoS High Anti-Back-to-Source IP.

Can an internal network IP be used as the origin server IP in the Anti-DDoS Premium service?

No. Anti-DDoS Premium returns to the origin over the public network and does not support entering an internal network IP directly.

Is there a delay in modifying the source site IP of the Anti-DDoS Premium service?

There is a delay. After you modify the origin server IP protected by the Anti-DDoS Premium service, the change takes about five minutes to take effect. It is recommended that you make the change during off-peak hours. For more information, see Replacing the public network IP of the source site ECS.

An Anti-DDoS Premium instance is configured with multiple website services. After an attack, how can I check which website was attacked?

For a high-traffic DDoS attack against an Anti-DDoS Premium instance, it is impossible to tell from the packet level which website was attacked. It is recommended that you use multiple Anti-DDoS Premium instances and deploy your websites on different instances, so that the attack status of each website can be viewed separately.

Does Anti-DDoS Premium support health check?

Yes. Health check is enabled by default for website services. For non-website services it is not enabled by default, but it can be enabled in the Anti-DDoS Premium console. For details, see Setting Health Check. For more about health check, see Health Check Overview.

How to perform load balancing when Anti-DDoS Premium is configured with multiple sources?

Website services are load balanced by source address hash. Non-website services are forwarded by weighted round robin.

Does Anti-DDoS Premium service support session persistence?

Supported.
For non-website services, you can enable session persistence in the Anti-DDoS Premium console. For specific operations, see Setting Session Retention.

How is the session persistence of Anti-DDoS Premium service implemented?

After session persistence is enabled, the Anti-DDoS Premium service keeps sending requests from the same client IP to the same origin server for the configured persistence period. However, if the client's network environment changes (for example, switching from wired to wireless, or from a 4G network to wireless), the client IP changes and session persistence no longer applies.

What is the default connection timeout period for Layer 4 TCP of Anti-DDoS Premium?

900 seconds. For non-website services, you can adjust this setting through the Anti-DDoS Premium console. For specific operations, see Setting Session Retention.

What is the default connection timeout period for HTTP or HTTPS in Anti-DDoS Premium?

120 seconds.

Does Anti-DDoS Premium service support IPv6 protocol?

Not currently supported.

Does Anti-DDoS Premium service support Websocket protocol?

Supported. For more information, see Anti-DDoS Premium WebSocket configuration.

Does Anti-DDoS Premium service support HTTPS two-way authentication?

Website access does not support HTTPS mutual (two-way) authentication. Non-website access with TCP forwarding does support it.

Why can't old browsers and Android clients access HTTPS sites normally?

The client may not support SNI (Server Name Indication). Confirm whether the client supports SNI. For problems that may be caused by SNI, see HTTPS access exceptions that may be caused by SNI.

What are the SSL protocols and encryption suites supported by Anti-DDoS Premium?

Supported SSL protocols:
- TLS v1.0
- TLS v1.1
- TLS v1.2

Supported cipher suites:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA384
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- AES128-SHA
- AES256-SHA
- DES-CBC3-SHA
- RSA+3DES
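To make the list above actionable, here is an added Python helper (not code from the original page) that parses each OpenSSL-style suite name into its security properties and ranks them: ECDHE suites give forward secrecy, GCM suites are AEAD, and DES-CBC3-SHA and RSA+3DES rely on 3DES, a 64-bit block cipher. The suite names are the page's; the scoring rules are an assumption.

```python
"""Classify the cipher suites listed on this page by the security properties they provide.
Added example; the suite names are the page's, the scoring rules are assumed."""
from typing import Dict, List

SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RSA+3DES",
]
DEPRECATED_PROTOCOLS = {"TLS v1.0", "TLS v1.1"}   # formally deprecated by RFC 8996


def classify(name: str) -> Dict[str, object]:
    """Parse an OpenSSL-style suite name. 'RSA+3DES' is an OpenSSL cipher-string
    expression rather than one suite, so it is read as 'RSA key exchange with 3DES'."""
    pfs = name.startswith("ECDHE-")
    triple_des = "3DES" in name or "DES-CBC3" in name
    aead = "-GCM-" in name
    mac = "AEAD" if aead else name.rsplit("-", 1)[-1]
    concerns: List[str] = []
    if not pfs:
        concerns.append("no forward secrecy (static RSA key exchange)")
    if triple_des:
        concerns.append("3DES: 64-bit block cipher, weak for long-lived connections")
    elif not aead:
        concerns.append("CBC mode without AEAD")
    if mac == "SHA":
        concerns.append("HMAC-SHA1 integrity")
    return {"suite": name, "pfs": pfs, "aead": aead, "3des": triple_des, "concerns": concerns}


def rank(suites: List[str]) -> List[str]:
    """Strongest first: PFS with AEAD, then PFS without AEAD, ..., 3DES last."""
    def score(n: str):
        c = classify(n)
        return (not c["pfs"], not c["aead"], bool(c["3des"]), len(c["concerns"]))
    return sorted(suites, key=score)


def legacy_suites(suites: List[str]) -> List[str]:
    """The suites a defender would remove first: the 3DES-based ones."""
    return [s for s in suites if classify(s)["3des"]]
```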

What are the restrictions on the number of protected ports and protected domains supported by Anti-DDoS Premium?

Number of protected ports:
An Anti-DDoS Premium instance supports 5 ports by default and can be expanded to 400 ports.

Number of supported domain names:
An Anti-DDoS Premium instance supports 10 domain name configurations by default and can be expanded to a maximum of 200.

The server's traffic does not reach the cleaning threshold. Why does the cleaning traffic appear in the security overview?

For services connected to Anti-DDoS Premium, the service automatically filters some malformed packets out of the network traffic (such as SYN packets, abnormal SYN flags, and other packets that do not conform to the TCP protocol) so that your business server does not waste resources processing them. These filtered malformed packets are also counted as cleaning traffic, so cleaning traffic can appear even when your server traffic has not reached the cleaning threshold.

Does the Anti-DDoS Premium service support access to websites that use NTLM protocol authentication?

Not supported. Access requests forwarded by Anti-DDoS Premium may fail the origin server's NTLM authentication, so the client repeatedly shows authentication prompts. It is recommended that your website use another authentication method.