Ruslan Rakhmetov, Security Vision
Fig. 1 - defence against denial of service attacks
Before analysing the means of protection against DDoS attacks, it is worth understanding what such an attack is. DDoS stands for Distributed Denial of Service. It is an attack on a web service that ‘drowns’ it in a stream of traffic and unnecessary requests, increasing the load on the equipment and simply making the resource unavailable to all other users.
There are different types of such attacks: volumetric attacks (which saturate the entire channel bandwidth), and attacks at the UDP, ICMP and other layers of the OSI model. The goal of some attacks is to exhaust system resources with large requests: the capacity of the hardware on which the service runs is not infinite, so a denial of access can be caused by filling all of its memory with the attacker's requests. Sometimes the attacker forces the victim's resources to respond to requests sent from spoofed addresses. Other attacks rely on the sheer number of attacking nodes: to organise such an attack, attackers use a whole network of bots or malware-infected devices (smartphones, smart home devices, computers, etc.) that serve as the sources of junk traffic. Yet another type of attack attempts to ‘frame’ the victim as the sender of malicious traffic: the attacker organises a mass mailing with the victim's address substituted for his own, so that the victim ends up ‘banned’.
Since there are several types of DDoS attacks, the defences themselves can also be divided into groups according to their effectiveness, request-processing speed, ability to stop an attack of a certain type and other parameters. In this article we will look at the classification and characteristics of the different types of defence systems.
Fig. 2 - location of anti-DDoS services
Most anti-DDoS products are deployed not on the perimeter of the company's network, but on global traffic routes around the world. Some vendors have a network of 12-15 nodes on the main traffic routes, while others have more than 30 traffic-processing points on smaller channels. Special services that process traffic ‘on the fly’ filter out junk requests before they reach the attacked server.
There are also services that are deployed locally (on-premise). Such solutions are more expensive than their cloud-based counterparts, but they outperform them in response speed and in minimising latency. Systems operating at layers L3-L4 of the network model can protect against packet flooding (attacks based on large data flows) such as UDP, ICMP and SYN floods.
There are also hybrid solutions that try to take the best of both approaches: shifting part of the support to in-house expertise while reducing the labour required from the customer, filtering attacks on websites at the application layer (L7), and so on. Application-layer defence is usually the most time-consuming and the most interesting, since such attacks are well disguised as legitimate payload traffic and are difficult to detect.
Since anti-DDoS solutions themselves carry a huge amount of traffic wherever they are deployed, they can also fall victim to an attack. Services are therefore designed so that they can handle a huge number of requests, and their connection to the Internet is wider than that of the protected service. It is precisely because the hardware requirements of such protection systems are so high that cloud and hybrid services are popular.
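The L3-L4 filtering described above can be illustrated with a small SYN-flood detector. This is an added example, not Security Vision's code or any vendor's product logic: it assumes packet headers have already been reduced to (time_ms, src_ip, dst_port, tcp_flags) tuples by a capture tool, and the packet records, IP addresses and thresholds below are constructed for the example. A source is flagged when it sends many SYNs in a short window while almost never completing the handshake, which is the half-open-connection pattern a SYN flood leaves behind.

```python
"""Toy L4 SYN-flood detector over constructed packet summaries (added example)."""
from collections import defaultdict


def _handshake(src, start_ms, port=443):
    """One legitimate connection as seen from the client side (constructed):
    SYN, then the client's ACK completing the handshake, then a data segment."""
    return [(start_ms, src, port, "S"),
            (start_ms + 20, src, port, "A"),
            (start_ms + 40, src, port, "PA")]


# Constructed packet summaries: (time_ms, src_ip, dst_port, tcp_flags)
PACKETS = (
    _handshake("198.51.100.7", 0) + _handshake("198.51.100.7", 900)
    + _handshake("198.51.100.8", 300)
    # flood source: a SYN every 10 ms and never an ACK, leaving half-open connections
    + [(10 * i, "203.0.113.9", 443, "S") for i in range(200)]
)


def syn_stats(packets):
    """Per source: timestamps of bare SYNs and count of ACK-bearing segments."""
    syns, acks = defaultdict(list), defaultdict(int)
    for t, src, _port, flags in packets:
        if flags == "S":            # SYN without ACK: a new connection attempt
            syns[src].append(t)
        elif "A" in flags:          # any ACK-bearing segment from the client
            acks[src] += 1
    return syns, acks


def peak_syn_rate(times, window_ms):
    """Largest number of SYNs that fall inside any window_ms-wide span."""
    ts = sorted(times)
    peak, j = 0, 0
    for i in range(len(ts)):
        while j + 1 < len(ts) and ts[j + 1] - ts[i] <= window_ms:
            j += 1
        peak = max(peak, j - i + 1)
    return peak


def half_open_sources(packets, window_ms=1000, syn_threshold=100, min_completion=0.2):
    """Flag sources that exceed syn_threshold SYNs in any window while completing
    fewer than min_completion of their handshakes. Completion is capped at 1.0
    because data segments also carry the ACK flag."""
    syns, acks = syn_stats(packets)
    flagged = {}
    for src, times in syns.items():
        peak = peak_syn_rate(times, window_ms)
        completion = min(1.0, acks[src] / len(times))
        if peak >= syn_threshold and completion < min_completion:
            flagged[src] = {"peak_syns": peak, "completion": completion}
    return flagged


if __name__ == "__main__":
    for src, stats in half_open_sources(PACKETS).items():
        print(f"{src}: {stats['peak_syns']} SYNs/s, "
              f"{stats['completion']:.0%} handshakes completed")
```

The legitimate clients each send a handful of SYNs and follow every one with an ACK, so they are never flagged even though they share the same port. A real deployment would pair this with SYN cookies or connection-rate limits at the edge rather than acting on the verdict in user space.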
Fig. 3 - levels of protection of web applications from DDoS attacks
Almost all the solutions of the class we are considering today can filter packets at the transport and network layers (as in the example of local services above), but since most attacks exploit weaknesses of the application layer, protection at the L7 level deserves separate mention. Some systems perform load balancing and allocate resources for handling requests; this provides not only protection but also speed optimisation for web applications running on unsuitable hardware. With a small reservation, mail-traffic filters that screen out spam and unnecessary requests to the mail server can also be counted among anti-DDoS systems. Another type of attack is password brute force, which can be dealt with effectively inside the perimeter. For this purpose, detectors and log collectors are used in conjunction with a SIEM (which correlates individual password attempts) and an IRP (which organises processes and automatic response without the need for a 24x7 analyst).
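Two of the L7 mechanisms mentioned above, request-rate filtering and SIEM-style correlation of failed logins, can be shown on the same access log. This is an added example and not Security Vision's code or the logic of any particular SIEM or IRP product: the log lines are constructed in the common combined-log style, and the IP addresses, the `/login` path and the thresholds are assumptions for the example. The point it makes is that the two detections are complementary: the flood source trips the rate limit, while the password-guessing source stays well under it and is caught only by correlating its failed logins.

```python
"""L7 rate limiting and failed-login correlation over constructed access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log style: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def _line(ip, ts, method, path, status):
    """Render one constructed access-log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512'


T0 = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
LOG_LINES = (
    # ordinary visitor: a few pages and one successful login
    [_line("203.0.113.5", T0 + timedelta(seconds=s), "GET", "/", 200) for s in range(3)]
    + [_line("203.0.113.5", T0 + timedelta(seconds=5), "POST", "/login", 200)]
    # flood source: 12 requests per second for 10 seconds (120 in one window)
    + [_line("192.0.2.77", T0 + timedelta(seconds=24 + s), "GET", "/", 200)
       for s in range(10) for _ in range(12)]
    # password guessing: slow enough to stay under the rate limit,
    # but eight failed logins inside a minute
    + [_line("198.51.100.22", T0 + timedelta(seconds=84 + 3 * k), "POST", "/login", 401)
       for k in range(8)]
)


def parse_line(line):
    """Parse one log line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip,
            "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}


RECORDS = [r for r in map(parse_line, LOG_LINES) if r]


def peak_in_window(timestamps, window_s):
    """Largest number of events that fall inside any window_s-second span."""
    ts = sorted(timestamps)
    peak, j = 0, 0
    for i in range(len(ts)):
        while j + 1 < len(ts) and (ts[j + 1] - ts[i]).total_seconds() <= window_s:
            j += 1
        peak = max(peak, j - i + 1)
    return peak


def _over_threshold(per_ip, window_s, threshold):
    peaks = {ip: peak_in_window(t, window_s) for ip, t in per_ip.items()}
    return {ip: p for ip, p in peaks.items() if p >= threshold}


def rate_limit_offenders(records, window_s=10, max_requests=50):
    """Sources whose request rate exceeds max_requests per window_s (L7 flood)."""
    per_ip = defaultdict(list)
    for r in records:
        per_ip[r["ip"]].append(r["ts"])
    return _over_threshold(per_ip, window_s, max_requests)


def brute_force_sources(records, login_path="/login", window_s=60, max_failures=5):
    """SIEM-style correlation: repeated failed logins (401) from one source."""
    per_ip = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == login_path and r["status"] == 401:
            per_ip[r["ip"]].append(r["ts"])
    return _over_threshold(per_ip, window_s, max_failures)


if __name__ == "__main__":
    print("rate limit:", rate_limit_offenders(RECORDS))
    print("brute force:", brute_force_sources(RECORDS))
```

In an IRP the two dictionaries returned here would feed different playbooks: a temporary block or challenge for the flood source, and an account-protection workflow (lockout, notification, MFA step-up) for the guessing source.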
Fig. 4 - Anti-DDoS algorithms
Anti-DDoS services help to secure critical customer resources using behavioural analysis methods in addition to classical traffic filtering. The filtering itself also varies: some solutions analyse only incoming traffic (such solutions use asymmetric algorithms), while others analyse the entire data stream (a symmetric installation that analyses the whole interaction between the application and the user).
Because of these operational differences and the differences in speed, different solutions are chosen for different tasks. Large data centres and communications providers usually choose an on-premise solution with flexible configuration options and the ability to arrange an MSSP licensing model for their customers. Providers also often use solutions with asymmetric analysis (inbound traffic only). To protect critical applications and services, however, customers choose anti-DDoS with full (symmetric) traffic analysis. To optimise the cost of additional hardware, cloud or hybrid systems are chosen.
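The difference between asymmetric and symmetric behavioural analysis is easiest to see on data. The following is an added example, not Security Vision's code or the algorithm of any vendor: it learns a per-source baseline (mean and standard deviation of a few metrics) from constructed normal traffic and flags sources whose metrics deviate by more than three standard deviations. The asymmetric variant reads only the inbound half of each record; the symmetric variant also sees the server's response size and processing time. The flow records, addresses and thresholds are constructed for the example. It shows a volumetric source that both variants catch, and a ‘slow resource’ source that sends a normal number of normal-sized requests but ties up the server for seconds each time, which only the symmetric analysis can see.

```python
"""Behavioural baselining per source, asymmetric vs symmetric (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def _constructed_legit(src_ids, count_base=5):
    """Deterministic 'normal' traffic for a set of source addresses (constructed).
    Records are (src_ip, inbound_bytes, outbound_bytes, server_ms)."""
    records = []
    for i, src in enumerate(src_ids):
        for _ in range(count_base + i % 5):
            records.append((src, 400 + (i % 3) * 50, 3000 + (i % 4) * 500, 30 + (i % 7) * 5))
    return records


# Learning window: only legitimate sources (constructed).
BASELINE_RECORDS = _constructed_legit([f"203.0.113.{i}" for i in range(20)])

# Observation window: two legitimate sources plus two attackers (constructed).
OBSERVED_RECORDS = (
    _constructed_legit(["198.51.100.10", "198.51.100.11"])
    # volumetric source: many small requests, visible from the inbound side alone
    + [("192.0.2.200", 300, 500, 35)] * 300
    # 'slow resource' source: normal count and size of requests, but each one
    # occupies the server for seconds and gets back a tiny error body
    + [("192.0.2.201", 450, 300, 4000)] * 7
)


def per_source_features(records, symmetric):
    """Aggregate per-source metrics. With symmetric=False only the inbound
    fields (source and inbound bytes) of each record are read."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[0]].append(rec)
    feats = {}
    for src, recs in groups.items():
        f = {"requests": len(recs), "inbound_bytes": sum(r[1] for r in recs)}
        if symmetric:
            f["mean_outbound_bytes"] = mean(r[2] for r in recs)
            f["mean_server_ms"] = mean(r[3] for r in recs)
        feats[src] = f
    return feats


def learn_baseline(features):
    """Mean and population standard deviation of every metric across sources."""
    keys = next(iter(features.values())).keys()
    return {k: (mean(f[k] for f in features.values()),
                pstdev(f[k] for f in features.values())) for k in keys}


def z_score(value, mu, sigma):
    """Absolute deviation in standard deviations; a constant metric tolerates no change."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return abs(value - mu) / sigma


def anomalous_sources(records, symmetric, z_limit=3.0, baseline_records=BASELINE_RECORDS):
    """Map each flagged source to the metric that deviates most from the baseline."""
    base = learn_baseline(per_source_features(baseline_records, symmetric))
    flagged = {}
    for src, f in per_source_features(records, symmetric).items():
        scores = {k: z_score(f[k], *base[k]) for k in f}
        if max(scores.values()) > z_limit:
            flagged[src] = max(scores, key=scores.get)
    return flagged


def asymmetric_analysis(records):
    return anomalous_sources(records, symmetric=False)


def symmetric_analysis(records):
    return anomalous_sources(records, symmetric=True)


if __name__ == "__main__":
    print("asymmetric:", asymmetric_analysis(OBSERVED_RECORDS))
    print("symmetric: ", symmetric_analysis(OBSERVED_RECORDS))
```

The baseline here is learnt once from a clean window; a production system would instead keep a rolling baseline and re-learn it continuously, and would need to guard against an attacker slowly ‘training’ the baseline upwards.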