Handling of DDoS attacks at nine.ch

nine Team Mar 14, 2016

Distributed Denial-of-Service (DDoS) attacks attempt to flood a server with as many requests as possible from different systems so that the server is no longer able to perform its actual function (e.g. hosting a website).

There are many strategies for carrying out a DDoS attack, but one of the most common is the ‘reflection’ attack. The attacker forges packets that carry the IP address of the victim as the sender and sends them to a multitude of servers, which usually respond by sending larger packets back to the target of the attack.

This allows the attacker to send out many small packets, which are then increased in size by open DNS resolvers, for example, before they reach their target. This can quickly generate multiple Gbps of traffic, which can overload the network connection of the victim. The services that are most frequently exploited for this purpose include poorly configured DNS and NTP servers.
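From the receiving side, reflected traffic has a recognisable shape: UDP responses from the DNS and NTP service ports, sent by many different servers to a single address. The following added example (not code from nine.ch) flags such destinations in flow records; the record layout, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# UDP source ports of the services the article names as commonly abused reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

def find_reflection_targets(flows, window_s, min_sources=3, min_gbps=1.0):
    """Return {dst_ip: summary} for destinations that look like reflection victims.

    flows: iterable of (src_ip, src_port, dst_ip, proto, bytes) seen in window_s seconds.
    Thresholds are illustrative assumptions, not nine.ch values.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for src_ip, src_port, dst_ip, proto, nbytes in flows:
        # Reflected traffic arrives as UDP responses: the source port is the service port.
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        entry = per_dst[dst_ip]
        entry["sources"].add(src_ip)
        entry["bytes"] += nbytes
        entry["services"].add(REFLECTOR_PORTS[src_port])

    alerts = {}
    for dst_ip, entry in per_dst.items():
        gbps = entry["bytes"] * 8 / window_s / 1e9
        # Many distinct reflectors plus a high aggregate rate towards one address.
        if len(entry["sources"]) >= min_sources and gbps >= min_gbps:
            alerts[dst_ip] = {
                "gbps": round(gbps, 2),
                "reflectors": len(entry["sources"]),
                "services": sorted(entry["services"]),
            }
    return alerts

# Constructed sample flows (documentation address ranges), 10-second window.
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", "udp", 1_500_000_000),
    ("198.51.100.11", 53, "203.0.113.5", "udp", 1_200_000_000),
    ("198.51.100.12", 123, "203.0.113.5", "udp", 900_000_000),
    ("198.51.100.13", 123, "203.0.113.5", "udp", 400_000_000),
    ("192.0.2.7", 53, "203.0.113.9", "udp", 4_000),         # ordinary DNS answer
    ("192.0.2.8", 44321, "203.0.113.5", "tcp", 2_000_000),  # normal web traffic
]

if __name__ == "__main__":
    for ip, info in find_reflection_targets(SAMPLE_FLOWS, window_s=10).items():
        print(ip, info)
```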

Many large-scale DDoS attacks follow smaller attacks, which are usually accompanied by a blackmail threat sent by e-mail. The extortionists generally demand that a certain amount be paid in Bitcoins to prevent the “real” attack from taking place. It is often announced that the bigger attack will take place a few hours after the first attack. We strongly recommend that you do not comply with the demands of these extortionists.

Emergency procedures taken by nine.ch in the event of an attack

To prevent other nine.ch customers from being affected by a large-scale attack (multiple Gbps), the IP address under attack will be “null-routed” as quickly as possible. In other words, all packets sent to this IP address will be rejected by our routers and those of our peering providers. Unfortunately, this means that the website with the affected IP address will be inaccessible. However, no other services will be dragged down with it.

Preventing downtime

Unfortunately, there are very few ways to keep an affected website online during a DDoS attack that consumes multiple Gbps of traffic. It is often recommended that you simply filter out the malicious traffic. However, if the filtering takes place on a server with a 1 Gbps connection and the attack is of a greater magnitude, the connection to the server will be saturated before the filter can act, making the filter useless.

To defend against this kind of attack, it is therefore necessary to configure a filter that is upstream from the server and can filter several hundred Gbps and route only legitimate traffic to the server.

This is where providers like CloudFlare come into play. CloudFlare operates an infrastructure distributed across 71 computing centres around the world for a traffic processing capacity of approximately 400 Gbps.

When accessing a site with CloudFlare protection, the data packet containing the request searches for the fastest route to a CloudFlare server, where the packet is then inspected to determine whether the request is legitimate. Next, the request is forwarded to the actual web server. The response sent to the web browser then takes the same route in the reverse direction (via CloudFlare). Firstly, this blocks attacks on the server. Secondly, the attacker cannot find out the actual server responsible for hosting the website, making it impossible to attack the server simply by taking a different route.

DDoS protection at nine.ch

The Managed DDoS Protection product from nine.ch is a solution designed to protect websites against these attacks, whereby nine.ch uses the CloudFlare method described above to route traffic.

To ensure that access to websites is not slowed down by CloudFlare, we also use the company’s Railgun™ product. Railgun™ is a proprietary innovation from CloudFlare and basically creates a situation whereby only the actual changes on a dynamic page have to be transferred between the server hosted by nine.ch and the CloudFlare infrastructure.

We have installed the Railgun™ service separately on two different servers. It temporarily saves each new state of a website and compares it with the latest version of the dynamic page each time a new request is received. This way, only the differences between the old and new version of the webpage are sent to CloudFlare, where the changes are then added to the cached site and can be sent onward to the requesting browser. This makes it possible to cache greater volumes with CloudFlare, resulting in faster loading times of the individual pages.

The changeover

No major changes are required to use CloudFlare to “conceal” a website hosted by nine.ch. The relevant domain is first stored by CloudFlare, and then the basic configuration steps are performed. Once this is completed, the owner of the customer domain must change the name server entries saved with the registrar over to CloudFlare’s DNS servers. All requests will then be routed via the CloudFlare servers. No further action is required by the customer. The only step left is to make sure everything is working normally. nine.ch will make any other minor changes such as activating Railgun™ and correctly configuring the SSL certificate.


Unfortunately, increased security is always accompanied by certain limitations. Perhaps the greatest limitation of CloudFlare is that the DNS entries belonging to the protected domain can no longer be managed by you. The reason for this is that the DNS entries have to be configured with CloudFlare’s name servers, meaning that after the changeover, all DNS changes must be completed by the staff at nine.ch.

In addition, CloudFlare only forwards HTTP requests. In other words, SSH or SFTP access via the protected domain will no longer be possible and must instead occur directly via the server name.

We also recommend that you do not send e-mails directly with PHP, for example. An SMTP server should instead be used to send e-mails in order to conceal the IP address of the actual server.
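Whether outgoing mail still exposes the server can be checked from the headers of a message as the recipient sees it. The following added example (not code from nine.ch) reports every header that contains the address of the protected server; the function name, the sample messages and all addresses are constructed for illustration.

```python
import email
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def headers_leaking_origin(raw_message, origin_ips):
    """Return [(header_name, ip)] for every header that contains an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    msg = email.message_from_string(raw_message)
    leaks = []
    for name, value in msg.items():
        for candidate in IPV4_RE.findall(str(value)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # looked like an address but is not a valid one
            if addr in origins:
                leaks.append((name, candidate))
    return leaks

# Constructed sample: mail delivered to the recipient's MX straight from the web server.
DIRECT_MSG = "\n".join([
    "Received: from web01.example.net (web01.example.net [203.0.113.5])",
    "\tby mx.recipient.example with ESMTP; Mon, 14 Mar 2016 10:00:00 +0100",
    "From: shop@example.net",
    "Subject: Order confirmation",
    "",
    "Thank you for your order.",
])

# Constructed sample: the same mail sent through a separate SMTP server
# that does not record the submitting host.
RELAYED_MSG = "\n".join([
    "Received: from relay.example.net (relay.example.net [198.51.100.25])",
    "\tby mx.recipient.example with ESMTP; Mon, 14 Mar 2016 10:00:00 +0100",
    "From: shop@example.net",
    "Subject: Order confirmation",
    "",
    "Thank you for your order.",
])

ORIGIN_IPS = ["203.0.113.5"]  # assumed address of the protected web server

if __name__ == "__main__":
    print("direct: ", headers_leaking_origin(DIRECT_MSG, ORIGIN_IPS))
    print("relayed:", headers_leaking_origin(RELAYED_MSG, ORIGIN_IPS))
```

An SMTP server that adds its own Received line naming the web server as the submitting host would be flagged in the same way, so the check is worth running against a real message after the changeover.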

Martin Wittwer works as a Linux System Engineer at nine.ch. He is part of the “systems” team, which is responsible for the continuous development of our infrastructure and Managed Services, and he contributed significantly to the successful development of the product “Managed DDoS Protection”.