Over the past three weeks — here, here, and here — I have described some enormous DDoS attacks that can be launched anonymously, cutting you off from the Internet by overwhelming your connection to your ISP.
What defenses are available? Learning Tree’s Cloud Security Essentials course describes some cloud-based solutions that can mitigate DDoS problems for non-cloud operations.
Your ISP can’t simply filter out the bad packets with an ACL or filter rule. Routers are optimized to route, and high-performance designs do that work in silicon: the forwarding path needs only the destination address, which sits at a fixed offset determined by the version. The first 4 bits of an IP header specify the version, and the version specifies where the destination address always appears. If the version is 0100 (IPv4), the destination address is in bits 128-159; if it’s 0110 (IPv6), the destination address is in bits 192-319.
ACLs or filters can be based on other IP header fields, including the protocol encapsulated within IP, and on fields of those encapsulated protocol headers, such as TCP or UDP port numbers and flags. But it really slows down a router if it has to process every packet against the ACL. Routers interconnecting high-throughput networks would have to drop significant percentages of packets, and ISPs simply aren’t going to do that.
ISPs can apply two route filtering techniques, blackhole routing and sinkhole routing.
Blackhole routing directs traffic to a null interface, a “black hole” it can’t escape and where it is dropped.
Sinkhole routing forwards suspicious traffic to a valid IP address where it can be analyzed. If legitimate, it is forwarded to the next hop; if not, it is dropped.
Blackhole routing is more effective at dropping DDoS traffic, but at the expense of rejecting the good along with the bad. Sinkhole routing is more selective and less of a self-imposed limitation, but it takes more resources and cannot withstand as large an attack.
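To make the contrast concrete, here is an added example (not code from the original post or from any router vendor) that models the two ideas above in Python. It locates the destination address using only the version nibble, exactly as the fixed offsets in the header discussion describe, then applies a longest-prefix route table whose entries are blackhole, sinkhole or forward. The sinkhole’s “analysis” is a placeholder (a set of source addresses already judged to be flooding); real scrubbing is far more involved. All addresses, the route tables and the packets are constructed for the demo, using documentation ranges, and the IPv6 helper assumes no extension headers.

```python
"""Added example: fixed-offset destination lookup plus blackhole/sinkhole routing.
All packets, addresses and route tables below are constructed for illustration."""
import ipaddress
import struct
from collections import Counter

BLACKHOLE, SINKHOLE, FORWARD = "blackhole", "sinkhole", "forward"


def destination_address(packet: bytes):
    """Return the destination address using nothing but the version nibble.
    IPv4: bits 128-159 (bytes 16..19). IPv6: bits 192-319 (bytes 24..39)."""
    version = packet[0] >> 4
    if version == 4:
        return ipaddress.IPv4Address(packet[16:20])
    if version == 6:
        return ipaddress.IPv6Address(packet[24:40])
    raise ValueError(f"unsupported IP version {version}")


def udp_dst_port(packet: bytes):
    """What an ACL on UDP ports must do: find the transport header first.
    IPv4 needs the IHL field; IPv6 assumed to carry no extension headers."""
    version = packet[0] >> 4
    if version == 4:
        proto, l4 = packet[9], (packet[0] & 0x0F) * 4
    else:
        proto, l4 = packet[6], 40
    if proto != 17 or len(packet) < l4 + 8:   # 17 = UDP
        return None
    return struct.unpack("!HH", packet[l4:l4 + 4])[1]


def udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal UDP header (checksum left zero) for constructed packets."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header, no options, header checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def ipv6_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv6 header; next header = 17 (UDP), hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 17, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def route_action(dst, table) -> str:
    """Longest-prefix match over (network, action) entries; default is forward."""
    best = None
    for net, action in table:
        if dst.version == net.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else FORWARD


def sinkhole_scrub(packet: bytes, flood_sources) -> bool:
    """Placeholder for sinkhole analysis: keep the packet unless its source
    is one the sinkhole has already classified as a flood source (assumption)."""
    version = packet[0] >> 4
    src = ipaddress.IPv4Address(packet[12:16]) if version == 4 else ipaddress.IPv6Address(packet[8:24])
    return src not in flood_sources


def simulate(packets, table, flood_sources) -> Counter:
    """Run every packet through the route lookup and tally what happens to it."""
    outcomes = Counter()
    for pkt in packets:
        action = route_action(destination_address(pkt), table)
        if action == BLACKHOLE:
            outcomes["dropped:blackhole"] += 1          # good and bad alike
        elif action == SINKHOLE:
            key = "forwarded:after-sinkhole" if sinkhole_scrub(pkt, flood_sources) else "dropped:sinkhole"
            outcomes[key] += 1
        else:
            outcomes["forwarded"] += 1
    return outcomes


# Constructed scenario: a web server and an external DNS server share a /24.
WEB, DNS = "203.0.113.80", "203.0.113.53"
FLOOD_SOURCES = {ipaddress.ip_address(f"198.51.100.{i}") for i in range(1, 6)}
BLACKHOLE_TABLE = [(ipaddress.ip_network(WEB + "/32"), BLACKHOLE), (ipaddress.ip_network(DNS + "/32"), BLACKHOLE)]
SINKHOLE_TABLE = [(ipaddress.ip_network(WEB + "/32"), SINKHOLE), (ipaddress.ip_network(DNS + "/32"), SINKHOLE)]


def sample_traffic():
    """Five flood packets at each target, one legitimate DNS query, one unrelated IPv6 packet."""
    pkts = [ipv4_packet(str(s), WEB, udp(40000, 80)) for s in sorted(FLOOD_SOURCES)]
    pkts += [ipv4_packet(str(s), DNS, udp(40000, 53)) for s in sorted(FLOOD_SOURCES)]
    pkts.append(ipv4_packet("192.0.2.10", DNS, udp(53001, 53, b"legit query")))
    pkts.append(ipv6_packet("2001:db8::10", "2001:db8:1::53", udp(53002, 53)))
    return pkts


if __name__ == "__main__":
    print("blackhole:", dict(simulate(sample_traffic(), BLACKHOLE_TABLE, FLOOD_SOURCES)))
    print("sinkhole: ", dict(simulate(sample_traffic(), SINKHOLE_TABLE, FLOOD_SOURCES)))
```

Running it shows the trade-off in numbers: with the blackhole table the single legitimate DNS query is dropped along with the ten flood packets, while the sinkhole table drops the same ten and still delivers the query. `udp_dst_port` is there to show how much more parsing a port-based ACL needs (IHL, protocol field, transport header) compared with the fixed-offset destination lookup that blackhole and sinkhole routes rely on.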
Here’s a case where cloud technology can come to the rescue of your entirely in-house operation. Arbor, Cloudflare, SAVVIS, and others provide cloud-based DDoS mitigation.
Some of these sinkhole your traffic through their system, “scrub” it to drop what appears to be DDoS, and forward the remainder to you. Others host your external DNS with short time-to-live records, which gives you the agility to rapidly change how your hostnames resolve, so that attack traffic can be sinkholed or at least blackholed.
There are still limits on what can be accomplished. One group I work with has a 1 Gbps connection to their ISP. A 3 Gbps flood was directed at them for a few days, overwhelming that link. They’re now comparison shopping between the “scrubbing” cloud DDoS services.
Another group has three 1 Gbps links, one to each of three major ISPs. All of those were saturated simultaneously in an attack. Two of the ISPs did nothing. The third blackholed the eight target IP addresses, reducing the traffic across that link to only about 30% utilization. The problem was that two of those blackholed addresses were their external DNS servers. So while they could connect out to the Internet, no remote clients could figure out how to reach them. I believe they’re looking at a cloud DNS-based solution.