I understand that there are network and IP-level mitigations for DDoS attacks, but I'm not clear on how they work in practice.

My hope is that this question and answer will help to frame how the core transit routers handle these attacks, and also how a single client host (be it a proxy or end-device) can handle it, without basically removing it from the Internet.

P.S. I've edited this question to address the "too broad" flag. If this is still "too broad", I'll take it down if this doesn't fit SE's goals. Cheers.

Jesse Adelman
  • Do you know how the Internet works? BGP, AS, communities, all that stuff. Because this is prerequisite to understand the correct answer :) – Nikita Kipriyanov Oct 15 '19 at 18:11
  • @NikitaKipriyanov Howdy. I have a basic understanding of BGP, Autonomous Systems, but not "communities". My hope is to read an answer that is geared for those with a basic understanding of how the Internet is organized, but not how the implementation details actually deal with DDoSes. Can I learn more, and have I forgotten some things? Yes, probably. :) But, this question hopefully will be useful for more than just myself. I did search for the question, and didn't see an answer. – Jesse Adelman Oct 15 '19 at 18:16
  • https://www.noction.com/blog/bgp-blackhole-community – Jacob Evans Oct 15 '19 at 18:25
  • https://essay.utwente.nl/73795/1/Kuipers_MA_EWI.pdf – Jacob Evans Oct 15 '19 at 18:25
  • @JacobEvans The second PDF link gets me a "BACKENDS UNAVAILABLE No backend servers could be contacted. Additional information: Your IP Address: <...>" Did you just make me DDoS utwente.nl? haha – Jesse Adelman Oct 15 '19 at 18:53
  • "While the approach allows to keep a network up during an attack, this is more of a mitigation technique, rather than protection. Although the use of the technique allows the wider network to stay up, ultimately the target machine is still going down." (from https://www.noction.com/blog/bgp-blackhole-community). So, there is not a true way to protect the target, DDoS prevention and remediation is mostly about protecting the networks between the offender and the offended, it seems. – Jesse Adelman Oct 15 '19 at 18:56
  • More bandwidth than the attacker, and filters to drop the badness. Larger attacks exceed what a single link/node/datacenter can handle, so a distributed solution is likely necessary. – John Mahowald Oct 16 '19 at 15:09
  • @JohnMahowald Yes, thank you. I'm hoping an authoritative answer on what things like the "distributed solution" actually are will emerge. My gut is telling me that there actually may not really be a solution - if a governmental actor in an authoritarian country with huge resources wants to take you off the net, from any country that is on the net, you're just out of luck. (I imagine Wikipedia, for example, must deal with this often?) Cheers! – Jesse Adelman Nov 01 '19 at 18:57
  • As I said, more bandwidth and smarter filters than your attacker. Many DDoS case studies have been written, review some. Specific discussion depends on the threats to your organization, and infrastructure of the services you want to protect. Neither of which you provided. – John Mahowald Nov 02 '19 at 04:03

1 Answer

Short answer is CDN. Take a look at CloudFlare as an example.

https://support.cloudflare.com/hc/en-us/articles/205177068-How-does-Cloudflare-work-

https://www.sitepoint.com/what-is-a-cdn-and-how-does-it-work

https://www.imperva.com/learn/performance/what-is-cdn-how-it-works

In a nutshell: a CDN both absorbs the load across multiple remote hosts and provides a scalable way to handle filtering. These two things prevent your single server's CPU from needing to process the DDoS organizer's TCP packets AND (more important!) prevent your server's Internet uplink from being exhausted.

RiGiD5
  • Sadly, this isn't really an answer, more a link to contact Cloudflare sales, with diagrams. :) It's about what they do, not how they do it. – Jesse Adelman Oct 15 '19 at 18:57
  • I've added more links and a sort of TL;DR thing. Hope this helped :) – RiGiD5 Oct 16 '19 at 04:25
  • Isn't CDN really only for static assets, though? (Of course, that's good to have!) Is that really "it" to DDoS from a networking perspective? How do *the CDNs themselves* prevent DDoSes on their own networks? In asking this question, I was hoping to foster an answer that pulls back the curtain a bit on how things actually work, not what products are available to buy for those of us making applications and small networks. Thank you for contributing! We're getting there! :D – Jesse Adelman Nov 01 '19 at 18:50
  • Fancy firewall rules, lots of cheap bandwidth and compute, routing tricks, deep IP protocol knowledge. Similar to scaling up (or rather, scaling out) any other service, but with a stupid high packets per second volume. – John Mahowald Nov 02 '19 at 04:21