First published on the WeChat official account: Code Farm Architecture

1. Principles of DDoS attacks

A Distributed Denial of Service (DDoS) attack is one in which an attacker, through remotely controlled malware, directs a large number of compromised hosts (a botnet that may span a country or the whole world) to send a flood of requests at one or more targets, exhausting the target server's resources or its network bandwidth so that it can no longer respond to legitimate requests.

Common attack types include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, and reflection/amplification attacks that bounce traffic off open DNS, NTP, SSDP and memcached servers.
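These attack types leave different fingerprints on the wire: TCP floods are distinguished by the flag set, ICMP floods by protocol, and reflection attacks by UDP traffic whose source port is that of the abused amplifier service. The following added example (written for this page, not code from the original article) classifies a constructed one-second packet sample by those fingerprints and reports the classes whose packet rate exceeds an assumed 1000 pps threshold, together with the number of distinct sources, which is what tells a distributed flood apart from a handful of reflectors:

```python
"""Classify volumetric DDoS traffic by type from a packet/flow sample.
Added example, not code from the original article. The sample packets below are
constructed, and the 1000 pps threshold is an assumed value, not a recommendation."""
from collections import Counter
from dataclasses import dataclass

# UDP source ports that mark reflected traffic from the amplifier services named above
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Pkt:
    proto: str          # "TCP", "UDP" or "ICMP"
    src: str            # source IP as seen on the wire (spoofed in SYN floods)
    sport: int
    dport: int
    flags: str = ""     # TCP flags, e.g. "S", "A", "PA"
    size: int = 60      # bytes on the wire


def classify(pkt):
    """Map one packet to the attack class it would belong to, or 'other'."""
    if pkt.proto == "ICMP":
        return "ICMP Flood"
    if pkt.proto == "UDP":
        if pkt.sport in REFLECTION_PORTS:
            return REFLECTION_PORTS[pkt.sport] + " reflection"
        return "UDP Flood"
    if pkt.proto == "TCP":
        if pkt.flags == "S":
            return "SYN Flood"
        if pkt.flags == "A":
            return "ACK Flood"
    return "other"


def summarize(pkts, window_s, pps_threshold=1000):
    """Aggregate a capture window per class and report classes above the pps threshold.
    Each entry gives packets/s, Gbit/s and the number of distinct source IPs
    (many sources = distributed flood; few sources on reflection ports = amplifiers)."""
    count, nbytes, srcs = Counter(), Counter(), {}
    for p in pkts:
        c = classify(p)
        count[c] += 1
        nbytes[c] += p.size
        srcs.setdefault(c, set()).add(p.src)
    report = {}
    for c, n in count.items():
        pps = n / window_s
        if pps >= pps_threshold:
            report[c] = {"pps": pps,
                         "gbps": nbytes[c] * 8 / window_s / 1e9,
                         "sources": len(srcs[c])}
    return report


# Constructed one-second sample: a SYN flood from 200 spoofed sources, 468-byte
# replies with NTP source port 123 from 50 reflectors, and a little legitimate HTTPS.
SAMPLE = (
    [Pkt("TCP", "198.51.100.%d" % (i % 200), 40000 + i % 20000, 443, "S") for i in range(5000)]
    + [Pkt("UDP", "203.0.113.%d" % (i % 50), 123, 33000 + i % 1000, size=468) for i in range(3000)]
    + [Pkt("TCP", "192.0.2.10", 51000 + i, 443, "PA", 1200) for i in range(20)]
)

if __name__ == "__main__":
    for cls, stats in summarize(SAMPLE, window_s=1.0).items():
        print(cls, stats)
```

On a real capture the threshold must be set relative to the service's normal baseline, and the legitimate traffic in the sample (20 pps of "other") falls below it and is left out of the report; the SYN flood and the NTP reflection are reported with their rates and source counts.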

DDoS attacks may cause the following damage to your services:

  • When a DDoS attack saturates an enterprise's service bandwidth, users can no longer reach the service, which can cause large financial losses.

  • In industries with cutthroat competition, competitors may use DDoS attacks against your services so that your business loses out.

2. DDoS attack case analysis

Background: the test service of enterprise A suffered multiple DDoS attacks within a month, with attack traffic growing from less than 10 Gbps at first to more than 300 Gbps.

Service domain name: test.com

IP addresses the domain resolves to: primary CLB 1.1.1.1 (public network bandwidth 1 Gbps), backup CLB 1.1.1.2

The first DDoS attack was a probing attack of 8 Gbps. Assume its target is 1.1.1.1; the service architecture diagram is as follows:

Because 8 Gbps is below the 10 Gbps of basic DDoS protection included free with the CLB, this attack had no effect on the test service and did not draw enterprise A's attention.

The second DDoS attack grew to 40 Gbps, which exceeds the 10 Gbps basic protection threshold (and is far beyond the CLB's 1 Gbps public bandwidth). The primary IP 1.1.1.1 was therefore blocked (null-routed) by the upstream, and test.com became unreachable.

Although the primary CLB could no longer serve traffic during the attack, DNSPod could quickly switch the domain to the backup VIP (2.2.2.2), restoring access for about 90% of users within 10 minutes (provided a backup VIP was available to switch to).

For this scenario there are two options:

  • Add the important VIPs to a high-defense package; subsequent attack traffic is then scrubbed by the package's protection capacity.

  • Bind the important service VIPs to a high-defense IP; subsequent attack traffic is scrubbed at the high-defense IP, and only clean traffic is forwarded back to the real service VIPs.

In the end, company A chose a high-defense IP with a maximum protection capacity of 300 Gbps to defend against DDoS attacks.

The third wave of DDoS attacks grew to 160 Gbps. Since the high-defense IP can absorb up to 300 Gbps, this attack had no effect on the service.

Although this defense held, the extreme case still has to be considered: if attack traffic exceeds 300 Gbps, service access may be affected. To protect against more than 300 Gbps, it is advisable to also purchase a three-ISP high-defense IP, which can absorb up to 1 Tbps of attack traffic.

The fourth wave of DDoS attacks exceeded 300 Gbps, and the high-defense IP (3.3.3.3) was blocked. However, the fallback automatically switched the domain's CNAME to the three-ISP IP addresses (public IPs on China Telecom, China Unicom and China Mobile), and service access was restored.

When the high-defense IP is blocked, resolution is immediately switched to the three-ISP IP via the CNAME. The switchover itself completes in seconds, so even if the high-defense IP is blocked, recovery is on the order of seconds for clients that are not still holding a cached answer; the TTL on the CNAME record therefore sets the upper bound on how long stragglers keep connecting to the blocked IP.
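The following added example (written for this page, not code from the original article) models that failover chain with a small authoritative zone and a TTL-honouring resolver, so the gap between "the CNAME switched in seconds" and "every client is back" can be seen directly. The names hd.example and tri.example and the three-ISP address 4.4.4.4 are assumptions; 3.3.3.3 is the article's high-defense IP.

```python
"""Model the CNAME-based failover from the case study and the effect of DNS TTL.
Added example, not code from the original article. hd.example, tri.example and the
three-ISP address 4.4.4.4 are assumptions; 3.3.3.3 is the article's high-defense IP."""
from dataclasses import dataclass


@dataclass
class Record:
    rtype: str   # "A" or "CNAME"
    value: str   # IP address for A, target name for CNAME
    ttl: int     # seconds


class Zone:
    """Authoritative records for the domain, plus the IPs the upstream has null-routed."""
    def __init__(self):
        self.records = {}
        self.blackholed = set()

    def resolve(self, name):
        """Follow the CNAME chain to an A record; the effective TTL is the chain's minimum."""
        ttl = None
        while True:
            rec = self.records[name]
            ttl = rec.ttl if ttl is None else min(ttl, rec.ttl)
            if rec.rtype == "A":
                return rec.value, ttl
            name = rec.value


class CachingResolver:
    """A TTL-honouring recursive resolver (or client stub) between users and the zone."""
    def __init__(self, zone):
        self.zone = zone
        self.cache = {}

    def lookup(self, name, now):
        if name in self.cache and now < self.cache[name][1]:
            return self.cache[name][0], "cache"
        ip, ttl = self.zone.resolve(name)
        self.cache[name] = (ip, now + ttl)
        return ip, "authoritative"


def build_zone(ttl):
    z = Zone()
    z.records["test.com"] = Record("CNAME", "hd.example", ttl)   # service points at the high-defense IP
    z.records["hd.example"] = Record("A", "3.3.3.3", ttl)        # high-defense IP, 300 Gbps
    z.records["tri.example"] = Record("A", "4.4.4.4", ttl)       # assumed three-ISP IP, 1 Tbps
    return z


def blackhole_and_failover(zone, name, fallback):
    """The upstream null-routes the attacked IP; the fallback repoints the CNAME in seconds."""
    ip, _ = zone.resolve(name)
    zone.blackholed.add(ip)
    zone.records[name].value = fallback


def reachable(zone, ip):
    return ip not in zone.blackholed


def worst_case_recovery(ttl, switch_delay):
    """Seconds until the last TTL-honouring client stops sending to the blocked IP."""
    return switch_delay + ttl


if __name__ == "__main__":
    for ttl in (60, 600):
        zone = build_zone(ttl)
        client = CachingResolver(zone)
        print("t=0   ", client.lookup("test.com", 0))              # 3.3.3.3 from the authority
        blackhole_and_failover(zone, "test.com", "tri.example")     # attack > 300 Gbps, CNAME repointed
        print("t=30  ", client.lookup("test.com", 30), "reachable:", reachable(zone, "3.3.3.3"))
        print("t=%-4d" % ttl, client.lookup("test.com", ttl))      # cache expired, 4.4.4.4
        print("worst-case recovery with TTL %d: %ds" % (ttl, worst_case_recovery(ttl, 5)))
```

The authoritative answer changes as soon as the CNAME is repointed, but a client that resolved the name just before the attack keeps sending to the blocked 3.3.3.3 until its cached answer expires. The "seconds" recovery the article describes therefore holds only if the failover CNAME carries a TTL of tens of seconds; with a 600-second TTL the worst case is over ten minutes, and resolvers that ignore TTLs will lag even longer.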

The case shows that, as the attacks escalated from the initial probe, the impact on the service shrank from minutes to seconds. As long as protection is in place, the period of service degradation can be shortened or avoided entirely.

Protection capacity, however, comes at a price, and many enterprises choose the protection scheme that best fits their cost constraints.