Application-layer DDoS attacks surge: online healthcare and education become the focus, proxy attacks become the norm

Author | Alibaba Cloud Security Operations Center (contributed article)

Editor | Tang

Cover image | CSDN, downloaded from Eastern IC

Published by | CSDN (ID: CSDNnews)

Application-layer DDoS attacks differ substantially from conventional DDoS attacks. A traditional (volumetric) DDoS attack makes the target service unavailable, or crashes the system, by flooding it with a huge volume of concurrent traffic. This kind of attack is relatively easy to recognise, and mature countermeasures are already available on the market.

Application-layer DDoS attacks, which have been on the rise in recent years, disguise attack traffic as normal traffic, or even as normal business requests, in order to bypass protective devices. The result is that the enterprise's servers become unavailable or the service becomes sluggish, which causes great difficulty for defenders.

The Alibaba Cloud Security Operations Center carried out an in-depth analysis of application-layer DDoS attacks during the epidemic, in the hope of providing enterprises with a reference for improving their defenses.

Attack volume remained high throughout the epidemic

From January to March 2020, the period spanning the Spring Festival and the outbreak, the volume of application-layer DDoS attacks remained consistently high. In particular, from mid-January to mid-February, when the epidemic was at its most severe, the number of attacks rose sharply compared with the period before the Spring Festival. As Figure 1 shows, attackers "stepped in" during the fight against the epidemic and tried to profit from it.

Gaming, online healthcare and online education become new focus targets

Our statistical analysis found that during the hardest-hit period, 16 January to 15 March 2020, the three sectors with the highest quarter-on-quarter growth in application-layer DDoS attacks were online healthcare, online education and online office, and gaming, as shown in Figure 2.

Online healthcare, online education and online office received unprecedented attention, and a large amount of resources flowed into these industries. Because attackers are driven by profit, these industries became the main targets. It is also easy to see that, with people confined to their homes and recreational options limited, the gaming industry boomed, and the number of attacks on it grew by more than 300%.

The main attack sources have become proxies, infected zombie hosts and cloud platform servers

Clustering the hundreds of application-layer DDoS attacks and hundreds of millions of attack requests observed during the epidemic shows that attack sources fall into three main categories: proxies, infected zombie hosts ("broilers"), and servers on the major cloud platforms. A single attack usually uses a single type of source, as shown in Figure 3.

Figure 3 shows that a single attack typically relies on one type of attack source; attacks that combine different source types are rare. For example, an attack that uses proxies as its source almost never also uses infected zombie hosts or cloud platform servers.

Different source types have different characteristics, and enterprises need corresponding defensive measures

By number of attacks launched, proxy attacks account for 78.6%, attacks from infected zombie hosts for 20.65%, and attacks from major cloud platform servers for 0.68%, as shown in Figure 4.

By number of attack source IPs, proxies account for 12.40%, infected zombie hosts for 87.42%, and major cloud platform servers for 0.18%, as shown in Figure 5.

Taking Figures 4 and 5 together, we can see the following:

  • Proxy attacks have become the norm, and enterprises need to pay sufficient attention

Proxies account for the largest share of attacks, yet only 12.40% of attack source IPs. For an attacker this type of source is the most cost-effective: proxy IPs are readily available and cheap, and they perform well during an attack, so they have become the main attack force.

For enterprises, we recommend that, after allowing the proxies the business actually relies on, websites that do not need to be accessed through proxies block proxy access altogether. In defense this can achieve a large effect with a small effort.

  • Attacks from infected zombie hosts are widely dispersed; enterprises should adjust their defense strategy dynamically

Attacks launched from infected zombie hosts account for 20.65% of attacks but for the largest share of attack source IPs, 87.42%. Their sources are widely dispersed, and the corresponding IPs are usually broadband egress IPs or mobile base station egress IPs. From the attacker's point of view, such sources are unstable in availability and individually weak in attack performance.

For attacks launched this way, we do not recommend that enterprises defend at IP granularity. The IPs of infected zombie hosts are often broadband or base station egress IPs with many normal users behind them; blocking an IP with a history of attacks may cost hundreds or thousands of potential users their normal access.

Furthermore, the IPs of infected zombie hosts change rapidly: devices change location, and operators' dynamic IP allocation mechanisms change their addresses, so IP blocks are easily circumvented.

To protect against such attacks, requests that the normal business cannot produce should be blocked in advance, based on the characteristics of legitimate requests; for example, a service whose traffic comes purely from an App can block requests that originate from PCs. During an attack, the strategy should then be adjusted dynamically based on the differences between attack requests and normal business requests.

  • Attacks launched from cloud platforms have decreased significantly

Attacks launched from servers on the major cloud platforms account for the smallest share, only 0.68% of attacks and only 0.18% of attack source IPs. This is thanks to the strict controls the major cloud platforms have placed on DDoS attacks, which also make this type of attack source expensive for attackers.

We therefore recommend that if the attack source IPs are found to come from a few C-class (/24) segments, and those segments rarely send normal requests, you consider blocking them to avoid potentially malicious requests.
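To make the three source-specific recommendations above concrete, here is an added example in Python; it is not Alibaba Cloud's code and is not part of the original article. It applies the pre-event rules to constructed log records of a hypothetical app-only service: requests that carry proxy headers, or come from a constructed known-proxy list, are rejected because this business never needs proxy access; requests whose User-Agent the App cannot produce are rejected; and attacking IPs are grouped by /24 so that segments contributing many attack sources but having almost no history of legitimate requests can be considered for blocking. The service name, UA pattern, header list, thresholds and all addresses are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed access records (not real traffic): each is a parsed log line with
# the source IP, the User-Agent and the request headers as the CLIENT sent them,
# i.e. captured before any load balancer of our own adds its own X-Forwarded-For.
REQUESTS = [
    {"ip": "203.0.113.10", "ua": "MedApp/2.1 (Android 10)", "headers": {}},
    {"ip": "203.0.113.11", "ua": "MedApp/2.1 (iOS 13.3)", "headers": {"Via": "1.1 squid"}},
    {"ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/80.0", "headers": {}},
    {"ip": "198.51.100.8", "ua": "MedApp/2.1 (Android 9)", "headers": {"X-Forwarded-For": "10.0.0.5"}},
    {"ip": "192.0.2.200", "ua": "MedApp/2.1 (Android 10)", "headers": {}},
]

# Hypothetical policy for an App-only service: only the mobile App's UA pattern
# is legitimate, and the business never needs to be reached through a proxy.
APP_UA = re.compile(r"^MedApp/\d+\.\d+ ")
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded", "proxy-connection"}
KNOWN_PROXIES = {"192.0.2.200"}  # constructed stand-in for an open-proxy feed


def classify(req):
    """Pre-event static rules: reject requests the real business cannot produce."""
    hdrs = {k.lower() for k in req["headers"]}
    if req["ip"] in KNOWN_PROXIES or hdrs & PROXY_HEADERS:
        return "drop:proxy"
    if not APP_UA.match(req["ua"]):
        return "drop:impossible-client"
    return "allow"


def apply_rules(requests):
    """Decision counts for a batch of records, useful for dry-running a policy."""
    return Counter(classify(r) for r in requests)


# Constructed list of attacking IPs seen in one attack, and a constructed table
# of how many legitimate requests each /24 sent during the previous month.
ATTACK_IPS = [f"203.0.113.{i}" for i in range(1, 9)] + \
             [f"198.51.100.{i}" for i in range(1, 9)] + ["192.0.2.5"]
LEGIT_HISTORY = {"198.51.100.0/24": 5000}


def suspicious_segments(attack_ips, history, min_sources=5, max_history=10):
    """Cloud-platform case: group attacking IPs by /24 and return the segments
    that contribute at least `min_sources` attack IPs while having sent no more
    than `max_history` legitimate requests historically."""
    by_segment = defaultdict(set)
    for ip in attack_ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_segment[str(net)].add(ip)
    return sorted(
        seg for seg, ips in by_segment.items()
        if len(ips) >= min_sources and history.get(seg, 0) <= max_history
    )


if __name__ == "__main__":
    for r in REQUESTS:
        print(r["ip"], classify(r))
    print(apply_rules(REQUESTS))
    print("segments to consider blocking:", suspicious_segments(ATTACK_IPS, LEGIT_HISTORY))
```

Two caveats that follow from the article's own reasoning: the proxy-header check only means something when evaluated on the headers the client sent, not after your own load balancer has rewritten them, and blocking all proxy access also cuts off users behind corporate egress proxies, which is why the rule is conditional on the business not needing proxies. The /24 check deliberately requires both many attack sources and an empty legitimate history, so that a broadband egress segment full of normal users (the zombie-host case) is not swept up.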

Security advice

Based on the above analysis, we suggest the following for defending against application-layer DDoS attacks:

  • Blacklisting IPs with a history of attacks is risky; add them with caution

Blacklisting IPs that have previously appeared as attack sources is a common hardening measure after an attack. When the attack came from proxies or major cloud platform servers, this does provide some immunity against subsequent attacks. But when facing an attack launched by infected zombie hosts, blacklisting historically attacking IPs means "killing ten thousand enemies at a cost of three thousand of your own". Before blacklisting historical attack source IPs, you must therefore first determine the type of attack source in order to avoid this risk.

  • Rate limiting high-frequency IPs alone has limited defensive effect

Blocking IPs that send requests at high frequency is the most conventional defense during an attack, and when the number of attack sources is small it is very effective. However, for every one of the three categories above, even the smallest, the major cloud platform servers, the number of attack sources observed is on the order of ten thousand. This means that even a demanding policy that allows only one request per second per IP would still let tens of thousands of requests per second reach the site, which the servers of most small and medium-sized sites cannot withstand.

Therefore, to suppress an attack completely, a combination of measures is needed: block in advance, as far as possible, the sources and request features that the business cannot produce, and during the attack fine-tune the defense strategy dynamically based on the differences between attack traffic and normal business traffic. Frequency-based policies can only play a supporting role in defense.
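The in-event half of that combination, adjusting the strategy from the difference between attack and normal traffic, is shown by the following added example in Python; it is not Alibaba Cloud's code and not part of the original article. It keeps a baseline of request-feature counts (path plus client family) from a normal period, flags features whose share of the current window is far above their baseline share, and applies a tight per-IP sliding-window limit only to requests carrying a flagged feature while normal traffic keeps a lenient limit. The constructed window also reproduces the article's point about frequency limits: 300 zombie hosts capped at 2 requests per second each still push 600 requests per second through. The service, paths, thresholds, addresses and traffic mix are all assumptions.

```python
from collections import Counter, defaultdict, deque

# Constructed baseline: (path, client family) counts observed during a normal
# period of a hypothetical App-only telemedicine service.
BASELINE = Counter({
    ("/api/home", "MedApp/2.1"): 500,
    ("/api/consult", "MedApp/2.1"): 300,
    ("/api/login", "MedApp/2.1"): 150,
    ("/api/search", "MedApp/2.1"): 50,
})


def overrepresented(window, baseline, ratio=5.0, min_share=0.2):
    """Features whose share of the current window is at least `min_share` and at
    least `ratio` times their baseline share. A feature absent from the baseline
    has share 0 there and is flagged as soon as it reaches `min_share`."""
    total_w = sum(window.values())
    total_b = sum(baseline.values())
    flagged = []
    for feat, n in window.items():
        share_w = n / total_w
        share_b = baseline.get(feat, 0) / total_b
        if share_w >= min_share and (share_b == 0 or share_w / share_b >= ratio):
            flagged.append(feat)
    return sorted(flagged)


class AdaptiveLimiter:
    """Per-IP sliding-window limiter whose limit depends on whether the request's
    feature is currently flagged. The frequency limit is the supporting control;
    the feature selection is what keeps the tight limit off normal traffic."""

    def __init__(self, normal_limit=20, tight_limit=2, window_s=1.0):
        self.normal_limit = normal_limit
        self.tight_limit = tight_limit
        self.window_s = window_s
        self.flagged = set()
        self.hits = defaultdict(deque)  # (ip, tight?) -> timestamps in window

    def retune(self, window_counts, baseline=BASELINE):
        """Recompute the flagged feature set from the latest traffic window."""
        self.flagged = set(overrepresented(window_counts, baseline))

    def allow(self, ip, feat, now):
        tight = feat in self.flagged
        q = self.hits[(ip, tight)]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= (self.tight_limit if tight else self.normal_limit):
            return False
        q.append(now)
        return True


def build_window():
    """Constructed one-second window: 200 normal App users making 2 requests
    each across four paths, plus 300 zombie hosts each hitting /api/search 6
    times. The 'kind' label is ground truth for scoring only; the defense never
    sees it."""
    reqs = []
    paths = ["/api/home", "/api/consult", "/api/login", "/api/search"]
    for i in range(200):
        ip = f"10.1.{i // 250}.{i % 250 + 1}"
        for t in (0.0, 0.5):
            reqs.append((ip, (paths[i % 4], "MedApp/2.1"), t, "normal"))
    for i in range(300):
        ip = f"172.16.{i // 250}.{i % 250 + 1}"
        for k in range(6):
            reqs.append((ip, ("/api/search", "MedApp/2.1"), k * 0.1, "attack"))
    return reqs


def defend(reqs, baseline=BASELINE):
    """Flag over-represented features for this window, then run the limiter."""
    counts = Counter(feat for _, feat, _, _ in reqs)
    lim = AdaptiveLimiter()
    lim.retune(counts, baseline)
    outcome = Counter()
    for ip, feat, t, kind in reqs:
        outcome[(kind, lim.allow(ip, feat, t))] += 1
    return {
        "flagged": sorted(lim.flagged),
        "attack_ips": len({ip for ip, _, _, kind in reqs if kind == "attack"}),
        "attack_accepted": outcome[("attack", True)],
        "attack_dropped": outcome[("attack", False)],
        "normal_accepted": outcome[("normal", True)],
        "normal_dropped": outcome[("normal", False)],
    }


if __name__ == "__main__":
    print(defend(build_window()))
```

The result is the trade-off the article describes: the 50 normal users who also search are placed under the tight limit but, at 2 requests per second, none of them is dropped, while two thirds of the attack is shed. What remains, 600 requests per second from 300 sources, is exactly why the pre-event rules on impossible sources and request features have to carry the main load and the frequency policy can only support them.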


Source: blog.csdn.net/csdnnews/article/details/105172302