In July 2019, Cloud DPS, a cloud cleaning product from NSFOCUS, withstood a week-long wave of DDoS attacks exceeding 100 Gbps. Targeting a board/card game vendor, the attacks were strikingly regular, with traffic averaging 100 Gbps and peaking at 431.6 Gbps.
Volumetric attacks are common in the gaming sector, where attackers generate high-volume traffic by resorting to reflection attacks. With the emergence of Memcached attacks, the peak traffic of DDoS attacks has increased further: Memcached DRDoS attacks in 2018 peaked at 1.35 Tbps. Reflection attacks, however, are not complicated and can be blocked rapidly once identified by source port. Combating this kind of attack is, in essence, a contest of resource reserves between attacker and defender. According to Cloud DPS, gaming vendors that are easy targets of DDoS attacks should hold Tbps-level cleaning resources to counter high-volume attacks.
What Happened?
July, this gaming vendor's peak business period, also brought malicious DDoS attacks in large numbers. Since mid-July, multiple IP addresses of the vendor had been hit by high-volume pulsing attacks every night (Beijing time). At 11:00 p.m. Beijing time on July 17, after withstanding multiple 100 Gbps pulsing attacks, Cloud DPS began beating back the fiercest attack of the campaign, a 420 Gbps volumetric attack whose traffic peaked at a record 431.6 Gbps two days later. Collaborating with the vendor's on-premises ADS, Cloud DPS cleaned the attack traffic in a hierarchical manner: Cloud DPS cleaned most of the network-layer attack traffic in the cloud, and ADS then cleaned the remaining traffic with the more fine-grained protection policies configured on it. Ultimately, the vendor's business operated properly on the whole and was not affected by the attacks.
So how did the attacker carry out these attacks, and how did Cloud DPS defend against them effectively?
Figure 1 Distribution of attack peaks
Attack Analysis
The attacker mainly targeted two aspects of the vendor’s business:
- Advertisement redirect page, which provides game advertisements and download addresses. This page is the vendor's main channel for bringing in user traffic. Data is transmitted over a plain TCP connection, and the application layer uses HTTPS.
- Game server. Most of the server's business traffic is UDP, with some TCP.
An analysis of the attack traffic reveals that the traffic against the advertisement redirect page consisted mainly of SSDP reflection attacks, NTP reflection attacks, and a small number of HTTPS attacks, while the traffic against the game server was chiefly produced by UDP flood, ACK flood, and SYN flood attacks. This is the standard DDoS playbook: saturate the bandwidth with a large number of UDP packets and run other attacks alongside as auxiliary means of consuming the server's processing resources. Which auxiliary attacks are used depends on the characteristics of the actual business. In this attack, the majority of traffic came from UDP flood attacks and reflection attacks (SSDP reflection and NTP reflection).
Figure 2 Attack type distribution
Tips: What Are SSDP Reflection Attacks and NTP Reflection Attacks?
Reflection attacks are common among volumetric attacks. In a reflection attack, an attacker crafts a large number of UDP packets with the source IP address forged to the victim's IP address and sends them to numerous SSDP terminals or NTP servers. As a result, a great many UDP packets, all with the same fixed source port, are sent to the victim's IP address. Such an attack can have an amplification factor of dozens or even hundreds. Worse still, a Memcached reflection attack's amplification factor can reach 50,000; that is, for each request packet an attacker sends, up to 50,000 times that volume is destined for the victim's IP address. Because the source port identifies a reflection attack, most DDoS protection products can block such attacks rapidly. Combating this kind of attack is, in essence, a contest of resource reserves between attacker and defender, and local bandwidth alone cannot withstand it.
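The source-port check described above, as an added example that is not NSFOCUS code: it classifies constructed UDP flow records by reflector service port (SSDP 1900, NTP 123, Memcached 11211) and totals reflected bytes per victim, with a volume threshold so that a host's own ordinary NTP replies are not flagged.

```python
# Added example (not NSFOCUS code): the source-port check the text describes, run
# over constructed flow records to spot reflection floods and who they target.
from collections import defaultdict
# Service ports of the reflectors named in the text; the amplified replies reach
# the victim with one of these as the UDP *source* port.
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP", 11211: "Memcached"}

def parse_flow(line):
    """Parse a constructed record 'proto src_ip:port > dst_ip:port bytes'."""
    proto, src, _, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport), "bytes": int(nbytes)}

def classify(flow):
    """Return the reflection type a flow matches, or None. Only UDP with a
    reflector service port as *source* counts; the victim never sent a query,
    so the destination port carries no meaning and is not part of the check."""
    if flow["proto"] != "UDP":
        return None
    return REFLECTOR_PORTS.get(flow["src_port"])

def reflection_report(lines, threshold):
    """Sum reflector-sourced bytes per (victim IP, type) and return entries at or
    above threshold, largest first. Volume is what separates an attack from a
    host's own legitimate NTP replies, which carry the same source port."""
    totals = defaultdict(int)
    for line in lines:
        flow = parse_flow(line)
        kind = classify(flow)
        if kind:
            totals[(flow["dst_ip"], kind)] += flow["bytes"]
    hits = [(dst, kind, b) for (dst, kind), b in totals.items() if b >= threshold]
    return sorted(hits, key=lambda t: t[2], reverse=True)

# Constructed sample flows using documentation-range addresses, not real traffic.
SAMPLE = [
    "UDP 198.51.100.10:1900 > 203.0.113.5:41233 480000",
    "UDP 198.51.100.11:1900 > 203.0.113.5:41233 520000",
    "UDP 198.51.100.20:123 > 203.0.113.5:51001 440000",
    "UDP 198.51.100.30:123 > 203.0.113.9:123 76",        # ordinary NTP reply, below threshold
    "TCP 198.51.100.40:443 > 203.0.113.5:52000 9000",    # HTTPS, not a reflection signature
    "UDP 198.51.100.50:11211 > 203.0.113.9:33000 1400000",
]

if __name__ == "__main__":
    for dst, kind, nbytes in reflection_report(SAMPLE, threshold=100_000):
        print(f"{dst}  {kind:<9}  {nbytes} bytes")
```

In production the same classification is applied per time window as a byte rate rather than a cumulative total, and the threshold is tuned to the host's normal NTP/SSDP traffic.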
Cloud DPS Scheduling 7 Tbps Protection Resources for Rapid Near-Source Cleaning
To fight such high-volume pulsing attacks, Cloud DPS scheduled 7 Tbps of cleaning resources worldwide for near-source cleaning, giving it a clear upper hand in the contest of resources. Cleaning centers in many regions took part, with the Los Angeles, Frankfurt, and London nodes handling most of the load.
Figure 3 Traffic cleaning of each cleaning node
In recent years, Cloud DPS has developed rapidly worldwide, as NSFOCUS has continuously deployed cleaning nodes and cooperated with top carriers to keep improving cleaning capacity and bandwidth. Currently there are seven cleaning centers distributed across Europe, Asia, and America, providing an overall cleaning capacity of 7 Tbps. Cloud DPS implements near-source cleaning around the globe by using Anycast, so that multiple cleaning centers clean DDoS traffic collaboratively and back each other up for disaster recovery.
Cloud DPS has a natural advantage in defending against volumetric attacks. In terms of resource reserve, seven high-quality cleaning nodes around the world are sufficient to defend against Tbps-level attacks; in terms of technical means, it inherits the mature anti-DDoS technology of NSFOCUS anti-DDoS products to clean network-layer attacks rapidly, and it provides nine HTTP protection algorithms for cleaning the traffic of complicated application-layer attacks.
DDoS defense is a dynamic process. Cloud DPS's Managed Security Service (MSS) provides 24/7 anti-DDoS support for customers. Each time an attack is launched against a customer, NSFOCUS's Security Operations Center (SOC) team defends against it together with the customer, analyzing the attack thoroughly and tuning protection policies to the customer's actual business needs so that those policies are as effective as possible.
Anti-DDoS Suggestions for Our Gaming Customers Wanting to Do Overseas Business
The gaming sector is always hit hard by DDoS attacks. According to the 2018 DDoS Attack Trend Report issued by NSFOCUS, the gaming sector came second in the number of DDoS attacks received (27.6%). For attackers, DDoS attacks can be initiated at low cost and impose a serious impact on victims; more often than not, a DDoS attack against the gaming sector can generate proceeds of millions of RMB for the attackers. Meanwhile, because competition in the gaming sector is cut-throat, DDoS has become a common means of defeating competitors. These factors account for why DDoS attacks are so common in the gaming sector.
For our gaming customers who have overseas servers or intend to do business overseas, the Cloud DPS team offers the following DDoS protection suggestions:
- Deploy servers in load balancing mode to mitigate the impact of CC attacks.
- Regularly make security enhancements to servers by applying system patches in time.
- Analyze in detail which service protocols and ports are actually used, and block the unnecessary ones to reduce the attack surface.
- Make full use of ACLs, whitelists, and blacklists for simple blocking and forwarding rules, for instance blocking requests from IP addresses in an unwanted geographic location or allowing only requests from IP addresses in a whitelisted geographic location.
- Assess attack risks. If DDoS attacks occur frequently and some of them are high-volume, you are advised to prepare Tbps-level protection resources. To that end, select a cloud cleaning vendor with worldwide cleaning capacity to ensure continuous and stable business operations.