05

DDoS-Resistant Architecture

DDoS attacks are always present, and adversaries constantly innovate and develop new attack strategies. Nevertheless, it’s possible to stop 90 percent of DDoS attacks from being launched with minimal effort by blocking IP address spoofing and controlling inbound traffic.

IP Address Spoofing

When attackers launch reflection/amplification attacks, they often use IP address spoofing, which occurs when a device forges its source address for the purpose of impersonating another device. Doing so forces an unwilling service to send its replies to the victim under attack. There is no practical reason to allow spoofed traffic on the internet; as such, blocking this type of activity has no impact on legitimate traffic.

If IP address spoofing were universally blocked, attackers couldn’t launch spoofed DDoS attacks, which would then block all reflection/amplification DDoS attacks. Frustratingly, only 64 percent of autonomous system numbers (ASNs) block IPv4 address spoofing. Likewise, only 78.9 percent of currently announced IPv4 CIDR blocks do so (see the Caida spoofer project). Blocking IP address spoofing is simple to do at the edges of the internet and should be done at the physical edge for each device or at the first routing edge.

It’s imperative that corporate networks block IP address spoofing, because attackers look for vulnerable devices inside corporate networks to launch spoofed DDoS attacks. Implementing an access control list (ACL) at the internet-facing edge of the network is a simple process that uses negligible resources, while allowing only legitimate traffic to reach a company network.

ISPs should also implement ACLs at the subscriber edges, which allows only inbound traffic originating from subnets allocated to respective customers. This type of control can also be done at the edges between local and regional ISPs, where the regional ISP can control the traffic originating from local ISPs.

Although blocking IP address spoofing adds some complexity, the benefits of doing so include:

  • 1

    Decreasing the frequency and volume of spoofed DDoS attacks

  • 2

    Reducing load on ISP infrastructure worldwide

  • 3

    Freeing up resources for legitimate internet traffic

Stopping IP Address Spoofing Can Be Done Manually or by Using uRPF

computer screen with IP with arrows going to server and exclamation mark with warning

Controlling Traffic Toward Your Services

Enterprises use the internet for two primary purposes: accessing services/information and providing services/information to others—including things such as web services, SIP services, and DNS services. But no company offers all services to everyone. Because such services are often are specialized, it makes sense to control the kinds of network traffic granted access to them. For example, a web hosting service almost never needs to allow UDP packets toward the service, because all the traffic is inbound on TCP port 80 or 443. Likewise, an authoritative DNS service only needs inbound UPD traffic on port 53 with fallback to TCP port 53 when the topology change Truncate bit is enabled.

By understanding the type of services deployed, it’s possible to configure strict access controls, thereby effectively blocking the majority of DDoS attacks with minimal effort. This strategy is especially effective when an attacker launches multivector DDoS attacks, because the majority of attack vectors will be blocked, allowing the security team to focus on attacks that are more serious.

Using Traffic Separation to Defend Against Common DDoS Attack Vectors

graph with services outbound DNS inbound DNS and outbound traffic details

Real-World Examples

  • 1

    In 2021, a large service provider that followed these design examples was hit with a massive reflected DDoS attack that attempted to take down its DNS server farm. Without any additional effort, the attack was mitigated by predeployed ACL filters.

  • 2

    Likewise, a service provider in Europe that followed these examples faced a similar attack against its authoritative DNS server, and attackers initially were able to disrupt service. It was quickly discovered that a newly deployed edge router was lacking an ACL filter used to block external attacks from source IP addresses. When the ACL was corrected, attack traffic reduced by more than 70 percent, and services were restored.

Summary

By blocking IP address spoofing, implementing best current practices (BCPs), and leveraging intelligent DDoS mitigation solutions (IDMS) such as Arbor Sightline with Sentinel, TMS, AED, and Arbor Cloud, it’s possible to fully block or dramatically reduce the impact of DDoS attacks and methodologies like carpet-bombing attacks, TCP-based floods, application-layer attacks, and any other attacks manufactured by adversaries.