
Game business DDoS attack and defense confrontation case sharing

2022-06-24 16:46:00 Tencent Security Emergency Response Center

Written by | Aegis DDoS Protection Team, blizzard

0x00 Introduction

Experience shows that every Spring Festival holiday, alongside the restless children who refuse to stay out of the limelight, there is another group ready to stir: the DDoS hackers who treat the holiday as their busiest season. The festive Spring Festival period has become the peak time for DDoS attacks.

The Aegis DDoS protection team has long been used to "spending the Spring Festival together" with all sorts of hackers, but during the 2021 Spring Festival the DDoS battle around one of Tencent Cloud's large game-company customers was fiercer and more drawn-out than previous attacks. To achieve their goal, the hackers tailored a complete DDoS attack plan to several of this customer's game businesses; they pulled out every trick, determined to take the customer down.

0x01 An unexpected arrival, with enemy signals on all sides

In early February 2021, on a night close to the Lunar New Year, the Aegis system raised an emergency alarm: a large number of business IPs belonging to a Tencent Cloud game customer were under carpet-style DDoS bombardment, with dozens of IPs hit by high-volume traffic within a short time. This was clearly a malicious DDoS campaign aimed specifically at this user. The Aegis team and the Tencent Cloud Anti-DDoS Advanced product team immediately contacted the user to discuss the current attack situation and the protection countermeasures.

Preliminary analysis of the first round of attacks showed: an average peak attack traffic of 230 Gbps per IP, attacks lasting 4 hours, a mix of multiple DDoS and CC techniques, precise targeting of business-critical ports, and timing chosen to coincide with peak business hours. Taken together, these features looked like the hackers' declaration of war on us; they signalled that more attacks would follow and that a tug-of-war between attack and defense was about to begin.

Figure 1: First-round attack traffic trend (unit: Gbps)

0x02 Well prepared, with no sense of fair play

As expected, over the following ten days the hackers "clocked in" every night without fail, and punctually on holidays, showing a ferocious determination to kill the game. According to Aegis statistics, within twenty days the customer's games suffered nearly 1,300 DDoS attacks, with single-attack peak traffic exceeding 500 Gbps.

Figure 2: DDoS attack situation for the game customer

In terms of attack bandwidth the peak was not especially high (as early as 2018 Tencent Cloud successfully mitigated a 1.23 Tbps DDoS attack for a customer). However, after the team carefully analyzed the attack methods and traffic composition, it became clear that these hackers had planned targeted attacks around the characteristics and weaknesses of the business, and had prepared well. This is evident from the following three points:

(1) Familiar with the business: tailor-made attacks

Statistically, attackers on today's networks prefer UDP reflection (more than 80% of attacks on the current network), yet these hackers never used it once. They knew that the game business runs on TCP, so the defenders would certainly disable UDP on the protection system, and a cloud provider can also arrange custom ACLs with the carriers that block UDP directly on the carrier backbone, making even very large attack traffic futile. The hackers were therefore smart enough to spend their effort on TCP-based attacks and to customize the attack scheme to the business.

(2) Familiar with attack and defense: tricky techniques

The TCP attack plan the hackers devised shows a deep understanding of DDoS attack and defense technology. Most of the selected techniques are recognized by the industry as the hardest to protect against, including TCP reflection, TCP connection attacks, TCP layer-4 CC and HTTP CC (see Figure 3 for detailed data). Most of this attack traffic rides on complete TCP connections or legitimate protocol-stack behaviour, so it can even break through traditional DDoS protection strategies. This poses a great challenge to the defenders and a serious threat to the game business and even to the stability of the platform.

Figure 3: Distribution of DDoS attack methods

(3) All is fair in war: focusing on bottlenecks

TCP is a connection-oriented protocol, so in TCP attack-and-defense confrontations the server's connection count often becomes the bottleneck of protection. The hackers clearly knew this well: they used a large number of bots to initiate low-frequency connection requests, exhausting the server's connections with very little traffic. This made protection considerably harder; one has to say these hackers really had no sense of fair play.

Facing hackers who came well prepared and with strong technical ability, how did the Aegis protection team break down each technique one by one and keep the business and the platform stable? The details follow.

0x03 TCP reflection: a self-developed protection algorithm

TCP reflection is not actually a novel attack technique. As early as 2018 the Aegis team published the industry's first technical article on it, "Inadvertently or intentionally: an in-depth analysis of TCP reflection DDoS attack techniques 2.0", explaining the principle and the harm of the technique. Because this attack exhibits genuine protocol-stack behaviour, traditional ideas such as reverse challenges and protocol-stack behaviour checks are hard to apply, which made the technique increasingly popular with the black market until it finally erupted in the cloud in Q3 2020. According to Aegis statistics, the number of TCP reflection attacks observed network-wide rose from the original 10+ per day to 1,400+ per day, and the peak traffic jumped from the original 10+ Gbps to 500+ Gbps. TCP reflection has thus become a security problem that cannot be ignored, and it is bound to become more and more rampant.

Figure 4: TCP reflection attack trends

The main characteristics of TCP reflection, and the reasons it is difficult to protect against, are:

(1) Reflection easily yields a large number of source IPs whose traffic has legitimate protocol-stack behaviour;

(2) Professional anti-DDoS devices are usually deployed out-of-path (bypass), seeing only the inbound direction, so they cannot perform two-way session checks;

(3) Reflected SYN-ACK, ACK and RST segments are mixed together, making the traffic composition closer to normal business traffic.
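To make points (2) and (3) concrete, here is an added example (not Aegis code, and not the algorithm the article describes) of how a defender can still score TCP reflection from a one-directional inbound feed. It relies on the observation that a server normally receives bare SYNs and data from clients, so inbound SYN-ACK/RST segments from a very large number of distinct sources are the reflection telltale. The packet samples, the `Pkt` layout and the `10.0.1.9` backend peer are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One sampled inbound TCP segment header (constructed sample format)."""
    src: str      # source IP as seen on the wire
    dst: str      # protected business IP
    dport: int
    flags: str    # TCP flag letters: S=SYN, A=ACK, R=RST, P=PSH


def looks_reflected(flags: str) -> bool:
    """A server normally *receives* bare SYNs and data from clients. Inbound
    SYN-ACK or RST segments are what a reflector returns when someone spoofs
    the victim's address, so on a one-directional feed they are the telltale."""
    f = set(flags)
    return ("S" in f and "A" in f) or "R" in f


def analyze_inbound(packets, min_sources=50, min_ratio=0.5, known_peers=frozenset()):
    """Score each protected IP using only inbound segments.

    known_peers: hosts the business legitimately connects *to* (databases,
    upstream APIs); their SYN-ACK/RST replies are expected and excluded.
    Returns {dst: {...}} with a 'suspicious' verdict per destination."""
    per_dst = defaultdict(lambda: {"total": 0, "reflected": 0,
                                   "sources": set(), "flag_mix": defaultdict(int)})
    for p in packets:
        s = per_dst[p.dst]
        s["total"] += 1
        if looks_reflected(p.flags) and p.src not in known_peers:
            s["reflected"] += 1
            s["sources"].add(p.src)
            s["flag_mix"][p.flags] += 1
    verdicts = {}
    for dst, s in per_dst.items():
        ratio = s["reflected"] / s["total"] if s["total"] else 0.0
        verdicts[dst] = {
            "reflected_ratio": round(ratio, 3),
            "distinct_sources": len(s["sources"]),
            "flag_mix": dict(s["flag_mix"]),
            # many distinct reflectors AND reflected segments dominating the
            # inbound mix is what separates reflection from a few peers
            # legitimately answering the server's own outbound connections
            "suspicious": len(s["sources"]) >= min_sources and ratio >= min_ratio,
        }
    return verdicts


def build_sample():
    """Constructed packet sample: one IP under reflection, one serving players."""
    pkts = []
    # 300 reflectors answering spoofed probes with a SYN-ACK / RST mix
    for i in range(300):
        pkts.append(Pkt(f"198.51.{i // 256}.{i % 256}", "10.0.0.5", 7000,
                        ["SA", "SA", "R", "RA"][i % 4]))
    # 20 real players: handshake SYN followed by a data segment
    for i in range(20):
        pkts.append(Pkt(f"192.0.2.{i}", "10.0.0.5", 7000, "S"))
        pkts.append(Pkt(f"192.0.2.{i}", "10.0.0.5", 7000, "PA"))
    # the game server's own outbound connection to a backend, answered normally
    for _ in range(6):
        pkts.append(Pkt("10.0.1.9", "10.0.0.5", 33000, "SA"))
    # a second business IP with only players, three of whom reset on logout
    for i in range(15):
        pkts.append(Pkt(f"192.0.2.{100 + i}", "10.0.0.6", 7000, "S"))
        pkts.append(Pkt(f"192.0.2.{100 + i}", "10.0.0.6", 7000, "PA"))
    for i in range(3):
        pkts.append(Pkt(f"192.0.2.{100 + i}", "10.0.0.6", 7000, "R"))
    return pkts


if __name__ == "__main__":
    for dst, v in analyze_inbound(build_sample(), known_peers={"10.0.1.9"}).items():
        print(dst, v)
```

The thresholds are deliberately simple; in a real deployment they would be set per business from its normal inbound flag mix, and the peer allow-list matters because a server that makes its own outbound connections legitimately receives SYN-ACKs, just from a handful of sources rather than hundreds.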

Faced with such a thorny attack, the Tencent Aegis team was already well prepared: before the TCP reflection outbreak it had been the first in the industry to develop a TCP reflection protection algorithm that accurately separates attack traffic from normal traffic without human intervention and without players noticing, achieving automated, intelligent cleaning. In this confrontation, therefore, TCP reflection was effectively mitigated and the hacker did not succeed.

0x04 TCP layer-4 CC: AI + DDoS protection

CC attacks fall into two main categories: layer-7 CC (based on HTTP) and layer-4 CC (based on TCP). Since the attacked game business has no HTTP, the Aegis team could easily deal with the layer-7 part by configuring an HTTP-disable policy. For TCP layer-4 CC, however, the difficulty of protection is "maxed out".

In a so-called TCP layer-4 CC attack, the hacker controls a large number of bots that establish complete TCP connections with the target server and then send large volumes of forged data traffic, exhausting server resources and causing denial of service. This technique is fairly common in TCP business scenarios. The difficulty of protecting against it is that the business itself runs a private protocol developed on top of TCP, which is not standardized, so few protection features and rules are available and it is hard to distinguish attack traffic from normal traffic.

Figure 5: TCP layer-4 CC attack process

The most thorough industry approach to protecting against TCP layer-4 CC is to have the client integrate an SDK that takes over all client traffic; the protection system can then rely on a mechanism negotiated with the SDK to identify malicious traffic and complete automatic protection. But this scheme requires code changes on both client and server, with an inevitably long development and testing cycle, so "distant water cannot put out a nearby fire".
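As an added illustration of what such an SDK-negotiated mechanism can look like (this is an example written for this page, not Aegis's SDK or any vendor's wire format), the block below has the client SDK prepend a keyed, time-bounded header to the first segment of every connection, and has the scrubbing side verify it without understanding the game's private protocol at all. The `MAGIC` marker, header layout, `MASTER_KEY` and client IDs are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"SDK1"                  # constructed header marker; not an Aegis format
TAG_LEN = 16                     # truncated HMAC-SHA256 tag
MASTER_KEY = bytes(range(32))    # constructed demo key; a real deployment loads it from a KMS


def client_key(master: bytes, client_id: str) -> bytes:
    """Derive a per-client key so one leaked client key does not expose the others."""
    return hmac.new(master, b"client-key|" + client_id.encode(), hashlib.sha256).digest()


def sdk_build_header(key: bytes, client_id: str, dst_port: int, now: float) -> bytes:
    """Client side: header the SDK prepends to the first segment of each connection.
    Layout: MAGIC | len(client_id) | client_id | ts(u32) | dst_port(u16) | nonce(8) | tag(16)."""
    cid = client_id.encode()
    body = (struct.pack("!B", len(cid)) + cid
            + struct.pack("!IH", int(now), dst_port) + os.urandom(8))
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return MAGIC + body + tag


class ScrubberVerifier:
    """Protection-system side: validates the header, never parses the game protocol."""

    def __init__(self, master: bytes, max_skew: int = 30):
        self.master = master
        self.max_skew = max_skew
        self.seen = set()   # (client_id, ts, nonce) replay cache; expire by ts in practice

    def check(self, segment: bytes, dst_port: int, now: float):
        """Return (verdict, payload): verdict is 'ok' or the reason the segment is dropped."""
        if not segment.startswith(MAGIC) or len(segment) < len(MAGIC) + 1:
            return "no-header", b""
        pos = len(MAGIC)
        n = segment[pos]
        body_len = 1 + n + 4 + 2 + 8
        if len(segment) < pos + body_len + TAG_LEN:
            return "truncated", b""
        body = segment[pos:pos + body_len]
        tag = segment[pos + body_len:pos + body_len + TAG_LEN]
        cid = body[1:1 + n].decode("utf-8", "replace")
        ts, port = struct.unpack("!IH", body[1 + n:1 + n + 6])
        nonce = body[1 + n + 6:]
        expected = hmac.new(client_key(self.master, cid), body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return "bad-tag", b""
        if port != dst_port:
            return "wrong-port", b""   # a valid header captured for one service, aimed at another
        if abs(int(now) - ts) > self.max_skew:
            return "stale", b""
        replay_key = (cid, ts, nonce)
        if replay_key in self.seen:
            return "replay", b""
        self.seen.add(replay_key)
        return "ok", segment[pos + body_len + TAG_LEN:]


if __name__ == "__main__":
    now = 1_700_000_000.0
    seg = sdk_build_header(client_key(MASTER_KEY, "player-42"), "player-42", 7000, now) + b"LOGIN"
    print(ScrubberVerifier(MASTER_KEY).check(seg, 7000, now + 1))
```

Because the tag binds the destination port and a timestamp, and the verifier keeps a replay cache, a bot without the SDK key cannot fabricate an accepted first segment even if it establishes a full TCP connection, which is exactly the gap the article describes for private TCP protocols. The cost, also as the article notes, is that both client and server must ship the change.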

In fact, the Aegis team has many years of experience protecting against TCP layer-4 CC, and developed the industry's first deep-learning-based TCP layer-4 CC solution:

1. Using Tencent's massive traffic data, collect a large volume of samples to train a deep learning model;

2. Once the deep learning model converges, it can automatically identify and classify traffic;

3. During protection on the production network, the DDoS system and the AI engine work together to achieve automatic identification and cleaning of TCP layer-4 CC.

Figure 6: TCP layer-4 CC AI protection model

Relying on this deep learning scheme, combined with strategies customized to the business characteristics, Aegis achieved high-precision cleaning of all the TCP layer-4 CC attack traffic launched by the hacker. The hacker failed again.

0x05 TCP connection attack: traffic fingerprint identification

With TCP reflection and layer-4/layer-7 CC having no effect, the hacker turned to TCP connections and finally came up with an even "dirtier" tactic: low-frequency TCP connection attacks. At this point the defense faced four big problems:

1. The attacking bot IPs were spread all over the country with no obvious clustering, and the bot IPs rotated constantly;

2. The connection request frequency of the bots was very low, close to that of normal players or even lower;

3. After establishing a connection, each bot sent only a very small amount of forged business data, so the attack was not obvious;

Facing many unfavourable factors and great pressure, the Aegis team, after research and analysis, decided to abandon traditional DDoS countermeasures such as blacklists and rate limiting, and instead turned the situation around with Aegis's self-developed traffic fingerprint algorithm.

Traffic fingerprinting uses passive traffic analysis to accurately identify key information about the client, including the operating system type and the application type, even down to locating a specific terminal. So although the bots' traffic and behaviour had become almost indistinguishable from normal players, they had nowhere to hide under Aegis's fingerprint recognition algorithm: bots and normal players were accurately told apart, and the attack traffic was accurately intercepted by the protection system.

Figure 7: Traffic fingerprints
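The following is an added example (not the Aegis fingerprint algorithm) of the passive fingerprinting idea applied to the low-frequency connection problem above: the fields a client's TCP/IP stack sets in its SYN (initial TTL, window, MSS, window scale, DF bit, option order) are combined into a p0f-style fingerprint, and the fingerprint mix of a time window is compared against a known-good player baseline. Per-connection rate and payload size are player-like in this attack, but a bot farm's stacks are whatever the bots run on, so a fingerprint that was rare among players and suddenly carries a large share of new connections stands out. The `SIGNATURES` table, the `Syn` layout and all SYN samples are constructed for this example and are not authoritative for the named operating systems.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """Fields of a client's SYN that its TCP/IP stack sets without the game knowing."""
    src: str
    ttl: int          # TTL as received (initial value minus hops)
    window: int       # initial receive window
    mss: int
    wscale: int       # window scale shift, -1 if the option is absent
    df: bool          # IP don't-fragment bit
    options: str      # option order, p0f-style letters: M=MSS S=SACK T=TS N=NOP W=WS E=EOL


def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the stack's likely starting value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)


def fingerprint(syn: Syn) -> str:
    return f"{initial_ttl(syn.ttl)}:{syn.window}:{syn.mss}:{syn.wscale}:{int(syn.df)}:{syn.options}"


# Illustrative signature table, constructed for this example and loosely modelled
# on p0f-style SYN signatures. A production system needs a maintained database.
SIGNATURES = {
    "64:65535:1460:6:1:M,N,W,N,N,T,S,E,E": "iOS/macOS (illustrative)",
    "128:64240:1460:8:1:M,N,W,N,N,S":      "Windows 10 (illustrative)",
    "64:65535:1460:7:1:M,S,T,N,W":         "Android (illustrative)",
    "64:29200:1460:7:1:M,S,T,N,W":         "Linux server (illustrative)",
}


def os_guess(syn: Syn) -> str:
    return SIGNATURES.get(fingerprint(syn), "unknown")


def rising_fingerprints(baseline: Counter, current: Counter, min_count=20, factor=10.0):
    """Flag fingerprints whose share of new connections jumped against the player baseline.
    Returns {fingerprint: details}; min_count avoids flagging a handful of rare devices."""
    base_total = sum(baseline.values())
    cur_total = sum(current.values())
    flagged = {}
    for fp, n in current.items():
        if n < min_count or cur_total == 0:
            continue
        base_share = baseline.get(fp, 0) / base_total if base_total else 0.0
        cur_share = n / cur_total
        if base_share == 0.0 or cur_share / base_share >= factor:
            flagged[fp] = {"count": n, "os": SIGNATURES.get(fp, "unknown"),
                           "baseline_share": round(base_share, 4),
                           "current_share": round(cur_share, 4)}
    return flagged


def build_sample():
    """Constructed SYN samples: a player baseline and a window with a bot wave mixed in."""
    ios = dict(ttl=52, window=65535, mss=1460, wscale=6, df=True, options="M,N,W,N,N,T,S,E,E")
    win = dict(ttl=113, window=64240, mss=1460, wscale=8, df=True, options="M,N,W,N,N,S")
    android = dict(ttl=57, window=65535, mss=1460, wscale=7, df=True, options="M,S,T,N,W")
    bot = dict(ttl=61, window=29200, mss=1460, wscale=7, df=True, options="M,S,T,N,W")

    def syns(prefix, count, fields):
        return [Syn(f"{prefix}.{i % 256}", **fields) for i in range(count)]

    baseline = syns("203.0.113", 600, ios) + syns("198.51.100", 350, win) + syns("192.0.2", 50, android)
    current = (syns("203.0.113", 120, ios) + syns("198.51.100", 70, win)
               + syns("192.0.2", 10, android) + syns("100.64.0", 150, bot))
    return Counter(map(fingerprint, baseline)), Counter(map(fingerprint, current))


if __name__ == "__main__":
    base, cur = build_sample()
    for fp, info in rising_fingerprints(base, cur).items():
        print(fp, info)
```

The decision here is made on the population of fingerprints, not on any single IP, which is what makes it robust to the rotating, geographically scattered bot IPs listed above; the individual connections that carry a flagged fingerprint can then be challenged or dropped by the protection system.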

After this confrontation, all of the hacker's attack techniques were fully mitigated and business returned to normal. The dawn of justice had finally arrived.

0x06 Tencent Cloud's high-volume DDoS protection

Someone might ask: could the hackers become enraged one day and instead launch a super-large-volume DDoS attack? Of course that is possible. Against this threat, Tencent Cloud relies on its huge bandwidth advantage and years of attack-and-defense experience to build a global DDoS defense system with a cumulative domestic protection capacity of 5 Tbps and a cumulative overseas protection capacity of 1.2 Tbps. So even a huge-volume DDoS attack against this customer would come to nothing.

(For details of Tencent Cloud DDoS protection products see https://cloud.tencent.com/product/ddos)

Figure 8: Tencent Cloud global DDoS protection system

0x07 Back to peace?

After the carefully designed attack scheme failed, the hacker did not actually give up: batch replacement of bot IPs, enlarging the number of bot IPs, launching protocol floods, pulse attacks and so on, all intended to stir up trouble. But all these "efforts" proved to be a last gasp. After many days of fruitless attempts, the hacker eventually lost patience and gave up the attack.

So is the world at peace again? The answer seems harsh: not at all. As the saying goes, "where there is interest there is struggle, and where there is a business network there is DDoS". Neither the business side nor the protection side can ever expect hackers to suddenly improve their morals and give up DDoS. Instead we must constantly temper and innovate ourselves so as to stay a step ahead on an ever more severe and complex anti-DDoS battlefield.

0x08 Team introduction

The Aegis project of Tencent TEG's Security Platform Department builds on more than ten years of DDoS protection technology accumulation, continuously providing professional, reliable DDoS attack protection solutions for self-developed businesses such as QQ, WeChat, Honor of Kings and League of Legends. Together with the Tencent Cloud security team it launched the Anti-DDoS Advanced product, providing professional, reliable DDoS solutions for customers on the cloud.

Appendix:

In the wild: analysis of TCP reflection-based DDoS attacks

https://www.cnblogs.com/qcloud1001/p/9039227.html

Inadvertently or intentionally: an in-depth analysis of TCP reflection DDoS attack techniques 2.0


Copyright notice
This article was created by [Tencent Security Emergency Response Center]. Please include the original link when reposting. Thank you.
https://yzsam.com/2021/04/20210407225626264i.html