TDC DoS Protection

TDC DoS Protection removes DDoS attacks centrally in the backbone of TDC's network, before they reach the customer's internet connection.

The product consists of three parts:

  • Monitoring for DDoS attacks

  • Mitigation of DDoS attacks

  • Reporting

With TDC DoS Protection, TDC Erhverv monitors the customer's internet connection around the clock for DDoS attacks. If an attack occurs, an alarm is triggered and sent to TDC Erhverv's 24/7 Security Operations Center (SOC). The SOC contacts the customer to agree on whether the attack should be mitigated. If so, all traffic to the attacked IP address is redirected through scrubber appliances located centrally in the backbone of TDC's network. The scrubbers remove the unwanted traffic and forward the legitimate traffic.

The customer can also contact the SOC directly to start mitigation of a DDoS attack.

A monthly report is sent to the customer with information about the traffic to the protected servers and an overview of the alarms that were triggered. When an attack has been mitigated, a report is prepared describing the attack and how it was mitigated.

As an alternative to the manual procedure during an attack, the customer can opt for automatic mitigation. An attack is then mitigated automatically using pre-agreed techniques and with a fast reaction time.

TDC DoS Protection Always On

The TDC DoS Protection solution can be supplemented with an on-premises appliance, TDC DoS Protection Always On, which is installed in the customer's network and acts as the "first line of defence" against DDoS attacks.

The appliance has the following advantages:

  • It is "always on" and sees all traffic on the customer's line

  • High traffic visibility gives better options for mitigating application-layer attacks

  • Fast reaction time during an attack

The appliance can automatically mitigate the various types of DDoS attacks, except for the large so-called "flooding attacks", because of where the appliance is physically located. If the customer is hit by a large flooding attack, the appliance therefore automatically signals ("calls for help") to the central solution in the backbone of TDC's network (TDC DoS Protection) to get immediate help mitigating the attack. The central solution then automatically takes over the mitigation of the attack.

The most common DDoS attacks

A known and extensively used method for causing overloading is based upon the three-way handshake (SYN, SYN-ACK, ACK packet sequence) process during a TCP connection setup. The attacker sends a SYN packet and the victim replies with a SYN-ACK packet. The victim then expects an ACK packet, which never comes.

After some time the half-open connection times out, but until then the resources at the victim are occupied. If the victim receives many simultaneous connection attempts of this kind, from e.g. a botnet, all resources at the victim will be used up, and legitimate attempts to establish a TCP connection will be rejected. This type of DDoS attack goes by the name of TCP SYN flood, and even today it is widely used due to its simplicity.

An ICMP flood attack is a flooding attack where a botnet is typically sending so many ICMP Echo Request (ping) packets to the victim that the victim’s internet connection is overwhelmed and legitimate traffic cannot get through. An ICMP flood attack may also overload the server receiving the ICMP packets, as it uses resources to handle the packets.

A UDP flood attack is a flooding attack where a botnet is typically sending so many UDP packets to the victim that the victim's internet connection is overwhelmed and legitimate traffic cannot get through. A UDP flood attack may also overload the server receiving the UDP packets, as it uses resources to handle the packets.

In a reflection amplification attack (also just called an amplification attack) a botnet sends attack traffic via open internet servers (ports) to amplify the attack. For example, open servers supporting the following UDP based protocols are used:

  • DNS

  • NTP

  • SNMP

  • SSDP

  • CharGen

A DNS amplification attack works, for example, in such a way that several bot machines are configured to make DNS requests with a false sender IP address directed at open DNS servers. The DNS servers will, as DNS servers always do, return the replies to the sender address. As the sender address of the requests is spoofed to be the address of the server that the attacker wants to overwhelm, the many DNS replies are sent to this server.

In other words, the open DNS servers are used as reflectors (relay machines) for the attack, but also as amplifiers, as a DNS reply typically takes up much more space than a DNS request.
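The four attack types described above (TCP SYN flood, ICMP flood, UDP flood, and reflection amplification via open DNS/NTP/SNMP/SSDP/CharGen servers) each leave a characteristic footprint in flow records seen on the way to the protected address. The following is an added example, not TDC's code and not part of this page: a small flow-based indicator check in Python that scores a constructed one-minute set of NetFlow-style records toward a protected address. The `Flow` record layout, the thresholds in `detect`, and the sample traffic built by `build_sample` are all assumptions made for illustration; a real monitoring setup tunes the thresholds against the baseline of the customer's link.

```python
"""Flow-based indicators for the DDoS types described above.

Added example, not TDC's code. Thresholds and sample flows are constructed
for illustration; a real deployment tunes them against the link's baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# UDP services commonly abused as reflectors (the page's list), keyed by source port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 19: "CharGen"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record toward the protected address (assumed layout)."""
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str    # cumulative TCP flag letters seen from src (S, A, P, F, R); "" if not TCP
    packets: int
    bytes: int


def syn_flood_score(flows: List[Flow], dst: str) -> Tuple[int, int, int]:
    """(half-open flows, completed flows, distinct half-open sources) for TCP to dst.

    A flow whose only flag ever seen is SYN is a handshake the client never finished:
    the third packet (ACK) of the three-way handshake did not arrive.
    """
    half_open = [f for f in flows if f.proto == "tcp" and f.dst == dst and f.flags == "S"]
    completed = [f for f in flows if f.proto == "tcp" and f.dst == dst and "A" in f.flags]
    return len(half_open), len(completed), len({f.src for f in half_open})


def volume_score(flows: List[Flow], dst: str, proto: str, window_s: int) -> Tuple[float, int]:
    """(packets per second, distinct sources) for one protocol toward dst in the window."""
    fl = [f for f in flows if f.proto == proto and f.dst == dst]
    return sum(f.packets for f in fl) / window_s, len({f.src for f in fl})


def reflection_score(flows: List[Flow], dst: str) -> Dict[str, Tuple[int, float]]:
    """Per reflector service: (distinct sources, average bytes per packet) of UDP traffic
    arriving at dst *from* a well-known service port, i.e. replies to requests dst never sent."""
    by_port: Dict[int, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.dst == dst and f.sport in REFLECTOR_PORTS:
            by_port[f.sport].append(f)
    out: Dict[str, Tuple[int, float]] = {}
    for port, fl in by_port.items():
        pkts = sum(f.packets for f in fl)
        out[REFLECTOR_PORTS[port]] = (len({f.src for f in fl}), sum(f.bytes for f in fl) / pkts)
    return out


def detect(flows: List[Flow], dst: str, window_s: int = 60) -> List[str]:
    """Return the names of the indicators that fire for dst. Thresholds are assumed values."""
    hits = []
    half_open, completed, srcs = syn_flood_score(flows, dst)
    # Many half-open handshakes from many sources, dwarfing the completed ones.
    if half_open >= 100 and half_open > 10 * max(completed, 1) and srcs >= 50:
        hits.append("TCP SYN flood")
    # Raw packet-rate floods: high packets/second from a broad set of sources.
    for proto, name in (("icmp", "ICMP flood"), ("udp", "UDP flood")):
        pps, n_src = volume_score(flows, dst, proto, window_s)
        if pps >= 1000 and n_src >= 50:
            hits.append(name)
    # Reflection: large replies from many servers' service ports to a host that asked nothing.
    for service, (n_src, avg_bytes) in reflection_score(flows, dst).items():
        if n_src >= 20 and avg_bytes >= 1000:
            hits.append(f"{service} reflection amplification")
    return hits


def build_sample() -> List[Flow]:
    """Constructed one-minute sample toward 198.51.100.10 (documentation address ranges)."""
    victim = "198.51.100.10"
    flows = []
    # Legitimate HTTPS clients: the handshake completes and data follows (flags S, A, P).
    for i in range(1, 4):
        flows.append(Flow(f"198.51.100.{100 + i}", victim, "tcp", 40000 + i, 443, "SAP", 40, 12000))
    # SYN flood: 200 spoofed sources, one SYN each, no ACK ever seen.
    for i in range(1, 201):
        flows.append(Flow(f"203.0.113.{i % 254 + 1}", victim, "tcp", 1024 + i, 443, "S", 1, 60))
    # ICMP flood: 100 sources sending echo requests, 1000 packets each in the window.
    for i in range(1, 101):
        flows.append(Flow(f"192.0.2.{i}", victim, "icmp", 0, 0, "", 1000, 84000))
    # DNS reflection: 60 open resolvers answering from port 53 with large replies.
    for i in range(1, 61):
        flows.append(Flow(f"203.0.113.{i}", victim, "udp", 53, 30000 + i, "", 20, 60000))
    return flows


if __name__ == "__main__":
    print(detect(build_sample(), "198.51.100.10"))
```

Running the block prints the three indicators that fire on the sample (`TCP SYN flood`, `ICMP flood`, `DNS reflection amplification`); the 60 DNS reply flows stay well under the plain UDP flood threshold, which is why the reflection check keys on source port and reply size rather than on packet rate alone. The same scoring functions are what an automatic-mitigation policy of the kind the page mentions would consult before deciding to redirect traffic through scrubbing.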