
How To Stop Malicious Traffic In An Asymmetrical Traffic Flow Environment

Jan 9th 2020

To protect a whole network or data center from DDoS attacks, you first have to understand that the malicious traffic will, in most cases, traverse your defenses in only one direction. The routing that produces this is referred to as asymmetric traffic.

Asymmetrical traffic, specifically on the Internet, is when the routing path from host A to host B differs from the path from host B to host A. While this may seem like a detriment, it poses no problem by itself, as evidenced by the fact that the majority of Internet traffic is asymmetrical.

Symmetry does, however, become a factor when talking about Internet security. Many firewalls, IDS/IPS, and other session-based security devices need to see both directions of a flow and therefore require a symmetrical path. As a result, these security measures are often deployed as close as possible to the host they are meant to protect.

For DOSarrest, this asymmetry is not a major issue. With our flagship product, the Web Proxy defence for websites, routing can be asymmetrical on either leg: from the visitor to the proxy, or from the proxy to the customer origin(s). For our DDoS protection for infrastructure service platform, symmetrical routing is also not required, for the most part. The DCD network is able to identify anomalous traffic on the ingress exclusively and does not need to see the return traffic from the customers' origin servers.

What is difficult to mitigate under asymmetrical routing is the family of TCP protocol attacks (e.g. TCP SYN, TCP SYN+ACK, ACK and PUSH+ACK floods, fragmented ACK floods, etc.), especially when the source address and/or source port is spoofed. The most common and effective methods of dealing with TCP protocol attacks depend on knowing the TCP state, that is, the phase of the connection lifecycle that a transmission between two hosts is in. The types of TCP states are as follows:

Example image of a Spoofed TCP Attack:

To know the state of a TCP connection, the mitigation strategy needs to see traffic in both directions. A good example of a mitigation strategy for TCP protocol attacks is a SYN proxy. A SYN proxy is essentially what the name indicates: a proxy between a client and a server that intercepts traffic in both directions, verifies that valid state transitions occur during the initial connection and, once the handshake is verified, stops acting as an endpoint (it no longer terminates the connection, although it must keep translating sequence numbers between the two half-connections it stitched together, because the initial sequence number it chose differs from the one the real server chose). A breakdown of the SYN proxy function can be seen here:

  • When a SYN proxy is used, clients are transparently connected to the SYN proxy first. The 3-way TCP handshake happens between the client and the SYN proxy:
  • The client sends a TCP SYN to the server.
  • The SYN first arrives at the SYN proxy, which sits in front of the targeted server. When this packet arrives it is marked as UNTRACKED by the SYN proxy; no connection state is allocated for it.
  • The SYN proxy responds, as the server, with TCP SYN+ACK. The connection is still labelled UNTRACKED.
  • The client responds with TCP ACK.
  • Upon receiving that ACK (which proves the client really owns the source address, since a spoofed source would never have seen the SYN+ACK), the SYN proxy initiates a 3-way TCP handshake with the real server, spoofing the source of its SYN so that the real server sees the original client attempting to connect:
  • The real server responds with SYN+ACK addressed to the client; because the proxy is in the path, it intercepts this packet.
  • The SYN proxy responds back to the server with ACK. The connection is now marked as ESTABLISHED by the SYN proxy.
  • Once the connection has been established, the SYN proxy leaves the traffic flow between the client and the server.

This strategy, while highly effective, requires the proxy to inspect traffic from the server as well as from the client, which makes a symmetrical traffic flow a must.
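The exchange described above, as an added example that is not part of the original post and is neither DOSarrest's code nor the Linux SYNPROXY implementation: a simplified SYN proxy in Python that answers every SYN with a SYN-cookie initial sequence number instead of allocating state, opens the connection to the origin only after the client's ACK proves it really received the SYN+ACK, and then records the connection as ESTABLISHED. The addresses, the port, the cookie secret, the time-slot value and the spoofed flood are all constructed for the demonstration. The from_server method is where the symmetry requirement bites: the origin's SYN+ACK is addressed to the client and only reaches the proxy if the return path crosses it.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
SECRET = b"constructed-demo-key"   # a real proxy rotates this on a short timer


@dataclass(frozen=True)
class Pkt:
    """The TCP header fields the proxy actually looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN+ACK" or "ACK"
    seq: int
    ack: int = 0


def syn_cookie(src, sport, dst, dport, client_isn, slot):
    """Stateless SYN cookie: a keyed hash of the 4-tuple, the client's ISN and a
    coarse time slot, truncated to a 32-bit sequence number. Nothing is stored,
    so a flood of SYNs costs the proxy no memory."""
    msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}:{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    def __init__(self, server, slot):
        self.server = server
        self.slot = slot            # cookies from the previous slot are still accepted
        self.state = {}             # (client, port) -> "SYN_TO_SERVER" | "ESTABLISHED"
        self.to_client, self.to_server = [], []

    def from_client(self, p):
        key = (p.src, p.sport)
        if p.flags == "SYN":
            # Answer on the server's behalf with the cookie as ISN; keep no state.
            cookie = syn_cookie(p.src, p.sport, p.dst, p.dport, p.seq, self.slot)
            self.to_client.append(Pkt(p.dst, p.dport, p.src, p.sport, "SYN+ACK",
                                      cookie, (p.seq + 1) & MASK32))
            return "UNTRACKED"
        if p.flags == "ACK" and key not in self.state:
            # The ACK must acknowledge cookie+1. Only a host that really received
            # our SYN+ACK can produce it, so a spoofed source never gets past here.
            client_isn = (p.seq - 1) & MASK32
            if not any((p.ack - 1) & MASK32 ==
                       syn_cookie(p.src, p.sport, p.dst, p.dport, client_isn, s)
                       for s in (self.slot, self.slot - 1)):
                return "DROPPED"
            # Proven client: open the real connection with the client's own
            # address as source, so the server sees the client connecting.
            self.state[key] = "SYN_TO_SERVER"
            self.to_server.append(Pkt(p.src, p.sport, self.server, p.dport, "SYN", client_isn))
            return "SYN_TO_SERVER"
        return self.state.get(key, "DROPPED")   # stray SYN+ACK/ACK floods match no state

    def from_server(self, p):
        """The server's SYN+ACK is addressed to the client, so it is only seen
        here if the return path runs through the proxy (symmetric routing)."""
        key = (p.dst, p.dport)
        if p.flags == "SYN+ACK" and self.state.get(key) == "SYN_TO_SERVER":
            self.to_server.append(Pkt(p.dst, p.dport, p.src, p.sport, "ACK",
                                      p.ack, (p.seq + 1) & MASK32))
            # From here on the proxy only rewrites the offset between the cookie
            # and the real server ISN; it no longer terminates the flow.
            self.state[key] = "ESTABLISHED"
            return "ESTABLISHED"
        return "DROPPED"


def run_demo(n_spoofed=10000, seed=1):
    rng = random.Random(seed)
    server = "10.0.0.5"
    proxy = SynProxy(server, slot=42)
    # Constructed spoofed SYN flood: random sources that never see the SYN+ACK.
    for _ in range(n_spoofed):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        proxy.from_client(Pkt(src, rng.randrange(1024, 65536), server, 80, "SYN",
                              rng.getrandbits(32)))
    after_flood = (len(proxy.state), len(proxy.to_server))
    # A spoofed SYN+ACK flood matches no state either.
    synack_flood = proxy.from_client(Pkt("203.0.113.9", 5555, server, 80, "SYN+ACK", 1, 1))
    # Legitimate client walks the handshake; the proxy's SYN+ACK is the last one queued.
    c, isn = ("198.51.100.7", 40000), 123456
    proxy.from_client(Pkt(*c, server, 80, "SYN", isn))
    synack = proxy.to_client[-1]
    forged = proxy.from_client(Pkt(*c, server, 80, "ACK", isn + 1, 7))   # wrong cookie
    valid = proxy.from_client(Pkt(*c, server, 80, "ACK", isn + 1, (synack.seq + 1) & MASK32))
    syn_seen_by_server = proxy.to_server[-1]
    established = proxy.from_server(Pkt(server, 80, *c, "SYN+ACK", 987654,
                                        (syn_seen_by_server.seq + 1) & MASK32))
    return {"state_after_flood": after_flood[0], "server_syns_after_flood": after_flood[1],
            "synack_backscatter": len(proxy.to_client), "synack_flood": synack_flood,
            "forged_ack": forged, "valid_ack": valid, "server_saw_src": syn_seen_by_server.src,
            "final": established, "packets_to_server": len(proxy.to_server)}
```

Running run_demo() shows the property that makes the design work: ten thousand spoofed SYNs leave no state and never reach the origin (the proxy only emits SYN+ACK backscatter towards the forged addresses), while the one client that can answer the cookie is forwarded with its own source address and ends up ESTABLISHED. Remove the return path through from_server and the legitimate connection can never get past SYN_TO_SERVER, which is the asymmetric-routing problem in miniature.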

Because of this, you will see this type of strategy deployed right in front of the host that needs protection, or on the host itself (e.g. the SYNPROXY target in iptables). That placement also means the SYN proxy sits at the point where all of the attack traffic aggregates, so it is quite easy to saturate and overwhelm it with simple volumetric attacks (e.g. UDP floods) that it plays no part in handling. To avoid this aggregation problem, some vendors, Radware, Palo Alto and Fortinet to name a few, allow you to operate their security devices in an asymmetric mode so that the appliance can be moved closer to the edge of your network. However, configuring these appliances in asymmetric mode effectively neuters their ability to deal with TCP protocol attacks: they simply pass SYN, ACK or SYN+ACK packets through and try to profile them on a per-source-address basis, which is easily defeated by even a small botnet using spoofed source addresses, since every packet can carry a fresh source and no single address ever crosses a threshold.

To deal with a spoofed source address/port TCP protocol attack, one needs to employ a layered approach. A SYN proxy is still highly effective once the volumetric aspects of the attack have been dealt with. Working with a cloud provider like DOSarrest, which has a much larger absorption network and can identify and mitigate attacks based on combinations of source/destination ports, IP protocols, TTL, packet lengths and payload patterns (none of which a spoofed source address changes), removes the majority, if not all, of the DDoS traffic upstream and ensures that your firewall or iptables SYN proxy is never overwhelmed by the remaining TCP SYN attack packets. Working with DOSarrest also lets you employ other strategies that may be better suited to your environment, such as TCP SYN cookies or a TCP SYN cache.
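The difference between the per-source profiling that an appliance in asymmetric mode falls back to and mitigation keyed on the packet fields listed above, as an added illustration that is not DOSarrest's code and says nothing about how the DCD network actually classifies traffic. The traffic mix, the thresholds and the field values are constructed for the example, and the filter is deliberately a bare frequency signature: a constant TTL/length/flags combination from a single flood tool stands out even though every packet carries a different source. A real deployment combines several such signals with rate thresholds, because a lone signature like this one can also match a legitimate client that happens to share it.

```python
import random
from collections import Counter

# Fields an ingress-only filter can inspect without ever seeing the return path.
FIELDS = ("proto", "dport", "flags", "ttl", "length")


def rand_ip(rng):
    return ".".join(str(rng.randrange(1, 255)) for _ in range(4))


def build_sample(rng, n_legit=300, n_flood=3000):
    """Constructed traffic mix. Legitimate SYNs come from real hosts behind a
    spread of operating systems and path lengths, so TTL and packet size vary.
    The spoofed flood carries a fresh random source on every packet, but one
    tool on one host built them all, so TTL, size and flags are identical.
    The 'legit' key is bookkeeping for scoring only; the filters never read it."""
    legit = [{"src": rand_ip(rng), "proto": "tcp", "dport": 443, "flags": "SYN",
              "ttl": rng.choice([48, 53, 57, 110, 116, 120]),
              "length": rng.choice([52, 60, 64, 68]), "legit": True}
             for _ in range(n_legit)]
    flood = [{"src": rand_ip(rng), "proto": "tcp", "dport": 443, "flags": "SYN",
              "ttl": 249, "length": 40, "legit": False} for _ in range(n_flood)]
    pkts = legit + flood
    rng.shuffle(pkts)
    return pkts


def per_source_profile(pkts, max_syn_per_source=20):
    """What an appliance in asymmetric mode is reduced to: counting SYNs per
    source address. A spoofed flood shows each address about once, so no
    source ever crosses the threshold and nothing is blocked."""
    counts = Counter(p["src"] for p in pkts if p["flags"] == "SYN")
    return {src for src, n in counts.items() if n > max_syn_per_source}


def signature(p):
    return tuple(p[f] for f in FIELDS)


def fingerprint_profile(pkts, max_share=0.25, min_count=100):
    """Stateless signature on the combination of protocol, destination port,
    flags, TTL and length. One bucket holding more than max_share of all
    ingress packets (and at least min_count of them) is treated as flood
    traffic. Spoofing the source address changes none of these fields."""
    counts = Counter(map(signature, pkts))
    total = len(pkts)
    blocked = {s for s, n in counts.items() if n >= min_count and n / total > max_share}
    return blocked, [p for p in pkts if signature(p) not in blocked]


def run_demo(seed=7):
    rng = random.Random(seed)
    pkts = build_sample(rng)
    flagged_sources = per_source_profile(pkts)
    blocked, passed = fingerprint_profile(pkts)
    return {
        "total": len(pkts),
        "sources_flagged": len(flagged_sources),     # the per-source view sees nothing
        "signatures_blocked": sorted(blocked),
        "legit_passed": sum(p["legit"] for p in passed),
        "flood_passed": sum(not p["legit"] for p in passed),
    }
```

With the constructed mix, per_source_profile flags no source at all while fingerprint_profile drops exactly one bucket, the (tcp, 443, SYN, 249, 40) signature, and passes every legitimate packet. Swap the flood's fixed TTL for a per-packet random one and the signature stops working, which is why real mitigation layers several field combinations rather than trusting any single one.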


Jag Bains
CTO, DOSarrest Internet Security

