What are the symmetric and asymmetric connection schemes for DDoS protection? What are the advantages and disadvantages of each? Which one is the better fit for your project? The answers are under the cut.
Along the way we will talk about symmetry in telecommunication networks in general: how asymmetric the Internet is, where that asymmetry comes from, and whether it is a good or a bad thing. As a bonus, a quick fix for the two most common problems that arise when connecting network protection. And after reading you will definitely understand what I was trying to depict in the cover image (KDPV).

What is symmetry?
Everyone understands what "symmetrical" means at the level of intuition, but not everyone can immediately put it into words. Let's try. Calling something symmetrical means that it does not change under certain transformations, the symmetry transformations. The most obvious example is geometric symmetry.

Terminology (from the RFC):
- Forward direction
- Reverse direction
- Upstream link (as opposed to downstream links)
Hot-potato routing.
"Observing routing asymmetry in Internet traffic" (measurements at Tier-2 and Tier-1 operators). A flow (Flow) is identified by source IP, destination IP and an ID field.
- flows: (ratio of flow counts) * 100
- packets: (1 - |Nab - Nba| / |Nab + Nba|) * 100%, where Nab and Nba are the packet counts in the two directions.
- bytes: (1 - |Nab - Nba| / |Nab + Nba|) * 100%, where Nab and Nba are the byte counts in the two directions.
"How Asymmetric Is the Internet?" (a study of path asymmetry at the IP level).
- 4000 RIPE Atlas probes.
- Traceroute measurements.

- 12.6% (5 to 10%).

[Figure: y axis, path A --> ... --> ; x axis.]
, ?
. DDoS.
DDoS- , , , : . - , , . , β , .

, . . ? .
, .
: , , , ?
:β¦
: ?
:β¦
: !
: ...
- . , , , " " .
: , , , ?
: . . .
: ?
: , , .
: !
: .
, , , , . DDoS-.
SYN flood
A TCP connection is set up with a 3-way handshake:
- The client sends a SYN with its initial sequence number A.
- The server replies with a SYN-ACK: acknowledgement A+1 and its own sequence number B.
- The client sends an ACK with acknowledgement B+1, and the TCP connection is established.
A SYN flood is a DDoS attack on this handshake: the attacker sends SYN packets with spoofed source IP addresses. The server answers each with a SYN-ACK and waits for ACKs that never arrive... and the half-open TCP connections pile up.

What can be done? Two common countermeasures are SYN cookie and SYN proxy.
SYN cookie: instead of keeping state for every SYN, the server derives the sequence number B from fields of the SYN (source IP, TCP port and so on) and sends it in the SYN-ACK, so the TCP sequence number itself carries the cookie. When the third packet of the handshake arrives, its acknowledgement B+1 lets the server check the ACK against the cookie, and only then is the connection allocated.
SYN proxy builds on the same idea: a protection device completes the handshake on the server's behalf, and only connections whose ACK matched the SYN cookie are passed on to the server.

- BGP peering.
- TCP RTT (Round Trip Time).
DDoS-GUARD.
BONUS
uRPF in strict and loose mode. uRPF (Unicast Reverse Path Forwarding) is a check on a packet's source IP.
uRPF looks the source IP up in the routing table. In strict mode a packet passes only if the route to its source IP points back out the interface the packet arrived on, so spoofed source IPs are dropped. In loose mode it is enough that some route to the source IP exists at all.
GRE / IPIP tunnels
MTU. Definitions:
- Maximal Transmission Unit (MTU) is the largest Protocol Data Unit (PDU) a link can carry.
- A PDU is headers + payload.
- Maximal Segment Size (MSS) is the largest TCP payload.
Encapsulation places a whole PDU as the payload of another PDU, so the effective MTU for the inner packet shrinks, and with it the payload.
Example: tunnel MTU 1476, MSS 1436 (or 1400) (Don't Fragment).
The fix is to set the MSS explicitly. Setting the MSS on: Juniper, Cisco, Mikrotik.
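An added example, not code from the original article: it carries out the MTU/MSS arithmetic above for GRE and IPIP tunnels and applies it the way a router's MSS clamping does, by rewriting the MSS option of a constructed TCP SYN. The 24-byte GRE and 20-byte IPIP overheads are assumptions for plain IPv4 encapsulation without GRE key or checksum fields.

```python
# Added example, not code from the original article: MTU/MSS arithmetic for
# GRE/IPIP tunnels plus MSS clamping on the TCP options of a SYN.
import struct

IPV4_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20    # TCP header without options
# Assumed encapsulation overhead for plain IPv4 tunnels (outer IPv4 + GRE header).
TUNNEL_OVERHEAD = {"gre": 24, "ipip": 20}

def tunnel_mtu(outer_mtu: int, kind: str) -> int:
    """MTU available to packets entering the tunnel (e.g. 1500 -> 1476 for GRE)."""
    return outer_mtu - TUNNEL_OVERHEAD[kind]

def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits one IPv4 packet of size mtu (1476 -> 1436)."""
    return mtu - IPV4_HEADER - TCP_HEADER

def clamp_mss_option(options: bytes, max_mss: int):
    """Walk TCP options (kind[,len,data]) and lower an MSS option (kind 2)
    that is above max_mss. Returns (rewritten options, MSS seen or None).
    A malformed option length stops the walk instead of reading out of bounds."""
    out = bytearray(options)
    seen = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(out):
            break
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            break                # malformed: length too small or past the buffer
        if kind == 2 and length == 4:
            seen = struct.unpack_from("!H", out, i + 2)[0]
            if seen > max_mss:
                struct.pack_into("!H", out, i + 2, max_mss)
        i += length
    return bytes(out), seen

# Constructed SYN options: MSS 1460, SACK-permitted, timestamps, NOP, wscale 7.
SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8)
               + b"\x01" + b"\x03\x03\x07")

if __name__ == "__main__":
    mss = mss_for_mtu(tunnel_mtu(1500, "gre"))
    new_opts, old_mss = clamp_mss_option(SYN_OPTIONS, mss)
    print(f"GRE MSS {mss}, SYN carried {old_mss}, rewritten {new_opts[:4].hex()}")
```

A real clamp on a router also recomputes the TCP checksum after the rewrite; only the option handling is shown here.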