[LINUX] About AntiDDoS Premium and Special Features TOA

1.First of all

Games that communicate with the server are always exposed to attacks from the network. The most troublesome of these is the DDoS attack. In this article, by contracting with Alibaba Cloud,

-Introduction of AntiDDoS Premium that can protect systems running other than Alibaba Cloud, --About the special function TOA of AntiDDoS Premium

to introduce.

2. What is a DDoS attack?

A DDoS attack is an attack that interferes with a specific service by exposing it to a large amount of communication using a large amount of IT equipment around the world. The communication used for the attack is

――Use something that the telegram itself induces a malfunction of the service, --Usually harmless communication or invalid communication is exposed to the service line for hundreds of Gbps to saturate the line and force the service to stop.

there is.

Since the attacked side continues to be exposed to a large amount of communication that does not know which IP address it comes from, it cannot be properly protected by using the IP address, and the line equipment (line equipment) with too many invalid packets. Since the firewall, router, etc.) will be overloaded, the original service cannot be provided at all.


3. Alibaba Cloud's DDoS attack protection service

There are several DDoS attack protection services available on Alibaba Cloud. I will put this on the table.

Service name Overview
Anti DDoS Basic A service that DDoS protects systems on Alibaba Cloud.
Anti DDoS Premium A service that can protect systems installed outside Alibaba Cloud by DDoS
Anti DDoS Pro DDoS protection service that can be used for those who have servers in China
Game Shield It can defend against various attacks specialized for game applications. DDoS protection is also included. (However, it must be linked with the application)

This time, I would like to introduce Anti DDoS Premium.

4. How do you use Anti DDoS Premium?

Anti DDoS Premium is a service that can protect against DDoS attacks on systems running outside Alibaba Cloud. Like other cloud services, it is not a narrow service that only the cloud system that provides the service can protect from DDoS attacks. You can be confident about DDoS protection because you can fully protect the external system.

Let's draw a diagram of how to enter Anti DDoS Premium as seen from the protected system side. adv-ddos-02.png

As shown in the figure, the system to be protected is protected by entering as a Proxy server in front of the system.

In addition, the IP address of the client is saved as shown in the table below. Of course, WebSocket is also supported for HTTP / HTTPS. Unfortunately, there is currently no way for UDP to know the client's IP address as it is. The only way to know the client's IP address in UDP is to have the client application act like including the client's IP address in the UDP message.

protocol Type(※1) Where is the client's IP address stored?
HTTP/WebSocket(※2) Website X-Forwarded-For header
HTTPS(TLS1.2nd grade)/HTTP/2/WebSockets(※2) Website X-Forwaded-For header
Any TCP Non-Website Stored in the TCP Option field. You can restore a specific Linux Kernel with the TOA feature enabled.
Any UDP(※2) Non-Website Currently not recorded. (If you want to know, you need to embed the IP address information in the UDP message in the client application)

For HTTP / HTTPS only, Anti DDoS Premium records the client's IP address in the X-Forwarded-For header. For arbitrary TCP communication, the IP address of the client can be known on the server side by using TOA, which is a special function of Anti DDoS Premium, which will be described later. Unfortunately for UDP, there is no way to know the IP address of the client.

5. Use Anti DDoS Premium

Let's use it now. Step1. First, select the Anti DDoS Premium menu and perform the purchase operation. It's easy to buy because you just push a button! adv-ddos-03.png

Step2. Next, set the HTTP / HTTPS communication you want to protect. If there is HTTP / HTTPS communication that should be protected from DDoS, set it here. To set it, follow the procedure shown in the figure. adv-ddos-04.png   Step3. Next, set the communication that is not HTTP / HTTPS that you want to protect. To set it, follow the procedure shown in the figure. adv-ddos-05.png

Now your system is DDoS protected in no time.

5.1. When there are many communication settings

As you can see by actually setting the communication, it is difficult to set each communication you want to protect. Here, you can get the XML file of the settings, process it with your favorite editor, and specify it at once. I will introduce it in the figure. It's that easy! adv-ddos-07.png

6. About special function TOA

Even if you read the manual of Anti DDoS Premium on Alibaba Cloud, TOA is a function that is actually usable but not described. Here, we will describe TOA.

TOA is an abbreviation for TCP Option Address. The Option field of the TCP packet contains a special ID and the IP address of the client, which is restored by the toa module of the special Linux kernel and returned as a result of the system call. In fact, this function is available by default for TCP communication specified on the Non-Website of Anti DDoS Premium.

The advantages and disadvantages of this function are as follows.

  1. With a normal Socket program, the IP address of the client can be obtained by the normal procedure. You don't have to worry about having Anti DDoS Premium in between.

  2. Since iptables is processed before toa processing, it is processed by the source IP address of the TCP header. Therefore, it is not affected by the client IP address specified as TOA.

  1. Currently, a special Linux kernel is required, so it cannot be used in an environment (some cloud services) that cannot be booted with a special kernel.
  2. When a packet that abuses TOA is sent directly to the server, the program on the server side gets a spoofed client IP address.

6.1. Environment required to use TOA

To use TOA, the current system must be running in the following environment.

--The server must run the RHEL / Centos 6 series 64-bit x86 kernel. --The environment must be able to install and boot the non-standard OS kernel.

(There is no problem if the system you want to protect against DDoS is an on-premises environment!)

6.2. How to use TOA

Basically, follow the manual written on the Anti DDoS Pro side. You can also download the RPM from the kernel listed in this manual.

How can origins outside Alibaba Cloud get clients’ real IP addresses? https://www.alibabacloud.com/help/doc-detail/52477.htm

Step1. Get the following kernel package

$ wget http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/52477/cn_zh/1491917761209/kernel-2.6.32-220.23.2.ali_github.el6.x86_64.rpm

Step2. Installed with the rpm command.

$ sudo rpm -ivh kernel-2.6.32-220.23.2.ali_github.el6.x86_64.rpm

Step3. Reboot as it is

$ sudo reboot

Step4. Confirm uname

$ uname –r

Confirm that it comes out

Step5. Enable TOA

$ sudo modprobe toa 

Note: If you want to disable TOA

$ sudo modprobe -r toa

You can disable it with.

6.3. TOA results

The figure below shows the difference between the results of the nc command when TOA is disabled and when it is enabled. Mysteriously, when TOA is enabled, you can see that the nc command has obtained the IP address of the client.


6.4. What kind of communication is TOA?

The actual TOA communication is shown in the figure. The communication itself is normal TCP communication, but the TOA information is hidden in the TCP Option field.


Let's actually use the tcpdump command to see it.


The TOA value is the part surrounded by red and the part surrounded by blue in the above figure. This is explained below.



6.5. Structure of kernel and toa module

The structure of the kernel and toa module is illustrated below. You can see that the packet information is rewritten based on the information contained in TOA before it is passed to the system call.


6.6. Description of / proc / net / toa_status

Kernels with TOA enabled will now see statistics in / proc / net / toa_status. The content and meaning are shown in the figure.


I'm not afraid to have trouble with TOA! : laughing:

7. Summary

If you remember this much, DDoS is not scary!

-Alibi Cloud's Anti-DDoS Premium is easy to use and stubbornly protects infrastructure other than Alibaba Cloud from DDoS. It's easy because you can set it up immediately! -Alibi Cloud's Anti-DDoS Premium Non-Website is convenient because you can use the IP address of the client side as it is with the socket api by using the TOA function!

that's all.

Recommended Posts

About AntiDDoS Premium and Special Features TOA
About _ and __
About Class and Instance
About cumprod and cummax
About cross-validation and F-number