Jump toUpdate content

Preventing outgoing DDoS

Important:

The explanations given below are known best-practices. They do not guarantee that your resources will not be locked if we detect that they are part of a DDoS attack.

DoS Overview

Denial of Service (DoS) attack is an attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading its resources.

A Distributed Denial of Service (DDoS) attack (PDF, 263.3KB) is a DoS attack that is performed at the same time by a multitude of compromised systems.

The goal of a DoS is not to gain unauthorized access to machines or data but to prevent legitimate users of a service from using it.

You are responsible for your resources. If a resource you control takes part in a DDoS you will be considered responsible for attacking the target of this DDoS.

Scaleway will lock any resources (e.g. Instances, Kubernetes clusters, Elastic Metal servers) that are identified as a contributor to a DDoS. This lock can be done without prior notice to protect our network and the target network; this is written in our Terms and Conditions (Scaleway, Online).

Preventing Memcache from being used in a DDoS attack

Memcached is a free & open-source, high-performance, distributed memory object caching system. It is used as a key-value store in memory.

Memcached can be used in DDoS because of its large amplification factor.

Recommendations

To configure securely your memcache, proceed as follows:

Ensure that in your /etc/memcached.conf you have both settings defined:

# Disable UDP listening
-U 0`
# Listen only on localhost
-l 127.0.0.1

Preventing NTP to be used in a DDoS attack

Network time protocol (NTP) servers are regularly being used to reflect and amplify spoofed UDP packets towards the target of a DDoS attack.

NTP servers where the monlist command can be run by any unauthorized users are particularly troublesome. These commands provide a huge amplification effect to the attacker.

Recommendations

To configure securely your NTP server, proceed as follows:

  • If you need to have an NTP server running, upgrade your NTP server as much as possible.
  • Use a secure configuration as much as possible
  • Avoid having an NTP server open on the Internet. Try to restrict access to localhost only.
  • If you need to have an NTP server open, be sure to specify which range of IP can access your NTP server.

Preventing DNS from being used in a DDoS attack

Domain Name System (DNS) is a commonly used protocol to perform DDoS attacks because of its UDP-based protocol and lack of security features by default. DNS amplification attacks almost always take advantage of open resolvers. An open resolver is a DNS server that answers queries for a domain name without restrictions: anybody on the Internet can query it and it will answer. This makes it particularly troublesome as a spoofed IP address that will generate a reflection attack.

In addition to that, a DNS reply is usually larger than its corresponding query. Therefore, DNS can be used to have an amplification effect.

Recommendations

To configure securely your DNS server, proceed as follows:

  • Do not run an open DNS resolver on the Internet. Restrict your DNS server to answer only requests coming from your IP range.
  • Do not enable recursion on your DNS server
  • If you need recursion, limit the authorized range of IPs that can perform those requests.
  • Enable RateLimiting of queries and answers from your authoritative DNS
  • Set ACL on your remote control if used and limit it to localhost if possible

Preventing HTTP(s) proxy from being used in a DDoS attack

HTTP(s) proxies are software that will perform an HTTP(s) request in place of a client and forward the response to the client. This can be used in the case of a DDoS attack to perform amplification (a small request can generate a large answer) and reflection (IP address can be spoofed).

Recommendations

To configure securely your HTTP proxy, proceed as follows:

  • Do not run HTTP proxies that are open on the Internet.
  • Limit as much as possible the range of IP of machines that can connect to your HTTP(s) proxy.

External References