Preventing outgoing DDoS
The explanations given below are known best-practices. They do not guarantee that your resources will not be locked if we detect that they are part of a DDoS attack.
A Denial of Service (DoS) attack is an attack through which a person renders a system unusable, or significantly slows it down for legitimate users, by overloading its resources.
A Distributed Denial of Service (DDoS) attack (PDF, 263.3KB) is a DoS attack performed simultaneously by a multitude of compromised systems.
The goal of a DoS attack is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.
You are responsible for your resources. If a resource you control takes part in a DDoS you will be considered responsible for attacking the target of this DDoS.
Scaleway will lock any resources (e.g. Instances, Kubernetes clusters, Elastic Metal servers) that are identified as a contributor to a DDoS. This lock can be done without prior notice to protect our network and the target network; this is written in our Terms and Conditions (Scaleway, Online).
Memcached is a free and open-source, high-performance, distributed memory object caching system, used as an in-memory key-value store.
Memcached can be abused as a DDoS reflector because of its large amplification factor.
To configure your Memcached securely, ensure that both of the following settings are defined in /etc/memcached.conf:

```
# Disable UDP listening
-U 0
# Listen only on localhost
-l 127.0.0.1
```
Network Time Protocol (NTP) servers are regularly used to reflect and amplify spoofed UDP packets towards the target of a DDoS attack.
NTP servers on which the monlist command can be run by unauthorized users are particularly troublesome: this command provides a huge amplification effect to the attacker.
To configure your NTP server securely, proceed as follows:
- If you need to have an NTP server running, keep it upgraded to the most recent version available.
- Use a secure configuration as much as possible.
- Avoid having an NTP server open on the Internet; restrict access to localhost only where possible.
- If you need to have an NTP server open, specify which IP ranges may access it.
The Domain Name System (DNS) is commonly used to perform DDoS attacks because it runs over UDP and has no security features by default. DNS amplification attacks almost always take advantage of open resolvers. An open resolver is a DNS server that answers queries for any domain name without restrictions: anybody on the Internet can query it and it will answer. This makes it particularly troublesome, since queries sent with a spoofed source IP address turn it into a reflector.
In addition, a DNS reply is usually larger than its corresponding query, so DNS can also be used to obtain an amplification effect.
To configure your DNS server securely, proceed as follows:
- Do not run an open DNS resolver on the Internet. Restrict your DNS server to answering only requests coming from your IP range.
- Do not enable recursion on your DNS server.
- If you need recursion, limit the authorized range of IPs that can perform recursive requests.
- Enable rate limiting of queries and answers on your authoritative DNS server.
- Set an ACL on the remote control channel if used, and limit it to localhost if possible.
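As an added illustration (not from the original page), here are the DNS points above expressed as BIND 9 `named.conf` fragments: the first block is the open-resolver configuration they warn against, the second the restricted one. The 203.0.113.0/24 range and the `rndc-key` name are assumed placeholders, to be replaced with your own.

```conf
// --- Weak: an open resolver (what the list above warns against) ---
// Assumption: BIND 9 syntax; every address below is a placeholder.
options {
    directory "/var/cache/bind";
    recursion yes;                  // resolves any name for anyone
    allow-query { any; };           // reachable from the whole Internet
    allow-recursion { any; };
    // no rate-limit: every spoofed query yields a full-size (amplified) answer
};
controls {
    inet 0.0.0.0 port 953 allow { any; } keys { "rndc-key"; };  // control channel exposed to all
};

// --- Restricted: the same server following the list above ---
acl "trusted" {
    127.0.0.1;              // localhost
    203.0.113.0/24;         // placeholder: the IP range allowed to use this server
};
options {
    directory "/var/cache/bind";
    // Authoritative-only by default: recursion off for everyone.
    recursion no;
    // If recursion is genuinely needed, enable it for the trusted ACL only:
    // recursion yes;
    // allow-recursion { "trusted"; };
    // allow-query-cache { "trusted"; };
    allow-query { "trusted"; };     // a public zone can re-open allow-query in its own zone block
    // Response Rate Limiting (BIND >= 9.9): caps identical answers per client,
    // so a spoofed source cannot pull a flood of replies through this server.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };  // localhost only
};
```

Validate the result with `named-checkconf` before reloading, and confirm from an outside address that recursive queries are refused.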
HTTP(S) proxies are software that perform an HTTP(S) request on behalf of a client and forward the response to that client. In a DDoS attack they can be abused for amplification (a small request can generate a large answer) and reflection (the source IP address can be spoofed).
To configure your HTTP proxy securely, proceed as follows:
- Do not run HTTP proxies that are open on the Internet.
- Limit as much as possible the range of IPs of the machines that can connect to your HTTP(S) proxy.
- (In English) Denial of Service (DoS) guidance
- (In French) Comprendre et anticiper les attaques DDoS (PDF, 1.44MB)