How to prevent outgoing DDOS

Important: The explanations given below are known best-practices. They do not guarantee that your resources will not be locked if we detect that they are part of a DDoS attack.

DoS Overview

Denial of Service (DoS) attack is an attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading its resources.

A Distributed Denial of Service (DDoS) attack is a DoS attack that is performed at the same time by a multitude of compromised systems.

The goal of a DoS is not to gain unauthorized access to machines or data but to prevent legitimate users of a service from using it.

You are responsible for your resources. If a resource you control takes part in a DDOS you will be considered responsible for attacking the target of this DDoS.

Scaleway will lock any resources (instances, Kubernetes cluster, bare-metal server, …) that are identified as a contributor to a DDoS. This lock can be done without prior notice to protect our network and the target network; this is written in our Terms and Conditions (Scaleway, Online).

Preventing Memcache to be used in a DDoS attack

Memcached is a free & open-source, high-performance, distributed memory object caching system. It is used as a key-value store in memory.

Memcached can be used in DDoS because of its large amplification factor.

Recommendations

To configure securely your memcache, proceed as follows:

Ensure that in your /etc/memcached.conf you got both settings defined:

# Disable UDP listening
-U 0`

# Listen only on localhost
-l 127.0.0.1

Preventing NTP to be used in a DDoS attack

Network time protocol (NTP) servers are regularly being used to reflect and amplify spoofed UDP packets towards the target of a DDoS attack.

NTP servers where the monlist command can be run by any unauthorized users are particularly troublesome. These commands provide a huge amplification effect to the attacker.

Recommendations

To configure securely your NTP server, proceed as follows:

• If you need to have an NTP server running, upgrade your NTP server as much as possible.
• Use a secure configuration as much as possible
• Avoid having an NTP server open on the Internet. Try to restrict access to localhost only.
• If you need to have an NTP server open, be sure to specify which range of IP can access your NTP server.

Preventing DNS to be used in a DDoS attack

Domain Name System (DNS) is a commonly used protocol to perform DDoS attacks because of its UDP based protocol and lack of security features by default. DNS amplification attacks almost always take advantage of open resolvers. An open resolver is a DNS server that answers queries for a domain name without restrictions: anybody on the Internet can query it and it will answers. This makes it particularly troublesome as a spoofed IP address that will generate a reflection attack.

In addition to that, a DNS reply is usually larger than its corresponding query. Therefore, DNS can be used to have an amplification effect.

Recommendations

To configure securely your DNS server, proceed as follows:

• Do not run an open DNS resolver on the Internet. Restrict your DNS server to answer only on requests coming from your IP range.
• Do not enable recursion on your DNS server
• If you need recursion, limit the authorized range of IP that can perform those requests.
  • BIND
  • unbound
  • If you use PowerDNS, you can also use dnsdist.
• Enable RateLimiting of queries and answers from your authoritative DNS
  • BIND
  • unbound
  • If you use PowerDNS, you can also use dnsdist.
• Set ACL on your remote control if used and limit it to localhost if possible
  • rndc for BIND
  • dnsdist for PowerDNS
  • unbound-control for unbound

Preventing HTTP(s) proxy to be used in a DDoS attack

HTTP(s) proxies are software that will perform an HTTP(s) request in place of a client and forward the response to the client. This can be used in the case of a DDOS attack to perform amplification (a small request can generate a large answer) and reflection (IP address can be spoofed).

Recommendations

To configure securely your HTTP proxy, proceed as follows:

• Do not run HTTP proxies that are open on the Internet.
• Limit as much as possible the range of IP of machines that can connect to your HTTP(s) proxy.

External References

• (In English) Denial of Service (DoS) guidance
• (In French) Comprendre et anticiper les attaques DDOS