Do High-Defense Servers Block UDP? My Experience and Suggestions

16 Mar, 2026 zhangwuji

That night I was debugging the server side of an online game when the monitoring dashboard suddenly went all red: players dropped out en masse and backend traffic spiked to a few hundred Gbps. My first thought was, here we go again, another damn DDoS attack. But looking closer, the firewall logs showed UDP packets piled up into a mountain, and our high-defense server had, by default, pinched the UDP traffic clean off. Game voice and real-time data synchronization were paralyzed instantly, and the team nearly ran away overnight.

This kept me thinking for a long time: do high-defense servers actually block UDP? Honestly, the answer is not that simple; it depends on the provider you end up with, their configuration strategy, and whether you know the tricks.

I've been in network security for over a decade, and I've seen too many people fall into the UDP trap.

Anti-DDoS servers (high-defense servers), as the name suggests, exist to absorb the hits, specializing in fending off all kinds of DDoS attacks. But the UDP protocol is inherently a "backstabber": it is connectionless and performs no authentication, so an attacker can forge a source IP at will and launch a reflection/amplification attack. DNS queries or NTP responses, for instance, can multiply the traffic hundreds of times. So, to save themselves trouble, many high-defense providers apply a one-size-fits-all default policy: UDP? Blocked. This trick does stop a lot of junk traffic, but the side effects are large too: games, video conferencing, VoIP and other applications that rely on UDP may end up paralyzed for no obvious reason.

Don't believe the advertisements boasting "full protocol protection". I have tested several mainstream high-defense services, and in the default configuration, nine times out of ten, UDP ports do not pass.

Once I took 08Host's high-defense server for a test; their control panel actually hides a "UDP release" option that you have to turn on manually. Without it, even basic DNS resolution is stuck like a dog.

That said, 08Host is fairly honest on this point. Customer service told me directly: UDP is high risk, but we do not block it completely; users can customize rules according to business needs. Combined with their intelligent cleaning system, my tests showed a reflection-attack mitigation rate of 98% or more, with game latency still stable at around 20ms. These days, providers that let you freely regulate UDP are rare; most hide it, wait for you to run into problems, and then dump the blame on you.

Why do high-defense servers love to block UDP?

To put it bluntly, it's a game of cost versus security. UDP attacks are too easy to pull off; a single malicious CLDAP request can amplify traffic dozens of times. If a provider let everything through, its cleaning center would be washed out within minutes, so they naturally prefer to block first and ask questions later. But this is a pit for us users. I once took on a financial project that needed UDP for fast transaction data transmission, and the high-defense default policy knocked the business straight off the rails; the customer's phone rang off the hook. Later, digging into it, I found that the provider's underlying rule automatically triggered a black hole once UDP exceeded 10Mbps, without so much as a warning. That is a team guarding against its own teammates harder than against thieves!

My advice: don't expect the default configuration to take care of everything. If you really want to use a high-defense server, the first step is to pick apart the provider's documentation and look at the UDP policy. If you host your own hardware, say behind a Cisco or Huawei firewall, I usually tune the iptables rules like this: release the critical UDP ports first, then rate-limit to prevent abuse:
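
The author's own iptables snippet does not appear on this page. What follows is an added example, not the author's configuration, that implements the two steps just described (release the business-critical UDP ports, then rate-limit to prevent abuse) and also drops the unsolicited replies from the classic reflectors mentioned earlier (DNS 53, NTP 123, CLDAP 389, SSDP 1900). The port numbers 7777 and 27015 and the rate values are constructed, hypothetical defaults; override them through the environment variables before applying.

```bash
#!/usr/bin/env bash
# Added example (not the author's configuration): a minimal iptables UDP policy
# in the spirit described above. Constructed, hypothetical defaults:
#   GAME_UDP_PORTS  - the UDP ports the business actually needs
#   REFLECTOR_PORTS - well-known amplification source ports (DNS, NTP, CLDAP, SSDP)
#   RATE / BURST    - per-source hashlimit applied to the released ports
# Run with no arguments to print the rules; pass --apply to execute them (needs root).
set -eu

GAME_UDP_PORTS="${GAME_UDP_PORTS:-7777 27015}"
REFLECTOR_PORTS="${REFLECTOR_PORTS:-53 123 389 1900}"
RATE="${RATE:-200/sec}"
BURST="${BURST:-400}"

# Emit the iptables commands, one per line, in the order they must run.
build_udp_rules() {
  local p
  echo "iptables -N UDP_POLICY"
  # 1. Release the ports the business really uses, with a per-source cap so a
  #    single (possibly spoofed) source cannot swamp them on its own.
  for p in $GAME_UDP_PORTS; do
    echo "iptables -A UDP_POLICY -p udp --dport $p -m hashlimit --hashlimit-name udp_$p --hashlimit-mode srcip --hashlimit-above $RATE --hashlimit-burst $BURST -j DROP"
    echo "iptables -A UDP_POLICY -p udp --dport $p -j ACCEPT"
  done
  # 2. Unsolicited datagrams from classic reflector ports: a reply we never
  #    asked for is conntrack state NEW, so it is dropped; replies to our own
  #    outbound queries are ESTABLISHED and survive to step 3.
  for p in $REFLECTOR_PORTS; do
    echo "iptables -A UDP_POLICY -p udp --sport $p -m conntrack --ctstate NEW -j DROP"
  done
  # 3. Everything else: keep replies to our own outbound UDP, drop the rest.
  echo "iptables -A UDP_POLICY -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A UDP_POLICY -j DROP"
  # Finally hook the chain into INPUT for all UDP.
  echo "iptables -I INPUT -p udp -j UDP_POLICY"
}

# Execute each generated line verbatim (root required).
apply_udp_rules() {
  build_udp_rules | while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    $cmd
  done
}

# Number of rule lines generated; useful as a sanity check in a deploy script.
rule_count() { build_udp_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
  apply_udp_rules
else
  build_udp_rules
fi
```

Review the printed rules first, then run with `--apply`. The order matters: the per-port hashlimit DROP must precede the ACCEPT for the same port, and the reflector-port rules must sit before the generic ESTABLISHED accept, otherwise a reflected reply that conntrack happens to match would slip through.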

I've used this configuration for years, and in my tests it withstands small-scale reflection attacks while the business remains unaffected. But if it's a cloud provider's high-defense offering, such as Aliyun or Tencent Cloud, you have to dig through the console: look for "security group" or "DDoS advanced policy", set a UDP port whitelist, and then turn on their traffic cleaning. Sometimes you have to lower the cleaning threshold; the default may be too sensitive and kill even normal traffic. I ran into one provider with a 100Mbps cleaning threshold, and the company's video conferences stuttered at peak; manually adjusting it to 50Mbps solved the problem. The docs never write down details like this; it's all trial and error.

There is an even slicker trick: use a CDN to share the UDP pressure. Take CDN07, an anti-DDoS CDN. I've pushed it to a couple of live-streaming clients; they have specifically optimized UDP acceleration, with edge nodes directly handling the real-time streams and the back-end high-defense servers only picking up TCP, so the attack surface is much smaller.

CDN07's configuration backend is very simple: add one rule and UDP traffic is routed to the cleaning center. In my test, a 500Gbps UDP flood was cut down with almost zero packet loss, and the price is 30% cheaper than a pure high-defense server. Of course, this is not an advertisement; it's a gem I found after actually stepping in the pit.

Complaints aside, technical people have to face reality. "High-defense servers block UDP" is not an iron law; the key is how you communicate and configure. Before buying a service I send a ticket to ask clearly: the default state of UDP, the cleaning mechanism, whether logs are available, and ideally a test IP so you can run your own telnet checks.

Last time a customer went for the cheap option and bought high-defense from a small provider; UDP was blocked completely and they offered no solution, the business collapsed at launch, and in the end it could only be migrated to 08Host, whose backend exposes an API directly for custom rules. I wrote a script to handle the port release and saved a lot of late nights. So don't just look at the price; transparency of technical support is king.

Speaking of experience, I have to mention a data comparison. Last year I stress-tested three high-defense products: provider A with default UDP blocking, provider B with partial opening, and provider C (that is, 08Host) with full protocol adjustability. I simulated UDP attacks with Scapy. Under 50Gbps of traffic, A went straight into a 24-hour black hole; B barely held out, but business latency soared to 200ms; C, through dynamic cleaning, kept latency below 30ms and recovered automatically once the attack was mitigated. The gap is not small, so in later projects that need high-defense I basically recommend choosing a plan that can flexibly manage UDP; it's worth the extra cost.

A few final words from the heart.

In the network security business, the thing to fear most is taking things for granted. You think a high-defense server can prevent everything, and then UDP gets pinched and the business dies faster than it would from the attack. My experience is to plan ahead: which UDP ports the business uses, the peak traffic size, whether the provider offers real-time monitoring; these details decide life and death. The configuration example below is a UDP proxy snippet for Nginx, suitable for scenarios that need to forward game data:
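
The author's Nginx snippet is not on this page. As an added example, not the author's configuration, the script below renders an Nginx `stream` block that forwards game UDP traffic to several back-ends, so the high-defense server only fronts the listener. The listen port 7777 and the back-end addresses 10.0.0.11 to 10.0.0.13 are constructed, hypothetical values; the `hash $remote_addr consistent` directive keeps all datagrams from one client on the same back-end, which stateful game servers need.

```bash
#!/usr/bin/env bash
# Added example (not the author's snippet): render an Nginx `stream` block that
# load-balances UDP game traffic across several back-ends.
# Constructed, hypothetical defaults; override via environment variables.
set -eu

LISTEN_PORT="${LISTEN_PORT:-7777}"
BACKENDS="${BACKENDS:-10.0.0.11:7777 10.0.0.12:7777 10.0.0.13:7777}"

# Print the nginx configuration to stdout.
render_udp_proxy() {
  local b
  cat <<EOF
stream {
    upstream game_udp {
        # hash by client IP so every datagram of a session hits the same back-end
        hash \$remote_addr consistent;
EOF
  for b in $BACKENDS; do
    # a back-end that fails 3 sends in 30s is taken out of rotation for 30s
    echo "        server $b max_fails=3 fail_timeout=30s;"
  done
  cat <<EOF
    }

    server {
        listen ${LISTEN_PORT} udp reuseport;
        # idle UDP "sessions" expire quickly, so a flood cannot pin proxy state
        proxy_timeout 10s;
        # 0 = do not close after a fixed number of replies; game streams are continuous
        proxy_responses 0;
        proxy_pass game_udp;
    }
}
EOF
}

# Write the rendered config to a file (e.g. /etc/nginx/conf.d/game-udp.conf) and,
# when the nginx binary is present, syntax-check the whole configuration.
write_udp_proxy() {
  local out="$1"
  render_udp_proxy > "$out"
  if command -v nginx >/dev/null 2>&1; then
    nginx -t
  fi
}

# Number of upstream servers rendered; handy as a deploy-time sanity check.
backend_count() { render_udp_proxy | grep -c '        server '; }

if [ "${1:-}" != "" ]; then
  write_udp_proxy "$1"
else
  render_udp_proxy
fi
```

Run it with no arguments to inspect the output, or with a path to write the file and run `nginx -t`. Keep `proxy_timeout` short: every active UDP client costs the proxy a tracked session, and a spoofed flood would otherwise fill that table long before it fills the link.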

This lets you spread UDP traffic across multiple back-ends, reducing pressure on the high-defense server; the measured latency increase is under 5ms. But remember, the code is only a tool; the real work is your understanding of the protocols and your mindset when things blow up. These days even the CDN has to "guard against teammates", so those of us doing technology need to keep our wits about us and keep the configuration in our own hands, so we don't one day get pitted by a default policy and end up crying.

Well, that's all the experience I'll share here; hopefully it helps you take fewer detours. After all, we can only sleep soundly when the server is stable, right?