Tutorial

DDoS Attack Mitigation using CrowdSec

DDoS attacks are a very popular way for criminals on the internet (or bad actors in general) to attack you, either to hurt you or your business directly, to extort you, or for practically any other reason. Depending on which kind of DDoS attack we are talking about, CrowdSec may be able to help you out. Read along for a general introduction to DDoS as a concept and a discussion of what CrowdSec is and how it may help you fight DDoS attacks against your infrastructure.


This article briefly explains the nature of DDoS attacks and how CrowdSec can be used as a protection mechanism. The topics below are covered.

  • What does DDoS mean?
  • How is a DDoS attack conducted?
  • Different types of attacks.
  • What is CrowdSec?
  • How does CrowdSec work?
  • How can CrowdSec protect us from DDoS attacks?
  • 6 Reasons to consider using CrowdSec

The Concepts

First of all, what does DDoS mean?

A Distributed Denial of Service is a very simple yet effective malicious attempt to disrupt the normal flow of traffic towards a server or a group of servers.

Basically, it works by sending a large number of requests to the target until it reaches a point where the machine simply drops requests because it is unable to handle them.

The sources of these requests are usually machines the attacker has compromised (a botnet), whose resources are used to carry out the attack. This also makes it harder to find the actual source of the attack. If the targeted machine has a lot of processing resources such as RAM and CPU, more than one attacking machine is of course needed to conduct a successful DDoS attack.



Step one - Identification

The symptoms of a DDoS attack include low performance, non-availability, and strange behavior of your service or device. Depending on the attack, some resources (CPU, RAM, I/O, bandwidth) are saturated without a normal reason. The most common symptom is a sudden spike in the traffic towards your machine or service.

But we have to be very careful when trying to identify a DDoS attack, since a sudden increase in traffic does not always mean that someone is attacking you. Always remember that, statistically, it is more probable that whatever performance issue you see is just the symptom of a simple mishap (a misconfiguration, a bad deploy, a legitimate traffic peak).

A good start is to check the log output and try to identify if the requests have the same source, but this can also sometimes be hard because the attacker may be attacking from multiple sources spread all around the world (hint: that’s where the “distributed” part comes from).

Another important thing to identify is on which layer of the network the attack is happening. Attacks on different layers call for different ways of stopping and preventing them.


Let’s take an example.

For instance, suppose a Layer 3 attack, an ICMP ping flood, is currently hitting your machine. You start having connection issues and suspect a DDoS attack. Even if you check the logs of your web server or the SSH service, you will see nothing, because the attack is happening right under your feet, at a lower level than you might have suspected; only interface counters, kernel statistics or a packet capture will show it.

This means that a defensive mechanism for one layer of the OSI model (example: a Web Application Firewall at the application level) does not necessarily protect you on all levels (example: a Layer 3 ICMP ping flood), and this is critically important to remember.

So this is mostly about "looking in the right place" when you are being attacked: it helps you identify the source and type of the attack quickly, and it shows why protection is needed on all levels.

Let’s take a look at the 7 Layer OSI Model of the Network.

If you want to learn more about this model, visit this thread:

https://www.geeksforgeeks.org/layers-of-osi-model/



Most commonly, the attacks happen at Layer 3 (Network Layer) or Layer 7 (Application Layer). Layer 4 (Transport Layer) is also a frequent target, for example with TCP SYN floods, and is usually mitigated together with Layer 3.

-        Layer 3 DDoS Attacks

Attacks at this level target network equipment and infrastructure. A very important detail for these types of attacks is that it is connectionless, meaning that e.g. a TCP connection is not necessary for the attack to happen.

Layer 3 is responsible for the routing of the chunk of information spread across the network, otherwise known as packets. At Layer 3, protocols like IP, IPSec and ICMP take place. These protocols are not responsible for establishing connections, and opening ports; instead, they are responsible for data division into packets and routing them towards the destination.

Basically, Layer 3 DDoS attacks are easier to conduct, but they are seen less often than attacks on the higher layers, because attacks aimed at the machine itself are easier to mitigate (at the network edge, by your provider, or with stateless packet filtering) than attacks aimed at your services.

A very important detail is that at this level only network resources are consumed by the attack: bandwidth and the packet-processing capacity of your network equipment, not the application itself.

-        Layer 7 DDoS Attacks

Attacks at this level target services that require some sort of connection (for example TCP connection with an HTTPS Service). The core principle of the attack is the same with the Layer 3 Attack, sending a large number of requests from many devices towards a single destination.

But the key difference is the handler of these requests. Let’s consider the attack is happening on your HTTPS Service which consists of an NGINX Server listening on port 80 and 443 (HTTP/HTTPS).

NGINX is a high-performance, high-availability web server built to handle many requests at a time. This means that it is usually configured to use as many of your machine's resources as it needs in order to serve content to your users as fast as possible (which is quite reasonable).

But this has a negative side as well. Imagine multiple devices targeting your server at the same time. NGINX (or any other web server) cannot by itself distinguish normal traffic from traffic whose purpose is to shut the service down. In the case of an attack, the NGINX server will consume as many resources as it can until the service fails: with no resources left to process connections and the queue full, it can do nothing but drop them.


Step two – Recovery and Protection

Recovering from a DDoS attack can be as easy as restarting your machine or your service and then manually blocking the harmful IP(s) so they cannot hit you again. (If the attack saturates your network link rather than your service, blocking on the host itself does not help; the traffic has to be dropped upstream, by your provider or at the network edge.)

But what if the attack happens again from another source? This would mean that your clients cannot access your services normally, leading to bad reviews, loss of clients and other things we do not want to happen. On the other hand, what if there was a solution that is easy to configure, ensures protection, and is also cost-effective? At the beginning of this article, you were introduced to the name CrowdSec. So what is it, and what role does it play in all these scenarios?


-        CrowdSec – What is it and how does it work?

CrowdSec is a community-driven, free and open-source, modern and collaborative behavior-detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and, by the project's own measurement, about 60x faster; it uses parsers to read logs and scenarios to identify behaviors. CrowdSec is engineered for modern cloud, container and VM based infrastructures by decoupling detection from remediation.

CrowdSec Architecture


CrowdSec works by reading the log output of the applications it monitors. In their raw state these logs are hard to read and process, because in most situations applications and services dump information about every kind of interaction, including informational, warning and error messages.

These logs are run through parsers, which extract only the fields that matter (typically the source IP, a timestamp and a few request details) into structured events that are easy to process.

Besides parsers, there are configurations called scenarios, which describe the harmful behaviors to detect on your system, such as DDoS attacks, brute force, probing and crawling. A scenario is typically a leaky bucket: matching events fill a bucket per source IP, the bucket drains at a configured rate, and an overflow produces an alert and a decision (for example, ban this IP for four hours).

Another key component of the CrowdSec architecture is the bouncer(s). These are application-specific components (a firewall bouncer, an NGINX bouncer, and so on) that read the decisions produced by the scenarios and enforce them on the service they protect, for instance by dropping packets or returning an error page.

Also, CrowdSec incorporates a Local API, the central hub of the system, comparable to the CPU of a PC: agents push alerts to it, and bouncers query it for the decisions they must enforce.

What makes CrowdSec very special, is the ability to report harmful IPs to a central database where communities all around the world (more than 150 countries) report these IPs and the types of attacks they have been getting from them.
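To make the parser / scenario / bouncer pipeline above concrete, here is a self-contained Python model of it written for this article; it is example code, not CrowdSec's own code or its configuration format. It runs over a few constructed nginx access-log lines: a parser extracts source IP and timestamp, a leaky-bucket scenario fires when one IP sends more than a handful of requests per second, and a bouncer check consults the resulting decisions. The scenario name, thresholds and ban duration are assumptions made for the example. It also illustrates the earlier advice about checking the logs for requests that share a source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of nginx "combined" access-log lines (not real traffic):
# six requests within one second from 203.0.113.7, one more a second later,
# one benign request from 198.51.100.9, and one junk line for the parser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 1023 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 4411 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=b HTTP/1.1" 200 4398 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=c HTTP/1.1" 200 4402 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=d HTTP/1.1" 200 4377 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=e HTTP/1.1" 200 4390 "-" "python-requests/2.31"
this is not an access-log line and the parser must skip it
"""

# Stage 1: parser. Keeps only the fields the scenario needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a small event dict, or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

# Stage 2: scenario. One leaky bucket per source IP: each event pours in one
# unit, the bucket drains one unit per leak_seconds, and rising above
# capacity fires the scenario. After firing, the bucket is "blackholed" for
# a while so a single flood does not produce one alert per request.
class LeakyBucket:
    def __init__(self, capacity, leak_seconds, blackhole_seconds):
        self.capacity = capacity
        self.leak_seconds = leak_seconds
        self.blackhole = timedelta(seconds=blackhole_seconds)
        self.level = 0.0
        self.last = None
        self.blackholed_until = None

    def pour(self, ts):
        """Record one event at time ts; return True if the bucket overflows."""
        if self.blackholed_until is not None and ts < self.blackholed_until:
            return False
        if self.last is not None:
            elapsed = (ts - self.last).total_seconds()
            self.level = max(0.0, self.level - elapsed / self.leak_seconds)
        self.last = ts
        self.level += 1.0
        if self.level > self.capacity:
            self.level = 0.0
            self.blackholed_until = ts + self.blackhole
            return True
        return False

# Scenario name, thresholds and ban length are assumptions for this example.
SCENARIO = {
    "name": "example/http-flood-per-ip",
    "capacity": 5,          # more than 5 requests ...
    "leak_seconds": 1.0,    # ... within about one second fires
    "blackhole_seconds": 60,
    "ban": timedelta(hours=4),
}

def run_scenario(log_text, scenario=SCENARIO):
    """Feed parsed events through per-IP buckets; return the decisions produced."""
    buckets = defaultdict(lambda: LeakyBucket(
        scenario["capacity"], scenario["leak_seconds"], scenario["blackhole_seconds"]))
    decisions = []
    for line in log_text.splitlines():
        evt = parse_line(line)
        if evt is None:
            continue
        if buckets[evt["ip"]].pour(evt["ts"]):
            decisions.append({"ip": evt["ip"], "scenario": scenario["name"],
                              "until": evt["ts"] + scenario["ban"]})
    return decisions

# Stage 3: bouncer. On each request it asks "is there an active decision for
# this IP?" and blocks if so; expired decisions no longer apply.
def is_blocked(decisions, ip, now):
    return any(d["ip"] == ip and now < d["until"] for d in decisions)

if __name__ == "__main__":
    for d in run_scenario(SAMPLE_LOG):
        print(f"ban {d['ip']} until {d['until'].isoformat()} ({d['scenario']})")
```

Running the block bans 203.0.113.7 once (the sixth request in the same second overflows the bucket; the seventh arrives while the bucket is blackholed and adds no second alert) and leaves 198.51.100.9 alone. A real deployment reads the log continuously, shares the decision through the Local API, and can lean on the community blocklist for sources it has not seen yet.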

Below, you can see how CrowdSec mitigates the attacks:

CrowdSec vs DDoS – Why and how does CrowdSec win?

Until now, we have covered the basics of DDoS and CrowdSec. But where do these two meet?

While CrowdSec’s primary objective is to secure your infrastructure, protecting your services from DDoS falls within that objective. There are of course other mechanisms that protect against such attacks, but they are either hard to implement or commercial products (which means you will have to pay for the service).

On the other hand, CrowdSec’s simple and yet effective architecture allows you to have a free solution ready, even for your production servers.

Below, we will list 6 reasons why CrowdSec is the best solution when it comes to protecting your servers:

1.)   By the community, for the community. It’s FOSS!

When you consider any kind of solution for a problem that you might have been dealing with, if that solution is commercial of course you would need some sort of financing and approval from the team to go forward with it.

Besides that, you wouldn’t know if that would be the correct choice anyways.

With CrowdSec, you get all the benefits for free, and not just in the beginning: CrowdSec will always be free of charge because it’s here for the community and by the community.


2.)   Installation takes less than a coffee break.

Even though in the background, CrowdSec is made up of a lot of pieces that combined together bring an all-in-one solution, it takes less than 5 minutes to install.

We all know that open source solutions can be effective, but they often lack documentation, are hard to install and maintain, and do not offer support.

With CrowdSec, it’s the complete opposite! With easy installation steps, a dedicated documentation site and a community growing by the day, you are guaranteed a smooth implementation.

Psst… We also have a Discord Server: https://discord.gg/crowdsec


3.)   It simply … works.

Sometimes, you don’t even want to bother how, why and when. You just want to have a working solution by the end of the day. 

By the time you install CrowdSec, you will already have mechanisms to protect you from:

-        DDoS Attacks

-        SSH Bruteforce

-        HTTP Bruteforce

-        HTTP Crawling/Probing

-        And more…

But hey, if you want to build up something custom, be aware that the documentation is there (and so is the community).

4.)   Customize your own security platform.

The default solution doesn’t always suit everyone.

But you are not always given the possibility to change a product so that it works the way you need. With CrowdSec you have the freedom to choose how your security platform reacts to such attacks.

CrowdSec is fully customizable and also encourages you to build new configurations and share them with the community, especially if they have proven worthy and effective. 

5.)   Privacy in mind

CrowdSec detects anomalies by running parsed log data through its scenarios, which produce signals. It is these signals, not your logs, that are shared with the rest of the community.

A signal is composed of the following elements

  • The IP address and its geolocation that attempted a malicious action
  • The version and hash of the scenario that detected the action
  • The time of detection
  • The machine ID

And that's all

6.)   You’re backed up by the community

If we haven’t been able to outsmart cybercriminals (at least so far), why don’t we try outnumbering them?

At least that’s the philosophy CrowdSec relies on.

Bear in mind that as soon as you have CrowdSec running on your machine, a blocklist of IPs reported by a huge community is already being enforced, meaning that the first layer of protection has already been laid over your infrastructure.

Even better, you will have the possibility to report the IPs that have attacked you, contributing to the overall goal of securing the whole community.

As a conclusion, CrowdSec is not the only solution you can use to protect your infrastructure, but it has proven to be a very effective one.