During a DDoS attack, redirecting traffic to a cloud mitigation service comes in two varieties: DNS redirection (application-layer protection, typically of web services reached by hostname) and BGP redirection (network/transport-layer protection of entire IP prefixes).
Redirecting Traffic via DNS
The Domain Name System (DNS) is the Internet's equivalent of a phone book: it maintains a directory of domain names and maps them to Internet Protocol (IP) addresses.
To initiate redirection via DNS, you typically just need to switch the DNS A (and AAAA) records for any hosts under attack to the IPs assigned to you by your mitigation provider (many providers supply a CNAME target instead). Traffic then flows through the provider's cloud service, where it is scrubbed, and legitimate traffic is passed on to your infrastructure. Once the attack is over, switch the records back to your original IPs and resume business as usual. Two checks matter here. First, the provider acts as a reverse proxy, so it must be able to reach your real origin IP. Second, nobody else should be able to reach it: if the origin IP is still published in other records (mail, staging, a forgotten subdomain) or accepts connections from arbitrary sources, an attacker simply bypasses the scrubbing service, so restrict the origin to the provider's address ranges.
Keep a low TTL on these records well in advance. Resolvers cache a record for up to its TTL, so a low value lets a change take effect quickly across the Internet. It does not guarantee it: some resolvers ignore TTLs, and lowering the TTL only when the attack starts does nothing until the old, long TTL has expired.
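The cutover and the checks around it, as an added example that is not part of the original article or any provider's tooling. The zone, the protected hostnames, the provider ranges and the per-host provider IPs are constructed placeholders (RFC 5737/3849 documentation addresses); the script repoints the records, audits TTLs and origin exposure, and shows that applying the original mapping restores the zone.

```python
import ipaddress

# Constructed sample zone for the example (documentation addresses, not real
# infrastructure). Format: name ttl class type rdata.
ORIGIN_ZONE = """\
www.example.com.   3600 IN A    203.0.113.10
www.example.com.   3600 IN AAAA 2001:db8:1::10
api.example.com.    300 IN A    203.0.113.11
mail.example.com.  3600 IN A    203.0.113.10
dev.example.com.   3600 IN A    203.0.113.11
"""

# Hosts under attack that should be moved behind the mitigation provider.
PROTECTED = {"www.example.com.", "api.example.com."}

# Assumed: ranges and per-host addresses handed to you by the provider.
PROVIDER_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("2001:db8:ffff::/48")]
PROVIDER_IPS = {
    ("www.example.com.", "A"): "198.51.100.20",
    ("www.example.com.", "AAAA"): "2001:db8:ffff::20",
    ("api.example.com.", "A"): "198.51.100.21",
}
MAX_TTL = 300  # seconds; the TTL you want in place before an attack starts


def parse_zone(text):
    """Parse 'name ttl class type rdata' lines; keep only A/AAAA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] not in ("A", "AAAA"):
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def in_provider_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def repoint(records, targets):
    """Return a copy of the records with every (name, type) present in
    targets rewritten to the given rdata. Used to redirect and to restore."""
    out = []
    for rec in records:
        key = (rec["name"], rec["type"])
        out.append({**rec, "rdata": targets[key]} if key in targets else dict(rec))
    return out


def audit(before, after, protected=PROTECTED, max_ttl=MAX_TTL):
    """Checks a practitioner runs around the cutover:
    - protected hosts had a low TTL beforehand (otherwise the change is slow);
    - protected hosts now resolve only into provider ranges;
    - no other record still publishes an origin IP (a proxy-bypass path)."""
    findings = []
    origin_ips = {r["rdata"] for r in before if r["name"] in protected}
    for r in before:
        if r["name"] in protected and r["ttl"] > max_ttl:
            findings.append(f"high TTL {r['ttl']}s on {r['name']} {r['type']}: lower it before an attack")
    for r in after:
        if r["name"] in protected and not in_provider_ranges(r["rdata"]):
            findings.append(f"{r['name']} {r['type']} still points at {r['rdata']}, outside provider ranges")
        elif r["name"] not in protected and r["rdata"] in origin_ips:
            findings.append(f"{r['name']} {r['type']} exposes origin IP {r['rdata']}: attackers can bypass the proxy")
    return findings


if __name__ == "__main__":
    before = parse_zone(ORIGIN_ZONE)
    after = repoint(before, PROVIDER_IPS)      # cutover to the provider
    for finding in audit(before, after):
        print("FINDING:", finding)
    original = {(r["name"], r["type"]): r["rdata"] for r in before}
    assert repoint(after, original) == before  # switching back restores the zone
```

On the sample zone the audit reports the two 3600-second TTLs on www (fix those before you need them) and the mail and dev records that still publish the origin IPs of the protected hosts; the provider-side records pass.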
Redirecting Traffic via BGP
Similarly, BGP can also be used to redirect traffic during a DDoS attack.
BGP is the Internet's inter-domain routing protocol: each Autonomous System (AS) announces the IP prefixes reachable through it, and routers use those announcements to decide where to forward packets so that they reach the destination network. Paths between networks change continually as a result of hardware failures, downed links, and changes in peering. During a DDoS attack, BGP announcements are used to redirect traffic for the affected prefixes to scrubbing centers that filter out malicious traffic, particularly centers operated by cloud-based protection services.
For the affected prefixes, withdraw the BGP announcements from your routers. Your mitigation provider then announces those prefixes from its own AS, so the attack traffic is drawn to its scrubbing centers, where malicious traffic is filtered out and the remaining clean traffic is forwarded to your infrastructure over GRE tunnels. Your return traffic normally leaves your network directly, so routing is asymmetric; that is expected, but check that your transit provider's anti-spoofing filters still accept packets sourced from a prefix whose best route now points elsewhere. The provider's announcement also has to be accepted by the rest of the Internet: you will normally give it a Letter of Authorization, and if you publish RPKI ROAs for your prefixes, add one that covers the provider's ASN, otherwise its announcement is RPKI-invalid and dropped by networks that enforce origin validation. After the attack subsides, the provider withdraws its announcements and helps you re-establish the announcements on your routers for the affected prefixes.
To use BGP redirection, you need to have:
- A minimum of a /24 prefix (the smallest IPv4 prefix generally accepted into the global routing table, so anything more specific would be filtered);
- A BGP and GRE capable router;
- IP address space to terminate the GRE tunnels that lies outside the prefixes you need defended (if the tunnel endpoint were inside a protected prefix, the tunnel traffic itself would be routed to the scrubbing center).
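The handoff and the prerequisites above, modeled as an added example that is not part of the original article or of any provider's tooling. The ASNs (private-use range), prefixes and tunnel endpoint are hypothetical; the toy routing table does longest-prefix match only, with none of BGP's path selection, and is there to show why the /24 floor and the out-of-prefix tunnel endpoint matter and what MSS to clamp on the tunnel.

```python
import ipaddress

# Hypothetical values for the example: documentation prefixes and private-use
# ASNs, not a real network or provider.
CUSTOMER_AS = 64500             # your AS
PROVIDER_AS = 64496             # the scrubbing provider's AS
PROTECTED = "203.0.113.0/24"    # the prefix under attack
TUNNEL_PREFIX = "192.0.2.0/24"  # address space that only carries GRE endpoints
GRE_LOCAL_ENDPOINT = "192.0.2.1"

GRE_OVERHEAD = 20 + 4    # outer IPv4 header + basic GRE header
TCP_IP_HEADERS = 20 + 20


class Rib:
    """Toy model of the global routing table: prefix -> originating AS,
    with longest-prefix match on lookup."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, origin_as):
        net = ipaddress.ip_network(prefix)
        # Most transit networks drop IPv4 announcements longer than /24,
        # which is why at least a /24 is required.
        if net.version == 4 and net.prefixlen > 24:
            raise ValueError(f"{prefix} is longer than /24 and would be filtered")
        self.routes[net] = origin_as

    def withdraw(self, prefix, origin_as):
        net = ipaddress.ip_network(prefix)
        if self.routes.get(net) == origin_as:
            del self.routes[net]

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        best = None
        for net, asn in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, asn)
        return best[1] if best else None


def normal_state():
    """Before the attack: you originate the protected and the tunnel prefix."""
    rib = Rib()
    rib.announce(PROTECTED, CUSTOMER_AS)
    rib.announce(TUNNEL_PREFIX, CUSTOMER_AS)
    return rib


def redirect_to_scrubbing(rib):
    """The handoff described above: you withdraw, the provider announces."""
    rib.withdraw(PROTECTED, CUSTOMER_AS)
    rib.announce(PROTECTED, PROVIDER_AS)


def restore(rib):
    """After the attack: the provider withdraws, you announce again."""
    rib.withdraw(PROTECTED, PROVIDER_AS)
    rib.announce(PROTECTED, CUSTOMER_AS)


def tunnel_endpoint_ok(rib, endpoint):
    """Clean traffic comes back over GRE, so the tunnel endpoint must still
    route to you directly. If it sits inside the protected prefix, the
    tunnel packets themselves go to the scrubbing center and loop."""
    return rib.lookup(endpoint) == CUSTOMER_AS


def tcp_mss_for_gre(physical_mtu=1500):
    """MSS to clamp on the tunnel so TCP segments fit after GRE encapsulation."""
    return physical_mtu - GRE_OVERHEAD - TCP_IP_HEADERS


if __name__ == "__main__":
    rib = normal_state()
    redirect_to_scrubbing(rib)
    print("203.0.113.10 now reaches AS", rib.lookup("203.0.113.10"))
    print("GRE endpoint still routes to us:", tunnel_endpoint_ok(rib, GRE_LOCAL_ENDPOINT))
    print("clamp TCP MSS on the tunnel to", tcp_mss_for_gre())
    restore(rib)
```

With a 1500-byte physical MTU the GRE tunnel carries 1476 bytes, so the MSS clamp comes out at 1436; without it, full-size segments arriving at the scrubbing center are fragmented or dropped on the way back to you.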
What are the Pros and Cons of DNS vs. BGP?
Most DDoS protection uses DNS redirection because it is easier to deploy and maintain: no routing changes, no /24 requirement, and no tunnels. Its limits are that it only protects services reached by hostname (primarily HTTP/HTTPS and whatever other protocols the provider proxies), it depends on resolver caching, and it is bypassed entirely if the origin IP is exposed. If you have a more complex Internet infrastructure, with a large number of hosts, IPs and non-web protocols that need defense, BGP redirection may be the better option: it protects everything in the prefix regardless of protocol, at the cost of the routing prerequisites above and the operational overhead of GRE tunnels, including the reduced MTU they impose.