Cloudflare recently announced flowtrackd, which can detect DDoS in DSR (Direct Server Return) scenarios. It’s quite interesting, since most DDoS protections need the gateway to work in reverse proxy mode, in which traffic enters and leaves through the same device; the gateway can then track connection state because it observes every packet. I am not an employee of Cloudflare and have no insight into how flowtrackd is designed, but I’d like to make an educated guess.
Here are some things we need to know before talking about how flowtrackd works. Let’s go over them in case you don’t remember.
TCP connection establishment and termination
A TCP connection between a client and a server is identified by the 4-tuple Src_IP:Src_Port:Dst_IP:Dst_Port. Hence, there can be only one TCP connection between a given pair of Src_IP:Src_Port and Dst_IP:Dst_Port.
Whenever a client tries to establish a TCP connection to a server, a three-way handshake is required, with the following steps:
- The client sends a TCP packet with the SYN flag set and a random SEQ number A
- Once the server receives the SYN packet, it returns a TCP packet with the ACK flag set and ACK number A+1; the SYN flag is also set, with another random SEQ number B
- Similarly, once the client receives the packet from the server with ACK number A+1, it confirms that the uni-directional tunnel from its side is established. It also responds with an ACK packet carrying ACK number B+1 to acknowledge the server
- When the server has the ACK packet with number B+1, the second uni-directional tunnel is set up and the TCP connection is established
Similarly, termination requires both tunnels to be torn down, from both sides:
- A FIN packet is sent to the other end, and the other end responds with an ACK
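The handshake and teardown just listed, as an added example that is not part of the original post: a small two-endpoint model in Python that carries the SEQ/ACK arithmetic explicitly, so the A+1 and B+1 checks are visible, and refuses a SYN+ACK whose ACK number is wrong. The addresses, the initial sequence numbers and the names Endpoint, run_session and bad_ack_rejected are constructed for the example; real TCP also has retransmission, windows and a TIME_WAIT timer, none of which are modelled here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str            # "ip:port" (constructed addresses below)
    dst: str
    flags: frozenset    # subset of {"SYN", "ACK", "FIN"}
    seq: int
    ack: int = 0

class Endpoint:
    def __init__(self, addr: str):
        self.addr = addr
        self.state = "CLOSED"
        self.snd_nxt = 0   # next SEQ this side will send
        self.rcv_nxt = 0   # next SEQ expected from the peer, i.e. our ACK number

    def _pkt(self, dst: str, *flags: str) -> Packet:
        return Packet(self.addr, dst, frozenset(flags), self.snd_nxt, self.rcv_nxt)

    def connect(self, peer: str, isn: int) -> Packet:
        """Client: send SYN carrying the random initial sequence number A."""
        self.snd_nxt = isn
        pkt = self._pkt(peer, "SYN")
        self.snd_nxt += 1          # a SYN occupies one sequence number
        self.state = "SYN_SENT"
        return pkt

    def close(self, peer: str) -> Packet:
        """Either side: tear down its own direction with a FIN."""
        pkt = self._pkt(peer, "FIN")
        self.snd_nxt += 1          # a FIN occupies one sequence number too
        self.state = "FIN_WAIT" if self.state == "ESTABLISHED" else "LAST_ACK"
        return pkt

    def receive(self, pkt: Packet, isn: int = 0):
        """Handle one packet; return the reply, or None when no reply is due."""
        f = pkt.flags
        if self.state == "CLOSED" and f == {"SYN"}:
            # Server: acknowledge A with A+1 and offer its own random ISN B.
            self.rcv_nxt = pkt.seq + 1
            self.snd_nxt = isn
            reply = self._pkt(pkt.src, "SYN", "ACK")
            self.snd_nxt += 1
            self.state = "SYN_RECEIVED"
            return reply
        if self.state == "SYN_SENT" and f == {"SYN", "ACK"}:
            # Client: the server must acknowledge exactly A+1; then we ACK B+1.
            if pkt.ack != self.snd_nxt:
                raise ValueError(f"bad ACK {pkt.ack}, expected {self.snd_nxt}")
            self.rcv_nxt = pkt.seq + 1
            self.state = "ESTABLISHED"
            return self._pkt(pkt.src, "ACK")
        if self.state == "SYN_RECEIVED" and f == {"ACK"}:
            # Server: the client must acknowledge exactly B+1; both tunnels are up.
            if pkt.ack != self.snd_nxt:
                raise ValueError(f"bad ACK {pkt.ack}, expected {self.snd_nxt}")
            self.state = "ESTABLISHED"
            return None
        if "FIN" in f and self.state in ("ESTABLISHED", "FIN_WAIT"):
            # The peer closed its direction: ACK the FIN.
            self.rcv_nxt = pkt.seq + 1
            self.state = "CLOSE_WAIT" if self.state == "ESTABLISHED" else "TIME_WAIT"
            return self._pkt(pkt.src, "ACK")
        if f == {"ACK"}:
            # Plain ACK: the one that finishes our own close, or an ACK of data.
            if self.state == "LAST_ACK" and pkt.ack == self.snd_nxt:
                self.state = "CLOSED"
            return None
        raise ValueError(f"unexpected flags {sorted(f)} in state {self.state}")

def run_session(client_isn: int = 1000, server_isn: int = 5000):
    """Drive a full open and close; return (packet trace, client state, server state)."""
    client, server = Endpoint("10.0.0.1:40000"), Endpoint("203.0.113.10:443")
    trace = []

    def deliver(pkt: Packet):
        trace.append(pkt)
        peer = server if pkt.dst == server.addr else client
        return peer.receive(pkt, isn=server_isn)

    syn_ack = deliver(client.connect(server.addr, client_isn))   # SYN -> SYN+ACK
    deliver(deliver(syn_ack))                                    # SYN+ACK -> ACK -> done
    assert client.state == server.state == "ESTABLISHED"
    deliver(deliver(client.close(server.addr)))   # client FIN, server ACK
    deliver(deliver(server.close(client.addr)))   # server FIN, client ACK
    return trace, client.state, server.state

def bad_ack_rejected(client_isn: int = 1000) -> bool:
    """A SYN+ACK whose ACK number is not A+1 must be refused by the client."""
    client = Endpoint("10.0.0.1:40000")
    client.connect("203.0.113.10:443", client_isn)
    bogus = Packet("203.0.113.10:443", client.addr, frozenset({"SYN", "ACK"}), 5000, client_isn + 7)
    try:
        client.receive(bogus)
    except ValueError:
        return True
    return False
```

The trace returned by run_session is exactly the seven packets described above: SYN, SYN+ACK (ACK number A+1), ACK (ACK number B+1), then a FIN and ACK for each direction.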
Packet visibility in reverse proxy and DSR
Reverse proxies have visibility of all packets in all connections, but in DSR the gateway can see incoming traffic only, as shown in the following picture (borrowed from Cloudflare).
My guess of how flowtrackd works
Indeed we have less information in DSR, but that doesn’t mean we can’t detect DDoS.
I believe the logic is straightforward, and I present it as a flow chart to save time for you and me.
The flow won’t work well without some assistance; what I have in mind are proper timers, especially an open-connection timeout timer.
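One way the flow could look in code, as an added example that is neither Cloudflare’s flowtrackd nor code from the original post: a toy tracker that, like a DSR gateway, sees only client-to-server packets and therefore infers connection state from inbound flags alone, with an open-connection timeout that ages out SYNs whose handshake never completes. The names DsrFlowTracker and demo, the timeout values and the thresholds in syn_flood_suspected are assumptions, and the traffic in demo is constructed.

```python
from collections import Counter
from dataclasses import dataclass

SYN_TIMEOUT = 5.0     # seconds a half-open flow may wait for the client's ACK (assumed value)
IDLE_TIMEOUT = 120.0  # seconds an established flow may stay silent (assumed value)

@dataclass
class Flow:
    state: str          # "HALF_OPEN" | "ESTABLISHED" | "CLOSING"
    last_seen: float

class DsrFlowTracker:
    """Tracks TCP flows from the client->server direction only, as a DSR gateway sees it."""

    def __init__(self, syn_timeout=SYN_TIMEOUT, idle_timeout=IDLE_TIMEOUT):
        self.flows = {}          # (src "ip:port", dst "ip:port") -> Flow
        self.syn_timeout = syn_timeout
        self.idle_timeout = idle_timeout
        self.stats = Counter()   # (dst, counter name) -> count

    def ingest(self, t: float, src: str, dst: str, flags: set):
        """Consume one inbound packet. The server's SYN+ACK is never seen here."""
        key = (src, dst)
        flow = self.flows.get(key)
        if "RST" in flags:
            self.flows.pop(key, None)
        elif "SYN" in flags and "ACK" not in flags:
            # Handshake start: the flow is half-open until the client's ACK arrives.
            if flow is None or flow.state != "ESTABLISHED":
                self.flows[key] = Flow("HALF_OPEN", t)
                self.stats[(dst, "syn")] += 1
        elif "FIN" in flags:
            if flow is not None:
                flow.state, flow.last_seen = "CLOSING", t
        elif "ACK" in flags:
            if flow is None:
                # ACK on a flow we never saw a SYN for: maybe a pre-existing
                # connection, maybe an ACK flood; count it rather than trust it.
                self.stats[(dst, "unsolicited_ack")] += 1
            else:
                if flow.state == "HALF_OPEN":
                    # Third handshake packet: from the inbound side this is the
                    # only evidence that the connection was established.
                    flow.state = "ESTABLISHED"
                    self.stats[(dst, "established")] += 1
                flow.last_seen = t

    def expire(self, now: float):
        """Run the timers: the open-connection timeout ages out handshakes that never finished."""
        for key, flow in list(self.flows.items()):
            age = now - flow.last_seen
            if flow.state == "HALF_OPEN" and age > self.syn_timeout:
                self.stats[(key[1], "half_open_expired")] += 1
                del self.flows[key]
            elif flow.state != "HALF_OPEN" and age > self.idle_timeout:
                del self.flows[key]

    def half_open_count(self, dst: str) -> int:
        return sum(1 for (_, d), f in self.flows.items() if d == dst and f.state == "HALF_OPEN")

    def syn_flood_suspected(self, dst: str, max_half_open=100, min_complete_ratio=0.5) -> bool:
        """Flag dst when handshakes pile up half-open or mostly never complete (assumed thresholds)."""
        syns = self.stats[(dst, "syn")]
        if syns == 0:
            return False
        complete_ratio = self.stats[(dst, "established")] / syns
        return self.half_open_count(dst) > max_half_open or complete_ratio < min_complete_ratio

def demo(flood_size: int = 500) -> dict:
    """Constructed traffic: one legitimate client plus `flood_size` SYNs that never complete."""
    tracker = DsrFlowTracker()
    target = "203.0.113.10:443"                          # constructed server address
    good = "198.51.100.7:51000"                          # constructed legitimate client
    tracker.ingest(0.0, good, target, {"SYN"})
    tracker.ingest(0.1, good, target, {"ACK"})           # handshake completes
    tracker.ingest(0.2, good, target, {"PSH", "ACK"})    # request data
    for i in range(flood_size):                          # constructed SYNs; no ACK ever follows
        tracker.ingest(1.0 + i * 0.001, f"192.0.2.{i % 250 + 1}:{20000 + i}", target, {"SYN"})
    tracker.ingest(3.0, good, target, {"FIN", "ACK"})    # legitimate client closes
    before = tracker.half_open_count(target)
    tracker.expire(now=10.0)                             # every flood SYN is past SYN_TIMEOUT
    return {
        "half_open_before_expiry": before,
        "half_open_after_expiry": tracker.half_open_count(target),
        "expired": tracker.stats[(target, "half_open_expired")],
        "established": tracker.stats[(target, "established")],
        "flood_suspected": tracker.syn_flood_suspected(target),
    }
```

Because the SYN+ACK is never observed, the tracker can only infer that a handshake completed from the client’s third packet; that is why a bare ACK with no preceding SYN is counted separately rather than promoted to an established connection, and why the open-connection timer matters: without it, half-open entries from a flood would sit in the table forever and the ratio of completed handshakes would have nothing to expire against.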