DDoS (Distributed Denial of Service) attacks are among the most common attacks directed at computer systems and network services. Their aim is to occupy all of the target's available resources so that the whole service (for example, your website and hosted email) stops working on the Internet.
What is a DDoS attack?
A DDoS attack is carried out simultaneously from many places (many computers). Most of these computers have been taken over using special software (e.g. bots and Trojans), so their owners may not even know that their computer, laptop or other network-connected device is being used, without their knowledge, to conduct the attack.
The attack begins when all the compromised computers start targeting the victim's web service or system at the same time. The target is then flooded with bogus attempts to use the service (e.g. requests to load a web page or other requests).
Why does a DDoS attack cause service interruptions?
Each attempt to use the service (e.g. a request for a web page) requires the attacked computer to allocate resources (processor time, memory, network bandwidth) to handle it. With a very large number of such requests, the available resources are exhausted, and the result is an interruption or even a complete halt of the attacked system.
How to protect yourself from DDoS attacks?
DDoS attacks are currently the most likely threat to companies operating online, and their consequences go beyond the IT area: they also cause real, measurable financial and reputational losses. Attacks of this type are constantly evolving and becoming more precise. Their purpose is to consume all available resources of the network infrastructure or the Internet connection.
Protection services against DDoS attacks are offered on the Internet. Most often, such protection is activated by changing DNS records so that all HTTP/HTTPS traffic is directed through a filtering layer, where each packet and request is inspected in detail.
Advanced algorithms and properly defined rules then filter out malformed packets and attack attempts, so that only clean traffic reaches your server. DDoS protection companies have locations in different parts of the world, which lets them block attacks close to their source and serve static content from the nearest data center, reducing page load time.
DDoS attacks and extortion are a crime
The threat of a DDoS attack is sometimes used to blackmail companies, e.g. auction sites, brokerage firms and similar businesses, where an interruption of the transaction system translates directly into financial losses for the company and its clients. In such cases, the people behind the attack demand a ransom to call off or stop the attack. Such blackmail is a crime.
How to protect yourself from DoS/DDoS attacks
In simple terms, a DoS attack is malicious activity that aims to bring a computer system to a state in which it cannot serve legitimate users or perform its intended functions correctly. A "denial of service" condition is usually caused by software errors or by excessive load on the network channel or on the system as a whole. As a result, the software or the entire operating system of the machine "crashes" or ends up in a "looped" state, which means downtime, loss of visitors or customers, and financial losses.
Anatomy of a DoS attack
DoS attacks are classified as local and remote. Local ones include various exploits, fork bombs, and programs that open a million files at once or run an endless loop that eats up memory and processor time. We will not dwell on these. Let's take a closer look at remote DoS attacks, which are divided into two types:
Remote exploitation of software bugs in order to render the software inoperative.
Flood: sending a huge number of meaningless (less often meaningful) packets to the victim's address. The target of a flood can be the communication channel or the machine's resources. In the first case, the packet stream takes up the entire bandwidth and leaves the attacked machine no capacity to process legitimate requests. In the second, the machine's resources are consumed by repeated, very frequent calls to a service that performs a complex, resource-intensive operation, for example a long-running call to one of the active components (a script) of the web server. The server spends all of the machine's resources processing the attacker's requests, and legitimate users have to wait.
In the traditional form (one attacker, one victim), only the first type of attack is still effective. The classic flood is useless: with today's server bandwidth, computing power and the widespread use of anti-DoS techniques in software (for example, delays when the same client repeatedly performs the same action), a single attacker turns into an annoying mosquito that cannot inflict any damage.
But if there are hundreds, thousands or even hundreds of thousands of these mosquitoes, they can easily bring a server to its knees. A crowd is a formidable force not only in life but also in the computer world. A distributed denial-of-service (DDoS) attack, usually carried out using many zombified hosts, can cut off even the toughest server from the outside world.
The danger of most DDoS attacks lies in their complete transparency and "normality". A software error can always be corrected, but complete consumption of resources is an almost everyday occurrence. Many administrators face it when the machine's resources (or bandwidth) become insufficient, or when a website suffers the Slashdot effect (twitter.com became unavailable within minutes of the first news of Michael Jackson's death). And if you cut traffic and resources for everyone indiscriminately, you will be saved from the DDoS, but you will lose a good half of your customers.
There is no complete way out of this situation, but the consequences and effectiveness of DDoS attacks can be significantly reduced by properly configuring the router and firewall and by constantly analysing anomalies in network traffic. In the next part of the article, we will look at:
ways to recognize an incipient DDoS attack;
methods of dealing with specific types of DDoS attacks;
general advice to help you prepare for a DoS attack and reduce its effectiveness.
At the very end, we will answer the question: what to do when a DDoS attack has begun.
Fight against flood attacks
So, there are two types of DoS/DDoS attacks, and the most common is based on flooding, that is, overwhelming the victim with a huge number of packets. Floods come in different kinds: ICMP flood, SYN flood, UDP flood and HTTP flood. Modern DoS bots can use all of these types simultaneously, so you should take care of adequate protection against each of them in advance. Below is an example of how to defend against the most common type of attack.
HTTP flood is one of the most widespread flooding methods today. It is based on endlessly sending HTTP GET requests to port 80 in order to load the web server so heavily that it is unable to process any other requests. Often the target of the flood is not the root of the web server but one of the scripts that perform resource-intensive tasks or work with the database. In any case, abnormally fast growth of the web server logs is an indicator that an attack has begun.
Methods for dealing with HTTP flooding include tuning the web server and database to mitigate the impact of an attack, as well as filtering out DoS bots using various techniques. First, increase the maximum number of simultaneous connections to the database. Second, install the light and efficient nginx in front of the Apache web server: it will cache requests and serve static content. This is a must-have solution that not only reduces the effect of DoS attacks but also allows the server to withstand very high loads.
If necessary, you can use the nginx module that limits the number of simultaneous connections from one address. Resource-intensive scripts can be protected from bots by using delays, "Click me" buttons, setting cookies, and other tricks that check for "humanity".
In order not to end up in a hopeless situation when a DDoS storm hits your systems, you must carefully prepare them in advance:
All servers with direct access to the external network must be prepared for a quick and easy remote reboot. A big plus is a second, administrative network interface through which you can reach the server if the main channel is clogged.
The software used on the server must always be up to date: all holes patched, all updates installed (simple advice that many do not follow). This protects you from DoS attacks that exploit bugs in services.
All listening network services intended for administrative use must be hidden behind the firewall from anyone who should not have access to them. Then an attacker will not be able to use them for DoS or brute-force attacks.
At the approaches to the server (on the nearest router), a traffic analysis system should be installed, which makes it possible to learn about an attack in progress early and to take timely countermeasures.
Note that all these techniques aim to reduce the effectiveness of DDoS attacks that exhaust the resources of the machine. It is almost impossible to defend against a flood that clogs the channel with junk; the only correct, though not always feasible, way of fighting it is to "deprive the attack of meaning". If you have a really wide channel at your disposal that easily absorbs the traffic of a small botnet, you can consider your server protected from 90% of attacks.
There is a more sophisticated defense. It is based on a distributed network of many redundant servers connected to different backbones. When the computing power or channel bandwidth of one server runs out, all new clients are redirected to another server (immediately or gradually).
Another more or less effective solution is to buy hardware systems. Working in tandem, they can suppress an incipient attack, but, like most other solutions based on learning and state analysis, they fail.
It seems to have begun. What to do?
Before the attack proper starts, the bots "warm up", gradually increasing the flow of packets to the attacked machine. It is important to seize this moment and start taking action. Constant monitoring of the router connected to the external network helps here. On the victim server itself, you can detect the beginning of the attack with the tools already available.
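As an added example (not part of the original article), the following Python script implements the two indicators the text mentions for an HTTP flood: abnormally fast growth of the web server access log, and one source hammering a resource-intensive script. It parses constructed access-log lines in the combined format written by nginx and Apache; the threshold values and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (timestamp, client ip, path without query string), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("path").split("?")[0]

def detect_http_flood(lines, baseline_rps, window_s=10, growth=5.0, per_ip_limit=50):
    """Bucket requests into fixed windows and flag (a) windows whose overall rate exceeds
    growth x baseline (abnormal log growth) and (b) sources hitting one path more than
    per_ip_limit times in a window. Returns {bucket: (requests_per_second, [ips])}."""
    totals = defaultdict(int)
    per_source = defaultdict(int)  # (bucket, ip, path) -> hits
    for ts, ip, path in filter(None, map(parse_line, lines)):
        bucket = int(ts.timestamp()) // window_s
        totals[bucket] += 1
        per_source[(bucket, ip, path)] += 1
    alerts = {}
    for bucket, total in totals.items():
        rps = total / window_s
        offenders = sorted({ip for (b, ip, _), n in per_source.items()
                            if b == bucket and n > per_ip_limit})
        if rps > growth * baseline_rps or offenders:
            alerts[bucket] = (rps, offenders)
    return alerts

def make_sample_log():
    """Constructed traffic (not real data): a quiet minute of normal browsing,
    then one address hitting the search script 300 times within 10 seconds."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i in range(20):   # legitimate background traffic: one request every 3 s
        ts = (base + timedelta(seconds=3 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, path="/index.html", ua="Mozilla/5.0"))
    for i in range(300):  # flood: 30 requests per second against /search.php
        ts = (base + timedelta(seconds=60 + i // 30)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, path="/search.php?q=x", ua="bot/1.0"))
    return lines
```

Running `detect_http_flood(make_sample_log(), baseline_rps=0.5)` reports only the 10-second window in which the flood starts, at 30 requests per second with 203.0.113.7 as the offending source; on a real server, feed it the tail of the access log and derive the baseline from a quiet period.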