DDoS attacks and protection against them
Recently, the IT industry has seen a steady growth in distributed denial of service (DDoS) attacks. A few years ago, DDoS attacks were perceived as petty nuisances committed by novice attackers. They were relatively easy to eliminate. Unfortunately, defending against them has become more difficult today.
What is a DDoS attack?
DDoS is short for Distributed Denial of Service. Such threats are a subclass of denial-of-service (DoS) cyberattacks. A DDoS attack can be carried out using different methods. Its goal is to flood the target site with fake traffic.
Attackers generate a large amount of garbage traffic, which overloads the server and can even take it down. The server is forced to process this traffic and, as a result, can no longer serve real users.
An online DDoS attack is a type of cyberattack in which attackers try to cause websites or other online services to fail by overloading them with large numbers of requests.
DDoS attacks can cause serious problems for website owners and online services. They can make the site inaccessible, slow it down, cause data loss, and reduce customer confidence and the company's reputation. Therefore, protection against DDoS attacks is becoming increasingly important for online business owners.
A successful DDoS attack is a highly visible event that affects site owners and visitors alike. This makes it a popular weapon among hackers and extortionists.
DDoS attacks can occur in short bursts or repeatedly, but in either case, the impact on a site can last days, weeks, or even months.
How the attack works
The goal of a DDoS attack is not to break into a site and steal data, but to crash a server, an individual website, network equipment, or connected devices. To this end, attackers typically follow a scheme:
- Reconnaissance. They check the domain and collect data about the website, the server it is hosted on, the connected services and the security software. The method is chosen based on this.
- Sending garbage requests from all the devices controlled by the criminal group.
- Evaluating the results. If the goal is not achieved, the attackers can try other methods.
This is just a general scheme with basic steps. DDoS attacks are insidious and therefore difficult to detect. Attackers usually use three basic tactics:
- Spoofing. By default, IPv4 and IPv6 have no way to authenticate or trace the origin of traffic. Especially in IPv4 networks, it is quite easy to forge source and destination addresses.
- Reflection. The perpetrators want to hide any trace of their activity. To do this, they manipulate the behavior of public Internet services, including thousands of Domain Name System (DNS), Network Time Protocol (NTP) and Simple Network Management Protocol (SNMP) servers.
- Amplification. This tactic lets an attacker generate a large amount of traffic using a source multiplier. Amplification attacks do not require bots: the attacker sends a single spoofed packet that tricks a legitimate service into sending hundreds, if not thousands, of responses.
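As an added example (my code, not the article's), the script below looks at reflection and amplification from the victim's side: it scans a handful of constructed, NetFlow-like UDP flow records and flags a destination that receives large, unsolicited responses from many DNS, NTP or SNMP servers. The record format, the reflector-port list and the thresholds are assumptions of the example, not anything the article specifies.

```python
"""Added example (not from the article): victim-side detection of reflection
and amplification traffic over constructed, NetFlow-like UDP flow records.

Assumptions (mine, not the article's): a record is one UDP flow summarised as
'src_ip:src_port dst_ip:dst_port packets bytes'; the reflector-port list and
the thresholds below are illustrative heuristics.
"""
from collections import defaultdict
from dataclasses import dataclass

# Services the article names as common reflectors, keyed by well-known port.
# Large responses arriving FROM these ports without a matching request are
# the signature a victim sees during a reflection attack.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed sample using documentation address ranges only (RFC 5737).
SAMPLE_FLOWS = """
# src_ip:src_port dst_ip:dst_port packets bytes
203.0.113.10:40000 198.51.100.1:53 1 60
198.51.100.1:53 203.0.113.10:40000 1 500
192.0.2.11:53 203.0.113.10:3074 1200 1440000
192.0.2.12:53 203.0.113.10:3074 900 1080000
192.0.2.13:123 203.0.113.10:3074 3000 1440000
192.0.2.14:123 203.0.113.10:3074 2500 1200000
192.0.2.15:161 203.0.113.10:3074 50 6000
198.51.100.7:53 203.0.113.55:53211 2 160
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int

    @property
    def bytes_per_packet(self) -> float:
        return self.nbytes / self.packets if self.packets else 0.0


def parse_flows(lines):
    """Parse the text records into Flow objects, skipping blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, pkts, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), int(pkts), int(nbytes)))
    return flows


def detect_reflection(flows, min_reflectors=3, min_bytes_per_packet=400):
    """Return {victim_ip: summary} for destinations that receive large UDP
    responses from at least `min_reflectors` distinct reflector servers
    without having sent a corresponding request."""
    # Requests the local side really sent, so their replies are not flagged.
    sent = {(f.src_ip, f.dst_ip, f.dst_port) for f in flows
            if f.dst_port in REFLECTOR_PORTS}
    by_dst = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0})
    for f in flows:
        if f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in sent:
            continue  # solicited reply to a request we sent
        if f.bytes_per_packet < min_bytes_per_packet:
            continue  # small responses: not amplified
        rec = by_dst[f.dst_ip]
        rec["reflectors"].add(f.src_ip)
        rec["services"].add(REFLECTOR_PORTS[f.src_port])
        rec["bytes"] += f.nbytes
    return {dst: rec for dst, rec in by_dst.items()
            if len(rec["reflectors"]) >= min_reflectors}


def analyze_sample():
    return detect_reflection(parse_flows(SAMPLE_FLOWS.splitlines()))


if __name__ == "__main__":
    for victim, rec in analyze_sample().items():
        print(f"{victim}: {len(rec['reflectors'])} reflectors, "
              f"{', '.join(sorted(rec['services']))}, {rec['bytes']} bytes")
```

The solicited reply from 198.51.100.1 is excluded because a matching outbound request exists, and the small SNMP flow is excluded by the bytes-per-packet threshold; only the four large, unsolicited DNS/NTP responses converging on 203.0.113.10 are reported. On real flow data the same three conditions (reflector port, no matching request, large responses) are what distinguish an amplification flood from ordinary DNS or NTP use.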
As a result of a successful cyberattack, a server or website can stop processing legitimate requests, lose performance, or even become completely unavailable.
Classification of DDoS attacks
An attack operates at one or more layers of the OSI model, and these layers are used to classify DDoS attacks. They can be divided into two main categories: attacks at the application level and at the network level. Each of these types determines the parameters and behavior used during an attack, as well as its purpose.
- Network layer (L3). IP, DVMRP, ICMP, IGMP, PIM-SM, IPsec, IPX, RIP, DDP and OSPF are used. Attacks are aimed at switches and routers.
- Transport layer (L4). TCP and UDP, as well as DCCP, RUDP, SCTP and UDP-Lite, are used. These attacks target servers and various services, such as gaming.
- Application layer (L7). Usually uses HTTP, HTTPS and DNS. Attacks can target services, sites and applications.
By method of interaction, the following are distinguished:
- Attacks on protocol vulnerabilities, which deny service to legitimate requests.
- Overloading with traffic that the victim will not be able to handle.
- Attacks on weaknesses in the application architecture, which disrupt the functionality of the software system.
Classifying and understanding how threats work will help you choose an effective way to protect yourself.
What is a DDoS attack on an IP?
A DDoS attack on an IP (Internet Protocol) is a cyberattack that aims to take down a specific IP address, not necessarily associated with a website or network server. Unlike a classic DDoS attack, which aims to take down an entire website or network server, a DDoS attack on an IP is aimed at overloading a specific IP address with traffic, making it unavailable for normal use.
Often a DDoS attack on an IP is used to extort money from the owner of the attacked IP address, or to cut a competitor off from the network. Attackers can use various methods, such as SYN or UDP flooding, to generate a large volume of traffic aimed at a single IP address. This can make the IP address inaccessible to other users or services that depend on it.
How are the attacks arranged?
Attackers rarely invent new methods, so DDoS attacks follow a similar pattern.
Infrastructure-level (L3-L4) attacks are almost always designed to overwhelm network or application bandwidth. Attack vectors in this category include UDP flooding, SYN flooding, NTP amplification and DNS amplification attacks. Any of these can be used to prevent users from accessing servers. Such attacks are easy to detect.
Attacks at the application level
Application layer attacks (L6-L7) can represent either DoS or DDoS threats. Sending a large number of requests puts a strain on services. Attack vectors in this category include HTTP floods, slow attacks (such as Slowloris or RUDY) and DNS query attacks.
At the application level, mixed attacks (SYN + TCP Connect + HTTP flood + UDP flood) are common. They come from different directions, and they are quite difficult to detect.
Why are websites being attacked?
The main causes of DDoS attacks:
- unfair competition;
- blackmail attempts;
- conflicts in business.
Some novice hackers, wanting to hone their “skills,” launch attacks on resources where they have found vulnerabilities.
Damage from a DDoS attack carries financial and reputational risks. Site traffic drops, and recovery takes resources. If the company's website is frequently down, its reputation suffers.
Sometimes DDoS is just a cover. When the site is down and the technicians are busy restoring it, the attackers proceed to their main goal: stealing data, installing malicious code.
Who DDoS attacks target
Attacks hit a variety of resources. At particular risk are:
- government and financial institution websites;
- gaming portals;
- online movie theaters;
- online stores and marketplaces.
DDoS attacks can happen to any company. It is therefore worth being aware of the threat and being ready to take the appropriate steps to neutralize an attack.
How do I protect myself from a DDoS attack?
You’ve probably heard this many times, but prevention is the best way to protect yourself from any kind of cyberattack. A DDoS attack affects your networks differently than a malware or social engineering attack, so your response plan must take these nuances into account. Attacks on web applications with SSL encryption can be repelled with the Link11 solution.
The following steps will help protect against attacks and ensure the stable operation of the site.
Set up a firewall
Using a web application firewall (WAF) as a layer of protection between the host server and visitors ensures that malicious HTTP/HTTPS traffic is filtered and blocked. You can configure firewall rules to filter out malicious IP addresses and traffic sources. In addition, a good WAF will protect against SQL injection, XSS (cross-site scripting), RCE (remote code execution), RFU and other known attacks.
Blocking the country
Blocking visitors based on geolocation is usually effective in reducing risk. Most of the attacks on websites come from countries such as China, Russia and Turkey. WAF allows you to block them from interacting with your site.
Most botnets are built from thousands of compromised servers and IoT devices, so blocking a country can still keep thousands of bots from spamming the connection logs.
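To make the firewall and country-blocking sections concrete, here is an added example (my code, not the article's and not taken from any real WAF product) of a minimal per-client admission filter. Each request passes through an IP blocklist, a country block and a per-client token-bucket rate limit, in that order, which is the shape of the rules the two sections above describe. The prefix-to-country table stands in for a GeoIP lookup, "XX" is a placeholder country code, and the bucket size and refill rate are assumptions.

```python
"""Added example, not the article's code and not from any real WAF product:
a minimal per-client admission filter doing what the firewall rules above
describe.  Each request is checked against an IP blocklist, a country block
and a per-client token-bucket rate limit, in that order.

Assumptions (mine): the prefix-to-country table stands in for a GeoIP
lookup; 'XX' is a placeholder country code; bucket size and refill rate
are illustrative.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenBucket:
    capacity: float        # burst a single client may send at once
    refill_per_sec: float  # sustained rate allowed afterwards
    tokens: Optional[float] = None
    last: float = 0.0

    def allow(self, now: float) -> bool:
        if self.tokens is None:
            self.tokens = self.capacity
        # refill in proportion to elapsed time, never above capacity
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class AdmissionFilter:
    def __init__(self, blocked_nets, blocked_countries, geo, capacity=10, refill=1.0):
        self.blocked_nets = [ipaddress.ip_network(n) for n in blocked_nets]
        self.blocked_countries = set(blocked_countries)
        self.geo = geo  # constructed prefix -> country code map
        self.capacity, self.refill = capacity, refill
        self.buckets = {}

    def country(self, ip):
        for prefix, cc in self.geo.items():
            if ip.startswith(prefix):
                return cc
        return "??"

    def decide(self, ip, now):
        """Return 'block-ip', 'block-geo', 'rate-limited' or 'allow'."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked_nets):
            return "block-ip"
        if self.country(ip) in self.blocked_countries:
            return "block-geo"
        bucket = self.buckets.setdefault(ip, TokenBucket(self.capacity, self.refill))
        return "allow" if bucket.allow(now) else "rate-limited"


def simulate():
    """Constructed traffic: a 30-request burst within one second from one
    client, one request from a blocklisted network and one from a blocked
    country.  Returns a Counter of decisions."""
    waf = AdmissionFilter(blocked_nets=["198.51.100.0/24"],
                          blocked_countries=["XX"],
                          geo={"192.0.2.": "XX", "203.0.113.": "UA"})
    decisions = Counter()
    for i in range(30):
        decisions[waf.decide("203.0.113.9", 1000.0 + i * 0.01)] += 1
    decisions[waf.decide("198.51.100.4", 1001.0)] += 1
    decisions[waf.decide("192.0.2.1", 1001.0)] += 1
    return decisions


if __name__ == "__main__":
    print(dict(simulate()))
```

With a bucket of 10 tokens refilling at one per second, the 30-request burst gets 10 requests through and 20 rejected; the other two requests never reach the rate limiter because the cheaper blocklist and country checks run first. Ordering the checks by cost in this way is what keeps a filter useful under load.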
Regular monitoring of traffic is important to detect any peaks that hint at a DDoS attack. In most cases, these attacks are volumetric, network-level attacks (layers 3 and 4). Understanding what threats you are facing will help you prevent and respond to DDoS effectively.
To better detect and prevent DDoS, it is recommended to have monitoring tools and, of course, always check logs. Here are some indicators to help you determine if the traffic is legitimate or not:
- What time of day the visits took place. For example, do you expect your business to see a spike in traffic at 2:00 local time?
- Where the visits come from. If you sell coffee in Uzhgorod, do you really expect visitors from Indonesia?
- Seasonal surges. Keep in mind that around Black Friday or the New Year holidays there may be a genuine increase in visits.
Customers who buy hosting or a VPS from TutHost get convenient analytics tools.
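An added example (my code, not the article's and not TutHost's analytics tools) that applies the indicators above to a few constructed web-server access-log lines in the common log format: it reports addresses that exceed a per-minute request threshold, visits outside business hours, and visits from countries where the shop expects no customers. The IP-to-country table stands in for a GeoIP lookup, and the business hours, rate threshold and the log lines themselves are assumptions.

```python
"""Added example, not from the article or from TutHost's analytics tools:
apply the indicators above (time of day, origin, burstiness) to a few
constructed web-server access-log lines in the common log format.

Assumptions (mine): the prefix-to-country table is a constructed stand-in
for a GeoIP lookup; business hours and the per-IP rate threshold are
illustrative.
"""
import re
from collections import Counter
from datetime import datetime

# Common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

COUNTRY = {"203.0.113.": "UA", "198.51.100.": "ID", "192.0.2.": "ID"}  # constructed
EXPECTED_COUNTRIES = {"UA"}     # where a coffee shop in Uzhgorod expects customers
BUSINESS_HOURS = range(8, 22)   # local hours with real visitors (08:00-21:59)
RATE_LIMIT = 20                 # requests per IP per minute a human rarely exceeds


def parse_line(line):
    """Return a dict for a well-formed log line, or None for garbage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"),
            "status": int(m.group("status"))}


def country_of(ip):
    for prefix, cc in COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def analyze(lines):
    """Compute the three indicators over a list of raw log lines."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    per_minute = Counter((e["ip"], e["ts"].strftime("%Y-%m-%d %H:%M")) for e in events)
    bursty = {ip for (ip, _), n in per_minute.items() if n > RATE_LIMIT}
    off_hours = Counter(e["ip"] for e in events if e["ts"].hour not in BUSINESS_HOURS)
    foreign = Counter(country_of(e["ip"]) for e in events
                      if country_of(e["ip"]) not in EXPECTED_COUNTRIES)
    return {"total": len(events), "bursty_ips": bursty,
            "off_hours": off_hours, "foreign": foreign}


def sample_log():
    """Constructed lines: a 25-request burst from one address at 02:00 local
    time, a little daytime traffic, and one unparseable line."""
    lines = [f'198.51.100.7 - - [24/Nov/2023:02:00:{i:02d} +0200] "GET / HTTP/1.1" 200 512'
             for i in range(25)]
    lines += [f'203.0.113.5 - - [24/Nov/2023:10:15:{i * 10:02d} +0200] "GET /coffee HTTP/1.1" 200 2048'
              for i in range(3)]
    lines.append('192.0.2.9 - - [24/Nov/2023:14:00:00 +0200] "GET /cart HTTP/1.1" 200 1024')
    lines.append('this line is not an access-log record')
    return lines


if __name__ == "__main__":
    result = analyze(sample_log())
    print(f"{result['total']} requests; bursty: {sorted(result['bursty_ips'])}; "
          f"off-hours: {dict(result['off_hours'])}; foreign: {dict(result['foreign'])}")
```

On the constructed sample, one address trips all three indicators at once (a burst of 25 requests in one minute, at 02:00, from outside the expected country), which is the kind of convergence that separates a flood from a legitimate seasonal surge; a Black Friday peak would raise the request rate but would still arrive in business hours and from the expected region.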
Imagine your network is like a highway. If there is a traffic jam, you need a highway with more lanes. If you are under a DDoS attack, the best way to prevent it is to increase bandwidth and absorb more traffic.
Cloud anti-DDoS solutions
Moving to the cloud helps mitigate a DDoS attack, but does not eliminate the risk completely. Cloud services usually have more bandwidth than on-premises solutions, and some even offer mitigation assistance to clients. Cloud anti-DDoS protection engages automatically when suspicious activity begins.
One of the best solutions to neutralize attacks is to choose a reliable protection provider. Combined with reliable hosting, this significantly reduces the likelihood of a threat. The stability of your business depends on it.