
DDoS as a topical security issue for business

In recent months many Russian companies whose online services are critical to their business, including online stores, media outlets and financial institutions, have fallen victim to DDoS attacks. DDoS attacks are gaining popularity and have become commonplace for online businesses.
For those new to these attacks, we have prepared a brief overview of distributed denial of service attacks.
The purpose of a DDoS attack is to block access to an online resource for a period of time by flooding its channel with "junk" requests, so that the business incurs significant financial and reputational losses. The situation is aggravated by the fact that today anyone can organize a DDoS attack: it is cheap, and the people who carry them out can be found through search engines. This accessibility and simplicity put almost any company that has ill-wishers at risk. The number of victims varies with the geographical location and the field of activity of the companies. Even if attackers cannot completely cut users off from a company's information resources, partial unavailability is still a serious problem. Many organizations still do not consider these attacks a serious threat, yet an inaccessible site and failed transactions are just the tip of the iceberg. Where a system compromise lets attackers steal customer data and confidential information, a DDoS attack causes loss of reputation, an outflow of existing customers, and claims for services not provided.
What we mean by a DDoS attack:
DoS attack (Denial of Service): an attack aimed at denying service on a resource or channel;
DDoS attack (Distributed Denial of Service): a DoS attack carried out simultaneously from many sources.
DDoS attacks can be divided into three broad groups:
- Attacks on the channel: aimed at saturating the bandwidth. Hundreds of thousands of bots are commonly used.
- Protocol-level attacks: aimed at the limits of network equipment or at weaknesses in various protocols. Tens of thousands of bots are usually used.
- Application-level attacks (layer 7): aimed at vulnerabilities in applications and operating systems; they render a particular application, or the OS as a whole, inoperable. Hundreds of bots are commonly used.
Consider the main types of DDoS attacks:
ICMP flood (Smurf attack). The attacker sends a forged ICMP echo request to a broadcast address with the source address replaced by the victim's address. Every node on the segment then sends its reply to this ping request to the victim.
UDP flood. This type of attack uses the UDP protocol, whose characteristic features are that no session needs to be established and no response is required. Countless packets arrive at random ports on the target host, forcing it to check each time whether an application is listening on that port and, when there is none, to return an ICMP Destination Unreachable packet. Naturally, this activity consumes the host's resources and renders it inaccessible.
SYN flood. This type of attack attempts to open a large number of simultaneous TCP connections by sending SYN packets with a non-existent return address. After several attempts to send the SYN-ACK reply to the unreachable address, most operating systems keep the unfinished connection in a queue, and only after the nth attempt is the connection closed. Because the stream of incoming SYN packets is very large, the queue soon fills up and the kernel refuses to open any new connection.
HTTP flood. The attacker sends out small HTTP requests that make the server respond with far larger packets. An attacker thus has a good chance of saturating the victim's bandwidth and causing a denial of service.
Reflected DDoS attack with amplification. This attack is based on the UDP protocol, which is actively used by many important Internet services, in particular DNS (the well-known Domain Name Service) and NTP (the less well-known Network Time Protocol), although attacks using streaming services have also been seen. What matters most here is that there is no "handshake": the service does not check the sender's address, so anyone can send a UDP packet on behalf of any IP address. The attacker therefore sends a UDP packet to the service (usually DNS or NTP) on behalf of the victim, from the victim's IP address, and the service replies not to the attacker but to the victim. Hence the word "reflection" in the name. That alone would not be enough for a successful DoS attack, which is why the name also contains "amplification": DNS and NTP have a property that is convenient for the attacker, a multiplier. The attacker, on behalf of the victim, sends a 1 KB packet to the DNS or NTP server, and the server replies to the victim's address with a packet N times larger. This is the amplification mentioned at the start, so the name "reflected DDoS attack with amplification" accurately describes the technical essence of the phenomenon.
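From the victim's side, a reflected attack shows up as large UDP responses from DNS or NTP servers that nobody inside the network ever queried. The script below is an added example, not part of the original article: it reads constructed flow records (the column order is this example's own convention, standing in for a NetFlow/IPFIX export at the network edge), treats 203.0.113.0/24 as the protected network, and flags inbound UDP from a reflector port whose reversed 4-tuple never appears as an outbound request. A genuine answer always has a request in front of it; a reflected one does not.

```python
"""Flag unsolicited, amplified UDP responses (DNS/NTP reflection) in flow records.

Added example, not part of the original article. The flow records are
constructed to resemble one-line NetFlow/IPFIX exports taken at the protected
network's edge; the field order is this example's own convention.
"""
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors, as named in the article.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed sample flows: proto src_ip src_port dst_ip dst_port packets bytes.
# 203.0.113.0/24 plays the protected network; the other addresses are outside hosts.
SAMPLE_FLOWS = """\
udp 198.51.100.10 53    203.0.113.5   43111 2400 3120000
udp 198.51.100.11 53    203.0.113.5   43112 2200 2860000
udp 192.0.2.20    123   203.0.113.5   9000  5000 2440000
udp 203.0.113.5   51000 198.51.100.99 53    3    210
udp 198.51.100.99 53    203.0.113.5   51000 3    480
tcp 192.0.2.77    443   203.0.113.5   52200 40   38000
"""


def parse_flows(text):
    """Parse the whitespace-separated sample format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, sip, sport, dip, dport, pkts, nbytes = line.split()
        flows.append({
            "proto": proto, "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def find_unsolicited_reflections(flows, our_net, min_avg_bytes=400):
    """Return flows that look like reflected, amplified responses.

    A suspect is UDP traffic from a reflector service port (53, 123) into our
    network whose average packet size is large and for which no host of ours
    sent a matching request (the same 4-tuple reversed).
    """
    net = ipaddress.ip_network(our_net)

    def ours(ip):
        return ipaddress.ip_address(ip) in net

    # Every UDP request our hosts sent out, keyed by 4-tuple.
    outbound = {
        (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"])
        for f in flows if f["proto"] == "udp" and ours(f["src_ip"])
    }
    suspects = []
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        if not ours(f["dst_ip"]):
            continue
        if (f["dst_ip"], f["dst_port"], f["src_ip"], f["src_port"]) in outbound:
            continue  # our host asked for this; a legitimate answer
        avg = f["bytes"] / f["packets"]
        if avg >= min_avg_bytes:
            suspects.append({
                "reflector": f["src_ip"],
                "service": REFLECTOR_PORTS[f["src_port"]],
                "victim": f["dst_ip"],
                "avg_packet_bytes": round(avg),
                "bytes": f["bytes"],
            })
    return suspects


def bytes_per_victim(suspects):
    """Total reflected bytes aimed at each internal host."""
    totals = defaultdict(int)
    for s in suspects:
        totals[s["victim"]] += s["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = find_unsolicited_reflections(parse_flows(SAMPLE_FLOWS), "203.0.113.0/24")
    for s in found:
        print(f"{s['service']:3} reflector {s['reflector']:15} -> {s['victim']} "
              f"avg {s['avg_packet_bytes']} B/pkt, {s['bytes']} B total")
    print("per victim:", bytes_per_victim(found))
```

On the sample data the two DNS flows and the NTP flow are reported, while the 480-byte answer from 198.51.100.99 is ignored because the matching outbound query is present. The same "no request in front of the response" rule is what a stateful edge filter applies when it drops unsolicited DNS/NTP traffic, which is the practical mitigation on the victim side, alongside asking the upstream provider to rate-limit those source ports.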
Slow HTTP POST. The attack consists of sending a large HTTP POST request to the server in tiny pieces (1 byte at a time). Under the standard, the HTTP server must wait until the whole body has been received (the full length in bytes that the request declared) and may close the connection only on timeout. With many such slow connections the attacked server ends up holding a huge number of open connections, which drains its resources, above all the file descriptors open in the system. The advantage of this attack for the attacker is that it requires no large volume of traffic and is hard enough to detect.
Slow HTTP headers. Similar to the Slow HTTP POST method, except that the headers are sent slowly instead of the POST body. As with a Slow POST attack, the server waits for the headers to finish before closing the connection, which leads to a large number of open connections and, as a result, server overload. Such DDoS attacks are difficult to distinguish from ordinary requests over a slow connection.
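Both slow-HTTP variants leave the same trace on the server: connections that have been open for a long time, are still reading the request, and have received almost nothing. The snippet below is an added example, not part of the original article. It works on a constructed snapshot of open connections (remote address, seconds open, bytes received, parser state; the column layout is this example's own, standing in for what an operator would pull from the server's status page or from `ss -tani`) and distinguishes one genuinely slow client from an address that is holding many stalled connections at once.

```python
"""Find clients holding many long-lived, nearly idle HTTP connections.

Added example, not part of the original article. The snapshot below is a
constructed view of a web server's open connections; the column layout is
this example's own convention.
"""
from collections import defaultdict

# Constructed snapshot: remote_ip age_seconds bytes_in state
SAMPLE_SNAPSHOT = """\
203.0.113.9    95   12 reading_headers
203.0.113.9    97    8 reading_headers
203.0.113.9   101   15 reading_body
203.0.113.9    88    9 reading_headers
203.0.113.9   120   11 reading_body
198.51.100.4    3  640 reading_body
198.51.100.5   75   20 reading_headers
192.0.2.8       2 2100 complete
"""


def parse_snapshot(text):
    """Parse the sample format into one dict per connection."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, age, nbytes, state = line.split()
        conns.append({"ip": ip, "age": int(age),
                      "bytes_in": int(nbytes), "state": state})
    return conns


def stalled_connections(conns, min_age=30, max_bytes=64):
    """Connections still reading the request after min_age seconds with
    almost nothing received: the signature of a slow-header or slow-POST
    client (thresholds are this example's assumptions)."""
    return [c for c in conns
            if c["state"] in ("reading_headers", "reading_body")
            and c["age"] >= min_age and c["bytes_in"] < max_bytes]


def slow_http_offenders(conns, min_conns=3, **thresholds):
    """Map client IP -> number of stalled connections, for clients holding at
    least min_conns of them. A single slow connection is normal (a poor mobile
    link); many from one address are not."""
    per_ip = defaultdict(int)
    for c in stalled_connections(conns, **thresholds):
        per_ip[c["ip"]] += 1
    return {ip: n for ip, n in per_ip.items() if n >= min_conns}


if __name__ == "__main__":
    snapshot = parse_snapshot(SAMPLE_SNAPSHOT)
    print("stalled connections:", len(stalled_connections(snapshot)))
    for ip, n in slow_http_offenders(snapshot).items():
        print(f"{ip}: {n} stalled connections, candidate for a connection limit")
```

On the sample snapshot 203.0.113.9 is reported with five stalled connections, while 198.51.100.5, which has only one, is not. The corresponding server-side mitigation is to bound how long a request may take to arrive; in Nginx, for instance, `client_header_timeout` and `client_body_timeout` do exactly that, and a per-address connection limit caps how many such connections one client may hold.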
Fake Googlebots. A newer technique for DDoS attacks. Its main feature is the use of bots disguised as Googlebots, the Google search engine's crawlers that track the appearance and updating of web pages in order to index sites.
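A crawler's User-Agent string is free text, so the only reliable way to tell a real Googlebot from a bot wearing its name is the check Google itself documents: reverse-resolve the client IP, require the PTR name to end in googlebot.com or google.com, then forward-resolve that name and require the original IP to be among the answers. The script below is an added example, not part of the original article. The access-log lines and the DNS answers are constructed from documentation address ranges so that it runs offline; the `LookupResolver` and `SystemResolver` classes are this example's own.

```python
"""Verify that a client claiming to be Googlebot really is one.

Added example, not part of the original article. Applies the reverse-then-
forward DNS check that Google documents for its crawlers. Log lines and DNS
data below are constructed so the example runs offline.
"""
import re
import socket

# Host-name suffixes Google publishes for its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed access-log lines (combined log format); the last quoted field is the User-Agent.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /catalog HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /catalog HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.3 - - [10/Oct/2023:13:55:38 +0000] "GET /catalog HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET /catalog HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.77 - - [10/Oct/2023:13:55:40 +0000] "GET /cart HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
"""

# Constructed DNS data: PTR answers and forward (A) answers.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",      # genuine: PTR and A agree
    "203.0.113.7": "host7.example.net",                  # ordinary host, fake UA
    "198.51.100.3": "crawl-198-51-100-3.googlebot.com",  # PTR forged, forward lookup disagrees
    # 192.0.2.44 has no PTR record at all
}
A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "host7.example.net": ["203.0.113.7"],
    "crawl-198-51-100-3.googlebot.com": ["198.51.100.99"],
}


class LookupResolver:
    """Resolver backed by the constructed tables above (offline)."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name, [])


class SystemResolver:
    """Same interface, but using the real DNS via the socket module."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except socket.herror:
            return None

    def forward(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []


def is_verified_googlebot(ip, resolver):
    """Reverse lookup must land in a Google crawler domain and forward lookup
    of that name must contain the original IP; anything else is not Google."""
    name = resolver.reverse(ip)
    if not name or not name.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return ip in resolver.forward(name)


# Client IP is the first field; the User-Agent is the final quoted field.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')


def classify_googlebot_claims(log_text, resolver):
    """Map each IP that presents a Googlebot User-Agent to 'verified' or 'fake'."""
    verdicts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "Googlebot" not in m.group(2):
            continue
        ip = m.group(1)
        if ip not in verdicts:
            verdicts[ip] = "verified" if is_verified_googlebot(ip, resolver) else "fake"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_googlebot_claims(SAMPLE_LOG, LookupResolver(PTR, A)).items():
        print(f"{ip:15} {verdict}")
```

Only 192.0.2.10 passes: 203.0.113.7 has an unrelated PTR name, 198.51.100.3 has a PTR name in the right domain but the forward lookup points elsewhere (a PTR record is controlled by whoever owns the address block, so the forward check is what makes the test sound), and 192.0.2.44 has no PTR at all. Addresses classified as fake can be rate-limited or blocked at the front end without any risk to real search indexing, which is why this check belongs in the filtering layer rather than in a per-request DNS lookup in the application.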
There are many other types of attacks, and it often seems that the attackers' possibilities are endless. That is true only if you do nothing. Any company doing business on the Internet needs to protect itself from DDoS attacks, remembering that an attack costs the attacker less than fair competition would, and that the losses from an attack cost more than the defense.
You can protect yourself from DDoS attacks in different ways.
The first method, which companies usually resort to at the beginning, is self-defense, but this kind of measure can neutralize only the simplest attacks: installing Nginx as a front end and blocking the ICMP and UDP protocols can make life much easier for the service, but only up to a certain level.
The hosting provider or network service provider can also provide protection, but their capabilities are limited by the channel available to them, and neither of them will parse the high-level HTTP/HTTPS protocols.
Best practice is to use a cloud solution. However, a cloud that really protects against DDoS attacks must have the following properties:
- Distribution. There must be several geographically dispersed nodes in the cloud so that the failure of any one of them does not affect the service.
- Its own autonomous system and its own address blocks, from which a new IP address is allocated to the protected service, hiding its true location on the network.
- Global connectivity of the autonomous system with the Internet. Only backbone operators acting as cloud service providers can give customers protected by the cloud solution confidence that their traffic will not be lost, whatever attacks are carried out.
- Full automation of the filtering process. A good DDoS protection system has thousands of clients and hundreds of incidents per day, a volume that cannot be processed manually. Manual intervention produces errors, since a person has to decide quickly which filters to enable, and that does not always lead to the desired result.
- Permanent filtering should be the primary service, since any switchover using BGP or DNS means site downtime measured in tens of minutes and reveals the true location of the server.
- Use of MPLS (multiprotocol label switching) VPN technology as a backup connection between the protection system and the server. This keeps the server fully operational even if the data center's channels are completely clogged with traffic.
- Serving static content from a CDN.
The server itself should have a number of qualities that let it always be available to the client: the ability to withstand growth in legitimate load so as not to "fall over" during advertising campaigns, and to recover quickly once the filters are switched on. It is also important to understand that a certain share of bots (usually 1-2%) may slip through, and the server must be able to withstand that.
"One server, one service." The web server should be the only application on its server. Otherwise the attacker can learn its IP address, for example from an MX record (Mail Exchanger, one of the DNS record types, which indicates how e-mail is routed), or the web server can be knocked out by another service exhausting the processor. It is highly desirable to use a robust distributed DNS.
Whatever method of DDoS protection the company chooses, the main thing to remember is that you need to prepare for attacks in advance. In addition, the IT infrastructure must be sized to the company's business volume. This will help minimize damage and keep customer loyalty even in the busiest business season.