DDoS is great and terrible

    Did you know that according to research conducted by Arbor Networks, Verisign Inc. and some other companies:

    • about 2,000 DDoS attacks are observed daily;
    • an attack that can take a small company down for a week costs only $150;
    • about 2/3 of the study participants (63%) suffered from DDoS at least once during the year;
    • in addition to direct losses and lost user loyalty, attacks also hurt staff productivity;
    • 11% of respondents were attacked six or more times a year;
    • among those attacked over the past 12 months, 46% were down for more than 5 hours, and 23% for more than 12 hours;
    • approximately one third of all downtime incidents reported by respondents were caused by DDoS attacks.

    What is DDoS, is it possible to deal with it, and how can one prepare for it? I will briefly talk about this in this article.

    Who are you, DDoS?

    All DDoS attacks can be divided into three broad groups:

    • volumetric attacks;
    • protocol-level attacks;
    • application level attacks.

    In more detail, certain types of attacks will be discussed below, but for now - a small overview of the groups.

    Volumetric attacks

    This category of attacks aims to saturate the bandwidth; accordingly, attack strength is measured in bits per second. Various types of floods fall into this category: UDP, ICMP and other streams of spoofed packets. The strength of these attacks grows every year: if back in 2002 400 Mbit/s seemed out of the ordinary, now individual attacks exceed 100 Gbit/s and are able to knock out some smaller data centers.

    Perhaps the only way to deal with such attacks is filtering at the data center level (if it provides such a service) or specialized protection services. They have enough channel capacity and computing resources to absorb the volume and pass already filtered traffic on to the user's server. For picking off the remains of the spurious traffic, you can also use hardware protection.

    Protocol level attacks

    This category targets the limits of equipment or vulnerabilities in various protocols. Such attacks clog the resources of the server or of intermediate equipment (firewalls, load balancers, etc.) with spurious packets, as a result of which the systems are unable to process useful ones. Attack strength is measured in packets per second. This category includes SYN flood, Ping of Death, attacks with fragmented packets and others.

    At this level, hardware protection becomes significantly more effective. Algorithms specially developed by manufacturers of such devices help to sort and filter traffic. Naturally, any algorithms are imperfect, and some part of the spurious traffic will nevertheless break through to you, and some part of the useful may be lost. Third-party filtering services can also be quite effective.

    Application level attacks

    As the name implies, these attacks target vulnerabilities in applications and operating systems (Apache, Windows, OpenBSD, etc.). They render a particular application, or the OS as a whole, inoperable. Among such attacks: Slowloris, zero-day attacks and others. As a rule, such attacks consist of completely innocent-looking requests and bring down the web server. Intensity is measured in requests per second.

    This type of attack is the most damaging. They are extremely narrowly targeted, which lets them create very serious problems for the target at a low cost in the attacker's resources. Over the past 3-4 years this type of attack has become dominant, and a simple flood of HTTP GET requests is one of the most common kinds.

    To the arsenal for fighting this category of attacks, in addition to the above-mentioned external services and hardware protection, you can also add built-in software algorithms that analyze requests and create firewall rules based on the results of that analysis.

    A bit more

    There are many types of DDoS attacks, each with its own signature and methods of countering it. Not all attacks can be weakened or overcome. Sometimes it makes no sense to try, and it is easier to wait, sadly counting the losses. It is impossible to explain in detail the countermeasures for each type; one could write books about this and defend dissertations. However, I will try to describe the essence of the most common types of attacks and the basic principles for countering them.

    UDP flood

    This type of attack uses the simplest protocol, UDP. Its characteristic features are that no session needs to be established and no response is required. Countless packets arrive at random ports on the host machine, forcing it to constantly check whether an application is listening on a given port and, if not, to return an ICMP Destination Unreachable packet. Naturally, such activity absorbs the host's resources, leading to its unavailability. One of the simplest ways to at least partially protect yourself from this problem is to block UDP traffic (if your application does not require it, of course). Against larger attacks, hardware protection and filtering networks are suitable.

    ICMP flood

    Similar to UDP flood. Ping requests are sent to the host machine at maximum frequency, forcing it to send echo responses. An innocent tool for checking the availability of a network node becomes an evil devourer of system resources. That is why some system administrators completely block ICMP requests at the firewall level. The server or any other network equipment will remain perfectly reachable, but you cannot ping it.

    SYN flood

    This type of attack exploits one of the basic principles built into the TCP protocol: the three-way handshake. The machine initiating the connection sends a SYN packet to the host. The host responds with a SYN-ACK packet, to which the initiating machine must respond with an ACK packet. In a SYN flood, the ACK packet is never sent, so the connection hangs half-open for some time and is closed by timeout. Since the number of connections that a host can keep open at the same time is limited, sooner or later saturation occurs, and the host refuses to process useful packets.
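    To make the "limited connections plus timeout" argument concrete, here is an added example (not from the article): a small discrete-time model of a host's half-open connection table. The backlog size, timeout and arrival rates are assumed values chosen for the demo; the model ignores retransmissions and everything else a real TCP stack does. It shows the steady-state rule the paragraph implies: the table fills once the attacker can keep more half-open entries alive at any moment (rate times timeout) than the host has slots, and from then on legitimate clients are refused even though each of them would need a slot only for an instant. The two defender levers visible in the model are the timeout and the backlog size.

```python
from collections import deque


def simulate_syn_flood(backlog, timeout_s, attack_rate, legit_rate, seconds):
    """Discrete-time model of a host's half-open connection table (constructed, not a real stack).

    Each second `attack_rate` spoofed SYNs arrive; the host answers SYN-ACK and parks each in
    the table, where it sits until `timeout_s` seconds pass because the ACK never comes.
    `legit_rate` real clients also arrive; their ACK returns within the same second, so each
    only needs a free slot at that instant. Returns (accepted, refused, peak_half_open)."""
    half_open = deque()        # expiry times of attacker entries, in arrival order
    accepted = refused = peak = 0
    for t in range(seconds):
        while half_open and half_open[0] <= t:   # entries whose timeout elapsed are freed
            half_open.popleft()
        for _ in range(attack_rate):             # worst case: attacker's SYNs land first
            if len(half_open) < backlog:
                half_open.append(t + timeout_s)
        peak = max(peak, len(half_open))
        for _ in range(legit_rate):              # a real client needs a slot, briefly
            if len(half_open) < backlog:
                accepted += 1
            else:
                refused += 1
    return accepted, refused, peak


def saturates(backlog, timeout_s, attack_rate):
    """Steady-state rule the simulation illustrates: the table fills once the attacker keeps
    attack_rate * timeout_s entries alive at any moment and that reaches the backlog."""
    return attack_rate * timeout_s >= backlog


if __name__ == "__main__":
    # Assumed demo parameters: 256 slots, 10 s half-open timeout, 5 real clients per second.
    for rate in (20, 40):
        print(rate, "SYN/s:", simulate_syn_flood(256, 10, rate, 5, 30),
              "saturates:", saturates(256, 10, rate))
```

    With a 10-second timeout, 20 spoofed SYNs per second keep only 200 slots busy and every real client gets through; at 40 per second the 256-slot table is full after seven seconds and stays full, so every later real client is refused. Halving the timeout or doubling the backlog moves that boundary by the same factor.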

    MAC flood

    A very exotic type of attack, aimed mainly at network equipment. The attacker sends empty Ethernet frames with different source MAC addresses. The switch treats each such frame as a separate station and reserves a certain amount of resources for each of them. Saturation of these resources can cause the switch to stop responding, and in some cases leads to a complete failure of the routing table.

    Ping of Death

    This type goes by several names: Ping of Death, Teardrop and some others. Today it is no longer such a serious threat, but in the old days things were different. The maximum size of an IP packet is 65535 bytes. However, during transmission over the network the packet is split into fragments whose size corresponds to the window. By manipulating the resulting fragments, an attacker can make reassembly produce a packet exceeding the maximum size. This can overflow the allocated memory buffer and cause a denial of service for other packets.

    Slowloris

    A particularly sophisticated and narrowly specialized type of attack that lets relatively small resources (just one server) take down a web server without affecting other protocols. The attacking server tries to open as many HTTP connections as possible and keep them open as long as possible, gradually sending partial requests. The limit of simultaneous connections on the attacked server is exhausted very quickly, and it stops accepting useful requests. It is treated by catching and dropping such protracted connections.
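    The countermeasure named at the end of that paragraph, catching and dropping protracted connections, comes down to one rule on the server: a client that has not finished sending its request headers within a short deadline is disconnected without a response, so it cannot hold a connection slot indefinitely. The following is an added example and not code from the article: a minimal asyncio HTTP listener that enforces such a header deadline, plus two constructed clients run against it on localhost, one well-behaved and one that sends a partial header block and then stalls. The 0.5-second deadline, the 8 KiB header limit and the host/port are assumptions for the demo; production servers expose the same knob as a header or request timeout setting.

```python
import asyncio
import time

# Assumed values for this demo (not from the article): a client that has not finished
# its request headers within HEADER_TIMEOUT seconds is dropped without a response.
HEADER_TIMEOUT = 0.5
MAX_HEADER_BYTES = 8192
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


async def handle(reader, writer):
    """Serve one connection: read the headers under a deadline, then answer or drop."""
    try:
        # readuntil() waits for the blank line that ends the header block; wait_for()
        # bounds how long a trickling client may keep this slot occupied.
        await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), timeout=HEADER_TIMEOUT)
        writer.write(RESPONSE)
        await writer.drain()
    except (asyncio.TimeoutError, asyncio.IncompleteReadError, asyncio.LimitOverrunError):
        pass  # slow, truncated or oversized headers: close without responding
    finally:
        writer.close()
        await writer.wait_closed()


# Constructed client requests: the second one never sends the terminating blank line.
FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SLOW_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: 1\r\n"


async def _talk(port, request):
    """Send `request`, then collect whatever the server returns until it closes the socket."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    started = time.monotonic()
    writer.write(request)
    await writer.drain()
    data = await reader.read()  # returns b"" as soon as the server hangs up on us
    writer.close()
    await writer.wait_closed()
    return data, time.monotonic() - started


async def _demo():
    # The `limit` caps buffered header bytes, so an endless header line is also rejected.
    server = await asyncio.start_server(handle, "127.0.0.1", 0, limit=MAX_HEADER_BYTES)
    port = server.sockets[0].getsockname()[1]
    try:
        (fast, _), (slow, slow_elapsed) = await asyncio.gather(
            _talk(port, FULL_REQUEST), _talk(port, SLOW_REQUEST))
    finally:
        server.close()
        await server.wait_closed()
    return {
        "fast_response": fast,                       # complete request gets an answer
        "slow_response": slow,                       # stalling client gets nothing
        "slow_dropped_quickly": slow_elapsed < HEADER_TIMEOUT * 4,
    }


def run_demo():
    """Run the server and both clients on localhost and return what each client observed."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

    The stalling client is cut off about half a second after connecting instead of holding the slot until it chooses to finish, which is exactly what limits how many connections one Slowloris host can tie up at once.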

    Reflected Attacks

    In this type, packets with a spoofed source IP are sent to as many machines as possible. The machines' responses all flow to the victim's IP, overloading its server. One common example is the use of misconfigured DNS servers. The DNS servers are sent small requests supposedly from the victim's IP. The server's response is on average 10 times the size of the request. Thus an attacking server sending 100 Mbit/s of forged requests can bring down about a gigabit of spurious traffic onto the target.

    Service degradation

    The essence of this type is mass imitation of the actions of a real audience. The most primitive variant is frequent requests for the same page on the site. It is treated by temporarily replacing the page with an error message. More complex attacking systems will randomly crawl your site, requesting not only the HTML document but also all related images, scripts and style files. As a result, the zombie computers exhaust the server's resources and cause degradation (or, in everyday terms, "lag").

    The general principle of countering this is behavioral analysis and screening out suspicious IPs at the firewall level. For example, an increased request rate, identical navigation paths through the site from different IPs, or requests for HTML documents only look suspicious and indicate that such IPs should be blocked. However, the more sophisticated the algorithm in the attacking program, the harder it is to tell spurious traffic apart and the more false positives lock real users out of the resource. Not everyone will want to put up with that.
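    As an added example of the behavioral analysis just described (this is not the article's code, and the thresholds, the allowlist idea and the sample log are all choices made for the demo), the script below reads web-server access log lines in Common Log Format, scores every client IP on two of the signals named above, too many requests in a short window and fetching only HTML pages while never loading a page's scripts, styles or images the way a browser would, and turns the verdicts into firewall DROP rules. Known key customers are placed on an allowlist and never blocked, which is the answer to the false-positive problem the paragraph ends on. The three client addresses in the sample log are constructed from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format as written by Apache and nginx; the regex and thresholds are this example's own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
ASSET_EXTENSIONS = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff")


def parse_line(line):
    """Return (ip, unix_time, path) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("path")


def peak_requests(times, window_s):
    """Largest number of requests from one client inside any window of window_s seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window_s=10, max_requests=10, min_pages_only=8, allowlist=()):
    """Score each client IP; returns {ip: [reasons]} for IPs that behave like degradation bots.

    Signal 1: more than max_requests requests inside any window_s-second window.
    Signal 2: at least min_pages_only requests, none of them for static assets.
    Addresses in `allowlist` (known key customers) are never flagged."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)
    suspects = {}
    for ip, recs in by_ip.items():
        if ip in allowlist:
            continue
        reasons = []
        peak = peak_requests([ts for _, ts, _ in recs], window_s)
        if peak > max_requests:
            reasons.append(f"{peak} requests within {window_s}s")
        pages_only = all(not path.lower().endswith(ASSET_EXTENSIONS) for _, _, path in recs)
        if pages_only and len(recs) >= min_pages_only:
            reasons.append(f"{len(recs)} page requests and no static assets")
        if reasons:
            suspects[ip] = reasons
    return suspects


def firewall_rules(suspects):
    """Turn the verdicts into iptables DROP rules, one per flagged address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(suspects)]


def _line(ip, second, path):
    """Build one constructed CLF line; the timestamp minute is fixed, only seconds vary."""
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 1024'


# Constructed sample log: a browser-like visitor, a page-hammering bot, and a known customer.
SAMPLE_LINES = (
    [_line("203.0.113.10", 36, "/index.html"), _line("203.0.113.10", 36, "/css/site.css"),
     _line("203.0.113.10", 37, "/img/logo.png"), _line("203.0.113.10", 50, "/about.html")]
    + [_line("198.51.100.7", 36 + i, "/index.html") for i in range(12)]
    + [_line("192.0.2.25", 36 + i, "/catalog.html") for i in range(15)]
)
KEY_CUSTOMERS = {"192.0.2.25"}

if __name__ == "__main__":
    verdicts = analyse(SAMPLE_LINES, allowlist=KEY_CUSTOMERS)
    for ip, why in verdicts.items():
        print(ip, "->", "; ".join(why))
    print("\n".join(firewall_rules(verdicts)))
```

    Run against the sample, only the bot at 198.51.100.7 is flagged (on both signals); the customer at 192.0.2.25 hammers pages just as hard but is protected by the allowlist, and the normal visitor, who fetched CSS and an image along with two pages, is left alone.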

    Unintentional DDoS

    Actually, this cannot be called an attack. This type of DDoS occurs when a link to a website falls into, for example, a top news resource or a popular blog, causing a sharp increase in traffic, which the site is not ready for. A widely known example in narrow circles is the habraeffect. There is no need to deal with this; rather, you need to be glad that your site is growing. Well, it's time to think about an upgrade.

    Zero day attack

    This type includes attacks that are recorded for the first time. As in the case of new viruses, new bacteria and new parasites, it will take time to analyze the attack and find an effective medicine.

    Multi-vector attacks

    The most difficult type of attack. The attacking side uses several different types and tools of attack, which greatly complicates or even makes it impossible to identify the components and the selection of means of struggle.

    How accessible is it?

    Immensely accessible. Today there are many applications freely available on the Internet for conducting DDoS attacks. Some of them use attack mechanisms that are difficult to counter, while others let their users join a voluntary botnet, which makes it possible to use other people's resources for attacks while lending out one's own in return. At the same time, such seemingly amateurish attacks can be hard to withstand even for well-prepared commercial systems.

    Another way is to rent botnet resources. The Internet is full of sites offering such services at very symbolic prices: from $5 per hour, from $40 per day. For such, one might say, ridiculous money you can easily "order" your e-commerce competitors and inflict far more significant losses on them.

    Why is this needed?

    I think everyone knows the answer. The most common cause is unfair competition. The range of attacked sites and resources is extremely wide. Today it is not only financial institutions, gaming sites and online stores; there have been attacks even on government sites and pizza delivery services.

    The wide availability of attack tools is gradually moving them from the category of purely economic weapons into wider use, up to and including ideological struggle, popular protest, revenge by a customer offended by poor service, and plain Internet vandalism. Personally, I still find it hard to believe, but some reports claim that in recent years ideological hacktivism and Internet vandalism top the list, pushing competition down to lower positions.

    How to live with it?

    Together with our clients, we have repeatedly encountered DDoS of various types and sizes. Some attacks were cured with proper firewall settings on the server, while others required hardware or external filtering. It has happened that the data center simply null-routed the IP, because the incoming traffic volume suddenly exceeded the capacity of the uplink not only of the server, but of the entire rack. As a server rental provider, we hold to the policy that the user, and only the user, is the main party interested in the safety and availability of their data. Thus backups, timely patching of software security holes and having an agreement with a DDoS protection service are the sacred duties of anyone who cares about their project.

    However, we will be pleased to share some recommendations that we consider useful. If your project belongs to the categories of resources that most often come under attack, you should think about a few simple and obvious, but often ignored, steps that will help you, if not to protect yourself from attacks, then at least to reduce their negative impact.

    Explore your network. Any service has characteristic patterns of network use: types and volume of traffic, daily curve, etc. For example, adult sites are characterized by a smooth increase in traffic in the evening with a gradual decline after midnight, plus a small peak during the lunch break. Take the time to study these normal features and regularly monitor the current picture. Attacks rarely arrive at the flick of a switch; more often they come like a wave. It all starts with a small increase in activity, which soon begins to grow rapidly. If you can catch the beginning of the wave, you will have a chance to take action in advance.

    Know who to contact. You should know exactly who to contact if you are already under attack or feel it approaching. This can be an internal security department, a remote employee, a data center engineer, a security support service, etc. Shoveling through search results, reading reviews in a hurry, phoning or chatting with representatives of various services is the last thing you need when trouble has already arrived. By the time you select a contractor, the attack may already have resolved itself, and the question of having a guaranteed contact for help will again be postponed until the next critical situation. And so on ad infinitum.

    Work out an action plan. Despite all the characteristic Slavic spirit of spontaneity, critical business processes should be standardized and documented whenever possible. Having a "rescue service" contact is important, but your employees must know how to interact with it correctly and efficiently. If two or three people work on the project, you can simply agree on the sequence of actions verbally. But if you have a fairly large staff with round-the-clock network administrators on duty, it is best to have a brief step-by-step instruction written on paper and hung next to the fire evacuation plan. The employee on shift at the time of the attack may be poorly qualified or have no practical experience in solving such a problem, and it is important that he does not need to think hard and search for a solution.

    Conduct training alarms. This item is especially relevant if you have a sufficiently large and critical application. Factories (and not only factories) periodically conduct evacuation drills for fire or other disasters. DDoS is also a kind of natural disaster. Why not arrange periodic checks of how quickly critical situations are handled? This will strengthen skills and reveal weaknesses in the procedures. Adjusted for our mentality, these drills also need to be presented to employees properly, so that they are not perceived as "yet another corporate nonsense."

    Know what to block. Any service has a certain set of essential ports necessary for its operation. Block everything superfluous on the firewall in advance. This narrows the attack surface. If you have a specific list of key customers, take care to add their addresses to a predefined allowlist, so that in case of an attack you do not cut off their requests.

    Know where to block. Block traffic on the firewall or on the router? Connect hardware DDoS protection or an external traffic filtering service? If you prefer not to hand full protection to third-party services, but to carry out basic diagnostics and solve at least some of the problems yourself, do not forget to write down the diagnostic procedures and the rules of action for each situation as part of the remediation plan. This will spare you the trial-and-error method when there is absolutely no time for it.
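    The first of these steps, studying the normal daily curve and catching the beginning of the wave, is the one that can be automated, and here is an added example of doing so (not code from the article or its author). The hourly traffic curve, the seven "normal" days with a small wobble, and the attack day that starts climbing at 14:00 are all constructed for the demo. A per-hour median over past normal days gives a baseline that a single odd day cannot skew; today's counts are then compared to it. Two detectors run side by side: the classic alarm that fires only once load has been at least twice the baseline for two hours running, and a "rising edge" rule that fires as soon as the ratio to baseline has climbed three hours in a row, which is the early warning the text is after.

```python
import statistics

# Constructed "normal day" curve: hourly request counts for hours 0..23 with a lunch bump
# and an evening peak, in the spirit of the article's description. Not real traffic data.
BASELINE_CURVE = [80, 60, 50, 45, 45, 50, 70, 110, 160, 200, 220, 230,
                  260, 240, 230, 240, 260, 300, 360, 400, 420, 380, 300, 180]


def normal_day(day_index):
    """A past day of normal traffic: the curve with a deterministic +/-8% wobble."""
    return [round(c * (1 + 0.04 * (((day_index + h) % 5) - 2)))
            for h, c in enumerate(BASELINE_CURVE)]


def build_profile(history):
    """Per-hour median over several normal days; the median keeps one odd day from skewing it."""
    return [statistics.median(day[h] for day in history) for h in range(24)]


def ratios(profile, today):
    """How many times the usual load each hour carried."""
    return [today[h] / profile[h] for h in range(len(today))]


def detect_threshold(profile, today, factor=2.0, consecutive=2):
    """Classic alarm: load at least `factor` x baseline for `consecutive` hours running.
    Returns the hour the alarm fires, or None."""
    run = 0
    for h, r in enumerate(ratios(profile, today)):
        run = run + 1 if r >= factor else 0
        if run >= consecutive:
            return h
    return None


def detect_wave(profile, today, floor=1.2, consecutive=3):
    """Early warning: the ratio to baseline has climbed for `consecutive` hours in a row,
    each above `floor`. Fires on the rising edge, before the hard threshold is reached."""
    rs = ratios(profile, today)
    run = 0
    for h, r in enumerate(rs):
        rising = r > floor and (h == 0 or r > rs[h - 1])
        run = run + 1 if rising else 0
        if run >= consecutive:
            return h
    return None


# Constructed attack day: normal until 14:00, then load climbs hour by hour.
ATTACK_MULTIPLIER = {14: 1.3, 15: 1.8, 16: 2.5, 17: 3.5, 18: 5.0, 19: 6.0,
                     20: 6.0, 21: 5.0, 22: 4.0, 23: 3.0}
ATTACK_DAY = [round(c * ATTACK_MULTIPLIER.get(h, 1.0)) for h, c in enumerate(BASELINE_CURVE)]


def run_demo():
    """Build the baseline from a week of normal days and run both detectors on a quiet day and on the attack day."""
    profile = build_profile([normal_day(d) for d in range(7)])
    return {
        "quiet_day_threshold": detect_threshold(profile, normal_day(3)),
        "quiet_day_wave": detect_wave(profile, normal_day(3)),
        "attack_threshold_hour": detect_threshold(profile, ATTACK_DAY),
        "attack_wave_hour": detect_wave(profile, ATTACK_DAY),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

    On the constructed attack day the rising-edge rule fires at 16:00, an hour before the hard threshold does, while neither detector fires on a quiet day because the normal wobble never pushes the ratio above 1.2. The hour gained is the margin in which to call the contact from the next step and start the plan.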

    As I said, these steps are not a panacea, but they will help minimize downtime and losses. I would be grateful for any additions and recommendations from personal practice.

    A clean channel to you.
