DDoS - Thinking Aloud ...

    Hello, Habr readers. Today I decided to share with you my thoughts on DDoS attacks. I won't explain what it is - even a schoolboy, in my opinion, knows that today. In short, while once again fending off a sizeable attack by hooligans on one of my resources, I wondered whether I could offer this community of educated people a number of ideas for combating one of the most common forms of such attacks - HTTP flood.

    The essence of this attack is as follows - infected computers, controlled by a host server, generate a huge number of requests that show up in the log in the form:

    "GET / HTTP/1.1" XXX XXXX "


    The requests may, of course, target any existing page of the attacked resource, or a nonexistent one. Moreover, depending on how "educated" the botnet and its owners are, an attack can target several URLs at once and, depending on what the administrators of the attacked resource do, change tactics as it goes.


    Spotting such an attack is quite simple - it is clearly visible when viewing the web server logs "live". But repelling it (like any other kind of attack) is quite difficult, and the higher the intensity of the attack and the more infected computers taking part in it, the harder it is. Yes, there are many methods - both scripts running on the attacked server and specialized equipment installed in front of it. I will not describe those methods today. I want to write a little about another way of fighting back.

    When I worked for a fairly large telecommunications company, I realized that an ISP would have no trouble configuring its equipment to filter traffic. What I mean is this:

    • We monitor the traffic; when a uniform and large volume of requests flows from a client into the network, a pattern characteristic of DDoS attacks or even mass spamming, we discard the flood packets, thereby not loading our own network and saving the client from traffic overruns. Customer care, so to speak.
    • We warn about mass attacks as such. On the scale of one Internet provider this will not be very effective, but if a well-thought-out filtering system were introduced at least at the main backbone providers, life would become easier for us ordinary administrators of web resources.
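    The "uniform and large volume of requests from one source" pattern described above, and the log-based spotting mentioned earlier, can be checked mechanically. Below is an added example, not the author's code, that parses access-log lines in the common combined format (assumed layout) and flags source addresses whose request rate inside a sliding window and whose concentration on a single URL both exceed thresholds; the sample log is constructed, with documentation-range IPs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as nginx/Apache write it (assumed layout); the page's
# "GET / HTTP/1.1" XXX XXXX fragment is the request/status/bytes part of it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

def parse_line(line):
    """Return (ip, timestamp, url) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("url")

def find_flooders(lines, window_s=10, min_requests=50, min_same_url_ratio=0.9):
    """Flag sources sending >= min_requests within some window_s-second span with
    >= min_same_url_ratio of them aimed at one URL. Returns {ip: (peak, top_url)}."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, url = parsed
            per_ip[ip].append((ts, url))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        start = peak = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        top_url, top_n = Counter(u for _, u in events).most_common(1)[0]
        if peak >= min_requests and top_n / len(events) >= min_same_url_ratio:
            flagged[ip] = (peak, top_url)
    return flagged

def sample_log():
    """Constructed sample: one bot hitting "/" 60 times in 10 s, one ordinary visitor."""
    fmt = '{ip} - - [10/Oct/2010:13:55:{s:02d} +0000] "GET {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    bot = [fmt.format(ip="203.0.113.7", s=i // 6, url="/") for i in range(60)]
    pages = ["/", "/news", "/about", "/contact", "/news"]
    human = [fmt.format(ip="198.51.100.2", s=5 * i, url=p) for i, p in enumerate(pages)]
    return bot + human + ["garbage line that does not parse"]
```

Running `find_flooders(sample_log())` flags only 203.0.113.7 with 60 requests in the window, all to "/"; the thresholds are starting points to tune against a site's normal traffic, since a busy proxy or crawler can also look uniform.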


    Now the most important thing - the ethical and legal side of my proposals. Yes, we have no legal basis for these measures, and from the point of view of an ordinary user of Internet services they will hardly be delighted to learn that part of their traffic can simply end up in the "trash can", since the end user of these services usually does not even suspect that his computer has become part of a huge botnet. Providers' support services will get more work - today it is far from everywhere that a client is notified that virus traffic is coming from him. How to deal with "Chinese" traffic is also a difficult question - it has to be filtered on the backbones, because according to my own data from analyzing flood traffic, 40-60% of it comes from China.

    But sooner or later we will come to this anyway.

    Thanks for your attention!
