This article covers the basics of DoS / DDoS attack protection and how to reduce its risk.
DDoS-attack is short for Distributed Denial Of Service Attack. The main characteristic of this type of computer crime is that the criminals are not intended to enter into a protected computer system to steal or destroy data. The main purpose of this attack is to paralyze the attacked site. DDoS-attack is a derivative of DoS and differ only a large number of requests to the server with a different IP address. This is why criminals collect their chain Trojans infected computers and cause them to turn to the server, making it not withstand such loads. The first reports of DDoS-attacks were known in 1996.
In most cases, global attack leads to financial losses on the part of the attacked. For example, if a commercial site will drop for a few hours, then it would damage the business, and if for a week, then the owner of the resource may well go under.
Denial of service can be made in two ways: using software vulnerabilities of victims and by sending a large number of specifically composed of network packets (flood). The first method consists in that using the buffer overflow vulnerabilities, by sending the code to the server that performs DoS. Since the attack will be “inside”, then after a very short time the object will be “frozen” or is disconnected from the Internet. This method does not require large computational resources hitter, but this attack uses security vulnerabilities, which in itself complicates the task. The second method is by using of brute force, which practically does not require any special skills. The idea is to send as many as possible requests to the server (those requests also could be the huge number of normal packets, such as GET-requests for HTTP-server hosts.) The fact that the server receives a data packet that is processed by the server. If a packet arrives, but the server is busy receiving or processing of another package, then coming back a request is put in place, taking up part of the system’s resources. In carrying out DoS-attack server sends a large number of packets of a certain size. In this case, the server’s response is not expected. As a result, due to the fact that the server is overloaded with information, it is either disconnected from the Internet, or “frozen”. In any case, normal users some time can not use the services of the affected server.
Schematically, DDoS-attack looks like this: on the selected server as a victim collapses a huge amount of false requests from multiple computers from different parts of the world. As a result, the server spends all its resources to service these requests and is virtually inaccessible to ordinary users. Cynicism of the situation lies in the fact that users of computers to which requests are sent are false, may not even be aware that their machine is being used by hackers. Programs installed by hackers on these computers are called “zombies” (examples of such programs could be Trojans). Perhaps this preparatory stage is the most time-consuming for an attacker.
Most often, attackers during the DDoS-attacks are using three-tier architecture, which is called “cluster DDoS”.This hierarchical structure includes:
- management console (there may be several), ie it is the computer from which the attacker sends a signal the start of an attack;
- mainframe computers. These are the machines that receive the signal of an attack with a control console and transmit it to the agents, “zombies.” One management console, depending on the size of the attack, can account for up to several hundred of hosts;
- Agents are directly called “zombie” computers, their requests are attacking a target node.
DDoS software was originally produced in a DDoS “peaceful” purposes and used for experiments on the network bandwidth and their resistance to stresses. Over the years, this software is constantly being modified. For more detailed understanding of DoS-attacks, I will review five most popular types of DDoS-attacks:
- UDP flood – sending to the address of the target multiple packets UDP (User Datagram Protocol). This method was used in earlier attacks and is now considered the least dangerous. Programs that use this type of attack are easily detected, as in the exchange of a master controller and agents are used unencrypted protocols TCP and UDP.
- TCP flood – sending to the address of the target set for TCP-packets, which also leads to the “binding” of network resources.
- TCP SYN flood – sending a large number of requests for initializing TCP-connections with the target node, which, as a result, have to spend all their resources to track these half-open connections.
- Smurf-attack – ping requests ICMP (Internet Control Message Protocol) address directed broadcast packets using the query fake source address as a result turns out to be the target of attack.
- ICMP flood – attack, similar to Smurf, but without the use of mailing lists.
The most dangerous are the programs that use multiple types of attacks described. They are called TFN and TFN2K and require a high level of training. One of the latest software for organizing DDoS-attacks is Stacheldracht (barbed wire), which allows you to organize a variety of types of attacks and avalanches broadcast ping requests with encrypted communications between controllers and agents.
Of course, in this review I’ve covered only the most well-known programs and methods of DDoS. In fact, a much wider range of programs and is constantly updated. For the same reason, it would be naive enough description of universal reliable methods of protection from DDoS-attacks. Generic methods do not exist, but the general guidelines to reduce the risk and minimize damage from attacks include such measures as the competent configuration features anti-spoofing and anti-DoS on routers and firewalls. These features limit the number of half-open channels, preventing overload the system.
Here are several ways you can protect yourself against DoS attacks
- Filtering is method in which blocking outbound traffic from the attacking machines. This can be handled with the help of .htaccess file located in your root folder on the server. Or, it can be achieved by having the correct settings in the control panel (such as Cpanel). If you are unable to use them, you should consult your administrator. If you are the administrator of the site pay attention to the specialized software or option with the acquisition of more reliable servers that can tolerate minor or moderate attacks on the site without serious consequences.
- Eliminating vulnerabilities is often the result of successful DDoS attacks. It may be the damage of your database such as MySQL, or even the loss of data on the server. However, remember to create copies of data for enhances security.
- At the server level, it is desirable to have the output of the console server to another IP-address on the SSH-protocol for remote restart the server.
- Another fairly effective method of combating DDoS-attacks is masking IP-address.
- Creating a mirror site is a very common way to “stay afloat.” Make sure that the site is hosted on multiple servers, the second of which is an exact replica of the first, and is available with a domain as the mirror. A very good solution, but it requires quite deep knowledge of the administration of the site.
- The response to DoS or DDoS attack. Cause and effect is clear.
- The introduction of specialized equipment to repel DoS-attacks: DefensePro ® or Radware, Arbor Peakflow and others.
- A very important part in this regard is prevention is the software that should be capable of “patching” against all kinds of “holes.”