Table of contents
Distributed Denial of Service - or a distributed denial of service attack - has long been known and, unfortunately, a common phenomenon on the network. A site subject to DDoS ceases to function normally, and its owner loses profit. The reputation of the company suffers - users are unlikely to like it if they see an error message instead of the requested page when they access the resource. All this is unpleasant. But the problem can be dealt with. In this article, we will talk about the most effective solutions.
How it works
The server cannot process an infinite number of user requests at the same time. If the request limit is exceeded, the server response time will slow down significantly or the connection will be completely interrupted. The vulnerability also lies in the limited bandwidth of the gateway connecting the server to the external network.
To create an artificial load, hackers create botnets, or zombie farms - networks of computers that, at the command of the “owner”, simultaneously try to open the attacked resource.
The main principle of DDoS attacks, reflected in the name itself, is distribution. Unlike DoS, when a server is attacked from a single point, a DDoS attack involves many disparate devices that can be scattered around the world.
Computers or smartphones usually end up in a botnet after being infected with viral Trojans distributed through links in emails or private messages on websites and social networks. The attacker gains control over the victim's device and can give him orders at any time. In recent years, the so-called “Internet of Things” – smart refrigerators, washing machines, and other equipment – has been increasingly connected to attacks. There are still many vulnerabilities in their systems. But manufacturers are actively working to eliminate the weaknesses of network devices.
Sometimes a site can go down without the intervention of hackers. For example, if a company ordered advertising integrations from well-known bloggers and did not prepare its resource for a sharp influx of traffic from real users.
Types of DDoS attacks
Denial of service is achieved in a variety of ways. Let's describe the most common of them.
Ping of death
Deprecated type of threat. Associated with sending a request that exceeds the allowed size in bytes. Now this type of attack is not relevant, since the sizes of sent packets are checked during assembly. Too “heavy” are marked as incorrect and rejected by the system.
Generation of "fake" SYN packets to communicate with the server. When a response is received, the user's IP ignores it and sends a new request. Thus, the server is flooded with a large number of unprocessed requests for response ACK packets, its work slows down or stops completely.
Sending multiple HTTP GET and POST requests. As a rule, the appeal goes to the heaviest parts of the site. In the case of a POST request, the maximum possible amount of data is sent to the server.
UDP, DNS and VoIP Flood
Attacking the victim's network ports via UDP packets, DNS server, or VoIP. The principle is similar - sending a lot of requests that the site cannot physically process.
Hacking a site through public DNS servers. When accessing these servers, the sender's IP address is replaced with the address of the attacked resource. Thus, the site receives many response requests from public servers at once - usually with a large amount of data.
Loading the memory allocated on the server with "garbage" - logs, fake comments, etc. In this way, you can fill the entire disk if there is no limit on the amount of information loaded.
Hacking CGI scripts
Scripts that use the Common Gateway Interface - or in a simple way - a common gateway to communicate with external software, are vulnerable. Having gained access to CGI, a hacker can rewrite the program code in such a way that it will completely consume the resources of the service - time for processing requests or allocated RAM.
Using security signals
Submit a false warning message, after which the security system temporarily blocks access to the resource.
Insufficient data validation
In the absence of a proper check of the characteristics of received packets, the system is artificially overloaded.
Servers that associate a site's IP address with its URL also have vulnerabilities. If such a server is not available, users will not get to the site. Using the Fast Flux DNS method, attackers can covertly conduct activities to create and manage a botnet.
Who and why becomes a victim
There are several reasons for a resource to fall under a hacker attack.
- The intrigues of competitors.
If your site goes down for a while, competitors can benefit from it. Some businesses deliberately resort to such a black method of dealing with market neighbors.
- Political motives.
The websites of government and non-profit organizations are often attacked. As a rule, structures or people of opposite views and ideas are behind this.
- “Sports” interest.
Single hackers or special hacker groups can hack a resource they like just for fun or to show others their abilities and skills.
Attackers often demand money from site owners to stop the attack and restore the resource.
- Personal conflict.
Attack on a website can be revenge on a corporation or even an entire state.
There are several notorious hacker groups online like Anonymous and LulzSec, known for attacking government websites or media giants like FOX and Sony.
The following types of sites on the network are under the greatest threat:
- large online stores;
- websites of government agencies;
- corporations with broad public influence;
- Media and information portals;
- medical organizations;
- financial corporations;
- cryptocurrency platforms;
- online games.
How to understand that the site is under DDoS attack
A DDoS attack doesn't always mean the site is down in a matter of seconds. On the contrary, as a rule, the webmaster has the opportunity to notice something is wrong and take the necessary actions. You should be wary if:
- small but regular failures in the network infrastructure;
- traffic is growing rapidly - for no apparent reason and does not match your target audience geographically and demographically;
- requests coming to the server or other network devices are of the same type and come in bulk from different sources;
- Users perform many repetitive actions - submitting forms, uploading files, etc.;
- Security systems can signal increased load on specific network nodes.
Depending on the size of the company and the duration of the attack, a business can lose tens or hundreds of thousands of dollars as a result of a DDoS. In addition, the reputation of the company suffers, which leads to losses in the future. In general, a distributed attack poses a greater risk for a company than a virus infection of the network infrastructure or unauthorized access of third-party users to confidential information.
How to protect yourself
In order not to lose profits, not to lose the trust of customers, it is necessary to take preventive measures against hacker attacks on your site.
- Be careful about the installed software - CMS, hosting manager, firewall, etc. They should not have loopholes and weaknesses. Read the reviews of experts about the programs, conduct your own tests.
- Update the software periodically, otherwise it may become vulnerable.
- Protect the privacy of your company's IT infrastructure. Use strong passwords. Grant administrative access only to those employees who really need it. Remove obsolete accounts.
- Check the system for vulnerabilities. Stay tuned for professional cybersecurity publications.
- Allow access to the administration panel only from the intranet or through a VPN service.
- Use an access control list that clearly defines the officials and their rights to control the system or a specific software/file.
- Use a firewall to check the credentials of users making requests.
- Put captcha or reCaptcha on all interactive forms on the site, set the time check for completion.
- Purge your DNS cache regularly
- Store data not on one, but on several unrelated servers. So you will have a physical backup of resources, which will allow you to continue the stable operation of the site in a critical situation.
- With the help of experts, configure the system so that it strikes back at the attacker's resources. This is called the reverse attack principle.
- Set up a distributed content delivery network (CDN). Using many separate servers, such a network evenly distributes the load and provides users with quick access to the resource.
- Use robust hardware security to control access, encrypt information, and handle temporary files. Well-known companies from this field are Cisco, CloudFlare, Qrator.
- Find out what measures your hosting provider is taking to prevent cyberthreats. Choose a service provider with 24/7 technical support.
- Make sure that the DNS server has enough resources to process requests - it is desirable that they be several times more than you need according to statistics in normal operation.
- Monitor DNS servers for suspicious activity whenever possible.
DDoS attacks pose a tangible threat to businesses, despite the development of protection tools and the vigorous activity of the cyberpolice. In order not to lose money and customer loyalty, companies need to take care of the security of their IT infrastructure in advance. Financial organizations, online stores and socio-political structures are most at risk.
If an attack still occurs, you should immediately contact the technical support of the hosting provider or your system administrator. Specialists will take measures to limit malicious traffic and restore server resources.