DDoS attack - what is it? DDoS attack program. The FSB has opened a criminal case regarding a massive DDoS attack on Russian banks. How to protect yourself from flooding

An attack during which users cannot reach certain resources is called a DDoS attack, short for Distributed Denial of Service. The defining feature of such attacks is simultaneous requests from a large number of computers around the world, directed mainly at the servers of well-protected companies or government organizations and less often at individual non-commercial resources.

A computer that has been infected becomes a kind of “zombie,” and hackers, using several hundred or even tens of thousands of such “zombies,” bring the target's resources to failure (denial of service).

There can be many reasons for DDoS attacks. Let's try to identify the most common ones and, at the same time, answer the questions: “What is a DDoS attack, how do you protect yourself from it, what are its consequences, and by what means is it carried out?”

Competition

The Internet has long been a source of business ideas, large projects and other ways of earning considerable money, so a DDoS attack can be carried out to order. That is, if an organization wants to get rid of a competitor that has appeared, it can simply turn to a hacker (or a group of them) with a simple task: paralyze the unwanted company's work through its Internet resources (a DDoS attack on a server or website).

Depending on the specific goals and objectives, such an attack is arranged for a certain duration and with a corresponding amount of force.

Fraud

Quite often a DDoS attack on a website is organized on the hackers' own initiative, in order to block the system and gain access to personal or other important data. After the attackers paralyze the system, they may demand a certain sum of money to restore the functionality of the attacked resources.

Many Internet entrepreneurs agree to the terms put forward, justifying their decision by the downtime and the colossal losses they are incurring: it is easier to pay a scammer a small amount than to lose significant profits for each day of downtime.

Entertainment

Many users, simply out of curiosity or for fun, wonder: “What is a DDoS attack and how is it done?” So it is not uncommon for novice attackers, for fun and as a test of strength, to organize such attacks on random resources.

Alongside their motives, DDoS attacks have their own classification.

  1. Bandwidth. Today almost every workplace computer is either on a local network or connected directly to the Internet, so network flooding is common: a large number of malformed, meaningless requests is directed at a specific resource or piece of equipment with the aim of making it fail (or exhausting its hard drives, memory, etc.).
  2. System exhaustion. This DDoS attack (for example, on a Samp server) is carried out to seize physical memory, CPU time and other system resources, without which the attacked object simply cannot work fully.
  3. Looping. Endless data checks and other loops that run in a circle make the target waste a large amount of resources, clogging memory until it is completely exhausted.
  4. False attacks. Here the aim is to falsely trigger protection systems, which ultimately leads to the blocking of some resources.
  5. HTTP protocol. Hackers send low-volume HTTP packets with special encryption; the resource naturally does not see that a DDoS attack is being launched against it, and the server program, doing its job, sends back packets of much larger volume, clogging the victim's bandwidth, which again leads to the failure of services.
  6. Smurf attack. This is one of the most dangerous types. The hacker sends a forged ICMP packet to the victim via a broadcast channel, with the victim's address substituted for the attacker's, and all nodes begin sending replies to the ping request. This DDoS attack exploits large networks: a request processed by 100 computers is amplified 100 times.
  7. UDP flood. This type of attack is somewhat similar to the previous one, but instead of ICMP packets the attackers use UDP packets. The essence of the method is to substitute the victim's IP address for the hacker's and fully load the bandwidth, which likewise leads to a system crash.
  8. SYN flood. Attackers try to open a large number of TCP connections simultaneously by sending SYN packets with an incorrect or completely missing return address. After several such attempts, most operating systems queue the problematic connection and close it only after a certain number of retries. The flow of SYN packets is quite large, and soon, after many such attempts, the victim's kernel refuses to open any new connection, blocking the entire network.
  9. “Heavy packets.” This type answers the question: “What is a DDoS attack on a server?” Hackers send packets to the user's server that do not saturate the bandwidth; the action is aimed only at processor time. As a result, such packets lead to a failure in the system and, in turn, of its resources.
  10. Log files. If the quota and rotation system has security holes, attackers can send large packets, thereby taking up all the free space on the server's hard drives.
  11. Program code. Hackers with extensive experience can study the structure of the victim's server in full and launch special algorithms (a DDoS attack as an exploit program). Such attacks are mainly aimed at the well-protected commercial projects of enterprises and organizations in various fields. Attackers find holes in the program code and execute invalid instructions or other exceptional algorithms that cause the system or service to crash.

DDoS attack: what is it and how to protect yourself

There are many methods of protecting against DDoS attacks, and all of them can be divided into four groups: passive, active, reactive and preventive. We discuss them in more detail below.

Prevention

Here we need to forestall the very causes that could provoke a DDoS attack. These include personal hostility, legal disputes, competition and other factors that attract “increased” attention to you, your business and so on.

If you react to these factors in time and draw the appropriate conclusions, you can avoid many unpleasant situations. This method is more a matter of management than of the technical side of the question.

Response measures

If attacks on your resources continue, you need to find the source of your problems - the customer or the contractor - using both legal and technical leverage. Some companies offer services to track down intruders by technical means. Depending on the qualifications of the specialists involved, it is possible to find not only the hacker carrying out the DDoS attack but also the person who ordered it.

Software protection

Some hardware and software manufacturers, alongside their products, offer quite effective solutions with which a DDoS attack on a site is stopped in the bud. A separate small server dedicated to countering small and medium-sized DDoS attacks can act as a technical defender.

This solution is well suited to small and medium-sized businesses. For larger companies, enterprises and government agencies there are entire hardware systems for combating DDoS attacks which, along with a high price, have excellent protective characteristics.

Filtering

Blocking and carefully filtering incoming traffic will not only reduce the likelihood of an attack; in some cases a DDoS attack on the server can be ruled out completely.

There are two main ways to filter traffic: firewalls and routing with access control lists.

Filtering using lists (ACLs) allows you to filter out unimportant protocols without disrupting TCP or reducing the speed of access to the protected resource. However, if hackers use botnets or high-frequency queries, this method will be ineffective.

Firewalls protect against DDoS attacks much better, but their one disadvantage is that they are intended only for private and non-commercial networks.

Mirroring

The essence of this method is to redirect all incoming attacker traffic back to its source. This can be done by having powerful servers and competent specialists who will not only redirect traffic but will also be able to disable the attacker's equipment.

The method will not work if there are errors in system services, program code and other network applications.

Search for vulnerabilities

This type of protection is aimed at patching exploits, eliminating errors in web applications and systems, and in other services responsible for network traffic. The method is useless against flood attacks that are aimed specifically at these vulnerabilities.

Modern resources

This method cannot guarantee 100% protection. But it allows you to more effectively carry out other measures (or a set of them) to prevent DDoS attacks.

System and resource allocation

Duplicating resources and distributing systems allows users to keep working with your data even if your server is under a DDoS attack at that moment. For distribution you can use various server or network equipment, and it is also recommended to physically separate services across different duplicate systems (data centers).

This method of protection is the most effective today, provided that the correct architectural design has been created.

Evasion

The main feature of this method is to move the attacked object (domain name or IP address) out of the line of fire and separate it: all working resources located on one site must be divided and placed on third-party network addresses, or even in the territory of another state. This will allow you to survive any attack and preserve your internal IT structure.

Services for protection against DDoS attacks

Having said everything about such a scourge as the DDoS attack (what it is and how to deal with it), we can finally give one piece of good advice. Many large organizations offer services to forestall and prevent such attacks. As a rule, such companies use a whole range of measures and various mechanisms to protect your business from most DDoS attacks. They employ specialists and experts in their field, so if your resource is dear to you, the best (albeit not cheap) option is to contact one of these companies.

How to carry out a DDoS attack yourself

Forewarned is forearmed, a true principle. But remember that deliberately organizing a DDoS attack, whether by an individual or a group of people, is a criminal offense, so this material is provided for informational purposes only.

American IT threat-prevention experts developed a program to test servers' resistance to load and the possibility of attackers carrying out DDoS attacks, and then to eliminate such an attack.

Naturally, “hot” heads turned this weapon against the developers themselves and against what they were fighting. The product's code name is LOIC. This program is freely available and, in principle, not prohibited by law.

The interface and functionality of the program are quite simple; anyone interested in DDoS attacks can use it.

How to do everything yourself? In the interface lines, just enter the IP victims, then set the TCP and UDP flows and the number of requests. Voila - after pressing the coveted button, the attack began!

Naturally, any serious resources will not be affected by this software, but small ones may experience some problems.

This organization (NIC.tr), in addition to registering domain names in the .tr zone, also provides backbone connectivity to Turkish universities. Anonymous hacktivists claimed responsibility for the attack, accusing the Turkish leadership of supporting ISIS.

The first signs of the DDoS appeared on the morning of December 14; by noon, five NIC.tr servers had collapsed under the onslaught of junk traffic of up to 40 Gbps. The problem also affected the RIPE coordination center, which provides alternative NS infrastructure for NIC.tr. RIPE representatives noted that the attack had been modified so as to bypass RIPE's security measures.

Large-scale DDoS attacks are becoming the most effective way to disrupt web services: the cost of attacks is constantly falling, which allows their power to grow. In just two years the average power of a DDoS attack has quadrupled, to 8 Gbps. Compared with the average, the attack on Turkey's national domain zone looks impressive, but experts stress that DDoS attacks at the level of 400 Gbps will soon become the norm.

What made the Turkish attack unique is that the attackers chose the right target: by concentrating on a relatively small number of IP addresses, they were able to all but cripple the infrastructure of an entire country with a mere 40-gigabit attack.

Turkey's national cyber incident response center blocked all traffic coming to the NIC.tr servers from other countries, which is why all 400 thousand Turkish sites became inaccessible and all e-mail messages were returned to their senders. Later the center changed tactics, selectively blocking suspicious IP addresses. DNS servers for domains in the .tr zone were reconfigured to distribute requests between public and private servers, with help from the Turkish Internet providers Superonline and Vodafone.

The attacked domains returned online the same day, but many sites and mail services worked intermittently for a few more days. Not only local companies and government organizations were affected, but also many national web resources that had chosen a domain name in the .tr zone; in total this is about 400 thousand websites, 75% of which are corporate. The Turkish national domain is also used by educational institutions, municipalities and the military.

Until “Anonymous” made a statement, many blamed the Russians for the DDoS attack, owing to tense relations between Turkey and Russia. At one time, for similar reasons, Russian hackers were suspected of involvement in large-scale cyber attacks on Estonia (2007), Georgia (2008) and Ukraine (2014). Some experts saw the Turkish DDoS as the Russians' response to a DDoS attack by Turkish cyber groups on the Russian news site Sputnik.

The Anonymous statement deprived the “Russian trace” hypothesis of any basis. The hacktivists are also threatening to attack Turkish airports, banks, government servers and military organizations if Turkey does not stop helping ISIS.

Who is being attacked?

According to the Central Bank, in 2016 the number of attacks on Russian financial institutions almost doubled. In November, DDoS attacks were aimed at five large Russian banks. At the end of last year, the Central Bank reported DDoS attacks on financial organizations, including the Central Bank itself. “The purpose of the attacks was to disrupt services and, as a result, undermine trust in these organizations. These attacks were notable because they were the first large-scale use of the Internet of Things in Russia. The attack mainly involved Internet video cameras and household routers,” noted the security services of large banks.

At the same time, the DDoS attacks did not cause significant damage to the banks: they are well protected, so such attacks, although they caused trouble, were not critical and did not disrupt a single service. Nevertheless, it can be said that hackers' anti-banking activity has increased significantly.

In February 2017, the technical services of the Russian Ministry of Health repelled the largest DDoS attack of recent years, which at its peak reached 4 million requests per minute. There have also been DDoS attacks on state registers, but these were also unsuccessful and did not lead to any data changes.

However, the many organizations and companies that do not have such powerful “defenses” become victims of DDoS attacks. In 2017, damage from cyber threats (ransomware, DDoS and attacks on Internet of Things devices) is expected to increase.


IoT devices are becoming increasingly popular as tools for carrying out DDoS attacks. A landmark event was the DDoS attack launched in September 2016 using the Mirai malicious code, in which hundreds of thousands of cameras and other devices from video surveillance systems served as the means of attack.

It was carried out against the French hosting provider OVH. It was a powerful DDoS attack of almost 1 Tbit/s. The hackers used a botnet to exploit 150 thousand IoT devices, mostly CCTV cameras. The Mirai botnet attacks have given rise to many IoT botnets. According to experts, in 2017 IoT botnets will continue to be one of the main threats in cyberspace.


According to the 2016 Verizon Data Breach Investigations Report (DBIR), the number of DDoS attacks increased markedly last year. Worldwide, the entertainment industry, professional organizations, education, IT and retail are suffering most.

A notable trend in DDoS attacks is the expansion of the “list of victims.” It now includes representatives of almost every industry. In addition, attack methods are being improved.
According to Nexusguard, at the end of 2016 the number of mixed-type DDoS attacks, using several vulnerabilities at once, increased noticeably. Most often, financial and government organizations were subjected to them. The main motive of cybercriminals (70% of cases) is the theft of data or the threat of destroying it for ransom; political or social goals are less common. This is why a defense strategy is important: it can prepare you for an attack and minimize its consequences, reducing financial and reputational risks.

Consequences of the attacks

What are the consequences of a DDoS attack? During the attack the victim loses clients because the site is slow or completely inaccessible, and the reputation of the business suffers. The service provider may block the victim's IP address to minimize damage to other clients. Restoring everything will take time and possibly money.
According to the company's survey, half of organizations consider DDoS attacks one of the most serious cyber threats. The danger of DDoS is even greater than that of unauthorized access, viruses, fraud and phishing, not to mention other threats.

Average losses from DDoS attacks are estimated globally at $50,000 for small organizations and almost $500,000 for large enterprises. Dealing with the consequences of a DDoS attack will require additional staff time, diverting resources from other projects to security, developing a software update plan, modernizing equipment, and so on.


The reputation of the attacked organization may suffer not only from poor site performance but also from the theft of personal data or financial information.
According to a company survey, the number of DDoS attacks is growing by 200% annually; 2 thousand attacks of this type are reported every day worldwide. The cost of organizing a week-long DDoS attack is only about $150, while the victim's losses on average exceed $40,000 per hour.

Types of DDoS attacks

The main types of DDoS attacks are massive attacks, protocol-level attacks and application-level attacks. In each case the goal is to take down the site or steal data. Another type of cybercrime is the threat of a DDoS attack to extort a ransom. Hacker groups such as Armada Collective, Lizard Squad, RedDoor and ezBTC are known for this.

Organizing DDoS attacks has become noticeably simpler: there are now widely available automated tools that require virtually no special knowledge from cybercriminals. There are also paid DDoS services for attacking a target anonymously. For example, the vDOS service offers its services without checking whether the customer is the owner of a site who wants to test it “under load” or whether this is being done for the purpose of an attack.


DDoS attacks are multi-source attacks that prevent legitimate users from accessing the targeted site. To achieve this, a huge number of requests, more than it can cope with, is sent to the attacked system. Typically, compromised systems are used for this purpose.

The annual increase in the number of DDoS attacks is estimated at 50% (according to), but data from different sources differ, and not all incidents become known. The average power of Layer 3/4 DDoS attacks has increased in recent years from 20 to several hundred GB/s. Although massive DDoS and protocol-level attacks are bad enough in themselves, cybercriminals increasingly combine them with Layer 7 DDoS attacks, that is, application-level attacks aimed at changing or stealing data. Such “multi-vector” attacks can be very effective.


Multi-vector attacks make up about 27% of the total number of DDoS attacks.

In the case of a massive (volume-based) DDoS attack, a large number of requests is used, often sent from legitimate IP addresses, so that the site “chokes” on traffic. The goal of such attacks is to “clog” all available bandwidth and block legitimate traffic.

In the case of a protocol-level attack (such as UDP or ICMP), the goal is to exhaust system resources. To do this, open requests are sent, for example TCP/IP requests with fake IPs, and as a result of the exhaustion of network resources it becomes impossible to process legitimate requests. Typical representatives are the DDoS attacks known in narrow circles as Smurf DDoS, Ping of Death and SYN flood. Another type of protocol-level DDoS attack involves sending a large number of fragmented packets that the system cannot handle.
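The SYN flood named here (and in item 8 of the classification above) works by filling the server's backlog with handshakes that never complete. The following is an added example, not code from the article: it replays constructed TCP handshake events through a model of a fixed-size backlog so that the half-open ratio, and the point at which genuine clients start to be refused, become visible. The backlog size, timeout and addresses are assumed values.

```python
"""Detecting a SYN flood from half-open connection state.

Added example, not code from the original article. The TCP event records
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpEvent:
    ts: float      # seconds
    src: str       # client address
    sport: int     # client port
    flags: str     # "S" = SYN from client, "A" = final ACK of the handshake


class HalfOpenTracker:
    """Tracks handshakes that never complete, as a server backlog would.

    A server keeps each received SYN in its backlog until the client's ACK
    arrives or a timeout expires; a flood fills that backlog with entries
    that never complete. We replay events and count outstanding entries.
    """

    def __init__(self, backlog_size: int, syn_timeout: float):
        self.backlog_size = backlog_size
        self.syn_timeout = syn_timeout
        self.pending = {}          # (src, sport) -> time the SYN arrived
        self.completed = 0
        self.rejected = 0          # SYNs refused because the backlog was full

    def _expire(self, now: float):
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.syn_timeout:
                del self.pending[key]

    def feed(self, ev: TcpEvent):
        self._expire(ev.ts)
        key = (ev.src, ev.sport)
        if ev.flags == "S":
            if len(self.pending) >= self.backlog_size:
                self.rejected += 1        # legitimate clients now fail too
            else:
                self.pending[key] = ev.ts
        elif ev.flags == "A" and key in self.pending:
            del self.pending[key]
            self.completed += 1

    def half_open_ratio(self) -> float:
        """Fraction of seen handshakes still unfinished; near 0 for normal traffic."""
        total = len(self.pending) + self.completed
        return len(self.pending) / total if total else 0.0


def analyze(events, backlog_size=128, syn_timeout=30.0):
    """Replay events in time order and summarize the backlog state."""
    tracker = HalfOpenTracker(backlog_size, syn_timeout)
    for ev in sorted(events, key=lambda e: e.ts):
        tracker.feed(ev)
    return {
        "half_open": len(tracker.pending),
        "completed": tracker.completed,
        "rejected": tracker.rejected,
        "ratio": tracker.half_open_ratio(),
    }


def build_sample_events():
    """Constructed traffic: honest clients, then 200 SYNs from forged sources."""
    events = []
    for i in range(5):                       # honest clients complete the handshake
        events.append(TcpEvent(0.1 * i, "198.51.100.10", 40000 + i, "S"))
        events.append(TcpEvent(0.1 * i + 0.02, "198.51.100.10", 40000 + i, "A"))
    for i in range(200):                     # flood: one SYN per random-looking source
        events.append(TcpEvent(1.0 + 0.001 * i, f"10.{i // 256}.{i % 256}.1", 1024 + i, "S"))
    # an honest client arriving during the flood finds the backlog full
    events.append(TcpEvent(1.5, "198.51.100.11", 50000, "S"))
    events.append(TcpEvent(1.52, "198.51.100.11", 50000, "A"))
    return events


if __name__ == "__main__":
    print(analyze(build_sample_events()))
```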

Layer 7 DDoS attacks involve sending seemingly innocuous requests that appear to be the result of normal user actions. Typically, they are carried out using botnets and automated tools. Notable examples are Slowloris, Apache Killer, Cross-site scripting, SQL injection, Remote file injection.

In 2012–2014, the majority of massive DDoS attacks were stateless (without remembering state or tracking sessions): they used the UDP protocol. In the stateless case, many packets circulate in one session (for example, opening a page). Stateless devices, as a rule, do not know who started the session (requested the page).

The UDP protocol is susceptible to spoofing - address replacement. For example, if you wanted to attack the DNS server at 56.26.56.26 using a DNS Amplification attack, you could create a set of packets with the source address 56.26.56.26 and send them to DNS servers around the world. These servers will send a response to 56.26.56.26.

The same method works for NTP servers and SSDP-enabled devices. NTP is perhaps the most popular method: in the second half of 2016 it was used in 97.5% of DDoS attacks.
Best Current Practice (BCP) 38 recommends that ISPs configure gateways to prevent spoofing: the sender address and the originating network are checked. But not all countries follow this practice. In addition, attackers bypass BCP 38 controls by using stateful attacks at the TCP level. According to the F5 Security Operations Center (SOC), such attacks have dominated over the past five years. In 2016 there were twice as many TCP attacks as UDP attacks.
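BCP 38 source-address validation works because a spoofed packet claims a source the customer network does not own. The example below is added here and is not code from the article: an egress filter over constructed packets leaving a customer port, with assumed customer prefixes, which drops the forged 56.26.56.26 sources of the DNS Amplification scenario described above while forwarding the customer's genuine traffic.

```python
"""Source-address validation at an ISP edge, in the spirit of BCP 38.

Added example, not code from the original article. The customer prefixes and
the packet records are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Prefixes the ISP has assigned to the customer behind this edge port
# (constructed sample values).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    length: int


def source_is_legitimate(src: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """True if the packet's source address belongs to an assigned prefix.

    Ingress filtering works because a spoofed packet claims a source the
    customer does not own; only packets from the customer's own addresses
    are allowed out onto the Internet.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_egress(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) according to BCP 38."""
    forwarded, dropped = [], []
    for pkt in packets:
        if source_is_legitimate(pkt.src, prefixes):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def dropped_bytes_by_source(dropped):
    """Per-source byte totals of what the filter stopped, useful for an abuse report."""
    totals = {}
    for pkt in dropped:
        totals[pkt.src] = totals.get(pkt.src, 0) + pkt.length
    return totals


# Constructed traffic from the customer port: normal traffic plus DNS
# queries whose source is forged to the article's example victim 56.26.56.26,
# and one packet from an address just outside the assigned /25.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "8.8.8.8", "udp", 53, 60),
    Packet("203.0.113.20", "93.184.216.34", "tcp", 443, 1500),
    Packet("56.26.56.26", "9.9.9.9", "udp", 53, 48),        # spoofed source
    Packet("56.26.56.26", "1.1.1.1", "udp", 53, 48),        # spoofed source
    Packet("203.0.113.200", "9.9.9.9", "udp", 53, 48),      # outside 203.0.113.0/25
]

if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    print(dropped_bytes_by_source(drp))
```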

Layer 7 attacks are used mainly by professional hackers. The principle is as follows: a “heavy” URL is taken (one serving a PDF file or a query to a large database) and repeated tens or hundreds of times per second. Layer 7 attacks have severe consequences and are difficult to detect. They now make up about 10% of DDoS attacks.


Figure: ratio of different types of DDoS attacks according to the Verizon Data Breach Investigations Report (DBIR), 2016.

DDoS attacks are often timed to coincide with periods of peak traffic, for example, online sales days. Large flows of personal and financial data at this time attract hackers.

DDoS attacks on DNS

The Domain Name System (DNS) plays a fundamental role in the performance and availability of a website and, ultimately, in the success of your business. Unfortunately, DNS infrastructure is often the target of DDoS attacks. By suppressing your DNS infrastructure, attackers can damage your website and your company's reputation and affect your financial performance. To counter today's threats, DNS infrastructure must be highly resilient and scalable.
Essentially, DNS is a distributed database that, among other things, maps human-readable site names to IP addresses, which allows a user to reach the desired site after entering a URL. A user's first interaction with a website begins with DNS queries sent to the DNS server for the Internet domain of your website. Their processing can account for up to 50% of a web page's loading time. Thus, reduced DNS performance can lead to users leaving the site and to business losses. If your DNS server stops responding as a result of a DDoS attack, no one will be able to reach your site.

DDoS attacks are difficult to detect, especially at the beginning, when the traffic looks normal. DNS infrastructure may be subject to various types of DDoS attack. Sometimes it is a direct attack on the DNS servers. In other cases, DNS systems are exploited to attack other elements of the IT infrastructure or services.


In DNS Reflection attacks, the target is bombarded with massive numbers of spoofed DNS responses. For this purpose botnets are used, infecting hundreds and thousands of computers. Each bot in such a network generates several DNS queries but uses the same target IP address as the source IP (spoofing). The DNS service responds to this IP address.

This achieves a double effect. The target system is bombarded with thousands and millions of DNS responses, and the DNS server itself may go down, unable to cope with the load. The DNS request itself is usually less than 50 bytes, while the response is ten times longer. In addition, DNS messages can carry a great deal of other information.

Let's say the attacker issued 100,000 short DNS requests of 50 bytes each (5 MB in total). If each response contains 1 KB, the total is already 100 MB. Hence the name: Amplification. The combination of DNS Reflection and Amplification attacks can have very serious consequences.
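The amplification arithmetic above, together with the way the victim can recognize reflected traffic: the responses arrive without any matching outbound query. This is an added example, not code from the article; the packet records and the resolver addresses are constructed, and 56.26.56.26 is reused from the article's own illustration as the victim address.

```python
"""Reflection and amplification seen from the victim's side.

Added example, not code from the original article. Packet records are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    ts: float
    src: str          # source IP
    dst: str          # destination IP
    txid: int         # DNS transaction ID
    is_response: bool
    length: int       # UDP payload bytes


def amplification(n_queries: int, query_bytes: int, response_bytes: int):
    """Return (bytes the attacker sent, bytes the victim receives, factor).

    The article's figures: 100,000 queries of 50 bytes answered with 1 KB
    (taken as 1000 bytes) responses give 5 MB in, 100 MB out, a factor of 20.
    """
    sent = n_queries * query_bytes
    received = n_queries * response_bytes
    return sent, received, received / sent


def find_unsolicited_responses(packets, our_ip: str, window: float = 5.0):
    """Responses arriving at our_ip without a matching outbound query.

    A resolver sees a response only after it sent the query with the same
    (server, txid). Reflected responses have no such query, because the
    query was sent by the attacker with our address forged as its source.
    """
    outstanding = {}       # (server_ip, txid) -> time the query was sent
    unsolicited = []
    for p in sorted(packets, key=lambda x: x.ts):
        if not p.is_response and p.src == our_ip:
            outstanding[(p.dst, p.txid)] = p.ts
        elif p.is_response and p.dst == our_ip:
            sent_at = outstanding.pop((p.src, p.txid), None)
            if sent_at is None or p.ts - sent_at > window:
                unsolicited.append(p)
    return unsolicited


def reflection_report(packets, our_ip: str):
    """Count and size of unsolicited responses, broken down by reflecting server."""
    bad = find_unsolicited_responses(packets, our_ip)
    by_reflector = {}
    for p in bad:
        by_reflector[p.src] = by_reflector.get(p.src, 0) + p.length
    return {"count": len(bad), "bytes": sum(p.length for p in bad),
            "reflectors": by_reflector}


# Constructed capture at the victim 56.26.56.26: one legitimate exchange with
# 9.9.9.9, then reflected responses from three open resolvers the victim never
# queried (constructed addresses).
SAMPLE = [
    DnsPacket(0.00, "56.26.56.26", "9.9.9.9", 0x1A2B, False, 45),
    DnsPacket(0.03, "9.9.9.9", "56.26.56.26", 0x1A2B, True, 120),
    DnsPacket(1.00, "203.0.113.5", "56.26.56.26", 0x0001, True, 3100),
    DnsPacket(1.01, "198.51.100.9", "56.26.56.26", 0x0001, True, 3100),
    DnsPacket(1.02, "203.0.113.5", "56.26.56.26", 0x0002, True, 3100),
    DnsPacket(1.03, "192.0.2.77", "56.26.56.26", 0x0003, True, 2900),
]

if __name__ == "__main__":
    print(amplification(100_000, 50, 1000))
    print(reflection_report(SAMPLE, "56.26.56.26"))
```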


The requests look like normal traffic, and the responses are many large messages directed to the target system.

How to protect yourself from DDoS attacks?

How to protect yourself from DDoS attacks, and what steps to take? First of all, don't put it off “until later.” Some measures should be taken into account when configuring the network, running servers and deploying software, and every subsequent change should not increase vulnerability to DDoS attacks.
  • Software code security. When writing software, security considerations must be taken into account. It is recommended to follow “secure coding” standards and test software thoroughly to avoid typical errors and vulnerabilities such as cross-site scripting and SQL injection.

  • Develop a software update plan. There should always be a rollback option in case something goes wrong.

  • Update your software promptly. If you installed the updates and problems appeared, see point 2.

  • Don't forget about access restrictions. Administrative and other accounts should be protected with strong, regularly changed passwords. Periodic audits of access rights and timely deletion of the accounts of departed employees are also necessary.

  • The admin interface should be accessible only from the internal network or via VPN. Promptly close VPN access for departing and, especially, dismissed employees.

  • Incorporate DDoS attack mitigation into your disaster recovery plan. The plan should include ways to detect the fact of such an attack, contacts for communicating with the Internet or hosting provider, and a “problem escalation” tree for each department.

  • Vulnerability scanning will help identify problems in your infrastructure and software and reduce risks. A simple OWASP Top 10 vulnerability test will reveal the most critical issues. Penetration tests will also be useful: they will help you find weak points.

  • Hardware protection against DDoS attacks can be expensive. If your budget does not allow it, a good alternative is DDoS protection “on demand”. This service can consist of a simple change to the traffic routing scheme in an emergency, or of constant protection.

  • Use a CDN partner. Content Delivery Networks deliver website content over a distributed network. Traffic is spread across multiple servers, reducing access delay for users, including geographically remote ones. So while the main benefit of a CDN is speed, it also serves as a barrier between the main server and users.

  • Use a Web Application Firewall (WAF), a firewall for web applications. It monitors traffic between a site or application and the browser, checking the legitimacy of requests. Working at the application level, a WAF can detect attacks based on stored patterns and spot unusual behavior. Application-level attacks are common in e-commerce. As with a CDN, you can use WAF services in the cloud. However, configuring the rules requires some experience. Ideally, all core applications should be protected by a WAF.
  • DNS protection

    How do you protect your DNS infrastructure from DDoS attacks? Conventional firewalls and IPS will not help here; they are powerless against a complex DDoS attack on DNS. In fact, firewalls and intrusion prevention systems are themselves vulnerable to DDoS attacks.
    Cloud traffic-scrubbing services can come to the rescue: traffic is sent to a dedicated center, where it is checked and redirected back to its destination. These services are useful for TCP traffic. Those who manage their own DNS infrastructure can take the following steps to mitigate the effects of DDoS attacks.
  • Monitoring DNS servers for suspicious activity is the first step in protecting your DNS infrastructure. Commercial DNS solutions and open-source products such as BIND provide real-time statistics that can be used to detect DDoS attacks. Monitoring for DDoS attacks can be a resource-intensive task. It is best to create a baseline profile of the infrastructure under normal operating conditions and then update it from time to time as the infrastructure evolves and traffic patterns change.

  • Additional DNS server resources can help combat small-scale attacks by adding redundancy to the DNS infrastructure. Server and network resources should be sufficient to handle a larger volume of requests. Of course, redundancy costs money: you are paying for server and network resources that are not used under normal conditions. And with a significant “reserve” of capacity, this approach is unlikely to be effective.

  • Enabling DNS Response Rate Limiting (RRL) will reduce the likelihood that the server will be drawn into a DDoS Reflection attack by reducing the rate at which it responds to repeated requests. RRL is supported by many DNS implementations.

  • Use high-availability configurations. You can protect against DDoS attacks by deploying the DNS service on a high-availability (HA) server. If one physical server goes down as a result of an attack, the DNS service can be restored on a backup server.
  • The best way to protect DNS from DDoS attacks is to use a geographically distributed Anycast network. Distributed DNS networks can be implemented using two different approaches: Unicast or Anycast addressing. The first approach is much easier to implement, but the second is much more resistant to DDoS attacks.

    In the case of Unicast, each of your company's DNS servers receives a unique IP address. DNS maintains a table of your domain's DNS servers and their corresponding IP addresses. When a user enters a URL, one of the IP addresses is chosen at random to complete the request.

    With the Anycast addressing scheme, different DNS servers share a common IP address. When a user enters a URL, the collective address of the DNS servers is returned. The IP network routes the request to the nearest server.

    Anycast provides fundamental security advantages over Unicast. Unicast provides individual server IP addresses so attackers can launch targeted attacks on specific physical servers and virtual machines, and when the resources of this system are exhausted, a service failure occurs. Anycast can help mitigate DDoS attacks by distributing requests across a group of servers. Anycast is also useful for isolating the effects of an attack.
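Two of the steps listed above for operators who run their own DNS servers, baseline monitoring of query volume and Response Rate Limiting, as an added example that is not code from the article, from BIND or from any DNS product. The query counts, client addresses, limits and the /24 grouping are assumptions made for the illustration; the monitor refreshes its baseline only from minutes it judges normal, so a prolonged flood cannot teach it that flood volume is the new normal.

```python
"""Baseline monitoring of DNS query volume plus a Response Rate Limiting (RRL)
decision function. Added example; not code from the article, BIND or any DNS
product. All traffic figures below are constructed."""
import ipaddress
import statistics
from collections import deque
from dataclasses import dataclass


class QueryRateMonitor:
    """Learns normal queries/minute, flags minutes far above it, and refreshes the
    baseline only from normal minutes so a long flood cannot become the new normal."""

    def __init__(self, training_counts, threshold=4.0, alpha=0.1):
        self.mean = statistics.fmean(training_counts)
        # floor the deviation at 1 so a perfectly flat history still gives a finite z-score
        self.stdev = max(statistics.pstdev(training_counts), 1.0)
        self.threshold, self.alpha = threshold, alpha

    def observe(self, count):
        """Return (z-score, alert) for one minute's query count."""
        z = (count - self.mean) / self.stdev
        alert = z > self.threshold
        if not alert:                          # exponentially weighted refresh
            delta = count - self.mean
            self.mean += self.alpha * delta
            var = (1 - self.alpha) * (self.stdev ** 2 + self.alpha * delta ** 2)
            self.stdev = max(var ** 0.5, 1.0)
        return z, alert


def scan(training_counts, live_counts, **kw):
    """Indices of live minutes that trip the alert."""
    mon = QueryRateMonitor(training_counts, **kw)
    return [i for i, c in enumerate(live_counts) if mon.observe(c)[1]]


@dataclass(frozen=True)
class Query:
    ts: float        # seconds
    client: str      # source IP of the query
    qname: str
    qtype: str
    rcode: str = "NOERROR"


class ResponseRateLimiter:
    """RRL: at most `limit` identical responses per second to one client network.
    Over the limit, every `slip`-th response is sent truncated (TC bit) so a genuine
    client retries over TCP, while the remaining over-limit responses are dropped."""

    def __init__(self, limit=5, slip=2, prefix_len=24):
        self.limit, self.slip, self.prefix_len = limit, slip, prefix_len
        self.history = {}       # bucket -> deque of send times within the last second
        self.suppressed = {}    # bucket -> number of over-limit responses so far

    def _bucket(self, q):
        net = ipaddress.ip_network(f"{q.client}/{self.prefix_len}", strict=False)
        # all NXDOMAIN answers to one network share a bucket; otherwise key by name and type
        ident = ("NXDOMAIN",) if q.rcode == "NXDOMAIN" else (q.qname.lower(), q.qtype)
        return (str(net),) + ident

    def decide(self, q):
        """Return "answer", "truncate" or "drop" for this query."""
        key = self._bucket(q)
        recent = self.history.setdefault(key, deque())
        while recent and q.ts - recent[0] >= 1.0:   # slide the one-second window
            recent.popleft()
        if len(recent) < self.limit:
            recent.append(q.ts)
            return "answer"
        n = self.suppressed[key] = self.suppressed.get(key, 0) + 1
        return "truncate" if self.slip and n % self.slip == 0 else "drop"


def run_rrl(queries, **kw):
    """Tally RRL decisions over a list of queries."""
    rrl = ResponseRateLimiter(**kw)
    counts = {"answer": 0, "truncate": 0, "drop": 0}
    for q in sorted(queries, key=lambda x: x.ts):
        counts[rrl.decide(q)] += 1
    return counts


# Constructed data: roughly 1200 queries/minute normally, then a flood that lifts
# the count to tens of thousands for five minutes ...
TRAINING = [1180, 1220, 1250, 1190, 1210, 1300, 1150, 1230, 1270, 1200]
LIVE = [1240, 1190, 1310, 21000, 38000, 42000, 40500, 39000, 1260, 1210]
# ... and, for RRL, 20 identical queries within one second from one /24 (the
# pattern of a reflection attempt) plus one unrelated client who must not suffer.
FLOOD = [Query(0.04 * i, f"56.26.56.{i % 3}", "example.com", "A") for i in range(20)]
HONEST = [Query(0.5, "198.51.100.10", "www.example.org", "A")]

if __name__ == "__main__":
    print("alerting minutes:", scan(TRAINING, LIVE))
    print("RRL decisions:", run_rrl(FLOOD + HONEST, limit=5, slip=2))
```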

    DDoS protection from a provider

    Designing, deploying and operating a global Anycast network takes time, money and know-how, and most IT organizations have neither the people nor the budget for it. Instead, you can entrust your DNS infrastructure to a managed service provider that specializes in DNS and has the knowledge needed to protect it from DDoS attacks.

    Managed DNS service providers operate large-scale Anycast networks with points of presence around the world. Network security specialists monitor the network 24/7/365 and use dedicated mitigation tools to limit the effects of DDoS attacks.


    Some hosting providers also offer such a service: network traffic is analyzed around the clock, so your site is relatively safe. Such protection can withstand powerful attacks, up to 1500 Gbit/s, and the traffic is billed.

    Another option is IP address protection. The provider routes the IP address the client has chosen to protect through a dedicated traffic analyzer. During an attack, traffic to that address is matched against known attack patterns, and only clean, filtered traffic reaches the client, so site users may not even notice the attack. To make this work, a distributed network of filtering nodes is built so that for each attack the closest node can be chosen and the added latency kept to a minimum.

    The result of using a DDoS protection service is timely detection and prevention of DDoS attacks, uninterrupted operation of the site and its constant availability to users, and minimization of the financial and reputational losses caused by site or portal downtime.

    A DoS or DDoS attack is an aggressive external impact on the computing resources of a server or workstation, carried out with the aim of making it fail. By failure we mean not the physical failure of the machine but the inaccessibility of its resources to legitimate users: the system refuses to serve them (Denial of Service, which is where the abbreviation DoS comes from).

    If such an attack is carried out from a single computer it is classified as DoS; if from several, as DDoS, which stands for Distributed Denial of Service. Next, we will talk about why attackers carry out such attacks, what kinds there are, what harm they do to the target, and how the target can protect its resources.

    Who can suffer from DoS and DDoS attacks?

    Corporate servers and websites are attacked; personal computers of individuals much less often. The purpose of such actions, as a rule, is one: to cause economic harm to the target while staying in the shadows. In some cases DoS and DDoS attacks are one stage of a server compromise aimed at stealing or destroying information. In practice, a company or website belonging to anyone at all can become a victim.

    A diagram illustrating the essence of a DDoS attack:

    DoS and DDoS attacks are most often carried out at the instigation of dishonest competitors. By "crashing" the website of an online store that sells a similar product, you can temporarily become a "monopolist" and take its customers for yourself. By "putting down" a corporate server, you can disrupt the work of a competing company and thereby weaken its position in the market.

    Large-scale attacks that can cause significant damage are usually carried out by professional cybercriminals for a lot of money, but not always. Your resources may be attacked by home-grown amateur hackers out of curiosity, by fired employees seeking revenge, or simply by people who do not share your views on life.

    Sometimes an attack is carried out for extortion: the attacker openly demands money from the owner of the resource to stop it.

    Servers of state companies and well-known organizations are often attacked by anonymous groups of highly skilled hackers with the aim of influencing officials or provoking public outcry.

    How attacks are carried out

    The operating principle of DoS and DDoS attacks is to send a large flow of data at the server which, as far as the attacker's capabilities allow, loads the processor and RAM, clogs the communication channels or fills the disk. The attacked machine is unable to process the incoming data and stops responding to user requests.

    This is what normal server operation looks like, visualized in the Logstalgia program:

    A single-source DoS attack is not very effective, and attacking from a personal computer exposes the attacker to the risk of being identified and caught. Distributed attacks (DDoS) launched from so-called zombie networks, or botnets, are far more effective.

    This is how the Norse-corp.com website displays the botnet’s activity:

    A zombie network (botnet) is a group of computers with no physical connection to each other. What they have in common is that they are all under the control of one attacker. Control is exercised through a Trojan, which may not show itself in any way until it is needed. When carrying out an attack, the hacker instructs the infected computers to send requests to the victim's website or server, which, unable to withstand the load, stops responding.

    This is how Logstalgia shows a DDoS attack:

    Absolutely any computer can end up in a botnet, and even a smartphone: it is enough to catch a Trojan and not be detected in time. The largest botnet, by the way, consisted of almost 2 million machines around the world, and their owners had no idea what they were doing.

    Methods of attack and defense

    Before launching an attack, the hacker works out how to carry it out with maximum effect. If the target has several weak points, the attack can be mounted from several directions at once, which makes countering it much harder. That is why every server administrator should study all of its "bottlenecks" and, where possible, reinforce them.

    Flood

    Flood, in simple terms, is data that carries no meaningful payload. In the context of DoS/DDoS attacks, a flood is an avalanche of empty, meaningless requests at one protocol layer or another which the receiving node is nevertheless forced to process.

    The main purpose of flooding is to clog the communication channels completely and saturate the available bandwidth.

    Types of flood:

    • MAC flood - aimed at network switches: frames with forged source addresses overflow the switch's MAC address (CAM) table, after which the switch floods frames out of all ports instead of switching them.
    • ICMP flood - inundating the victim with ICMP echo requests from a zombie network, or sending echo requests with the victim's spoofed source address to a network's broadcast address so that every host on that network answers the victim at once (Smurf attack). A special case of ICMP flood is ping flood (a stream of ping requests to the server).
    • SYN flood - sending a mass of TCP SYN requests to the victim, overflowing the connection queue with half-open connections that wait for the client's final ACK, which never arrives.
    • UDP flood - sending a mass of UDP datagrams, usually to random ports, so the victim has to process each one and reply with ICMP "port unreachable" messages; the UDP analogue of Smurf, with datagrams sent to a broadcast address "on behalf of" the victim, is known as Fraggle.
    • HTTP flood - flooding the server with a mass of HTTP requests. A more sophisticated variant is HTTPS flood, where each request arrives over TLS, so the attacked node has to complete the handshake and decrypt the data before it can even process the request.


    How to protect yourself from flooding

    • Configure network switches with port security: limit the number of MAC addresses learned per port and filter frames with forged source addresses.
    • Restrict or disable the processing of ICMP echo requests, and do not forward directed broadcasts.
    • Block packets from any address or domain that gives reason to suspect it.
    • Limit the number of half-open connections from a single address, shorten the time they are held, lengthen the TCP connection queue (backlog) and enable SYN cookies so that half-open connections no longer consume memory.
    • Stop UDP services from accepting traffic from outside, or limit the rate of UDP traffic.
    • Use CAPTCHA, delays and other bot-protection techniques.
    • Raise the maximum number of HTTP connections, and configure request caching and per-client rate limiting in nginx (limit_req, limit_conn).
    • Increase the bandwidth of the network channel.
    • If possible, dedicate a separate server to handle cryptography (TLS termination), if it is used.
    • Create a backup channel for administrative access to the server in emergency situations.
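    SYN cookies are the standard answer to the half-open connection problem described above: the server encodes the connection parameters and a coarse timestamp into the sequence number of its SYN-ACK instead of queuing a half-open entry, so a flood of SYNs that are never acknowledged costs it nothing but a hash per packet. The model below is an added example, not code from the page and not the exact bit layout the Linux kernel uses; the MSS table, counter period, acceptance window, secret and addresses are assumptions chosen for the demo.

```python
"""Simplified SYN-cookie model (added example, not code from the page and not
Linux's exact cookie layout). Instead of queuing a half-open connection for
every SYN, the server encodes the 4-tuple, the client's ISN and a time counter
into the SYN-ACK sequence number, keyed with a secret. Only a client that really
received the SYN-ACK can send back ACK = cookie + 1, and only then is state
allocated. Table values, periods, secret and addresses are assumed."""
import hashlib
import hmac
import ipaddress
import os
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # assumed MSS choices, encoded as a 3-bit index
COUNTER_PERIOD = 64                  # seconds per step of the time counter (assumed)
MAX_AGE_STEPS = 2                    # accept cookies minted up to two periods ago (assumed)


class SynCookie:
    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)

    @staticmethod
    def _counter(now):
        return int(now // COUNTER_PERIOD)

    def _mac(self, saddr, daddr, sport, dport, client_isn, counter):
        """24-bit keyed hash over the 4-tuple, the client ISN and the counter."""
        msg = struct.pack("!4s4sHHII",
                          ipaddress.IPv4Address(saddr).packed,
                          ipaddress.IPv4Address(daddr).packed,
                          sport, dport, client_isn, counter)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def make(self, now, saddr, daddr, sport, dport, client_isn, client_mss):
        """Server ISN for the SYN-ACK: 5 bits of counter, 3 bits of MSS index,
        24 bits of MAC. Nothing is stored per connection."""
        idx = 0
        for i, mss in enumerate(MSS_TABLE):       # largest table entry not above the client's MSS
            if mss <= client_mss:
                idx = i
        counter = self._counter(now)
        return ((counter % 32) << 27) | (idx << 24) | self._mac(
            saddr, daddr, sport, dport, client_isn, counter)

    def check(self, now, saddr, daddr, sport, dport, client_isn, ack_seq):
        """Validate the final ACK of the handshake. Returns the negotiated MSS on
        success, None for forged, tampered or stale cookies."""
        cookie = (ack_seq - 1) & 0xFFFFFFFF
        t_bits, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
        if idx >= len(MSS_TABLE):
            return None
        current = self._counter(now)
        for age in range(MAX_AGE_STEPS + 1):      # try the current and recent counter values
            candidate = current - age
            if candidate >= 0 and candidate % 32 == t_bits and \
                    self._mac(saddr, daddr, sport, dport, client_isn, candidate) == mac:
                return MSS_TABLE[idx]
        return None


def demo():
    """Constructed handshake: one legitimate client, then the kinds of ACK a
    server sees during a SYN flood (tampered, wrong port, stale replay)."""
    sc = SynCookie(secret=b"assumed-demo-secret")
    now = 1_700_000_000.0
    c, s, sport, dport, isn = "203.0.113.7", "198.51.100.10", 40000, 443, 0x12345678
    cookie = sc.make(now, c, s, sport, dport, isn, 1460)     # sent as the SYN-ACK sequence number
    ack = (cookie + 1) & 0xFFFFFFFF                          # what a real client acknowledges
    return {
        "legitimate": sc.check(now + 1, c, s, sport, dport, isn, ack),
        "two_periods_old": sc.check(now + 130, c, s, sport, dport, isn, ack),
        "bit_flipped": sc.check(now + 1, c, s, sport, dport, isn, ack ^ 0x2),
        "wrong_port": sc.check(now + 1, c, s, sport + 1, dport, isn, ack),
        "stale_replay": sc.check(now + 400, c, s, sport, dport, isn, ack),
        "small_mss": sc.check(now, c, s, sport, dport, isn,
                              (sc.make(now, c, s, sport, dport, isn, 1300) + 1) & 0xFFFFFFFF),
    }


if __name__ == "__main__":
    print(demo())
```

    The price of the scheme is visible in the code: TCP options that do not fit in the cookie are lost (only a coarse MSS survives), and the keyed hash must be cheap enough to compute for every SYN, which is why kernels enable cookies only once the backlog overflows rather than all the time.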

    Hardware resource overload

    Some kinds of flooding hit not the communication channel but the hardware resources of the attacked computer, loading them to capacity and causing a hang or crash. For example:

    • Writing a script that posts a huge amount of meaningless text to a forum or website where users can leave comments, until the disk is full.
    • The same, but with the server's own log files filling the drive.
    • Loading a site that transforms submitted data by feeding it input that is expensive to process (so-called "heavy" requests), continuously.
    • Loading the processor or memory by executing code through the CGI interface (CGI support allows external programs to be run on the server).
    • Triggering the security system so that it itself makes the server unreachable from outside, etc.


    How to protect yourself from overloading hardware resources

    • Increase hardware capacity and disk space. When the server is operating normally, at least 25-30% of its resources should remain free.
    • Analyze and filter traffic before it reaches the server.
    • Limit the hardware resources available to system components (set quotas).
    • Store server log files on a separate drive.
    • Distribute resources across several independent servers, so that if one part fails the others keep working.

    Vulnerabilities in operating systems, software, device firmware

    There are immeasurably more ways to carry out this type of attack than with flooding. Their implementation depends on the attacker's skill and experience: the ability to find errors in program code and use them to his own benefit and to the detriment of the resource owner.

    Once a hacker discovers a vulnerability (an error in software that can be used to disrupt the operation of the system), all he has to do is create and run an exploit, a program that takes advantage of that vulnerability.

    Exploiting a vulnerability is not always intended to cause only a denial of service. If the hacker is lucky, he gains control of the resource and uses this "gift of fate" as he sees fit: to distribute malware, to steal or destroy information, and so on.

    Methods to counter the exploitation of software vulnerabilities

    • Install updates that close vulnerabilities in operating systems and applications promptly.
    • Isolate all services intended for administrative tasks from outside access.
    • Use continuous monitoring of the server OS and applications (behavioral analysis, etc.).
    • Replace potentially vulnerable software (home-grown, rarely updated or otherwise unmaintained) with proven, well-protected alternatives.
    • Use ready-made DoS/DDoS protection systems, which exist both as hardware appliances and as software.

    How to determine that a resource has been attacked by a hacker

    If the attacker achieves his goal, the attack is impossible to miss, but in some cases the administrator cannot determine exactly when it began: several hours sometimes pass from the start of the attack to noticeable symptoms. Even during the hidden phase (before the server goes down), certain signs are present. For example:

    • Unnatural behavior of server applications or the operating system (hangs, crashes with errors, etc.).
    • CPU load, memory and disk usage rise sharply compared to the baseline.
    • The volume of traffic on one or more ports increases significantly.
    • Many clients request the same resources (opening the same page of the website, downloading the same file).
    • Analysis of server, firewall and network device logs shows a large number of monotonous requests from many different addresses, often aimed at a specific port or service. This is especially telling if the site targets a narrow audience (for example, Russian-speaking users) while the requests arrive from all over the world. Closer traffic analysis shows that the requests serve no practical purpose for the clients.

    None of the above is a 100% sign of an attack, but each is always a reason to look into the problem and take appropriate protective measures.
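    The log pattern from the list above, turned into a check you can run over an access log, as an added example that is not code from the page: it measures how strongly requests concentrate on one URL, from how many distinct sources, and how busy the single busiest client is. The log lines are constructed inline for the demo (in the nginx/Apache "combined" format), and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Added example (not from the page): checking a web-server access log for the
pattern described above, many near-identical requests spread across many
source addresses. Log lines are constructed inline for the demo; thresholds
are assumptions to be tuned against your own baseline."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx/Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log():
    """40 requests in 10 s from 40 distinct addresses, each a single identical
    GET /search?q=a with the same User-Agent, plus 8 ordinary requests from
    three visitors browsing normally (all constructed for the demo)."""
    bot_ua = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
    lines = []
    for i in range(40):
        ip = f"{10 + i % 7}.{i * 37 % 256}.{i * 11 % 256}.{i + 1}"
        lines.append(f'{ip} - - [12/Mar/2024:10:00:{10 + i // 4:02d} +0000] '
                     f'"GET /search?q=a HTTP/1.1" 200 512 "-" "{bot_ua}"')
    normal = [("203.0.113.8", 11, "/", 200), ("203.0.113.8", 12, "/css/main.css", 200),
              ("203.0.113.8", 13, "/products/42", 200), ("198.51.100.20", 14, "/", 200),
              ("198.51.100.20", 15, "/cart", 302), ("192.0.2.33", 16, "/search?q=shoes", 200),
              ("192.0.2.33", 17, "/products/7", 200), ("203.0.113.8", 19, "/checkout", 200)]
    for ip, sec, path, status in normal:
        lines.append(f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
                     f'{status} 2048 "https://shop.example/" '
                     f'"Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"')
    return lines


def analyze(lines, share_threshold=0.5, min_sources=20):
    """Summarize request concentration: which request dominates, from how many
    sources it comes, and how busy the single busiest client is."""
    per_request, per_ip, per_ua = Counter(), Counter(), Counter()
    sources = defaultdict(set)
    times = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in the combined format
        times.append(datetime.strptime(m["ts"], TS_FMT).timestamp())
        req = f'{m["method"]} {m["path"]}'
        per_request[req] += 1
        sources[req].add(m["ip"])
        per_ip[m["ip"]] += 1
        per_ua[m["ua"]] += 1
    total = len(times)
    if total == 0:
        return {"requests": 0, "suspicious": False}
    duration = max(times) - min(times) + 1           # seconds covered by the sample
    top_request, top_count = per_request.most_common(1)[0]
    share = top_count / total
    distinct = len(sources[top_request])
    return {
        "requests": total,
        "rps": round(total / duration, 2),
        "top_request": top_request,
        "top_share": round(share, 2),
        "top_sources": distinct,
        "max_requests_per_ip": per_ip.most_common(1)[0][1],
        "top_ua_share": round(per_ua.most_common(1)[0][1] / total, 2),
        # one request dominating AND arriving from many sources is the DDoS signature;
        # a hot path hit by one or two clients is just a busy user or a crawler
        "suspicious": share >= share_threshold and distinct >= min_sources,
    }


if __name__ == "__main__":
    print(analyze(constructed_log()))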

    Share