The main objective of the hackers is to make the targeted system unavailable to its users. To achieve this, they send a huge number of dummy requests that the server cannot handle, and as a result the system goes down. This can be compared to a weightlifter attempting to lift a barbell many times heavier than the one he trains with regularly: of course, he will fail. The same happens to a website when the web server that handles its requests is overwhelmed by an enormous number of them and stops responding. When this happens, a user who tries to visit the website sees an error message instead of the expected page.

To produce the malicious traffic that makes up a DDoS attack, a large number of malware-infected network devices is used in most cases. These devices (PCs, smartphones, "smart things", servers) together form a botnet, which sends a flood of requests towards the victim's IP address. Sometimes social networks become a source of the traffic, when a link to the victim's website is posted there. In addition, "stresser" services can be found on the Internet that anybody can use to conduct a DDoS attack.


What does a DDoS attack look like


Methods vary, but any DDoS attack leads to a loss of legitimate traffic, in other words a loss of users, and for that reason it is often used as an instrument of unfair competition. Online stores, online games and electronic payment systems are among the victims that suffer most from DDoS attacks.

So the question of how to stop a DDoS attack is a growing concern. When it comes to protecting a website, it seems logical to seek assistance from the hosting provider that hosts it. However, for many hosting companies with inexpensive service plans it is easier to disable the website that causes trouble than to find a way to get rid of the DDoS while keeping the website running.

When its communication channels are overwhelmed by an attack, an Internet service provider treats this as an emergency and a threat to its own integrity. This forces the provider to discard all traffic heading towards the victim (and the less the owner of the targeted system pays for hosting, the faster the provider decides to null-route the victim).

What should we do? There are two options: self-implemented measures and professional DDoS protection, including services from specialized companies. Note that there is no universal method of protection against DDoS attacks, because hackers are constantly searching for new vulnerabilities and ways to overcome protection systems. However, there are simple, effective techniques that website administrators should know. They help to implement protection against the simplest forms of DDoS attack.


Scripts and firewalls

Let's assume that a website named n.com is under an ongoing DDoS attack. Judging by the logs (request history), it can be seen that a large number of GET requests are aimed at the main page. In this case, you can use a JavaScript redirect, for example:

<script type="text/javascript">
// Send the browser to the main page by its absolute URL; a bare "n.com/index.php"
// without a scheme would be resolved as a path relative to the current page.
window.location.href = "http://n.com/index.php";
</script>


After that, legitimate users who have not disabled JavaScript in their browser are redirected to index.php.

However, we face a problem here: search engine bots (Google, Yandex) do not execute JavaScript and so are not redirected, and neither are the attack requests. This harms the website's position in the search results. To avoid this, you can write a small script that counts the number of connections from each IP address and bans it when the count is too high. To identify a bot, for example, you check its host name

There is a free script called DDoS Deflate, a kind of alarm that uses the "netstat" command to detect an incoming flood (one of the types of DDoS) and then blocks suspicious IP addresses with the help of iptables (or apf).
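To make the "count connections per IP and ban" idea from the two paragraphs above concrete, here is an added example that is not part of the original article or of DDoS Deflate: it parses constructed Apache-style access log lines, counts GET requests for the main page per IP inside a sliding time window, skips IPs whose reverse-DNS host name belongs to a search engine (the lookup is stubbed with a fake table; a real script would call socket.gethostbyaddr), and produces the iptables rules an administrator would apply. The sample addresses, the googlebot.com/yandex host suffixes, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-format access log: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log: 203.0.113.7 floods "/", 198.51.100.2 browses normally,
# 192.0.2.9 also hammers "/" but resolves (in the fake PTR table) to a search bot.
FMT = '{} - - [10/Oct/2023:13:55:{:02d} +0000] "GET {} HTTP/1.1" 200 512'
SAMPLE_LOG = ([FMT.format("203.0.113.7", s, "/") for s in range(0, 40, 2)]
              + [FMT.format("198.51.100.2", 5, "/"), FMT.format("198.51.100.2", 9, "/index.php")]
              + [FMT.format("192.0.2.9", s, "/") for s in range(0, 20)])

# Stand-in for reverse DNS (assumption: a real script would call socket.gethostbyaddr).
FAKE_PTR = {"192.0.2.9": "crawl-192-0-2-9.googlebot.com"}
TRUSTED_SUFFIXES = ("googlebot.com", "yandex.ru", "yandex.net")

def is_search_bot(ip, resolve=FAKE_PTR.get):
    return (resolve(ip) or "").endswith(TRUSTED_SUFFIXES)

def parse_line(line):
    m = LOG_RE.match(line)
    if m:
        ip, ts, method, path, _status = m.groups()
        return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def find_flooders(lines, path="/", window=timedelta(seconds=10), threshold=5):
    # IPs that sent >= threshold GETs for `path` inside any `window`, search bots excluded.
    hits = defaultdict(list)
    for ip, t, method, p in filter(None, map(parse_line, lines)):
        if method == "GET" and p == path:
            hits[ip].append(t)
    flooders = []
    for ip, times in hits.items():
        if is_search_bot(ip):
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flooders.append(ip)
                break
    return sorted(flooders)

def iptables_rules(ips):
    # The DROP rules an administrator would apply; returned as text, never executed here.
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
```

Running find_flooders(SAMPLE_LOG) flags only 203.0.113.7: the bot at 192.0.2.9 is just as noisy but is spared by the host-name check, which is exactly what keeps the search engines from being banned along with the flood.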

Apache settings

To help prevent DDoS, one can adjust the following Apache settings:

  • KeepAliveTimeout - reduce its value or disable keep-alive entirely;
  • Timeout - set this parameter to the lowest possible value for a web server that is under a DDoS attack;
  • LimitRequestBody, LimitRequestFieldSize, LimitRequestFields, LimitRequestLine and LimitXMLRequestBody - configure these to limit the computing resources consumed by client requests.

The most drastic method to stop a DDoS attack is to block all incoming requests from the countries where the "garbage" traffic originates. However, this causes great inconvenience to legitimate users in those countries, because they have to use a proxy to bypass the block.

And here we come to the question of why the above methods cannot fully ensure protection against DDoS attacks. The fact is that it is very difficult to distinguish legitimate requests from malicious ones. For example, the notorious Mirai malware forced DVRs to send TCP requests that looked legitimate, which is why those DDoS attacks were not stopped immediately. Today there are more than 37 types of DDoS attack, each with its own characteristics. In addition, legitimate requests are likely to be blocked together with malicious ones, i.e. real users are lost as a result.

Protection services

If you want to protect your online business, you should consider services specialized in protection against DDoS attacks, which are provided remotely.

How do most of these companies work? They have their own or rented scrubbing centers equipped with special filtering devices. The traffic of the protected infrastructure is sent there first, and after it has been analyzed and checked for attacks it is routed on to the destination address. Modern technology allows data exchange and filtering to be performed so fast that a user does not notice any delay; the delays are measured not in seconds but in CPU cycles.

The client's traffic is monitored in real time by the protection provider's engineers, who can adjust the filtering at any moment, including manually configuring a blocking pattern for a new type of DDoS attack.

The traffic redirection can be implemented in different ways:

  1. using a proxy (no need to move the protected system);
  2. configuring a virtual tunnel (via IPIP or GRE);
  3. through a cross-connect (cabling between the protected infrastructure and a scrubbing facility).

Which DDoS mitigation service should be used? It depends on the parameters of the protected asset. For websites, the most appropriate solution is a protected proxy or a protected server. To protect an autonomous system, a hosting facility or an entire ISP, BGP protection over a tunnel or a physical cross-connect is used.


In any case, a DDoS protection provider must have very wide communication channels to receive large volumes of traffic, because the size of cyber attacks is growing almost exponentially, and a 1 Tbps DDoS attack has already occurred. Therefore, when dealing with representatives of a protection company, it is up to you to find out their technical capabilities.

A significant advantage is filtering equipment located in different countries, because this allows traffic to be received and processed as close as possible to its source, reducing latency to a minimum. In addition, distributing traffic among multiple points reduces the overall load on each filtering node and its equipment, which also increases the stability of the network.

Besides, if you do not employ experienced network engineers who can set everything up themselves, you will need technical assistance. It is a big plus if the support staff of the DDoS mitigation company is online 24/7 and speaks the customer's language.

Of course, none of these services are free, but they are an essential option when implementing a DDoS prevention strategy. Otherwise, you have to fight the consequences, which can be critical for certain business segments. In any case, the cost of this type of DDoS protection is much lower than purchasing and maintaining your own filtering equipment.
