
DOS and DDoS attacks: concept, types, methods of detection and protection. How to add a Minecraft server - effective ways

Good afternoon, dear users of the site. Every blog owner tries to protect his resource as best he can: installing plugins, complicating passwords, making login to the control panel harder, removing lines from the page source code, and so on.

But what if your site is attacked? In such situations blogosphere users tend to panic, and no wonder: who would not worry about something they have devoted more than a year, and a lot of time and nerves, to?

One of these troubles can be a DDoS attack!

In this article, I would like to tell you about the following:

What is a DDoS attack?

DDoS attack stands for Distributed Denial of Service attack. There are also DoS attacks, which differ from the first type in that the attack does not come from many different IP addresses. But let's take everything in order.

DDoS attacks are not simple attempts to hack your blog and plant a virus there. The main goal of the attackers is to paralyze your site or any other web site. Such attacks have been known for a long time: back in 1999 the Internet resources of several large companies were taken down. The same happened in 2000, and system administrators could do nothing.

And why? Because at that time no one knew how to deal with such attacks.

So let's take a closer look at how hackers compromise well-protected web sites.

It looks simple enough, but it is still not so easy to do.

The DDoS attack scheme is structured like this. The attackers choose one server to attack and bombard it with a flood of false requests, all at once and from all over the world, that is, from different IP addresses. In the end, the resource spends all its capacity on processing them.

Such attacks lead to ordinary users losing access to the site. Note that the false requests are sent from the PCs and laptops of people who do not even know about it.

To be precise, attackers first compromise the computers of hundreds of users and only then organize a massive attack. Compromising someone's computer is not always easy either. Some use Trojans, others penetrate unprotected networks; after that the device is "zombified" and its IP address is completely under their control.

DoS attack.

Now a little about the DoS attack. It differs slightly from DDoS, but the result is also a denial of service of the resource.

Its essence is that a hacker exploits a vulnerability on a computer, which causes an error. That, in turn, suspends the operation of the web resource.

If a vulnerability on the PC cannot be exploited, the attacker uses the second option, which is somewhat similar to a DDoS attack.

In general, a lot of data is sent from different addresses. The system processes one file, then gradually all the others. If a huge amount of data is piled on at once, the computer becomes overloaded and may "freeze", which is exactly what the hackers want.

Types of DDoS attacks and how to defend against them?

You cannot completely secure your site against DDoS attacks. As a rule, those who want to protect their resource never find complete, hundred-percent information. Therefore protection is mainly based on competent prevention and configuration.

Here is what you need to do, or rather, the operations that need to be performed:

Prevention.

First of all, it is very important not to provoke DDoS attacks against yourself, because they are carried out by people who want something from you. Most often it happens because of a conflict over religion, politics or some other disagreement. I can say for sure that such attacks rarely happen out of curiosity or for play.

Filtration.

If you notice traffic from attacking machines, block it by any means. For example, use the WordFence Security plugin to block access from IP addresses, even from entire countries. But it is very dangerous to overdo this, and you can harm yourself. In short, act only when you are sure you are right. Sayings like "risk is a noble cause" or "who does not take risks does not drink champagne" do not apply here.

Reverse DDOS.

It is possible to redirect traffic back to the attacker. I don't know how to do that, so I won't teach you either, but there are specialists who understand such things.

Elimination of vulnerabilities.

The vulnerability can be removed using an antivirus. Personally, I use Kaspersky; you can learn about its advantages and characteristics in the article about

Dispersion.

An important point is duplication of the system: if you were attacked and the attack succeeded, you simply keep working through another system that supports your site. It is very convenient, but at the same time not easy to do.

This method of prevention is ideal for the resources of corporations, large companies, firms, etc.

The idea is to build distributed and redundant systems that will not stop serving users even if some of their elements become unavailable due to a DoS attack.

Evasion.

Constantly monitor when attacks occur on other resources, and try not to leave any information about your domain on such sites.

Proactive response.

I think a simple blogger simply will not be able to influence hackers who carry out DDoS attacks. This task needs more powerful webmasters, or at least those who know a lot about their work. If you fight back, later they will not want to waste their time fighting you.

We have reviewed the preventive measures. Now I will introduce you to the types of DDoS attacks.

Types of DDoS attacks.

First, I'll touch on flood attacks. They aim to exhaust a system resource: memory, the communication channel, or the processor.

HTTP flood.

HTTP requests are sent to someone's web resource, and the server responds with even more data. If this is done in a large stream, the victim's bandwidth fills up and so does the system. The result is a denial of service: the site is not available to anyone. But how does the attacker get there? He changes his network address to the address of web sites that are inside the channel.

ICMP flood (Smurf attack).

This is the most dangerous type of DDoS attack. It works like this: a fake packet with data is sent to the system. The hacker changes his address to the address of the attacked object. For a more effective attack, "zombie computers" are used, which I mentioned at the beginning of the article. Let's say they gathered 1000 IP addresses and send a packet of data, not just as is, but amplified on each computer. This means sending 1000 requests to the resource while increasing their number a thousand times.

Once in my life there was a case when the power of an attack on a server reached 300 Gbps. But the system was able to withstand it. The main element of protection was reverse attacks and redirecting traffic to their additional data centers.

Can you imagine what that is? Probably not. Millions of PC and gadget users have experienced this power: many sites and blogs began to fail, and all because of some DDoS attack.

Now I have told you about two types of flooding. I will not touch on the rest, since their essence is the same: a banal overload that forces the system to slow down.

How to tell that there is a DDoS attack on the site?

As a rule, no programs are required for this, since everything is visible to the naked eye. However, this is not always the case. Sometimes you log in and the whole site already refuses to work.

To avoid this, you need to take care of detecting DDoS attacks on your blog in advance.

First of all, you should monitor the traffic on your resource. The analysis can be carried out from the control panel. I never tire of repeating that the service is really unique; there are no others like it.

You can see where visitors come to your site from, from which countries. But of course everything may look plausible while these IP addresses are already in the hands of attackers. Therefore, we will use Scrutinize. With it, you can analyze network traffic.

I hope you can protect your blog from DDoS attacks. Apply in practice all the methods I described in the article, and you will be able to secure your web resource.
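Traffic monitoring is where an attack is usually first noticed, so here is an added example (not from the original article or any tool it names) of what "watching the traffic" looks like when done from the web server's own access log rather than a control panel. It runs two checks over constructed combined-format log lines: a per-source request limit, which catches a single noisy host, and a total-rate check against a quiet-period baseline, which catches the distributed case the article describes, where every zombie individually stays under the per-source limit. The log format, thresholds and sample addresses are assumptions.

```python
"""Added example: spotting a flood in web-server access logs.

Two checks run over the same log: a per-source limit (catches a single
noisy host) and a total-rate check against a quiet-period baseline (catches
a distributed flood where every source individually stays under the limit).
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined/common log format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, timestamp, request and status, or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def analyse(lines, window_s=60, per_ip_limit=30, total_factor=5.0):
    """Group requests into fixed windows and flag anomalies.

    Returns {"noisy_ips": set, "flood_windows": [{start, total, distinct_sources}]}.
    A window is a flood when its total exceeds total_factor * the median window
    total; the median serves as baseline because quiet windows outnumber attack
    windows in any realistic log, so one spike cannot drag the baseline up.
    """
    totals = Counter()
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the format instead of crashing
        w = int(rec["ts"].timestamp()) // window_s
        totals[w] += 1
        per_ip[w][rec["ip"]] += 1

    noisy_ips = set()
    for counts in per_ip.values():
        noisy_ips.update(ip for ip, n in counts.items() if n > per_ip_limit)

    flood_windows = []
    if totals:
        baseline = statistics.median(totals.values())
        for w in sorted(totals):
            if totals[w] > total_factor * baseline:
                start = datetime.fromtimestamp(w * window_s, tz=timezone.utc)
                flood_windows.append({
                    "start": start.isoformat(),
                    "total": totals[w],
                    "distinct_sources": len(per_ip[w]),
                })
    return {"noisy_ips": noisy_ips, "flood_windows": flood_windows}


def make_sample_log():
    """Constructed sample log: three quiet minutes, then one flood minute."""
    def fmt(ts, ip, path):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 612 "-" "Mozilla/5.0"'

    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(3):            # quiet traffic: 5 visitors, one hit each per minute
        for i in range(5):
            lines.append(fmt(base + timedelta(minutes=minute, seconds=10 * i),
                             f"198.51.100.{i + 1}", "/"))
    flood = base + timedelta(minutes=3)
    for z in range(40):                # 40 zombies, 5 requests each: each under per_ip_limit
        for k in range(5):
            lines.append(fmt(flood + timedelta(seconds=k), f"203.0.113.{z + 1}", "/index.php"))
    for k in range(50):                # one noisy host: over per_ip_limit on its own
        lines.append(fmt(flood + timedelta(seconds=k), "192.0.2.99", "/index.php"))
    return lines


if __name__ == "__main__":
    report = analyse(make_sample_log())
    print("noisy sources:", sorted(report["noisy_ips"]))
    for fw in report["flood_windows"]:
        print(f"flood at {fw['start']}: {fw['total']} requests from {fw['distinct_sources']} sources")
```

On the constructed log the per-source check flags only 192.0.2.99, while the 40 zombies slip under it; the total-rate check still flags the flood minute (250 requests from 41 sources against a baseline of 5), which is why a per-IP block alone is not enough against a distributed attack.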

Goodbye, dear readers!

Sincerely, Zhuk Yuri.

If you read our guide and implement all the described techniques, you will protect your computer from hacker threats. Don't neglect this!

In the field of information security, DDoS attacks occupy one of the leading places in the ranking of electronic threats. But most users have very limited knowledge of the topic. Now we will try to cover it in the most detailed and accessible way, so that you can understand what this type of threat is, how it is carried out and, accordingly, how to deal with it effectively. So, meet the DDoS attack.

Terminology

To speak the same language, we must introduce terms and their definitions.

A DoS attack is a denial-of-service attack; hence the English abbreviation DoS, Denial of Service. One of its subtypes is a distributed attack carried out simultaneously from several, and usually a large number of, hosts. We will devote the main part of the discussion to this option, because a DDoS attack carries more destructive consequences, and the only significant difference is in the number of hosts used for the attack.

To make it easier to understand: such actions are aimed at temporarily stopping the operation of some service. It can be a single website, a large Internet or mobile provider, or a separate service (such as card payment acceptance). For the attack to succeed and cause damage, it must be performed from a large number of points (this will be discussed in more detail below). Hence "distributed attack". But the essence remains the same: to interrupt the work of a certain system.

To complete the picture, you need to understand who and for what purpose is carrying out such actions.

Denial-of-service attacks, like other computer crimes, are punishable by law. Therefore, the material is presented for informational purposes only. They are carried out by IT specialists, people well versed in computers and computer networks, or, as it has become fashionable to say, hackers. Mostly this is aimed at making a profit, because as a rule unscrupulous competitors order DDoS attacks. A small example is appropriate here.

Let's say there are two large Internet providers in a small town, and one of them wants to oust the competitor. They order a distributed DoS attack on the competitor's servers from hackers. The second provider, due to the overload of its network, is no longer able to provide Internet access to its users. The result is the loss of customers and reputation. The hackers get their reward, and the unscrupulous provider gets new customers.

But it is not uncommon for people to "ddos" just for fun, or to hone their skills.

Distributed DDoS attack

Let's agree right away: we will analyze computer attacks. Therefore, when we talk about several devices from which an attack is carried out, these will be computers with illegal software installed.

Here a small digression is appropriate. In fact, to stop the operation of a service, you need to exceed the maximum load it can handle. The simplest example is website access. One way or another, a site is designed for a certain peak attendance. If at some point ten times more people visit it, the server will not be able to process such a volume and will stop working. And the connections at this moment will come from a large number of computers, the same nodes discussed above.

Let's see how it looks in the diagram below:

As you can see, the hacker has taken control of a large number of user computers and installed his malware on them. Thanks to it he can now perform the necessary actions, in our case a DDoS attack.

Thus, if you do not follow safety rules when working at a computer, you can become infected, and your computer may be used as a host to carry out malicious actions.


But how they will be used depends on which option the attacker chooses.

Classification of DDoS attacks

The following types of attacks can be attempted by intruders:

  1. Bandwidth congestion. For computers connected to the network to communicate normally, the communication channel connecting them must function normally and provide sufficient parameters for the tasks at hand (for example, bandwidth). This type of attack aims specifically at overloading network communication channels. This is achieved by constantly sending meaningless or service traffic (for example, the ping command).
  2. Resource limitation. We already discussed this type above, in the example with website access. As noted, the server can handle a limited number of concurrent connections. An attacker directs a large number of concurrent connections to the server; as a result, the server cannot cope with the load and stops working.
  3. DNS server attack. In this case the DDoS attack is also designed to cut off access to the website. Another option is to redirect the user from the real site to a fake one, which may be done to steal personal data. This is achieved by attacking DNS servers and substituting fake IP addresses. Let's look at an example. A bank uses its website for online payments. The user goes to it and enters card details. To steal this information, an attacker creates a look-alike site and attacks the DNS (name) servers. The purpose is to redirect the user to the attacker's site when he tries to open the bank's site. If this succeeds, the user, unaware of the threat, enters personal data on the attacker's site, and the attacker gains access to them.
  4. Software flaws. This is the most difficult type of attack. Attackers identify software flaws and use them to bring the system down. Ordering such a DDoS attack costs a lot of money.

How to carry out a do-it-yourself DDOS attack

As an example, we decided to show you how you can carry out a DDOS attack using special software.

To get started, download the program at this address. Then launch it. You should see a start window:

You need to make the minimum settings:

  1. In the "URL" column, write the address of the site that we want to attack
  2. Then we press the "Lock on" button - We will see the target resource
  3. We put the TCP method
  4. Choosing the number of threads (Threads)
  5. Set the sending speed using the slider
  6. When all the settings are finished, press the button "IMMA CHARGIN MAH LAZER"

That's it - the attack has begun. Once again, I repeat, all actions are presented for informational purposes only.

How to protect against DDOS attacks

You probably already understood that this type of threat is very dangerous. Therefore, it is very important to know the methods and principles of combating and preventing distributed attacks.

  1. Setting up filtration systems is a task for system administrators and hosting providers
  2. Purchase of protection systems against DDOS attacks (software and hardware systems)
  3. Using Firewall and Access Control Lists (ACL) - this measure is aimed at filtering suspicious traffic
  4. Increasing available resources and installing redundancy systems
  5. Reciprocal technical and legal measures. Up to bringing the culprit to criminal responsibility


Conclusion

Now you probably understand the whole danger of DDOS attacks. The issues of ensuring the safety of your resources must be approached very responsibly, not sparing time, effort and money. Better yet, have a separate specialist, or an entire information security department.


Undoubtedly, a DDoS attack is bad, unexpected and unprofitable. But don't panic. Distributed attacks are a reality of the modern Internet and should be treated like traffic jams. Never make hasty decisions. Don't buy fancy firewalls and the like. Just be patient and read specialized sites. You will find solutions in any case. If not, ask us for advice; we understand something about this and will definitely help you.

Introduction

Imagine that 100 thousand people on the Internet simultaneously connect to your web server and try to load its main page. Will your Internet bandwidth be enough? How can you protect yourself from malicious overloading of your communication channels?

Definitions

There are a large number of infected computers on the Internet that execute commands remotely; on command they can connect to any web server and download any page. Such a controlled computer is called a bot. A collection of such controlled computers is called a botnet. Every computer in this network is a zombie, always ready to obey the command of its master. Such a bot network can include up to several hundred thousand computers at once.

Where do bots come from?

Real computer owners often do not suspect that someone can control their computer remotely. Trojans now work unnoticed, and we, without realising it, allow unknown people to use the resources of our computers for their own purposes. People who run such a large bot network can blackmail large companies, owners of online stores, online casinos, news sites, payment systems and other popular resources, demanding a ransom so that they will not be attacked by the bot network.

Certainly, such computing resources are of clear practical interest. They can be used not only for DDoS attacks but also to send spam or to carry out distributed computing, such as password guessing. Therefore, attempts are very often made to steal a botnet. For a zombie computer to accept a command from its owner, the owner must prove his identity, for example with a password. If you guess this password, there is a chance to become the master of a small flock of computers. For example, this is possible for a network based on BlackEnergy bots, which are protected only by a password.

Example 1. The largest botnets

A new bot network called Kraken has been discovered, which includes about 400 thousand computers. This botnet is larger than the world-famous Storm botnet, which is about 100 thousand computers in size. Source: Damballa at RSA conference 7.04.2008

Ask yourself: what guarantees do I have that my computer is not part of a botnet? Does the installed signature antivirus provide such a guarantee? It does not look like it. According to statistics, 40% of computers in botnets have an antivirus that does not detect that the computer is infected. Does an installed behavioral antivirus or intrusion prevention system guarantee it? Perhaps, but many people don't even know what that is. And, deliberately, when leaving work, they never turn off the computer. Nobody is safe from complicity in organizing DDoS attacks.

For your computer to take part in a DDoS attack, it does not have to have a vulnerability or any malicious code installed. Your neighbour on the network, or a popular website on the Internet, can carry the attack code. For example, Trojan-Downloader.JS.Agent injects malicious JavaScript into the pages of all neighbouring computers, with the help of an attack, while they load pages in their browser from the Internet. It can be any code, including DDoS attack code. The following code in your browser will make 10,000 connections to any website:

<div id="attack" style="visibility:hidden">

</div>

If you read a page through a web browser, for example a page with this article, and this JavaScript code is embedded in it, then you become an accomplice in a DDoS attack and hit the site chosen by the script's author 10,000 times. And if 10,000 people read this article, then 100,000,000 (100 million) connections will be made to the site. Another option: if one of the users inserts this JavaScript into a site whose content is filled by the users themselves (forums, blogs, social networks), then everyone who visits the site will help carry out the attack. For example, if it is odnoklassniki.ru, which already has 20 million users, then theoretically an attack of 200,000,000,000 (200 billion) connections can be carried out on a site. And this is not the limit. So you can already imagine the scale of the threat. You need to defend yourself: owners of network resources need protection from attacks, and users need protection from becoming accomplices in them.

Example 2: How to carry out a DoS attack on a WEB server using two screwdrivers and a browser.

Launch Internet Explorer, enter the address of the required site, fix the Ctrl button with one screwdriver, and F5 with the other. The number of requests per second that your Internet Explorer will send can hinder the operation of the site and even prevent other people from visiting the same resource.

You need to prepare for a DDoS attack

The Internet is an aggressive enough environment that you should not start a business in it without worrying about your protection. But many companies live in it by the saying "a man does not cross himself until the thunder strikes". DoS and DDoS attacks are different in that they cannot be dealt with without prior preparation. And, even worse, they are still difficult to deal with even if you prepared in advance. If DNS and web sites are suffering now, then a threat to increasingly popular services such as VoIP and IPTV is on the way.

Example 3: DDoS attack on Estonian government websites

The attacks against Estonian government sites began after the authorities moved the Bronze Soldier statue from the center of Tallinn to the outskirts. As a result, many Estonian government sites stopped working, and the local computer rapid response team was forced to close access to the sites from abroad. The attacks peaked on May 8 and 9, 2007. According to the Estonian Prime Minister, the attacks were an avalanche of requests, sometimes up to 5 million per second, against a usual attendance of 1-1.5 thousand per day. Russia was blamed for this attack, especially since some Russian hackers claimed responsibility for these actions. Read whether Russia was really the source of the attack at the end of the article.

Unfortunately, many servers are exposed on the Internet without even firewall protection, not to mention more sophisticated security systems such as intrusion prevention systems. As a result, when an attack begins, it turns out there is nothing to defend with, and companies are forced to spend time (precious during an attack) on simple things such as installing a firewall on a server, installing an intrusion prevention system, or switching to another provider. But since DDoS attacks are difficult to stop even with protection systems installed, and during the attack you will not have time to choose the right method of protection, you can only rely on your provider's means of protection. And, as a rule, it is the provider that is responsible for repelling the DDoS attack. The right choice of provider is what this article is about. First, let's take a closer look at what denial-of-service attacks are.

DoS attack types

There are several ways to group DoS attacks by type. One of the logical categorizations of DoS attacks is here http://www.niser.org.my/resources/dos_attack.pdf

There are several types of DoS attacks.

  1. Destructive. Attacks that leave a network device completely inoperative: it freezes, or the operating system or configuration is destroyed. Such attacks are based on software vulnerabilities of the attacked systems.
  2. System resource attacks. Attacks that significantly reduce the performance of devices or applications. For example, this class includes the attack
  3. Channel capacity filling.

Attacks that aim to overflow channel bandwidth fall into this category. Usually any kind of TCP, ICMP or UDP packets are used to overflow the channel, with fake source addresses varying randomly over the whole range of possible values, and destination addresses likewise selected randomly from the range of the network on the attacked channel. However, such attacks are now carried out using networks of infected computers, where the attack source addresses are real and thus practically indistinguishable from the computers of real users connecting.

Another DDoS attack of this type is DRDoS (Distributed Reflection DoS), which can use any server on the Internet as a source of the attack. The idea of DRDoS: any server will respond to a TCP packet with the SYN flag with a TCP packet with the SYN+ACK flags. If the source address in the first packet is the victim's address, the server will send several SYN+ACK packets to the victim's address until it realizes that the victim does not want to connect and there will be no connection. If many such powerful servers are used for an attack, responding to false packets at a false address, the victim will be flooded with a stream of packets.
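The two TCP floods just described leave different traces on the wire, and an added example (not from the original article) shows how a defender would tell them apart in a summary of captured packets. A SYN flood from spoofed or zombie sources shows up as handshakes that never complete: SYNs towards the server with no ACK from the same source. A reflected DRDoS stream shows up at the victim as SYN+ACK packets from servers the victim never sent a SYN to, each retransmitted several times exactly as the text describes. The packet records, addresses and counts below are constructed; real captures would come from a tool such as tcpdump.

```python
"""Added example: telling a SYN flood and a reflected (DRDoS) SYN+ACK stream
apart from normal handshakes in a packet summary. Uses constructed records,
not real captures."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN+ACK, "A" = ACK (only handshake flags matter here)


def syn_flood_report(pkts, server):
    """Count half-open handshakes towards `server`.

    A real client answers the server's SYN+ACK with an ACK; a spoofed or zombie
    SYN never does, so SYNs without a following ACK from the same source pile up.
    """
    syns, acks = Counter(), Counter()
    for p in pkts:
        if p.dst != server:
            continue
        if p.flags == "S":
            syns[p.src] += 1
        elif p.flags == "A":
            acks[p.src] += 1
    half_open = {s: syns[s] - acks[s] for s in syns if syns[s] > acks[s]}
    return {"half_open": sum(half_open.values()), "distinct_sources": len(half_open)}


def reflection_report(pkts, victim):
    """Find SYN+ACK packets arriving at `victim` for which it never sent a SYN.

    In a DRDoS attack the attacker sends SYNs carrying the victim's address to
    many servers; each server then retransmits SYN+ACK to the victim several
    times before giving up. Returns {reflector_ip: unsolicited SYN+ACK count}.
    """
    asked = set()            # servers the victim itself really tried to connect to
    unsolicited = Counter()
    for p in pkts:           # packets must be in arrival order for this to be meaningful
        if p.src == victim and p.flags == "S":
            asked.add(p.dst)
        elif p.dst == victim and p.flags == "SA" and p.src not in asked:
            unsolicited[p.src] += 1
    return dict(unsolicited)


def make_sample_packets():
    """Constructed traffic: 3 honest clients, 100 spoofed SYNs, 1 honest outbound
    connection from the victim, and 5 reflectors retransmitting SYN+ACK 4 times each."""
    server, victim = "192.0.2.10", "192.0.2.20"
    pkts = []
    for i in range(3):                                   # complete three-way handshakes
        c = f"198.51.100.{i + 1}"
        pkts += [Pkt(c, server, "S"), Pkt(server, c, "SA"), Pkt(c, server, "A")]
    for i in range(100):                                 # SYN flood, one SYN per fake source
        pkts.append(Pkt(f"203.0.113.{i + 1}", server, "S"))
    pkts += [Pkt(victim, "198.51.100.50", "S"),          # victim's own legitimate connection
             Pkt("198.51.100.50", victim, "SA")]
    for r in range(5):                                   # reflected SYN+ACKs, 4 retransmits each
        pkts += [Pkt(f"192.0.2.{100 + r}", victim, "SA")] * 4
    return pkts, server, victim


if __name__ == "__main__":
    pkts, server, victim = make_sample_packets()
    print("SYN flood:", syn_flood_report(pkts, server))
    print("reflection:", reflection_report(pkts, victim))
```

The reflection check only works if packets are examined in arrival order, because a SYN+ACK is legitimate precisely when the victim's own SYN preceded it; the honest connection to 198.51.100.50 in the sample is not reported for that reason.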

Example 4: DDoS on Kommersant

The general director of the publishing house "Kommersant" Demyan Kudryavtsev said in an interview with the "Interfax" agency on March 14, 2008 that the company's financial losses associated with blocking the site www.kommersant.ru as a result of DDoS attacks amount to tens or even hundreds of thousands of dollars.

Kudryavtsev stressed that DDoS attacks on the Kommersant website are unprecedented for Russia: "If the known attacks on the websites of the Estonian embassy and the radio station 'Echo of Moscow' amounted to 200-300 megabytes of garbage traffic per second, then yesterday its level on our site reached 2 gigabytes per second," he noted.

Source: securitylab.ru

Attacks of types 1 and 2 are quite common, and administrators have long been using both network and host-based intrusion prevention systems (IPS) effectively against them. In this article we will talk about protection against type 3 attacks, since there is still no information about these protection methods on the Russian-speaking Internet. A type 3 attack can be detected by an intrusion detection or prevention system, but unfortunately no defense system will be able to block such an attack on the channel itself. The channel is full during an attack, and a higher-level provider must take part in protecting against it. IPSs are usually not used to defend against such attacks, although SYN-Flood and UDP-Flood protection signatures help reduce their impact by offloading the attacked servers.

Most often, botnets are used for attacks of this type; they perform completely legitimate connections and work with your network. The problem is that there are too many of them, and it is almost impossible to distinguish a zombie computer from a real user. Type 3 attacks are familiar to every summer resident trying to leave Moscow on Friday and return on Sunday: the Moscow Ring Road and all the highways in the region are clogged, and nothing can clear them. Everyone trying to break through the traffic curses it, although in fact they are themselves part of it. You just have to wait for it to end by itself.

DDoS protection for the corporate network

If your provider does not offer a DDoS blocking service, you have the option of asking someone else to do it without changing provider. We will look at such a service using the example of the company Antiddos(). Even if you are currently under attack, you can quickly block it using the Antiddos service via one of the following options.

DNS redirection and use of proxies

You register the IP addresses of the company's network in DNS. Let's say your web server is now on Antiddos's IP addresses. As a result the attack will be directed at their network, the DDoS traffic will be cut off, and the legitimate traffic for your web site will be delivered to all clients through a reverse proxy. This option suits Internet banks, online shops, online casinos and electronic magazines very well. In addition, the proxy can cache data.

BGP routes and GRE tunnels

You can use the BGP routing protocol to tell the whole Internet that your network is located on the site's network, so that all traffic is redirected there and cleaned of malicious content. Clean traffic is then forwarded to you via the GRE protocol, which delivers data to your network as if there were no DDoS attack. And you respond from your network to the packets that reach you as usual, since your channel is no longer congested.

Direct connection to the site

You can directly connect your network through and always be under their protection, but for obvious reasons this is not always possible. Then it will be difficult to carry out a DDoS attack on you.

Our company protects against DDoS attacks using its unique technologies. We do not use active remedies. Our entire infrastructure is built on a software and hardware complex of our own design, which allows us to flexibly configure the protection system to meet the needs of any client, as well as to resist attacks of any force.

Service from Akamai

Large companies such as IBM, Microsoft, Apple, Sony, AMD, BMW, Toyota, FedEx, NASA, NBA, MTV protect their WEB sites from DDoS attacks using the Akamai service (www.akamai.com). However, DDoS protection is just one of the features of the Akamai service. This service allows companies to have a mirror of their sites in thousands of different locations around the globe, guaranteeing 100% availability at all times. Typically, mirrors contain multimedia data such as video, audio and graphics. Akamai uses mathematical algorithms to solve congestion problems on web servers on a global scale. These algorithms were developed at the Massachusetts Institute of Technology (MIT). And it is thanks to them that Akamai ensures fast and reliable delivery of content to Internet users. There is also a sad fact in the fate of the company: one of the founders of Akamai, Daniel Levin, was killed while trying to stop terrorists in one of the planes hijacked on September 11, 2001 in the United States.

Example 6.

Yet even Akamai was once taken out of action for an hour, in 2004. It is said to have been an attack on DNS, but this is another murky story. More details here: www.washingtonpost.com/wp-dyn/articles/A44688-2004Jun15.html

DDoS protection for providers

In a normal situation, it is impossible to separate the traffic of bots from the traffic of real users: it looks like exactly the same requests from different source addresses. 99% of these source addresses may be bots, and only 1% real people who want to use your site. An obvious solution suggests itself: you just need a list of these zombies and to block them. But how do you collect such a global list, when the problem affects the whole world? As it turns out, this has already been done for us.

There are commercial companies that continually collect lists of the addresses of infected computers. All that remains is to pass your traffic through a filter that cuts off the unwanted requests and lets the legitimate ones through. The filter can be a firewall with a new filtering policy installed, or a router to which a new access list has been pushed, but the most effective option is a dedicated blocking device. It is time to name such manufacturers (in alphabetical order):

Arbor (www.arbornetworks.com/en/threat-management-system.html)
Cisco (www.cisco.com/en/US/products/ps5888/index.html)
CloudShield (www.cloudshield.com/Products/cs2000.asp)
Narus (www.narus.com/products/index.html)

Arbor collects lists of botnets (http://atlas.arbor.net/summary/botnets) for use in products from Arbor and its partners. These address lists are updated every 15 minutes and are used, for example, to detect protected workstations connecting to botnets in the IBM Proventia Anomaly Detection System product. Providers use Arbor's Peakflow SP technology, while corporate networks use Peakflow X. Devices from manufacturers of protection systems against distributed attacks differ primarily in the maximum speeds at which they operate and in the number of simultaneously protected clients. If your data channels already carry, or are planned to carry, more than one 10 Gbit connection, then you need to think carefully about which manufacturer to choose. In addition, manufacturers differ in various additional functionality, the time required to detect an attack and enable protection, performance, and other parameters.

Automation versus intelligence

When the attack is aimed not at the server but at overflowing the channel, the bots substitute arbitrary addresses as the source address, and the traffic looks like a stream of data from all Internet addresses to all addresses of the attacked network. This is the most difficult type of attack to counter.

Example 7: Attacking a provider

On May 30-31, 2007 the St. Petersburg provider Infobox underwent a massive DDoS attack - up to 2 GB per second. The attack was carried out from tens of thousands of addresses located around the world, including from Russia, Korea, the United Arab Emirates, and China. DNS servers were attacked. As a result, most of the channels were congested. The websites, servers and mailboxes hosted by the provider were completely or partially inaccessible. Tech support said: "We try to minimize the damage caused by the attack, but this is quite problematic and can cause inconvenience for some customers (blocking access from the networks of large providers)". According to Aleksey Bakhtiarov, the general director of Infobox, the attack was carried out from tens of thousands of addresses located around the world.

Many computer and Internet users have probably heard of DDoS attacks carried out by cybercriminals against the sites or servers of large companies. Let's see what a DDoS attack is, how it is done, and how to protect yourself from such actions.

What is a DDoS attack?

To begin with, it is worth figuring out what such illegal actions are. Let us say right away that in considering the topic "DDoS attack: how to do it yourself", the information is provided solely for informational purposes and not for practical use. All actions of this kind are criminally punishable.

The attack itself, by and large, is the sending of a sufficiently large number of requests to a server or site; once the request limit is exceeded, the web resource or the provider's service stops working, because the server is shut down by its security software, firewalls or specialized equipment.

It is clear that a do-it-yourself DDoS attack cannot be created by one user from one computer terminal without special programs. After all, nobody will sit for days on end sending a request to the attacked site every minute. That approach will not work, since every provider has protection against DDoS attacks, and a single user cannot generate enough requests to a server or website to exceed the request limit in a short time and trigger the various protective mechanisms. So something else has to be used to create such an attack. But more on that later.

Why is there a threat?

Now that we know what a DDoS attack is, namely sending more requests to a server than it can handle, it is worth considering the mechanisms by which such actions are performed.

These may be unreliable systems unable to cope with a huge number of requests, gaps in the provider's security system or in the operating systems themselves, a lack of system resources to process incoming requests leading to a system freeze or emergency shutdown, etc.

At the dawn of this phenomenon, do-it-yourself DDoS attacks were carried out mainly by programmers themselves, who used them to create and test the performance of protection systems. Incidentally, even such IT giants as Yahoo, Microsoft, eBay, CNN and many others suffered from the actions of cybercriminals who used DoS and DDoS components as weapons. The key point in those situations was an attempt to eliminate competitors by restricting access to their Internet resources.

In general, modern e-merchants do the same. To do this, you simply download a program for DDoS attacks, and then, as they say, it's a matter of technology.

Types of DDoS attacks

Now a few words about the classification of attacks of this type. The common goal of all of them is to disable the server or site. The first type exploits errors: incorrect instructions are sent to the server for execution, causing it to terminate abnormally. The second type is the mass sending of user data, which leads to an endless (cyclic) check and an increase in the load on system resources.

The third type is flood. As a rule, this is the submission of deliberately malformed (meaningless) requests to the server or network equipment in order to increase the load. The fourth type is the so-called clogging of communication channels with false addresses. An attack can also alter the configuration of the computer system itself, rendering it completely inoperable. In general, the list can be long.

DDoS attack on the site

As a rule, such an attack is associated with a specific hosting and is aimed exclusively at one predetermined web resource (in the example in the photo below, it is conventionally designated as example.com).

If there are too many requests to the site, the site becomes unreachable not because the site itself fails, but because the provider's server side cuts it off; more precisely, not even the server itself or the security system, but the provider's support service. In other words, such attacks aim to make the hosting provider deny service to the site owner once a certain contractual traffic limit is exceeded.

DDoS attack on the server

As for server attacks, they are directed not at any particular hosting account, but at the provider that provides it. The site owners who happen to suffer because of this are incidental. The main victim is the provider.

DDoS Attack Application

Now we come to how such an attack is made using specialized utilities. We note right away that applications of this type are not particularly secret: they are available for free download on the Internet. For example, the simplest and most well-known DDoS attack program, called LOIC, is freely available on the World Wide Web. It can only attack sites and terminals whose URL and IP addresses are already known.

For ethical reasons, we will not consider now how to obtain the victim's IP address. We proceed from the fact that we have the initial data.

To start the application, the executable file Loic.exe is used, after which the source addresses are entered in the top two lines on the left side, and then two buttons "Lock on" are pressed - slightly to the right opposite each line. After that, the address of our victim will appear in the window.

Below there are sliders for adjusting the request transmission rate for TCP / UDF and HTTP. By default, the value is set to "10". Increase it to the limit, then press the big button "IMMA CHARGIN MAH LAZER" to start the attack. You can stop it by pressing the same button again.

Naturally, one such program, which is often called a "laser cannon", will not be able to cause trouble for some serious resource or provider, since the protection against DDoS attacks is quite powerful there. But if a group of people use a dozen or more of these guns at the same time, you can achieve something.

DDoS protection

On the other hand, anyone who attempts a DDoS attack should understand that there are no fools on the "other" side either. They can easily figure out the addresses from which such an attack is made, and this is fraught with the most dire consequences.

As for ordinary hosting owners, the provider usually includes appropriate protection in its package of services. There are many means of preventing such actions: say, redirecting the attack back to the attacker, redistributing incoming requests across several servers, filtering traffic, duplicating protection systems to prevent false alarms, increasing resources, etc. By and large, an ordinary user has nothing to worry about.

Instead of an afterword

It should be clear from this article that making a DDoS attack yourself with special software and some initial data is not difficult. Another question is whether it is worth doing, especially for an inexperienced user who decides to try it just for sport. Everyone should understand that such actions will in any case provoke retaliatory measures from the attacked side, and, as a rule, not in favor of the user who launched the attack. Moreover, under the criminal codes of most countries, such actions can land you, as they say, in places not so distant for a couple of years. Who wants that?

In this article, I would like to consider DDOS attacks from the point of view of an ordinary webmaster or site owner. The first time, an incident like this can come as a surprise and make you nervous. But in reality the problem is quite common, and sooner or later almost every website owner faces it.

Why was the site under attack? How long can an attack last?

Before taking action, you need to analyze the situation and understand the possible reasons for the attack on the site. Is the attack random, or was it to be expected?

If your resource is a commercial one, the attack may well be the intrigues of competitors.

If the resource is non-commercial but popular, you may have become the victim of Internet extortionists (often schoolchildren) who will soon send you a letter demanding that you pay a certain amount to stop the attack. Do not under any circumstances enter into such negotiations! Light to medium attacks are repelled without significant expense, and a large attack will still cost the person ordering it more than your protection costs you. In addition, serious attacks rarely last more than a day because of the high cost of organizing them.

Projects that are a priori susceptible to DDOS attacks should be considered separately: online gaming sites (Lineage 2), investment projects, and so on. If your project is initially in a high-risk zone, then you need to think about protection against attacks in advance, even before launching.

What kind of attack did you face?

If the site is hosted on a regular web hosting, then you will learn about the fact of a DDOS attack directly from your hosting provider. This unpleasant news, most likely, will be accompanied by a blocking of hosting and a requirement to switch to a dedicated server or, at least, remove the problem resource from the hosting.

During an attack, the hoster is just as much a hostage to the situation as you are, if not more so - after all, tens or hundreds of other users of the server are affected. Blocking an account on a server with shared resources is the measure available to the provider for a quick solution to the problem, unless, of course, the hosting terms provide for protection against attacks.

Only the hoster can provide reliable information about an attack. If the hoster offers only excuses and does not contribute to solving the problem in any way, then it is worth thinking about moving (unfortunately, this situation is not uncommon today).

The hoster usually divides attacks into two levels: flood - an initial or medium-level attack that can be repelled without external protection by placing the site on dedicated resources and configuring the server accordingly - and a high-level DDOS attack proper, which can only be repelled using external software and hardware protection.

If the site is hosted on a VPS, you can determine the level of the attack yourself by temporarily disabling the web server and analyzing its logs, or by contacting server administration specialists for help. You can find such specialists, for example, on freelance exchanges in the "System Administration" section or on webmaster forums in the hosting sections. A server audit will be either free or not very expensive. Of course, the audit should only be entrusted to reputable specialists.

Knowing the details of the attack will make it easier for you to decide exactly what action to take to solve the problem.

In most cases, site owners are faced with an http flood - an attack in which a web server is overloaded with many simultaneous requests from a relatively small number of IP addresses (usually within a few thousand).

The hoster usually offers a move to a VPS or a dedicated server, where you can configure filtering of problem requests at the level of the Nginx web server, or block the IP addresses of bot machines with a firewall (iptables, APF, ipfw). Scripts that analyze the web server logs can be run regularly via cron, which gives automatic protection against medium attacks.
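As an added example (not code from the original article), the kind of log-analysis script the previous paragraphs describe: it parses access-log lines in the nginx/Apache combined format, finds source addresses that exceed a request threshold within a sliding time window, and renders the matching iptables rules as text for an administrator to review before applying. The log lines are constructed, and the 60-second window and the threshold are assumed values that a real deployment would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefix of the nginx/Apache "combined" access log format: ip, ident, user, [time], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, request) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")

def flood_sources(lines, threshold, window_seconds=60):
    """Map each IP that made >= threshold requests within any window_seconds span
    to its peak count. A per-IP sliding window is used so a burst straddling a
    minute boundary is still caught (fixed per-minute buckets would miss it)."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:                      # skip lines that do not parse
            per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1              # slide the window's left edge forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def iptables_rules(flagged):
    """Render DROP rules for the flagged sources as text to review, not to run."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip in sorted(flagged)]

def sample_line(ip, hhmmss, path="/"):
    # One constructed log line; the date and addresses are not from a real attack.
    return (f'{ip} - - [31/May/2007:{hhmmss} +0400] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')

# Constructed sample: two bots send 10 requests each (one burst crosses the
# 10:00/10:01 minute boundary), one real visitor sends two, plus a junk line.
SAMPLE_LOG = (
    [sample_line("203.0.113.10", f"10:00:{s:02d}") for s in range(55, 60)]
    + [sample_line("203.0.113.10", f"10:01:{s:02d}") for s in range(0, 5)]
    + [sample_line("198.51.100.7", f"10:02:{s:02d}") for s in range(0, 10)]
    + [sample_line("192.0.2.5", "10:00:10"), sample_line("192.0.2.5", "10:03:40", "/about")]
    + ["not a log line"]
)
```

Run from cron against the live access log with a threshold well above the request rate of a real visitor; the burst that straddles the minute boundary shows why a sliding window is preferable to counting per calendar minute.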

If a hoster offers a move to a VPS or a dedicated server, then before agreeing check whether it is ready to configure appropriate protection against attacks on the server, and under what conditions. A self-respecting hoster is often ready to help in the fight against flooding when you move to a server, either for free or for relatively little money - up to $30-50 one-time.

If the hoster is not ready to help with protection against the attack, or cannot give any guarantee that it will cope with an attack of the current level, then do not rush to move to the server. Consider the available external means of protection. For example, the service http://www.cloudflare.com, where even the free plan can help fight off floods and mid-level attacks. The setup comes down to registering with CloudFlare and changing the DNS records for your site's domain. Similar services can be obtained from Highloadlab.

If you are faced with a high-level attack that cannot be repelled without external means of protection, you need to make a decision by comparing the cost of repelling the attack with the damage from downtime. Sometimes it is easier to wait out the attack for a day or two, leaving a stub page on the site with a message about the temporary unavailability of the project and a 503 code for search engine bots, rather than repel the attack right away. Keep in mind that the cost of really serious attacks is higher than your defense costs, which means the attack may stop sooner than you think.
