DoS and DDoS attacks: concept, types, methods of detection and protection. New massive DDoS attacks. Will traditional technical means of protection against DDoS attacks help?

A DoS or DDoS attack is an aggressive external impact on the computing resources of a server or workstation, carried out with the goal of bringing it to failure. By failure we mean not the physical failure of a machine, but the inaccessibility of its resources to bona fide users: the system's refusal to service them (Denial of Service, which is what the abbreviation DoS comes from).

If such an attack is carried out from a single computer, it is classified as DoS; if from several, as DDoS (Distributed Denial of Service). Next, we'll talk about why attackers carry out such attacks, what they are, what harm they cause to those attacked, and how the latter can protect their resources.

Who can suffer from DoS and DDoS attacks?

Corporate servers of enterprises and websites are attacked; much less often, the personal computers of individuals. The purpose of such actions, as a rule, is one: to cause economic harm to the target while remaining in the shadows. In some cases, DoS and DDoS attacks are one of the stages of server hacking and are aimed at stealing or destroying information. In fact, any company or website can become a victim of attackers.

A diagram illustrating the essence of a DDoS attack:

DoS and DDoS attacks are most often carried out at the instigation of dishonest competitors. For example, by "crashing" the website of an online store that offers a similar product, you can temporarily become a "monopolist" and take its customers for yourself. By "putting down" a corporate server, you can disrupt the work of a competing company and thereby weaken its position in the market.

Large-scale attacks that can cause significant damage are usually carried out by professional cybercriminals for a lot of money. But not always. Your resources can be attacked by home-grown amateur hackers out of interest, avengers from among fired employees, and simply those who do not share your views on life.

Sometimes the impact is carried out for the purpose of extortion, while the attacker openly demands money from the owner of the resource to stop the attack.

The servers of state-owned companies and well-known organizations are often attacked by anonymous groups of highly skilled hackers in order to influence officials or cause public outcry.

How attacks are carried out

The operating principle of DoS and DDoS attacks is to send a large flow of data to the server, which loads the processor and RAM as heavily as the attacker's capabilities allow, clogs communication channels, or fills disk space. The attacked machine is unable to process the incoming data and stops responding to user requests.

This is what normal server operation looks like, visualized in the Logstalgia program:

The effectiveness of single-source DoS attacks is not very high. In addition, an attack from a personal computer exposes the attacker to the risk of being identified and caught. Distributed attacks (DDoS) carried out from so-called zombie networks, or botnets, are far more effective.

This is how the Norse-corp.com website displays the botnet’s activity:

A zombie network (botnet) is a group of computers that have no physical connection with each other. What they have in common is that they are all under the control of an attacker. Control is exercised through a Trojan horse, which may not manifest itself in any way until it is needed. When carrying out an attack, the hacker instructs the infected computers to send requests to the victim's website or server. Unable to withstand the load, the target stops responding.

This is how Logstalgia shows a DDoS attack:

Absolutely any computer can join a botnet. And even a smartphone. It is enough to catch a Trojan and not be detected in time. By the way, the largest botnet consisted of almost 2 million machines around the world, and their owners had no idea what they were doing.

Methods of attack and defense

Before launching an attack, the hacker figures out how to carry it out with maximum effect. If the attacked node has several vulnerabilities, the impact can be carried out in different directions, which significantly complicates countermeasures. Therefore, it is important for every server administrator to study all of its weak points and, if possible, strengthen them.

Flood

Flood, in simple terms, is data that carries no meaning. In the context of DoS/DDoS attacks, a flood is an avalanche of empty, meaningless requests at one protocol level or another, which the receiving node is forced to process.

The main purpose of using flooding is to completely clog communication channels and saturate the bandwidth to the maximum.

Types of flood:

  • MAC flood - targets network switches (blocking ports with data flows).
  • ICMP flood - inundating the victim with ICMP echo requests using a zombie network, or sending requests "on behalf of" the attacked node so that all members of the botnet simultaneously send it an echo response (Smurf attack). A special case of ICMP flood is ping flood (sending ping requests to the server).
  • SYN flood - sending numerous SYN requests to the victim, overflowing the TCP connection queue by creating a large number of half-open connections (waiting for client confirmation).
  • UDP flood - works according to the Smurf attack scheme, but UDP datagrams are sent instead of ICMP packets.
  • HTTP flood - flooding the server with numerous HTTP requests. A more sophisticated option is HTTPS flooding, where the requests are encrypted, so the attacked node must decrypt them before it can process them.


How to protect yourself from flooding

  • Configure network switches to validate and filter MAC addresses.
  • Restrict or disable the processing of ICMP echo requests.
  • Block packets from any address or domain that gives reason to consider it untrustworthy.
  • Limit the number of half-open connections from a single address, reduce how long they are held, and lengthen the TCP connection queue.
  • Prevent UDP services from receiving traffic from outside, or limit the number of UDP connections.
  • Use CAPTCHA, delays and other bot protection techniques.
  • Increase the maximum number of HTTP connections and configure request caching using nginx.
  • Expand network channel capacity.
  • If possible, dedicate a separate server to handle cryptography (if used).
  • Create a backup channel for administrative access to the server in emergency situations.

Hardware resource overload

There are types of flooding that affect not the communication channel, but the hardware resources of the attacked computer, loading them to their full capacity and causing a freeze or crash. For example:

  • Creating a script that posts a huge amount of meaningless text on a forum or website where users can leave comments, until all disk space is filled.
  • The same effect, but achieved by filling the drive with server logs.
  • Loading a site that performs some transformation of entered data by making it process such data continuously (sending so-called "heavy" packets).
  • Loading the processor or memory by executing code through the CGI interface (CGI support allows an external program to be run on the server).
  • Triggering the security system so that it makes the server inaccessible from the outside, etc.


How to protect yourself from overloading hardware resources

  • Increase hardware performance and disk space. When the server is operating normally, at least 25-30% of the resources should remain free.
  • Analyze and filter traffic before it reaches the server.
  • Limit the use of hardware resources by system components (set quotas).
  • Store server log files on a separate drive.
  • Distribute resources across several servers independent of each other, so that if one part fails, the others remain operational.

Vulnerabilities in operating systems, software, device firmware

There are immeasurably more options for carrying out this type of attack than using flooding. Their implementation depends on the qualifications and experience of the attacker, his ability to find errors in the program code and use them to his benefit and to the detriment of the resource owner.

Once a hacker discovers a vulnerability (an error in software that can be used to disrupt the operation of the system), all he has to do is create and run an exploit - a program that exploits this vulnerability.

Exploitation of vulnerabilities is not always intended to cause only a denial of service. If the hacker is lucky, he will be able to gain control of the resource and use this "gift of fate" at his own discretion: for example, to distribute malware, steal or destroy information, etc.

Methods to counter the exploitation of software vulnerabilities

  • Install operating system and application updates that fix vulnerabilities in a timely manner.
  • Isolate all services intended for administrative tasks from third-party access.
  • Continuously monitor the operation of the server OS and programs (behavioral analysis, etc.).
  • Avoid potentially vulnerable programs (free, self-written, rarely updated) in favor of proven, well-protected ones.
  • Use ready-made DoS/DDoS protection products, which exist in both hardware and software form.

How to determine that a resource has been attacked by a hacker

If the attacker achieves the goal, the attack is impossible to miss, but in some cases the administrator cannot determine exactly when it began: several hours sometimes pass between the onset of the attack and noticeable symptoms. However, even during this hidden phase (before the server goes down), certain signs are present. For example:

  • Unnatural behavior of server applications or the operating system (freezes, termination with errors, etc.).
  • CPU, RAM and storage load increases sharply compared to the baseline level.
  • The volume of traffic on one or more ports increases significantly.
  • There are multiple requests from clients to the same resources (opening the same website page, downloading the same file).
  • Analysis of server, firewall and network device logs shows a large number of monotonous requests from various addresses, often directed at a specific port or service. This is especially telling if the site is aimed at a narrow audience (for example, Russian-speaking) but requests come from all over the world. A closer analysis of the traffic shows that the requests have no practical meaning for clients.

All of the above is not a 100% sign of an attack, but it is always a reason to pay attention to the problem and take appropriate protective measures.
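The log-based signs above can be checked mechanically. The following Python script is an added example, not part of the original article: it parses web-server access-log lines in the common/combined format and flags a URL that receives many identical requests from many distinct addresses within a short window (the distributed case), as well as any single address that exceeds a request-rate threshold (the single-source case). The log lines, addresses and thresholds are constructed for the example; tune the thresholds to your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined web-server log line (nginx or Apache access log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, size, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def _windows(events, window_s):
    """Yield every trailing window of at most window_s seconds over a list of
    (timestamp, value) pairs, sorted by time (sliding-window scan)."""
    events = sorted(events)
    start = 0
    for end in range(len(events)):
        while (events[end][0] - events[start][0]).total_seconds() > window_s:
            start += 1
        yield events[start:end + 1]


def find_monotonous_paths(lines, window_s=10, min_requests=20, min_sources=5):
    """Paths that, within some window_s-second window, receive at least
    min_requests requests from at least min_sources distinct client addresses:
    the 'many identical requests from many addresses' sign.
    Returns {path: (requests, distinct_sources)} for the busiest window seen."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append((rec["ts"], rec["ip"]))
    flagged = {}
    for path, events in by_path.items():
        for win in _windows(events, window_s):
            sources = {ip for _, ip in win}
            if len(win) >= min_requests and len(sources) >= min_sources:
                flagged[path] = max(flagged.get(path, (0, 0)),
                                    (len(win), len(sources)))
    return flagged


def find_noisy_sources(lines, window_s=10, min_requests=50):
    """Single client addresses exceeding min_requests in any window_s-second
    window (the single-source DoS case). Returns {ip: requests}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in by_ip.items():
        for win in _windows(events, window_s):
            if len(win) >= min_requests:
                flagged[ip] = max(flagged.get(ip, 0), len(win))
    return flagged


def constructed_log():
    """Constructed sample log (not from any real server): three ordinary visits,
    then 30 distinct addresses in 198.51.100.0/24 each fetch the same search
    URL within six seconds."""
    lines = [
        '203.0.113.10 - - [10/Mar/2017:12:00:00 +0300] "GET /index.html HTTP/1.1" 200 5120',
        '203.0.113.11 - - [10/Mar/2017:12:00:03 +0300] "GET /about.html HTTP/1.1" 200 2211',
        '203.0.113.10 - - [10/Mar/2017:12:00:05 +0300] "GET /catalog/ HTTP/1.1" 200 8871',
    ]
    for i in range(30):
        lines.append(
            f'198.51.100.{i + 1} - - [10/Mar/2017:12:00:0{i % 6} +0300] '
            f'"GET /catalog/search?q=sale HTTP/1.1" 200 91231'
        )
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("monotonous paths:", find_monotonous_paths(log))
    print("noisy sources:", find_noisy_sources(log))
```

On the constructed log the search URL is flagged with 30 requests from 30 sources, while no single address trips the per-source check, which is exactly the pattern that distinguishes a distributed flood from one misbehaving client.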

The FSB is investigating a criminal case regarding a massive hacker attack using the Internet of Things (IoT) on financial sector facilities in the fall of 2016, the targets of which were Sberbank, Rosbank, Alfa-Bank, Bank of Moscow, Moscow Exchange and others.

As Kommersant writes, Deputy Director of the FSB Dmitry Shalkov spoke about this when speaking in the State Duma at the presentation of a package of government bills on the security of critical information infrastructure (CII) of the Russian Federation.

In 2016, about 70 million DDoS attacks were recorded on Russian official information resources, which is three times more than the year before. However, the November hacker attacks are different from most of them, Shalkov noted.

According to him, between November 8 and November 14, medium-power DDoS attacks were carried out on eight organizations. They involved so-called botnets (computers with Internet access hacked and taken under control by hackers) made up of IoT devices connected to the network, in particular web cameras. The deputy director of the FSB noted the similarity of the coordinated attack on Russian structures with the six-hour October attack in the United States aimed at the services of the Internet provider Dyn, as a result of which a whole series of major American resources (Twitter, CNN, Spotify, The New York Times and Reddit) were unavailable for a long time.

However, the attacks were not accompanied by theft of funds, and the attacked banks did not record any disruption to their services. After the November attacks, such incidents did not recur, the Central Bank of the Russian Federation reported.

Kommersant notes that DDoS attacks themselves are not aimed at stealing money; they are used, as a rule, to block websites and online banking services. Gleb Cherbov, deputy head of the security audit department at Digital Security, explained that “devices and servers controlled by attackers are united in botnets, ready to generate network traffic that acquires fatal proportions for the system under attack.” However, massive DDoS attacks can cause serious losses for banks. For example, the unavailability of services can cause panic among depositors, who will begin to withdraw deposits en masse. In addition, massive DDoS attacks are often used to disguise other activities. In particular, while security experts are fixing the vulnerability, attackers can penetrate the banking infrastructure.

According to the publication, the initiation of a criminal case by the FSB into hacker attacks in November 2016 means that the suspects have already been identified by the investigation. The investigation deals with such cases for at least six months, but in reality the period stretches for two to three years, the publication’s source notes.

Who is being attacked?

According to the Central Bank, in 2016 the number of attacks on Russian financial institutions almost doubled. In November, DDoS attacks were aimed at five large Russian banks. At the end of last year, the Central Bank reported DDoS attacks on financial organizations, including the Central Bank itself. "The purpose of the attacks was to disrupt services and, as a result, undermine trust in these organizations. These attacks were notable because it was the first large-scale use of the Internet of Things in Russia. The attack mainly involved Internet video cameras and household routers," noted the security services of large banks.

At the same time, the DDoS attacks did not cause significant damage to the banks: they are well protected, so such attacks, although they caused trouble, were not critical and did not disrupt a single service. However, it can be stated that hacker activity against banks has increased significantly.

In February 2017, the technical services of the Russian Ministry of Health repelled the largest DDoS attack in recent years, which at its peak reached 4 million requests per minute. There have also been DDoS attacks on government registries, but they were also unsuccessful and did not lead to any changes to the data.

However, numerous organizations and companies that do not have such powerful “defenses” become victims of DDoS attacks. In 2017, damage from cyber threats – ransomware, DDoS and attacks on Internet of Things devices – is expected to increase.


IoT devices are becoming increasingly popular as tools for carrying out DDoS attacks. A significant event was the DDoS attack launched in September 2016 using the Mirai malicious code. In it, hundreds of thousands of cameras and other devices from video surveillance systems acted as means of attack.

It was carried out against the French hosting provider OVH. It was a powerful DDoS attack of almost 1 Tbit/s. Hackers used a botnet of 150 thousand compromised IoT devices, mostly CCTV cameras. The Mirai botnet attacks have given rise to many IoT device botnets. According to experts, in 2017 IoT botnets will continue to be one of the main threats in cyberspace.


According to the 2016 Verizon data breach incident report (DBIR), the number of DDoS attacks increased markedly last year. In the world, the entertainment industry, professional organizations, education, IT, and retail are suffering the most.

A notable trend in DDoS attacks is the expansion of the "list of victims." It now includes representatives of almost all industries. In addition, attack methods are being improved.

According to Nexusguard, at the end of 2016 the number of mixed-type DDoS attacks, using several vulnerabilities at once, increased noticeably. Most often, financial and government organizations were subjected to them. The main motive of cybercriminals (70% of cases) is the theft of data or the threat of its destruction for ransom; less often, political or social goals. This is why a defense strategy is important: it helps prepare for an attack and minimize its consequences, reducing financial and reputational risks.

Consequences of the attacks

What are the consequences of a DDoS attack? During an attack, the victim loses customers due to slow operation or complete unavailability of the site, and the reputation of the business suffers. The service provider may block the victim's IP address to minimize damage to other clients. It will take time and possibly money to restore everything.
According to the company's survey, DDoS attacks are considered by half of organizations as one of the most serious cyber threats. The danger of DDoS is even greater than the danger of unauthorized access, viruses, fraud and phishing, not to mention other threats.

Average losses from DDoS attacks are estimated globally at $50,000 for small organizations and almost $500,000 for large enterprises. Eliminating the consequences of a DDoS attack will require additional staff time, diversion of resources from other projects to ensure security, development of a software update plan, equipment modernization, etc.


The reputation of the attacked organization may suffer not only due to poor site performance, but also due to theft of personal data or financial information.
According to a company survey, the number of DDoS attacks is growing annually by 200%; 2 thousand attacks of this type are reported every day in the world. The cost of organizing a week-long DDoS attack is only about $150, and the victim's losses on average exceed $40,000 per hour.

Types of DDoS attacks

The main types of DDoS attacks are massive attacks, protocol-level attacks, and application-level attacks. In any case, the goal is to disable the site or steal data. Another type of cybercrime is the threat of a DDoS attack to obtain a ransom. Such hacker groups as Armada Collective, Lizard Squad, RedDoor and ezBTC are famous for this.

Organizing DDoS attacks has become noticeably simpler: now there are widely available automated tools that require virtually no special knowledge from cybercriminals. There are also paid DDoS services for anonymously attacking the target. For example, the vDOS service offers its services without checking whether the customer is the owner of the site who wants to test it “under load”, or whether this is done for the purpose of an attack.


DDoS attacks are multi-source attacks that prevent legitimate users from accessing the site being attacked. To do this, a huge number of requests are sent to the attacked system, which it cannot cope with. Typically, compromised systems are used for this purpose.

The annual increase in the number of DDoS attacks is estimated at 50% (according to data), but data from different sources differs, and not all incidents become known. The average power of Layer 3/4 DDoS attacks has increased in recent years from 20 to several hundred GB/s. Although massive DDoS and protocol-level attacks are bad enough in themselves, cybercriminals are increasingly combining them with Layer 7 DDoS attacks, that is, at the application level, which are aimed at changing or stealing data. Such “multi-vector” attacks can be very effective.


Multi-vector attacks make up about 27% of the total number of DDoS attacks.

In the case of a mass DDoS attack (volume based), a large number of requests are used, often sent from legitimate IP addresses, so that the site is “choked” in traffic. The goal of such attacks is to “clog” all available bandwidth and block legitimate traffic.

In the case of a protocol-level attack (such as UDP or ICMP), the goal is to exhaust system resources. To do this, open requests are sent, for example TCP/IP requests with fake source IPs, and as network resources are exhausted it becomes impossible to process legitimate requests. Typical examples are the attacks known as Smurf DDoS, Ping of Death and SYN flood. Another type of protocol-level DDoS attack involves sending a large number of fragmented packets that the system cannot handle.

Layer 7 DDoS attacks involve sending seemingly innocuous requests that appear to be the result of normal user actions. Typically, they are carried out using botnets and automated tools. Notable examples are Slowloris, Apache Killer, Cross-site scripting, SQL injection, Remote file injection.

In 2012–2014, the majority of massive DDoS attacks were Stateless attacks (without remembering states or tracking sessions) - they used the UDP protocol. In the case of Stateless, many packets circulate in one session (for example, opening a page). Stateless devices, as a rule, do not know who started the session (requested the page).

The UDP protocol is susceptible to spoofing, that is, forging the source address. For example, to attack the DNS server at 56.26.56.26 using a DNS Amplification attack, an attacker could create a set of packets with the source address 56.26.56.26 and send them to DNS servers around the world. These servers will then send their responses to 56.26.56.26.

The same method works for NTP servers and SSDP-enabled devices. NTP is perhaps the most popular method: in the second half of 2016, it was used in 97.5% of DDoS attacks.

Best Current Practice 38 (BCP 38) recommends that ISPs configure their gateways to prevent spoofing by checking that the source address of outgoing packets belongs to the originating network. But not all countries follow this practice. In addition, attackers bypass BCP 38 controls by using stateful attacks at the TCP level. According to the F5 Security Operations Center (SOC), such attacks have dominated over the past five years. In 2016, there were twice as many TCP attacks as UDP attacks.

Layer 7 attacks are mainly used by professional hackers. The principle is as follows: a "heavy" URL is taken (with a PDF file or a query to a large database) and is requested tens or hundreds of times per second. Layer 7 attacks have severe consequences and are difficult to detect. They now make up about 10% of DDoS attacks.


Ratio of different types of DDoS attacks according to the Verizon Data Breach Investigations Report (DBIR) (2016).

DDoS attacks are often timed to coincide with periods of peak traffic, for example, online sales days. Large flows of personal and financial data at this time attract hackers.

DDoS attacks on DNS

The Domain Name System (DNS) plays a fundamental role in the performance and availability of a website and, ultimately, in the success of your business. Unfortunately, DNS infrastructure is often the target of DDoS attacks. By suppressing your DNS infrastructure, attackers can damage your website, your company's reputation, and your financial performance. To combat today's threats, DNS infrastructure must be highly resilient and scalable.

Essentially, DNS is a distributed database that, among other things, maps human-readable site names to IP addresses, allowing the user to reach the desired site after entering a URL. A user's first interaction with a website begins with DNS queries for your website's domain name sent to a DNS server. Their processing can account for up to 50% of a web page's loading time. Thus, reduced DNS performance can lead to users leaving the site and to business losses. If your DNS server stops responding as a result of a DDoS attack, no one will be able to reach your site.

DDoS attacks are difficult to detect, especially at the beginning, when the traffic appears normal. DNS infrastructure may be subject to various types of DDoS attacks. Sometimes this is a direct attack on DNS servers. In other cases, DNS systems are exploited to attack other elements of the IT infrastructure or other services.


In DNS Reflection attacks, the target is flooded with DNS responses it never requested. Botnets of hundreds or thousands of infected computers are used for this. Each bot generates several DNS queries, but uses the target's IP address as the source IP (spoofing). The DNS servers then send their responses to that address.

This achieves a double effect. The target system is bombarded with thousands and millions of DNS responses, and the DNS server may go down, unable to cope with the load. The DNS request itself is usually less than 50 bytes, but the response is ten times longer. In addition, DNS messages can contain a lot of other information.

Let's say the attacker issued 100,000 short DNS requests of 50 bytes each (5 MB in total). If each response contains 1 KB, then the total is already 100 MB. Hence the name – Amplification. The combination of DNS Reflection and Amplification attacks can have very serious consequences.


The requests look like normal traffic, and the responses are many large messages directed to the target system.
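The arithmetic above, and the fact that reflected responses never had a matching query, can both be made concrete. The following Python is an added example, not part of the original article: amplification() reproduces the article's 100,000 × 50-byte case (1 KB is taken as 1000 bytes, as the article's 100 MB figure implies), and unsolicited_responses() is the stateful check a host or firewall can apply from the victim's side, remembering the queries it actually sent and flagging any response that matches none of them. The addresses, transaction IDs and sizes are constructed (RFC 5737 documentation ranges), not a real capture.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not a real capture.
VICTIM = "192.0.2.7"            # host whose address the attacker spoofs
OUR_RESOLVER = "198.51.100.53"  # the resolver the victim legitimately uses


@dataclass(frozen=True)
class DnsMsg:
    src: str           # source IP
    dst: str           # destination IP
    txid: int          # DNS transaction ID
    qname: str         # queried name
    is_response: bool  # False for a query, True for a response
    size: int          # bytes on the wire


def amplification(n_queries, query_bytes, response_bytes):
    """Bytes the attacker sends, bytes the victim receives, and the resulting
    amplification factor when n_queries queries are reflected off DNS servers."""
    sent = n_queries * query_bytes
    received = n_queries * response_bytes
    return sent, received, received / sent


def unsolicited_responses(msgs, host):
    """Stateful check from host's point of view: remember each query host sent
    (keyed by server, txid, name) and flag responses that match none of them.
    Reflected responses were triggered by someone else's spoofed query, so they
    never match. Returns (flagged_messages, reflected_bytes)."""
    outstanding = set()
    flagged = []
    for m in msgs:
        if not m.is_response and m.src == host:
            outstanding.add((m.dst, m.txid, m.qname.lower()))
        elif m.is_response and m.dst == host:
            key = (m.src, m.txid, m.qname.lower())
            if key in outstanding:
                outstanding.discard(key)   # legitimate answer to our own query
            else:
                flagged.append(m)          # answer to a query we never sent
    return flagged, sum(m.size for m in flagged)


def constructed_capture():
    """Constructed traffic as seen at the victim: one real lookup and its answer,
    then three large answers from open resolvers the victim never queried (an
    attacker sent those queries with the victim's address as the source)."""
    return [
        DnsMsg(VICTIM, OUR_RESOLVER, 0x1A2B, "example.com", False, 45),
        DnsMsg(OUR_RESOLVER, VICTIM, 0x1A2B, "example.com", True, 120),
        DnsMsg("203.0.113.5", VICTIM, 0x0A01, "example.net", True, 1100),
        DnsMsg("203.0.113.9", VICTIM, 0x0A02, "example.net", True, 1100),
        DnsMsg("203.0.113.14", VICTIM, 0x0A03, "example.net", True, 1100),
    ]


if __name__ == "__main__":
    # The article's case: 100,000 queries of 50 bytes, 1 KB responses.
    print(amplification(100_000, 50, 1000))
    flagged, nbytes = unsolicited_responses(constructed_capture(), VICTIM)
    print(len(flagged), "unsolicited responses,", nbytes, "bytes")
```

The same query/response matching is what a stateful firewall does for UDP, which is why such a firewall drops reflected traffic that a plain packet filter would pass through.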

How to protect yourself from DDoS attacks?

How to protect yourself from DDoS attacks, what steps to take? First of all, don’t put it off “for later.” Some measures should be taken into account when configuring the network, running servers and deploying software. And each subsequent change should not increase vulnerability to DDoS attacks.
  • Software code security. When writing software, security considerations must be taken into account. It is recommended to follow "secure coding" standards and thoroughly test your software to avoid common errors and vulnerabilities such as cross-site scripting and SQL injection.

  • Develop a software update action plan. There should always be a rollback option if something goes wrong.

  • Update your software promptly. If you were able to download the updates, but problems appeared, see point 2.

  • Don't forget about access restrictions. Administrator and other accounts should be protected with strong, regularly changed passwords. A periodic audit of access rights and timely deletion of the accounts of departed employees are also necessary.

  • The admin interface should only be accessible from the internal network or via VPN. Promptly close VPN access for departing and, especially, terminated employees.

  • Include DDoS mitigation in your disaster recovery plan. The plan should include ways to detect the fact of such an attack, contacts for communication with the Internet or hosting provider, and a "problem escalation" tree for each department.

  • Vulnerability scanning will help identify problems in your infrastructure and software and reduce risks. A simple OWASP Top 10 Vulnerability test will reveal the most critical issues. Penetration tests will also be useful - they will help find weak points.

  • Hardware protection against DDoS attacks can be expensive. If your budget does not allow for it, a good alternative is DDoS protection "on demand". Such a service can be activated by a simple change of traffic routing in an emergency, or it can provide constant protection.

  • Use a CDN partner. Content Delivery Networks allow you to deliver website content over a distributed network. Traffic is distributed over multiple servers, reducing the delay in access of users, including geographically remote ones. So while the main benefit of a CDN is speed, it also serves as a barrier between the main server and users.

  • Use Web Application Firewall - a firewall for web applications. It monitors traffic between a site or application and the browser, checking the legitimacy of requests. Working at the application level, WAF can detect attacks based on stored patterns and detect unusual behavior. Application-level attacks are common in e-commerce. As with CDN, you can use WAF services in the cloud. However, configuring the rules requires some experience. Ideally, all core applications should be protected by WAF.
  • DNS protection

    How to protect your DNS infrastructure from DDoS attacks? Conventional firewalls and IPS will not help here; they are powerless against a complex DDoS attack on the DNS. In fact, firewalls and intrusion prevention systems are themselves vulnerable to DDoS attacks.
    Cloud traffic scrubbing services can help: traffic is sent to a scrubbing center, where it is checked and then forwarded on to its destination. These services are useful for TCP traffic. Those who manage their own DNS infrastructure can take the following steps to mitigate the effects of DDoS attacks.
  • Monitoring DNS servers for suspicious activity is the first step in protecting your DNS infrastructure. Commercial DNS solutions and open-source products such as BIND provide real-time statistics that can be used to detect DDoS attacks. Monitoring for DDoS attacks can be a resource-intensive task. It is best to create a baseline profile of the infrastructure under normal operating conditions and then update it from time to time as the infrastructure evolves and traffic patterns change.

  • Additional DNS server resources can help combat small-scale attacks by adding redundancy to the DNS infrastructure. Server and network resources should be sufficient to handle a larger volume of requests. Of course, redundancy costs money: you are paying for server and network resources that are not used under normal conditions. And even with a significant "reserve" of capacity, this approach is unlikely to be effective against larger attacks.

  • Enabling DNS Response Rate Limiting (RRL) will reduce the likelihood that the server will be involved in a DDoS Reflection attack by reducing the rate at which it responds to repeated requests. RRL is supported by many DNS implementations.

  • Use high availability configurations. You can protect against DDoS attacks by deploying DNS service on a high availability (HA) server. If one physical server goes down as a result of an attack, the DNS service can be restored on a backup server.
  • The best way to protect DNS from DDoS attacks is to use a geographically distributed Anycast network. Distributed DNS networks can be implemented using two different approaches: Unicast or Anycast addressing. The first approach is much easier to implement, but the second is much more resistant to DDoS attacks.

    With Unicast, each of your company's DNS servers receives a unique IP address. DNS maintains a table of your domain's DNS servers and their corresponding IP addresses. When a user enters a URL, one of the IP addresses is randomly selected to complete the request.

    With the Anycast addressing scheme, different DNS servers share a common IP address. When a user enters a URL, the collective address of the DNS servers is returned. The IP network routes the request to the nearest server.

    Anycast provides fundamental security advantages over Unicast. Unicast provides individual server IP addresses so attackers can launch targeted attacks on specific physical servers and virtual machines, and when the resources of this system are exhausted, a service failure occurs. Anycast can help mitigate DDoS attacks by distributing requests across a group of servers. Anycast is also useful for isolating the effects of an attack.

Provider-side DDoS protection

Designing, deploying and operating a global Anycast network requires time, money and know-how. Most IT organizations do not have the talent or the finances for this. You can entrust your DNS infrastructure to a managed service provider that specializes in DNS; they have the necessary knowledge to protect DNS from DDoS attacks.

Managed DNS service providers operate large-scale Anycast networks and have points of presence around the world. Network security experts monitor the network 24/7/365 and use special tools to mitigate the effects of DDoS attacks.

Some hosting providers also offer such services: network traffic is analysed around the clock, so your site will be relatively safe. Such protection can withstand powerful attacks of up to 1500 Gbit/s. The traffic is charged for.

Another option is IP address protection. The provider routes the IP address that the client has designated as protected through a special network analyzer. During an attack, traffic to the client is matched against known attack patterns, so the client receives only clean, filtered traffic; site users may not even notice that they have been attacked. To make this possible, a distributed network of filtering nodes is created, so that for each attack the closest node can be selected and the delay added to traffic transmission minimized.

The result of using DDoS protection services is timely detection and prevention of DDoS attacks, continuity of site operation and its constant availability to users, and minimized financial and reputational losses from site or portal downtime.

An attack during which users cannot access certain resources is called a DDoS attack, or a denial-of-service problem. The main feature of such hacker attacks is simultaneous requests from a large number of computers around the world; they are directed mainly at the servers of well-protected companies or government organizations, and less often at individual non-commercial resources.

An infected computer becomes a kind of “zombie”, and hackers, using several hundred or even tens of thousands of such “zombies”, cause resources to fail (denial of service).

There can be many reasons for DDoS attacks. Let’s try to identify the most common ones and at the same time answer the questions: “A DDoS attack - what is it, how do you protect yourself, what are its consequences and by what means is it carried out?”

Competition

The Internet has long been a source of business ideas, a place to implement large projects and a way to earn quite a lot of money, so a DDoS attack can be carried out to order. That is, if an organization wants to remove a competitor that has appeared, it can simply turn to a hacker (or a group of them) with a simple task: to paralyze the work of the unwanted company through its Internet resources (a DDoS attack on a server or website).

Depending on the specific goals and objectives, such an attack is ordered for a certain period and with a corresponding intensity.

Fraud

Quite often, a DDoS attack on a website is organized on the hackers’ own initiative in order to block the system and gain access to personal or other important data. After the attackers paralyze the system, they may demand a certain sum of money to restore the functionality of the attacked resources.

Many Internet entrepreneurs agree to the conditions put forward, justifying this by the downtime and the colossal losses it causes: it is easier to pay a scammer a small amount than to lose significant profits for every day of downtime.

Entertainment

Many users, simply out of curiosity or for fun, are interested in the question: “A DDoS attack - what is it and how is it done?” Hence the frequent cases of novice attackers organizing such attacks on random resources for fun and as a test of strength.

Besides their motives, DDoS attacks also have their own classification.

1. Bandwidth. Today almost every workstation is either part of a local network or simply connected to the Internet. Hence the frequent cases of network flooding: a large number of malformed and meaningless requests directed at specific resources or equipment with the aim of making it fail (or of exhausting its hard drives, memory, etc.).
2. System exhaustion. This kind of DDoS attack on a server is carried out to seize physical memory, CPU time and other system resources, without which the attacked object simply cannot function fully.
3. Looping. Endless data checks and other loops that run in circles force the target to waste a lot of resources, clogging memory until it is completely exhausted.
4. False attacks. These are aimed at falsely triggering protection systems, which ultimately leads to the blocking of some resources.
5. HTTP protocol. Hackers send small, specially encoded HTTP packets; the resource naturally does not see that a DDoS attack is being launched against it, and the server software, doing its job, sends back much larger packets, clogging the victim’s bandwidth, which again leads to service failure.
6. Smurf attack. This is one of the most dangerous types. The hacker sends a forged ICMP packet with a spoofed address to a broadcast address, and all nodes begin sending their ping responses to the victim. This DDoS attack relies on a large network: a request processed by 100 computers is amplified 100 times.
7. UDP flood. This type of attack is somewhat similar to the previous one, but instead of ICMP packets the attackers use UDP packets. The essence of the method is to substitute the victim’s IP address for the hacker’s and completely saturate the bandwidth, which also leads to a system crash.
8. SYN flood. Attackers try to open a large number of TCP connections at once by sending SYN packets with an incorrect or completely missing return address. After several such attempts, most operating systems queue the problematic connection and close it only after a certain number of attempts. The stream of SYN packets is quite large, and soon, after many such attempts, the victim’s kernel refuses to open any new connection, blocking the entire network.
9. “Heavy packets”. This type answers the question: “What is a DDoS attack on a server?” Hackers send packets to the server that do not saturate its bandwidth; the action is aimed only at processor time. As a result, such packets lead to a failure of the system and, in turn, of its resources.
10. Log files. If the quota and rotation system has security holes, attackers can send large packets and fill all the free space on the server’s hard drives.
11. Program code. Hackers with extensive experience can study the structure of the victim’s server in full and launch special algorithms (an exploit program, in DDoS terms). Such attacks are mainly aimed at well-protected commercial projects of enterprises and organizations in various fields. Attackers find holes in the program code and execute invalid instructions or other exceptional algorithms that cause the system or service to crash.
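The SYN flood item above describes half-open connections piling up until the kernel stops accepting new ones; as an added example (not from this article), here is a small detector that tracks half-open handshakes per target over a sliding window and runs over a constructed packet capture. The window, threshold and all addresses are assumed values.

```python
from collections import defaultdict


def detect_syn_flood(packets, window=1.0, max_half_open=100):
    """Return {(dst_ip, dst_port): peak half-open count} for each target whose
    half-open TCP handshakes within `window` seconds exceeded `max_half_open`.

    packets: (time, src_ip, dst_ip, dst_port, flags) tuples, flags being "S" for
    the client's SYN, "SA" for the server's SYN-ACK and "A" for the final ACK.
    A handshake is half-open from the SYN until the ACK. In a SYN flood the
    sources are forged, so no ACK ever arrives and entries pile up in the backlog.
    """
    syn_time = {}                 # (src, dst, dport) -> time of the SYN
    half_open = defaultdict(int)  # (dst, dport) -> current half-open count
    peak = {}                     # (dst, dport) -> highest count above the threshold
    for t, src, dst, dport, flags in sorted(packets):
        # Forget SYNs older than the window: the OS has timed them out by now,
        # so they no longer occupy backlog space.
        for k, ts in list(syn_time.items()):
            if t - ts > window:
                del syn_time[k]
                half_open[k[1:]] -= 1
        key = (src, dst, dport)
        if flags == "S" and key not in syn_time:
            syn_time[key] = t
            half_open[(dst, dport)] += 1
        elif flags == "A" and key in syn_time:
            del syn_time[key]
            half_open[(dst, dport)] -= 1
        n = half_open[(dst, dport)]
        if n > max_half_open and n > peak.get((dst, dport), 0):
            peak[(dst, dport)] = n
    return peak


def _handshake(t, client, server, port):
    """Constructed, completed three-way handshake between client and server."""
    return [(t, client, server, port, "S"),
            (t + 0.001, server, client, port, "SA"),
            (t + 0.002, client, server, port, "A")]


# Constructed sample capture: 20 normal clients complete handshakes with
# 198.51.100.5:443, then 500 SYNs with forged, never-answering sources from the
# benchmarking range 198.18.0.0/15 arrive within half a second.
NORMAL_TRAFFIC = [p for i in range(20)
                  for p in _handshake(i * 0.005, f"192.0.2.{i + 1}", "198.51.100.5", 443)]
SYN_FLOOD = [(0.2 + i * 0.001, f"198.18.{i // 256}.{i % 256}", "198.51.100.5", 443, "S")
             for i in range(500)]
```

Normal traffic never trips the threshold, the flood peaks at 500 half-open entries toward port 443, and with a much shorter window (a kernel that times out SYNs quickly) the same flood stays below the threshold, which is why SYN timeouts and backlog size matter.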

DDoS attack: what it is and how to protect yourself

There are many methods of protection against DDoS attacks. All of them can be divided into four groups: passive, active, reactive and preventive, which we discuss in more detail below.

Prevention

Here the aim is to remove the very causes that could provoke a DDoS attack. These include personal hostility, legal disagreements, competition and other factors that draw “increased” attention to you, your business, etc.

If you react to these factors in time and draw the appropriate conclusions, you can avoid many unpleasant situations. This method relates more to the human side of the problem than to the technical one.

Response measures

If attacks on your resources continue, you need to find the source of your problems - the customer or the contractor - using both legal and technical leverage. Some companies provide services for tracking down intruders by technical means. Depending on the qualifications of the specialists involved, it is possible to find not only the hacker carrying out the DDoS attack but also the customer behind it.

Software protection

Some hardware and software manufacturers offer quite effective solutions among their products, with which a DDoS attack on the site is nipped in the bud. A separate small server can act as a technical defender, intended to counter small and medium-sized DDoS attacks.

This solution is perfect for small and medium-sized businesses. For larger companies, enterprises and government agencies, there are entire hardware systems for combating DDoS attacks which, along with a high price, have excellent protective characteristics.

Filtering

Blocking and carefully filtering incoming traffic not only reduces the likelihood of an attack; in some cases a DDoS attack on the server can be ruled out completely.

There are two main ways to filter traffic - firewalls and routing access lists.

Filtering using access control lists (ACLs) lets you filter out non-essential protocols without disrupting TCP or reducing the speed of access to the protected resource. However, if hackers use botnets or high-frequency requests, this method will be ineffective.

Firewalls protect against DDoS attacks much better, but their only disadvantage is that they are intended only for private and non-commercial networks.

Mirroring

The essence of this method is to redirect all incoming attacker traffic back to its source. This requires powerful servers and competent specialists who will not only redirect the traffic but will also be able to disable the attacker’s equipment.

The method will not work if there are errors in system services, program code or other network applications.

Searching for vulnerabilities

This type of protection is aimed at patching exploits and eliminating errors in web applications and systems, as well as in other services responsible for network traffic. The method is useless against flood attacks that are aimed specifically at these vulnerabilities.

Modern resources

This method cannot guarantee 100% protection, but it allows the other measures (or a combination of them) against DDoS attacks to be carried out more effectively.

System and resource distribution

Duplicating resources and distributing systems allows users to keep working with your data even while your server is under a DDoS attack. For distribution you can use various server or network equipment, and it is also recommended to physically separate services across different duplicate systems (data centers).

This method of protection is the most effective today, provided that the correct architecture has been designed.

Evasion

The main feature of this method is moving and separating the attacked object (domain name or IP address): all working resources located on one site are divided up and placed on third-party network addresses, or even on the territory of another state. This allows you to survive any attack and preserve your internal IT structure.

Services for protection against DDoS attacks

Having said all this about such a scourge as the DDoS attack (what it is and how to deal with it), we can finally give one piece of good advice. Many large organizations offer services to prevent and mitigate such attacks. As a rule, such companies use a whole range of measures and various mechanisms to protect your business from most DDoS attacks. They employ specialists and experts in their field, so if your resource is dear to you, the best (albeit not cheap) option is to contact one of these companies.

How to carry out a DDoS attack yourself

Forewarned is forearmed - a sound principle. But remember that deliberately organizing a DDoS attack, whether by an individual or a group of people, is a criminal offense, so this material is provided for informational purposes only.

American IT threat prevention experts developed a program for testing servers’ resistance to load and the possibility of attackers carrying out DDoS attacks, and then for eliminating such an attack.

Naturally, “hot” minds turned this weapon against the developers themselves and against what they were fighting. The product’s code name is LOIC. The program is freely available and, in principle, not prohibited by law.

The program’s interface and functionality are quite simple; anyone interested in DDoS attacks can use it.

How is it all done? In the interface fields you just enter the victim’s IP address, then set the TCP and UDP flows and the number of requests. Voila - after pressing the coveted button, the attack begins!

Naturally, no serious resource will be affected by this software, but small ones may experience some problems.