A DDoS (Distributed Denial of Service) attack is a distributed attack that overloads a server until it fails. Under such conditions, users cannot access the site or web service, and project owners can lose revenue.
A system failure is not always caused by a DDoS attack. Server resources are limited: a setup that works fine under normal load may fail under an abnormal spike. If you launched a promotion or advertising campaign on your website the day before and it caused a sharp surge in traffic, you may also run into problems accessing the site.
If you are sure that the outage is not related to your own actions, read on to learn why your site might be targeted by DDoS, how the attack itself unfolds and how to deal with it.
Why might your site get attacked?
One of the reasons your site may be subject to a DDoS attack is competition. The attacked site is unavailable because it receives too many requests and cannot handle the load. Seeing a broken site, a client can go to an accessible competitor’s site. If your business is successful and the competition in the market is significant, be prepared that your site may be exposed to DDoS at any time.
In addition, your Internet resource may simply attract the attention of intruders. They can organize a DDoS attack for entertainment, personal animosity, or extortion.
According to a study by Kaspersky Lab, in 2017 every third large company (36%) was subjected to a DDoS attack at least once. In 2018, the number of attacks was 5 times higher than in 2017.
Who carries out DDoS attacks
Hacktivists are political activists who use DDoS as a civil protest. According to a report from Kaspersky, in May 2020, the number of attacks on human rights organizations in the United States increased. The number increased 1,120 times and coincided with mass protests.
Anonymous are the most famous representatives of hacktivism. This is a decentralized group of hacktivists, mostly consisting of users of image boards and Internet forums. They are known for hacking resources with illegal content and the subsequent publication of personal data of users of these resources. During their existence, they have successfully attacked the sites of the Vatican, Interpol and the European Parliament.
They even had a symbol – the mask of the protagonist of the movie “V for Vendetta”. In this mask, he fought the regime.
LulzSec was a group of 6 people. It appeared in May 2011 and existed until June 26. In that short time, the group became famous for successful attacks on the servers of Sony and Nintendo, the servers of the television companies FOX and PBS, and the website of the US Senate. LulzSec ceased its activities after the arrest of several members of the group.
It is also not uncommon for ordinary DDoS blackmailers to operate under the name of well-known groups. In 2020, some major companies received threats on behalf of Fancy Bear and the Armada Collective, notorious hacking groups. The copycats promised to launch an attack on the company’s website if they did not receive the ransom.
Which sites are more likely to be attacked?
The following sites are most frequently targeted by DDoS attacks:
- Government agencies,
- Large corporations,
- Healthcare organizations,
- Local and regional media,
- Online streaming sites,
- Hosting providers,
- Online schools,
- Game services.
This list does not change from year to year. However, which sphere will suffer from attacks more often depends on the social and political events taking place in the world at one time or another. This relationship can be traced in the quarterly reports of companies on cyber-security.
How does a DDoS attack happen?
The modern Internet operates on the seven-layer OSI network model. The model defines the layers at which systems interact, and each layer is responsible for certain functions.
A DDoS attack can occur at any of the seven layers, but most often it is one of the following:
Low-level attack – an attack at the network and transport layers (the third and fourth layers of the OSI model). Attacks at these layers exploit weaknesses in network protocols. Free protection against these types of attacks is installed on shared hosting, VPS and dedicated servers.
High-level attack – an attack at the session and application layers (the fifth and seventh layers of the OSI model). Such attacks mimic the behavior of ordinary users. In this case, fine-tuning the server or paid DDoS protection can help.
It’s worth noting that DDoS attacks are varied. Software developers improve their protection methods by releasing updates, but attackers come up with a new way every year to bring the system to failure.
A well-organized attack consists of many requests to the server from around the world. But where do attackers get such resources?
As of 2020, the most dangerous type of attack is considered to be a botnet attack.
A botnet is a network of devices on which malicious software runs autonomously. Cybercriminals distribute the malware disguised as programs, e-mails, files and other content; it is secretly installed on the victim’s device and can be activated at any time. The intrusion goes unnoticed: users are unaware that the malware is present.
Thus, any device with Internet access (a mobile phone or a washing machine with Wi-Fi) can become a participant in a DDoS attack.
When attacking a server, it is impossible to determine its initiator: requests come from all over the world, from different devices. The attacker usually goes unpunished.
Types of DDoS attacks
The classification of DDoS attacks is described in the article DDoS Attacks: Types of Attacks and Layers of the OSI Model. Here we take a look at how the most popular types of DDoS work.
Ping of death – an attack that sends an echo request exceeding the maximum allowed packet size of 65535 bytes. The device does not know how to handle such a request and stops responding. Ping of death is no longer used today: checking the size when assembling the packet solved the problem, and oversized packets are discarded as invalid. Strictly speaking, this attack belongs to the DoS class rather than DDoS, since a single computer acts as the sender rather than a network of different devices, as is the case with DDoS.
SYN Flood – the client sends a huge number of SYN packets to the server with spoofed IP addresses. The server responds to every request and waits for the client to complete the connection. The client ignores the invitation and keeps creating new requests, which overflows the connection queue. As a result, server performance drops until it stops working completely.
HTTP Flood – each botnet participant generates a large number of HTTP requests to the server, which greatly increases the load. These can be both GET and POST requests. In GET requests, the client asks for the heaviest parts of the site; in POST requests, it transfers large amounts of data to the server in the request body.
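An HTTP flood of the kind described above shows up in ordinary web-server access logs as a burst of requests from one source. The following added example (our own code, not part of the original article) parses Combined Log Format lines and flags any client IP that exceeds a request threshold within a sliding time window. The log lines, IP addresses (documentation ranges) and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format as written by Apache/nginx; the pattern and thresholds are our own.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path'),
        'size': 0 if m.group('size') == '-' else int(m.group('size')),
    }


def find_flooders(lines, window_seconds=10, threshold=20):
    """Map each client IP that exceeded `threshold` requests in any sliding window to its peak count.

    Lines must be in chronological order, as a server writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps that fall inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip lines in another format rather than crash on them
        q = recent[rec['ip']]
        q.append(rec['ts'])
        while (rec['ts'] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop timestamps that have slid out of the window
        if len(q) > threshold:
            peaks[rec['ip']] = max(peaks.get(rec['ip'], 0), len(q))
    return peaks


def constructed_log():
    """A small synthetic access log: three ordinary visitors and one source hammering a search page."""
    start = datetime(2020, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'

    def line(ip, offset, method, path, size):
        ts = (start + timedelta(seconds=offset)).strftime('%d/%b/%Y:%H:%M:%S %z')
        return fmt.format(ip=ip, ts=ts, method=method, path=path, size=size)

    lines = []
    for n, ip in enumerate(('198.51.100.10', '198.51.100.11', '198.51.100.12')):
        for k in range(5):                       # five page views spread over a minute
            lines.append(line(ip, 12 * k + n, 'GET', '/blog/post-%d' % k, 8192))
    for k in range(40):                          # 40 hits on a heavy endpoint within 8 seconds
        lines.append(line('203.0.113.7', 0.2 * k, 'GET', '/search?q=%d' % k, 120000))
    return sorted(lines, key=lambda l: parse_line(l)['ts'])


if __name__ == '__main__':
    for ip, peak in find_flooders(constructed_log()).items():
        print('%s exceeded the limit: %d requests in one window' % (ip, peak))
```

In production the same logic would run over a log tail or as a request counter in a middleware, and the flagged addresses would feed a firewall or WAF blocklist; the window and threshold must be tuned to the site's real traffic so that ordinary visitors and crawlers are not blocked. A botnet spreads the same volume over many addresses, so per-IP counts should be complemented by aggregate request-rate and per-path checks.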
UDP Flood – the attacker sends a lot of large UDP packets to the victim on specific or random ports. The receiver wastes resources processing the packets and sending ICMP responses, which can lead to a denial of service.
DNS Flood – a kind of UDP Flood in which a DNS server is the target. The server cannot distinguish a participant in such an attack from an ordinary user and processes all requests, for which it may not have enough resources.
VoIP Flood – another UDP Flood variant, aimed at IP telephony. The server receives requests from many different IP addresses, which it has to process along with requests from legitimate clients.
ICMP Flood – many ICMP requests are sent to the victim’s server from different IP addresses. This type of flood can be used both to overload the server and to gather information about it in preparation for another attack.
DNS amplification – attacking devices send small queries to public DNS servers. The queries are formed so that the response contains as much data as possible. In addition, the sender’s real IP address in the query is replaced with the victim’s address, so the DNS server sends its responses to the victim. As a result, the victim receives many large packets from the DNS servers, which saturates its network channel.
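To make the amplification effect concrete, here is an added example (our own Python code, not from the article) that builds a small DNS query and a constructed large TXT response in wire format, computes the amplification factor as bytes received per byte sent, and shows the victim-side check of flagging DNS responses that match no query the host actually sent. The transaction ID, domain name and record sizes are constructed values.

```python
import struct

# Minimal DNS wire-format helpers (our own code, not from the article). They show how a
# 40-byte query can elicit a response of a couple of kilobytes, and how a host can
# recognise reflected responses it never asked for.


def encode_name(name):
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b''
    for label in name.rstrip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'


def read_name(msg, offset):
    """Decode an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return '.'.join(labels), offset + 1
        if length & 0xC0:
            raise ValueError('compression pointers are not used in the question section here')
        labels.append(msg[offset + 1:offset + 1 + length].decode('ascii'))
        offset += 1 + length


def build_query(txid, name, qtype=255, edns_udp_size=4096):
    """A query asking for all record types (QTYPE 255) with an EDNS0 OPT record advertising a large UDP buffer."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 1)      # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack('!HH', qtype, 1)     # class IN
    opt = b'\x00' + struct.pack('!HHIH', 41, edns_udp_size, 0, 0)   # root name, type OPT, class = UDP size
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    return {'id': txid, 'is_response': bool(flags & 0x8000), 'qdcount': qd, 'ancount': an}


def parse_question(msg):
    """Return (qname, qtype, offset just past the question section)."""
    name, end = read_name(msg, 12)
    qtype, _qclass = struct.unpack('!HH', msg[end:end + 4])
    return name, qtype, end + 4


def build_response(query, txt_values):
    """Answer the query with one TXT record per value (constructed resolver behaviour)."""
    hdr = parse_header(query)
    _, _, q_end = parse_question(query)
    header = struct.pack('!HHHHHH', hdr['id'], 0x8180, 1, len(txt_values), 0, 0)  # QR, RD, RA
    body = query[12:q_end]                                   # copy the question section verbatim
    for text in txt_values:
        rdata = bytes([len(text)]) + text.encode('ascii')    # one TXT <character-string>
        body += b'\xc0\x0c'                                  # owner name: pointer to the qname at offset 12
        body += struct.pack('!HHIH', 16, 1, 300, len(rdata))  # TXT, IN, TTL 300, RDLENGTH
        body += rdata
    return header + body


def amplification_factor(query, response):
    """Bytes the victim receives per byte the sender had to put on the wire."""
    return len(response) / len(query)


def is_unsolicited(response, outstanding_ids):
    """Victim-side check: a DNS response whose ID matches no query we sent is reflected traffic."""
    hdr = parse_header(response)
    return hdr['is_response'] and hdr['id'] not in outstanding_ids


if __name__ == '__main__':
    q = build_query(0x1234, 'example.com')
    r = build_response(q, ['A' * 240] * 8)
    print('query %d bytes, response %d bytes, factor %.1f' % (len(q), len(r), amplification_factor(q, r)))
    print('unsolicited:', is_unsolicited(r, outstanding_ids=set()))
```

The ratio explains why the attacker needs comparatively little bandwidth of their own. On the victim side, responses without matching queries can be dropped at the network edge; on the resolver side, the standard mitigations are restricting recursion to your own clients and response rate limiting; and at the ISP level, filtering packets with spoofed source addresses (BCP 38) removes the spoofing that the article's description depends on.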
Let’s consider the main steps that can be taken to protect a server from DDoS attacks. To minimize the risk of an attack and its consequences:
- Examine the software that you plan to use in your project, or are already using, for vulnerabilities and critical errors; there should be none. Choose tools you are confident in, update them regularly and make backups.
- Use strong passwords for access to the administrative parts of your resource.
- Configure the network so that the admin panel is accessible only from the internal network or through a VPN.
- Connect a WAF and a CDN. A WAF (web application firewall) checks traffic for legitimacy and filters it. A CDN (content delivery network) distributes the load across geographically distributed servers and speeds up page loading.
- Install a captcha or similar component in the feedback form on the site. This will protect the site from spambots.
- Distribute site resources across multiple servers that are independent of each other. If one of the servers fails, the remaining servers will keep the site running.
- Redirect the attack to the attacker. Thus, you can not only reflect the blow, but also damage the attacker. This requires specialists, but it is quite possible.
- Check with your hosting provider what level of protection it guarantees for your hosting or VDS. If the hosting provider does not provide protection, choose another provider.
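Two of the steps above (restricting the admin panel to internal or VPN addresses, and keeping one source from monopolising the server) can be enforced in application code. This added example (our own hypothetical code, not from the article or any hosting provider) implements both: a CIDR allow-list for the admin path, shown with a weak allow-anything setting beside the corrected one, and a per-client token bucket that answers 429 once a source exceeds its budget. The address ranges and limits are constructed.

```python
import ipaddress
import time

# Hypothetical hardening layer placed in front of a web application (our own example).

ADMIN_PREFIX = '/admin/'
# Weak: the admin panel answers to any address on the Internet.
WEAK_ADMIN_NETS = [ipaddress.ip_network('0.0.0.0/0')]
# Corrected: an RFC 1918 office LAN plus a constructed VPN address pool.
STRICT_ADMIN_NETS = [ipaddress.ip_network(n) for n in ('192.168.0.0/16', '10.8.0.0/24')]


class TokenBucket:
    """Classic token bucket: `rate` tokens per second are refilled, at most `burst` are stored."""

    def __init__(self, rate, burst, now):
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.last = now

    def take(self, now):
        """Consume one token if available; refill according to elapsed time first."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Guard:
    def __init__(self, rate_per_sec=5.0, burst=10, admin_nets=STRICT_ADMIN_NETS, clock=time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.admin_nets = admin_nets
        self.clock = clock          # injectable so tests can control time
        self.buckets = {}           # client ip -> TokenBucket

    def decide(self, client_ip, path, now=None):
        """Return (http_status, reason) for a request before the application sees it."""
        now = self.clock() if now is None else now
        ip = ipaddress.ip_address(client_ip)
        # Admin surface: only addresses inside the allowed networks may even reach it.
        if path.startswith(ADMIN_PREFIX) and not any(ip in net for net in self.admin_nets):
            return 403, 'admin panel is reachable only from internal or VPN addresses'
        # Everything else: one bucket per source address.
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.rate, self.burst, now)
        if not bucket.take(now):
            return 429, 'too many requests from this address'
        return 200, 'ok'


if __name__ == '__main__':
    guard = Guard(rate_per_sec=5.0, burst=10)
    print(guard.decide('203.0.113.9', '/admin/login', now=0.0))   # (403, ...) from the Internet
    print(guard.decide('10.8.0.5', '/admin/login', now=0.0))      # (200, 'ok') from the VPN pool
    codes = [guard.decide('203.0.113.9', '/', now=0.0)[0] for _ in range(12)]
    print(codes)                                                   # ten 200s, then 429s
    print(Guard(admin_nets=WEAK_ADMIN_NETS).decide('203.0.113.9', '/admin/login', now=0.0))
```

Behind a CDN or reverse proxy, the client address must be taken from a header the proxy is trusted to set rather than from the TCP peer, otherwise every visitor shares the proxy's bucket; the bucket table also needs expiry so idle addresses do not accumulate. Per-source limits alone do not stop a botnet that spreads its requests over thousands of addresses, which is why the article pairs them with a WAF and CDN in front of the server.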
A2 Hosting offers virtual hosting, VPS and dedicated servers with free protection against low-level DDoS attacks – DDoS-GUARD. DDoS-GUARD uses a series of reliable filters that sequentially analyze passing traffic, detecting anomalies and non-standard network activity.
High-level attacks are relatively rare because they are complex to carry out and require significant resources, so they are seldom seen on shared hosting; on a VPS you can harden the server according to the installed software.
As a rule, if you take no protective action, a DDoS attack will end within a couple of days. You can therefore choose a tactic of non-interference and wait until it ends.