Whether you own a small blog or a major business website, you should be aware of DDoS attacks and how to protect yourself from them. According to the ATLAS threat report published by Arbor Networks, an Internet security company, DDoS attacks are on the rise, and the attacks themselves are becoming bigger. Also, attackers aren’t just going after large websites because, quite often, the motive for the attack isn’t money or sensitive information (e.g., credit card numbers).
What is a DDoS attack?
A distributed denial of service (DDoS) attack is a coordinated outside effort to make an online service or website unavailable by bombarding it with traffic that exceeds its bandwidth. The traffic itself often originates from botnets, which are networks of infected computers that are controlled remotely by the attackers. Once coordinated, botnets can create a flood of traffic that overwhelms the victim’s system, rendering it inaccessible. Some botnets send endless connection requests, while others send random data packets.
Botnets used to be created through the careful work of hackers who would send infected emails to unwitting recipients over extended periods of time and slowly build up their zombie army of bots. Thus, a DDoS attack was reserved for businesses and companies that had the collateral to negotiate with hackers and pay money for restoration of order.
Times have changed, and nowadays botnets and DDoS attacks are available for sale through specialized marketplaces and forums. The prices are fairly reasonable too; for example, a single month-long DDoS attack might cost $1,000. Thus, for a blog or website that someone wishes to silence cheaply and efficiently, a black market DDoS attack is the way to go. Alternatively, an attacker may want to eliminate a competitor in the affiliate marketing sphere: for just $1,000, a DDoS attack provides great ROI.
Types of DDoS attacks
There are several common methods through which attackers target a vulnerable system and make it unresponsive to legitimate traffic. The methods below are the most common; in practice there are many different levels and types of DDoS attacks.
SYN flood– A server can hold only a finite number of connections with querying hosts. A SYN flood takes advantage of this connection limit by sending a flood of TCP SYN packets to the target system. Once those requests are received, the system opens a connection for each and sends back a TCP SYN-ACK (acknowledgement) packet. However, these half-open connections are never completed because the attacker’s source addresses are fake. So, the connections continue to stay open and severely limit the connections available to legitimate addresses.
Teardrops– In a teardrop attack, damaged or incomplete IP fragments are directed at the target system and cause an operating system crash because they can’t be reassembled. However, the server will continually try to reassemble the fragmented packets, leading to site timeouts and other issues when outside traffic tries to access the site.
Application layer attacks– Also called Layer 7 attacks or HTTP floods, this form of DDoS exploits a specific portion of the victim’s software or application, repeatedly requesting that it load a page, serve a download and/or generate a reply. The system is easily overwhelmed and crashes. There are several types of HTTP floods, from basic (one page, one IP address) to randomized (many pages, many IP addresses), and from cache-bypass (a randomized flood that bypasses application caching) to WordPress XMLRPC (which uses the WP pingback feature).
User Datagram Protocol (UDP)-based attack– In a UDP-based attack, requests carrying fake source IP addresses are sent to publicly available UDP servers; these servers act as query amplifiers and reflect their replies back to the victim’s system rather than to the attacker, resulting in a DDoS. DNS-based attacks create a similar type of DDoS by using the fake ‘victim’ IPs to query the DNS; the DNS then sends back large amplified (up to 70X) ‘replies’ to the victim’s system, resulting in a crash.
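As an added example (not part of the original article), the following Python script classifies the HTTP-flood shapes described above from constructed web-server access log lines: it flags a single address hammering one page (the basic flood) and a path being requested with many distinct query strings (the cache-bypass variant that reaches the application no matter how the cache is tuned). The log lines, addresses and thresholds are all assumptions constructed for this example.

```python
"""Classify HTTP-flood shapes from web access logs (added example, not from the article)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined"-style access log line: client IP, timestamp, request, status, bytes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample log covering one short observation window (not real traffic).
# 203.0.113.7 hammers a single page; 198.51.100.1-3 share a cache-busting
# pattern against /search; 192.0.2.9 is a normal visitor.
SAMPLE_LOG = (
    ['203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512'] * 6
    + [f'198.51.100.{i} - - [10/Oct/2023:13:55:37 +0000] "GET /search?q={tok} HTTP/1.1" 200 900'
       for i, tok in ((1, "a8f2"), (1, "c0de"), (2, "77b1"), (2, "ee40"), (3, "1234"))]
    + ['192.0.2.9 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 1024']
)


def parse_line(line):
    """Return a dict for one access log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, method, target, status, _size = m.groups()
    parts = urlsplit(target)  # split "/search?q=x" into path and query string
    return {"ip": ip, "method": method, "path": parts.path,
            "query": parts.query, "status": int(status)}


def analyze(lines, per_ip_threshold=5, distinct_query_threshold=4):
    """Flag per-IP floods and cache-bypass patterns within one observation window."""
    recs = [r for r in map(parse_line, lines) if r]
    by_ip = defaultdict(list)
    queries_by_path = defaultdict(set)
    for r in recs:
        by_ip[r["ip"]].append(r)
        if r["query"]:
            queries_by_path[r["path"]].add(r["query"])
    per_ip = {}
    for ip, rs in by_ip.items():
        if len(rs) >= per_ip_threshold:
            # One page from one address is the "basic" flood; many pages is "randomized".
            per_ip[ip] = "basic" if len({r["path"] for r in rs}) == 1 else "randomized"
    # A path requested with many distinct query strings defeats the cache, so every
    # request reaches the application: the "cache-bypass" variant, spread across sources.
    cache_bypass = sorted(p for p, q in queries_by_path.items() if len(q) >= distinct_query_threshold)
    return {"requests": len(recs), "source_ips": len(by_ip),
            "per_ip_floods": per_ip, "cache_bypass_paths": cache_bypass}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Only the single-source flood shows up in `per_ip_floods`; the cache-bypass flood stays below the per-address threshold, which is why a rule that blocks one IP address does not stop it.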
How to protect your system
Don’t assume that your ‘little’ blog or website is beyond the interests of a hacker who’d shut it down with a DDoS attack. In many cases, DDoS attacks are launched to silence a differing view or political opinion. If you are exposing a scammer or even just publishing an unflattering product review, you are at risk.
What can you do? Here are some tips:
Start with a firewall. Although it’s not foolproof, a firewall can be set up with a simple rule that excludes traffic from a given protocol, port or even a single IP address. The risk with using any simple rule to exclude traffic is that you might also kick out legitimate traffic; however, it’s handy to use if you notice that an excessive amount of suspicious activity is originating from one or two geographic locations.
Simple L3/L4 firewalls protect against traditional DDoS attacks, while Web Application Firewalls (WAFs) protect web applications from more directed DDoS attacks.
Examine your router. Routers that ISPs provide for your home or business often feature access control lists and rate-limiting functions. You can call your ISP and ask about best practice traffic control options and settings.
Get a DoS defense system. An all-around solution to different types of DDoS attacks is the DoS defense system, which different vendors offer. This may be a good solution for protecting larger networks and specific applications.
Get upstream filtering. Dedicated vendors offer “scrubbing” services that will link into your network (through a proxy, tunnel or direct circuit) and separate the good traffic from the bad before it reaches your server. This can be another useful solution to preventing DDoS attacks if you have tried other prevention methods and noticed only limited success.
DDoS attacks are common but preventable.
While DDoS attacks are on the rise, they can be prevented by understanding their origin and nature and taking steps to reduce their frequency or eliminate them altogether. Individual firewalls and router settings are a good start, and more advanced defense systems exist on the market for bigger websites and networks.