Web resources are increasingly becoming a primary source of income. Commercial and entertainment sites with thousands of users keep appearing, and the larger and more significant a service is, the more both its owners and its users stand to lose when it goes down. This is why DoS attacks have become especially popular with hackers. What they are and how to defend against them is the subject of this article.
What is a DDoS attack
There are quite a few ways attackers can affect an Internet resource. One of the most common is DoS, a form of interference with a website, server or other service in which a large number of client requests is generated, placing an excessive load on hardware and bandwidth. Such an attack can be filtered out because it comes from a single source.
DDoS is a more complex network attack carried out through a large number of third-party clients. In other words, the hacker interacts with the service from many computers simultaneously, and the victim simply cannot cope with the resulting flow.
The main purpose of DDoS is to create conditions under which an ordinary user cannot reach the services of the attacked resource; the victim’s operation is blocked completely. To achieve this, the hacker does not need direct access to databases or program code.
DDoS attacks always involve third-party client computers whose users do not suspect that illegal activity is being carried out from their devices. Because thousands of infected PCs may take part in a single attack, tracing the original source is very difficult. Another factor that attracts attackers is that DDoS does not leave legally relevant evidence for which the hacker could be held accountable.
Classification of attacks and what they lead to
DDoS attacks can follow several scenarios; in practice the process depends on the functionality of the particular service. There are both universal methods and highly specialized kinds of impact. The following types of DDoS attack can be distinguished:
- bandwidth overflow (flood);
- hardware resource load;
- weaknesses in program code.
Each of these types includes several subcategories. The specific DDoS method is chosen depending on the victim’s security and the attacker’s capabilities.
Bandwidth Overflow (Flood)
In this type of attack, the hacker expects to exhaust the victim’s bandwidth. The main precondition is an attacking channel capable of generating more requests than the attacked resource can accept. Attackers get around this requirement by using packets that force the victim to generate more response traffic than the requests themselves carry. The following subtypes are distinguished:
- HTTP and PING flood. Sending primitive requests that force the victim to respond automatically.
- Smurf attack. The hacker sends a malicious command that requires a reply from all participants in the network: a request to measure delay (a ping request). It uses the ICMP protocol, which the system uses to transmit information about errors and other exceptional situations.
- Fraggle. This method is similar to the previous one, but here the bandwidth is overflowed with the ECHO command sent in a UDP packet to port 7. The request is sent over a broadcast connection with the attacker’s address replaced by the victim’s, so the victim receives multiple responses from the network members. Where ECHO is disabled, an ICMP message is generated instead, which also saturates the channel.
- SYN. One of the oldest DDoS methods. The attacker requests a TCP connection from the victim as if to transfer data; such a connection involves reserving a certain amount of system resources. Sending many such requests exhausts the victim’s capacity.
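The SYN case above comes down to one accounting problem: every SYN the server answers reserves a slot in a finite backlog until the handshake completes, so a source that sends SYNs and never completes them crowds out legitimate clients. The following is an added example (not code from the article) that models a fixed-size backlog over a constructed event list and then computes the per-source half-open count a defender would alert on. The addresses are from the RFC 5737 documentation ranges, and the backlog size and alert threshold are assumed values chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample data in the shape a packet-capture summary would give:
# (source_ip, tcp_flags).  203.0.113.7 sends SYNs and never completes the
# handshake; 198.51.100.2 is a well-behaved client that SYNs and then ACKs.
SAMPLE_EVENTS = (
    [("203.0.113.7", "SYN")] * 6
    + [("198.51.100.2", "SYN"), ("198.51.100.2", "ACK")]
)


def simulate_backlog(events, capacity):
    """Model a listening socket with a fixed SYN backlog (assumed size).

    Each SYN reserves one slot until the handshake-completing ACK arrives.
    Returns (completed, refused): the sources whose handshake finished, and
    the sources of SYNs that were dropped because no slot was free.
    """
    pending = defaultdict(int)   # half-open connections per source
    completed, refused = [], []
    for src, flags in events:
        if flags == "SYN":
            if sum(pending.values()) >= capacity:
                refused.append(src)   # backlog full: no SYN-ACK is sent
            else:
                pending[src] += 1
        elif flags == "ACK" and pending[src] > 0:
            pending[src] -= 1
            completed.append(src)
    return completed, refused


def half_open_by_source(events):
    """Return {source: number of SYNs not yet matched by an ACK}.

    This is the view a defender has regardless of backlog size: the
    attacker's SYNs accumulate, the legitimate client's net to zero.
    """
    pending = defaultdict(int)
    for src, flags in events:
        if flags == "SYN":
            pending[src] += 1
        elif flags == "ACK" and pending[src] > 0:
            pending[src] -= 1
    return {src: n for src, n in pending.items() if n > 0}


def syn_flood_suspects(events, threshold=5):
    """Sources holding at least `threshold` half-open connections."""
    return sorted(
        src for src, n in half_open_by_source(events).items() if n >= threshold
    )


if __name__ == "__main__":
    # With a backlog of 4, the attacker fills it and the legitimate SYN is
    # refused; with a backlog of 8 everyone fits and the handshake completes.
    print(simulate_backlog(SAMPLE_EVENTS, capacity=4))
    print(simulate_backlog(SAMPLE_EVENTS, capacity=8))
    print(syn_flood_suspects(SAMPLE_EVENTS))
```

The point of the two `simulate_backlog` runs is that the attack succeeds only when the attacker's outstanding SYNs exceed the backlog, which is why the classic mitigations (SYN cookies, larger backlogs, shorter half-open timeouts) all act on that one quantity; `syn_flood_suspects` is the per-source version of the same measurement.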
Hardware Resource Load
This DDoS method involves fully loading the CPU or exhausting RAM or physical storage. One of the main preconditions of this attack is that the hacker has gained control over part of the victim’s resources. The following types are distinguished:
- Heavy commands. The hacker sends a request that consumes most of the CPU time. In such an attack the server becomes unable to perform complex calculations while the bandwidth remains free.
- Log file overflow. Log files record program and user actions; if an unqualified administrator has not set a limit on the number of logs, the hacker can send bulk packets whose details are written to the hard disk. Gradually the physical media fills up.
- Poorly regulated allocation of processor resources for script execution. Many sites use server interaction with external programs. A hacker with access to this communication interface writes a script that repeatedly submits a complex mathematical computation to the system, raising the share of processor resources consumed.
- User data checks. Numerous requests to the database to verify a login, password or other profile information can be used to load RAM.
- Second-order DoS attack. The hacker triggers a false alarm in the protection system, which then blocks the resource for third parties.
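Heavy commands and login-check floods share a property that request counting alone misses: a handful of requests can cost more server time than thousands of cheap ones. The following is an added example (not code from the article) that parses constructed access-log lines and accounts for server time and failed logins per client, flagging a client that exceeds a CPU budget even though it made only three requests. It assumes an nginx "combined" log format with `$request_time` appended as the last field (the article names no format), RFC 5737 documentation addresses, and thresholds chosen for the illustration.

```python
import re
from collections import defaultdict

# Assumed log format: nginx "combined" with $request_time (seconds) appended.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*" (?P<rt>\d+\.\d+)$'
)


def _line(ip, method, path, status, size, ua, rt, sec):
    """Build one constructed log line (helper for the sample data only)."""
    return (f'{ip} - - [10/Sep/2020:12:00:{sec:02d} +0300] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}" {rt:.3f}')


# Constructed sample: three heavy report requests from one client, a normal
# browser session, and a burst of failed logins from a script.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", "/report?from=1990&to=2020", 200, 51200, "curl/7.68.0", 4.2, 1),
     _line("203.0.113.7", "GET", "/report?from=1990&to=2020", 200, 51200, "curl/7.68.0", 4.1, 2),
     _line("203.0.113.7", "GET", "/report?from=1990&to=2020", 200, 51200, "curl/7.68.0", 4.3, 3),
     _line("198.51.100.2", "GET", "/index.html", 200, 1024, "Mozilla/5.0", 0.010, 1),
     _line("198.51.100.2", "GET", "/style.css", 200, 512, "Mozilla/5.0", 0.005, 5)]
    + [_line("192.0.2.9", "POST", "/login", 401, 0, "python-requests/2.24", 0.050, i)
       for i in range(15)]
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["rt"] = float(rec["rt"])
            records.append(rec)
    return records


def per_client_stats(records):
    """Aggregate request count, total server seconds and failed logins per IP."""
    stats = defaultdict(lambda: {"requests": 0, "server_seconds": 0.0, "auth_failures": 0})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        s["server_seconds"] += r["rt"]          # cost, not just count
        if r["path"].startswith("/login") and r["status"] in (401, 403):
            s["auth_failures"] += 1
    return dict(stats)


def flag_clients(stats, max_seconds=5.0, max_requests=50, max_auth_failures=10):
    """Return {ip: [reasons]} for clients over any assumed budget."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["server_seconds"] > max_seconds:
            reasons.append("cpu_budget")       # few but expensive requests
        if s["requests"] > max_requests:
            reasons.append("request_rate")     # plain flood
        if s["auth_failures"] >= max_auth_failures:
            reasons.append("auth_failures")    # database-backed login checks
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    print(flag_clients(per_client_stats(parse_log(SAMPLE_LOG))))
```

The browser client is never flagged, the report client trips the CPU budget with only three requests, and the login script is caught by the failure counter even though its total server time is small; a rate limiter keyed on request count alone would see only the last of these.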
Shortcomings in Program Code
Experienced hackers rarely bet on saturating the channel. A far more dangerous kind of DDoS is searching for errors in the source code. The intruder tries to find a way to execute illegal commands or to access unused address space; the result is an automatic shutdown of the server program. There are two types of attack aimed at code algorithms:
- Exceptions. All program code is written by people, so there are always inputs that were not anticipated. The hacker finds such a request and sends it as part of a packet.
- Buffer overflow. The attacker identifies protocols the server does not use in full; the remaining space is written forcibly, so with the next data packet the resource receives more than it expects and the excess is written outside the buffer.
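Both items above end the same way: an input the code did not anticipate either crashes the server process (an unhandled exception) or makes it accept more than it expected (a declared size the code trusts). The following is an added example (not code from the article) of a tiny length-prefixed frame parser in two versions: one that trusts the header and lets any exception escape, and a hardened one that caps the declared length, checks for truncation, and raises a typed error the dispatch loop can handle without dying. The frame format, the 64 KiB cap and the sample frames are all constructed for the illustration.

```python
import struct

MAX_PAYLOAD = 64 * 1024   # assumed server-side cap on a single frame


class MalformedMessage(ValueError):
    """Typed rejection that the dispatch loop knows how to handle."""


def parse_frame_unchecked(buf):
    """'Before' shape: trust the 4-byte big-endian length header.

    A short buffer raises struct.error, a non-UTF-8 payload raises
    UnicodeDecodeError, and a huge declared length makes the reader wait for
    or allocate that much; none of this is caught, so the worker dies.
    """
    (length,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + length].decode("utf-8")


def parse_frame(buf):
    """Hardened parser: every failure is a MalformedMessage, never a crash."""
    if len(buf) < 4:
        raise MalformedMessage("short header")
    (length,) = struct.unpack("!I", buf[:4])
    if length > MAX_PAYLOAD:
        raise MalformedMessage(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
    if len(buf) - 4 < length:
        raise MalformedMessage("truncated payload")
    try:
        return buf[4:4 + length].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise MalformedMessage("invalid utf-8") from exc


def handle(buf):
    """Dispatch-loop wrapper: a bad frame is reported and dropped; the
    worker keeps serving the next client."""
    try:
        return ("ok", parse_frame(buf))
    except MalformedMessage as exc:
        return ("rejected", str(exc))


def would_crash_worker(parser, buf):
    """True if `parser` raises anything other than MalformedMessage on `buf`,
    i.e. an exception handle() would not catch."""
    try:
        parser(buf)
    except MalformedMessage:
        return False
    except Exception:
        return True
    return False


# Constructed sample frames.
GOOD_FRAME = struct.pack("!I", 5) + b"hello"
HUGE_FRAME = struct.pack("!I", 2**31) + b"x"        # header claims 2 GiB
SHORT_FRAME = b"\x00\x00"                           # header cut off
TRUNCATED_FRAME = struct.pack("!I", 10) + b"abc"    # claims 10, carries 3
BAD_UTF8_FRAME = struct.pack("!I", 2) + b"\xff\xfe"

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("huge", HUGE_FRAME),
                        ("short", SHORT_FRAME), ("truncated", TRUNCATED_FRAME),
                        ("bad_utf8", BAD_UTF8_FRAME)]:
        print(name, handle(frame), "unchecked crashes:",
              would_crash_worker(parse_frame_unchecked, frame))
```

Note the truncated frame: the unchecked parser silently returns `"abc"` because Python slicing clamps the range, whereas a C implementation reading the declared 10 bytes into a 3-byte buffer is exactly the overflow the article describes; the hardened version rejects it either way.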
Two types of DDoS attack used against DNS are distinguished separately:
- Routing through vulnerable sections of program code. The attacker spoofs the IP address of the victim’s DNS so users cannot reach the right web page.
- Channel oversaturation. Since the server has high bandwidth, this DDoS requires an impressive number of infected computers attacking the server simultaneously.
Currently only the first method is practical: most ISPs detect the suspicious traffic that characterizes the second type of attack on DNS.
How to protect against DDoS
Unfortunately, full protection against DDoS is not possible at present; the human factor is to blame. Large volumes of code almost always contain errors and defects. Testing may miss them, but a person who has set out to attack the resource is very likely to find them. One of the easiest ways to prevent a hacker attack is to use cloud servers or hosting with built-in protection.
DDoS Protection in Colocation Service Package
Many data centers that provide colocation (hosting the customer’s own server on their premises) also provide their customers with protection against DDoS attacks.
The principle of such protection is a filter that compensates for most of the flaws and errors the server’s developers may have allowed. It blocks unnecessary third-party commands and additionally inspects all incoming protocols. Naturally, primitive attacks that overflow the bandwidth with monotonous garbage traffic are also excluded.
How IaaS vendors prevent DDoS attacks
The fact that cloud resources are freely accessible on the network makes them vulnerable to hacker attacks. Such services face DDoS regularly and are therefore forced to identify and neutralize any threats promptly.
IaaS vendors can offer their customers the following types of protection:
- Antivirus software. Helps control traffic and detect malware in third-party code.
- Firewalls. One of the most effective means of protecting the internal part of the network from unauthorized access.
- DLP protection. Data leakage can lead both to the loss of user accounts and to third-party tampering with the resource’s algorithms.
- Protected backup storage. The data in it is encrypted; typically this database sits outside the main cloud.
Cloud storage used in conjunction with IaaS has a larger reserve of machine resources. Service providers constantly develop their servers and increase hardware capacity, which also makes DDoS harder.
Tariffization of protection
As a rule, DDoS protection is not included in the basic service package; this applies to both colocation and IaaS. If required, the customer pays separately for the period during which the provider’s system of preventing hacker attacks is used.
The function is optional because many consumers of the main service resort to third-party security tools. However, as practice shows, this approach is less effective than using the countermeasures against third-party interference that are available in the cloud or hosting platform.
The cost of DDoS protection depends on the width of the link: the higher the connection speed, the more data needs to be filtered and the higher the cost of that filtering. To select tariffs with DDoS protection on the Market.CNews IT marketplace, tick “DDoS Protection” or select “Yes” in the DDoS drop-down list.
According to the Market.CNews IT marketplace, the minimum rental cost of one unit in a rack in a Tier III data center in Moscow without DDoS protection is ₽1,000 per month. A similar unit with DDoS protection starts from ₽1,920 per month.
Since most colocation tariffs include a communication channel of fixed width, DDoS protection is provided for that channel width. With IaaS the channel is often tailored to the client’s needs and usually lies in the range from 10 to 10,000 Mbit/s, so the cost of DDoS protection varies greatly from client to client.
A few providers offer free traffic filtering, but it is likely to be the simplest kind of protection, at the level of network protocols L2 and L3, intended to filter out floods.
Filtering attacks at the L4 to L7 level and cleaning traffic at the DNS, HTTP and SIP level is ultimately paid and can cost ₽150 thousand to 200 thousand for a channel width of only 100 Mbit/s. The most advanced protection against DDoS attacks for a 10 Gbit/s communication channel may cost up to ₽10 million per month.
All prices are as of September 2020.