Website under DDoS attack. DDoS protection.

What is a modern DDoS attack

DDoS stands for Distributed Denial of Service: an attack on an information system intended to bring it to a state where it can no longer serve the requests of the clients it works for. A DDoS attack can be directed at a single site, or at a server or a network serving a large-scale information system (for example, a data center).

What is the essence of a DDoS attack? At its core, it is a distributed DoS (Denial of Service) attack. The difference between DoS and DDoS is that a DoS is a single attack from one source, while a DDoS is a large-scale attack made up of many attacks from different places.

Types of DDoS Attacks

A botnet is most often used to carry out DDoS attacks.

The power of the attack depends on the size of the botnet. From the definition it is clear that DDoS means sending a great many requests at a target. But the purpose and the type of those requests can be fundamentally different. Let us consider the main kinds of DDoS attacks found on the modern Internet. They can be divided into two main types:

An attack at level L7, that is, at the seventh (application) layer of the OSI model.

Load on the application. Usually this is an HTTP flood, but not necessarily: the attack can target a MySQL or other database exposed to the world, a mail server, or even SSH. Such an attack aims to strain the heaviest and most vulnerable part of the service with as little traffic as possible. Malicious requests are usually disguised as legitimate ones, which makes them harder to repel.

Attacks at levels L3 and L4, that is, the network and transport layers of the OSI model.

Most often this is a SYN or UDP flood. DDoS attacks of this type try to saturate all communication channels so that the service cannot work. As a rule, malicious traffic is easily distinguishable from legitimate traffic, but there is so much of it that filtering simply cannot cope. All incoming channels are clogged with the flood.
Let us look in more detail at the specific targets of the attacks described above, starting with L7 attacks. The following can serve as targets:

Some heavy page on the site.

The attacker simply browses the site with DevTools and identifies the heaviest pages. Most often these are search, large product catalogs, or forms. Having found the bottleneck, a flurry of requests is sent there to bring the site down. For efficiency, everything that looked heavy can be loaded at once. With this approach, even ten requests per second can bring down an unprepared site.

Downloading files from the site.

If you place more or less large files directly on the web server, it is very easy to bring the server down through them unless you configure download restrictions. Ordinary parallel downloads can load the server so much that the site stops responding.

Attacks on a public API.

Now this is a very popular target because an API is simple and easy to use. Defending an API is difficult, so it is often the target of DDoS attacks.
Any other applications reachable from the Internet. Often these are mail programs, SSH servers, database servers. All these services can be overloaded if they face the Internet directly.
At levels L3 and L4 the following DDoS attacks are usually performed:

UDP flood.

This is a true classic. Practically everyone who runs open DNS and NTP services has encountered attacks of this kind. Vulnerabilities are constantly being found that allow these services to be used for DDoS attacks on servers. Attackers scan the Internet, find misconfigured or vulnerable servers, and send them requests with a forged source address. In response, these servers send several times more data to the spoofed addresses. In this way attackers amplify their attack several times over.

SYN flood.

Also an old type of denial-of-service attack. The attacker sends a large number of SYN requests to establish connections. With these SYN requests the entire connection queue gets clogged. As a result, legitimate traffic stops flowing and the service does not respond to clients.
Based on this description of the main types of DDoS attacks, let us consider simple and obvious ways to counter them.

Protection against DDoS attacks using paid services

Ordinary DoS attacks can be carried out with some programs or scripts. Such attacks are not very hard to defend against. I will give examples of such programs separately. A large-scale DDoS attack is a completely different matter.

Protection of a site from DDoS attacks can be of two types:

  • Professional protection using paid services, with traffic redirected through them.
  • Protecting your server from DDoS on your own.

Below I will describe the various methods of protection against DDoS. I must say right away that it will not be possible to fight off a serious attack on your own. You can simply be flooded with so much traffic that all communication channels are saturated and the hoster will immediately switch you off. I have run into this myself several times. No organizational measures will help. But first things first. Let’s start with paid protection services.


Hiding and protecting the real IP address

How do you protect your site from DDoS attacks? The first and most important rule, if you need high-quality and professional protection from DDoS: do not disclose your direct IP addresses. If you are under attack and need to defend yourself as soon as possible, immediately choose a DDoS protection service, set up traffic proxying through it, change your direct IP addresses, and in no case expose them anywhere. Otherwise no paid service will help: the attack will hit your IP directly, bypassing the protection.

A simple port scan of the old IP will reveal all services available on the server, and the attack can continue directly against that address, bypassing the protection. You need to allow connections to your server only from the protection service’s addresses. Do not forget to close SSH with the firewall. An unprotected server can easily be brought down through SSH with an ordinary SYN flood, and fail2ban will not save you: there will be such a flood of log entries that fail2ban itself will bring the server down.

The real IP address can be determined through subdomains that you forgot to put behind the protection, through e-mail headers if the mail is hosted on the same server as the site, and through HTTP headers if you added IP information to them. There are many places where you can leak your real IP. You need to work carefully and close all of them. Until you do, professional protection may not be effective.

There are also services on the Internet that, given a domain name, list all of its external IP addresses that were ever exposed. If you have been reachable on the Internet for a while at your real IP address, it has almost certainly been recorded and will be easy to find.
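A small audit of the two leak sources named above (forgotten DNS records and mail headers), added here as an example and not part of the original article; the protection ranges, hostnames and header lines are constructed placeholders, not a real provider’s addresses:

```python
# Added example, not from the original article: check which of your own DNS
# answers and outgoing-mail headers expose the origin IP behind a DDoS
# protection service. All data below is constructed for the demo.
import ipaddress
import re

# Placeholder ranges standing in for the protection service's proxy networks.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Constructed sample: hostname -> A/AAAA answers, as a zone export would list them.
DNS_RECORDS = {
    "www.example.com": ["203.0.113.7"],
    "example.com": ["203.0.113.7"],
    "old.example.com": ["198.51.100.25"],   # forgotten subdomain, not proxied
    "mail.example.com": ["198.51.100.25"],  # mail on the same box as the site
    "cdn.example.com": ["2001:db8:10::5"],
}

# Constructed sample headers from a message the site itself sent out.
SAMPLE_HEADERS = """Received: from mail.example.com (mail.example.com [198.51.100.25])
    by mx.recipient.invalid with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000
X-Originating-IP: [198.51.100.25]
From: noreply@example.com
"""

IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")  # bracketed IPs in header lines

def is_protected(addr: str) -> bool:
    """True if the address lies inside one of the protection service's networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED_NETS)

def exposed_records(records: dict) -> dict:
    """Return hostname -> answers that point past the protection service."""
    leaks = {}
    for host, answers in records.items():
        bad = [a for a in answers if not is_protected(a)]
        if bad:
            leaks[host] = bad
    return leaks

def leaked_header_ips(raw_headers: str) -> set:
    """IPs in Received / X-Originating-IP lines that are not behind the protection."""
    found = set()
    for line in raw_headers.splitlines():
        if line.startswith(("Received:", "X-Originating-IP:")):
            found.update(IP_RE.findall(line))
    return {ip for ip in found if not is_protected(ip)}
```

Feed it a real zone export and a message you sent to yourself to see exactly which records and headers still carry the origin address.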

Which DDoS protection service to choose, I do not know. Of course, the easiest way to start is with Cloudflare, since they have a free plan. But it has a lot of limitations, plus you need to understand a bit how the service works. In general, for free and without proper experience in DDoS protection, you are unlikely to achieve anything. Choose someone else. As an example, I have already mentioned StormWall above. Their starting plan is affordable; you can begin with it.

Firewall setup

As I said above, be sure to close everything you can with the firewall. Attackers should not see anything on your real server. Simply moving SSH, for example, to some port other than 22 will not help here. Close everything and open access only from your trusted addresses. Allow web traffic only from the protection service’s servers; their support will give you the addresses.

If you use iptables, you can read more about configuring it in my article on the topic.
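An added example (not from the article or its author) of the rule set the previous paragraph describes, generated in `iptables-restore` format: default DROP, web ports open only to the protection service’s networks, SSH only to your own admin addresses. The CIDRs are placeholders you replace with the ranges your provider gives you.

```python
# Added example, not from the article: build an iptables-restore ruleset that
# admits web traffic only from the protection service's networks and SSH only
# from your own admin addresses; everything else is dropped by policy.
# Networks passed in are placeholders, not a real provider's ranges.
import ipaddress

def _nets(cidrs):
    """Parse IPv4 CIDRs, refusing catch-all ranges that would reopen the server."""
    out = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        if net.version != 4:
            raise ValueError(f"{c}: IPv6 belongs in a separate ip6tables ruleset")
        if net.prefixlen == 0:
            raise ValueError(f"{c} admits the whole Internet and defeats the purpose")
        out.append(net)
    return out

def build_ruleset(protection_cidrs, admin_cidrs, web_ports=(80, 443), ssh_port=22):
    """Return text suitable for `iptables-restore` (IPv4 filter table only)."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # default policy: nothing else gets in
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    ports = ",".join(str(p) for p in web_ports)
    # Web ports: only the protection service's proxies may reach the origin.
    for net in _nets(protection_cidrs):
        lines.append(f"-A INPUT -s {net} -p tcp -m multiport --dports {ports} -j ACCEPT")
    # SSH: only your own administrative addresses, never the whole Internet.
    for net in _nets(admin_cidrs):
        lines.append(f"-A INPUT -s {net} -p tcp --dport {ssh_port} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"
```

Apply the output with `iptables-restore` from a console session that does not depend on SSH, after putting your own current address in the admin list, so a mistake cannot lock you out.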

Renting hosting with DDoS protection

A desirable, but not obligatory, step in protecting a server from DDoS attacks is to increase its performance, or to move to special virtual servers that come with DDoS protection. This does not necessarily help, but if it is possible, increase the power or move elsewhere. It lets you survive a little longer and gives more room for maneuver.

When your server is already barely handling its load and then an attack comes, it will go down very quickly. If there is not a sufficient margin of capacity, attackers can get past the protection with a very small amount of traffic that cannot be distinguished from legitimate traffic, and that will be enough to make the site unavailable. Specialized hosting takes these points into account and offers solutions.

Configuring caching

Caching should be set up in advance, not when you are already under attack. If your site or service is not optimized, it will be very difficult to protect. As I wrote above, some of the traffic may pass through the protection because it looks very much like legitimate traffic. And that traffic may be enough to load the server to failure.

The issue of caching is quite complicated and it is hard to offer effective solutions right away. But if it is important for you to at least respond to users rather than show a web server error, then serve statically what would normally be generated dynamically. During an attack, let at least the appearance that the site is working remain. That is still better than a complete stop.

Sometimes a DDoS attack can be triggered by legitimate means. For example, a link to your site is published somewhere very popular, and a flurry of real users arrives. They are all real, but in effect you get a DDoS attack on your site, which can lead to its failure, and you lose, for example, the profit from showing advertisements at those moments.

In this case it is better to quickly cache the pages being visited and serve them as static content, even though comments, some kind of feed, etc. will not work. The main thing is that users can read the content and see the ads, and you make a profit. When the load drops, you can analyze the situation and work out a proper solution for the future.

Move SMTP to a separate server

Do not use the web server as a mail server. If possible, move the sending of e-mail somewhere else. This can be either a dedicated mail service or your own server, but configured separately. This is a useful practice not only during DDoS attacks but in general. How to configure a mail server you can read in my articles.

Not only can your real IP addresses easily be found out through the mail server, it is also an extra place to look for vulnerabilities and to cause denial of service. Better to play it safe and minimize the risks.

I have told how protection against DDoS attacks can be set up using paid services. As an example I cited the company StormWall. It is well known, the prices are affordable, and the support is in Russian. They speak at various events and share their knowledge. Here is an example of an excellent talk, which I myself once watched with pleasure and took note of.


Protecting yourself against DDoS

Let’s now consider what we can do ourselves to protect our site from a distributed attack. I must say: not very much. I discussed this topic a bit in a separate article on protecting a web server from DDoS. It describes some simple and effective measures that will protect you from a simple attack carried out from a small number of places by some amateur or student.

If the attack is distributed and large-scale, you cannot do anything on your own. You will simply be switched off by the hoster if you are using a regular VPS or a dedicated server without DDoS protection. I myself have come across this several times. Whatever you do, nothing helps. As soon as there is too much traffic, you are disconnected, even if the server is still handling the load. You have to contact specialized services, forward all traffic to them, and proxy it back to yourself already cleaned.

How a DDoS attack is carried out

Let us consider how, in principle, a DDoS attack can be carried out. “To catch a criminal, you need to think like a criminal.” For obvious reasons, I will give only a little theory, without practical examples, just to be safe, so to speak. Not that I have any examples: I myself have never seriously engaged in DDoS attacks.

Yandex has a great tool for load testing, Yandex.Tank. When I got to know it, I decided to load the first few sites I came across. To my surprise, I took down every site I tried to load 🙂 I must say these were small blogs by blogging enthusiasts like me.

To DDoS an unprepared site yourself, it is enough to run Yandex.Tank from 3-5 different places and specify the set of the heaviest pages as targets. An ordinary dynamic site will immediately start to suffer. When the owner comes to his senses and begins to investigate, he will quickly ban your IP addresses himself or with the help of the hoster, and that will be the end of your DDoS attack.

You will have to look for new IP addresses for the next DDoS attack, which is very troublesome, and they will be easy to block too. Next you need to use your head and think about how to change IP addresses quickly and easily. Ready-made proxy lists, scripts, curl, python, etc. come to mind. I will not develop this thought further. In general, it is not so difficult to learn how to DDoS at a basic level yourself. Basic knowledge of Linux and scripting is enough.

I will say right away that professional DDoS protection services such as StormWall or Cloudflare will block such attacks of yours without even noticing. This can only be of interest as self-development. All modern and effective DDoS attacks are carried out using botnets.

Programs for DDoS attacks

I decided to make a section describing DDoS programs for this purpose. If this interests you, you will surely look for such programs on the Internet, as I once did. I warn you right away that these programs themselves, and the sites that distribute them, are full of viruses and other malware. Be very careful and cautious when searching for them.

Such programs are recommended for checking how your site will behave under their onslaught. If someone organizes a DDoS against you, they will probably start with just such simple tools. So it makes sense, after setting up protection, to see how it really works.

DDoS programs are divided into 3 types:

  • Programs for SYN and UDP flooding.
  • Software systems for creating your own botnet.
  • Stresser services.

Programs for SYN and UDP flooding

Of the first type, the most popular are:

Server Flooder. A simple program that can hammer a specific IP address and port with requests. Protection from such a program is very simple: ban the IP address that sends a large number of requests. I don’t know where to download a clean copy of Server Flooder. In most places the archives will contain viruses instead, so be careful.

LOIC. An old program. It can spam HTTP requests, as well as flood with TCP and UDP packets. You can download LOIC from SourceForge.

MummyDDOS. The same TCP flood as the first two.

Software systems for creating your own botnet

Only some old crafts reach public access, and they have lost relevance because all modern antiviruses detect them. You can use them only for academic purposes on machines under your control. It is impossible to really assemble your own botnet for powerful DDoS attacks using public free programs.

Such botnets include Zemra Botnet, Dirt Jumper, Solar, etc. All of this is freely available. You can install it for general education and see how it all works.

Stresser panels

Modern, convenient, functional tools for conducting DDoS attacks. Unfortunately 🙁 A stresser is a kind of service with a web panel and a personal account. You pay for access to the DDoS panel and can use it for some paid period. The cost of simple attacks is low. For just 3-5 dollars a day you can hit a site two or three times a day with a powerful enough DDoS for 3-5 minutes each time. Sometimes that is enough for the hoster to take the site offline.

Behind such panels is an ordinary botnet. There are panels with trial access for conducting powerful DDoS attacks completely free of charge. Yes, it will be short-lived, but it can still harm the resource. Such panels operate quite legally, providing access supposedly for testing the resilience of resources. That they are used for DDoS attacks does not concern them.


Author: Zerox

Original article: serveradmin.ru