Definition: DDoS attack - short for “distributed denial of service attack”.
With the help of these attacks, some of the largest and best-known companies, such as Yahoo!, eBay, buy.com, amazon.com, cnn.com and a number of others, were temporarily taken down...
I won’t beat around the bush; I will write about what, as a rule, nobody ever writes in articles about DDoS.
Mostly what we see on the Internet are superficial descriptions of successful attacks, or the cries of their victims.
1) The purpose and principle of DDoS
The purpose of a DDoS attack is to knock the target out of its working state, which can lead to large financial losses: the losses during the attack itself, the cost of equipment to protect against it, and the salaries of specialists. Any webmaster understands that *** of his sites for 2-3 hours will seriously harm the business, and if it lasts a week, the resource will most likely have to be rebuilt from scratch. I am not even talking about the owners of paid sites and serious e-commerce resources, whose losses can amount to tens of thousands of dollars a day.
DDoS attack technology is a brute-force method: one way or another the attacker tries to “clog” the channel, either by opening the maximum possible number of connections to a particular service or by sending a huge amount of data that the server is unable to process. All of this leads to a loss of speed or to a complete stop (freeze) of the attacked resource.
2) DDoS is a distributed attack,
that is, a widespread one: you are attacked not by a single server, which could easily be shut out with a firewall, but by thousands or tens of thousands at once; sometimes there are hundreds of thousands or even millions of attacking bots (many call them zombies).
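As an added illustration, not taken from the original article, of why one attacking source is easy to shut out while thousands are not: a per-source connection cap stops a single flooder, but a distributed flood stays under that cap and only a global cap still protects the service. The class, the limits and the 10.x.y.1 bot addresses are constructed for the demonstration.

```python
"""Per-source vs. global connection caps (constructed demonstration)."""
from collections import Counter

class ConnectionGuard:
    """Two limits: per_source = open connections one client IP may hold at once,
    total = open connections the whole service will hold at once."""

    def __init__(self, per_source: int, total: int) -> None:
        self.per_source, self.total = per_source, total
        self.open = Counter()          # ip -> currently open connections
        self.open_total = 0
        self.refused_per_source = 0    # refusals caused by the per-IP cap
        self.refused_total = 0         # refusals caused by the global cap

    def admit(self, ip: str) -> bool:
        """Record the connection and return True, or count why it was refused."""
        if self.open[ip] >= self.per_source:
            self.refused_per_source += 1
            return False
        if self.open_total >= self.total:
            self.refused_total += 1
            return False
        self.open[ip] += 1
        self.open_total += 1
        return True

    def close(self, ip: str) -> None:
        if self.open[ip] > 0:
            self.open[ip] -= 1
            self.open_total -= 1

def single_source_flood(attempts: int = 500) -> dict:
    """One client opening many connections: the per-source cap alone stops it."""
    g = ConnectionGuard(per_source=20, total=1000)
    admitted = sum(g.admit("203.0.113.5") for _ in range(attempts))
    return {"admitted": admitted, "per_source": g.refused_per_source, "total": g.refused_total}

def distributed_flood(bots: int = 2000, each: int = 3) -> dict:
    """Many clients, each well under the per-source cap: only the global cap holds.
    Bot addresses are synthetic 10.x.y.1 values, one per bot."""
    g = ConnectionGuard(per_source=20, total=1000)
    admitted = 0
    for b in range(bots):
        ip = f"10.{b // 256}.{b % 256}.1"
        admitted += sum(g.admit(ip) for _ in range(each))
    return {"admitted": admitted, "per_source": g.refused_per_source, "total": g.refused_total}
```

The distributed case admits 1000 connections and refuses the remaining 5000 only at the global cap, which is exactly the point: per-IP rules alone do not help once the sources are spread out.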
What is a zombie?
A zombie is a computer or server infected with a program (or otherwise compromised) that executes commands from a control server.
How does a computer become a zombie?
Zombies are usually created using OS exploits: machines are infected through a web browser when visiting websites, through receiving mail, or through installing software with a Trojan built into it.
How many zombies can there be?
There are holes that have still not been closed, and sometimes the share of infected traffic reaches 80% of all traffic to a site; spam can be sent in huge quantities, and as a result we end up with tens of thousands of zombies.
Depending on how sophisticated the code on the zombie itself is, they can make different types of requests to servers, sometimes making themselves completely invisible to the firewall or hard to distinguish from a real visitor, which of course complicates the fight against them.
I will not describe the types of attacks; they vary greatly, from the old ping and SYN floods to new ones developed specifically for a particular attack.
All of them lead to the same outcome: the server usually goes down, and attempts to bring it back to life end with it going down again.
In general, DDoS attacks are a rather sad story. Many hosters simply shut down the server if an attack is detected, which shows that they cannot really do anything about them.
Fighting DDoS
This is probably the most interesting part, and also the most difficult.
The hardest part is that in 98% of cases the fight against DDoS falls on the shoulders of the webmaster, since providers for the most part simply do not bother: their standard scheme is to null-route your IP, and thus the DDoS problem is solved for them. The webmaster is not very happy with this decision, since his sites go down anyway.
Of course, there are advanced providers who can help in the fight, but this is rare, and again you would have to pay them five-digit sums to have any influence on them. So all that remains is to solve the problem yourself, and I will tell you how.
1) At the server level.
The server must have a remote reboot and a server console reachable on a different IP address via the SSH protocol. This lets you reboot the server quickly, which is more than necessary at the very beginning of a DDoS attack. The console access lets you completely disable SSH on the server. This is necessary because SSH is also very often hit together with, for example, the web server, in order to complicate the work of the server administrator or make the server completely inaccessible to the administrators.
2) At the server services level.
A security audit is a must, which is to say, in plain language, it must be done: all services on the machine must be patched against all known and unknown holes. One could write a whole book about tuning a web server to withstand DDoS attacks, so I will not give away my bread and butter here.
3) At the network level.
To begin with, everything that could give the attacker more information about you is blocked: ping and traceroute are blocked, the server is placed behind NAT, and its IP address is masked as soon as possible. Hiding the server's IP address is already a very professional way to protect it, and it is used in many paid DDoS protection systems.
4) At the provider level.
Through packet analysis or by blocking IP addresses.
5) At the hardware level.
Using hardware solutions from leading manufacturers such as Cisco, 3Com, Nortel, etc. Fighting at the hardware level requires large financial outlays, $10k and above; complex solutions cost around 50-80 thousand dollars. This also includes third-party manufacturers of hardware protection equipment. Most of them operate on the principle of analyzing packets and then filtering them: the necessary packets pass through to the server, unnecessary ones are filtered out, and the network segments they came from are blocked by a router or firewall. More advanced systems are able to hide your server completely, so that its IP address is never found on the network and direct scanning and DDoS attacks against it are impossible.
6) At the admin level of your server.
Using your server's firewall logs, you see a bunch of IP addresses from which attacks are coming at you. You can analyze them and look for vulnerable workstations among them; out of 10,000 machines, 1-3 will definitely be open to examination. You can find the actual zombie that is attacking you. Then you can try to dig into it to find out who is launching attacks on you and, if you’re lucky, find the control server and, as an option, counterattack it. This will not be possible, however, if the DDoS attack is not being controlled but is, for example, a virus-driven one. Let me remind you that when you are attacked by workstations that were infected earlier and whose actions are not controlled manually, they are not very dangerous, because if you change, for example, the IP and domain, such an attack will die on its own.
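The log-analysis step above, and the segment-level blocking described under the hardware level, as an added example that is not part of the original article: it parses firewall drop records, aggregates them per source and per /24, and proposes a /24 block only where several hosts in the same segment are involved, falling back to single-host blocks otherwise. The log lines are constructed in the style of the netfilter LOG target, and the thresholds are assumed values.

```python
"""Turn firewall drop logs into per-host and per-segment block candidates."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed lines in the style of the netfilter LOG target; not captured traffic.
SAMPLE_LOG = """\
kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=80 SYN
kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=80 SYN
kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40201 DPT=80 SYN
kernel: DROP IN=eth0 SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=80 SYN
kernel: DROP IN=eth0 SRC=198.51.100.31 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN
kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=443 ACK
kernel: DROP IN=eth0 SRC=203.0.113.44 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+).*?PROTO=(\w+)")

def parse(log_text):
    """Yield (source_ip, protocol, is_syn) for every line that looks like a drop record."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), "SYN" in line.split()

def summarize(log_text):
    """Per /24: (hits, distinct sources, SYN-flagged hits). Several sources inside
    one segment is what makes a segment-level block reasonable instead of a host block."""
    hits, syns, sources = Counter(), Counter(), defaultdict(set)
    for src, _proto, is_syn in parse(log_text):
        net = str(ipaddress.ip_network(f"{src}/24", strict=False))
        hits[net] += 1
        syns[net] += is_syn
        sources[net].add(src)
    return {net: (hits[net], len(sources[net]), syns[net]) for net in hits}

def block_plan(log_text, host_hits=2, seg_hits=3, seg_sources=2):
    """Choose /24 blocks where several hosts in one segment are hitting us, and
    single-host blocks for noisy sources that are not already inside a blocked segment."""
    segs = sorted(net for net, (h, n, _s) in summarize(log_text).items()
                  if h >= seg_hits and n >= seg_sources)
    blocked = [ipaddress.ip_network(n) for n in segs]
    per_host = Counter(src for src, _p, _s in parse(log_text))
    hosts = sorted(ip for ip, h in per_host.items() if h >= host_hits
                   and not any(ipaddress.ip_address(ip) in b for b in blocked))
    return {"segments": segs, "hosts": hosts}
```

On the sample, the four SYN sources in 198.51.100.0/24 produce one segment block, while the lone noisy host 203.0.113.44 is listed individually; raising seg_sources shows how the same data degrades to host-only blocks.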
7) Combined use of all of the systems above.
In conclusion, I want to say that everything written here does not cover 80% of all methods of combating DDoS, and a lot of people all over the world work on this topic. So I will not be able to describe everything in this short article, even if I really wanted to. But I hope it will help you a little to understand the basics of how to deal with DDoS attacks.