Denial of Service attacks have been a hazard for web sites since the earliest days of the World Wide Web.
Although the average speeds and network capacities for the earliest users of Internet service were nowhere near as high as they are today, it was still possible to generate enormous volumes of traffic and direct them at servers that were totally unprepared for the onslaught.
Today, thanks to innovative and often fast-reacting defensive measures, it is possible to mitigate most of the damage from what is now more accurately described as a “distributed denial of service” attack, or DDoS. The purpose of a denial of service attack is to overload a web server or other service with so much bogus traffic that legitimate users cannot use it. “Distributed” means the traffic is not sent from a single source: it is coordinated across many sources, typically a botnet of compromised machines, so blocking one attacking IP address is not enough to stop the attack.
As these attacks have grown in sophistication and power, the measures available to combat them have advanced as well. With adequate planning and a proper understanding of the threat, many of the largest sites on the web have reached a point where they are well defended against all but the most unusually intense events.
The chances of any one site being targeted are low, but if you run a mission-critical service online, whether it is web-based or runs on its own protocol, you should at least be aware of the potential for denial of service attacks and prepare yourself and your organization to combat them. Here are some things to consider.
Know Your Traffic Patterns
There are three primary “loads” on a web or network server. Your analytics software should be able to track the first; your network monitoring should, at minimum, track the other two. The first is traffic volume: how many connections and packets are arriving, of what kind, and how much bandwidth they consume. Compared with the same hour on previous days, this figure should not deviate by more than a few percentage points; a single flat daily threshold is not enough, because normal traffic itself rises and falls through the day. If it does deviate, your monitoring software or IT staff should be alerted and ready to determine the cause.
The second load is CPU utilization. For a standard web server, processor utilization should rarely climb above sixty percent. High CPU load is not by itself a denial of service attack, but combined with a strategically timed surge of network traffic it can cascade through all your network services and degrade other systems such as failover servers and anti-virus services running elsewhere on your network.
Third is storage. A full disk not only degrades services but can make the operating system and other software malfunction. On some kinds of servers, a strategically timed series of large uploads, combined with one or more other attack vectors, can not only degrade services but cut them off entirely. Remember that the logs your servers write during a flood consume disk space as well.
The longer your server is running, the more data you will have regarding the normal ranges for all these loads. You can then set up your monitoring and analytics to alert IT staff in the event any of them move out of normal ranges.
Here are some of the most popular and effective ways to defend against and prevent distributed denial of service attacks.
1. Know If It’s Happening
Use the data provided by your monitoring and analytics. Be particularly careful to notice any deviation from your rolling 30 and 90 day patterns for network load, CPU utilization and storage. Occasionally a slow increase in one will precede a spike in one or more of the others. Set up alerts in your monitoring and security systems to notify key personnel in the event of any anomalies. For one-off testing, you can use a speed test tool like Dotcom-Tools in order to spot check website performance issues that could be related to DDoS.
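The check described in this section and in “Know Your Traffic Patterns” above, as an added example rather than code from the article: a per-hour-of-day baseline for connection rate, CPU and disk, a z-score test for sudden deviation, and a separate trend test that catches the slow creep a sudden-deviation alert absorbs. The 30-day history is constructed, and the 3-sigma and 5 % drift limits are assumptions to tune against your own data.

```python
"""Baseline-and-alert check over connection rate, CPU and disk use.
Added example, not code from the article: the 30-day history is
constructed, and the 3-sigma and 5 % drift limits are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    day: int       # days since the start of the history window
    hour: int      # hour of day, 0-23
    metric: str    # "conn_rate" (new connections/s), "cpu_pct" or "disk_pct"
    value: float


def build_history(days=30):
    """Constructed 'normal' history: hourly samples with a busier daytime,
    a deterministic 0-9 % jitter, and a disk that slowly fills up."""
    hist = []
    for d in range(days):
        for h in range(24):
            diurnal = 1.5 if 8 <= h < 20 else 0.5        # daytime is three times busier
            jitter = 1 + ((d * 7 + h * 13) % 10) / 100    # 1.00 .. 1.09
            hist.append(Sample(d, h, "conn_rate", 400 * diurnal * jitter))
            hist.append(Sample(d, h, "cpu_pct", 35 * diurnal * jitter))
            hist.append(Sample(d, h, "disk_pct", 40 + 0.2 * d))
    return hist


def baseline(history, floor_frac=0.02):
    """Mean and standard deviation per (metric, hour of day).  The std is
    floored at floor_frac of the mean so a very flat metric does not page
    on every tiny blip."""
    buckets = defaultdict(list)
    for s in history:
        buckets[(s.metric, s.hour)].append(s.value)
    base = {}
    for key, vals in buckets.items():
        mu = mean(vals)
        base[key] = (mu, max(pstdev(vals), floor_frac * mu))
    return base


def check(sample, base, z_limit=3.0):
    """Alert dict if the sample is more than z_limit standard deviations
    from the baseline for its hour (in either direction), else None.
    A sudden drop matters too: it may mean the box is already down."""
    mu, sd = base[(sample.metric, sample.hour)]
    z = (sample.value - mu) / sd
    if abs(z) > z_limit:
        return {"metric": sample.metric, "hour": sample.hour,
                "value": sample.value, "expected": round(mu, 1), "z": round(z, 1)}
    return None


def run_checks(samples, base):
    return [a for a in (check(s, base) for s in samples) if a]


def trend(history, metric, recent_days=7, drift_limit=1.05):
    """Ratio of the recent mean to the older mean for one metric.  A ratio
    above drift_limit means the baseline itself is creeping up: the slow
    increase that check() alone would keep absorbing."""
    last = max(s.day for s in history)
    recent = [s.value for s in history if s.metric == metric and s.day > last - recent_days]
    older = [s.value for s in history if s.metric == metric and s.day <= last - recent_days]
    ratio = mean(recent) / mean(older)
    return ratio, ratio > drift_limit


HISTORY = build_history()
BASELINE = baseline(HISTORY)

if __name__ == "__main__":
    today = [Sample(30, 12, "conn_rate", 2000.0),   # sudden surge: alert
             Sample(30, 12, "cpu_pct", 58.0),       # inside the hour's normal band
             Sample(30, 12, "disk_pct", 46.0)]      # quiet here, caught by trend()
    for alert in run_checks(today, BASELINE):
        print("ALERT", alert)
    for m in ("conn_rate", "cpu_pct", "disk_pct"):
        ratio, drifting = trend(HISTORY, m)
        print(f"{m}: 7-day/23-day ratio {ratio:.3f}" + ("  <- baseline creeping up" if drifting else ""))
```

The two tests are deliberately separate: the disk reading of 46 % is within three standard deviations of its hour's baseline and raises nothing from check(), while trend() reports the 7 % climb over the last week. In production the history would come from your metrics store rather than build_history(), and the alerts would be wired to whatever pages your on-call staff.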
2. Failover and Provisioning
If your services are commercial in nature, you should have enough network capacity available at any given time to absorb a temporary increase in traffic of at least 200%. This is called “over-provisioning”, and it is a service most network operations centers can provide at minimal cost. Under no circumstances should your server run without a cloned standby ready to take over if the front-line machine goes off-line. This is known as failover protection, and it is particularly important during a denial of service attack, especially if your network operations staff need to hotfix the live system or roll out new defences on the fly. Note that a standby behind the same saturated link does nothing against a volumetric attack; its value is in keeping service up while the front-line machine is exhausted or being patched.
3. Reinforce at the Router
While not a permanent solution to a DDoS attack, your router can buy you some time in the early phases of the build-up. Truly massive targeted attacks often take some time to reach full capacity, and those minutes are crucial: they can be the difference between getting back on-line quickly and having your systems down for extended periods. There are several ways your router can help. Setting shorter timeouts on half-open and idle connections, lowering the rate-limit thresholds at which UDP and TCP SYN packets are dropped, and identifying remote IP ranges to block can buy you anywhere from ten to thirty minutes of up-time in some cases. Even that much time can make all the difference. The limit of this approach is bandwidth: once the attack saturates the link into your router, rules on the router itself no longer help and the filtering has to move upstream.
4. UDP Phantom Zone
Unless your servers have a very good reason to receive or send UDP traffic, your best option is to ask your upstream providers to drop it at their routers, before it reaches your link. Some of the most popular DDoS techniques are UDP-based reflection and amplification (NTP and DNS are the classic reflectors), which let an attacker overwhelm a network with relatively little hardware of their own. If your provider sends all inbound UDP to the phantom zone, your servers never see it. The caveat is that your own DNS lookups and NTP time sync are UDP as well, so the filter has to allow replies to queries you originated (a stateful rule) or you will break name resolution along with the attack.
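The measures from sections 3 and 4 together, as an added example in Python rather than real router configuration (this is not code from the article, and a real deployment would use the router's or kernel's own rate limiting, for instance iptables hashlimit and SYN cookies on Linux): a per-source token bucket for inbound SYNs, a default-drop policy for UDP with a conntrack-style exception for replies to queries we sent, and aggregation of the worst offenders into /24 ranges to hand to the upstream provider. The packet stream is constructed, and the thresholds (5 SYN/s with a burst of 10, 50 drops per /24) are assumptions.

```python
"""Model of the router-side measures in sections 3 and 4: a per-source
SYN rate limit with /24 aggregation of offenders, and default-drop for
UDP with a stateful exception for replies to queries we sent.  Added
example, not code from the article; traffic and thresholds are assumed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t_ms: int          # arrival time in milliseconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # TCP SYN flag set


class TokenBucket:
    """`rate` tokens per second, at most `burst` saved; one token per packet."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), 0

    def allow(self, now_ms):
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last) * self.rate / 1000.0)
        self.last = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class EdgeFilter:
    def __init__(self, our_net, syn_rate=5.0, syn_burst=10, udp_allow_ports=()):
        self.our_net = ipaddress.ip_network(our_net)
        self.syn_rate, self.syn_burst = syn_rate, syn_burst
        self.udp_allow_ports = set(udp_allow_ports)  # e.g. {53} if you host a public DNS server
        self.buckets = {}                            # one SYN bucket per remote source
        self.pending_udp = set()                     # (our_ip, our_port, peer_ip, peer_port)
        self.dropped = Counter()                     # drops per source address
        self.reasons = Counter()

    def _ours(self, ip):
        return ipaddress.ip_address(ip) in self.our_net

    def decide(self, p):
        if p.proto == "udp":
            if self._ours(p.src):                    # outbound query: remember it
                self.pending_udp.add((p.src, p.sport, p.dst, p.dport))
                return "accept"
            reply_key = (p.dst, p.dport, p.src, p.sport)
            if reply_key in self.pending_udp:        # answer to something we asked for
                self.pending_udp.discard(reply_key)
                return "accept"
            if p.dport in self.udp_allow_ports:
                return "accept"
            return self._drop(p, "udp-default-drop")  # everything else: phantom zone
        if p.proto == "tcp" and p.syn and not self._ours(p.src):
            bucket = self.buckets.setdefault(p.src, TokenBucket(self.syn_rate, self.syn_burst))
            if not bucket.allow(p.t_ms):
                return self._drop(p, "syn-rate-limit")
        return "accept"

    def _drop(self, p, why):
        self.dropped[p.src] += 1
        self.reasons[why] += 1
        return "drop"

    def ranges_to_block(self, min_drops=50):
        """Collapse offending sources into /24s worth handing to the upstream provider."""
        per24 = Counter()
        for ip, n in self.dropped.items():
            per24[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += n
        return [net for net, n in per24.most_common() if n >= min_drops]


def build_traffic():
    """Constructed stream: a normal client, a SYN flood from 192.0.2.0/24, one
    DNS query of ours plus its answer, and an unsolicited UDP blast from source
    port 123 (the shape of an NTP amplification flood)."""
    pkts = [Packet(i * 1000, "198.51.100.7", "203.0.113.10", "tcp", 40000 + i, 443, True)
            for i in range(20)]                                # one new connection per second
    for h in range(1, 51):                                     # 50 hosts, 40 SYNs in 2 s each
        pkts += [Packet(i * 50, f"192.0.2.{h}", "203.0.113.10", "tcp", 1024 + i, 443, True)
                 for i in range(40)]
    pkts.append(Packet(500, "203.0.113.53", "198.51.100.53", "udp", 51234, 53))  # our query
    pkts.append(Packet(600, "198.51.100.53", "203.0.113.53", "udp", 53, 51234))  # its answer
    pkts += [Packet(i * 10, f"192.0.2.{i % 50 + 1}", "203.0.113.10", "udp", 123, 40000 + i)
             for i in range(200)]
    return sorted(pkts, key=lambda p: p.t_ms)  # stable sort keeps per-source order


def run(flt, packets):
    return Counter(flt.decide(p) for p in packets)


if __name__ == "__main__":
    flt = EdgeFilter("203.0.113.0/24")
    print(run(flt, build_traffic()))
    print("drop reasons:", dict(flt.reasons))
    print("ask upstream to block:", flt.ranges_to_block())
```

With these numbers the legitimate client, which opens one connection per second, is never throttled, the DNS answer to our own query is let through, the unsolicited port-123 blast is dropped outright, and each flooding host loses about half its SYNs; the drop counts then collapse into a single /24 that can be passed to the provider. The limit noted in section 3 still applies: this filter only helps while the link into it has headroom, which is why the UDP rule belongs at the provider's edge rather than yours.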
5. Geographically Distributed Servers
One of the best ways to survive a distributed attack is to run a distributed server network, according to Web Hosting Buddy. A system with a single point of failure is the most vulnerable; the more locations that can serve your traffic, the harder it is to take all of them down at once. If a DDoS attack only affects one geographic area, your network operations can route legitimate traffic to servers elsewhere on your network automatically and isolate the affected site before the bogus traffic has a chance to cause any trouble.
There are commercial companies, naturally, that can provide all these services for high reliability web sites and web services. Although most sites likely don’t need industrial strength denial of service defense, it is something to consider as your traffic grows and your network’s importance increases.
The information contained in this website is for general information purposes only. The information is gathered from Hackers Online Club. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.