The purpose of a DDoS attack is to take its target out of service, which can mean large financial losses from downtime, plus the cost of equipment to defend against it and the salaries of specialists. Any webmaster understands that having his sites down for 2-3 hours will seriously harm the business, and if they are down for a week, the resource will most likely have to be rebuilt from scratch. I'm not even talking about the owners of paid sites and serious e-commerce resources, whose losses can amount to tens of thousands of dollars a day.

The technology of DDoS attacks comes down to brute force: in one way or another you try to saturate a channel by opening the maximum possible number of connections to a particular service, or by sending a huge volume of data that the server is unable to process. All this leads to a loss of speed or a complete stop (hang) of the attacked resource.

DDoS is a distributed attack, that is, a widespread one: you are attacked not by a single server, which you could easily shut out with a firewall, but by thousands or tens of thousands at once, and sometimes there may be hundreds of thousands or millions of attacking bots (many call them zombies).

What is a zombie?

A zombie is a computer or server infected by a program (or otherwise compromised) that executes the commands of a controlling server.

How does a computer become a zombie?

Zombies are usually created using exploits for the OS: machines are infected through a web browser when visiting sites, when receiving mail, or by installing software with trojans bundled into it.

How many zombies can there be?

There are holes that are still not closed, and sometimes the share of infected machines can reach 80% of all traffic to a site; spam can be sent out in huge numbers, and as a result we have tens of thousands of zombies.

Depending on how sophisticated the code on the zombies themselves is, they can execute different types of requests to the server, sometimes making themselves completely invisible to the firewall or hard to distinguish from a real visitor, which of course complicates the fight against them.

I won't describe the types of attacks; they vary greatly, from the old ping and SYN floods to new ones developed specifically for a particular attack.

All of them lead to the same result: as a rule the server goes down, and attempts to bring it back to life end with it going down again.

In general, it's a rather sad story with DDoS attacks. Many hosters simply switch off the server in case of an attack. This shows that they really cannot do anything about them.

Fighting DDoS

This is probably the most interesting part, as well as the most difficult.

In 98% of cases the hardest part of dealing with DDoS falls on the shoulders of the webmaster, since providers mostly just don't bother: their standard scheme is to null-route your IP, and as far as they are concerned the DDoS problem is solved. The webmaster is not very happy with this solution, because his sites are then down completely.

Of course, there are advanced providers that can help in the fight, but this is rare, and again, you will have to pay them five-figure sums before they make any effort. So it remains to solve the problems yourself, and I will tell you how.

1) At the server level.

The server must have remote reboot and a server console reachable at another IP address via the SSH protocol. This lets you quickly restart the server, which is exactly what you need at the start of a DDoS attack. With console access elsewhere, SSH on the server itself can be disabled completely. This matters because SSH is very often flooded together with the web server, for example, in order to complicate the admin's work or make the server unavailable for administration.

2) In the server's services.

A security audit is a must, that is, in plain language, it needs to be done: all services on the machine should be patched against all known and unknown holes. About tuning a web server for DDoS attacks you could write a whole book, so I won't deprive myself of a piece of bread.

3) At the network level.

For starters, you can block everything that can give an attacker more information about you: block ping and traceroute. Put the server behind NAT. Mask its IP as far as possible. Hiding the server's IP address is a very professional way to protect it, and it is used in many private DDoS defense systems.

4) At the provider level.

Through packet analysis or by blocking IP addresses.

5) At the hardware level.

Applying hardware solutions from leading manufacturers such as Cisco, 3Com, Nortel, etc. These solutions fight at the hardware level but require large financial outlays, from 10K and up. Integrated solutions cost around 50-80 thousand dollars. This also includes third-party manufacturers of hardware built specifically for protection. Most of them operate on the principle of packet analysis and filtering: the wanted packets reach the server, the junk is filtered out, and the network segments it came from are blocked at the router or firewall. More advanced systems are able to hide your server completely, so that the network never sees its IP address and direct scanning or a DDoS attack against it is impossible.

6) At the level of your server's admins.

Using the firewall logs on the server, you see a bunch of IP addresses the attack is coming from. You can analyze them and look for vulnerable workstations among them: out of 10,000 machines, 1-3 will certainly be accessible enough to get onto. That way you can find the zombie carrying out the attack on you, then try to pick it apart to find who is launching the attacks and, if you are lucky, find the control server and, as an option, counterattack it. This will not work, though, if the DDoS attack is not controlled but is, for example, a virus. Let me remind you that when you are attacked by workstations that were infected earlier and whose actions are not controlled manually, they are not very dangerous, because if you change, for example, your IP and domain, such an attack will die out by itself.
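The first step in this section, reading the firewall logs to see which addresses and network segments the flood is coming from, is something you can script. The following is an added example written for this article, not code from the original post. It assumes the server logs dropped or rate-limited packets with the netfilter LOG target (lines carrying SRC=, DST=, PROTO= and DPT= fields) and works on a small constructed sample; the thresholds are illustrative and must be tuned to your own normal traffic.

```python
"""Triage of firewall (netfilter LOG target) records during a flood.

Added example; not part of the original article. It assumes the kernel's
netfilter LOG line format and uses a constructed sample log below.
"""
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log (documentation address ranges, not real hosts):
# two sources in 198.51.100.0/24 hammer port 80 with SYNs, a third sends one
# SYN, and two unrelated hosts generate ordinary-looking traffic.
SAMPLE_LOG = """\
Jan 10 12:00:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN
Jan 10 12:00:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan 10 12:00:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=80 SYN
Jan 10 12:00:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40004 DPT=80 SYN
Jan 10 12:00:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 10 12:00:02 web kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jan 10 12:00:02 web kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 10 12:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=51002 DPT=80 SYN
Jan 10 12:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=51003 DPT=80 SYN
Jan 10 12:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=51004 DPT=80 SYN
Jan 10 12:00:03 web kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=80 SYN
Jan 10 12:00:04 web kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP SPT=55123 DPT=443 SYN
Jan 10 12:00:04 web kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:05 web kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=33434
"""

# KEY=VALUE pairs as the netfilter LOG target writes them (OUT= may be empty).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log(text):
    """Turn each LOG line into a dict of its fields plus a SYN-flag marker."""
    records = []
    for line in text.splitlines():
        if "SRC=" not in line:          # skip lines that are not netfilter records
            continue
        rec = dict(FIELD_RE.findall(line))
        rec["SYN"] = line.rstrip().endswith("SYN")
        records.append(rec)
    return records


def syn_counts(records, dst_port=None):
    """Count SYN packets per source address, optionally for one destination port."""
    counts = Counter()
    for rec in records:
        if not rec["SYN"]:
            continue
        if dst_port is not None and rec.get("DPT") != str(dst_port):
            continue
        counts[rec["SRC"]] += 1
    return counts


def flagged_hosts(counts, threshold):
    """Sources at or above the threshold, most active first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def flagged_networks(hosts, min_hosts=2, prefix=24):
    """Group flagged hosts by /prefix. A network with min_hosts or more distinct
    flagged hosts is a candidate for a prefix-level block at the router, which
    is cheaper than thousands of individual host rules."""
    per_net = defaultdict(set)
    for ip in hosts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_net[str(net)].add(ip)
    return sorted(net for net, ips in per_net.items() if len(ips) >= min_hosts)


def triage(text, threshold=5, dst_port=80):
    """Full pass: parse, count SYNs to the attacked port, flag hosts and networks."""
    counts = syn_counts(parse_log(text), dst_port)
    hosts = flagged_hosts(counts, threshold)
    return {"hosts": hosts, "networks": flagged_networks(hosts)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("candidate host blocks:   ", result["hosts"])
    print("candidate network blocks:", result["networks"])
```

The output is a candidate list, not a rule set to apply blindly: a single address with a high count may be a NAT gateway in front of many real users, and a /24 block takes down every customer of that segment, so review the list before feeding it to the firewall or handing it to the provider for blocking at their level. With real logs, replace SAMPLE_LOG with the contents of the kernel log and raise the threshold to a count that only a flood reaches on your server.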

7) The combined use of all these systems.

In conclusion, I want to say that everything written here does not cover even 80% of all methods of dealing with DDoS, and a lot of people around the world work on this topic. So in this short article I cannot describe everything, however much I would like to. But I hope it will help you a little to understand the basics of how to deal with DDoS attacks.