Today we will learn how to protect against DDoS attacks. As a webmaster, you have probably heard the terms DDoS and DoS mentioned as cybersecurity risks. Although some people use the two interchangeably, they are different types of attack. Your web host does what it can to protect against attacks, but knowledge is power, and it helps your business if you know the signs of an attack and what you can do about it. Maybe you just want some general understanding; if so, this guide is for you.
Basic Web Communication
Before we get into DDoS, let's first look at how web communication works. When you type a URL into your browser, it performs a DNS lookup of the domain, finds the IP address, and then connects to the domain's web server to fetch the content. As a webmaster, you probably know how much traffic you get every day. You purchase server resources sized for your average traffic and make sure your site is always fast. During your busy season, you scale up a bit to handle the increased traffic. Most webmasters understand that more traffic means more server resources are needed.
A common misconception among webmasters is that bandwidth equals network speed. For the purposes of a DDoS discussion, bandwidth is the amount of data that can be transferred over a period of time. Think of bandwidth as a water hose.
Only so much water fits through the hose. If you need to move more water in the same amount of time, you need a wider hose. Likewise, your web server can handle only so many transactions, and your link can carry only so much data. Those two limits, processing capacity and bandwidth, are the targets of a DDoS attack.
We're just focusing on web servers for simplicity, but DDoS attacks can target numerous services, including DNS, DHCP, chat rooms, and even printers.
Early days of DoS
Denial of service attacks are nothing new on the Internet. In the early days, a single person with one computer could cause a denial of service. In fact, the first recorded DoS attack happened in 1974 and was carried out by a 13-year-old Illinois student.
Early Internet services didn't need much computing power or bandwidth, and the resources we have now were not available then. Having 1,000 visitors per month was a lot, and a few thousand calls to a web server don't take much computing power.
As the Internet became more popular in the 1990s, a common DoS attack was the SYN flood. (The "smurf attack" of the same era, which bounced spoofed ICMP echo requests off broadcast addresses, is a different technique.) The SYN flood abuses the way a TCP connection is set up. When your browser connects to a server, the two sides first perform the TCP three-way handshake, sometimes called the "SYN-ACK handshake".

Your browser sends a SYN (synchronize) segment to the server. The server accepts the request and replies with a SYN-ACK (synchronize-acknowledge). After sending the SYN-ACK, the server waits for your response. Your browser then sends an ACK (acknowledgment) back to the server.
At that point a connection is established, because both sides have synchronized and acknowledged the handshake. Each knows the other exists, and once the handshake is complete, you and the server can transfer data.
The important part of this process is that the server waits for an ACK from the sender. What if the sender disappears, or the sender's IP address is fake? The SYN-ACK goes off into a void and nothing comes back. One or two such dropped connections are fine; a DoS occurs when there are thousands.

Note that the server ties up resources while it waits for that response. In a DoS attack, thousands of such requests are sent with spoofed sender IP addresses, so each SYN-ACK goes to an address that will never answer.
The server waits and waits as new requests keep arriving. More connections are queued in a half-open state, none of them ever completes, and the queue keeps growing. Eventually the server's connection table fills up and no resources are left for valid requests.
That was the heart of a successful old-school DoS attack: server resources were exhausted by spoofed packets sent from only one or a few computers.
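The handshake and the half-open exhaustion described above, as an added example that is not part of the original article: a toy model of a server that tracks half-open connections, a legitimate client that completes all three steps, and a flood of spoofed SYNs whose SYN-ACKs are never answered. The backlog size (128), the timeout (60 seconds), and the addresses are assumptions chosen for the demonstration; a real kernel retransmits the SYN-ACK several times before giving up.

```python
"""Added example, not from the original article: a toy model of the TCP
three-way handshake and of how spoofed SYNs exhaust a server's table of
half-open connections. Backlog size, timeout and addresses are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Server:
    backlog: int = 128            # assumed: max half-open connections it will track
    syn_timeout: float = 60.0     # assumed: seconds to keep waiting for the final ACK
    half_open: dict = field(default_factory=dict)   # (peer_ip, peer_port) -> SYN-ACK time
    established: set = field(default_factory=set)

    def _expire(self, now):
        """Drop half-open entries whose SYN-ACK was never answered in time."""
        for peer in [p for p, t in self.half_open.items() if now - t > self.syn_timeout]:
            del self.half_open[peer]

    def on_syn(self, peer, now):
        """Step 1: a SYN arrives. Reserve a half-open slot and answer with SYN-ACK."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                 # table full: the SYN is silently dropped
        self.half_open[peer] = now
        return "SYN-ACK"

    def on_ack(self, peer, now):
        """Step 3: the peer's ACK arrives; the connection becomes established."""
        if self.half_open.pop(peer, None) is None:
            return False                # no matching half-open entry
        self.established.add(peer)
        return True


def legitimate_connect(server, ip, now):
    """A real client completes all three steps, so its slot is freed right away."""
    peer = (ip, 40000)
    if server.on_syn(peer, now) is None:
        return False                    # the SYN was dropped: connection fails
    return server.on_ack(peer, now + 0.05)


def syn_flood(server, count, now):
    """Spoofed SYNs from addresses that never answer; returns how many were dropped."""
    dropped = 0
    for i in range(count):
        peer = (f"203.0.113.{i % 256}", 1024 + i)   # constructed, unique per packet
        if server.on_syn(peer, now) is None:
            dropped += 1
    return dropped


def simulate(backlog=128, flood_size=1000):
    """Connect before, during and after a flood; return what each client saw."""
    srv = Server(backlog=backlog)
    before = legitimate_connect(srv, "198.51.100.7", now=0.0)
    dropped = syn_flood(srv, flood_size, now=1.0)
    half_open_during = len(srv.half_open)
    during = legitimate_connect(srv, "198.51.100.8", now=2.0)
    # Once the half-open entries time out, the server recovers on its own,
    # unless the flood keeps refilling the table faster than it drains.
    after = legitimate_connect(srv, "198.51.100.9", now=2.0 + srv.syn_timeout + 1)
    return {"before": before, "during": during, "after": after,
            "half_open_during": half_open_during, "spoofed_dropped": dropped}


if __name__ == "__main__":
    print(simulate())
```

With the default values, the client that connects before the flood succeeds, the one that arrives while the table is full is refused, and the one that arrives after the timeout succeeds again. On Linux the size of this table is governed by `net.ipv4.tcp_max_syn_backlog`, and the standard defense, SYN cookies (`net.ipv4.tcp_syncookies`), lets the kernel answer SYNs without keeping a half-open entry at all.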
Advancing DDoS attacks
Old-school DoS attacks worked well for attackers as long as the server's resources were small enough to be overwhelmed by what a single computer could send. Against today's servers, the attacker's computer would run out of capacity long before the server did.
Web servers available today won't skip a beat if a single computer bombards them with thousands of requests. As usual, attackers found a way around the defenses and came up with a new way to deny service to a server: the distributed denial of service (DDoS) attack.
A DDoS works the same way as a DoS, but imagine the requests coming from thousands of computers around the world. Most robust web servers are built to handle tens of thousands of visitors browsing their pages each day, but what happens when all 10,000 (for example) hit the server at the same time? Even the most powerful server has a finite amount of resources and eventually falls over under the flood of requests.
A DDoS is much more complicated to mount than a DoS attack. First, the attacker needs more than just a local computer: malware is distributed to thousands of machines so that the attacker can control them. The goal is to control machines all around the world, so the victim cannot simply block a subset of IP ranges. Second, the attacker needs a central command-and-control application that tells those machines to flood the target's server with as many requests (SYNs, in the case of a SYN flood) as possible.
Return to the bandwidth "hose" for a moment. The host can transfer only so much data at once, and the more data there is to transfer, the longer it takes for all requests to travel from the spigot (your customers' browsers) to the server. If too much data floods the link, your customers get timeout errors. The attacker has successfully disrupted your business and your sales; a DDoS is an effective way for an unscrupulous competitor to take down your business.
How do you know that this is happening?
Having a competitor take down your business is a frightening proposition. Because a DDoS attack comes from hacked computers around the world, it is hard even to pinpoint when it is happening. Your first reaction might be, "How can I identify one, so I can protect my site?" Host providers have their own DDoS alerting, detection, and defenses, and those are often effective, but that is no reason to go without monitoring of your own. For a non-technical person, the only sign of an attack is serious performance trouble on the server; the server may even crash.
If you have the technical knowledge to look at the list of connections to your server, you will notice an unusually large number of connections, many of them stuck half-open (SYN-RECV), often hundreds or thousands from the same IP ranges on adjacent source port numbers. Your server may even start responding with a 503 error, meaning "Service Unavailable."
Your web host will likely know something is happening before you do, and may even call you. If you reboot the server, still have performance issues, and your site shows an unusually high number of connections, call your web host.
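A quick triage of the connection table, as an added example that is not part of the original article: it parses `ss -tan`-style output and flags the two signs described above, a large number of half-open (SYN-RECV) connections and many connections from one /24 on sequential source ports. The sample output is constructed, not captured from a real incident, and the thresholds (100 half-open connections, 200 per /24) are assumed values to be tuned against your own baseline.

```python
"""Added example, not from the original article: triage of `ss -tan` output
during a suspected SYN flood. Sample data is constructed; thresholds are
assumptions. IPv4 peers only."""
import ipaddress
from collections import Counter


def parse_ss(lines):
    """Return [(state, peer_ip, peer_port)] from `ss -tan` output; skips the header."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, peer = parts[0], parts[4]
        ip, port = peer.rsplit(":", 1)        # "a.b.c.d:port"
        conns.append((state, ip, int(port)))
    return conns


def summarize(conns):
    """Count connections per TCP state and per peer /24."""
    by_state = Counter(state for state, _, _ in conns)
    by_prefix = Counter(
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for _, ip, _ in conns
    )
    return by_state, by_prefix


def assess(conns, syn_recv_threshold=100, prefix_threshold=200):
    """Return (suspicious, findings). Thresholds are assumed values."""
    by_state, by_prefix = summarize(conns)
    findings = []
    half_open = by_state["SYN-RECV"]
    if half_open > syn_recv_threshold:
        findings.append(f"{half_open} half-open connections (possible SYN flood)")
    for prefix, n in by_prefix.most_common(3):
        if n <= prefix_threshold:
            continue
        net = ipaddress.ip_network(prefix)
        ports = sorted(port for _, ip, port in conns if ipaddress.ip_address(ip) in net)
        steps = [b - a for a, b in zip(ports, ports[1:])]
        # "sequential" if at least 90% of the gaps between sorted ports are exactly 1
        sequential = bool(steps) and steps.count(1) / len(steps) >= 0.9
        findings.append(f"{n} connections from {prefix}"
                        + (" on sequential source ports" if sequential else ""))
    return bool(findings), findings


def constructed_sample(flood_sources=300):
    """Constructed `ss -tan` output: a few normal visitors plus a flood."""
    lines = ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port"]
    normal = ["198.51.100.7", "198.51.100.23", "192.0.2.44", "192.0.2.91"]
    for i, ip in enumerate(normal):
        lines.append(f"ESTAB      0      0      10.0.0.5:443         {ip}:{40000 + i}")
    for i in range(flood_sources):
        src = f"203.0.113.{i % 250 + 1}:{50000 + i}"
        lines.append(f"SYN-RECV   0      0      10.0.0.5:443         {src}")
    return lines


if __name__ == "__main__":
    suspicious, findings = assess(parse_ss(constructed_sample()))
    print("suspicious:", suspicious)
    for f in findings:
        print(" -", f)
```

On a real host you would feed it `ss -tan` (or `netstat -tan`) output instead of the constructed sample. The per-/24 check is only a heuristic: a botnet spread across many networks will not trip it, which is why the half-open count on its own is the more reliable sign of a SYN flood.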
Is there any way to prevent a DDoS attack?
Cloud hosting is one way to absorb small attacks. A much more effective option is a proxy service such as CloudFlare. For larger sites that suffer more coordinated, strategic attacks, enterprise solutions such as Arbor, NSFocus, and Staminus are better suited.
These services have a large bandwidth capacity: they can absorb many gigabits per second of traffic, filter it, and pass only legitimate traffic on to your site. DDoS attacks can also be detected on firewalls and routers, but you are unlikely to have access to those. Your host does, and should be able to help defend against an attack. One blunt tool is null routing (blackholing): the host drops all traffic to your attacked IP address at its network edge, which takes your site offline, and then moves you to a new IP address or re-enables the old one once the attack stops.
Mitigating a DDoS attack takes some basic defenses, but it also takes support from your host. The best way to stop a DDoS attack is to put proper mitigation in place before it happens. Here is a summary of what you can do:
Use a proxy such as CloudFlare. CloudFlare sits in front of your server, absorbs UDP and ICMP floods so they never reach your origin, and detects SYN floods, DNS amplification, and Layer 7 attacks. This is sufficient for most small to medium-sized attacks.
If your site is a critical part of your infrastructure and revenue is severely affected by an attack, you can add more expensive filtering options such as NSFocus, Arbor, or Staminus. They cost more than CloudFlare, but they are built for high-level, large attacks.
Use a "null route" option. This requires access to the network infrastructure, so for most clients it is done only in collaboration with your host. Note that it temporarily takes the site down, so you will experience a short outage. However, it is an effective way to cut off an ongoing attack that keeps affecting your site's uptime when no preventative measures are in place.