
DDoS great and terrible

Did you know that, according to research by Arbor Networks, Verisign Inc. and some other companies:


What is DDoS, can it be dealt with, and how can you be forewarned? I will cover this briefly in this article.



What are you, DDoS?


All DDoS attacks can be divided into three large groups:


Specific types of attack are discussed below; for now, a short overview of the groups.

Volumetric attacks

This category is aimed at saturating bandwidth, so attack power is measured in bits per second. Various kinds of flood fall into it: UDP, ICMP and other streams of forged packets. Attack volumes grow every year: back in 2002, 400 Mbit/s seemed extraordinary, while today individual attacks exceed 100 Gbit/s and are capable of knocking smaller "pocket" data centers offline.

Practically the only way to deal with such attacks is filtering at the data-center level (if it offers such a service) or a specialized protection service. These have enough channel capacity and computing resources to absorb the volume and pass already-filtered traffic on to the user's server. Hardware protection can also be used to pick off the remnants of the parasitic traffic.

Protocol-level attacks

This category targets hardware limitations or weaknesses in various protocols. Such attacks clog the resources of the server or of intermediate equipment (firewalls, load balancers, etc.) with parasitic packets, so that the systems can no longer process legitimate ones. Attack power is measured in packets per second. This category includes SYN flood, Ping of Death, fragmented-packet attacks and others.

At this level hardware protection becomes considerably more effective. Algorithms specially designed by the makers of such devices help sort and filter traffic. Naturally, no algorithm is perfect: some parasitic traffic still gets through to you, and some legitimate traffic may be lost. Third-party filtering services can also be quite effective.

Attacks at the application level

As the name implies, these attacks target vulnerabilities in applications and operating systems (Apache, Windows, OpenBSD, etc.). They render a particular application, or the OS as a whole, inoperable. Among them: Slowloris, zero-day attacks and others. As a rule, such attacks consist of outwardly innocent requests and still "bring down" the web server. Intensity is measured in requests per second.

This type of attack is the most "deadly". Such attacks are extremely narrowly targeted, so they can cause very serious problems at a low cost in the attacker's resources. Over the past 3-4 years this type has become predominant, and a simple flood of HTTP GET requests is one of the most common.

In addition to the external services and hardware protection mentioned above, you can add software that analyzes requests and builds firewall rules from the results of that analysis.

A bit more detail


There are many types of DDoS attack, each with its own signature and its own countermeasures. Not every attack can be weakened or beaten; sometimes it makes no sense to try, and it is easier to wait it out, sadly counting the losses. It is impossible to describe in detail the countermeasures for each type; books could be written and dissertations defended on the subject. Still, I will try to describe the essence of the most common types and the basic principles of countering them.



UDP flood

This attack uses the simplest protocol, UDP. Its distinguishing features are that no session needs to be established and no reply is expected. An endless stream of packets arrives at random ports of the target host, forcing it to check each time whether some application is listening on that port and, if not, to return an ICMP Destination Unreachable packet. Naturally, this activity eats the host's resources and makes it unavailable. One of the simplest partial defenses is to block UDP traffic (if your application does not need it, of course). Against larger attacks, hardware protection and filtering networks are what help.

ICMP flood

Similar to UDP flood. Ping requests are sent to the target host at the maximum rate, forcing it to send echo replies. An innocent tool for checking the availability of a network node turns into a malicious eater of system resources. That is why some system administrators block ICMP requests entirely at the firewall. The server or other network equipment will be perfectly reachable, but you will not be able to ping it. Bear in mind that dropping all ICMP also drops the "fragmentation needed" messages that path MTU discovery depends on, so rate-limiting echo requests is usually preferable to blocking ICMP wholesale.
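Both the UDP flood and the ICMP flood above hurt because the host answers every packet (an ICMP unreachable, an echo reply). Linux caps those answers globally with the `net.ipv4.icmp_ratelimit` sysctl; the following is an added example, not code from the article, of the same idea done per source address with a token bucket, so that a flooder is throttled while a legitimate monitoring host still gets every reply. The addresses and the packet stream are constructed for the demonstration, and the `max_sources` cap is there because a spoofed flood would otherwise grow the per-source table without bound.

```python
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, at most `burst` stored."""
    rate: float
    burst: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerSourceLimiter:
    """Rate-limits replies (echo replies, ICMP unreachables) per source address.

    `max_sources` bounds the table: a spoofed flood would otherwise grow it
    without limit and make the limiter itself the exhausted resource. Once the
    table is full, unknown sources share one bucket.
    """

    def __init__(self, rate: float, burst: float, max_sources: int = 10_000):
        self.rate, self.burst, self.max_sources = rate, burst, max_sources
        self.buckets = {}
        self.shared = TokenBucket(rate, burst, burst, 0.0)

    def allow(self, src: str, now: float) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:
            if len(self.buckets) >= self.max_sources:
                return self.shared.allow(now)
            bucket = TokenBucket(self.rate, self.burst, self.burst, now)
            self.buckets[src] = bucket
        return bucket.allow(now)


def run_stream(packets, rate=10.0, burst=20.0):
    """Feed (timestamp, source) pairs through the limiter; return, per source,
    how many packets were answered and how many were dropped."""
    limiter = PerSourceLimiter(rate, burst)
    stats = {}
    for ts, src in packets:
        answered, dropped = stats.get(src, (0, 0))
        if limiter.allow(src, ts):
            answered += 1
        else:
            dropped += 1
        stats[src] = (answered, dropped)
    return stats


# Constructed traffic (documentation addresses, not real hosts): a flooder sends
# 1000 pings within one second; a monitoring host sends 5 pings 0.2 s apart.
FLOODER, MONITOR = "203.0.113.5", "198.51.100.7"
SAMPLE = sorted(
    [(i / 1000.0, FLOODER) for i in range(1000)]
    + [(0.1 + 0.2 * i, MONITOR) for i in range(5)]
)

if __name__ == "__main__":
    for src, (ok, dropped) in run_stream(SAMPLE).items():
        print(f"{src:15} answered={ok:4d} dropped={dropped:4d}")
```

With a burst of 20 and a refill of 10 per second the flooder gets roughly 30 replies out of 1000 and the monitoring host gets all five; the dropped requests cost the host nothing beyond the lookup.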

SYN flood

This attack exploits one of the basic principles of TCP, the three-way handshake. The machine initiating the connection sends a SYN packet to the target host. The host responds with a SYN-ACK packet, to which the initiator must reply with an ACK packet. In a SYN flood the ACK is never sent (the source address is usually spoofed, so the SYN-ACK goes to a host that never asked for it), and the half-open connection sits in the backlog until it times out. Since the number of connections a host can keep half-open at once is limited, saturation sooner or later means it can no longer process legitimate ones.
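The standard answer to the backlog problem, which the article does not mention, is SYN cookies (Linux: `net.ipv4.tcp_syncookies`): the server encodes everything it needs into the initial sequence number of its SYN-ACK and keeps no state at all until the final ACK proves the client is real. The following is an added example, not the kernel's implementation, of that scheme in simplified form: a 5-bit time counter, a 3-bit index into an assumed MSS table, and a 24-bit keyed hash of the 4-tuple, all added to the client's ISN. `SECRET` and `MSS_TABLE` are assumptions; the addresses in the test are documentation ranges.

```python
import hashlib
import hmac
import struct

# Assumed: a random secret generated at boot (real kernels rotate it).
SECRET = b"replace-with-32-random-bytes-at-boot"

# Assumed MSS table (8 entries so the index fits in 3 bits); the client's MSS is
# rounded down to the nearest entry because the cookie has no room for it exactly.
MSS_TABLE = (536, 1220, 1300, 1440, 1452, 1460, 4096, 8960)


def _mac(key, src, dst, sport, dport, count):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    data = struct.pack(">4s4sHHI", src, dst, sport, dport, count)
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _counter(now):
    # 5-bit counter that advances every 64 s; cookies expire after two windows.
    return (int(now) // 64) & 0x1F


def make_cookie(key, src, dst, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits MAC,
    added to the client's ISN so the value looks like any other ISN."""
    count = _counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    value = (count << 27) | (mss_idx << 24) | _mac(key, src, dst, sport, dport, count)
    return (client_isn + value) & 0xFFFFFFFF


def check_cookie(key, src, dst, sport, dport, client_isn, cookie, now):
    """Return the negotiated MSS if the cookie is genuine and fresh, else None."""
    value = (cookie - client_isn) & 0xFFFFFFFF
    count = value >> 27
    mss_idx = (value >> 24) & 0x7
    if ((_counter(now) - count) & 0x1F) > 1:          # older than the previous window
        return None
    if (value & 0xFFFFFF) != _mac(key, src, dst, sport, dport, count):
        return None
    return MSS_TABLE[mss_idx]


def handle_syn(src, dst, sport, dport, seq, mss, now):
    """Server side of the SYN: answer with a SYN-ACK and keep no state."""
    isn = make_cookie(SECRET, src, dst, sport, dport, seq, mss, now)
    return {"flags": "SYN-ACK", "seq": isn, "ack": (seq + 1) & 0xFFFFFFFF}


def handle_ack(src, dst, sport, dport, seq, ack, now):
    """Server side of the final ACK: rebuild the connection from the cookie alone."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    mss = check_cookie(SECRET, src, dst, sport, dport, client_isn, cookie, now)
    if mss is None:
        return None
    return {"peer": (src, sport), "mss": mss}
```

A flood of spoofed SYNs now costs the server one hash per packet and no memory; a forged or stale ACK is rejected because the attacker cannot produce the MAC. The price is that TCP options which do not fit in the cookie (window scaling, SACK) are lost unless carried in TCP timestamps, which is why kernels only switch to cookies once the backlog is actually full.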

MAC flood

A fairly exotic attack, aimed mainly at network equipment. The attacker sends empty Ethernet frames with different source MAC addresses. The switch treats each as a separate host and reserves an entry in its MAC address table for each. When the table is exhausted the switch may stop responding, and in some cases it falls back to flooding every frame out of all ports like a hub, which also lets the attacker sniff traffic passing through it.

Ping of death

This family goes under different names: Ping of Death, Teardrop and some others. Today it is no longer much of a threat, but in earlier times things were different. The maximum size of an IP packet is 65535 bytes. In transit, however, a packet is split into fragments that fit the MTU of the link. By manipulating the fragments' offsets and lengths it is possible to make the reassembled packet exceed the maximum size, or to make the fragments overlap. This can overflow the allocated buffer and deny service to other packets.
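The fix was never clever filtering, only bounds checking during reassembly. The following is an added example, not code from the article or any real IP stack, of a simplified reassembler that rejects the two fragment shapes described above: a fragment whose offset plus length exceeds what the 16-bit length field can hold (Ping of Death) and a fragment that overlaps one already received (Teardrop). The fragments at the bottom are constructed for the demonstration.

```python
MAX_IP_PAYLOAD = 65535 - 20   # 16-bit total length minus a minimal IP header


class FragmentError(ValueError):
    """Raised for fragments that a hardened stack should discard."""


class Reassembler:
    """Simplified IP fragment reassembly with the bounds and overlap checks
    whose absence made Ping of Death and Teardrop possible."""

    def __init__(self):
        self.groups = {}   # datagram id -> {"parts": {start: payload}, "total": int | None}

    def add(self, ident, offset, more_fragments, payload):
        start = offset * 8            # the offset field counts 8-byte units
        end = start + len(payload)
        if end > MAX_IP_PAYLOAD:
            # Ping of Death: offset + length beyond what a 16-bit length can describe.
            self.groups.pop(ident, None)
            raise FragmentError(f"datagram {ident}: fragment ends at {end}, over the 65535-byte limit")
        if more_fragments and len(payload) % 8:
            raise FragmentError(f"datagram {ident}: non-final fragment length must be a multiple of 8")
        group = self.groups.setdefault(ident, {"parts": {}, "total": None})
        for other_start, other in group["parts"].items():
            if start < other_start + len(other) and other_start < end:
                # Teardrop: overlapping ranges; naive code computes a negative length here.
                self.groups.pop(ident)
                raise FragmentError(f"datagram {ident}: fragment [{start},{end}) overlaps an earlier one")
        group["parts"][start] = payload
        if not more_fragments:
            group["total"] = end
        return self._complete(ident)

    def _complete(self, ident):
        group = self.groups[ident]
        if group["total"] is None:
            return None
        data, pos = bytearray(), 0
        for s in sorted(group["parts"]):
            if s != pos:
                return None           # hole: still waiting for a fragment
            data += group["parts"][s]
            pos += len(group["parts"][s])
        if pos != group["total"]:
            return None
        del self.groups[ident]
        return bytes(data)


def reassemble(fragments):
    """Feed (id, offset, more_fragments, payload) tuples; return the completed
    datagrams and the error messages of the rejected fragments."""
    r, done, rejected = Reassembler(), [], []
    for frag in fragments:
        try:
            result = r.add(*frag)
        except FragmentError as e:
            rejected.append(str(e))
            continue
        if result is not None:
            done.append(result)
    return done, rejected


# Constructed fragments: a normal two-fragment datagram, a Ping-of-Death
# fragment (offset 8190 * 8 = 65520, plus 100 bytes) and a Teardrop pair.
SAMPLE = [
    (1, 0, True, b"A" * 16), (1, 2, False, b"B" * 8),
    (2, 8190, False, b"X" * 100),
    (3, 0, True, b"C" * 24), (3, 1, True, b"D" * 8), (3, 4, False, b"E" * 4),
]
```

A real stack also needs a per-datagram timer and a global memory cap for incomplete groups, otherwise an attacker simply sends first fragments that are never completed and exhausts the reassembly buffer instead.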

Slowloris

A particularly sophisticated and narrowly specialized attack that lets relatively small resources (a single server is enough) bring down a web server without affecting other protocols. The attacking host opens as many HTTP connections as possible and keeps them open as long as possible by sending partial requests a few bytes at a time. The attacked server's limit of simultaneous connections is exhausted very quickly and it stops accepting legitimate requests. The remedy is to detect and close such dragged-out connections: a timeout on receiving the complete request headers and a cap on concurrent unfinished connections per IP.
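The two checks just named are what Apache's mod_reqtimeout and nginx's `client_header_timeout` enforce. The following is an added example, not code from the article or from either server, of the same triage over a snapshot of open connections: a request whose header block has not been terminated by an empty line within the timeout is closed, and an IP holding more than a handful of such unfinished requests is blocked. The connections and addresses are constructed for the demonstration.

```python
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"   # an HTTP request's header block ends with an empty line


@dataclass(eq=False)
class Conn:
    ip: str
    opened_at: float      # seconds
    buf: bytes            # bytes received so far on this connection


def headers_complete(buf: bytes) -> bool:
    return HEADER_END in buf


def triage(conns, now, header_timeout=20.0, max_pending_per_ip=10):
    """Return (connections to close, IPs to block).

    A connection that has not finished its request headers within
    `header_timeout` seconds is closed. An IP holding more than
    `max_pending_per_ip` unfinished connections is blocked outright, since a
    browser never keeps that many requests half-sent at once.
    """
    pending = {}   # ip -> number of unfinished connections
    to_close = []
    for c in conns:
        if headers_complete(c.buf):
            continue
        pending[c.ip] = pending.get(c.ip, 0) + 1
        if now - c.opened_at > header_timeout:
            to_close.append(c)
    to_block = sorted(ip for ip, n in pending.items() if n > max_pending_per_ip)
    closing = {id(c) for c in to_close}
    for c in conns:                      # everything from a blocked IP goes too
        if c.ip in to_block and id(c) not in closing:
            to_close.append(c)
    return to_close, to_block


# Constructed snapshot: an attacker with 50 dragged-out connections, one slow
# but honest client still inside the timeout, and a browser that sent complete
# requests for a page and its assets.
ATTACKER, SLOW_CLIENT, BROWSER = "203.0.113.5", "198.51.100.20", "198.51.100.7"
PARTIAL = b"GET / HTTP/1.1\r\nHost: victim.example\r\nX-a: 1\r\n"    # no terminating empty line
FULL = b"GET / HTTP/1.1\r\nHost: victim.example\r\n\r\n"
NOW = 1000.0
SAMPLE = (
    [Conn(ATTACKER, NOW - 60 - i, PARTIAL + b"X-b: %d\r\n" % i) for i in range(50)]
    + [Conn(SLOW_CLIENT, NOW - 12, PARTIAL)]
    + [Conn(BROWSER, NOW - 1 - i * 0.1, FULL) for i in range(6)]
)
```

The per-IP cap is what separates the attacker from a merely slow client: fifteen seconds later the slow client's single connection is also closed for exceeding the timeout, but its IP is not blocked, which is the false-positive trade-off the article warns about.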

Reflected attacks

In this type, packets with a spoofed source IP are sent to as many machines as possible. The machines' replies all converge on the victim's IP and overload its server. A common example is the abuse of misconfigured (openly recursive) DNS servers. Small queries are sent to the DNS servers, ostensibly from the victim's IP. The server's response is on average about 10 times the size of the request, so an attacking server emitting 100 Mbit/s of bogus queries can bring down on the target parasitic traffic on the order of a gigabit.

Service degradation

The essence of this type is a mass imitation of the actions of a real audience. The most primitive variant is frequent requests to the same page of the site; it is treated by temporarily blocking the page and returning an error message. More sophisticated attack tools walk randomly through your site, requesting not only the HTML document but also all the accompanying images, scripts and style sheets. As a result the zombie machines exhaust the server's resources and the service degrades (in plain language, it "crawls").

The general principle of the fight is behavioral analysis and screening of suspicious IPs at the firewall. For example, an elevated request frequency, the same route through the site repeated from different IPs, or requests for HTML documents only (without the assets a browser would fetch) look suspicious and point to IPs that should be blocked. However, the more elaborate the attacking program's algorithm, the harder it is to tell the parasitic traffic apart, and the more false positives lock real users out of the resource. Not everyone is willing to put up with that.
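The three signs just listed (request rate, HTML-only requests, a route shared by several IPs) can be checked straight from the web server's access log before any firewall rule is written. The following is an added example, not code from the article, that parses combined-format log lines and reports per-IP reasons; the thresholds are assumptions to be tuned against your own baseline, and the log lines are constructed for the demonstration (three bots walking the same four pages, one real visitor loading a page with its assets).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; referrer and user-agent are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff2")


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"]


def analyse(lines, max_rps=2.0, min_requests=8, min_shared_ips=3, route_len=4):
    """Return {ip: [reasons]} for clients whose behaviour shows the signs above."""
    by_ip = defaultdict(list)
    for ip, ts, path in parse(lines):
        by_ip[ip].append((ts, path))

    reasons = defaultdict(list)
    route_owners = defaultdict(set)     # first `route_len` paths -> IPs that walked them
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r[0])   # stable: keeps log order within one second
        span = max((reqs[-1][0] - reqs[0][0]).total_seconds(), 1.0)
        rate = len(reqs) / span
        if rate > max_rps:
            reasons[ip].append(f"{rate:.1f} req/s over {span:.0f} s")
        html_only = not any(p.lower().endswith(ASSET_SUFFIXES) for _, p in reqs)
        if len(reqs) >= min_requests and html_only:
            reasons[ip].append("requests html documents only, never their assets")
        route_owners[tuple(p for _, p in reqs[:route_len])].add(ip)

    for route, ips in route_owners.items():
        if len(ips) >= min_shared_ips:
            for ip in ips:
                reasons[ip].append(f"route {' > '.join(route)} shared with {len(ips) - 1} other IPs")
    return dict(reasons)


def _line(ip, second, path):
    """Build one constructed combined-format log line."""
    ts = datetime(2023, 10, 10, 10, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed log: three bots cycle the same four pages three times within four
# seconds; one real visitor loads a page and its assets over twenty seconds.
BOTS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
VISITOR = "198.51.100.7"
SAMPLE_LOG = [
    _line(bot, i // 3, path)
    for bot in BOTS
    for i, path in enumerate(["/", "/about", "/products", "/contact"] * 3)
] + [
    _line(VISITOR, s, p)
    for s, p in [(0, "/"), (1, "/style.css"), (1, "/app.js"), (2, "/logo.png"), (15, "/about"), (20, "/style.css")]
]

if __name__ == "__main__":
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Each bot trips all three signs while the visitor trips none. In production the same function should be run over a sliding window and the output fed to an allowlist check (the key clients the article says to whitelist) before any IP is dropped at the firewall, since a shared NAT address or a corporate proxy can legitimately look like several users walking the same route.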

Unintended DDoS

Strictly speaking, this cannot be called an attack. This kind of DDoS happens when a link to a site lands, say, on a top news site or a popular blog, causing a sharp surge of traffic the site is not ready for. A well-known example in narrow circles is the habraeffekt (the Habr effect). There is no need to fight it; rather, be glad your site is growing. Well, and it is time to think about an upgrade.

Zero day attack

This type covers attacks being seen for the first time. As with new viruses, new bacteria and new parasites, it takes time to analyze the attack and find an effective remedy.

Multi-vector attacks

The hardest type. The attacker combines several different attack types and tools, which greatly complicates, or even makes impossible, identifying the components and choosing countermeasures.

How accessible is it?


Immensely accessible. There are many freely available DDoS applications on the Internet today. Some use attack mechanisms that are hard to counter; others let all their users join a voluntary botnet, so that each can use other people's resources for their own attacks and lend their own in return. Even this seemingly amateurish kind of attack can be hard for well-prepared commercial systems to withstand.

Another way is to rent botnet resources. The Internet is full of services offering this at very symbolic prices: from $5 per hour, from $40 per day. For such, one might say, ridiculous money you can easily "order" your e-commerce competitors and inflict far more substantial losses on them.



Why is it done?


I think everyone knows the answer. The most common motive is unfair competition. The range of attacked sites and resources is extremely wide: today it is not only financial institutions, gaming sites and online stores; there have been attacks even on government sites and pizza delivery services.

The wide availability of attack tools is gradually moving them from the category of purely economic weapons into wider use: ideological struggle, popular protest, revenge by an aggrieved customer for bad service, and plain Internet vandalism. Personally, I still find this hard to believe, but some reports claim that in recent years ideological hacktivism and Internet vandalism have topped the list, pushing competition down to lower positions.



How to live with it?


Together with our clients we have repeatedly run into DDoS of various kinds and sizes. Some attacks were handled with a proper firewall configuration on the server, others required hardware or external filtering. It has happened that the data center simply null-routed the IP, because the incoming traffic volume suddenly exceeded not only the server's uplink but that of the whole rack. As a server rental provider, we preach the policy that the user, and only the user, is the party chiefly interested in the safety and availability of their data. So backups, timely patching of security holes in software, and having an agreement with a DDoS protection service are the sacred duties of anyone running a project.

Still, we are happy to share some recommendations we consider useful. If your project belongs to the categories of resources most often under attack, you should think in good time about a few simple and obvious, but often ignored, steps that will help you, if not protect yourself from attacks, then at least reduce their negative impact.

Know your network. Every service has characteristic features of network usage: traffic types and volumes, the daily curve, and so on. For example, adult sites show a smooth rise in traffic in the evening with a gradual decline after midnight, plus a small peak during the lunch break. Do not be lazy: study your normal profile and monitor the current picture regularly. Attacks rarely start at the flick of a switch; more often they come in like a wave. It begins with a small rise in activity that soon starts to grow rapidly. If you can catch the beginning of the wave, you will have a chance to act in advance.

Know who to contact. You should know clearly who to turn to when you are already under attack or feel it approaching. This may be an internal security department, a remote employee, a data-center engineer, a protection service, etc. Digging through search results, skimming reviews, ringing up or writing to representatives of various services is the last thing you need when trouble has already arrived. While you are still choosing a contractor, the attack may resolve itself, and the question of guaranteed help will again be postponed until the next crisis. And so on ad infinitum.
Work out an action plan. Despite the spontaneity characteristic of the Slavic soul, critical business processes should be standardized and documented wherever possible. Having the contact of a "rescue service" is important, but your staff need to know how to interact with it correctly and efficiently. If two or three people are involved in the project, you can simply talk through the sequence of actions. But if you have a large enough staff, with round-the-clock network operators on duty, it is best to have short step-by-step instructions written on paper and hung next to the fire evacuation plan. At the moment of an attack, the employee on shift may be poorly qualified or have no practical experience in solving such a problem, and it is important that he does not have to think hard and hunt for a solution.

Hold "fire drills". This point is especially relevant if you have a large enough and critical application. Factories (and not only factories) periodically run evacuation drills for fire and other natural disasters. DDoS is also a kind of natural disaster. Why not periodically check how critical situations are handled? This reinforces skills and reveals weaknesses in the procedures. Adjusting for our mentality, it is also necessary to present these drills to the staff correctly, so that they are not perceived as "yet another corporate farce".

Know what to block. Every service has a certain set of basic ports it needs to operate. Deny everything unnecessary on the firewall in advance; this narrows the attack surface. If you have a specific list of key clients, take care to add their addresses to a predefined whitelist so that their requests are not cut off during an attack.

Know where to block. Block traffic on the firewall or on the router? Connect hardware DDoS protection or an external traffic-filtering service? If you have chosen not to hand protection over entirely to third-party services but to do basic diagnostics and solve at least some problems yourself, do not forget to write the diagnostic procedures and the rules of action for particular situations into the response plan. This spares you trial and error at a moment when there is no time for it at all.

As I have already said, these steps are no panacea, but they will help minimize downtime and losses. I would appreciate any additions and recommendations from personal practice.

Clean channels to you.

Source: https://habr.com/ru/post/233903/
