
Over the past months the victims of DDoS attacks have included many Russian companies whose online services are critical to their business, among them online stores, media outlets and financial institutions. DDoS attacks are growing in popularity and have become commonplace in online business.
For those not familiar with them, we have prepared a brief overview of distributed denial-of-service attacks.
The purpose of a DDoS attack is to block access to an online resource for some time by overloading its network channel or its servers with "garbage" requests, so that the business incurs significant financial and reputational losses. The situation is aggravated by the fact that almost anyone can organize a DDoS attack today: its cost is low, and the contacts of people who will carry it out can be found with a search engine. Such accessibility and ease of organization threaten virtually any company that has detractors; how many companies are hit varies with their geography and line of business. Even when attackers fail to cut users off from a company's information resources completely, partial unavailability is a serious problem in itself. Many organizations still do not consider DDoS a serious threat, yet the unavailable site and the failed transactions are only the tip of the iceberg. Where a break-in lets attackers steal customer data and confidential information, a DDoS attack causes loss of reputation, the departure of existing customers, or claims for services not rendered.
What we mean by a DDoS attack:
- DoS attack (Denial of Service): an attack aimed at denying service from a resource or channel;
- DDoS attack (Distributed Denial of Service): a DoS attack carried out at the same time from many sources.
DDoS attacks can be divided into three broad groups:
- Attacks on the channel: this category aims at saturating the bandwidth of the link. Hundreds of thousands of bots are usually used.
- Protocol-level attacks: this category aims at the resource limits of network equipment (connection and state tables) or at weaknesses of particular protocols. Tens of thousands of bots are usually used.
- Application-level attacks (layer 7): these aim at weaknesses in applications and operating systems and render a particular application, or the OS as a whole, inoperable. Hundreds of bots are usually enough.
Consider the main types of DDoS attacks:
ICMP flood (Smurf attack). The attacker sends an ICMP echo request (ping) to the broadcast address of a network, with the source address forged to be the victim's rather than the attacker's. Every node on that network answers the ping, and all the replies land on the victim.
UDP flood. This type of attack uses the UDP protocol, whose characteristic features are that no session needs to be established and no reply is expected. A large number of packets arrive at random ports of the target host, forcing it each time to check whether any application is listening on that port and, if none is, to return an ICMP Destination Unreachable packet. Naturally, this activity consumes the host's resources and leads to its unavailability.
SYN flood. This attack tries to open a large number of TCP connections at once by sending SYN packets with forged, non-existent source addresses. The server answers each SYN with a SYN-ACK to the forged address, which never replies; it retransmits the SYN-ACK several times and only after the n-th attempt drops the half-open connection. Until then the half-open connection occupies a slot in the listen queue (backlog). Since the flow of SYN packets is very large, the queue soon fills up and the kernel refuses to open any new connection, legitimate ones included.
HTTP flood. The attacker sends small HTTP requests that force the server to do far more work, and send far more data in reply, than the requests cost to send. This asymmetry gives the attacker a good chance of saturating the victim's bandwidth or exhausting its server resources and causing a denial of service.
Reflected DDoS attack with amplification. This attack is based on UDP, which is used by many important Internet services, in particular DNS (the well-known Domain Name System) and NTP (the less well-known Network Time Protocol); today other UDP services, including streaming services, are being abused as well. What matters most here is that there is no "handshake": the service does not verify the sender's address, so anyone can send a UDP packet in anyone else's name (IP address). The attacker therefore sends a request to the service (usually DNS or NTP) on behalf of the victim, i.e. with the victim's source IP, and the service sends its reply not to the attacker's address but to the victim's. That is why the attack is called "reflection". By itself this would not be enough for a successful DoS attack; the name also contains the word "amplification". DNS and NTP have a property that is pleasant for the attacker: a multiplier. It looks like this: the attacker sends a 1 KB request to the DNS or NTP server in the victim's name, and the DNS or NTP server answers to the victim's address with a reply N times larger. That is the amplification mentioned at the very beginning, and the name "reflected amplified DDoS attack" describes the technical essence of the phenomenon quite accurately.
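An added example, not from the original article, showing how reflected traffic looks from the victim's side and how it can be separated from legitimate replies: inbound UDP from a DNS or NTP server port that no host of ours queried within the preceding window is reflected, since a real reply always follows a request of our own. The flow records, the protected prefix 192.0.2.0/24, the 5-second query window and the reflector addresses are constructed assumptions; in practice the records would come from NetFlow/sFlow or a capture.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One UDP datagram as it would appear in a flow record (constructed data)."""
    t: float
    src: str
    dst: str
    sport: int
    dport: int
    size: int     # bytes on the wire


OUR_PREFIX = "192.0.2."                  # assumed: the protected network
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}
QUERY_WINDOW = 5.0                       # assumed: a reply later than this is not ours


def unsolicited_replies(flows):
    """Inbound UDP from a DNS/NTP server port for which no matching outbound
    query left our network in the preceding window. Solicited replies are left
    out of the result; everything that remains is reflected traffic aimed at us."""
    sent = defaultdict(list)   # (our host, server, server port) -> times we queried it
    findings = []
    for f in sorted(flows, key=lambda flow: flow.t):
        if f.src.startswith(OUR_PREFIX) and f.dport in REFLECTOR_PORTS:
            sent[(f.src, f.dst, f.dport)].append(f.t)
        elif f.dst.startswith(OUR_PREFIX) and f.sport in REFLECTOR_PORTS:
            ours = sent[(f.dst, f.src, f.sport)]
            if not any(f.t - QUERY_WINDOW <= q <= f.t for q in ours):
                findings.append(f)
    return findings


def summarize(findings):
    """Bytes received and number of distinct reflectors, per abused service."""
    by_service = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in findings:
        entry = by_service[REFLECTOR_PORTS[f.sport]]
        entry["bytes"] += f.size
        entry["reflectors"].add(f.src)
    return {svc: {"bytes": e["bytes"], "reflectors": len(e["reflectors"])}
            for svc, e in by_service.items()}


def amplification(query_size, reply_size):
    """Bandwidth amplification factor the attacker gets from one reflector:
    bytes delivered to the victim per byte the attacker had to send."""
    return reply_size / query_size


def build_flows():
    """Constructed flows: our resolver makes one legitimate DNS query and gets a
    reply; then the victim 192.0.2.7, which asked nobody anything, receives large
    replies from 20 DNS servers and 10 NTP servers whose requests carried its
    forged source address."""
    flows = [Flow(1.00, "192.0.2.53", "203.0.113.1", 50000, 53, 64),
             Flow(1.02, "203.0.113.1", "192.0.2.53", 53, 50000, 180)]
    for i in range(20):
        flows.append(Flow(10 + i * 0.01, f"203.0.113.{100 + i}", "192.0.2.7", 53, 33333, 3000))
    for i in range(10):
        flows.append(Flow(10 + i * 0.01, f"203.0.113.{200 + i}", "192.0.2.7", 123, 123, 4000))
    return flows


if __name__ == "__main__":
    hits = unsolicited_replies(build_flows())
    print(summarize(hits))
    print("amplification of a 64-byte query answered with 3000 bytes:", amplification(64, 3000))
```

The reflectors in the findings are not the attacker's machines but ordinary public servers; blocking them individually is pointless, which is why the practical responses are filtering on the source port at the edge, rate-limiting large UDP replies, and, on the side of the networks the attacker sends from, ingress filtering of forged source addresses (BCP 38) so the spoofed requests never leave.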
Slow HTTP POST. The attack consists of sending the server a large HTTP POST request in very small pieces (1 byte each). Under the standard the HTTP server must wait for the whole body to arrive, i.e. until it has received the number of bytes declared in Content-Length, and may close the connection only after a timeout. With many such slow connections the attacked server ends up holding a huge number of open connections and spending its resources catastrophically (first of all the file descriptors open in the system). From the attacker's point of view the advantages are that it requires no large traffic volume and is rather hard to detect.
Slow HTTP headers. This is similar to the Slow HTTP POST method, except that instead of the body of a POST request the HTTP headers are sent slowly. As with Slow POST, the server waits for the end of the headers before closing the connection, which leads to a large number of open connections and, consequently, to server overload. It is hard to tell such DDoS attacks apart from ordinary requests coming over a slow connection.
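An added example (not code from the original article) of the defence that both the slow-body and the slow-header attacks call for: instead of an idle timeout, which every trickled byte resets, each request phase gets a deadline that is extended only in proportion to the bytes actually received, so a connection that sends a byte a second runs out of time while a genuinely slow but steady upload does not. The class models the semantics of Apache's mod_reqtimeout directive (initial allowance, minimum rate, optional cap); it is a stand-alone illustration, not that module, and the numbers (20 s initial, 500 bytes per second, 40 s header cap) and the four client behaviours are assumptions.

```python
class RequestReadTimeout:
    """Per-connection deadlines for reading an HTTP request. Each phase starts
    with an initial allowance; every byte received earns 1/min_rate seconds
    more, up to an optional cap. A client that trickles a byte every few
    seconds never earns enough time and is dropped, whereas an idle timeout
    alone would be reset by each byte and keep the connection open forever."""

    def __init__(self, header=(20.0, 40.0), body=(20.0, None), min_rate=500.0):
        self.limits = {"header": header, "body": body}   # (initial seconds, cap or None)
        self.min_rate = min_rate
        self.phase = None

    def _enter(self, phase, now):
        initial, cap = self.limits[phase]
        self.phase = phase
        self.deadline = now + initial
        self.cap = None if cap is None else now + cap
        self.buf = b""

    def poll(self, now):
        """Called by a timer when no data has arrived; 'drop:...' means close the socket."""
        if self.phase is None:
            self._enter("header", now)
        if now > self.deadline:
            return f"drop:{self.phase}_timeout"
        return "continue"

    def feed(self, data, now):
        """Called with each chunk read from the socket; returns 'continue',
        'complete' or 'drop:<phase>_timeout'."""
        status = self.poll(now)
        if status != "continue":
            return status
        self.deadline += len(data) / self.min_rate       # credit for bytes received
        if self.cap is not None:
            self.deadline = min(self.deadline, self.cap)
        if self.phase == "header":
            self.buf += data
            head, sep, rest = self.buf.partition(b"\r\n\r\n")
            if not sep:
                return "continue"                        # header block still incomplete
            self.content_length = 0
            for line in head.split(b"\r\n"):
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    self.content_length = int(value.strip())
            self._enter("body", now)                     # body phase gets its own deadline
            self.body_received = len(rest)
        else:
            self.body_received += len(data)              # body bytes are streamed, not buffered
        return "complete" if self.body_received >= self.content_length else "continue"


def run(events):
    """Drive one connection through (time, chunk-or-None) events; return the first
    terminal status, or 'continue' if the request is still pending at the end."""
    guard = RequestReadTimeout()
    for t, chunk in events:
        status = guard.poll(t) if chunk is None else guard.feed(chunk, t)
        if status != "continue":
            return status
    return "continue"


# Constructed client behaviours (times are seconds since the connection opened).
HEADERS = b"POST /upload HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 1000000\r\n\r\n"

def normal_post():
    return [(0.0, b"POST /api HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n\r\n"),
            (0.1, b"hello")]

def slow_headers():            # one header byte per second, never finishing the header block
    return [(float(i), b"X") for i in range(30)] + [(30.5, None)]

def slow_post():               # headers promise 1 MB, then one body byte per second
    return [(0.0, HEADERS)] + [(float(i), b"x") for i in range(1, 30)] + [(30.5, None)]

def slow_but_honest_upload():  # 1 MB at 4 KB/s: above min_rate, so it is allowed to finish
    return [(0.0, HEADERS)] + [(0.5 * (i + 1), b"x" * 2000) for i in range(500)]


if __name__ == "__main__":
    for scenario in (normal_post, slow_headers, slow_post, slow_but_honest_upload):
        print(f"{scenario.__name__:24s} -> {run(scenario())}")
```

The two slow clients are cut off about 21 seconds in, having held the connection for 20 bytes, while the honest 250-second upload completes because each 2 KB chunk buys it four more seconds. Nginx exposes the same idea through client_header_timeout and client_body_timeout, and a reverse proxy in front of the application is where these limits belong, so that the slow connections never reach the application's worker pool at all.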
Fake Googlebots. A newer DDoS technique. Its main feature is the use of bots disguised as Googlebot, Google's search robot, which tracks the appearance and updating of web pages in order to index sites for the search engine. The disguise works because site owners are reluctant to block or rate-limit what looks like the search engine's crawler.
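An added example, not from the original article, that serves the HTTP flood and fake Googlebot sections together: a per-source token bucket in front of the application caps the request rate (the same idea as Nginx's limit_req), and crawlers are exempted from it only after forward-confirmed reverse DNS, the verification Google documents for Googlebot, rather than on the strength of a User-Agent string that anyone can send. The access-log lines, the PTR/A answer tables standing in for real DNS lookups, the limit of 10 requests per second with a burst of 20, and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class TokenBucket:
    """Per-client limiter: `rate` requests per second sustained, `burst` at once."""
    def __init__(self, rate=10.0, burst=20):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def allow(self, t):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def is_verified_googlebot(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: the PTR name must be under googlebot.com or
    google.com AND the forward lookup of that name must return the same IP.
    An attacker who controls the reverse zone of his own address can satisfy
    the first half, but not the second."""
    host = ptr_lookup(ip)
    if not host or not host.endswith((".googlebot.com", ".google.com")):
        return False
    return a_lookup(host) == ip


def analyze(lines, ptr_lookup, a_lookup):
    """Apply the limiter to each source; verified crawlers are exempt from it."""
    buckets = defaultdict(TokenBucket)
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0, "verified_crawler": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m["ip"], m["ua"]
        t = datetime.strptime(m["ts"], TS_FMT).timestamp()
        s = stats[ip]
        if "Googlebot" in ua and is_verified_googlebot(ip, ptr_lookup, a_lookup):
            s["verified_crawler"] = True
            s["allowed"] += 1
        elif buckets[ip].allow(t):
            s["allowed"] += 1
        else:
            s["rejected"] += 1
    return dict(stats)


# Constructed DNS answers standing in for real lookups (no network access needed).
# 203.0.113.9 controls its own reverse zone and claims to be a Googlebot host,
# but the forward lookup of that name does not point back to it.
PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
       "203.0.113.9": "crawl-66-249-66-1.googlebot.com"}
A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}


def build_log():
    """Constructed access log: a normal visitor, an HTTP flood from one address,
    a flood from a fake Googlebot, and a real (verified) Googlebot crawl."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, secs, ua, path="/"):
        ts = (t0 + timedelta(seconds=secs)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [entry("198.51.100.5", 2 * i, "Mozilla/5.0") for i in range(5)]
    lines += [entry("203.0.113.77", i // 100, "Mozilla/5.0", "/search?q=x") for i in range(200)]
    lines += [entry("203.0.113.9", 0, GOOGLEBOT_UA) for _ in range(100)]
    lines += [entry("66.249.66.1", 0, GOOGLEBOT_UA) for _ in range(50)]
    return lines


if __name__ == "__main__":
    for ip, s in analyze(build_log(), PTR.get, A.get).items():
        print(ip, s)
```

On the constructed log the flooding address gets 30 of its 200 requests through (the 20-request burst plus one second of refill) and the fake Googlebot is treated exactly like any other client, while the genuine crawler, whose PTR name resolves back to its own address, is never throttled. In production the two lookups are real DNS queries, so cache their results per address: the verification is cheap compared with serving the flood, but not free.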
There are many other types of attack, and it often seems that the attackers' possibilities are limitless; this is true only if nothing is done. Any company doing business on the Internet needs to defend against DDoS attacks. Always remember that an attack costs the attacker less than honest competition, and the losses from it cost the victim more than protection would.
You can protect yourself from DDoS attacks in different ways.
The first method, and usually the first resort, is self-defence, but such measures neutralize only the simplest attacks: putting Nginx in front of the application as a reverse proxy and blocking ICMP and unneeded UDP at the firewall can make life much easier for a service, but only up to a certain level, because nothing done on the server itself helps once the incoming traffic exceeds the capacity of its uplink.
Protection can also be provided by the hosting provider or the Internet service provider, but their capabilities are limited by the channel available to them, and neither of them will parse the higher-level HTTP/HTTPS protocols.
Best practice is to use a cloud solution. However, a cloud that truly protects against DDoS attacks must have the following properties:
- Distribution. The cloud should have several geographically separated nodes, so that losing any one of them does not affect the service.
- Its own autonomous system and its own address blocks, from which a new IP address is allocated to the protected service, hiding its true location in the network.
- Global connectivity of that autonomous system with the Internet. Only backbone operators acting as cloud protection providers give clients under cloud protection confidence that their traffic will not be lost whatever attacks are under way.
- Full automation of the filtering process. A good DDoS protection system has thousands of clients and hundreds of incidents per day; this volume cannot be handled manually. Manual intervention breeds errors, because a person has to decide quickly which filters to enable, and that does not always produce the desired result.
- Always-on filtering should be the preferred mode of service, since any BGP or DNS switchover means site downtime measured in tens of minutes and exposes the true server location.
- Use of MPLS (Multiprotocol Label Switching) VPN as a backup path for protection and server connectivity. This keeps the server fully operational even when the data centre's channels are completely clogged with "garbage".
- Serving static content from a CDN.
The server itself needs a number of qualities that keep it accessible to clients: the ability to withstand growth in legitimate load, so that it does not "fall over" during advertising campaigns, and to recover quickly once the filters are switched on. It is also important to understand that a share of bots (usually 1-2%) will get through the filters, and the server must be able to withstand them.
"One server, one service." The web server must be the only application on its server. Otherwise the attacker will learn its IP address from, for example, an MX record (Mail Exchanger, a type of DNS record indicating where a domain's email is routed) that points at the same host, or the web server can be taken down by another service on the same machine exhausting the processor. Robust, distributed DNS is also highly desirable.
Whatever method of protection against DDoS the company chooses, the main thing is to remember that you need to prepare for attacks in advance. In addition, the IT infrastructure should match the volume of the company's business. This will help minimize damage and keep customer loyalty even in the busiest business season.