DDoS - thinking out loud ...
Hello harabrachitel. Today I decided to share with you my thoughts about DDoS attacks. I’m not going to talk about this — I think even a schoolboy knows about it today. In general, reflecting once again the powerful attack of hooligans on one of my resources, I thought, and not to offer me a community of educated people a number of ideas to combat one of the most common methods of such attacks - HTTP - flood.
The essence of this attack comes down to the following: infected computers, managed by the host server, generate a huge number of requests of the form:
')
Requests can naturally be on any as an existing page of the attacked resource, and not existing. Moreover, depending on the “education” of the botnet and its owners, the attack can go immediately to several URLs and, depending on the actions of the administrators of the attacked resources, can also change the tactics of the attacks.
To track such an attack is quite simple - it can be clearly seen when “online” - viewing the logs of the web server. But to reflect this (as well as any other type of attack) is quite difficult, and the greater the intensity of the attack and the number of infected computers participating in it, the harder it is to do. Yes, there are many ways - both scripts run on the attacked server, and specialized equipment installed in front of the attacked server. I will not describe these methods today. I want to write a little about a different method of struggle.
Working in a fairly large telecommunications company, I realized that after all, an Internet provider will not be hard-pressed to set up their equipment to filter traffic. What is this:
Now about the most important thing - about the ethical and legislative side of my proposals. Yes, we do not have a legal basis for these measures, and from the point of view of a simple user of Internet services - at least they will not be delighted, knowing that some of his traffic can simply get into the "trash can", because the end user of these services is usually and does not realize that his computer has become a part of a huge botnet. It will be added by the support service of providers - now they are far from giving notice to the client that there is viral traffic coming from him. How to deal with “Chinese” traffic is also a difficult question - you need to filter on highways, because based on my personal data for analyzing flood traffic, 40-60% come from China.
But once we will come to this anyway.
Thanks for attention!
The essence of this attack comes down to the following: infected computers, managed by the host server, generate a huge number of requests of the form:
"GET / HTTP/1.1" XXX XXXX "')
Requests can naturally be on any as an existing page of the attacked resource, and not existing. Moreover, depending on the “education” of the botnet and its owners, the attack can go immediately to several URLs and, depending on the actions of the administrators of the attacked resources, can also change the tactics of the attacks.
To track such an attack is quite simple - it can be clearly seen when “online” - viewing the logs of the web server. But to reflect this (as well as any other type of attack) is quite difficult, and the greater the intensity of the attack and the number of infected computers participating in it, the harder it is to do. Yes, there are many ways - both scripts run on the attacked server, and specialized equipment installed in front of the attacked server. I will not describe these methods today. I want to write a little about a different method of struggle.
Working in a fairly large telecommunications company, I realized that after all, an Internet provider will not be hard-pressed to set up their equipment to filter traffic. What is this:
- We monitor traffic, with a homogeneous and large volume of requests from the client to the network, which are typical of DDoS attacks or even mass spamming, discarding the flood packets, thereby not loading our network and allowing you to prevent the traffic overrun by the client. Caring for the client so to speak.
- We warn mass attacks as such; it will not be as effective on the scales of one Internet provider, but if a well-thought out filtering system is introduced at least among the main backbone providers, then it will be easier for simple administrators of web resources to live with us.
Now about the most important thing - about the ethical and legislative side of my proposals. Yes, we do not have a legal basis for these measures, and from the point of view of a simple user of Internet services - at least they will not be delighted, knowing that some of his traffic can simply get into the "trash can", because the end user of these services is usually and does not realize that his computer has become a part of a huge botnet. It will be added by the support service of providers - now they are far from giving notice to the client that there is viral traffic coming from him. How to deal with “Chinese” traffic is also a difficult question - you need to filter on highways, because based on my personal data for analyzing flood traffic, 40-60% come from China.
But once we will come to this anyway.
Thanks for attention!
Source: https://habr.com/ru/post/46806/
All Articles