DDoS attacks on major corporations, popular websites and even governments of countries often make big news in the tech industry. Often times sites that seemed to be on top of security are brought to their knees and find themselves totally at the mercy of their attackers. Of all the types of security violations against a website, DDoS is one of the most powerful and effective.
What is DDoS?
DoS stands for Denial of Service and is a type of attack that seeks to flood a web server with so much traffic that it either causes the server to shut down or simply prevents legitimate users from accessing it. A DDoS or Distributed Denial of Service is one that involves multiple machines all attacking a single victim. The initiators of DDoS attacks often used covert methods, such as malware to infect other machines and use them to unwillingly carry out their attacks. In many cases the agents of these attacks are not even aware that they are being used.
A DDoS attack involves four types of systems:
- Client – This is the attacker, the one who initiates the attack. Even this may be a machine taken over by the actual cyber criminal.
- Handler – Any machines that have been compromised and are controlled by the client, but in this case, it is used to control other machines.
- Agent – The handler uses these machines to actually carry out the attack. Like the handler, this is a compromised machine, unaware of its attack.
- Target – This is the machine or machines ultimately subjected to the DDoS.
For an attack to be effective, it takes more than just a few handlers and agents. When you read about major infrastructure being attacked by a DDoS, it often involves thousands or even hundreds of thousands of agents in a coordinated attack to bring down servers or entire networks of servers. Because much of the process of attacking might be automated, it does not take long to execute from start to finish, possibly as little as an hour.
Types of Attacks
DDoS can take on a variety of forms depending on the resources the attacker has at their disposal, their knowledge of technology and their motives. The following are a few types of attacks that are known to be effective.
Ping Flooding – In this method, the attacker will send as many ICMP Echo Request (ping) packets to the target as possible in order to flood the server with unwanted bandwidth. Ultimately, the server will either slow down considerable or completely crash.
Smurf attack – This method is more distributed in that it piggy backs off multiple machines to make its attack. The attacker’s computer will send pings messages to IP broadcast addresses. The broadcasting machine, if it responds, will then send that ICMP echo request out to more machines. Although this attack method was common at one time, modern routers have now been designed to thwart this method.
SYN flood – This basic method works with many web servers because the attacker sends multiple SYN requests (a TCP connection) to the target. The target computer is supposed to respond with a SYN-ACK that tells the client to follow up with an ACK to make the connection. This would be a normal TCP connection, except with a SYN flood, the ACK is not sent. Instead the server continues to wait for it while multiple SYN requests continue to flood in, slowing or even crashing the server.
UDP attack – Rather than sending TCP packets, this method sends multiple UDP packets that flood the server and prevent normal activities. For this method to be effective, a server has to have a free, unused UDP port exposed to the Internet, which is not a normal thing for a server to have. The port must be free because the intent is to get the server to respond to UDP packets with an “ICMP destination unreachable” packet. If enough of these are sent, it can cripple a server.
Why They Happen
Part of effectively preventing and mitigating DDoS attacks is understanding why they happen. For the most part, DDoS attacks target high profile websites. A small blog or ecommerce site is generally not in much danger. Unfortunately, however, if these smaller sites are hosted by major companies that come under attack, they could still find themselves victimized.
The motives for DDoS attacks can be political, social, economical or even personal. They are often used to make a statement against the target, and many groups, such as Anonymous will claim responsibility for their attacks, much in the same way that terrorists have historical done.
In other cases, someone with the technological know-how might attack simply because they are disgruntled with service they have received. These types of attacks may not accompany a statement from any group, since the attacker may be more concerned about exposing his or herself to prosecution.
It might be shortsighted to think a government or corporation can avoid attacks by simply “doing no evil” as certain companies might say, but it might help them avoid the worst of attacks from major activist groups. Ultimately, however, it could even be a misunderstanding that leads to an attack, so in some cases, there may be no way to prevent an attempt.
Protection and Mitigation
Even if your server is not likely to be the victim of a DDoS attack, you also do not want it to be used as an agent or handler in an attack. Therefore, it is important to safeguard your server against the types of malware and intrusions that can lead to this. You can take the following steps:
- Ensure router and OS firewalls are activated and working properly
- Maintain your OS and server applications and keep them up to date
- Perform regular checks and audits for intrusion attempts, torjans, open email relays, software vulnerabilities, kernel vulnerabilities, rootkits, open ports and malware
- Install intrusion detection systems, such as Snort, and vulnerability scanners, such as NESSUS.
The following are some steps you can take to prevent actual attacks on your system:
- Make sure you are using a modern router that has DDoS prevention tools in place. Configure it to limit the rate of ICMP and SYN packets. Also, apply ingress and egress filtering and IP verification tools that makes sure the IP addresses point back to the same interface as the originating packets. Cisco has some helpful tips for configuring a router to prevent many types of attacks.
- On your server, install a good firewall that uses ingress and egress filtering. For example, APF (Advanced Policy Firewall) features an Anti-DoS mode.
- Contact the experts – If you have significant infrastructure and business that can be affected by a DoS attack, you should consider hiring a consulting firm to shore up your defenses. Many companies specialize in DoS and DDoS prevention and mitigation. They may be able to help you fill in any gaps you neglect to see.
- Drop any packets that appear to be spoofed or malformed
- Set any half-open connections to timeout more aggressively
- Rate limit your router so that your web server is not easily overwhelmed
- Work with your web host and/or ISP to make sure they have tools in place to fight DDoS attacks as well and to mitigate them in the event of an actual attack.
Even if you do everything in your power to prevent an attack, cyber criminals are always finding new ways to make their attacks more effective. Ultimately, you may still fall victim to a DoS attack. In such a case, you need to have mitigation measures in place to limit the damage the attack can actually do.
One of the main things you need to do to mitigate an attack is be aware that you are in fact under attack. By preparing your DNS infrastructure to detect early signs of an attack, you can be ready. Monitor your server statistics, error messages related to networking and sockets and any other indicators that might point to an attack. Many security vendors offer early detection systems that will alert you via email, text and other methods so that you will always be ready.
Over-provisioning your infrastructure can also limit the amount of damage an attack can do. This, however, requires more investment, but it can greatly help in the long run. If attackers bring down one server in one location, having another than can take over the load in another location greatly increases your chances of keeping your websites and applications live for your users.
Most importantly, you need to make sure your users/visitors/customers are aware of what is happening and that you are trying to resolve the issues. You do not want your service to just disappear with no contact to customers or explanation of why they cannot access your websites. To do this, you need to have good customer relations in place long before an attack occurs. That means email lists, social media connections and even direct phone calls when necessary. If you have extended outages because of the attacks, you should offer your customers some type of service reimbursement or credit for any down time.
A denial of service attack can be scary and leave you feeling powerless, but it does not have to ruin your business. If you are well-prepared and conscious of the forms and motives behind attacks, you can often prevent them or at least mitigate the damage. Keeping your site visitors or customers happy is your main objective, and being prepared can go a long way in earning and keeping their trust.
Tavis J. Hampton is a freelance writer and web administrator for The Derwin Smiley Show.