Reports about hackers and attacks on software appear more and more often. DDoS attacks are frequently mentioned without any explanation of what they are or what danger they pose to servers. This article explains what the phenomenon is and considers its signs, its main varieties and the methods of countering it.
The term DDoS is an abbreviation of "Distributed Denial of Service". The purpose of a DDoS attack is to disrupt the normal operation of a server, service or local network, to bring it down or to make it difficult for legitimate users to reach it. This is achieved by generating more Internet traffic than the computing system has the resources to process.
The attacking traffic is generated by several computers or local networks, including IoT devices. As a result of the malicious actions of an individual hacker or a group, a huge number of requests is sent to the attacked computing system. This allows attackers to gain unauthorized access to valuable information: confidential databases, program code, or the version of the software in use.
The best everyday analogy for a DDoS attack is a traffic jam created intentionally with several vehicles. As a result, ordinary drivers cannot reach their destination.
How is a distributed denial of service attack carried out?
Only computing systems with an Internet connection can be subjected to a DDoS attack. The global network consists of many computers and other devices connected to the Internet, and malicious software is introduced into some of them by various methods. Such infected devices are called bots by specialists ("zombies" in slang), and a group of them is called a botnet.
Once such a botnet has been assembled, the hacker can launch a DDoS attack, which proceeds as follows:
- A special instruction is prepared for each individual bot and transmitted to it over the network.
- After receiving it, the controlled computer or system begins to form and send requests to the IP addresses of the attacked local network or server.
- At first traffic processing slows down, then the overloaded equipment begins to fail. As a result, all traffic is denied service, including that of ordinary users.
The main problem in countering DDoS attacks is that it is extremely difficult to distinguish attacking traffic from normal traffic. Each bot recruited by the hackers is a legitimate Internet device, so separating malicious requests from ordinary ones is extremely difficult.
The main signs of a DDoS attack on the server
A sudden slowdown of the server or loss of access to a service or an individual site may indicate hacker activity. At the same time, such difficulties can have natural causes, for example a sharp increase in normal traffic. Publicly available analytics services allow you to identify a DDoS attack by a number of characteristic features:
- Significant amounts of traffic from one or more IP addresses belonging to the same range.
- A large number of users requesting the analyzed web pages share the same behavioral profile (geolocation, browser version or device type).
- A sharp increase in traffic at certain intervals, for example, every two or three hours or according to a different schedule.
- An explosive increase in the number of requests to one of the Internet services or web pages.
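The first, second and fourth signs in the list above can be checked directly against a web server's access log. The following script is an added example, not part of the original article: it parses combined-format log lines and flags a sample in which one /24 address range, one user agent or one requested path dominates the traffic. The log lines, thresholds and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Combined-format access log line; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def subnet24(ip):
    # Group sources by /24 range: the "same range" sign from the list above.
    return ".".join(ip.split(".")[:3]) + ".0/24"

def detect_signs(lines, share=0.5, min_requests=20):
    """Return the signs found in a sample of log lines: a single /24 range, a
    single user agent or a single path accounting for more than `share` of all
    requests. Small samples are ignored so normal browsing is not flagged."""
    recs = [r for r in map(parse_line, lines) if r]
    findings = {}
    if len(recs) < min_requests:
        return findings
    checks = {
        "same_ip_range": Counter(subnet24(r["ip"]) for r in recs),
        "same_user_agent": Counter(r["ua"] for r in recs),
        "single_path_burst": Counter(r["path"] for r in recs),
    }
    for sign, counter in checks.items():
        value, count = counter.most_common(1)[0]
        if count / len(recs) > share:
            findings[sign] = (value, count)
    return findings

def constructed_sample():
    # Constructed log sample, not real traffic: 30 bot requests from one /24
    # with one user agent to /login, plus 10 ordinary requests from scattered
    # addresses and browsers.
    bots = [f'203.0.113.{i} - - [10/Oct/2023:13:55:{i:02d} +0000] '
            f'"GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Bot/1.0"'
            for i in range(1, 31)]
    normal = [f'198.51.{i}.{i * 7} - - [10/Oct/2023:13:55:{i:02d} +0000] '
              f'"GET /page{i} HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Browser/{i}"'
              for i in range(1, 11)]
    return bots + normal
```

Running `detect_signs(constructed_sample())` reports all three signs for the bot traffic; on a real server the sample should be a short time window so that the "sharp increase at intervals" sign can be checked window by window.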
In addition to these, there are other signs specific to certain types of DDoS attacks. In such cases the capabilities of conventional Internet analytics tools may not be enough, and specialized software is required to identify them.
Classification of DDoS attacks: the most common types
The arsenal of tools hackers use to attack websites is diverse. Each type of DDoS attack is aimed at particular components of an Internet resource, server or computer. To understand how these attacks work, it is necessary to understand how a network connection is established.
An Internet connection is provided by software made up of many different components, or "layers". Together they form a model, and each layer has its own purpose, much like the supporting, load-bearing and enclosing structures of a building under construction.
The seven-layer OSI model is used to describe the structure of a network connection:
- The application layer. Programs such as email clients, messengers or browsers use this layer to process user data directly.
- The presentation layer. It prepares data (compression, translation and encryption) for subsequent use at the application layer.
- The session layer. It opens a communication channel between two devices in the network and closes it at the end of the session.
- The transport layer. It is responsible for end-to-end communication between specific devices and manages data flows and error control.
- The network layer. It is used only to organize data transfer between devices belonging to different networks. This layer provides optimal routing and the division of information into packets, with subsequent reassembly at the destination.
- The data link layer. It provides data exchange between devices on the same network and is similar to the network layer in terms of the tasks it solves.
- The physical layer. It includes the equipment used for data exchange between devices (cables, switches, etc.). At this layer the information packets are converted into a bit stream and the signals are matched.
The vast majority of DDoS attacks are aimed at overloading the specific network or device that is their target. Broadly, they can be divided into three categories according to the number and nature of the attack vectors used:
- single-vector;
The latter are used mainly in response to the countermeasures taken to protect an Internet resource.
DDoS attacks carried out at the application level
In terms of the model above, such attempts to attack an Internet resource are called layer 7 DDoS attacks. Their purpose is to overload the site and create conditions in which serving normal traffic becomes impossible.
Attacks of this type are carried out at the layer where the server builds the web page that is sent in response to an HTTP request. On the client side such requests cost little to create and send, while the server has to spend significant computing resources on each one: to build the requested page it may run many database queries and load several files.
The difficulty of protecting against distributed layer 7 attacks is that it is not easy to distinguish malicious traffic from normal traffic.
Attacks of this type simulate repeated refreshing of a web page in a browser, carried out on many computers at the same time. It is as if a great many users were constantly pressing the refresh button, which produces a large number of HTTP requests. As a result, the server is overloaded and the service fails.
HTTP flood attacks are divided by complexity:
- Simple ones. Coordinated requests to the same URL are sent from IP addresses in the same range, with the same user agents and the same referrers.
- Complex ones. The attacker uses a significantly larger number of IP addresses with random traffic sources and user agents and targets several web pages at once.
Complex DDoS attacks require computers with appropriate characteristics and resource-intensive software.
Among specialists, attacks of this type are called protocol attacks or state-exhaustion attacks. Protocol attacks disrupt services through excessive consumption of the resources of the server or of specific network equipment, which can lead to failures. Attackers in such cases usually target load balancers or firewalls.
A protocol attack exploits weaknesses at layers 3 and 4 of the protocol stack to make the target web page inaccessible.
During such an attack, a large number of TCP SYN packets with spoofed source IP addresses are sent from the bots. SYN packets are the ones that initiate a TCP connection. The target machine responds to each of them and waits for a confirmation that never arrives. Accordingly, the resources of the attacked server are exhausted and it stops responding to incoming requests.
A SYN flood can be compared to the work of a large store, in which employees of the supply department receive requests from the trading floor for the delivery of a particular product. They go to the warehouse and find what they need, but without a confirmation of the order they do not know what to do next. As a result, they stop working until the situation is clarified.
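The resource-exhaustion mechanism described above can be shown with a small model of the server's half-open connection table. This is an added example, not code from the original article: a fixed-capacity table holds each unconfirmed handshake until it completes or times out, and a constructed scenario measures how many legitimate clients still get through. The capacity, rates and timeouts are assumed values chosen for illustration.

```python
class ListenQueue:
    """Model of a server's table of half-open connections (SYN received, final
    ACK still pending). Each entry holds a slot until the handshake completes
    or `timeout` seconds pass without the confirmation."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}   # source -> time the SYN-ACK was sent
        self.dropped = 0
        self.established = 0

    def expire(self, now):
        for src, sent in list(self.half_open.items()):
            if now - sent >= self.timeout:
                del self.half_open[src]

    def syn(self, src, now):
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1          # table full: the new SYN is discarded
            return False
        self.half_open[src] = now      # server answers SYN-ACK and waits
        return True

    def ack(self, src, now):
        if self.half_open.pop(src, None) is None:
            return False               # unknown, expired or never admitted
        self.established += 1
        return True

def simulate(capacity, timeout, flood_rate, seconds=20):
    """Constructed scenario: `flood_rate` spoofed SYNs per second that never
    send an ACK, plus one legitimate client per second that ACKs 0.1 s after
    its SYN. Returns how many legitimate connections were established."""
    q = ListenQueue(capacity, timeout)
    events = []
    for s in range(seconds):
        events += [(s + k / flood_rate, "syn", f"spoofed-{s}-{k}") for k in range(flood_rate)]
        events += [(s + 0.5, "syn", f"client-{s}"), (s + 0.6, "ack", f"client-{s}")]
    for t, kind, src in sorted(events):
        q.syn(src, t) if kind == "syn" else q.ack(src, t)
    return q.established
```

With a 128-entry table, 50 spoofed SYNs per second and a 60 s timeout only the first three clients connect, while a 1 s timeout lets all twenty through; this is why shortening the time a half-open entry is kept is one of the standard mitigations.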
Volumetric DDoS attacks
In these cases the hackers' actions aim to create a load that consumes the entire available bandwidth of the Internet connection. In large-scale DDoS attacks, large volumes of data are sent to the target resource using various means of generating high traffic or other means of amplification. Both individual bots and entire botnets are used, generating many requests to the target web page or server.
In a DNS amplification attack, a request is sent to an open DNS server with the source address forged to be the IP address of the target device. In response, a much larger data packet is sent to the supposed requester, that is, to the target. A great many such forged requests are generated, which eventually overloads the target and causes service failures.
DNS amplification can be compared to a situation in which a person calls a restaurant or supermarket, orders the delivery of dishes or goods and asks to be called back, but gives a neighbor's phone number. A huge number of such calls to the target address from many users finally overloads the delivery service.
Methods of preventing DDoS attacks
As noted above, the main difficulty in protecting against hacker attacks is telling attack traffic apart from normal traffic. During an advertising campaign for a new product, many users may visit the developer's site; cutting off that traffic as an emergency measure would be a mistake. If, however, the web resource sees a surge of traffic from known hacker groups, measures must be taken to reduce the impact of the DDoS attack.
Attempts to attack web resources take a variety of forms, from the simplest, with a single source of suspicious traffic, to the most complex multi-vector attacks. In the latter case, several types of DDoS attack are used at once in order to force the defending side to spread its forces and resources in different directions.
As an example of such a multi-vector attack, we can cite a combined DDoS attack at several layers at once: DNS amplification together with a large number of HTTP requests. To prevent such attacks, several counteraction strategies must be used at the same time.
When attackers combine different attack methods in a distributed denial-of-service attack, countering it becomes much harder. Hackers tend to blend attacking traffic with normal traffic as much as possible in order to reduce the effectiveness of protective measures to almost nothing.
Attempts to simply cut off or restrict traffic without filtering rarely bring a positive result. Meanwhile, the DDoS attack adapts and looks for ways to bypass the countermeasures taken. In such cases, the best solution is a multi-layered protection strategy.
One of the most accessible methods of protection for network administrators is to create a "black hole" for suspicious traffic. In its simplest form, blackhole routing redirects all requests, without separating them into normal and malicious, to a null route, where they are discarded.
If a DDoS attack on a certain site is detected, the provider can drop all traffic to it as a protective measure. This is not the best solution, because the attacker still achieves his goal: the resource becomes unavailable.
Rate limiting
Each server can receive and process only a certain number of requests in a given period of time. Limiting the rate at which a client may send requests significantly reduces the effectiveness of a DDoS attack.
At the same time, it should be understood that this method mainly slows down the theft of content and program code by web scrapers and blocks brute-force login attempts. It is not effective enough on its own against complex combined denial-of-service attacks.
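A per-client rate limiter of the kind described above, as an added example that is not part of the original article: a sliding window counts each client's requests, and a client that exceeds the limit is blocked for a penalty period, so a scraper or brute-force login tool is throttled while an ordinary user is unaffected. The limits, penalty and traffic are constructed for illustration.

```python
from collections import defaultdict, deque

class RateLimiter:
    """Per-client sliding window: at most `limit` requests per `window` seconds.
    A client that exceeds the limit is blocked for `block_for` seconds, which is
    what slows down scrapers and brute-force logins while leaving others alone."""

    def __init__(self, limit, window, block_for):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.hits = defaultdict(deque)   # client -> timestamps inside the window
        self.blocked_until = {}

    def allow(self, client, now):
        """Return True if the request arriving at time `now` may be served."""
        if self.blocked_until.get(client, float("-inf")) > now:
            return False
        q = self.hits[client]
        while q and q[0] <= now - self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.blocked_until[client] = now + self.block_for
            return False
        q.append(now)
        return True

def simulate(limiter, requests):
    """requests: (time, client) pairs. Returns {client: (allowed, denied)}."""
    outcome = defaultdict(lambda: [0, 0])
    for t, client in sorted(requests):
        outcome[client][0 if limiter.allow(client, t) else 1] += 1
    return {c: tuple(v) for c, v in outcome.items()}

def constructed_traffic():
    # Constructed traffic, not a real capture: one bot fires 200 requests in
    # 10 seconds, one ordinary user makes 10 requests in the same 10 seconds.
    bot = [(i * 0.05, "203.0.113.5") for i in range(200)]
    user = [(float(i), "198.51.100.7") for i in range(10)]
    return bot + user

def run_example():
    # 20 requests per 10 s per client; offenders are blocked for 30 s.
    return simulate(RateLimiter(limit=20, window=10, block_for=30), constructed_traffic())
```

In the constructed run the bot gets 20 requests served and 180 refused, while the ordinary user is served every time; a volumetric or multi-vector attack still reaches the server, which is why the text calls this measure insufficient on its own.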
Using web application firewalls
Special software products can significantly mitigate layer 7 DDoS attacks. A web application firewall (WAF) sits between the Internet and the protected server and works as a reverse proxy. It is used to block malicious traffic of certain types.
Incoming requests are filtered according to configured rules, which makes it possible to identify DDoS tools and prevent layer 7 attacks. One of the main advantages of this method is the ability to write your own rules to counter an attack.
Anycast network distribution
This method reduces the harmful consequences of DDoS attacks by redistributing traffic across a network of servers.
If a single server receives many requests at the same time, it is overloaded with traffic and cannot respond effectively to further incoming requests. In an Anycast network, instead of a single origin server taking the brunt of the traffic, the load is distributed among the other available data centers, each of which has servers capable of processing and responding to an incoming request. This routing method prevents the origin server's capacity from being exceeded and avoids interrupting service to the clients requesting content from it.
The best analogy for Anycast distribution is splitting the flow of a large, fast river into separate branches. By redistributing the traffic of a DDoS attack, its destructive power is reduced to a minimum and it becomes entirely manageable.