DoS and DDoS attacks: concept, types, methods of detection and protection. How to protect yourself from attacks and from overloading of hardware resources


DoS and DDoS attacks are an aggressive external influence on the computing resources of a server or workstation, carried out with the aim of bringing it to failure. By failure we do not mean the physical failure of the machine, but the inaccessibility of its resources to legitimate users: the system refuses to serve them (Denial of Service, which is where the abbreviation DoS comes from).

If such an attack is carried out from a single computer, it is classified as DoS; if from several, as DDoS (Distributed Denial of Service). Next we will discuss why attackers carry out such attacks, what forms they take, what harm they cause to the target, and how the target can protect its resources.

Who can suffer from DoS and DDoS attacks?

Corporate servers and websites are attacked; personal computers of individuals much less often. The purpose of such actions is, as a rule, the same: to cause economic harm to the target while remaining in the shadows. In some cases, DoS and DDoS attacks are one stage of a server compromise aimed at stealing or destroying information. In practice, a company or website belonging to anyone can become a victim.

A diagram illustrating the essence of a DDoS attack:

DoS and DDoS attacks are most often carried out at the instigation of dishonest competitors. By "crashing" the website of an online store that sells a similar product, one can temporarily become a "monopolist" and take over its customers. By "taking down" a corporate server, one can disrupt the work of a competing company and thereby weaken its position in the market.

Large-scale attacks that can cause significant damage are usually carried out by professional cybercriminals for a lot of money. But not always. Your resources can also be attacked by home-grown amateur hackers out of curiosity, by avengers among fired employees, or simply by people who do not share your views on life.

Sometimes the impact is carried out for the purpose of extortion, while the attacker openly demands money from the owner of the resource to stop the attack.

Servers of state-owned companies and well-known organizations are often attacked by anonymous groups of highly skilled hackers with the aim of influencing officials or causing public outcry.

How attacks are carried out

The operating principle of DoS and DDoS attacks is to send a large flow of data to the server, which loads the processor and RAM as heavily as the attacker's capabilities allow, clogs communication channels, or fills disk space. The attacked machine is unable to process the incoming data and stops responding to user requests.

This is what normal server operation looks like, visualized in the Logstalgia program:

The effectiveness of single-source DoS attacks is not very high. Moreover, an attack from a personal computer exposes the attacker to the risk of being identified and caught. Distributed attacks (DDoS), carried out from so-called zombie networks or botnets, bring a much greater payoff.

This is how the Norse-corp.com website displays botnet activity:

A zombie network (botnet) is a group of computers that have no physical connection with each other. What they have in common is that they are all under the control of an attacker. Control is exercised through a Trojan horse, which for the time being may not manifest itself in any way. When carrying out an attack, the hacker instructs the infected computers to send requests to the victim's website or server, which, unable to withstand the pressure, stops responding.

This is how Logstalgia shows a DDoS attack:

Absolutely any computer can join a botnet, and even a smartphone. It is enough to catch a Trojan and not detect it in time. Incidentally, the largest botnet consisted of almost 2 million machines around the world, and their owners had no idea what they were doing.

Methods of attack and defense

Before launching an attack, the hacker figures out how to carry it out with maximum effect. If the attacked node has several vulnerabilities, the attack can be carried out from several directions, which significantly complicates countermeasures. Therefore it is important for every server administrator to study all of its "bottlenecks" and, where possible, strengthen them.

Flood

A flood, in simple terms, is information that carries no semantic load. In the context of DoS/DDoS attacks, a flood is an avalanche of empty, meaningless requests at one protocol layer or another, which the receiving node is forced to process.

The main purpose of using flooding is to completely clog communication channels and saturate the bandwidth to the maximum.

Types of flood:

  • MAC flood - an attack on network switches (blocking ports with data flows).
  • ICMP flood - inundating the victim with echo requests from a zombie network, or sending requests "on behalf of" the attacked node so that all members of the botnet simultaneously send it echo replies (Smurf attack). A special case of ICMP flood is ping flood (sending ping requests to the server).
  • SYN flood - sending numerous SYN requests to the victim, overflowing the TCP connection queue by creating a large number of half-open connections (those waiting for client confirmation).
  • UDP flood - works on the same scheme as the Smurf attack, except that UDP datagrams are sent instead of ICMP packets.
  • HTTP flood - flooding the server with numerous HTTP requests. A more sophisticated variant is HTTPS flooding, where the sent data is encrypted, and before the attacked node can process it, it has to decrypt it.


How to protect yourself from flooding

  • Enable MAC address validation and filtering on network switches.
  • Restrict or disable the processing of ICMP echo requests.
  • Block packets coming from a specific address or domain that gives reason to suspect it is unreliable.
  • Limit the number of half-open connections from a single address, reduce the time they are held, and lengthen the TCP connection queue.
  • Disable UDP services from receiving traffic from outside, or limit the number of UDP connections.
  • Use CAPTCHA, delays and other bot protection techniques.
  • Increase the maximum number of HTTP connections and configure request caching using nginx.
  • Expand the network channel capacity.
  • If possible, dedicate a separate server to handle cryptography (if used).
  • Create a backup channel for administrative access to the server in emergency situations.

Hardware overload

There are types of flooding that affect not the communication channel but the hardware resources of the attacked computer, loading them to full capacity and causing a freeze or crash. For example:

  • A script that posts huge amounts of meaningless text on a forum or website where users can leave comments, until all disk space is full.
  • The same thing, but with server logs filling the drive.
  • Loading a site that performs some kind of transformation on entered data by continuously submitting such data (sending so-called "heavy" packets).
  • Loading the processor or memory by executing code through the CGI interface (CGI support allows running any external program on the server).
  • Triggering the security system so that the server becomes inaccessible from the outside, etc.


How to protect yourself from overloading hardware resources

  • Increase hardware performance and disk space. When the server is operating normally, at least 25-30% of resources should remain free.
  • Use traffic analysis and filtering systems in front of the server.
  • Limit the use of hardware resources by system components (set quotas).
  • Store server log files on a separate drive.
  • Distribute resources across several independent servers, so that if one part fails, the others remain operational.

Vulnerabilities in operating systems, software, device firmware

There are immeasurably more ways to carry out this type of attack than with flooding. Their implementation depends on the qualifications and experience of the attacker, on his ability to find errors in program code and use them to his benefit and to the detriment of the resource owner.

Once a hacker discovers a vulnerability (an error in software that can be used to disrupt the operation of the system), all that remains is to create and run an exploit, a program that takes advantage of this vulnerability.

Exploitation of vulnerabilities is not always intended to cause only a denial of service. If the hacker is lucky, he will be able to gain control of the resource and use this "gift of fate" at his own discretion: for example, to distribute malware, steal or destroy information, and so on.

Methods to counter the exploitation of software vulnerabilities

  • Promptly install updates that close vulnerabilities in operating systems and applications.
  • Isolate all services intended for administrative tasks from third-party access.
  • Use tools for continuous monitoring of the server OS and programs (behavioral analysis, etc.).
  • Avoid potentially vulnerable programs (free, self-written, rarely updated) in favor of proven and well-protected ones.
  • Use ready-made DoS and DDoS protection products, which exist both as hardware and as software systems.

How to determine that a resource has been attacked by a hacker

If the attacker achieves his goal, it is impossible not to notice the attack, but in some cases the administrator cannot determine exactly when it began. That is, several hours may pass from the start of the attack to noticeable symptoms. However, during the hidden phase (until the server goes down), certain signs are also present. For example:

  • Unnatural behavior of server applications or the operating system (freezes, termination with errors, etc.).
  • The load on the processor, RAM and storage increases sharply compared to the baseline.
  • The volume of traffic on one or more ports increases significantly.
  • There are multiple requests from clients to the same resources (opening the same website page, downloading the same file).
  • Analysis of server, firewall and network device logs shows a large number of monotonous requests from different addresses, often aimed at a specific port or service, especially if the site is aimed at a narrow audience (for example, Russian-speaking) and requests come from all over the world. Qualitative analysis of the traffic shows that the requests have no practical meaning for clients.

All of the above is not a 100% sign of an attack, but it is always a reason to pay attention to the problem and take appropriate protective measures.

Many popular resources are subject to DDoS attacks for one purpose or another.

If you are the owner of popular or rapidly growing resources, you should think about the safety of your brainchild.

Today we will explain what DoS and DDoS attacks are, how the latter are carried out, and what effective protection exists against them.

Concept

All schoolchildren are familiar with the essence of DDoS attacks: they do not want to listen to the teacher's regular ramblings on the topic, and begin to bombard him with questions.

In the end, the teacher gives up without even starting the new topic. DoS is not much different from this elementary scheme.

DDoS is a hacker attack on the server(s) that process requests from users (site visitors), with the aim of creating conditions under which the server can no longer cope with the load.

That is, the attackers' actions are aimed at making the server's resources insufficient to process user requests, or at making such processing difficult.

Most often this is done to cause economic damage: downtime leads to costs, and restoring and protecting the system also requires financial and other resources.

How to organize

DDoS differs from DoS in that the target resource is attacked by a large number of computers, both those of volunteers interested in the attack and those infected with viruses.

In the second case, PC owners will not always guess what their machine is doing at the moment.

During the preparatory stage, the attackers scan for vulnerabilities, and having identified weaknesses and gained a certain foothold, they distribute software that operates in the background.

It waits its turn, and after receiving a certain command connects the user's computer to the large-scale attack. Such a PC is called a zombie.

With sufficient resources, almost any unprotected site can be "taken down" this way without leaving much evidence behind, which reduces the likelihood of punishment to virtually zero.

No one can protect against DDoS 100%, because every system has its own shortcomings, and any of them can be hacked.

And the human factor plays far from a secondary role here: correct configuration of hardware and software is the key to successful operation.

As with diseases, it is better to prevent them than to fight them and deal with the consequences. This is done by software, hardware and organizational means, which we will consider, but first let us get acquainted with the most common reasons for carrying out DDoS and its varieties.

The second, less common algorithm is inviting volunteers to participate in the mass sending of requests to a specified server through special software.

The third type of such cybercriminal activity is placing links to the target resource on large (news) portals. Due to the rapid influx of users, the server cannot withstand the load and crashes.

Moreover, the problem can be provoked by the site owner himself by actively advertising it on heavily visited portals.

Causes

Computer security experts highlight several factors that trigger DDoS:

  • Self-education, entertainment: novice hackers may try to harm a small resource in order to practice organizing DDoS or test their strength.
  • Personal motives: revenge on someone or some organization; for example, after raids on hacker groups, the websites of the American intelligence agency FBI and some government departments did not function for several weeks.

The consequences of blocking the large Ukrainian file hosting service ex.ua were similar.

  • Political action, protest, for example against the closure of pirate resources.
  • Unfair competition: while the site is not functioning, some of its visitors may defect to a competitor.

In the last two years, for example, the number of attacks on Russian banks and government agencies has increased, with the aim of undermining confidence in them. In February 2017, a massive attack on the vehicles of the Ministry of Health and.

  • Financial benefit: the attacker demands a certain benefit from the owner of the web resource, usually money. The ezBTC and RedDoor groups are known for such actions.

Varieties

Making a system inoperative for a certain period of time is much easier, faster and cheaper than hacking. There are several ways to make it difficult for users to access a website.

Internet channel overflow, or flood.

The most common algorithm is to occupy the entire channel width so that user requests cannot reach the server, or at least cannot be processed by it. Special applications are written for this purpose. They open a large number of false connections, up to the maximum number the server supports, or send false requests in huge numbers.

SYN flood: overloading the system's computing capabilities with false requests. After establishing a connection, the system allocates a certain amount of physical server resources for each request.

The attacker sends a packet to the victim without waiting for a response, and then resends the data packet. These packets take longer to process than it takes the attacker to change the IP and send a new one. This exhausts the server's physical resources.

Capturing hardware resources: similar to the previous type, its purpose is to load the victim's CPU to 100%.

HTTP and ping flooding are used to attack servers with relatively low bandwidth, when the hacker's Internet speed is no more than an order of magnitude lower than the victim's, or even higher.

The scheme is as follows: the attacker sends a small packet that results in content several orders of magnitude larger. After changing the IP, the process continues until the server fails.

Smurf attack. The most serious algorithm, due to the high probability that service on the attacked machine will be denied.

The attacker uses broadcasting. After sending a forged packet, the cybercriminal changes their IP to the address of the attacked system, which is why it sends response packets to itself. As the number of attackers increases, the server simply cannot cope with processing the requests sent to itself.

UDP flood: echo commands are sent to the victim, with the attacker's IP changed to the address of the attacked system, which is forced to accept its own requests in large numbers, and so on until the entire bandwidth is occupied by false responses.

Computing capacity overflow: sending requests that require a lot of processing. When the CPU load reaches 100%, users will not be able to access the site.

HDD full of log files. We mentioned the influence of a system administrator's qualifications on the possibility of attacking the servers he services. If an inexperienced person does not set limits on the size of the log file or the number of entries in it, it will take up all the disk space and crash the server.

Code flaws. Professionals do not stoop to sending requests; they carefully study the victim's system and write exploits, small programs that use holes in the system for the purposes of the exploit's developer. In most cases, such code provokes a call to a non-existent memory area or an invalid function.

Cache attacks: replacing the IP of the DNS server with the victim's address. The request leads not to the page of the attacked resource but to the attacker's website. With a huge number of zombie computers, they saturate the DNS servers with requests, which is why they cannot cope with converting between IP addresses and domain names.

With correct DNS configuration, the probability of a successful attack drops to zero.

Layer 7: the server must respond to the request with a heavy packet, for example an archive or .

There are paid resources for carrying out cybercrimes, such as vDOS.

It provides services to everyone without asking the user's name or the purpose of using the service.

As you can see, there are many ways to carry out an attack, but if you have appropriate filters that distinguish false requests from real ones, and qualified personnel, the probability is reduced significantly.

Let's figure out how this is done.

Detecting DDoS

In most situations it is extremely difficult to notice an attack, especially in its first hours, even when it is possible.

Many victims noticed the flood of false requests on their servers a few days after a successful attack, or a couple of weeks after its completion, when the victim received statistics or an invoice for or a significant expansion of the channel.

To detect the crime in a timely manner, it is necessary to know exactly the type and algorithm of the attack, which is why we examined them, albeit very briefly.

An ordinary user is unlikely to be able to do anything without the help of a qualified security specialist.

Such people will help you perform a few adjustments in the settings to repel an attack. The means of identifying attacks fall into several categories:

  • statistics: study of user activity on the resource;
  • signatures: qualitative analysis of incoming and outgoing traffic;
  • a combination of the first and second.

Protection: general concepts

Preventing attacks and fighting criminals is done through correct configuration of hardware and software, but this will only save you from weak attacks.

And even then, sometimes it will only reduce the effectiveness of the attack. Closing holes in program code is a more effective measure against zombie computers and botnets.

And under no circumstances should you leave it for later.

Let's figure out what measures should be taken when starting a server, creating a network and configuring software in order to avoid the role of a victim.

Gaining time

Depending on the type of crime, there are different algorithms for preventing service interruption.

  • To counter HTTP flooding, we increase the number of simultaneous connections to the database, and if the attack develops, we reset these connections.
  • ICMP flood: disable responses to ICMP ECHO requests.
  • UDP flood: likewise disable this type of request or limit its allowed number.
  • SYN flood: if we detect it, we reduce the queue of half-open TCP connections to 1-3.

Even with the appropriate skills, these actions will only temporarily reduce the effectiveness of the attackers' efforts; it is then necessary to contact your Internet service provider.

  • Timely updating of software on the server and the site engine.
  • Having a response plan for emergency situations.
  • Taking into account the likelihood of DDoS at the stage of writing/ordering program code, and testing it thoroughly.
  • No access to the administration interface from the external network.
  • Conducting penetration tests and addressing the critical issues of the OWASP Top 10 vulnerabilities.
  • If security hardware is not available, provision an on-demand software protection service by adjusting the routing scheme.
  • Use of CDN content delivery networks. They allow traffic to be distributed among several servers to reduce latency and increase access speed.
  • Installing a Web Application Firewall in front of web applications, which will monitor traffic coming to the site and verify its legitimacy, most likely eliminating false requests.
  • Do not use Apache. If you do use Apache, install the nginx caching proxy, but it will not save you from Slowloris, the most dangerous DDoS method. It's better to stick to a secure HTTPS server.
  • Influence the source of the problem. If you know the offender, use legislation or other means of pressure to force him to stop the illegal actions. There are even special companies for this.

DNS Security

Its operation is based on the fact that most bots do not have a redirect function and do not use cookies.

Although recently they have been evolving, and therefore the fight against such programs is becoming more difficult.

The module screens out garbage requests, because the bot body almost never (though cases are becoming more frequent) contains a JavaScript engine. It acts as a filter in the event of a Layer 7 attack.

The module checks:

  • whether the bot is really the browser it claims to be;
  • whether it actually supports JS;
  • whether it can follow redirects.

There are several verification methods and they all use cookies, which in the latest version can also be encrypted with AES-128 if necessary. It can also be set via , which bots do not support.

The last feature will also block many visitors who do not use Flash, but for the duration of an attack a minor loss of customers is not such a big price to pay.

The tool is free and comes with configuration files for various use cases.

The disadvantages of testcookie are:

  • it blocks all bots, including Googlebot (at least in its current form), which makes its continuous use impossible;
  • it inconveniences users with rare browsers, such as Links;
  • it will not protect against advanced bots that have .
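The redirect-plus-cookie check described above, as an added example in Python that is not the testcookie module's own code: a first request gets a challenge (set a cookie, redirect back), and only a client that stored the cookie and came back is let through. HMAC-SHA256 signing bound to the client address and a 1-hour lifetime are this example's assumptions, not the module's AES-128 scheme.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in practice load it from configuration, not source.
SECRET = secrets.token_bytes(32)
COOKIE_NAME = "__chk"
TTL = 3600  # seconds a passed challenge stays valid (assumed value)

def _sign(client_ip, expires):
    msg = f"{client_ip}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_cookie(client_ip, now):
    """Build a cookie bound to the client address and an expiry time."""
    expires = int(now) + TTL
    return f"{expires}:{_sign(client_ip, expires)}"

def cookie_is_valid(value, client_ip, now):
    """Accept only an unexpired cookie whose signature matches this client."""
    try:
        expires_str, sig = value.split(":", 1)
        expires = int(expires_str)
    except ValueError:
        return False
    if now > expires:
        return False
    return hmac.compare_digest(sig, _sign(client_ip, expires))

def parse_cookies(header):
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            out[key] = val
    return out

def handle_request(headers, client_ip, now=None):
    """Front-door decision: ("pass", None) for a client that already proved it
    keeps cookies and follows redirects; otherwise ("challenge", cookie), meaning
    'Set-Cookie this value and redirect the client back to the same URL'."""
    now = time.time() if now is None else now
    cookies = parse_cookies(headers.get("Cookie", ""))
    if COOKIE_NAME in cookies and cookie_is_valid(cookies[COOKIE_NAME], client_ip, now):
        return ("pass", None)
    return ("challenge", issue_cookie(client_ip, now))

def simulate_browser(client_ip, now, max_rounds=3):
    """A real browser stores the cookie and follows the redirect: passes on round 2."""
    headers = {}
    for rnd in range(1, max_rounds + 1):
        verdict, cookie = handle_request(headers, client_ip, now)
        if verdict == "pass":
            return rnd
        headers = {"Cookie": f"{COOKIE_NAME}={cookie}"}
    return None

def simulate_naive_bot(client_ip, now, attempts=5):
    """A flood bot that ignores Set-Cookie and the redirect never gets through."""
    return sum(1 for _ in range(attempts)
               if handle_request({}, client_ip, now)[0] == "pass")

if __name__ == "__main__":
    start = time.time()
    print("browser passes on round", simulate_browser("192.0.2.5", start))
    print("bot requests passed:", simulate_naive_bot("203.0.113.9", start))
```

Binding the signature to the client address means a cookie harvested by one bot cannot be replayed by the rest of the botnet.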

Temporarily disabling features

Hackers mainly focus on the heaviest parts of the site (for large resources), such as the built-in search. If this method is used, simply turn off the search for a while.

Although clients will feel some inconvenience, most of them will definitely return when the problem is resolved. Moreover, they can be notified of the problem.

Geographical position

Modern website engines allow you to filter out users based on geographic characteristics.

If a lot of users from China have visited your online store or city news portal in recent days or hours, you can try to block their access. They are probably bots.

Inaccuracy of geolocation, banning real users, and other shortcomings are a temporary price to pay for the site's functionality in the future.

Debugger

Using the Xdebug profiler will allow you to see the heaviest queries.

The integrated debugger will identify the code responsible, and skillful hands and a bright mind will simplify complex database queries if that is the problem.

Blocking suspicious traffic

We use a firewall or ACL lists to block suspicious traffic.

Such software can block access to the site for certain categories of requests, but it cannot separate real traffic from the "bad" kind.

Reverse DDoS attack

If there is enough power and bandwidth, incoming traffic can be redirected from the attacked server back to the attacker.

Often this process allows you to stop attacks and even load the attacker's server until it crashes.

Increasingly, here and there in official communications from hosting providers, there are references to reflected DDoS attacks. Increasingly, users, upon discovering that their site is unavailable, immediately assume DDoS. Indeed, in early March the Runet experienced a whole wave of such attacks. At the same time, experts assure us that the fun is just beginning. It is simply impossible to ignore a phenomenon so relevant, menacing and intriguing. So today let's talk about myths and facts about DDoS, from the hosting provider's point of view, of course.

Memorable day

On November 20, 2013, for the first time in the 8-year history of our company, the entire technical platform was unavailable for several hours due to an unprecedented DDoS attack. Tens of thousands of our customers throughout Russia and the CIS suffered, not to mention ourselves and our Internet provider. The last thing the provider managed to record before everything went dark for everyone was that its input channels were completely clogged with incoming traffic. To visualize this, imagine your bathtub with a regular drain, with Niagara Falls rushing into it.

Even providers higher up the chain felt the effects of this tsunami. The graphs below clearly illustrate what was happening that day to Internet traffic in St. Petersburg and in Russia. Note the steep peaks at 15:00 and 18:00, exactly at the moments when we recorded the attacks: sudden surges of an extra 500-700 GB.

It took several hours to localize the attack. The server it was aimed at was identified. Then the target of the Internet terrorists was identified. Do you know who all this enemy artillery was hitting? One very ordinary, modest client site.

Myth number one: "The target of the attack is always the hosting provider. This is the machinations of its competitors. Not mine." In fact, the most likely target of Internet terrorists is an ordinary client site. That is, the site of one of your hosting neighbors. Or maybe yours too.

Not everything is DDoS...

After the events on our technical platform on November 20, 2013, and their partial repetition on January 9, 2014, some users began to assume DDoS behind any failure of their own website: "This is DDoS!" and "Are you experiencing DDoS again?"

It is important to remember that if we are hit by such a DDoS that even our clients feel it, we immediately report it ourselves.

We would like to reassure those who are in a hurry to panic: if something is wrong with your site, the probability that it is DDoS is less than 1%, simply because a lot of things can happen to a site, and these "many things" happen much more often. We will talk about methods of quick self-diagnosis of what exactly is happening to your site in one of the following posts.

In the meantime, for the sake of accuracy of word usage, let’s clarify the terms.

About terms

A DoS attack (from the English Denial of Service) is an attack designed to cause a server to deny service due to overload.

DoS attacks are not associated with damage to equipment or theft of information; their goal is to make the server stop responding to requests. The fundamental feature of DoS is that the attack comes from one machine against another. There are exactly two participants.

But in reality we see virtually no DoS attacks. Why? Because the targets of attacks are most often industrial facilities (for example, powerful production servers of hosting companies), and to cause any noticeable harm to the operation of such a machine, far greater power is needed than its own. That is the first reason. Secondly, the initiator of a DoS attack is quite easy to identify.

DDoS is essentially the same as DoS, only the attack is distributed. Not five, not ten, not twenty, but hundreds and thousands of computers access one server simultaneously from different places. This army of machines is called a botnet. It is almost impossible to identify the customer and the organizer.

Accomplices

What kind of computers are included in the botnet?

You will be surprised, but these are often the most ordinary home machines. Who knows? Quite possibly your home computer has been carried away to the side of evil.

You don't need much for this. An attacker finds a vulnerability in a popular operating system or application and uses it to infect your computer with a Trojan that, on a certain day and time, commands your computer to begin performing certain actions. For example, send requests to a specific IP. Without your knowledge or participation, of course.

Myth number two: "DDoS is done somewhere far from me, in a special underground bunker where bearded hackers with red eyes sit." In fact, without knowing it, you, your friends and neighbors, anyone, can be an unwitting accomplice.

This is really happening. Even if you don't think about it. Even if you are terribly far from IT (especially if you are far from IT!).

Entertaining hacking, or the mechanics of DDoS

The DDoS phenomenon is not uniform. This concept combines many courses of action that lead to one result (denial of service). Let's look at the troubles that DDoSers can bring us.

Overuse of server computing resources

This is done by sending packets to a specific IP whose processing requires a large amount of resources. For example, loading a page requires executing a large number of SQL queries. All attackers will request exactly this page, which will cause server overload and denial of service for normal, legitimate site visitors.

This is an attack at the level of a schoolchild who spent a couple of evenings reading Hacker magazine. It is not a problem. The same requested URL is identified instantly, after which access to it is blocked at the web server level. And this is just one solution.

Overload of communication channels to the server (output)

The difficulty level of this attack is about the same as the previous one. The attacker determines the heaviest page on the site, and the botnet under his control begins to request it en masse.

Imagine that the part of Winnie the Pooh that is invisible to us is infinitely large

In this case, it is also very easy to understand what exactly is clogging the outgoing channel and to block access to that page. Such requests are easily seen with special utilities that let you look at the network interface and analyze traffic. Then a firewall rule is written that blocks such requests. All this is done regularly, automatically, and so quickly that most users are not even aware of any attack.
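The log analysis described in this section and in the previous one (one URL requested en masse, identified and blocked at the web server level), and the list of attack signs earlier on this page (monotonous requests to the same resource from many addresses), as an added example in Python that is not part of the original page: it parses constructed access-log lines in the usual combined format, finds URLs hammered by many clients within one time window and single clients sending far more than normal, and emits nginx `deny` lines for the latter. The thresholds, window size and sample addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format as written by nginx/Apache: ip, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line, window=60):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        # Time bucket so that counts are per window (default: per minute).
        "bucket": int(ts.timestamp()) // window,
    }

def analyze(lines, window=60, path_threshold=20, client_threshold=10):
    """Return the two flood indicators from the text: one URL requested en masse
    (from many addresses) and single clients that send far more than normal.
    Thresholds are assumed values; tune them to the site's own baseline."""
    path_hits = defaultdict(Counter)                   # bucket -> path -> hits
    path_ips = defaultdict(lambda: defaultdict(set))   # bucket -> path -> set of ips
    client_hits = defaultdict(Counter)                 # bucket -> ip -> hits
    for rec in (parse_line(line, window) for line in lines):
        if rec is None:
            continue
        b = rec["bucket"]
        path_hits[b][rec["path"]] += 1
        path_ips[b][rec["path"]].add(rec["ip"])
        client_hits[b][rec["ip"]] += 1
    hot_paths, noisy_clients = [], []
    for b in sorted(path_hits):
        for path, hits in path_hits[b].items():
            if hits >= path_threshold:
                hot_paths.append({"bucket": b, "path": path, "hits": hits,
                                  "distinct_ips": len(path_ips[b][path])})
        for ip, hits in client_hits[b].items():
            if hits >= client_threshold:
                noisy_clients.append({"bucket": b, "ip": ip, "hits": hits})
    return {"hot_paths": hot_paths, "noisy_clients": noisy_clients}

def block_rules(report):
    """Turn the report into nginx access-module 'deny' lines for the noisy
    clients; hot paths are listed for the operator to block or cache."""
    rules = [f"deny {c['ip']};" for c in report["noisy_clients"]]
    rules += [f"# hot path, consider blocking or caching: {p['path']}"
              for p in report["hot_paths"]]
    return rules

def make_line(ip, path, second):
    """Constructed sample log line (not real traffic)."""
    return (f'{ip} - - [10/Mar/2014:15:02:{second:02d} +0400] '
            f'"GET {path} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')

# Constructed sample: three ordinary visitors, six bots requesting the same
# heavy search URL four times each within one minute, and one client hammering "/".
SAMPLE_LOG = (
    [make_line("192.0.2.10", "/", 1),
     make_line("192.0.2.11", "/about", 5),
     make_line("192.0.2.12", "/news", 9)]
    + [make_line(f"203.0.113.{n}", "/search?q=heavy", 10 + i)
       for n in range(1, 7) for i in range(4)]
    + [make_line("198.51.100.9", "/", 20 + i) for i in range(12)]
)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for entry in report["hot_paths"] + report["noisy_clients"]:
        print(entry)
    print("\n".join(block_rules(report)))
```

The hot-path indicator is the one that catches a distributed flood: each bot stays under the per-client threshold, but the URL they share does not.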

Myth number three: "Attacks rarely reach my hosting, and I always notice them." In fact, 99.9% of attacks you neither see nor feel. But the daily struggle with them is the everyday, routine work of a hosting company. This is our reality, in which an attack is cheap, competition is off the charts, and not everyone shows discernment in the methods of fighting for a place in the sun.

Overload of communication channels to the server (inbound)

This is already a task for those who have read Hacker magazine for more than one day.


Photo from the Ekho Moskvy radio website. We couldn't find anything more visual to represent DDoS by overloading inbound channels.
To fill an inbound channel to capacity, you need a botnet powerful enough to generate the required volume of traffic. But maybe there is a way to send little traffic and have a lot arrive?

There is, and not just one. There are many ways to amplify an attack, but one of the most popular right now is an attack through public DNS servers. Experts call this amplification method DNS amplification (in case someone prefers expert terms). To put it simply, imagine an avalanche: a small effort is enough to start it, but stopping it takes inhuman resources.

As you and I know, a public DNS server, on request, gives anyone information about any domain name. For example, we ask such a server: tell me about the domain sprinthost.ru. And without hesitation, it tells us everything it knows.

Querying a DNS server is a very simple operation. Contacting it costs almost nothing; the request is microscopic. For example, like this:

All that remains is to choose a domain name whose records make up an impressive data package. So the original 35 bytes, with a flick of the wrist, turn into almost 3700: an increase of more than 10 times.

But how can the response be made to go to the "right" IP? How can the source IP of a request be spoofed so that the DNS server sends its responses towards a victim who never asked for any data?

The fact is that DNS servers work over UDP, a protocol that does not require any confirmation of the request's source at all. Forging the source IP in this case is not very difficult for a DDoSer. This is why this type of attack is so popular now.

Most importantly, a very small botnet is enough to carry out such an attack, plus several scattered public DNS servers, which see nothing strange in different users requesting data about the same host from time to time. Only afterwards does all this traffic merge into one stream and tightly clog a single "pipe".

What the DDoSer cannot know is the capacity of the attacked party's channels. And if he miscalculates the power of his attack and does not immediately clog the channel to the server to 100%, the attack can be repulsed quite quickly and easily. Using utilities like tcpdump it is easy to see that the incoming traffic is coming from DNS, and to refuse it at the firewall level. This option, refusing to accept DNS traffic, causes a certain inconvenience for everyone; however, both the servers and the sites on them keep working.
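The check described above (inbound DNS answers that nobody on the server asked for, then refused at the firewall), as an added example that is not part of the original article; the packet summaries, addresses, the 512-byte threshold and the iptables rule format are constructed for illustration:

```python
"""Flag inbound DNS answers that nobody on this host asked for (reflected amplification traffic)."""
from collections import defaultdict

# Constructed one-line packet summaries of the kind tcpdump would show; not a real capture.
# Fields: (direction, src_ip, src_port, dst_ip, dst_port, udp_payload_bytes)
PACKETS = [
    ("out", "198.51.100.10", 40001, "192.0.2.53", 53, 35),    # our host queries its resolver
    ("in",  "192.0.2.53", 53, "198.51.100.10", 40001, 120),   # the matching answer
    ("in",  "192.0.2.77", 53, "198.51.100.10", 53, 3700),     # answer we never requested
    ("in",  "192.0.2.78", 53, "198.51.100.10", 53, 3700),
    ("in",  "192.0.2.77", 53, "198.51.100.10", 53, 3700),
    ("out", "198.51.100.10", 40002, "192.0.2.53", 53, 35),
    ("in",  "192.0.2.53", 53, "198.51.100.10", 40002, 3700),  # big, but legitimately requested
]

def find_unsolicited_dns(packets, min_bytes=512):
    """Return {reflector_ip: bytes} for inbound UDP/53 responses with no earlier matching query
    from this host. Answers to our own queries are never counted, however large they are."""
    pending = set()                 # (our_ip, our_port, resolver_ip) of queries we sent
    reflectors = defaultdict(int)
    for direction, src, sport, dst, dport, size in packets:
        if direction == "out" and dport == 53:
            pending.add((src, sport, dst))
        elif direction == "in" and sport == 53:
            key = (dst, dport, src)
            if key in pending:
                pending.discard(key)    # legitimate answer to something we asked
            elif size >= min_bytes:
                reflectors[src] += size
    return dict(reflectors)

def amplification_factor(request_bytes, response_bytes):
    """Bytes the victim receives per byte the spoofed request cost (35 -> 3700 in the text)."""
    return response_bytes / request_bytes

def drop_rules(reflectors):
    """Per-reflector firewall rules; the text's blunter option is dropping all inbound UDP from port 53."""
    return [f"iptables -A INPUT -p udp --sport 53 -s {ip} -j DROP" for ip in sorted(reflectors)]

if __name__ == "__main__":
    seen = find_unsolicited_dns(PACKETS)
    print(seen)
    print("\n".join(drop_rules(seen)))
```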

This is just one of many possible ways to amplify an attack. There are many other types of attack; we can talk about them another time. For now, I would like to sum up: all of the above holds for an attack whose power does not exceed the width of the channel to the server.

If the attack is powerful

If the attack power exceeds the capacity of the channel to the server, the following happens. The Internet channel to the server is instantly clogged, then the channel to the hosting site, then to its Internet provider, then to the upstream provider, and so on upward (in the limit, to absurd lengths), as far as the attack power suffices.

That is when it becomes a global problem for everyone. In a nutshell, that is what we had to deal with on November 20, 2013. And when large-scale upheavals occur, it is time to turn on special magic!


This is what the special magic looks like. Using it, you can determine the server to which the traffic is directed and block its IP at the Internet provider level, so that the provider stops accepting, over its channels to the outside world (uplinks), any traffic to that IP. For term lovers: experts call this procedure a "blackhole".

In this case, the attacked server, with its 500-1500 accounts, is left without its IP. A new subnet of IP addresses is allocated for it, over which the client accounts are distributed evenly at random. Then the experts wait for the attack to repeat. It almost always does.

And when it repeats, the attacked IP no longer carries 500-1000 accounts, but only a dozen or two.

The circle of suspects narrows. These 10-20 accounts are again distributed across different IP addresses, and again the engineers lie in ambush waiting for the attack to repeat. Again and again they spread the accounts still under suspicion over different IPs and thus, closing in step by step, determine the target of the attack. All the other accounts return to normal operation on their previous IP.

As you can see, this is not an instant procedure; it takes time to carry out.
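The narrowing procedure from the last few paragraphs as a small model, added here and not code from the original article. It generalizes the text's one example to any number of accounts and any subnet size, and shows that the number of rounds grows only as the logarithm of the account count; the subnet 192.0.2.0/24, the account names and the fixed random seed are placeholders.

```python
"""Model of the account-redistribution procedure used to find which account an attack is aimed at."""
import math
import random

def distribute(accounts, ips, rng):
    """Spread accounts evenly, in random order, over the given IPs."""
    shuffled = list(accounts)
    rng.shuffle(shuffled)
    return {ip: shuffled[i::len(ips)] for i, ip in enumerate(ips)}

def make_attack_oracle(target):
    """Stands in for 'waiting for the attack to repeat': the attacker follows the target's
    name to its new address, so the IP that gets hit is the one now holding the target."""
    def attacked_ip(placement):
        for ip, held in placement.items():
            if target in held:
                return ip
        raise ValueError("target is not placed on any IP")
    return attacked_ip

def locate_target(accounts, attacked_ip, subnet_size=16):
    """Return (target_account, rounds, cleared_per_round). Each round the suspects are spread
    over a fresh set of IPs; after the attack repeats, only the accounts on the hit IP remain
    suspects and everyone else goes back to normal service."""
    rng = random.Random(0)          # fixed seed so the example is reproducible
    suspects = list(accounts)
    rounds, cleared = 0, []
    while len(suspects) > 1:
        ips = [f"192.0.2.{i}" for i in range(1, min(subnet_size, len(suspects)) + 1)]
        placement = distribute(suspects, ips, rng)
        hit = attacked_ip(placement)
        cleared.append(len(suspects) - len(placement[hit]))   # accounts released this round
        suspects = placement[hit]
        rounds += 1
    return suspects[0], rounds, cleared

def expected_rounds(n_accounts, subnet_size=16):
    """Each round divides the suspect set by about subnet_size, hence log_k(n) rounds."""
    return math.ceil(math.log(n_accounts, subnet_size)) if n_accounts > 1 else 0

if __name__ == "__main__":
    accounts = [f"acct{i}" for i in range(1200)]
    print(locate_target(accounts, make_attack_oracle("acct777")))
```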

Myth number four: "When a large-scale attack occurs, my host has no plan of action. He just waits, eyes closed, for the bombing to end, and answers my letters with identical replies." This is not true: in the event of an attack, the hosting provider acts according to a plan to localize it and eliminate the consequences as quickly as possible. And identical letters let us convey the essence of what is happening while saving the resources needed to deal with the emergency as quickly as possible.

Is there light at the end of the tunnel?

Today we see DDoS activity constantly increasing. Ordering an attack has become very accessible and outrageously cheap. To avoid accusations of propaganda, there will be no proof links. But take our word for it: it is true.

Myth number five: "A DDoS attack is a very expensive undertaking, and only business tycoons can afford to order one. At the very least, it is the work of the secret services!" In fact, such events have become extremely accessible.

So there is no reason to expect that malicious activity will go away on its own. Rather, it will only intensify. All that remains is to forge and sharpen our weapons. That is what we do, improving the network infrastructure.

Legal side of the issue

This is a very unpopular aspect of discussing DDoS attacks, since we rarely hear of the perpetrators being caught and punished. However, you should remember: a DDoS attack is a criminal offence in most countries of the world, including the Russian Federation.

Myth number six: "Now I know enough about DDoS, I'll order a party for a competitor, and nothing will happen to me for it!" It is quite possible that it will. And if it does, you will get more than you bargained for.

  • The beginning of the DDoS story of the Assist payment system
  • The exciting ending

In general, we advise no one to engage in the vicious practice of DDoS, so as not to incur the wrath of justice and not to ruin your karma. And we, given the nature of our work and our keen research interest, continue to study the problem, stand guard and improve our defences.

PS: we don't have enough kind words to express our gratitude, so we simply say "Thank you!" to our patient customers who warmly supported us on the difficult day of November 20, 2013. You said many encouraging words in our support in

Hello, dear friends and readers of the site!

Just a couple of days ago, your favourite blog was subjected to a swift DDOS attack carried out by unknown attackers.

Due to their criminal actions, access to the resource was closed.

Thanks to one of the readers, who noticed the system failure early, it was possible to take countermeasures in time to repel the DDOS attack.

Now that the passions have calmed down a bit, let's figure out what a DDOS attack is.

In simple terms, a DoS attack is the creation of conditions under which the provider denies service to a client because of heavy load on the server at the moment the site is accessed.

That is, clever people, using special software and skilled hands, send thousands of bogus requests to your server. Because of the huge number of simultaneous calls to your resource, the system cannot cope and shuts it down.

To be more precise, it is not the server that switches your site off, but the support service, which thereby relieves the load on its machine.

Sad, isn't it? They are supposed to protect you, but they simply cut off your sore arm and wait for the wound to heal.

Well, never mind; we weren't born yesterday either.

I think you have already asked yourself the question: "How is a DDOS attack made?"

Okay, I'll give you some introductory information, but keep in mind that this is criminally punishable. I, as the author, ask that all charges be dropped in the event of illegal actions by readers.

At one time, the same clever people created a laser gun under the code name "LOIC". Using this program, the developers tested the resilience of server equipment by subjecting it to various loads simulating DOS attacks.

Having fallen into evil and calculating hands, the ray of light became the sword of an Archangel who connects his legion of followers, sends millions of bogus requests and disables competitors' websites.

This program is not classified and is publicly available on the Internet. You can download it.

The LOIC program is easy to use. We launch LOIC.exe and see the following window:

In the two top lines, enter the URL or IP address of the victim and click Lock on:

After these steps, the target IP will appear in a large window labeled NONE:

In the lower window, set the stream type (TCP, HTTP or UDP), the number of requests (the default is 10) and move the transfer speed slider:

After finishing the settings, click on the big button:

That's all; the DOS attack has begun. You can stop the process by pressing the same button.

Of course, you won't overwhelm a serious resource with one gun, but by connecting several of these guns on a large number of computers at the same time, you can do real damage.

But I repeat: these are illegal actions, and carrying out a DDOS attack in collusion with a group of people is criminally punishable. This material is for informational purposes only.

Launching the LOIC laser cannon:


Protection against DDOS attacks.

Today, 100% protection against DDOS attacks does not exist. Of course, various companies offer services protecting sites from DOS attacks for serious money, but everything is relative. If your resource is subjected to a powerful attack involving many participants and DOS bots, then no system will survive.

Therefore, all you can do is repel attacks and block the IP addresses of the DOS source.

By the way, a new competition will be announced soon! Do not miss!

Until next articles...

P.S.

Dear friends, I have a huge request for you! After reading the material above, go and hone your skills on other websites. Please don't interfere with my work. You have been given useful material; have a conscience. Stop attacking the source of your own knowledge.

Thanks for understanding!

Best regards, Denis Chernikov!

Recently we have seen that DDoS attacks are quite a powerful weapon in the information space. Using high-power DDoS attacks, you can not only take down one or more sites, but also disrupt the operation of an entire network segment or cut off the Internet in a small country. These days DDoS attacks happen more and more often, and their power increases every time.

But what is the essence of such an attack? What happens on the network when it is performed, where did the idea to do this come from and why is it so effective? You will find answers to all these questions in our article today.

DDoS, or distributed denial of service, is an attack on a specific computer on a network that overloads it so that it stops responding to requests from other users.

To understand what a DDoS attack means, let's imagine a situation: a web server serves site pages to users. Say it takes half a second to build a page and fully transfer it to the user's computer; then our server can operate normally at a rate of two requests per second. If more requests than that arrive, they are queued and processed as soon as the web server is free. Every new request is added to the end of the queue. Now imagine that there are a great many requests, and most of them are sent only to overload this server.

If the rate at which new requests arrive exceeds the processing rate, then over time the queue becomes so long that no new requests are actually processed at all. That is the main principle of DDoS attacks. Previously, such requests were sent from a single IP address, and this was called a denial-of-service attack; in fact, this is the answer to the question of what DoS is. But such attacks can be fought effectively by simply adding the source IP address, or several of them, to a block list; besides, because of bandwidth limits, a few devices physically cannot generate enough packets to overload a serious server.
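The queue model from the last two paragraphs (half a second per page, two requests per second) as a small simulation, added here and not code from the original article. It also contrasts a single-source flood, which a per-source limit stops, with the same request volume spread over several hosts, which it does not; the addresses and traffic patterns are constructed.

```python
"""Toy model of the request queue from the text: half a second per page, so two requests per second."""
from collections import Counter

SERVICE_TIME = 0.5                      # seconds to build and deliver one page, as in the text
CAPACITY = int(1 / SERVICE_TIME)        # 2 requests per second

def queue_history(requests_by_second, capacity=CAPACITY):
    """requests_by_second: one list of source IPs per second.
    Returns the backlog (requests still waiting) at the end of each second."""
    backlog, history = 0, []
    for reqs in requests_by_second:
        backlog = max(0, backlog + len(reqs) - capacity)
        history.append(backlog)
    return history

def per_source_limit(requests_by_second, max_per_source=1):
    """Drop requests beyond max_per_source from any single IP within a second: the
    'add the source IP to the block list' idea, applied automatically."""
    limited = []
    for reqs in requests_by_second:
        seen, kept = Counter(), []
        for ip in reqs:
            seen[ip] += 1
            if seen[ip] <= max_per_source:
                kept.append(ip)
        limited.append(kept)
    return limited

# Constructed traffic for ten seconds (addresses from documentation ranges, not real hosts).
NORMAL = [["198.51.100.1"] for _ in range(10)]
# One visitor plus one host sending five bogus requests every second (single-source DoS).
SINGLE_SOURCE = [["198.51.100.1"] + ["203.0.113.9"] * 5 for _ in range(10)]
# The same five bogus requests per second, but from five different hosts (distributed).
DISTRIBUTED = [["198.51.100.1"] + [f"203.0.113.{i}" for i in range(1, 6)] for _ in range(10)]

if __name__ == "__main__":
    print("normal:              ", queue_history(NORMAL))
    print("single source:       ", queue_history(SINGLE_SOURCE))
    print("single, limited:     ", queue_history(per_source_limit(SINGLE_SOURCE)))
    print("distributed, limited:", queue_history(per_source_limit(DISTRIBUTED)))
```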

Therefore, attacks are now carried out from millions of devices at once. The word Distributed was added to the name, giving DDoS. Individually these devices mean nothing and may not even have a fast Internet connection, but when they all start sending requests to one server at the same time, they can reach a combined rate of up to 10 Tb/s. And that is already a serious figure.

It remains to figure out where attackers get so many devices for their attacks. These are ordinary computers or various IoT devices that the attackers managed to gain access to. It could be anything: video cameras and routers whose firmware has not been updated for a long time, control devices, and ordinary users' computers that somehow caught a virus whose existence their owners do not know about or are in no hurry to remove.

Types of DDoS attacks

There are two main types of DDoS attack: those aimed at overloading a specific program, and those aimed at overloading the network link to the target computer itself.

Attacks that overload a program are also called layer 7 attacks (the OSI network model has seven layers, and the last one is the layer of individual applications). An attacker picks a program that uses a lot of server resources and sends it a large number of requests. Eventually the program can no longer process all the connections in time. This is the type we discussed above.

DoS attacks on the Internet channel require far more resources, but they are much harder to cope with. In OSI terms these are attacks on layers 3-4, that is, on the link or the data transfer protocol. The point is that any Internet connection has a limit on the speed at which data can be transferred over it. If there is a lot of data, the network hardware, just like a program, queues it for transmission, and if the amount of data and the rate at which it arrives greatly exceed the speed of the channel, the channel is overloaded. The data transfer rate in such cases can be measured in gigabytes per second. For example, when the small country of Liberia was cut off from the Internet, the data transfer rate reached 5 TB/sec. However, 20-40 Gb/s is enough to overload most network infrastructures.

Origin of DDoS attacks

Above we looked at what DDoS attacks are and the methods used to carry them out; it is time to move on to their origins. Have you ever wondered why these attacks are so effective? They are based on military strategies that have been developed and tested over many decades.

In general, many approaches in information security are based on military strategies of the past. There are Trojan viruses, reminiscent of the ancient siege of Troy; ransomware viruses that hold your files for ransom; and DDoS attacks that limit the enemy's resources. By limiting an opponent's options, you gain some control over his subsequent actions. This tactic works very well both for military strategists and for cybercriminals.

In military strategy it is easy to think of the kinds of resources that can be restricted to limit an enemy's capabilities. Cutting off water, food and building materials would simply destroy the enemy. With computers it is different: there are various services, for example DNS, web servers and email servers. They all have different infrastructure, but one thing unites them: the network. Without a network, you cannot reach a remote service.

Warlords can poison water, burn crops and set up checkpoints. Cybercriminals can send malformed data to a service, make it consume all its memory, or completely overload the entire network channel. Defence strategies have the same roots: the server administrator has to monitor incoming traffic to find the malicious part and block it before it reaches the target network channel or program.

Founder and site administrator, passionate about open source software and the Linux operating system. I currently use Ubuntu as my main OS. Besides Linux, I am interested in everything related to information technology and modern science.

2024 gtavrl.ru.