Modern business is becoming more and more dependent on information technology. Large-scale digital transformation programs have significantly increased the importance of digital interaction channels with customers and partners. Moreover, the massive shift to remote work has forced businesses to hastily build digital communication channels with their own employees as well. As a result, the network infrastructure and information resources connected to the Internet have become critical for many enterprises, and the risks associated with them have become business risks because the downtime of these resources or denials of service lead to significant losses and reputational costs.
This is exactly what cybercriminals exploit by regularly launching attacks on networks, websites, and all kinds of Internet services. They use a variety of approaches and tools to do so. In particular, they favor DDoS attacks, which are inexpensive to organize and carry out while being quite effective in their impact on the victim's business.
The damage from a successful DDoS attack lies primarily in financial and reputational costs: lost profits, terminated contracts and user churn, numerous customer complaints, a wave of negative coverage in the media and on social networks and, as a result, damage to the reputation of the Internet resource and its owner. A DDoS attack is also often used as a cover for the main malicious action in a targeted attack: while information security specialists concentrate on repelling the DDoS attack and restoring systems to operation, the attackers advance the main attack vector, for example by hacking a service, stealing confidential data or installing malicious code.
The most common targets for DDoS attacks are the government, financial institutions, gaming services, and e-commerce companies. With the onset of the pandemic, attacks on educational resources, video conferencing services, online cinemas, media and entertainment sites have greatly increased.
In the event of a successful attack, the victim resource will show a significant drop in performance or will be unable to process legitimate requests from users and other services at all. Depending on what the victim resource is, the consequences of a successful DDoS attack may be slow operation or unavailability of a network, server, Internet service, website or application. As a result, the Internet resource freezes, legitimate users cannot reach it when they need to, the network or server is temporarily cut off from the Internet, the Internet resource stops working correctly, and so on.
The targets of DDoS attacks are often devices connected to the Internet: network equipment, physical and virtual servers, various Internet services, websites and web applications, IoT infrastructure.
Most attacks develop in the following sequence:
Some types of attacks use so-called amplification. Its effect can be so strong that an attack succeeds without a botnet, from one or a few computers. The amplifying effect is achieved because the attacker sends requests with the source IP address spoofed to the victim's address, and the response the victim receives can be several times, or even dozens of times, larger than the original request.
Smart DDoS attacks deserve a separate mention: the attackers pick the most resource-intensive functions of a web application as the specific target and create an excessive load on them, causing a denial of service for the application (usually without exhausting the channel bandwidth). The effect of such an attack can be very strong even when it is carried out from a single computer without a botnet (a DoS attack).
Most often, attacks are classified according to the OSI layer at which they were carried out:
Another common method of classification is by the method of exposure:
There are at least three ways to classify DDoS defenses:
At the highest level, DDoS protection solutions can be classified as follows:
Their main advantages:
Drawbacks and limitations:
The main clients of on-premise solutions are large operators: ISPs, cloud providers, and data centers with their own DDoS response service.
Benefits of quality cloud solutions:
Cloud solutions are the best option for most organizations.
As the cost of hybrid solutions declines, they will become available to smaller service providers.
Typically, DDoS attacks exploit vulnerabilities and features of protocols and systems operating either at the network (L3) and transport (L4) layers of the OSI model or at the application and software services layer (L7). In addition, "intelligent" attacks using very sophisticated methods are becoming more and more widespread. Based on this, DDoS protection solutions can be divided into three categories:
On-premise solutions are typically limited to L3 and L4 protection. The functionality of cloud solutions varies widely, and to understand what they are capable of you need to study the documentation of the specific service carefully. To protect critical Internet resources, choose an option that includes a WAF: this maximizes the security of the resources and keeps them available under DDoS attacks of varying complexity.
According to the connection format, DDoS protection can be divided into symmetric and asymmetric.
Symmetric algorithms are typically more effective because they analyze both traffic streams at once and can base decisions on complete information about the network interaction between the server and its clients. Asymmetric algorithms cannot guarantee 100% filtering of some attacks.
Symmetric protection is usually recommended for countering attacks against websites and mission-critical applications, while asymmetric protection is usually recommended for protecting ISP networks.
A comparison of the main advantages and disadvantages of both protection classes is shown in the table.
| Criterion | Symmetric protection | Asymmetric protection |
|---|---|---|
| Flexible outbound traffic management | No | Yes |
| Complexity of connection | Higher | Lower |
| Ability to use multiple providers to protect against DDoS attacks (one IP) | No | Yes |
Depending on what objects need to be protected, you should choose different methods and means of protection against DDoS attacks.
It is also very important to put yourself in the attacker's position: think about how they could try to carry out their plans, then not only eliminate every vulnerability you find but also test the service thoroughly to make sure it can really withstand attacks.
The first thing to consider when building protection of sites and web applications from DDoS attacks is whether you have access to the server on which the sites and applications are hosted. If you can fully control it, you should not only take care of connecting external DDoS protection, but also properly prepare the server itself: optimize the operating system's network stack so that the server can withstand high loads. To protect against DDoS, it is very important to ensure high performance of the server, including the processing of requests coming over the network.
The default settings of the OS network stack and of the Apache or Nginx web server running in production mode usually have significant limitations that must be removed. In particular, pay attention to the parameters that determine the performance of the server on Nginx and of the Linux network stack. Also pay attention to tuning the DBMS in use: it should work quickly.
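As an added example (not from the original article), a small POSIX shell audit of a few Linux network-stack sysctls that commonly cap how much connection load a web server can absorb. The sysctl keys are real Linux parameters, but the minimum values are assumed thresholds for illustration, not the article's recommendations, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not the article's own code. Audits a few Linux network-stack
# sysctls that commonly cap how many connections a busy web server can accept.
# The keys are real Linux sysctls; the minimum values below are assumed
# thresholds chosen for illustration, not the article's recommendations.

# "key minimum" pairs: SYN cookies on, and larger accept/SYN/device backlogs.
WANTED='
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 4096
net.core.somaxconn 4096
net.core.netdev_max_backlog 4096
'

# Constructed sample in `sysctl -a` format: one weak value, one key missing.
SAMPLE_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 128
net.core.somaxconn = 4096'

# audit_sysctl_text: read "key = value" lines (the output format of
# `sysctl -a`) from stdin, print every key that is missing or below its
# minimum, and return the number of findings (0 means nothing to fix).
audit_sysctl_text() {
    input=$(cat)                      # read the whole listing once
    findings=0
    while read -r key min; do
        [ -n "$key" ] || continue
        cur=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $3; exit }')
        if [ -z "$cur" ]; then
            echo "MISSING  $key (want >= $min)"
            findings=$((findings + 1))
        elif [ "$cur" -lt "$min" ]; then
            echo "LOW      $key = $cur (want >= $min)"
            findings=$((findings + 1))
        fi
    done <<EOF
$WANTED
EOF
    return "$findings"
}

# Run with --live to audit the current host (values come from `sysctl -a`);
# otherwise the constructed sample is audited. Exit status = findings.
if [ "${1:-}" = "--live" ]; then
    sysctl -a 2>/dev/null | audit_sysctl_text
else
    printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl_text
fi
```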
If your site uses popular CMS systems (for example, Joomla!, WordPress, Drupal), be sure to use the public recommendations for tuning their performance. It is necessary to ensure high performance of the site in standard mode – this will increase its chances of coping with a DDoS attack.
If an application or site is hosted externally and it is decided to entrust DDoS protection to the hosting provider, then at the very least clarify whether that provider can protect the resource from attacks at the application level (L7). In any case, you can connect an external protection service, and you need to configure it so that the IP address of the real server is not exposed to the attacker through mail headers, open ports or other services.
And here are some more recommendations:
To ensure the stability of services that interact with users over TCP and UDP, first optimize the network stack of the operating system. To begin with, make sure the network card's interrupts are distributed across different processor cores. On most modern systems this allocation is done automatically; however, it does not hurt to verify it.
Note that services based on the TCP protocol have a definite advantage in protecting against DDoS attacks, since the protocol itself is better suited to repelling them. Much more effort is required to secure UDP servers. This protocol is connectionless, and if the server is subjected not to a typical attack but to a targeted one that simulates game packets, the traffic will not be filtered, unless you inform your DDoS protection provider in advance about the details of the server's architecture and operation, work out with them methods of repelling atypical attacks, and test their effectiveness with several trial attacks.
To protect Internet services and online games based on TCP and UDP, you must first configure the network card driver. When a frame arrives at the card, it must raise a system interrupt, which "asks" the processor to suspend the current task and process the incoming portion of traffic. However, if every frame caused an immediate interrupt and "distracted" the processor from its current tasks, a noticeable drop in performance would be observed even in the simplest network operations, such as file transfer via FTP. Therefore these interrupts are queued: they accumulate on the network card and are processed by the processor in batches. This usually happens 250-1000 times per second; the less often it happens, the lower the CPU load but the higher the latency.
On the other hand, most modern servers have multiple processor cores. Since the OS treats each of them as a separate processor, the load from interrupts can be distributed evenly between them. There are two ways to do this.
Securing network resilience is perhaps the most difficult case in terms of effective protection against DDoS attacks. Firstly, because often you have to protect not only your Internet resources, but also those belonging to your customers who have placed their IT assets inside your network. Second, the large number of IP addresses that the network owner most likely possesses allows attackers to launch relatively weak attacks against multiple addresses simultaneously, which will significantly slow down the entire infrastructure.
The first thing to take care of is that the edge routers have sufficient performance: determine their bandwidth, assess the current load and, if possible, conduct a series of stress tests, for example using the hping3 utility.
Second, make sure that the IP addresses you own cannot be discovered by tracing (traceroute) either from outside or from inside the network, and that those which can be discovered are protected by ACLs (for help with this, contact your security provider).
When connecting network protection through BGP, remember that an attacker can easily trace the path to the provider performing DDoS filtering and discover the junction IP address (the address at the interconnection point), which is usually not protected and is therefore vulnerable to DDoS attacks. It is therefore advisable to close off the junction IP addresses: first, with an ACL (this must be provided by the provider) and, second, by hiding them from tracing both from outside and from inside the network.
Connecting DDoS protection alone does not guarantee the availability of Internet resources in the event of a DDoS attack. And often the problem lies not in the "bad" DDoS protection, but in the unsuccessful architecture of the Internet service or some of its other features.
In 2017, our company first proposed to the community the term "DDoS protectability" and a set of parameters that affect it. In short, protectability is the ability of an Internet service to be effectively protected from attacks with minimal expenditure of resources.
The following main groups of parameters affect the protectability:
Protection against DDoS attacks can and should be incorporated into a solution at the design stage of its architecture – this will increase availability and reduce the cost of protecting against attacks.
DDoS protection services are now offered by many companies – both specializing in information security and others: ISPs, hosting providers, data centers. Their functionality and quality of protection can vary greatly.
Keep in mind that DDoS protection is a very serious matter, so choose a provider with the utmost care. When choosing a provider, it is important to find out the following.
DDoS protection is a complex task, a real test of the professionalism not only of the anti-DDoS service provider, but also of your own IT employees – system administrators, programmers and, of course, information security specialists.
When setting up an anti-DDoS service, it is important to remember that it must be thoroughly integrated into your information security management processes, otherwise it will not work effectively.
Obviously, you also need to understand that the world, business and IT do not stand still: existing systems are frequently modified, new modules appear, and the business logic of the systems changes. Finally, attackers come up with new ways to attack. Therefore, it is necessary to check and test both your resources and your protection services, and to adapt them to the changes taking place in the IT and information security landscape; this requires the efforts of both the owner of the Internet resources and their security provider.