DDoS attacks is just one from the long list of problems that your web server needs protection from. If you think it’s alright to shrug it off, let us take you back in time to 2016 when internet heavyweights such as Amazon, Twitter, Spotify, Netflix, Etsy were knocked out through repeated DDoS attacks and reported damages in millions of dollars.
One thing’s clear: DDoS needs to be taken seriously. But tackling it first requires knowing all you can about it. Here’s everything you need to know about DDoS.
What is DDoS?
DDoS stands for distributed denial of service and sometimes just referred to as “Denial of service”. It is exactly what it sounds like- your server, under a DDoS attack, will refuse to function anymore. What happens is that your server is actually overwhelmed with traffic which disrupts its services. An abnormally large number of requests is sent to the server and this causes the system to break down and it is unable to process any request at all for a long time.
For instance, Amazon’s website, because of the DDoS attack in 2016, went down for hours and millions of customers and the website administrative themselves were unable to access the website. Such DDoS attacks can even be part of a deeper criminal activity; as the website is down, sensitive customer data such as credit card information will be vulnerable to breaches.
Although we will be discussing DDoS attacks in general and how, with your hosting services, you can protect your server against them, it is important to recognize that all DDoS aren’t necessarily attacks. Some of them can also be accidental. These DDoS “accidents” are actually much more common; targeted attacks are seen in high profile websites such as Amazon, eBay and the likes but for smaller websites, inadvertent DDoS due to their own code is a much likelier scenario.
For example, software and application developers often are unable to determine load distribution and assume it to be even. When the server experiences unexpectedly uneven high loads, processing naturally slows down and the users are left with a glitchy website. But this slow processing isn’t the worst part. When the server encounters such errors, it is often written in the code to retry after 60 seconds or some other similar time interval. This causes requests to build up and the 60 seconds of downtime gradually build up to a full-blown DDoS attack.
Difference Between DoS and DDoS
Although the goal of both these attacks is the same i.e. to disrupt the services of your website, the difference lies in how they set about accomplishing it.
DoS or denial of service is pretty simple; it launches its attack from a single computer. On the other hand, DDoS or distributed denial of service attacks are launched from hundreds or even thousands of machines. All of these computers don’t necessarily belong to the hacker. Victim computers which don’t have adequate security features can easily be added to the hacker’s network by malware. This network of computers are known as a botnet and are often used by hackers and cybercriminals to launch DDoS attacks, steal data, send spam and conduct other such malicious activities.
Types of DDoS Attacks
Once you see just how many types of DDoS attacks your system is vulnerable to and the innumerable ways they can attack it, you will recognize the urgency of the situation.
- Volume Based Attacks
This is the simplest one to understand- the goal is to send a huge number of traffic and requests to your server and saturate its bandwidth to the fullest. Although volume based attacks are measured in bits per second (bps), these have evolved to create traffic of over 1 terabit per second (tbps).
There are a number of request amplification techniques which are used to conduct volumetric attacks. These include UDP or User Datagram Protocol floods, ping floods and other spoofed packet floods.
UDP floods target different ports of the server randomly leading to an overwhelmingly amount of requests in these targeted ports, thus draining the server’s processing power. Ping floods, also known as ICMP floods, send a continuous stream of ICMP echo requests to the server, without waiting for a reply. As the server tries to respond with an ICMP echo reply of its own, the system slows down and eventually shuts down. Spoofed packets are basically data requests sent from a fake IP address, one that does not exist on the internet currently.
- Protocol Attacks
Protocol attacks target the Layer 3 (network layer) and Layer 4 (transport layer) of the Open Systems Interconnections or OSI model of a computer system. This doesn’t just affect the server; the intermediate structures such as firewall and load balancer are also targeted. By attacking these critical resources, this type of DDoS attacks consume all of the server’s computational capacity, utilizing them to their maximum and thus, disabling the server from responding to legitimate processing requests.
Protocol attacks, notorious among hosts, can be launched by a wide array of means such as the infamous Ping of Death, Smurf DDoS, SYN floods and fragmented packet attacks.
The Ping of Death manipulates TCP/IP protocol, hence causing the system to break down. The principle here is that computers process data in “packets”. These packets typically consist of 64 bytes; this is a fundamental part of communication across networks of servers. As for a complete Internet Protocol packet, consisting of data and header, it can contain up to a maximum of 65, 535 bytes. The Ping of Death sends malformed IP packets, which contain greater than the prescribed limit of data, to its target server. This confuses and overloads the memory buffers of a server, leading to a crash.
Smurf attacks are similar to ping floods, except that Smurf manipulates the communication system of the broadcast network to amplify its attack. It uses the Smurf malware, a fun name which is actually disguising a very dangerous software, to send an echo request from the target server to an IP broadcast network. Subsequently, all the hosts in the network respond to the server, thus flooding it.
SYN flood identify weaknesses in the TCP connection sequence, known as the three-way handshake and exploits it to overwhelm the server. For instance, the malicious computer system will send synchronizing (SYN) requests repeatedly to the target server from a spoofed IP address. As the target server will try to respond to these requests with its own acknowledgement (ACK), it will keep failing as these requests weren’t sent from a real IP address anyways. The server has its hands full with trying to respond to these fake SYN requests while legitimate requests are ignored. Eventually, the servers give in and crash.
- Application based Attacks
As far as DDoS attacks are concerned, application layer attacks are considered to be the hardest to deal with. It targets the Layer 7 (application layer) of the OSI model, which typically faces the end user. Disguised as seemingly legitimate requests, these types of attacks are significantly harder to detect than the others. Slowloris and HTTP floods are common application based attacks.
HTTP floods are also known as GET/POST attacks. Rather than using botnets, spoof packets or the many different ways of attacking servers that we’ve looked into, HTTP floods take on a simpler yet more potent approach. Hackers send floods of GET and POST requests, which are used for data retrieval, to the server. They craft these requests to take up as much of the server’s processing capabilities as possible. Eventually, the server is rendered unable to process any request.
Slowloris is another technique to monopolize a server’s resources. The web server containing the Slowloris software builds connections with all the open ports of the targeted server but never sends a complete HTTP request. Rather, it just sends partial headers. As the server waits for request completion, it exhausts all its resources.
Saving Your Server from DDoS Attacks
DDoS attacks come in so many forms, it might seem impossible for you to handle them. But the stakes are high and you need to make sure that your web security is airtight.
- Make sure that your web server has an over-abundance of bandwidth. Instead of buying a plan that offers just as much as you need, choose one that offers more than you will use. This will free up resources against potential DDoS attacks and even buy you time as you try to recover your system.
- Use managed hosting. DDoS attacks are much more sophisticated than all other security threats that a server is faced with. But a web server, housed in a data centre, with adept administrators who are bound by SLA agreements to keep your server up and running, is much safer. Besides, the best managed hosting providers offer DDoS protection services which add more layers of security to your regular security features.
- Cloud hosting, a kind of managed hosting, offers scalability in dealing with bursts of traffic and also offers DDoS mitigation services. For protection against DDoS attacks, choosing cloud hosting is a great step.
DDoS Protection Services from Hosts
According to Kaspersky, a single DDoS attack can cost your company $52,000 to $444,000. This is unacceptable. What you need is special DDoS protection services which will make sure that you never have to deal with these malicious attacks.
These protection services are enabled in a number of stages- detection, diversion, filtering and analysis.
First, it detects any abnormalities in web traffic. The sooner they are identified, the more effective your protection services are. Then, the malicious traffic is diverted away from the targeted server either by DNS or by BGP rerouting. Next, this traffic is filtered by techniques such as spoofing filtering or bogon filtering. This stage will distinguish between legitimate requests and malicious ones. Finally, the system takes a granular look into the security logs to identify both the offender and cause of the attack.
Things to Consider
When you are looking for hosts which offer DDoS protection services, here are some factors that you should consider.
- Network capacity
This is a measure of scalability in case of an attack. Basically, it is the amount of bandwidth that is available to deal with malicious traffic while the rest of it maintains regular operations.
- Processing capabilities
In units of Mpps (millions of packets per second) it is the measure of the processing power of the server to deal with DDoS attacks. These attacks can be as small as 50 Mpps and go as high as 300 Mpps. It is important for your hosting provider to have a higher processing capability to handle the influx of data packets.
- Time taken for mitigation
Your DDoS protection services should be able to identify an attack as soon as possible and weed it out. But if it takes too long and the attack takes hold of the server, it could crash and recovery would be a lengthy process.
Have a look here at the best DDoS Protection Service Providers of 2018, presented to you by HostAdvice. DDoS can be deadly and you should definitely take all the measures you can to protect your website against it.