
Program for detecting DDoS attacks. Protection against DDoS attacks with traffic encryption. DDoS protection methods

Introduction

I should say up front that when I wrote this review, I had in mind primarily an audience that understands the specifics of how telecom operators and their data transmission networks operate. This article outlines the basic principles of protection against DDoS attacks, the history of their development over the last decade, and the current situation.

What is DDoS?

Probably, today, if not every "user", then at least every "IT specialist" knows what DDoS attacks are. But a few words still need to be said.

DDoS attacks (Distributed Denial of Service attacks) are attacks on computer systems (network resources or communication channels) aimed at making them inaccessible to legitimate users. A DDoS attack consists of the simultaneous sending of a large number of requests to a certain resource from one or many computers located on the Internet. If thousands, tens of thousands or millions of computers simultaneously start sending requests to a specific server (or network service), then either the server will fail or the bandwidth of the communication channel to this server will not be enough. In both cases, Internet users will not be able to access the attacked server, or even any of the servers and other resources connected through the blocked communication channel.

Some features of DDoS attacks

Against whom and for what purpose are DDoS attacks launched?

DDoS attacks can be launched against any resource present on the Internet. The greatest damage from DDoS attacks is suffered by organizations whose business depends directly on their presence on the Internet: banks (providing Internet banking services), online stores, trading platforms, auctions, and other businesses whose activity and efficiency depend significantly on their Internet presence (travel agencies, airlines, hardware and software manufacturers, etc.). DDoS attacks are regularly launched against the resources of such giants of the global IT industry as IBM, Cisco Systems, Microsoft and others. Massive DDoS attacks have been observed against eBay.com, Amazon.com, and many well-known banks and organizations.

Very often, DDoS attacks are launched against the web representations of political organizations, institutions, or individual well-known personalities. Many people know about the massive and prolonged DDoS attacks that were launched against the website of the President of Georgia during the Georgian-Ossetian war of 2008 (the website was unavailable for several months starting from August 2008), against the servers of the Estonian government (in the spring 2007, during the riots associated with the transfer of the Bronze Soldier), about periodic attacks from the North Korean segment of the Internet against American sites.

The main goals of DDoS attacks are either gaining profit (directly or indirectly) through blackmail and extortion, or the pursuit of political interests, escalation of the situation, revenge.

What are the mechanisms for launching DDoS attacks?

The most popular and dangerous way to launch DDoS attacks is to use botnets. A botnet is a set of computers on which special software implants (bots) have been installed; literally, a botnet is a network of bots. Bots are usually developed by hackers individually for each botnet, and their main purpose is to send requests towards a specific resource on the Internet on a command received from the botnet Command and Control server. The control server is operated by the hacker, or by the person who bought from the hacker the botnet and the ability to launch a DDoS attack. Bots spread across the Internet in various ways: usually by attacking computers with vulnerable services and installing the implants on them, or by deceiving users into installing bots under the guise of some other service or software that performs a completely harmless or even useful function. There are many ways to distribute bots, and new ones are invented regularly.

If the botnet is large enough - tens or hundreds of thousands of computers - then the simultaneous sending of even quite legitimate requests from all these computers towards a certain network service (for example, a web service on a specific site) will lead to the exhaustion of resources either of the service or server itself, or to the exhaustion of communication channel capabilities. In any case, the service will be unavailable to users, and the owner of the service will suffer direct, indirect and reputational losses. And if each of the computers sends not one request, but tens, hundreds or thousands of requests per second, then the impact force of the attack increases many times over, which makes it possible to disable even the most productive resources or communication channels.

Some attacks are launched in more "harmless" ways. One example is a flash mob of users of certain forums who, by agreement, launch "pings" or other requests from their computers towards a specific server at a certain time. Another is placing a link to a website on popular Internet resources, which causes an influx of users to the target server. If a "fake" link (one that looks like a link to one resource but actually leads to a completely different server) points at a small organization's website and is placed on popular servers or forums, such an attack can cause an influx of visitors that the site cannot handle. Attacks of the last two types rarely render servers unavailable on properly organized hosting, but there have been such cases, even in Russia in 2009.

Will traditional technical means of protection against DDoS attacks help?

A feature of DDoS attacks is that they consist of many simultaneous requests, each of which individually is quite "legal"; moreover, these requests are sent by computers (infected with bots) that may well belong to ordinary real or potential users of the attacked service or resource. It is therefore very difficult to correctly identify and filter, with standard means, exactly those requests that constitute the DDoS attack. Standard systems of the IDS/IPS class (Intrusion Detection/Prevention Systems) will find no "corpus delicti" in these requests and will not understand that they are part of an attack, unless they perform a qualitative analysis of traffic anomalies. And even if they do, filtering out the unwanted requests is not so easy either: standard firewalls and routers filter traffic based on well-defined access lists (control rules) and do not know how to adapt "dynamically" to the profile of a particular attack. Firewalls can regulate traffic flows based on criteria such as source addresses, the network services in use, ports, and protocols. But ordinary Internet users take part in a DDoS attack, sending requests over the most common protocols; should the telecom operator then block everyone and everything indiscriminately? In that case it would simply stop providing communication services to its subscribers and access to the network resources it serves, which is exactly what the initiator of the attack is trying to achieve.

Many specialists are probably aware of the existence of special solutions for protection against DDoS attacks, which consist in detecting anomalies in traffic, building a traffic profile and an attack profile, and the subsequent process of dynamic multi-stage traffic filtering. And I will also talk about these solutions in this article, but a little later. And first, some lesser known, but sometimes quite effective measures that can be taken to suppress DDoS attacks by existing means of a data transmission network and its administrators will be discussed.

Protection against DDoS attacks with existing means

There are quite a few mechanisms and "tricks" that allow, in some special cases, to suppress DDoS attacks. Some can be used only if the data network is built on the equipment of a particular manufacturer, others are more or less universal.

Let's start with the recommendations of Cisco Systems. This company recommends Network Foundation Protection, which includes protection for the Control Plane, Management Plane, and Data Plane.

Management Plane Security

The management plane covers all traffic that manages or monitors routers and other network equipment. This traffic is directed towards the router or originates from the router. Examples of such traffic are Telnet, SSH and http(s) sessions, syslog messages and SNMP traps. General best practices include:

Ensuring maximum security of control and monitoring protocols, using encryption and authentication:

  • SNMP v3 provides security features, while SNMP v1 provides little or no protection and SNMP v2 only partial protection; the default community values should always be changed;
  • different values for the public and private community should be used;
  • the telnet protocol transmits all data, including the login and password, in clear text (if the traffic is intercepted, this information can be easily extracted and used), so it is recommended to always use the SSH v2 protocol instead;
  • similarly, use https instead of http to access equipment.

Strict control of access to equipment, including an adequate password policy, centralized authentication, authorization and accounting (the AAA model) and local authentication for redundancy;

Implementation of a role-based access model;

Control of allowed connections by source address using access control lists;

Disabling unused services, many of which are enabled by default (or were forgotten after diagnostics or system configuration);

Monitoring the use of hardware resources.

The last two points are worth dwelling on in more detail.
Some services that are enabled by default, or that were forgotten after configuring or diagnosing the hardware, can be used by attackers to bypass existing security rules. The list of these services is below:

  • PAD (packet assembler/disassembler);

Naturally, before disabling these services, you need to carefully analyze the absence of their need in your network.

It is desirable to monitor the use of equipment resources. This will allow, firstly, to notice the congestion of individual network elements in time and take measures to prevent an accident, and secondly, to detect DDoS attacks and anomalies if their detection is not provided for by special means. At a minimum, it is recommended to monitor:

  • CPU usage
  • memory usage
  • congestion of router interfaces.

Monitoring can be carried out "manually" (periodically monitoring the state of the equipment), but it is better, of course, to do this with special network monitoring systems or information security monitoring (the latter include Cisco MARS).

Control Plane Protection

The control plane includes all service traffic that ensures the functioning and connectivity of the network in accordance with the given topology and parameters. Examples of control plane traffic are all traffic generated by or destined for the route processor (RP), including all routing protocols, in some cases the SSH and SNMP protocols, and ICMP. Any attack on the functioning of the route processor, and especially a DDoS attack, can lead to significant problems and interruptions in the functioning of the network. The best practices for securing the control plane are described below.

Control Plane Policing

This consists of using QoS (Quality of Service) mechanisms to give control plane traffic a higher priority than user traffic (of which attacks are also a part). This ensures the operation of the service protocols and the route processor, that is, preserves the topology and connectivity of the network, as well as routing and packet switching themselves.

IP Receive ACL

This functionality allows you to filter and control service traffic intended for the router and the route processor. Receive ACLs:

  • are applied already directly on the routing equipment before the traffic reaches the route processor, providing "personal" protection of the equipment;
  • are applied after the traffic has passed the usual access control lists - they are the last level of protection on the way to the route processor;
  • apply to all traffic (both internal, and external, and transit in relation to the network of the telecom operator).

Infrastructure ACL

Normally, only hosts on the carrier's own network need access to the router's own addresses, but there are exceptions (e.g., eBGP, GRE, IPv6 over IPv4 tunnels, and ICMP). Infrastructure Access Control Lists:

  • are usually installed at the edge of the network of the telecom operator ("at the entrance to the network");
  • are intended to prevent external hosts from accessing the addresses of the operator's infrastructure;
  • provide unhindered traffic transit across the border of the operator's network;
  • provide basic protection mechanisms against unauthorized network activity as described in RFC 1918 and RFC 3330, in particular protection against spoofing (the use of fake source IP addresses to mask the source when launching an attack).

Neighbor Authentication

The main purpose of neighbor router authentication is to prevent attacks that send spoofed routing protocol messages to change the routing of the network. Such attacks can lead to unauthorized access to the network, unauthorized use of network resources, and the fact that an attacker intercepts traffic in order to analyze and obtain the necessary information.

Configuring BGP

  • filtering BGP prefixes (BGP prefix filters) - used to ensure that information about the routes of the internal network of the telecom operator is not distributed to the Internet (sometimes this information can be very useful for an attacker);
  • limiting the number of prefixes that can be accepted from another router (prefix limiting) - used to protect against DDoS attacks, anomalies and failures in the networks of peering partners;
  • the use and filtering of BGP Community parameters can also be used to limit the distribution of routing information;
  • BGP monitoring and correlation of BGP data with observed traffic is one of the mechanisms for early detection of DDoS attacks and anomalies;
  • filtering by TTL (Time-to-Live) parameter - used to check BGP partners.

If a BGP attack is launched not from the peering partner's network but from a more remote network, the TTL of the BGP packets will be less than 255. Your routers can therefore be configured to discard BGP packets with TTL < 255, and the peering partners' routers, conversely, to generate only BGP packets with TTL=255. Since the TTL is decremented by 1 at each routing hop, this simple trick makes it easy to avoid attacks from beyond your peering partner's boundary.

Network Data Plane Protection

Despite the importance of protecting the levels of administration and control, most of the traffic in the network of a telecom operator is data that is in transit or intended for subscribers of this operator.

Unicast Reverse Path Forwarding (uRPF)

Often, attacks are launched using spoofing technology - source IP addresses are falsified so that the source of the attack cannot be traced. Spoofed IP addresses can be:

  • from the address space actually used, but in a different network segment (in the segment from which the attack was launched, these fake addresses are not routed);
  • from an unused address space in a given data transmission network;
  • from an address space that is not routable on the Internet.

Implementing the uRPF mechanism on routers prevents the forwarding of packets whose source addresses do not belong to, or are not used in, the network segment from which they arrived at the router interface. This technology sometimes allows unwanted traffic to be filtered quite effectively closest to its source, that is, in the most effective place. Many DDoS attacks (including the well-known Smurf and Tribe Flood Network) use spoofing and constantly changing source addresses in order to deceive standard traffic protection and filtering tools.

The use of the uRPF mechanism by telecom operators providing Internet access to subscribers will effectively prevent DDoS attacks using spoofing technology directed by their own subscribers against Internet resources. Thus, a DDoS attack is suppressed closest to its source, that is, most effectively.

Remotely Triggered Blackholes (RTBH)

Remotely Triggered Blackholes are used to "drop" (destroy, send "to nowhere") traffic entering the network by routing it to the special Null0 interface. This technology is recommended for use at the network edge to drop traffic containing a DDoS attack as it enters the network. A limitation (and a significant one) of this method is that it applies to all traffic destined for the specific host or hosts that are the target of the attack. Thus, this method can be used in cases where one or more hosts are subjected to a massive attack that causes problems not only for the attacked hosts but also for other subscribers and the telecom operator's network as a whole.

Black holes can be controlled both manually and via the BGP protocol.

QoS Policy Propagation Through BGP (QPPB)

QoS Control over BGP (QPPB) allows you to control priority policies for traffic destined for a particular autonomous system or block of IP addresses. This mechanism can be very useful for telecom operators and large enterprises, including for managing the priority level for unwanted traffic or traffic containing a DDoS attack.

Sink Holes

In some cases, it is required not to completely remove traffic using black holes, but to divert it away from the main channels or resources for subsequent monitoring and analysis. That's what Sink Holes are for.

Sink Holes are used most often in the following cases:

  • to divert and analyze traffic with destination addresses that belong to the address space of the telecom operator's network, but are not actually used (they were not allocated to either equipment or users); such traffic is a priori suspicious, as it often indicates attempts to scan or penetrate your network by an attacker who does not have detailed information about its structure;
  • to redirect traffic from the target of the attack, which is a resource actually functioning in the network of the telecom operator, for its monitoring and analysis.

DDoS protection using special tools

The concept of Cisco Clean Pipes - the ancestor of the industry

The modern concept of protection against DDoS attacks was developed (yes, yes, you won't be surprised! :)) by Cisco Systems. The concept developed by Cisco is called Cisco Clean Pipes ("clear channels"). The concept, developed in detail almost 10 years ago, described in some detail the basic principles and technologies for protecting against anomalies in traffic, most of which are still used today, including by other manufacturers.

The Cisco Clean Pipes concept assumes the following principles for detecting and suppressing DDoS attacks.

Points (sections of the network) are selected, the traffic in which is analyzed in order to detect anomalies. Depending on what we protect, such points can be peering connections of the telecom operator with upstream operators, connection points of downstream operators or subscribers, data center connection channels to the network.

Special detectors analyze traffic at these points, build (study) the traffic profile in its normal state, and when a DDoS attack or anomaly occurs, they detect it, study it and dynamically form its characteristics. Further, the information is analyzed by the system operator, and the attack suppression process is started in semi-automatic or automatic mode. Suppression consists in the fact that the traffic intended for the "victim" is dynamically redirected through the filtering device, on which the filters generated by the detector and reflecting the individual nature of this attack are applied to this traffic. Cleaned traffic is injected into the network and sent to the recipient (that's why the name Clean Pipes arose - the subscriber receives a "clean channel" that does not contain an attack).

Thus, the entire cycle of protection against DDoS attacks includes the following main stages:

  • Traffic control characteristics training (profiling, Baseline Learning)
  • Detection of attacks and anomalies (Detection)
  • Redirecting traffic in order to pass it through the cleaning device (Diversion)
  • Traffic filtering to suppress attacks (Mitigation)
  • Entering traffic back into the network and sending it to the addressee (Injection).
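The added example below (my own illustration, not Cisco or Arbor code) walks through three of the stages just listed on sampled flow records: baseline learning of packets per minute per destination, detection as a deviation of mean + k standard deviations, and the construction of a per-attack filter from the dominant protocol/port of the anomaly. The 1:1000 sampling rate, the addresses and the flow records are constructed; the fields of a record are assumed to be (minute, dst, src, proto, dport, sampled_packets).

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

SAMPLING_RATE = 1000   # the detector is fed 1:1000 sampled flow records

# A sampled flow record: (minute, dst, src, proto, dport, sampled_packets).
# Every sampled packet stands for SAMPLING_RATE packets on the wire.

def learn_baseline(records):
    """Baseline Learning: estimated packets per minute for each destination,
    summarised as (mean, population stdev) over the training minutes."""
    per_minute = defaultdict(Counter)                   # dst -> {minute: packets}
    for minute, dst, _src, _proto, _dport, pkts in records:
        per_minute[dst][minute] += pkts * SAMPLING_RATE
    minutes = sorted({r[0] for r in records})
    profile = {}
    for dst, counts in per_minute.items():
        series = [counts.get(m, 0) for m in minutes]     # quiet minutes count as 0
        profile[dst] = (mean(series), pstdev(series))
    return profile

def detect(profile, records, k=3.0):
    """Detection: flag a destination whose rate in the current minute exceeds
    mean + k*stdev (a floor of 10% of the mean stops a perfectly flat baseline
    from producing a zero tolerance). Returns {dst: attack_profile}."""
    current = defaultdict(list)
    for rec in records:
        current[rec[1]].append(rec)
    alerts = {}
    for dst, recs in current.items():
        rate = sum(r[5] for r in recs) * SAMPLING_RATE
        m, sd = profile.get(dst, (0.0, 0.0))
        threshold = m + k * max(sd, 0.1 * m)
        if rate <= threshold:
            continue
        by_key = Counter()
        for _m, _dst, _src, proto, dport, pkts in recs:
            by_key[(proto, dport)] += pkts
        (proto, dport), top = by_key.most_common(1)[0]
        alerts[dst] = {
            "rate": rate, "threshold": threshold,
            "proto": proto, "dport": dport,             # dominant component of the anomaly
            "share": top / sum(by_key.values()),
            "sources": len({r[2] for r in recs}),       # distinct senders seen
        }
    return alerts

def build_filter(alert):
    """Mitigation: derive a filter from the attack profile. The cleaning device
    would drop packets to the victim that match the dominant (proto, dport)."""
    return lambda proto, dport: proto == alert["proto"] and dport == alert["dport"]

# Constructed data: ten quiet minutes, then one minute with a UDP/53 flood
# from twenty sources against 203.0.113.10 (hypothetical addresses).
def training_records():
    recs = []
    for minute in range(10):
        recs += [(minute, "203.0.113.10", "198.51.100.1", "tcp", 443, 4),
                 (minute, "203.0.113.10", "198.51.100.2", "tcp", 443, 3),
                 (minute, "203.0.113.10", "198.51.100.3", "udp", 53, 1),
                 (minute, "203.0.113.20", "198.51.100.9", "tcp", 80, 2)]
    return recs

def attack_minute_records(minute=10):
    recs = [(minute, "203.0.113.10", "198.51.100.1", "tcp", 443, 4),
            (minute, "203.0.113.10", "198.51.100.2", "tcp", 443, 3),
            (minute, "203.0.113.10", "198.51.100.3", "udp", 53, 1),
            (minute, "203.0.113.20", "198.51.100.9", "tcp", 80, 2)]
    recs += [(minute, "203.0.113.10", f"192.0.2.{i}", "udp", 53, 2) for i in range(1, 21)]
    return recs

if __name__ == "__main__":
    profile = learn_baseline(training_records())
    for dst, alert in detect(profile, attack_minute_records()).items():
        print(dst, alert)
```

Diversion and injection are routing operations (BGP next-hop changes or GRE tunnels, as described later in the article) and are outside what this snippet models.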

A few more details.
Two types of devices can be used as detectors:

  • Detectors manufactured by Cisco Systems are Cisco Traffic Anomaly Detector Services Modules designed for installation in the Cisco 6500/7600 chassis.
  • Detectors manufactured by Arbor Networks are Arbor Peakflow SP CP devices.

Below is a comparison table of the Cisco and Arbor detectors.

Parameter | Cisco Traffic Anomaly Detector | Arbor Peakflow SP CP
Source of traffic information for analysis | A copy of the traffic, taken off the Cisco 6500/7600 chassis | NetFlow data received from routers; the sampling rate is adjustable (1:1, 1:1,000, 1:10,000, etc.)
Detection principles used | Signature analysis (misuse detection) and anomaly detection (dynamic profiling) | Primarily anomaly detection; signature analysis is used, but the signatures are generic
Form factor | Service modules in the Cisco 6500/7600 chassis | Separate devices (servers)
Performance | Analyzed traffic up to 2 Gbps | Virtually unlimited (the sampling rate can be reduced)
Scalability | Up to 4 Cisco Detector SM modules in one chassis (however, the modules operate independently of each other) | Several devices can be used within a single analysis system, one of which is assigned the Leader status
Network traffic and routing monitoring | Almost non-existent | Very advanced; many telecom operators buy Arbor Peakflow SP precisely for its deep, mature functionality for monitoring traffic and routing in the network
Subscriber portal (an individual interface that lets a subscriber monitor only the part of the network directly related to him) | Not provided | Provided; a serious advantage of this solution, since the telecom operator can sell individual DDoS protection services to its subscribers
Compatible traffic cleaning (attack suppression) devices | Cisco Guard Services Module | Arbor Peakflow SP TMS; Cisco Guard Services Module
Recommended usage scenarios | Protection of data centers at their connection to the Internet; monitoring of downstream connections of subscriber networks to the telecom operator's network | Detection of attacks on upstream connections of the telecom operator's network to the networks of upstream providers; monitoring of the telecom operator's backbone

The last row of the table shows the usage scenarios for the Cisco and Arbor detectors that were recommended by Cisco Systems. These scenarios are shown in the diagram below.

As the traffic cleaning device, Cisco recommends the Cisco Guard service module, which is installed in the Cisco 6500/7600 chassis; on a command received from the Cisco Detector or from the Arbor Peakflow SP CP, traffic is dynamically redirected to it, cleaned, and reinjected into the network. The redirection mechanisms are either BGP updates to the upstream routers or direct control commands to the supervisor using a proprietary protocol. When BGP updates are used, the upstream router is given a new next-hop for the traffic containing the attack, so that this traffic reaches the cleaning device. At the same time, care must be taken that this information does not create a loop (so that the downstream router, when the cleaned traffic is injected towards it, does not try to send this traffic back to the cleaning device). To this end, the distribution of the BGP updates can be controlled with the community parameter, or GRE tunnels can be used to inject the cleaned traffic.

This state of affairs existed until Arbor Networks significantly expanded its Peakflow SP product line and entered the market with a completely standalone DDoS protection solution.

Introduction of Arbor Peakflow SP TMS

A few years ago, Arbor Networks decided to develop its line of DDoS protection products on its own, independently of the pace and policy of Cisco's development in this area. Peakflow SP CP had fundamental advantages over the Cisco Detector: it analyzed flow information with a controllable sampling rate, and therefore had no restrictions on use in carrier networks and backbone channels (unlike the Cisco Detector, which analyzes a copy of the traffic). In addition, a serious advantage of Peakflow SP was the opportunity for operators to sell subscribers individual services for monitoring and protecting their network segments.

In view of these and other considerations, Arbor has significantly expanded its Peakflow SP product line. A number of new devices have appeared:

Peakflow SP TMS (Threat Management System) - performs DDoS attack suppression through multi-stage filtering based on data received from Peakflow SP CP and from Arbor Networks' ASERT laboratory, which monitors and analyzes DDoS attacks on the Internet;

Peakflow SP BI (Business Intelligence) - devices that scale the system by increasing the number of logical objects that can be monitored and providing redundancy of the collected and analyzed data;

Peakflow SP PI (Portal Interface) - devices that increase the number of subscribers who can be given an individual interface to manage their own security;

Peakflow SP FS (Flow Sensor) - devices that provide monitoring of subscriber routers, connections to downstream networks and data processing centers.

The principles of operation of the Arbor Peakflow SP system have remained basically the same as Cisco Clean Pipes, however, Arbor regularly develops and improves its systems, so at the moment the functionality of Arbor products is better in many ways than Cisco, including performance.

To date, the maximum performance of Cisco Guard is achieved by creating a cluster of 4 Guard modules in one Cisco 6500/7600 chassis, and full-fledged clustering of these devices is not implemented. By contrast, the top models of Arbor Peakflow SP TMS have a performance of up to 10 Gbps and can in turn be clustered.

After Arbor began to position itself as an independent player in the market of systems for detecting and suppressing DDoS attacks, Cisco began to look for a partner that would provide it with much-needed monitoring of network traffic flow data, but would not be a direct competitor. Such a company was Narus, which produces traffic monitoring systems based on flow data (NarusInsight), and entered into a partnership with Cisco Systems. However, this partnership has not received serious development and market presence. Moreover, according to some reports, Cisco does not plan to invest in its Cisco Detector and Cisco Guard solutions, in fact, leaving this niche at the mercy of Arbor Networks.

Some Features of Cisco and Arbor Solutions

It is worth noting some features of Cisco and Arbor solutions.

  1. Cisco Guard can be used both with the detector and independently. In the latter case, it is set to in-line mode and performs the functions of a detector: it analyzes traffic and, if necessary, turns on filters and cleans the traffic. The disadvantages of this mode are, firstly, that an additional point of potential failure is added and, secondly, that an additional traffic delay is introduced (although it is small until the filtering mechanism is turned on). The recommended mode for Cisco Guard is to wait for a command to redirect the traffic containing an attack, filter it, and inject it back into the network.
  2. Arbor Peakflow SP TMS units can also operate in both off-ramp and in-line modes. In the first case, the device passively waits for a command to redirect the traffic containing the attack in order to clean it and enter it back into the network. In the second, it passes all traffic through itself, generates data in the Arborflow format on its basis and transfers it to the Peakflow SP CP for analysis and attack detection. Arborflow is a format similar to Netflow but modified by Arbor for their Peakflow SP systems. Traffic monitoring and attack detection is performed by Peakflow SP CP based on Arborflow data received from TMS. When an attack is detected, the Peakflow SP CP operator issues a command to suppress it, after which TMS turns on filters and clears traffic from the attack. Unlike Cisco, the Peakflow SP TMS server cannot operate on its own; it requires a Peakflow SP CP server to perform traffic analysis.
  3. Today, most experts agree that the tasks of protecting local network sections (for example, connecting data centers or connecting downstream networks) are effective.

Hello, dear readers of the blog site. Who hasn't heard about CloudFlare? I had heard of it and even studied the service's possibilities in detail about five years ago, probably (when). But now I can't say what exactly stopped me from trying the service back then (I don't remember). That doesn't matter anyway.

What is important is that on the first working day after the New Year holidays I still had to connect the site to CloudFlare, and moreover in emergency mode (with hair pulled out, liters of coffee drunk and head banged on the table). This had to be done because of a complete blocking of access to the site (most likely through a DDoS attack; access via FTP was still possible).

I am a terrible server administrator and, by and large, understand little about the intricacies and varieties of DDoS attacks (neither how they are organized nor how to competently fend them off, apart from the simplest blocking by IP). Until you face it, you don't need it.

But it so happened that on the first working day after the New Year holidays I got DDoSed, and neither I nor the hosting's technical support could do anything about it. Hiring a freelancer to solve the problem seemed dumb. Well, at least on the phone the guys from Infobox threw me the idea of connecting CloudFlare (as one of the options for solving the problem), and I grabbed this idea like a straw.

I didn't really count on success (in the few hours needed to remove the old NS records and set the new ones, I managed to learn a lot on the topic and even drew up a rough plan of action). But to my surprise, the bourgeois miracle service helped! And even on the free plan. The DDoS protection mode worked remarkably. Honestly, I didn't expect it. I was pleasantly surprised. Moreover, the site began to fly as if on wings (although it was no turtle before).

In general, such things don't happen, and yet they do...

What is DDoS and what is CloudFlare?

What is DDoS? Well, first of all, it's an acronym for "distributed denial of service". In plain terms, this is a distributed attack whose purpose is to cause a denial of service for the visitors of a site (or sites) on the attacked server (or group of servers). The site will return an error to everyone who tries to open it.

The word "distributed" means that a DDoS attack comes from many computers on the network at once. Very often a so-called botnet is used for this purpose, i.e. a group of computers infected with viruses or otherwise taken under control. The owners of the computers included in the botnet may not even be aware that they are attacking someone (everything happens in the background).

Physically, this means a huge number of requests made to the server from different IP addresses. If there is only one address or a few, they can easily be identified from the logs or by opening the page http://xxx.xxx.xxx.xxx/server-status (where the x's must be replaced with the IP of your server, if it is running under Apache). After that, it is no problem to temporarily block the suspicious IPs, for example by adding lines like these to the .htaccess file (replace the IPs with your own; you can add as many Deny from lines as you like):

    Order allow,deny
    Allow from all
    Deny from 83.149.19.177
    Deny from 87.228.80.49
    Deny from 178.212.72.13

It helped me for a while. But a real DDoS can't be repulsed this way: you simply won't have time to detect the repeating IP addresses if they attack from tens and/or hundreds of hosts. That's what happened to me. As a result, 7 hours of complete downtime!

For the first two hours, I talked with the hosting's technical support along the lines of "help" - "we can't". Then in five minutes I connected CloudFlare to the site, in another couple of minutes I changed the DNS records, and then waited four hours for the connection to start working (the records have to propagate to all the key NS servers on the network). The site was fully operational only about a day later.

What is DDoS? It's a terrible thing indeed. You feel complete powerlessness and hopelessness. For the attackers, it is a way to make money (by blackmail or by fulfilling a competitor's order). Permanent protection against this evil is very expensive, but CloudFlare, even on a free plan, lets you fight off a weak-to-medium DDoS attack.

This service has millions of connected sites (about five million), and the developers of the service constantly monitor which IPs attacks usually come from; such visitors can, for example, be shown a captcha (bots are unlikely to solve it), or the browsers behind such suspicious IPs can be checked for "humanity". And by themselves, their servers distributed around the world do a good job of diluting a denial-of-service attack: the requests are simply spread across different servers, which greatly reduces the attack power and brings all the efforts of the "bad guys" to nothing.

For more serious DDoS protection in CloudFlare, you already need to pay a lot ($200). But this is all for a very serious business, where the DDoS is more powerful (more money is poured into it), but the owners also have a lot more money. For us, the PRO plan for $20, or even the free plan, which has almost everything, is more than enough (read about it below).

What is CloudFlare? It is an online service whose history goes back to 2009 (the same age as my blog). It is by no means a hosting, although from the outside it may seem that way. It's more like an add-on to hosting (something like a caching reverse proxy). After connecting the site to this online service, its IP address changes and it seems as if you have changed host, but this is not so.

You will still need hosting, and you will actually work with the site in the same way as before. There will be some nuances, but the essence remains the same. CloudFlare is needed to protect (ensure stable operation of) and speed up the site.

More than five million sites around the world are already connected to it. This online service owns a distributed network of data centers (more than 120) around the world (since last year there has been one in Moscow). The latter is especially pleasant, because it provides a much faster response when accessing sites from the territory of Russia (although our country is large and more centers need to be built).

So, CloudFlare owns a bunch of servers distributed around the world. What for? So that the sites added to it load in visitors' browsers as quickly as possible. All graphics, CSS and JavaScript code will be served from the data center closest to a given visitor of your site. Did the visitor come from Moscow? Then the Moscow data center will serve them. From the USA? Then graphics and other static content will be served to the visitor from the Cloud Flare node closest to them.

This alone can already increase the average loading speed of your site's pages. But this service has a few more aces and jokers up its sleeve. Working with millions of sites and repelling attacks every second, the service has a database of the addresses from which sites are most often being attacked right now. This alone can serve as the first echelon of protection against DDoS attacks on a free plan (and you don't need to spend much time or resources on it).

In addition, the service allows you to enable "under attack" mode (Under Attack Mode), in which each access to the site is delayed for 5 seconds to find out what kind of browser the visit was made from. It was this mode that saved me in the hopeless situation described above. Yes, at the same time all bots and some legitimate users are cut off (at a glance, traffic became twenty percent lower), but this is better than the server denying access completely.

At the end of the DDoS attack, this mode can be turned off and an appropriate vigilance (security) level selected. When the attack repeats, it can easily be turned on again even from a mobile phone while sitting in the subway (the main thing is to react in time).

In general, the free plan already has almost everything you need. You can even compress (minify) CSS and JavaScript files on the fly (removing whitespace from them) to increase loading speed a little. Believe it or not, on a free plan in CloudFlare you can even connect SSL to the site (switch to the encrypted data transfer protocol, https, which Google has been actively pushing us toward lately). Moreover, the service provides its own free certificate.

Sounds like a fantasy, doesn't it? See the comparison table of plans (including Free) for yourself. Incredible! If your hosting goes down (has problems), then Cloud Flare will serve the site's pages from its cache during that time (and it works - I checked it by stopping the server, but there are nuances which you must read about below, otherwise it will not work). Maybe I missed something from the free goodies, but this is more than enough (as far as that goes).

By the way, this service does not have an affiliate program, but there are a lot of competitors in RuNet with crazy price tags (for example, protection against DDoS attacks in Qrator costs a lot). Therefore, when you read CloudFlare reviews on forums or blogs, pay attention to the often very subtle work of these competitors (the capabilities of CloudFlare are downplayed, and their own service or add-on is praised). Many fall for it, but the service is definitely from the category of "this cannot be, and yet it exists."

No, it also has flaws. Which ones? Well, often quite significant ones:
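The log-counting step described above (find the IPs that keep repeating, then write them into Deny from lines), as an added example that is not code from the original post: it parses constructed Apache "combined" log lines, flags sources that exceed a per-minute threshold, renders the .htaccess block, and also reports what share of the traffic that block would actually stop, which is what goes to zero in the distributed case the post complains about. The thresholds, sample IPs and timestamps are assumptions.

```python
"""Turn an Apache access log into the 'Deny from' list shown above.

Added example, not code from the original post. The log lines are constructed
sample data. Assumed log format: Apache 'combined' (client IP, identd, user,
[time], "request", status, bytes, "referer", "user-agent").
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def peak_rate(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def top_talkers(lines, window=timedelta(seconds=60), threshold=20):
    """Map ip -> peak requests per window for every ip that crossed `threshold`.

    Also returns the number of distinct client IPs seen, because that number is
    what decides whether per-IP blocking is still workable at all.
    """
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip.setdefault(rec[0], []).append(rec[1])
    offenders = {ip: peak_rate(ts, window) for ip, ts in per_ip.items()}
    offenders = {ip: p for ip, p in offenders.items() if p >= threshold}
    return offenders, len(per_ip)


def blocked_share(lines, offenders):
    """Fraction of all parsed requests that the Deny list would actually stop."""
    total = hit = 0
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            total += 1
            hit += rec[0] in offenders
    return hit / total if total else 0.0


def htaccess_block(offenders):
    """Render the Apache 2.2-style deny list from the post, one line per IP."""
    out = ["Order allow,deny", "Allow from all"]
    out += [f"Deny from {ip}" for ip in sorted(offenders)]
    return "\n".join(out) + "\n"


def make_line(ip, second, path="/"):
    """Build one constructed combined-format log line (sample data only)."""
    ts = datetime(2017, 1, 9, 9, 0, 0) + timedelta(seconds=second)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0300] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


def single_source_sample():
    """One host hammering the front page (90 requests in 30 s), two ordinary visitors."""
    lines = [make_line("198.51.100.7", s // 3) for s in range(90)]
    lines += [make_line("203.0.113.5", s, f"/post-{s}.html") for s in (5, 40, 120)]
    lines.append(make_line("203.0.113.6", 30, "/about.html"))
    return lines


def distributed_sample(hosts=200, per_host=5):
    """Many hosts, each politely below the threshold: the case the post says
    cannot be handled by hand, and where the Deny list stays empty."""
    return [make_line(f"192.0.2.{h + 1}", h + 7 * k)
            for h in range(hosts) for k in range(per_host)]


if __name__ == "__main__":
    for name, sample in (("single source", single_source_sample()),
                         ("distributed", distributed_sample())):
        offenders, sources = top_talkers(sample)
        print(f"{name}: {sources} sources, blocked {blocked_share(sample, offenders):.0%}")
        print(htaccess_block(offenders), end="")
```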


What does the transition to the PRO tariff in CloudFlare give?

As I said above, I bought PRO for $20 per month (it turned out to be one and a half times more expensive than the hosting) and I was transferred (without my request, automatically) to a new IP, where there are only three neighbors, and quite legitimate ones.

In addition, on the paid plan you have the opportunity to use:

  1. Polish (tab "Speed" in the top menu) - compresses images on the fly before serving them to site visitors (you can configure the compression option: lossless, or lossy but stronger).

  2. Mirage - allows you to load images on mobile devices not immediately, but as the visitor scrolls the page. In addition, images are compressed to the actual required size and only then transferred to the user's gadget. It seems great for speeding up the site on mobile phones.

    For example, if you open my blog from a mobile phone and scroll the page quickly, you will see that placeholders are inserted instead of pictures, which are replaced with real images only when they reach the visible screen.

    And now it gives a much lower score, complaining that some of the content on the first screen is not loaded in time. Who can understand it?

  3. Page Rules - on a paid account, it becomes possible to set more than three rules for pages (up to 20, to be exact). Why are these rules needed? For example, they are what allow you to configure caching of not only static files but also the HTML pages of the site. Well, there are other applications too, but I only need them for the described purpose. How to set up full site caching (including page text, not just pictures, scripts and styles) is described below.
  4. Web Application Firewall - on a paid account, you can activate (on the "Firewall" tab in the top menu) a basic set of protections against various attacks such as cross-site scripting (XSS) and SQL injection. All such activity will be cut off (filtered) on the CloudFlare side (never reaching the real hosting). You can add your own rules, but I'm not strong in this, so I limited myself to the standard set (tested by time and millions of sites).
  5. On a paid account it will be possible to make your own design for pages with various errors. For example, when you turn on "Under Attack Mode", all new visitors to the site are shown a message that their browser is being checked for "humanity" (if you read this blog, you may have seen such a notice during the last year, after I connected Cloud Flare).

    This notice is in a foreign language, and some visitors may simply run away. But if you write something like "Guys, guys, guys! Don't leave! Just 5 seconds and everything will be fine!", then the chance of keeping the visitor increases. I'm too lazy to do this...

I pay with PayPal, which is very convenient. When setting up payments, they asked for my card, but the money is not withdrawn from the card, but directly from the wallet itself (I withdraw money into it). It's cool that every subsequent month the payment happens without my participation: the money is automatically debited from the PayPal wallet on the payment day, which is very convenient.

It is not surprising, because PayPal allows you to dispute a payment within a month and a half, if anything happens.

How to connect your site to CloudFlare?

Well, here, by the way, everything is quite simple, provided the connection wizard can pull out all the settings necessary for transferring your site (its IP, MX records). However, first things first.

Go to Cloud Flare and register (guard the credentials like the apple of your eye, because they are the key to your site).

I'll make a reservation right away that there's nothing in particular to be afraid of, because if the connection fails, you won't have to wait a day until the DNS records are rewritten again. Just click on the clouds on the DNS settings page and your site will work directly (I had to do this with one of my secondary projects, which for some reason stopped opening through CloudFlare - see the screenshot below). But in any case: all responsibility for your actions lies with you alone, and I have nothing to do with it.

Immediately after registration, you can go to the add new site page, where you just need to enter its domain name into the line offered and click the "Begin Scan" button:

Here, as you can see, everything is OK - the service found all the main DNS records (including mail), which is good. Caching was automatically enabled for the data transferred from this site in the future (the clouds became colored). Moving on.

As mentioned above, even a free plan is suitable for DDoS protection (if you wish, you can also get a free SSL certificate on it). I described the differences between the PRO plan and the free plan above, so choose what you need (it's up to you). Moving on.

Now the main thing. You need to go to your domain name registrar's panel and change the NS records there to those offered at this step of the CloudFlare wizard. For example, in WebMoney Domains this is done on this page:

You just need to replace the entries in two lines with what Cloud Flare gave you and wait from 4 hours to 2 days, until the change has propagated to all the NS servers of the Internet. We go further, and a few hours after registering the new NS servers you can click the "Recheck Nameservers" button:

Please note that below are the default settings, which will be applied to your site immediately after the final connection to CloudFlare (medium security and standard caching, which means that only static images, styles and scripts get into the cache).

If the DNS change has already propagated, then the status after clicking the mentioned button will change:

The "Quick Actions" button allows you to quickly switch to protection against DDoS and other types of attacks, which is called "Under Attack Mode". I had to do just that when switching to Cloud Flare. I had this mode (Under Attack Mode) turned on for about 12 hours, until the attack stopped.

At this time, access to the site is restricted and all connections are checked for legitimacy. No bots, including search engine bots, will be able to get through to the site. All in all, it is not worth staying in this mode longer than necessary (while the attack is going on). Read a little more about enabling and disabling the DDoS protection mode at the very end of this publication.

100% website uptime with CloudFlare

By offline site operation I mean the situation where your hosting "falls" for some reason, but the site continues to be available to visitors. This is, as they say, an extreme case. But often hosting simply cannot cope with a high load (caused by traffic, or by the use of many plugins and poor engine optimization). In this case, again, caching HTML pages in CloudFlare will help.

By default, as I understand it, the service caches only static files: images, CSS and JS. That's all. In principle, even this can greatly lighten the hosting's work and speed up the loading of site pages in different parts of the world. But often this is not enough. And even this is not the main thing. In this mode the "Always Online" function does not work, because Cloud Flare does not know how to work miracles: it serves pages from its own cache, and if they are not there, it turns to the hosting (which may not be available at the moment).

In general, the task is to enable caching of the entire web page content (the markup code, which includes the text content), and not just static content. You can do this on the Page Rules tab in the top menu (see explanations in the help). Why wasn't this added to the general caching settings? I think because of the great variety of sites and engines they run on. Apparently, it is not possible to ensure stability that way. One needs to act more precisely, based on the structure and specifics of each particular website. IMHO.

On the free plan you can create only three page rules, and on the PRO plan 20. The essence of creating a rule is quite simple. For now, let's omit what needs to be entered into the field with the URL pattern, and see what is offered when we click "+ Add a Setting":

Here you can simply select the caching level setting (Cache Level), and in the list of additional options that opens, choose the last option, "Cache Everything". This way we force CloudFlare to cache the entire web page, not just the static files.

It is also desirable to set the time the page will be cached by CloudFlare and in the browser cache of site visitors (these are two different settings). It all depends on how dynamic your site is as a whole and its individual pages in particular. I am quite satisfied with an interval of several days for storing the cache in the cloud, and I choose the browser cache differently (depending on the type of page).

To set these, click the "+ Add a Setting" button a couple more times and select:

  1. Browser Cache TTL - sets the lifetime of the cache in your site visitors' browsers. For example, if you select one day, then a visitor who visits the same page of your site twice during the day will receive it the second time not from the Internet but from their own browser cache (without changes). But if more than a day passes, the page will be requested from the Internet (from Cloud Flare). For the main page of this blog, I set the Browser Cache TTL to "a couple of hours", and for the rest of the pages from one to two days. It is possible that you can come up with something more optimal.
  2. Edge Cache TTL - this is the lifetime of the cache on the servers in CloudFlare data centers (worldwide). If you also set it to one day, then all visitors to your site will see this page (or the group of pages for which you set Edge Cache TTL to one day) without changes, even if the page has changed on the server (for example, comments have been added to it, or you changed something in the text, replaced an image, etc.).

I'll note right away that the service allows you to force-flush the cache not only for the entire site (which is not particularly recommended), but also for individual pages, and even individual static files (images, style files and scripts), when you have made changes to them and want them to be immediately available to your site visitors.

This is done on the "Caching" tab (in the top menu) by clicking the "Purge Individual Files" button (to flush the entire cache you will need to click the arrow on this button and select the lower of the two items, "Purge Everything"). In the window that opens, enter the URL of the page, or pages (one per line), or individual files (the full path to the image, style file, etc.):

I use this option quite often, for example after changing pictures, adding a comment to an article, or when changing the site design (I reset the cache for the style file). Files whose cache you have recently flushed are displayed below; you can simply click on them to reset them again. Very convenient.

But back to the rule settings for individual pages of the site, Page Rules. A little while ago we pressed the "Create Page Rule" button and learned how to enable full caching of HTML page content, as well as limit the cache lifetime in visitors' browsers and on CloudFlare servers. The result should look something like this:

That is, we have set the caching rules we need. In the example, this is caching of all content with a cache lifetime of 4 hours in visitors' browsers and 2 days on the service's servers. The only thing left is to write a pattern in the first line of this pop-up window, by which the service will understand which pages of your site these rules apply to. How to do this, you can read by clicking the "Help" button at the bottom of the rule settings window.

In my opinion, there are two ways to set rules:

  1. On the Pro plan, it is possible to set 20 page rules, which allows you to implement the first option: describe with patterns all the types of site pages that should be cached. For my blog, these are the main page, article pages, category pages, as well as static pages like "About the blog", etc. Naturally, we will not include the URLs of the admin panel here, because there the cache can interfere with the work.
  2. Only three rules are available on the free plan, and in some cases they may not be enough to implement the first method. The second way is to first allow caching of pages for the entire site, and then disable caching for the admin panel and login page. Three rules should suffice for this.

How to set up full site page caching in CloudFlare

Now in more detail about the practical implementation of both methods.

Let's start with the first option: create permissive caching rules for all (or most) pages of the site that need to be stored completely in the cache of CloudFlare servers (all HTML code along with pictures, scripts and styles).

If the article pages of your site (like on my blog) end in .html, then for their full caching, one single rule for pages is enough:

Site/*.html

Replace my domain name with yours and you should be up and running. Quite simply, the * character stands for anything between the domain name and the .html suffix.

It remains only to add a rule for full caching of the main page of the site:

Website/

Here, I think, everything is clear without explanation. The only thing is that for the home page I chose a shorter caching time in users' browsers, because the content of this page changes more often than others, and it is important that it is displayed in a more or less up-to-date state.

The caching time on the CloudFlare servers was left large, because when adding a new entry I simply reset the cache for the main page in the way described just above. It's very convenient; you just need to get into the habit of doing it.

It's great when all pages except the main page end in .html. On my site, for example, category and static pages (such as "About the blog") do not have such a suffix. With categories I didn't have to suffer much, because I had chosen, as it turned out, a good permalink template, with the obligatory "/category/" directory, so the rule for this type of page looks like this:

Site/category/*

Well, with static pages I had to fiddle a bit, but everything seems to have worked out.

As a result, the share of data served from the CloudFlare cache was (according to the analytics built into the service) about 90%, which is very good (in fact, the load on my hosting server decreased by this amount):

On a separate (free) CloudFlare account I placed all my other small projects. Because only three page rules can be created on a free plan, I decided to go the opposite way: allow full caching of the entire site, and then forbid touching the admin pages.

Let me just say that it didn't work very well. Instead of 90% served from the cache, in this case I got less than 50%. But nevertheless I will show my solutions; maybe you can tell me where I made a mistake. So, with the first rule I allowed everything to be cached:

And with the second (this site runs on WordPress), for the admin pages I chose the bypass caching mode, i.e. these pages do not get into the cache. Everything seems to be working and the blog's speed has increased significantly, but according to the analytics less than 40 percent of the traffic goes through CloudFlare (everything else is pulled from the hosting server). Why? It's not very clear to me. At the same time, there were no problems with working in the admin panel, which is already good.

If you have a website on Joomla, then the admin panel can be bypassed there in this way (probably):

Domain.ru/admin*

In general, see for yourself which option you choose.
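Both rule layouts described above (one permissive rule per page type on the PRO plan, and "cache everything, then bypass the admin and login pages" on the free plan), evaluated by an added example that is not CloudFlare's own code. It assumes the service's documented matching: a * stands for any run of characters, the scheme is optional, the pattern must cover the whole URL including the query string, and only the first matching rule in priority order applies; the domain example.ru and the sample URLs are placeholders.

```python
"""Evaluate Page Rule URL patterns the way the post uses them.

Added example, not CloudFlare's code. Assumptions: '*' matches any run of
characters (including '/'), the scheme is optional in a pattern, the pattern
must match the whole URL (query string included), and only the first matching
rule in the list takes effect. 'example.ru' is a placeholder domain.
"""
import re


def pattern_to_regex(pattern):
    """'example.ru/*.html' -> anchored regex with each '*' turned into '.*'."""
    pattern = re.sub(r"^https?://", "", pattern)
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def normalize(url):
    """Drop the scheme so 'http://' and 'https://' URLs match the same pattern."""
    return re.sub(r"^https?://", "", url)


def matches(pattern, url):
    return pattern_to_regex(pattern).match(normalize(url)) is not None


def applied_rule(rules, url):
    """rules: ordered list of (pattern, settings). Returns the first match or None
    (None means the site default applies: only static files are cached)."""
    for pattern, settings in rules:
        if matches(pattern, url):
            return pattern, settings
    return None


def cache_decisions(rules, urls):
    """Map url -> cache level chosen by `rules`, 'default' when nothing matched."""
    result = {}
    for url in urls:
        hit = applied_rule(rules, url)
        result[url] = hit[1]["cache_level"] if hit else "default"
    return result


# Settings as the post configures them: Cache Everything, 4 h in browsers, 2 days on the edge.
CACHE_ALL = {"cache_level": "cache_everything", "browser_ttl": "4h", "edge_ttl": "2d"}
BYPASS = {"cache_level": "bypass"}

# PRO-plan layout from the post: one permissive rule per page type, admin URLs untouched.
PRO_RULES = [
    ("example.ru/*.html", CACHE_ALL),
    ("example.ru/", {**CACHE_ALL, "browser_ttl": "2h"}),  # front page: shorter browser TTL
    ("example.ru/category/*", CACHE_ALL),
]

# Free-plan layout (three rules): exclusions on top, catch-all last.
FREE_RULES = [
    ("example.ru/wp-admin*", BYPASS),
    ("example.ru/wp-login.php*", BYPASS),
    ("example.ru/*", CACHE_ALL),
]

# The same three rules with the catch-all first: the bypass rules can never fire.
FREE_RULES_WRONG_ORDER = [FREE_RULES[2], FREE_RULES[0], FREE_RULES[1]]

# Constructed URLs covering each page type the post talks about.
SAMPLE_URLS = [
    "https://example.ru/",
    "https://example.ru/?paged=2",
    "https://example.ru/post-about-ddos.html",
    "https://example.ru/category/security/",
    "https://example.ru/about/",
    "https://example.ru/wp-admin/edit.php",
    "https://example.ru/wp-login.php?redirect_to=%2Fwp-admin%2F",
]

if __name__ == "__main__":
    for name, rules in (("PRO", PRO_RULES), ("free", FREE_RULES),
                        ("free, wrong order", FREE_RULES_WRONG_ORDER)):
        print(name)
        for url, level in cache_decisions(rules, SAMPLE_URLS).items():
            print(f"  {level:17} {url}")
```

Note that under the PRO layout the static "About" page and the paginated front page fall through to the default (static files only), which is exactly why the post needed extra rules for such pages.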

One of the sites connected to the free CloudFlare account suddenly had problems (it stopped opening), so for it I simply disabled the "cloud" on the "DNS" tab in the top menu:

After that, it began to open again. I haven't yet bothered to switch the NS records back to the old ones; maybe I'll feel like figuring out what's what.

What to do if a DDos attack has begun and how to repel it?

If you connected to CloudFlare precisely because of an ongoing DDoS attack (or it started after connecting), then it will be quite possible to repel it, or reduce its effect, even on the free plan of this service. To do this, just go to the "Overview" tab in the top menu and click the "Quick Actions" button:

Select "Under Attack Mode" from the drop-down list, and the service will begin to actively counteract the DDoS attack.

All users (or bots) will be held by the CloudFlare service for 5 seconds before accessing your hosting server, during which time it will try to determine whether it is a real user (browser) or a bot.

Real users will see the following picture on their screen for 5 seconds (before the page of your site opens):

It is clear that such an "incomprehensible" notice will still scare away some visitors; I observed a drop in attendance in "Under Attack Mode" of about a quarter compared to the normal operating mode. But it is better to lose a quarter of visitors than all 100%. Agreed?

In addition, on the PRO plan (which I wrote about above), you can change the appearance of this notice and reduce the bounce rate (for example, translate it into Russian and add a bit of creativity). Either way, it's a great option.

However, you should not leave the site in "Under Attack Mode" longer than the attack lasts, because not only will you lose some visitors, but all search engine bots will be cut off from the site, which over time will not have a good effect on traffic. That's why you should periodically turn off "Under Attack Mode" with a simple push of the Disable button (on the "Overview" tab - see the screenshot above) and look at the result.

If the site has become unavailable again (the DDoS continues), then turn Status: I'm Under Attack! back on. Keep checking every couple of hours whether the DDoS attack has ended, so as not to keep the site in this unquestionably useful but suboptimal "Under Attack" mode longer than necessary.

Permanently, I prefer to use the default mode, Medium. By the way, you can change the security level without switching to "Under Attack Mode". You can do this on the "Firewall" tab (in the top menu) by selecting the desired option from the drop-down menu of the button bearing the name of the current Security Level:

Well, "I'm Under Attack!" can also be turned on from here.

But in general

So far, that is everything I wanted and have to say. Dig around more on the "Speed" tab and see what you can use there. In general, excuse me for such a brief description of this undoubtedly remarkable service, but I got tired of typing and making screenshots (seem to be out of shape today).

In RuNet, I have not yet seen such generosity combined with stunning usefulness. Therefore, I did not consider it burdensome to switch to the PRO plan with a monthly outlay of $20.

In principle, it was possible not to do this, but somehow it's calmer this way, or something...

The fifth of 6 video tutorials on website acceleration is dedicated to CloudFlare; in my opinion, it makes sense to watch them all in order to see the optimization picture as a whole (the desired video can be selected from the drop-down list in the upper left corner of the player window):

Good luck to you! See you soon on the pages of the blog site.


DoS (from the English Denial of Service) is an attack on a computer system (usually carried out by hackers) with the goal of bringing it to failure, that is, creating conditions under which legitimate users of the system cannot access the resources it provides (servers), or such access is hindered.

Currently, DoS and DDoS attacks are the most popular, because they allow bringing almost any system to failure without leaving legally significant evidence. The cost of organizing an attack is negligible: a 10 Gbit/s attack lasting an hour costs about 50 dollars or euros and can be ordered by anyone who visits a special hacker service on the Internet. If an attack is carried out simultaneously from a large number of computers, it is called a DDoS attack (from the English Distributed Denial of Service). In modern conditions, DDoS attacks involve not only computers, but also other consumer devices with Internet access.

First, the attacker scans the network using specially prepared scripts that identify potentially weak nodes. The selected hosts are attacked and the attacker gains administrative rights on them. Trojans are installed on the captured hosts and run in the background. These computers are now called zombie computers: their users do not even suspect that they are potential participants in a DDoS attack.

Next, the attacker sends commands to the captured computers, and they in turn carry out a powerful DoS attack on the target Internet service. In some cases an unintended action leads to a de facto DDoS attack, for example placing a link on a popular Internet resource to a site located on a not very powerful server (the Slashdot effect). A large influx of users exceeds the allowable load on the server and, consequently, causes a denial of service for some of them.

According to the method of impact, they are divided into:

Network layer DDoS attacks (L3-4), which exhaust server hardware or disrupt software operation by exploiting protocol vulnerabilities.

Application layer DDoS attacks (L7), which attack the "weak" places of the website, act in a targeted manner, are characterized by minimal resource consumption, prevail in number, and require a complex and expensive "antidote".

A DoS or DDoS attack is an aggressive external impact on the computing resources of a server or workstation, carried out in order to bring the latter to failure. By failure we mean not the physical breakdown of the machine, but the unavailability of its resources to legitimate users: the system's refusal to serve them (Denial of Service, from which the abbreviation DoS is formed).

If such an attack is carried out from a single computer, it is classified as DoS; if from several, as DDoS, which stands for Distributed Denial of Service. Next, we'll talk about why attackers carry out such actions, what kinds there are, what harm they cause to the attacked, and how the latter protect their resources.

Who can be affected by DoS and DDoS attacks

Corporate servers of enterprises and websites are exposed to attacks; personal computers of individuals much less often. The purpose of such actions, as a rule, is the same: to inflict economic harm on the victim while remaining in the shadows. In some cases, DoS and DDoS attacks are one of the stages of hacking a server and are aimed at stealing or destroying information. In fact, an enterprise or website belonging to anyone can become a victim of attackers.

A diagram illustrating the essence of a DDoS attack:

DoS and DDoS attacks are most often carried out at the instigation of dishonest competitors. So, by "taking down" the website of an online store that offers a similar product, one can temporarily become a "monopolist" and take its customers. By "taking down" a corporate server, one can disrupt the work of a competing company and thereby weaken its position in the market.

Large-scale attacks that can cause significant damage are usually carried out by professional cybercriminals for a lot of money. But not always. Homegrown amateur hackers may attack your resources out of curiosity, as may avengers among dismissed employees, and simply those who do not share your views on life.

Sometimes the impact is carried out for the purpose of extortion, with the attacker openly demanding money from the resource owner to stop the attack.

The servers of state companies and well-known organizations are often attacked by anonymous groups of highly skilled hackers in order to influence officials or cause public outcry.

How attacks are carried out

The principle of operation of DoS and DDoS attacks is to send a large flow of information to the server, which, to the maximum (as far as the hacker's capabilities allow), loads the computing resources of the processor, RAM, clogs communication channels or fills up disk space. The attacked machine cannot cope with the processing of incoming data and stops responding to user requests.

This is how the normal operation of the server, visualized in the Logstalgia program, looks like:

The effectiveness of single DOS attacks is not very high. In addition, an attack from a personal computer puts the attacker at risk of being identified and caught. Distributed attacks (DDoS) carried out from so-called zombie networks or botnets provide much more profit.

This is how the Norse-corp.com website displays botnet activity:

A zombie network (botnet) is a group of computers that have no physical connection to each other. What unites them is that they are all under the control of an attacker. Control is exercised through a Trojan program, which may lie dormant and show no sign of itself until it is needed. When carrying out an attack, the hacker instructs the infected computers to send requests to the victim's website or server, which, unable to withstand the onslaught, stops responding.

This is how Logstalgia shows a DDoS attack:

Any computer can join a botnet, and even a smartphone. It is enough to catch a Trojan and not detect it in time. By the way, the largest botnet numbered almost 2 million machines around the world, and their owners had no idea what their machines were being used for.

Methods of attack and defense

Before launching an attack, the hacker works out how to carry it out with maximum effect. If the attacked node has several vulnerabilities, the attack can come from several directions at once, which greatly complicates countermeasures. It is therefore important for every server administrator to identify all the "bottlenecks" of the system and, where possible, strengthen them.

Flood

A flood, in simple terms, is data that carries no meaning. In the context of DoS / DDoS attacks, a flood is an avalanche of empty, meaningless requests at one protocol level or another that the receiving node is nevertheless forced to process.

The main purpose of flooding is to completely clog the communication channels, saturating the available bandwidth.

Flood types:

  • MAC flood - an attack on network switches (ports are blocked by streams of frames).
  • ICMP flood - flooding the victim with echo requests from a zombie network, or sending requests "on behalf of" the attacked host so that all members of the botnet simultaneously send it echo replies (Smurf attack). A special case of ICMP flooding is ping flooding (sending ping requests to the server).
  • SYN flood - sending numerous SYN requests to the victim, overflowing the TCP connection queue with a large number of half-open connections (those still awaiting the client's acknowledgement).
  • UDP flood - works according to the Smurf attack scheme, with UDP datagrams sent instead of ICMP packets.
  • HTTP flood - flooding the server with numerous HTTP requests. A more sophisticated variant is the HTTPS flood, where the transmitted data is encrypted, so the attacked node has to decrypt it before it can even process it.


How to protect yourself from flooding

  • Configure network switches to validate and filter MAC addresses.
  • Restrict or disable the processing of ICMP echo requests.
  • Block packets coming from any address or domain that gives reason to suspect it is unreliable.
  • Set a limit on the number of half-open connections from a single address, reduce the time they are retained, and lengthen the TCP connection queue.
  • Prevent UDP services from receiving traffic from outside, or limit the number of UDP connections.
  • Use CAPTCHAs, delays, and other bot protection techniques.
  • Increase the maximum number of HTTP connections and configure request caching with nginx.
  • Expand the bandwidth of the network channel.
  • If possible, allocate a separate server for cryptographic processing (if encryption is used).
  • Create a backup channel for administrative access to the server in emergency situations.
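The SYN flood countermeasure in the list above (a per-address cap on half-open connections, a shorter retention time, and a longer TCP connection queue) can be understood from a small model of the half-open connection table. The following is an added example written for this article, not code from the original; the addresses, the 50-SYN burst and all thresholds are constructed values chosen to show the effect of each knob.

```python
"""Model of a TCP half-open (SYN) table with the three controls from the list above.
Constructed example; addresses and thresholds are illustrative, not real traffic."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Tracks connections that were SYN/ACKed but have not yet received the client's ACK."""
    per_source_limit: int = 8        # max half-open entries allowed per client address
    retention_seconds: float = 5.0   # how long an unanswered SYN/ACK stays in the table
    queue_size: int = 256            # total backlog (the "TCP connection queue")
    # address -> list of (timestamp, source port) entries still waiting for an ACK
    entries: dict = field(default_factory=lambda: defaultdict(list))
    dropped: int = 0

    def _expire(self, now: float) -> None:
        """Free entries whose retention time has passed."""
        for addr in list(self.entries):
            keep = [e for e in self.entries[addr] if now - e[0] < self.retention_seconds]
            if keep:
                self.entries[addr] = keep
            else:
                del self.entries[addr]

    def total(self) -> int:
        return sum(len(v) for v in self.entries.values())

    def on_syn(self, addr: str, sport: int, now: float) -> bool:
        """Return True if the SYN is accepted into the queue, False if it is dropped."""
        self._expire(now)
        if len(self.entries[addr]) >= self.per_source_limit or self.total() >= self.queue_size:
            self.dropped += 1
            if not self.entries[addr]:
                del self.entries[addr]
            return False
        self.entries[addr].append((now, sport))
        return True

    def on_ack(self, addr: str, sport: int, now: float) -> bool:
        """Complete the handshake: remove the matching half-open entry."""
        self._expire(now)
        for e in self.entries.get(addr, []):
            if e[1] == sport:
                self.entries[addr].remove(e)
                if not self.entries[addr]:
                    del self.entries[addr]
                return True
        return False


def simulate(limit: int, retention: float, queue: int) -> dict:
    """Constructed scenario: one zombie fires 50 SYNs in one second and never completes
    the handshake; a legitimate client then connects at t=1.5 s and ACKs at t=1.6 s."""
    table = HalfOpenTable(limit, retention, queue)
    attacker_accepted = sum(
        table.on_syn("203.0.113.7", 40000 + i, now=i * 0.02) for i in range(50)
    )
    legit_accepted = table.on_syn("198.51.100.20", 5555, now=1.5)
    legit_completed = table.on_ack("198.51.100.20", 5555, now=1.6)
    return {
        "attacker_accepted": attacker_accepted,
        "legit_accepted": legit_accepted,
        "legit_completed": legit_completed,
        "half_open_after": table.total(),
    }


if __name__ == "__main__":
    # Short queue, long retention, no per-source cap: the zombie alone fills the queue.
    print("weak     :", simulate(limit=1000, retention=60.0, queue=32))
    # Per-source cap, short retention, long queue: the legitimate client gets through.
    print("hardened :", simulate(limit=8, retention=5.0, queue=256))
    # Short retention alone also clears the backlog before the legitimate SYN arrives.
    print("short ttl:", simulate(limit=1000, retention=0.5, queue=32))
```

On Linux the corresponding real knobs are the `net.ipv4.tcp_max_syn_backlog` (queue length) and `net.ipv4.tcp_synack_retries` (effective retention) sysctls, with `net.ipv4.tcp_syncookies` as the fallback when the queue still overflows; the per-source cap is normally enforced by a firewall or load balancer in front of the server rather than by the kernel table itself.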

Overloading hardware resources

There are flood types that target not the communication channel but the hardware resources of the attacked computer, loading them to the limit and causing a freeze or crash. For example:

  • A script that posts a huge amount of meaningless text on a forum or site where users can leave comments, until all disk space is filled.
  • The same, but with the server logs filling the drive.
  • Loading a site that performs some kind of transformation of submitted data by continuously sending such data (the so-called "heavy" requests).
  • Loading the processor or memory by executing code through the CGI interface (CGI support allows an external program to be run on the server).
  • Triggering a security system that makes the server inaccessible from the outside, etc.


How to protect yourself from overloading hardware resources

  • Increase hardware performance and disk space. When the server is running in normal mode, at least 25-30% of the resources should remain free.
  • Enable traffic analysis and filtering systems in front of the server.
  • Limit the use of hardware resources by system components (set quotas).
  • Store server log files on a separate drive.
  • Distribute resources across multiple independent servers, so that if one part fails, the others remain operational.

Vulnerabilities in operating systems, software, device firmware

There are far more ways to carry out such attacks than with flooding. Their implementation depends on the skill and experience of the attacker, and on his ability to find errors in program code and use them for his own benefit and to the detriment of the resource owner.

Once a hacker discovers a vulnerability (a bug in software that can be used to break the system), all that remains is to create and run an exploit, a program that takes advantage of this vulnerability.

Exploitation of vulnerabilities is not always intended to cause only a denial of service. If the hacker is lucky, he will be able to gain control over the resource and use this "gift of fate" as he sees fit, for example to spread malware, or to steal and destroy information.

Methods for countering the exploitation of vulnerabilities in software

  • Install in a timely manner the updates that close vulnerabilities in operating systems and applications.
  • Isolate from third-party access all services intended for administrative tasks.
  • Use tools for continuous monitoring of the server OS and programs (behavioral analysis, etc.).
  • Abandon potentially vulnerable programs (free, self-written, rarely updated) in favor of proven and well-protected ones.
  • Use ready-made DoS and DDoS protection systems, which exist in both hardware and software form.

How to determine if a resource has been attacked by a hacker

If the attacker reaches his goal, the attack is impossible to miss, but in some cases the administrator cannot determine exactly when it began. That is, several hours sometimes pass between the onset of an attack and noticeable symptoms. However, even during the latent phase (before the server goes down), certain signs are present. For example:

  • Unnatural behavior of server applications or the operating system (freezing, shutting down with errors, etc.).
  • The load on the processor, RAM and storage increases dramatically compared to the baseline.
  • The volume of traffic on one or more ports increases significantly.
  • Clients repeatedly request the same resources (opening one page of the site, downloading the same file).
  • Analysis of server, firewall and network device logs shows a large number of repetitive requests from various addresses, often directed at a specific port or service. This is especially telling if the site serves a narrow audience (for example, Russian-speaking) and the requests come from all over the world. At the same time, a qualitative analysis of the traffic shows that the requests make no practical sense for customers.

All of the above is not a 100% sign of an attack, but it is always a reason to pay attention to the problem and take appropriate protective measures.
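The log-based signs listed above (one source sending an abnormal number of requests, and many different addresses hammering the same page) can be checked mechanically. Below is an added example written for this article, not code from the original: it parses a constructed nginx/Apache-style combined access log, measures the peak request rate of each address over a sliding window, and counts how many distinct addresses hit each path. All IP addresses, paths and thresholds are made up for the demonstration.

```python
"""Detect the two log signatures described above in a constructed access log.
Sample lines, addresses and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (nginx/Apache default): ip ident user [ts] "req" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, path, status="200", size="512"):
    """Build one constructed log line inside the minute 13:55 of a fixed day."""
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample: one ordinary visitor, one zombie hammering a dynamic page,
# and 25 zombies each repeating the same search three times within one minute.
_lines = [
    _line("198.51.100.20", 1, "/index.html"),
    _line("198.51.100.20", 2, "/style.css"),
    _line("198.51.100.20", 9, "/catalog?id=3"),
    _line("198.51.100.20", 14, "/cart"),
    _line("198.51.100.20", 30, "/checkout", "302", "0"),
]
_lines += [_line("203.0.113.9", 20 + i // 4, "/catalog?id=7") for i in range(80)]
_lines += [
    _line(f"203.0.113.{100 + n}", (n * 2 + k) % 60, "/search?q=x")
    for n in range(25) for k in range(3)
]
SAMPLE_LOG = "\n".join(_lines) + "\n"


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records


def max_rate(timestamps: list, window: float) -> int:
    """Largest number of requests from one source inside any `window`-second span."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(records: list, window: float = 60, per_ip_threshold: int = 50,
            distributed_min_ips: int = 20) -> dict:
    """Flag sources whose peak rate exceeds per_ip_threshold requests per window,
    and paths requested by at least distributed_min_ips distinct addresses."""
    by_ip = defaultdict(list)
    ips_per_path = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
        ips_per_path[r["path"]].add(r["ip"])
    rates = {ip: max_rate(ts, window) for ip, ts in by_ip.items()}
    hot_sources = {ip: n for ip, n in rates.items() if n >= per_ip_threshold}
    hammered_paths = {p: len(s) for p, s in ips_per_path.items() if len(s) >= distributed_min_ips}
    return {
        "total_requests": len(records),
        "hot_sources": hot_sources,          # candidates for per-address blocking
        "hammered_paths": hammered_paths,    # distributed pattern: many sources, one page
    }


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The two findings call for different responses, which is why the report separates them: a single hot source can be rate-limited or blocked by address, while a path hit by dozens of addresses is the botnet pattern described above and is better handled by caching, CAPTCHAs or filtering in front of the server, since blocking each address individually does not scale.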

DDoS stands for Distributed Denial of Service. The number of such attacks is on the rise, and although they are more of a minor nuisance than a serious threat, they can take down the sites of various companies and force IT professionals to deal with the threat at hand.

DDoS attacks can have serious consequences if they occur, for example, during an emergency, so every organization needs to be prepared for them.

The degree of danger posed by DDoS attacks, and the methods of dealing with them, are fundamentally different from other security threats. An organization's websites may have the most sophisticated security system and still be vulnerable to DDoS attacks, because these threats simply block all traffic. In such cases, an alternative way of dealing with the threat must be found, along with ways to reduce the potential day-to-day risk.


Most institutions will not be able to deal with a DDoS attack without considerable effort. But they can find ways to avoid the consequences of an attack. Here are some ideas on how to improve the security of your site in case of such problems.

12 Techniques to protect yourself from DDoS attacks:


1. Ask the provider to change the traffic limit for the Internet connection of each individual user. Some may object to such a solution, but this method helps detect an infected computer when it consumes more traffic than it usually does. It may require considerable effort and well-coordinated action, but the method is based on the best practices in this area.

2. Try to get the ISP to be more responsible and advanced. This is an excellent goal, but also a very difficult task. It may be time to change the monitoring rules, with the understanding that the ISP will be disconnected from neighboring networks if it does not pay enough attention to its security. Such decisions will inevitably lead to some friction, so the issue should be discussed with all parties involved in advance.

3. Business-critical systems should be designed with redundancy in mind and be resistant to external influences. This includes having a backup server, for example additional databases and a server holding a copy of the entire portal, hidden from prying eyes and using different IP addresses.

4. A Certificate Revocation List (CRL) must be created in order to keep track of certificates that have expired and are no longer valid. Anyone (be it a program or a person) who presents such a certificate will no longer be trusted. An alternative is the Online Certificate Status Protocol (OCSP), which is used to detect revoked digital certificates such as X.509 certificates.

The need for such services lies in the fact that expired certificates can be used by attackers to establish communication and gain the opportunity to launch one of the types of DoS attack on the public key infrastructure itself. At the moment, there is much discussion about finding solutions for web browsers that would help solve this problem. Government and public sector organizations would do well to follow the news on this topic, as it may give them ideas on how to improve the security of their sites.

5. Consider installing an intrusion detection system, which also includes the ability to block certain ports, protocols, etc. Such products have been around for a long time, and new systems for protecting websites against security threats keep appearing. In most cases, they simply intercept the transmitted packets in promiscuous mode and report any anomalies found.

An IPS system can block or redirect traffic depending on what is detected. Although it is still difficult to detect a fast-moving and unidentified burst of traffic, such solutions can prevent a large volume of traffic from entering certain parts of the network.

6. Remember that when doing business, you should not be limited to only one of the existing types of communication (land line, wireless network, Internet). Business continuity tactics should include the use of all three types of connection.

7. Plan for situations in which digital communication systems can be completely disabled. Have you developed a backup plan for communicating with customers in case of unforeseen events? Connect to other available communication channels and make sure that your colleagues and clients know how to switch to a backup server immediately if necessary.

8. Small packets have a better chance of reaching their destination than real-time data streams. If your system suddenly cannot operate normally, investigate the capabilities of your backup servers: whether they can transmit short autonomous messages and whether those messages are recognized by various government or private equipment. For example, can a traffic light switch from green to red, or can your system tell a hydroelectric plant to open or close the valves that move water?


9. Email and text messaging are among the alternative communication options. They do not use much traffic (at least until files such as documents or archives are attached to the messages), and in most cases they can be queued. This means that such messages will be delivered automatically to the addressee once a stable communication channel appears.

10. Blocking access (blackholing) is one of the best solutions, but only a temporary one. With this approach, all traffic, including even legitimate business traffic, is sent nowhere. This completely closes access to the resource (which is hardly welcome), but it stops the large volume of traffic from getting through and discards the huge number of requests that could harm other sites. Of course, it is best to avoid such measures, but sometimes they are really necessary.

11. Set up a hidden forum to which only employees have access. It can serve as an online meeting place where certain issues can be discussed while access to everything else is closed.

12. Set up firewalls and other traffic filtering software to block access through unauthorized ports and protocols.

By themselves, none of the options above can completely rid the websites of government organizations of the consequences of a DDoS attack during an emergency. Together, however, they can help mitigate the risk, guide site owners on how to deal with the situation, increase your knowledge of the subject, and help fuel the discussion about alternative ways to keep sites running. Getting regional Internet providers to take responsibility is much harder. This is a very difficult question, but it cannot be left without attention.
