Table of contents
• DDoS attack technique
• How computers get infected
• Types of DDoS attacks
• How to secure your website
• The legal aspect
• How NOT to replenish the army of bots
The English abbreviation DoS means Denial of Service. For an Internet resource, this means that it is unable to process too many requests coming from outside. Each website is hosted on a server, where users access it. The server may be owned by the site administrator or by the hosting provider. In any case, the resource has a limit to the amount of information it can process per unit of time. The limit depends on the disk capacity, traffic parameters and, to a lesser extent, on the structure of the target site. If the server receives many requests at the same time, it starts to slow down at first and then becomes unavailable altogether, ceasing to respond to requests. If the site is hosted with a commercial hosting provider, other resources using the same disk space may also be affected. The DoS phenomenon is quite common on the internet. For example, the publication of breaking news often leads to a temporary malfunction of the websites of news agencies and TV channels, as well as the websites of famous personalities. Usually there is nothing criminal behind this; it is only a mismatch between the server's capacity and the interest shown by the public.
DDoS Attack Technique
A completely different situation arises when another letter "D" is added to the DoS abbreviation. The abbreviation DDoS stands for "Distributed Denial of Service". Distributed is the key word. It implies some kind of organizing force that directs seemingly chaotic requests to the victim's resource. Moreover, there are so many such requests that not only low-power servers of small companies, but also hosting provider machines with a bandwidth of thousands and tens of thousands of megabits per second cannot cope with them. How do attackers manage to create such traffic?
A huge number of requests are dumped on the server, and most of them are completely meaningless. But without special protection, the server is forced to analyze them all in turn and give some kind of answer. This leads to an overloaded server and a jam of incoming traffic. If the communication channel is narrow-band, even several hundred requests can disable the server. If its power is high and the communication channel has a high bandwidth, then either tens or even hundreds of thousands of requests are needed to disable it, or it is disabled by so-called heavy requests, the response to which takes a lot of processor time.
How computers get infected
First, the hacker creates a Trojan program and, with the help of mass mailings and placement on dubious resources, introduces Trojans into the disk space of random users who visited a dubious site or clicked on a link that came in an email. The most curious thing is that the antivirus may not even react to the infection, since the Trojan does not show any aggression towards the infected computer – it hides in anticipation of its owner's command.
When a hacker chooses an object for a DDoS attack, he sends an encrypted command to his agents of influence, of which there may be hundreds of thousands around the world. The command contains the IP address that is to be targeted. Bots scattered around the world begin to bombard the victim with requests that are either relayed from the site of the initiator of the attack or generated on the infected computers according to a pre-specified algorithm. In any case, the requests have no explicit connection with the computer of the initiator of the attack: all of the traffic originates from the addresses of the botnet. The owners of these PCs and smartphones do not even suspect that their equipment is being used for an attack. The more computers running in the botnet, the faster the attack will succeed. It is considered especially effective to send large packets whose processing requires considerable time, or to send requests to which the victim computer must give a detailed response. In the first case, the processor is overloaded; in the second, the communication channel. Both lead to system failure and multimillion-dollar losses, as was the case, for example, in attacks on the world-famous online stores Amazon and AliExpress.
Types of DDoS
Here are the most popular types of DDoS attacks. Let's limit ourselves to those techniques that aim to disable the victim site without penetrating the website's structure and without trying to obtain administrative rights.
Ping flood. The simplest type of attack, which does not require a botnet. From one or more computers, the victim is bombarded with numerous small echo requests, which nevertheless devour its operational resources. There are special programs for creating a flood and attracting volunteer helpers. It is relatively easy to deal with a ping flood, since there are few sources and they can be blocked (if you know how to do it). You can disable the option to respond to ICMP requests on your computer or set a rule for prioritizing them.
HTTP flood. The initiators of the attack send the victim a small packet that requires a detailed response. As a result, the site's outgoing channel overflows. The hacker uses a dynamic IP address or acts from user nodes, otherwise his own computer would be flooded with the responses.
SMURF attack. The same ping flood, sent out using an extensive botnet that multiplies the intensity of ICMP requests.
"Fragmentation grenade" (English Fraggle flood). The technology is similar to the previous one, but instead of echo requests (ICMP), requests using the UPD protocol are used. Hackers are constantly improving DDOS attack techniques, creating branched botnets, without which an attack on a seriously protected resource does not make sense.
How to secure your website
Blocking unwanted requests via .htaccess. Working with the .htaccess file makes it possible to manage access to the site at the web server level without touching the site's code and scripts, which is why it places very little load on the resource. At the same time, the site is protected by imposing restrictions on IP addresses and on certain features of requests.
Protection using a PHP script. Each request received by the site is analyzed, and the IP address from which it originated is remembered. If requests arrive from an already-seen IP address at intervals that are atypical for a human, access to the page is blocked. The disadvantage of this method is that the script itself may increase the load on the site.
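As an added example (not code from the original article), the following Python script ties the two server-side methods above together: it replays constructed Apache access-log lines, flags addresses that send bursts no human browser would produce, and renders the result as an Apache 2.4 .htaccess block. The thresholds, IP addresses and log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "common" log format: client IP first, then the bracketed timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 hammers the front page three times a second,
# 198.51.100.4 browses at a human pace.  Documentation-range addresses only.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i // 3:02d} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(45)
] + [
    f'198.51.100.4 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /news HTTP/1.1" 200 2048'
    for s in (0, 7, 15)
]

def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def find_floods(lines, window_s=10, max_hits=20):
    """Return the set of IPs that made more than max_hits requests within any
    window_s-second span.  A per-IP sliding window keeps only recent timestamps,
    so memory stays bounded even on a long log."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # malformed line: skip rather than crash
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > max_hits:
            flagged.add(ip)
    return flagged

def htaccess_rules(ips):
    """Render an Apache 2.4 .htaccess block that denies the flagged addresses."""
    denies = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return f"<RequireAll>\n    Require all granted\n{denies}\n</RequireAll>\n"

if __name__ == "__main__":
    print(htaccess_rules(find_floods(SAMPLE_LOG)))
```

The same sliding-window check is what the PHP approach does per request; running it offline over the log instead keeps the counting cost off the live site.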
A service for filtering junk traffic. The DNS records of your site's domain name are pointed at the servers of a company that provides security services. As a result, all requests coming to your site first go to the IP address of the filtering server. Clean packets are forwarded to the hosting of your resource, and suspicious packets are blocked. As a result, a dedicated server takes over all of the extra load.
The legal aspect
In the fight against "dosers", considerable experience has been gained by the specialized Department "K" of the Russian Ministry of Internal Affairs. In the case of an outright attack, especially one with a mercenary motive, feel free to contact law enforcement officials – they have the technical and organizational capabilities to help you. Hackers usually first carry out a demonstration attack on a resource, after which they approach the owners with an offer that cannot be refused. Record conversations on a voice recorder and save correspondence from social networks and messengers. This will help in organizing operational investigative measures and during the trial, if it comes to that. In Armenia you can report DDoS attacks to the Police's Cybercrimes Department.
How not to replenish the army of bots
For an ordinary user, the main thing to remember is that the threat comes not from the attacker himself but from infected computers. Do not open messages coming from unverified sources. Do not follow questionable links, even if they come from friends on social networks: their accounts can be hijacked by intruders. Check external media for malware before using it. Install the latest antivirus version on your devices, preferably a full one, which is usually not free. The cost is modest, and in return you get a guarantee of virtual "health". The same goes for a mobile phone – the Internet today is literally flooded with questionable links, and gadget users are less careful than desktop and laptop users.