A Distributed Denial of Service attack, also known as a DDoS attack, can cripple your server and render it inoperable, which is reason enough to know how to protect yourself against one. DDoS attacks work by overwhelming a target with traffic sent from many sources at once, slowing it down or taking it offline completely.
Throttling DDoS Attacks:
A DDoS is the contemporary descendant of the old-fashioned tactic of flooding a site with junk until it became unusable. On top of that, the traffic arrives from many compromised machines and the perpetrators are usually anonymous, so there is rarely anyone you can call on to make them stop; you have to be able to absorb or filter the attack yourself.
The most common transport-layer attack is the SYN flood. It works by sending the server a stream of TCP packets with the SYN flag set. If you are not familiar with TCP, the SYN is the first packet of every handshake: on receiving one, the server replies with a SYN-ACK and allocates a half-open connection entry while it waits for the client's final ACK. The flood never completes the handshake (the source addresses are usually spoofed, so the SYN-ACKs go to hosts that never answer), so half-open entries pile up until the listen backlog is full and the server has to drop SYNs from legitimate clients. On Linux the first line of defence is SYN cookies (net.ipv4.tcp_syncookies=1), which let the kernel answer a SYN without storing any state until the ACK arrives. There are other simple ways to limit your exposure. One of the most popular is a firewall in front of the origin: when a CDN or reverse proxy fronts the site, the origin's firewall can drop every incoming connection except those coming from the proxy's IP ranges, so flood traffic aimed directly at the origin never reaches the web server. Note what this does not give you: an allowed IP is not proof that a request is legitimate, it only means the attack now has to pass through the proxy, which is built to absorb it.
This approach works, but it is also limiting, because the origin now accepts connections from a single source. Anything else that must reach the server directly, such as a payment notification callback from PayPal or an administrative session, needs its own explicit rule. Another approach that is often suggested is moving the website to a different port. This does not help against a flood: a SYN flood does not care which port the service listens on, an attacker finds the new port with a single scan, and legitimate users and search engines now have to be told where the site is. Changing ports only removes background noise from scanners that try ports 80 and 443 and nothing else.
Once a service is exposed, check which other ports it opens. A web server needs only 80 and 443, but a mail server or an FTP server must also accept connections from arbitrary external clients (and FTP in active mode opens additional data connections), so those ports cannot simply be closed; they need their own limits on connection rate and half-open state.
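To see what a SYN flood looks like from the server's side, here is an added example (not code from the original page) that parses the output of ss -tan, counts half-open SYN-RECV connections per peer, checks whether SYN cookies are on, and emits nftables drop rules for the worst offenders. The ss column layout (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), the threshold of 3 and the sample lines are all assumptions made for the demonstration.

```python
"""Half-open connection monitor: an added example, not code from the page.

Assumes the iproute2 `ss -tan` column layout (State Recv-Q Send-Q
Local-Address:Port Peer-Address:Port); the sample output below is constructed.
"""
from collections import Counter
import sys

# Constructed `ss -tan` snapshot during a small SYN flood against :443.
# 192.0.2.77 holds four half-open slots; the ESTAB peer is a real user.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      4096   0.0.0.0:443          0.0.0.0:*
ESTAB      0      0      198.51.100.10:443    203.0.113.5:51234
SYN-RECV   0      0      198.51.100.10:443    192.0.2.77:40001
SYN-RECV   0      0      198.51.100.10:443    192.0.2.77:40002
SYN-RECV   0      0      198.51.100.10:443    192.0.2.77:40003
SYN-RECV   0      0      198.51.100.10:443    192.0.2.77:40004
SYN-RECV   0      0      198.51.100.10:443    192.0.2.78:40001
SYN-RECV   0      0      198.51.100.10:443    [2001:db8::9]:55001
"""


def peer_host(addr: str) -> str:
    """Strip the port from 'host:port' or '[v6]:port'."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def parse_half_open(ss_output: str) -> Counter:
    """Count SYN-RECV (half-open) connections per peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue  # header, listeners, established sockets
        counts[peer_host(fields[4])] += 1
    return counts


def flagged_sources(counts: Counter, threshold: int) -> list:
    """Peers holding at least `threshold` half-open slots, worst first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def nft_drop_rules(ips: list, table: str = "inet filter", chain: str = "input") -> list:
    """Render one nft command per offender; IPv6 peers need the ip6 match."""
    rules = []
    for ip in ips:
        family = "ip6" if ":" in ip else "ip"
        rules.append(f"nft add rule {table} {chain} {family} saddr {ip} drop")
    return rules


def syncookies_enabled(proc_text: str) -> bool:
    """Interpret /proc/sys/net/ipv4/tcp_syncookies: 1 = on under pressure, 2 = always."""
    return proc_text.strip() in ("1", "2")


if __name__ == "__main__":
    # Real use: pipe `ss -tan` into stdin; otherwise the constructed sample runs.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    counts = parse_half_open(text)
    print("half-open per peer:", dict(counts))
    for rule in nft_drop_rules(flagged_sources(counts, threshold=3)):
        print(rule)
    try:
        with open("/proc/sys/net/ipv4/tcp_syncookies") as f:
            on = syncookies_enabled(f.read())
    except OSError:
        on = None  # not Linux, or no /proc
    print("tcp_syncookies:", "unknown" if on is None else ("on" if on else "OFF, enable it"))
```

Per-IP blocking only helps when the sources are real. A spoofed flood shows up as thousands of distinct peers holding one slot each, so nothing crosses the threshold; that is exactly the case SYN cookies are for, which is why the script checks them.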
Throttling DDoS Attacks Using Discrete Logarithm Puzzles:
A DDoS attack is a type of cyber-attack in which multiple compromised systems, typically infected with malware that gives an attacker remote control over them (a botnet), are used to flood a target with traffic, either to overload its ability to respond or to use up its bandwidth.
An unfortunate side effect of these attacks is collateral damage: an attack large enough to saturate an upstream link interrupts service for everyone else behind that link, occasionally whole neighbourhoods or cities. There are three basic types: volumetric attacks, which burst and saturate network links (UDP floods, and amplification through open DNS or NTP servers); protocol or state-exhaustion attacks such as SYN and ACK floods, which fill connection tables on servers and middleboxes; and application-layer attacks (HTTP request floods, slow-request attacks), which complete the handshake, look like legitimate traffic, and exhaust the application itself.
Reasons for Attacks:
- Such attacks represent a serious threat to the Internet infrastructure in general and to individual networks in particular. “The various techniques used by a distributed denial of service (DDoS) are fast, cheap, and simple. This is why DDoS attacks pose a threat to society.” DDoS is also driven by monetary motivation, and the ease with which an attack can be bought is part of the problem: DDoS-for-hire services sell attacks for as little as $50.
- A DDoS can be categorized by the type and rate of the traffic being sent: volumetric floods, protocol (state-exhaustion) floods and application-layer floods, as described above.
- Classifying an attack from captured traffic is useful, but the analysis has its limitations and biases: source addresses are spoofed, vectors are mixed, and a sample taken at one vantage point may not represent the whole attack.
- DDoS attacks often involve SYN floods and UDP floods. A SYN flood sends the target a stream of TCP SYN requests; the target answers each with a SYN-ACK and waits for an ACK that never comes, so every SYN leaves behind a half-open connection that occupies a slot in the listen backlog. Once the backlog is full, the target cannot accept new connections at all, including those from legitimate users. A UDP flood needs no handshake: the attacker simply sends packets to chosen or random ports, and the target spends bandwidth and CPU receiving them and, for closed ports, answering with ICMP port-unreachable messages.
Attack Diagnosis and Parallel Attack Diagnosis:
The traditional focus of DDoS mitigation is identifying attacks as they happen and attempting to block them. That becomes harder as attack bandwidth grows and as the distance, in hops and latency, between defender and attacker increases, so defenders look for ways to stop attackers from consuming the target's resources in the first place. The technique this section attributes to Microsoft's research labs is best understood as a client puzzle built on the discrete logarithm problem (DLP). The DLP is not a filtering algorithm in itself; it is the hardness assumption behind Diffie-Hellman and elliptic-curve cryptography: given a group generator g and a value y = g^x, recovering x is expensive unless x is confined to a small range. A puzzle server exploits exactly that. For each client it derives a secret x of limited size, sends the client y = g^x, and refuses to allocate connection state or do any real work until the client returns x, which the client can only find by brute force. Verification on the server costs one exponentiation or one keyed hash, the client's cost is tuned by widening the range of x, and an attacker who wants the target to process N requests has to pay for N puzzles. The puzzle therefore acts as a filter on the attack traffic. It does not stop packets from arriving, so it helps against state and application exhaustion, not against link saturation.
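The following is an added example of such a puzzle, written for this page; it is not Microsoft's, Cloudflare's or any other vendor's code. Hash-based puzzles are the more common form in practice, but a discrete-log puzzle matches the description above and appears in the research literature (Waters, Juels, Halderman and Felten, CCS 2004). The server derives each puzzle's secret x from an HMAC over the client identity, a timestamp and a nonce, so it keeps no per-client state while the puzzle is outstanding; the client brute-forces x from y = g^x mod p; the server verifies with one HMAC. The group (p = 2^31 - 1 with generator 7), the secret key, the 30-second lifetime and the difficulty are assumptions for the demonstration.

```python
"""Stateless discrete-log client puzzle: an added example, not the page's or
any vendor's code. Group, secret, TTL and difficulty are assumed values."""
import hashlib
import hmac
import os
import time
from typing import Optional

P = 2**31 - 1   # Mersenne prime; 7 is a primitive root mod P (Park-Miller),
G = 7           # so g^x is distinct for every x in the puzzle's range
SERVER_SECRET = b"constructed-demo-secret-rotate-in-production"
PUZZLE_TTL = 30  # seconds a challenge stays redeemable (assumed policy)


def _derive_x(client_id: bytes, ts: int, nonce: bytes, bits: int) -> int:
    """Server only: the puzzle secret, reproducible from the server key."""
    msg = client_id + ts.to_bytes(8, "big") + nonce + bytes([bits])
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "big") % (1 << bits)


def issue_puzzle(client_id: bytes, bits: int, now: Optional[int] = None) -> dict:
    """Server: hand the client y = g^x without remembering x."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(8)
    x = _derive_x(client_id, ts, nonce, bits)
    return {"client_id": client_id, "ts": ts, "nonce": nonce, "bits": bits,
            "y": pow(G, x, P)}


def solve_puzzle(puzzle: dict) -> int:
    """Client: walk g^0, g^1, ... until it equals y. O(2^bits) multiplications;
    the server alone chooses `bits`, so it alone chooses the client's cost."""
    y, acc = puzzle["y"], 1
    for x in range(1 << puzzle["bits"]):
        if acc == y:
            return x
        acc = (acc * G) % P
    raise ValueError("no solution in range: puzzle was not issued by this server")


class PuzzleVerifier:
    """Server: accept each solution once, only while fresh, and only at the
    difficulty the server currently demands, never the one the client claims."""

    def __init__(self, bits: int):
        self.bits = bits
        self._spent = {}  # nonce -> issue time; entries older than TTL are pruned

    def verify(self, puzzle: dict, x: int, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        self._spent = {n: t for n, t in self._spent.items() if now - t <= PUZZLE_TTL}
        if puzzle["bits"] != self.bits:
            return False  # client tried to downgrade the difficulty
        if not 0 <= now - puzzle["ts"] <= PUZZLE_TTL:
            return False  # expired, or a timestamp from the future
        if puzzle["nonce"] in self._spent:
            return False  # replay: one solution buys exactly one request
        expected = _derive_x(puzzle["client_id"], puzzle["ts"], puzzle["nonce"], self.bits)
        if x != expected or pow(G, x, P) != puzzle["y"]:
            return False  # wrong answer, or a forged y
        self._spent[puzzle["nonce"]] = puzzle["ts"]
        return True


if __name__ == "__main__":
    verifier = PuzzleVerifier(bits=16)
    puzzle = issue_puzzle(b"203.0.113.5", bits=16)
    t0 = time.perf_counter()
    x = solve_puzzle(puzzle)
    print(f"client solved x={x} in {time.perf_counter() - t0:.4f}s")
    print("accepted:", verifier.verify(puzzle, x))
    print("replayed:", verifier.verify(puzzle, x))
```

Two details matter in practice. The verifier takes the difficulty from its own configuration and rejects puzzles that claim another value; if it trusted the client's copy, an attacker would submit bits=1 and guess x correctly half the time. And the replay cache is the only state the server keeps, bounded by TTL, so the scheme stays cheap under exactly the load it is meant to survive.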
Puzzles are not tied to one vendor or product: any edge that terminates client connections, whether a CDN such as Cloudflare, a reverse proxy or the service itself, can issue them, and the same check throttles other kinds of automated traffic sent out from botnets or infected devices. Tor is a concrete case: since 2023 onion services can demand a proof of work from clients, so that a flood is stopped at the edge of the Tor network before it reaches the service behind it.
Attack diagnosis is a crucial first step in defending against DDoS attacks, but it is also one of the most difficult. Attackers spoof source addresses, bounce traffic off reflectors and use bots on other people's machines, so the addresses you see are rarely their own. The observation this section attributes to Microsoft's attack data, that high-bandwidth attacks tend to originate disproportionately from particular regions such as China, tells you where the compromised hosts are rather than who is operating them, and similar fingerprints have been reported from other vantage points. Treat geographic origin as a property of the botnet, not of the attacker.
The puzzle check is not just for DDoS mitigation, either. Because every bot has to solve a puzzle per request, the same mechanism slows down scraping, credential stuffing and other automated abuse from botnets, wherever their traffic originates.
Diagnosing an attack in parallel with mitigating it is hard for both centralized and decentralized architectures. A common technique used by defenders is to look at traffic at the network edge as it arrives, rather than analysing captures after the fact; this is one of the reasons large edge services like Cloudflare expose visibility down to the source IP address of each client sending traffic through them. It is a difficult problem to solve, but the work described above shows that attack traffic can be recognized by its pattern (half-open connections that never complete, reflected UDP arriving from well-known service ports, request rates no human produces) without having to identify the individual attackers in real time.
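As an added example (not from the page) of the pattern-based diagnosis described here, and of the traffic categories listed in the section above, the following script classifies flow records addressed to one victim as a SYN flood or a UDP amplification flood from the signals just named: SYN-only flows that never carry an ACK, and UDP payload arriving from well-known reflector source ports. Application-layer floods are deliberately left out; they complete the handshake and look like users at the flow level, so they need request logs rather than flow records. The record format, the reflector port list, the thresholds and the sample flows are constructed for the demonstration.

```python
"""Flow-level attack classifier: an added example, not code from the page.

Record format (assumed): "src:sport dst:dport proto flags packets bytes", one
flow per line, TCP flags as letters (S=SYN A=ACK P=PSH F=FIN R=RST, '-' none).
Thresholds are illustrative; tune them against your own baseline.
"""
from collections import Counter

REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}  # DNS, NTP, SNMP, SSDP, memcached
VICTIM = "198.51.100.10"

# Constructed flows: 60 spoofed single-packet SYNs from 192.0.2.0/24, two real
# sessions that completed the handshake, three reflected DNS streams and one
# stray UDP packet. Generated rather than listed to keep the sample short.
SAMPLE_FLOWS = "\n".join(
    [f"192.0.2.{i}:{40000 + i} {VICTIM}:443 tcp S 1 60" for i in range(1, 61)]
    + [f"203.0.113.5:51234 {VICTIM}:443 tcp SPA 40 5200",
       f"203.0.113.6:51235 {VICTIM}:443 tcp SPA 12 1800"]
    + [f"203.0.113.{r}:53 {VICTIM}:{30000 + r} udp - 800 400000" for r in (53, 54, 55)]
    + [f"203.0.113.7:40000 {VICTIM}:5060 udp - 2 100"]
)


def _split_addr(addr):
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_flows(text):
    """Parse records into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, flags, pkts, nbytes = line.split()
        sh, sp = _split_addr(src)
        dh, dp = _split_addr(dst)
        flows.append({"src": sh, "sport": sp, "dst": dh, "dport": dp,
                      "proto": proto.lower(), "flags": set(flags) - {"-"},
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def classify(flows, victim, syn_min=50, syn_ratio=10.0, amp_min_bytes=1_000_000):
    """Return (category, evidence) pairs for traffic towards `victim`."""
    half_open = established = 0
    udp_bytes = reflected_bytes = 0
    syn_sources = Counter()
    for f in flows:
        if f["dst"] != victim:
            continue
        if f["proto"] == "tcp":
            if "A" in f["flags"]:
                established += 1  # handshake completed: a real peer
            elif "S" in f["flags"]:
                half_open += 1    # SYN that never got past SYN-RECV
                syn_sources[f["src"]] += 1
        elif f["proto"] == "udp":
            udp_bytes += f["bytes"]
            if f["sport"] in REFLECTOR_PORTS:
                reflected_bytes += f["bytes"]
    verdicts = []
    if half_open >= syn_min and half_open >= syn_ratio * max(established, 1):
        # One SYN per source is the spoofing signature: blocking IPs will not help.
        spoofed = all(n == 1 for n in syn_sources.values())
        verdicts.append(("protocol",
                         f"SYN flood: {half_open} half-open vs {established} established; "
                         f"sources look {'spoofed' if spoofed else 'real'}"))
    if reflected_bytes >= amp_min_bytes and reflected_bytes * 2 >= udp_bytes:
        verdicts.append(("volumetric",
                         f"UDP amplification: {reflected_bytes} bytes from reflector "
                         f"ports {sorted(REFLECTOR_PORTS)}"))
    return verdicts


if __name__ == "__main__":
    for category, evidence in classify(parse_flows(SAMPLE_FLOWS), VICTIM):
        print(f"[{category}] {evidence}")
```

The spoofing check is the part worth copying: when every SYN source appears exactly once, per-IP blocking is pointless and the right response is SYN cookies or upstream filtering, whereas a handful of sources each holding many half-open slots is a case where a drop rule actually works.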
Countermeasures:
- The best way to protect your server from DDoS attacks is to combine as many independent measures as you can: SYN cookies and sane connection limits on the host, a firewall that exposes only the ports you need, rate limiting, and an upstream provider or CDN with enough capacity to absorb a volumetric flood.
- A firewall and a non-standard port are not enough on their own: the firewall protects the origin only if something with more capacity sits in front of it, and a new port is found with a single scan.
- Much of the defence is about what you should not do: do not expose the origin's address, do not run open resolvers or other reflectable UDP services, and do not let a single slow request hold a worker for minutes.
- The truth is that beyond these measures there is not a lot you can do except keep the server secure in the first place: patch it, remove services you do not need, and make sure there are no vulnerabilities that turn a modest flood into a crash.
Significance:
With attacks happening so regularly, it is understandable that people expect a single solution. There is none, and DDoS attacks are becoming more frequent and larger, which is why it is important for you to understand how they work and what you can do about them.
Conclusion:
If you are running a site that can be taken offline by a DDoS attack, you need to know how to defend it. Some people believe the answer is a firewall that blocks all incoming traffic from external IPs except those of the proxy in front of the origin. That helps in some setups, but the real solution is a combination of many measures taken together: absorb volume upstream, keep connection state cheap, and make clients pay before the server does.