DDoS stands for “distributed denial of service”. Attackers control a botnet and send it a command to attack the chosen web resource: junk requests from a huge number of IP addresses hit the site at the same time. The server tries to process every request, but its computing resources are limited; at some point they run out and the site “crashes”. DDoS was preceded by the DoS attack, in which all requests came from a single computer. A flood of requests from one IP address looked suspicious, so a DoS attack was easy to catch at the very beginning and repel by blocking that one address. DDoS is harder to deal with: if there are many bots, they disable the site quickly, and they are hard to distinguish from genuine users. If you only start deploying protection after the attack has begun, there is no guarantee you will repel it before the site is completely down.
Protecting the site from DDoS attacks.
When the site stops responding, users cannot order or pay for goods and services. In addition, DDoS can serve as cover for the theft of the company’s customer data. The business risks a data leak, a loss of customer trust and lost revenue.
How to determine the presence of an attack:
Connect to the web server via SSH.
Using ps and top, check whether the number of httpd (apache2), php-fpm or nginx worker processes is growing.
Count the web server processes and the connections on port 80 (443 if the site uses TLS) with the commands below (replace nginx with httpd, apache2 or php-fpm as appropriate):
ps aux | grep -c '[n]ginx'
netstat -na | grep -c ':80 '
The brackets in the first pattern stop grep from counting its own process, and the trailing space in the second keeps port 8080 from being counted as port 80. On modern distributions netstat is often absent; ss -Htn state established '( sport = :80 or sport = :443 )' | wc -l gives the same count. If the number of connections is well above the usual average, a DDoS attack on the web resource is likely. Compare against a baseline taken at the same time of day, because legitimate traffic also spikes during promotions (see No. 3 below).
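The procedure above counts connections as a single number. The shell functions below, added here as an example and not part of the original article, go one step further and break the established web connections down per peer address, which is what tells a single-source DoS apart from a distributed one. They read ss output from stdin so they can run on the constructed sample included in the script; on a live host pipe the real ss output in. The threshold values are arbitrary.

```sh
#!/bin/sh
# Added example: count established connections to the web ports per peer
# address and flag the heavy hitters. Input is `ss` output on stdin so the
# functions can be run on the constructed sample below; on a live host use:
#   ss -Htn state established '( sport = :80 or sport = :443 )' | flag_peers 50

# Total number of established web connections (compare with your normal figure).
total_connections() {
    wc -l | tr -d ' '
}

# "count peer" lines, busiest peer first. With a state filter ss prints
# Recv-Q Send-Q Local:Port Peer:Port, so the peer is field 4; the port is
# stripped and IPv6 brackets removed so each address is counted once.
count_peers() {
    awk '{ peer = $4; sub(/:[0-9]+$/, "", peer); gsub(/\[|\]/, "", peer); print peer }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Peers holding at least $1 connections, one per line, busiest first.
# One address with dozens of open connections is the classic DoS signature;
# a DDoS shows up as many addresses each only slightly above normal.
flag_peers() {
    count_peers | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample of `ss -Htn state established` output (not from a real host).
SAMPLE_SS='0      0      10.0.0.5:80    203.0.113.7:51234
0      0      10.0.0.5:80    203.0.113.7:51235
0      0      10.0.0.5:443   203.0.113.7:51236
0      0      10.0.0.5:443   198.51.100.2:40001
0      0      10.0.0.5:80    [2001:db8::1]:33000
0      0      10.0.0.5:80    [2001:db8::1]:33001'

printf '%s\n' "$SAMPLE_SS" | total_connections     # 6
printf '%s\n' "$SAMPLE_SS" | count_peers           # 3 203.0.113.7 / 2 2001:db8::1 / 1 198.51.100.2
printf '%s\n' "$SAMPLE_SS" | flag_peers 2          # 203.0.113.7 then 2001:db8::1
```

Run it once while the site is healthy and keep the numbers; during an incident the delta against that baseline matters more than the absolute count.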
A DDoS attack is an advanced version of DoS, but the development of this type of threat did not stop there. Attackers keep finding new weaknesses, and new kinds of DDoS keep appearing; they exploit each of the seven layers of the OSI model (L1–L7) on which the user and the site interact. The most common are HTTP, SYN, ICMP and UDP floods. There is no universal protection, but you can combine several methods that together give a reliable level of security. Here are the ten most effective ones in 2023:
Filtering incoming traffic.
Timely software updates.
Enabling third-party DDoS protection.
Monitoring the availability of the site.
Request optimization.
Do not skimp on equipment.
Tracking the number of requests per second.
Abandoning Windows Server.
Using the testcookie module.
Error analysis.
Below we will take a closer look at each method of DDoS protection.
No. 1. Filtering incoming traffic
A hosting provider can offer basic protection against DDoS attacks. As a rule, the hoster’s free protection is traffic filtering at layers L3 and L4: packets arriving at the client’s site are analysed for attack markers. The start of a DDoS is detected by criteria such as the number of distinct source IP addresses, packet rate, bandwidth and so on. When these deviate from normal, L3/L4 filtering is switched on, after which only traffic that passes the filter reaches the site. This basic level of protection is adequate for small projects.
If a project needs more flexible protection that takes its specifics into account, you can turn to dedicated services (discussed under No. 3 below) or set up traffic filtering yourself.
No. 2. Timely software updates
Much of the software used to build and run web resources is open source. Any developer can open and study its code, which means attackers can also look for weaknesses to use in a DDoS attack (for example, a request that is cheap to send but expensive to process). Open-source maintainers periodically audit their code for vulnerabilities and encourage the user community to do the same, then release updates that fix the flaws found. To keep security high, install software updates promptly.
Commercial software must be updated too. Vendors stop supporting outdated versions of their products, so once the developer stops shipping security updates the software should no longer be used; otherwise it becomes the weak point through which an attack succeeds.
No.3. Enabling third-party DDoS protection
Traffic volume may grow for natural reasons, for example during promotions or seasonal sales, so traffic growth is not always a DDoS attack. Blocking regular visitors immediately damages the site’s reputation. Incoming traffic must therefore be filtered so that only genuine requests reach the site and bona fide users are not blocked. Standard filtering does not take the project’s specifics into account and protects only against network-layer (L3/L4) floods. A higher level of security requires additional measures:
Kaspersky Lab’s cyber threat map, which shows where attacks are currently being observed and so which countries’ traffic is most likely to be hostile to a project;
a firewall, a ready-made filtering system that drops packets or requests by source address, port and protocol (it is not an antivirus and does not look for viruses);
anti-DDoS services that configure filters to repel attacks according to their power and type.
More flexible and in-depth DDoS prevention and control is usually provided by third-party services. Protection rules are built for the individual project: a model of normal user interaction with the specific site or application is compiled, and incoming traffic is analysed and compared with it. To find deviations, the following must be established:
which countries the bulk of the traffic comes from;
the rate at which requests normally arrive;
which headers and methods users most often use to access the server;
how much traffic is typical for the project;
the particular features of the company’s services, and so on.
From this, additional traffic-filtering rules are derived. The site is protected from the network layer up to the application layer (L3–L7). It becomes possible to deny botnet devices access by geolocation and to block UDP, SYN, ACK and RST floods, attacks on TLS services, and slow, low-rate attacks that mimic real users.
No. 4. Monitoring the availability of the site
The sooner you learn that the site has become unreachable, the sooner you can fix it. Dedicated services poll the site and notify the owner when it stops responding. The monitor checks the resource at a set interval; once a minute is typical, while once an hour is too coarse to catch an attack early. Availability is tested over HTTP, DNS and ICMP ping.
No. 5. Request optimization
The danger of a DDoS attack is that the bots’ requests exhaust the server’s resources. However, the way requests are received and processed can be tuned so that the server parses them faster, drops connections that stay idle for too long, or rejects them outright. Below are the filters a system administrator can set up on their own.
By the amount of resources the server spends on a request. To keep the site operational, cap the server resources spent on processing each request; incoming requests that could overload the server are then refused. The first limits to set are on memory, or more precisely on the amount of data placed in the buffers. These are set in the nginx config:
client_max_body_size — the maximum size of the request body; larger bodies are refused with 413 (default 1m);
client_header_buffer_size — the buffer for the request line and headers (default 1k, enough for most legitimate requests);
large_client_header_buffers — the number and size of the larger buffers used when a request line or header does not fit in the first one (default 4 8k); a request that exceeds them gets 414 or 494.
By timeouts during the interaction between the user and the site. This filter protects the server from junk requests whose purpose is not to receive a response, as a real user would, but to tie up the channel. A sensible time is set within which the server must read the request and the client must accept the response; if that does not happen, the connection is closed, the worker is freed and moves on to the next request. The nginx parameters:
send_timeout — how long nginx waits between two successive writes to the client before closing the connection (it is not a limit on the whole response);
keepalive_timeout — how long an idle keep-alive connection is held open waiting for the client’s next request;
client_body_timeout and client_header_timeout — how long nginx waits between two successive reads of the request body or header; if the client sends nothing in that time it gets 408;
reset_timedout_connection on — closes timed-out connections with a TCP RST instead of a FIN, so the socket does not linger in FIN-WAIT waiting for a confirmation that a misbehaving peer will never send, and its memory is freed immediately.
By IP address for GET requests. IP blocking is effective against HTTP floods. You need the HTTP server’s log files: follow the link on the hoster’s site, or look for the log in the web server’s directories; with Apache on RHEL-like systems, for example, it is at /etc/httpd/logs/access_log (usually a symlink into /var/log/httpd). In the web server log, pick out the IP addresses whose behaviour resembles a bot, i.e. those that send a large number of GET requests in a short period. Then create a .htaccess file in the site’s root folder (the virtual host must permit it with AllowOverride Limit) containing:
<Limit GET POST>
    # Apache 2.2 access-control syntax; Apache 2.4 needs mod_access_compat for it
    Order allow,deny
    Deny from 000.000.00.00
    Deny from …
    Allow from all
</Limit>
Substitute the suspicious IP addresses for 000.000.00.00. The Order/Deny/Allow directives are Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat, and the native form is Require all granted plus Require not ip <address> inside a <RequireAll> block. Every blocked request still costs Apache a connection and a parse, so for large floods the addresses are better dropped in the firewall (see No. 8).
By geolocation. This removes requests from countries where the project has no audience but from which junk traffic keeps coming. Enable the GeoIP module in nginx, write the country code to access_log, and ban the clients filtered out on that basis. A blocked client gets nginx’s special code 444, which is not a real HTTP status: nginx simply closes the connection without sending any response.
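As an added example, not taken from the article, here is an nginx configuration fragment for the http context that applies the three filters of this section together: the buffer limits, the timeouts and the geolocation ban that answers with 444. The values are illustrative; the GeoIP database path, the placeholder country codes XX/YY, the log path and the backend address are assumptions, and geoip_country requires nginx built with the legacy ngx_http_geoip_module and its database.

```nginx
# --- request size limits ("by the amount of resources") ---
client_max_body_size        1m;    # bodies above 1 MB are refused with 413
client_header_buffer_size   1k;    # most legitimate request lines and headers fit in 1 KB
large_client_header_buffers 2 8k;  # at most two 8 KB spill-over buffers; beyond that 414/494

# --- timeouts ("by the timeout") ---
client_header_timeout     10s;     # a client that drip-feeds headers (slowloris) gets 408
client_body_timeout       10s;     # gap allowed between two reads of the body
send_timeout              10s;     # gap allowed between two writes to the client
keepalive_timeout         15s;     # idle keep-alive connections are dropped sooner
reset_timedout_connection on;      # RST on timeout so the socket does not sit in FIN-WAIT

# --- geolocation filter ("by geolocation"); needs ngx_http_geoip_module ---
geoip_country /usr/share/GeoIP/GeoIP.dat;   # database path is an assumption

# 1 for countries that only ever send junk traffic (placeholder codes)
map $geoip_country_code $blocked_country {
    default 0;
    XX      1;
    YY      1;
}

# Record the country so banned clients can be reviewed in the log
log_format geo '$remote_addr [$time_local] "$request" $status $geoip_country_code';

server {
    listen 80;
    access_log /var/log/nginx/access.log geo;   # log path is an assumption

    # 444 is nginx-specific: the connection is closed without any response
    if ($blocked_country) {
        return 444;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;       # backend address is a placeholder
    }
}
```

Test the timeouts and buffer sizes against real traffic before tightening them further: a site whose users carry large cookies will start seeing 494 responses if large_client_header_buffers is set too low, and a slow mobile audience will hit send_timeout on big responses.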
No.6. Do not skimp on equipment
Cheap hosting means the server has little computing and hardware capacity. Such a server is easy to take down, so it is better to rent a more expensive plan. It gives the project spare RAM, fast traffic processing and the ability to accept a large number of incoming packets: resources that let the server not only run its normal workload but also postpone the complete collapse of the site under DDoS, giving specialists time to identify the type of attack and counter it. When choosing a reliable provider and hardware, pay attention to:
high network bandwidth;
a high-capacity uplink between the server and the data center;
the distance between the site’s users and the server;
the type of storage device;
CPU characteristics;
no traffic caps.
No.7. Tracking the number of requests per second
Track how the number of requests arriving at the site per second changes. A DDoS attack is signalled both by a sharp rise in requests and by a sharp drop: the rise marks the start of the attack, the drop the stage at which the site is collapsing. You can estimate the value with this shell command, which counts the entries in the nginx access log (path in $ACCESS_LOG) for the previous calendar minute and divides by 60:
echo $(($(fgrep -c "$(env LC_ALL=C date --date=@$(($(date +%s)-60)) +%d/%b/%Y:%H:%M)" "$ACCESS_LOG")/60))
The --date=@ option is GNU date, and fgrep is the old spelling of grep -F. Because of integer division the result is rounded down, so run the command every minute and watch the trend rather than a single figure.
No.8. Abandonment of Windows Server
Under a large number of connections Windows Server starts responding poorly; the bottleneck is its network stack. Linux-based OSes hold up better, which is why many server owners choose a Linux distribution for their VPS and dedicated servers. Linux has basic tools for quickly blocking bots by IP, iptables and ipset, and the kernel’s timeouts and buffer sizes can be tuned with sysctl (for example net.ipv4.tcp_syncookies against SYN floods, net.ipv4.tcp_fin_timeout and net.core.somaxconn).
No. 9. Using the testcookie module
Testcookie is an nginx module that works as a filter between the bots and the backend during an L7 DDoS attack and lets you block junk requests. It only stops bots that cannot handle HTTP cookies and redirects: the module checks whether the client can follow a redirect, supports JavaScript, and behaves like the browser it claims to be. The same checks also turn away legitimate clients that are not browsers (search-engine crawlers, API clients, monitoring), so whitelist those before enabling it.
No. 10. Error analysis
Using the logs, analyse traffic volume, server response time and the number of errors. For this, record in the nginx log the total time of each request, including all delays on the connection between the user and the server, via the $request_time variable, and the time the backend took to perform the operation and return a response, via $upstream_response_time (the two diverge when the client is slow to read). The log format is defined with the following config in the http context and then selected for a server with access_log, e.g. access_log /var/log/nginx/access.log xakep_log;:
log_format xakep_log '$remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent" '
                     '$request_time $upstream_response_time';
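The shell functions below are added here as an example and are not part of the original article. They work on a log written in the xakep_log format above and implement the checks from several sections at once: No. 5 (finding the addresses that hammer the site with requests), No. 7 (requests per second for a given minute, the same calculation as the one-liner there, without the rounding), No. 10 (status-code histogram and slow requests by $request_time and $upstream_response_time), and they turn the heavy hitters into an ipset restore script for the iptables/ipset blocking mentioned in No. 8. The set name ddos_block and the thresholds are my choices; the log lines are constructed, not captured.

```sh
#!/bin/sh
# Added example: analyse an nginx access log in the xakep_log format. Each
# function takes the log path as its first argument, so on a real host point
# it at /var/log/nginx/access.log; the sample at the bottom is constructed.

# Requests per client address, busiest first ("count ip"), at most N lines.
top_ips() {                      # usage: top_ips LOGFILE [N]
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" \
        | awk '{ print $1, $2 }'
}

# Average requests per second in one calendar minute given as %d/%b/%Y:%H:%M.
# The one-liner in No. 7 builds that string with GNU date:
#   env LC_ALL=C date --date=@$(($(date +%s)-60)) +%d/%b/%Y:%H:%M
rps_for_minute() {               # usage: rps_for_minute LOGFILE MINUTE
    n=$(grep -c -F "[$2" "$1" || true)   # grep -c exits 1 when the count is 0
    awk -v n="$n" 'BEGIN { printf "%.2f\n", n / 60 }'
}

# Histogram of status codes ("count status"); a jump in 5xx means the backend
# is giving up. The status is field 9 because "$request" is three tokens.
status_counts() {                # usage: status_counts LOGFILE
    awk '{ print $9 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Requests whose $request_time exceeds THRESHOLD seconds, printed as
# "ip request_time upstream_response_time". $request_time is the second-to-last
# field and $upstream_response_time the last (it is "-" when nginx served the
# file itself, and the two differ when the client reads the response slowly).
slow_requests() {                # usage: slow_requests LOGFILE THRESHOLD
    awk -v t="$2" '$(NF-1) + 0 > t + 0 { print $1, $(NF-1), $NF }' "$1"
}

# ipset restore script that blocks every address with more than LIMIT requests.
# Load it with:      ipset_rules LOG 1000 | ipset -exist restore
# and hook the set once:  iptables -I INPUT -m set --match-set ddos_block src -j DROP
ipset_rules() {                  # usage: ipset_rules LOGFILE LIMIT
    echo "create ddos_block hash:ip"
    top_ips "$1" 100000 | awk -v l="$2" '$1 > l { print "add ddos_block " $2 }'
}

# Constructed sample log in the xakep_log format (not a real capture).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.003 0.002
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /?q=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.004 0.003
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /?q=2 HTTP/1.1" 503 0 "-" "python-requests/2.28" 5.012 5.010
203.0.113.7 - - [10/Mar/2023:12:00:02 +0000] "GET /?q=3 HTTP/1.1" 503 0 "-" "python-requests/2.28" 5.100 5.090
198.51.100.2 - - [10/Mar/2023:12:00:30 +0000] "GET /style.css HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64)" 0.001 -
192.0.2.9 - - [10/Mar/2023:12:01:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 0.250 0.248
EOF

top_ips "$SAMPLE_LOG" 3                            # 4 203.0.113.7 first
rps_for_minute "$SAMPLE_LOG" 10/Mar/2023:12:00     # 0.08
status_counts "$SAMPLE_LOG"                        # 3 200 / 2 503 / 1 302
slow_requests "$SAMPLE_LOG" 1                      # the two 5-second requests from 203.0.113.7
ipset_rules "$SAMPLE_LOG" 3                        # create line plus "add ddos_block 203.0.113.7"
```

Before loading the ipset, look at the user agents and paths of the flagged addresses: a busy NAT gateway or a legitimate crawler will also top the list, and a request-count threshold alone cannot tell them apart from a bot.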
Conclusion
DDoS attacks threaten practically any web resource. Small sites can get by with the basic protection of a hosting provider, while large projects need the additional mechanisms of third-party services.