How to effectively defend against DDoS attacks? Main attack types, ransom DDoS attacks. What to do if the website has been attacked?

Published: 04.03.2022


Website owners should not wait for their website to be attacked before taking action. A proactive approach to DDoS attacks is recommended, and this article collects effective measures to protect a website from this malicious traffic.

Today, with the widespread proliferation of sophisticated cyber attack tools, more and more people are gaining access to malware that facilitates DDoS attacks. Given this significant growth, modern organizations must be prepared to defend against DDoS attacks or risk outages and other damage.

In February 2014, the Cloudflare content delivery network was hit by a 400 Gbps DDoS attack that exploited a weakness in the Network Time Protocol (NTP), which synchronizes computer clocks. The attack worked in much the same way as a reflected DNS amplification attack: the attacker sent small packets with the victim's spoofed IP address as the source, and each packet generated a large response directed at the victim. An attacker, possibly from a single server, used 4,529 public NTP servers on 1,298 networks to carry out the 400 Gbps attack, the largest in history at the time.

Requirements for protection against DDoS attacks in wartime. How a DDoS attack works

The same features that make the Internet so easy to use also make it easy for bots to collect vast amounts of information. Software bots are very common, and it is not uncommon for a website to receive multiple bot attack attempts per day.

Hackers use several types of attacks against the same target. It is more important than ever that modern DDoS protection solutions meet each of the four requirements:

  • accuracy;
  • scalability;
  • response efficiency in wartime;
  • availability.

Effective DDoS protection strategies fail if they are not comprehensive. Companies and government organizations should prioritize multi-layered hybrid solutions that can provide continuous protection against any type of DDoS attack.

Most DDoS attacks are designed to consume all available bandwidth or network resources on the target network, system, or website. The attacker uses one of the many available methods and tools to bombard the target with a flurry of malicious or spurious requests, or abuses a protocol or internal vulnerability until the system can no longer respond to requests. The aftermath of a DDoS attack is a bit like a concert venue suddenly packed with busloads of troublemakers holding fake tickets: legitimate ticket holders, standing in an orderly queue, never get inside.

In a related attack vector, the attacker launches a DDoS action against the victim's servers to distract the security team and incident responders while using other methods to infiltrate the network. One popular variation is to keep flooding the victim's servers until the victim pays a ransom in untraceable bitcoins.

An attack that comes from a single source is called a denial of service (DoS) attack. Today, however, distributed denial of service (DDoS) attacks, which are launched against a target from multiple sources but coordinated from a central point, are far more common. Distributed attacks are larger, potentially more destructive, and in some cases harder for the victim to detect and stop.

As DDoS protection mechanisms have improved over the years, attackers have become more resourceful and aggressive in launching multi-vector DDoS attacks. Such an attack can start with a reconnaissance scan of the network to find network bottlenecks, internal servers, and resource-intensive application services. The attacker may then issue an extortion demand and launch a conventional network-layer attack in the range of tens of gigabits per second, which is enough to cause concern and distract the network operations team. The real attack follows: a massive application-specific Layer 7 attack against port 80, aimed at the content delivery servers that support the application or at other under-resourced application services. Such attacks can come from thousands of individual IP addresses and can reach hundreds of gigabits per second or, as in the examples above, even terabits per second.

What is a denial of service attack?

A denial of service (DoS) attack occurs when legitimate users are unable to access information systems, devices, or other network resources because of an attacker's actions. Affected services may include email, websites, online accounts (for example, banking services), or any other service that depends on the affected computer or network. The denial of service state is achieved by flooding the target host or network with traffic until the target can no longer respond or crashes, which prevents legitimate users from getting access. DoS attacks can cost an organization time and money while its resources and services are unavailable.

What are common denial of service attacks?

There are many different methods of conducting a DoS attack. The most common method is flooding a network server with traffic: the attacker sends many requests to the target server, overwhelming it. These service requests are illegitimate and carry fabricated return addresses that mislead the server when it attempts to authenticate the requester. Because the unwanted requests are processed continuously, the server becomes overloaded, which creates a DoS condition for legitimate requesters. In a Smurf attack, the attacker sends Internet Control Message Protocol (ICMP) broadcasts to multiple hosts with a spoofed Internet Protocol source address that belongs to the target machine. The recipients of these fake packets then respond, and the target host is inundated with replies.

A SYN flood occurs when an attacker sends connection requests to a target server but never completes the three-way handshake, the method a TCP/IP network uses to establish a connection between a client host and the server. Each incomplete handshake leaves a connection slot busy and unavailable for further requests. The attacker keeps sending requests, filling up all available slots so that legitimate users cannot connect. Individual networks can also be affected by DoS attacks without being attacked directly: if the network's ISP or cloud service provider is targeted and attacked, the network stops working as well.

What is a distributed denial of service (DDoS) attack?

A distributed denial of service (DDoS) attack occurs when multiple computers work together to attack the same target. DDoS attackers often use a botnet, a group of hijacked Internet-connected devices, to carry out large-scale attacks. Attackers exploit security vulnerabilities or device weaknesses to take control of many devices through command and control software. Once in control, the attacker can instruct the botnet to DDoS the target; the infected devices thereby become victims of the attack as well. Botnets made up of hacked devices can also be rented out to other would-be attackers, and a botnet is often supplied to attack-for-hire services that let unskilled users launch DDoS attacks. DDoS allows exponentially more requests to be sent to the target, which increases the power of the attack.

It also complicates attribution, because the true source of the attack is harder to determine. The scale of DDoS attacks has grown as more and more devices connect to the Internet through the Internet of Things (IoT). IoT devices often use default passwords and lack strong security, making them vulnerable to compromise and exploitation. Infection of IoT devices often goes unnoticed by users, and an attacker can easily compromise hundreds of thousands of such devices to launch a large-scale attack without the knowledge of the device owners.

How not to become part of the problem during a DDoS attack?

While there is no way to avoid a DoS or DDoS attack, administrators can take proactive steps to mitigate the impact of an attack on their network.

1. Register with a DoS protection service

Register for a DoS protection service that detects abnormal traffic flows and redirects traffic away from your network. DoS traffic is filtered out and only clean traffic is forwarded to your network.

2. Create a disaster recovery plan (backup)

Create a disaster recovery plan (backup) to ensure effective communication, mitigation and recovery in the event of an attack.

3. Take steps to improve the security of all Internet-connected devices

It is also important to take steps to improve the security of all your Internet-connected devices to prevent them from being compromised.

4. Install and maintain antivirus software

Install antivirus software and a firewall, and configure the firewall to restrict traffic to and from your PC. Review your security settings and follow security best practices to minimize other people's access to your information and to manage unwanted traffic.

How do I know if a website is being attacked?

The symptoms of a DoS attack may resemble ordinary availability problems, such as technical issues with a particular network or maintenance by a system administrator. However, the following symptoms may indicate a DoS or DDoS attack:

  • unusually slow network performance when opening files or accessing websites;
  • a particular website being unavailable;
  • the inability to access any website at all.

The best way to detect and identify a DoS attack is to monitor and analyze network traffic. Network traffic can be monitored using a firewall or an intrusion detection system. The administrator can also set up rules that generate an alert when an abnormal traffic load is detected, determine the source of the traffic, or drop network packets that match certain criteria.
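The two kinds of rule just described, static drop criteria and an alert on abnormal load, can be prototyped over flow records before they are turned into firewall or IDS configuration. The following Python is an added example, not code from the original article: it applies two drop criteria that follow from the Smurf and SYN-flood descriptions above (inbound packets claiming a source inside the protected network, and ICMP sent to the directed-broadcast address) and then counts bare SYNs per source in a sliding one-second window, alerting when a source crosses a threshold. The address ranges, the threshold and the traffic sample are constructed for the demonstration.

```python
"""Rate-based DoS detection over constructed flow records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float    # arrival time in seconds
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)
    flags: str   # TCP flags as letters, e.g. "S" for SYN, "A" for ACK; "" otherwise


# Hypothetical address plan for the protected network (TEST-NET-3, constructed).
PROTECTED_NET = ip_network("203.0.113.0/24")
BROADCAST = str(PROTECTED_NET.broadcast_address)


def drop_reason(flow):
    """Static criteria a border firewall applies to every inbound packet.

    Returns a reason string when the packet should be dropped, else None."""
    if ip_address(flow.src) in PROTECTED_NET:
        return "spoofed-source"       # inbound traffic claiming our own address space
    if flow.proto == "icmp" and flow.dst == BROADCAST:
        return "icmp-to-broadcast"    # Smurf-style reflection via directed broadcast
    return None


class RateDetector:
    """Sliding-window counter of inbound TCP SYNs (without ACK) per source address."""

    def __init__(self, window_s=1.0, max_syn_per_window=20):
        self.window_s = window_s
        self.max_syn = max_syn_per_window   # threshold is an assumption for the demo
        self._syns = defaultdict(deque)
        self._alerted = set()

    def observe(self, flow):
        """Feed one packet; return an alert string the first time a source crosses the threshold."""
        if flow.proto != "tcp" or "S" not in flow.flags or "A" in flow.flags:
            return None
        q = self._syns[flow.src]
        q.append(flow.ts)
        while q and flow.ts - q[0] > self.window_s:   # evict timestamps outside the window
            q.popleft()
        if len(q) > self.max_syn and flow.src not in self._alerted:
            self._alerted.add(flow.src)
            return f"syn-flood src={flow.src} rate={len(q)}/{self.window_s:g}s"
        return None


def analyse(flows):
    """Apply drop rules first, then rate detection to what the firewall let through.

    Returns (dropped, alerts): a list of (reason, src) pairs and a list of alert strings."""
    det = RateDetector()
    dropped, alerts = [], []
    for f in flows:
        reason = drop_reason(f)
        if reason:
            dropped.append((reason, f.src))
            continue
        alert = det.observe(f)
        if alert:
            alerts.append(alert)
    return dropped, alerts


def sample_flows():
    """Constructed traffic: three legitimate clients, one SYN flooder, one spoofed packet, one Smurf probe."""
    flows = []
    # legitimate clients complete the handshake: one SYN, then the final ACK
    for i, src in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        flows.append(Flow(0.1 * i, src, "203.0.113.5", "tcp", 443, "S"))
        flows.append(Flow(0.1 * i + 0.05, src, "203.0.113.5", "tcp", 443, "A"))
    # flooder: 60 SYNs in about 0.6 s and never an ACK
    for n in range(60):
        flows.append(Flow(0.5 + 0.01 * n, "192.0.2.77", "203.0.113.5", "tcp", 80, "S"))
    # a packet from outside claiming an inside address, and an ICMP echo to the directed broadcast
    flows.append(Flow(1.2, "203.0.113.200", "203.0.113.5", "tcp", 80, "S"))
    flows.append(Flow(1.3, "192.0.2.9", BROADCAST, "icmp", 0, ""))
    return sorted(flows, key=lambda f: f.ts)


if __name__ == "__main__":
    dropped, alerts = analyse(sample_flows())
    print("dropped:", dropped)
    print("alerts:", alerts)
```

Run against the constructed sample, the two malformed packets are dropped by the static rules and the flooder raises a single alert the moment its 21st SYN lands inside the window, while the three legitimate clients, who each send one SYN and then an ACK, never trip the detector. The threshold and window are the knobs that control false positives; tune them from a baseline of normal SYN rates per source before enabling automatic blocking.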

What to do if you think you are under attack? If you believe that you or your business has been subjected to a DoS or DDoS attack, it is important to seek assistance from the appropriate technical experts. Contact your network administrator to find out whether the service outage is due to maintenance or an internal network issue. Network administrators can also monitor network traffic to confirm the presence of an attack, determine its source, and mitigate the situation by applying firewall rules and possibly redirecting traffic through a DoS protection service. Contact your ISP to check whether there is an outage on their end, or whether their network is the target of an attack and you are an indirect victim; they may be able to advise you on the right course of action. During an attack, keep an eye on the other hosts, assets, and services on your network: many attackers launch an attack to divert attention from their intended target and use the opportunity to mount secondary attacks on other services on your network.

A DDoS attack allows a hacker to flood a network or server with fake traffic. Too much traffic overloads resources and disrupts communications, preventing the system from processing user requests. Services become unavailable, and the target company suffers from long downtime, lost profits, and disgruntled customers.

For additional protection of its cloud services, Microsoft uses Azure DDoS Protection, a DDoS protection system built into Microsoft Azure's continuous monitoring and penetration testing processes. Azure DDoS Protection is designed to protect not only against external attacks but also against attacks originating from other Azure customers. The system uses standard detection and mitigation methods such as SYN cookies, rate limiting, and connection limits to protect against DDoS attacks. To support these automatic protections, a DDoS incident response team spanning multiple workloads defines roles and responsibilities between teams, escalation criteria, and incident handling protocols among the affected groups.
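SYN cookies, named above as one of the standard mitigations, are the direct answer to the SYN flood described earlier: instead of allocating a connection slot for every SYN, the server encodes everything it needs into the initial sequence number of its SYN-ACK and keeps no state until the client's final ACK proves the handshake is real. The Python below is an added example, not Azure's or any kernel's implementation; it follows the classic layout (a few bits of coarse time, a small index into a table of MSS values, and a keyed hash over the connection 4-tuple) in a simplified form. The secret, the MSS table and the tick size are constructed for the demonstration, and the client's own sequence number is left out of the hash to keep the example short.

```python
"""Stateless SYN-cookie generation and validation (added, simplified example)."""
import hashlib
import hmac
import struct

SECRET = b"constructed-per-boot-secret"   # a real stack draws this at random on boot
MSS_TABLE = (536, 1220, 1440, 1460)        # the few MSS values encodable in the cookie (simplified)
TICK = 64                                  # seconds per time tick; cookies stay valid for a few ticks


def _tag(src, dst, sport, dport, tick):
    """24-bit keyed hash over the connection 4-tuple and the time tick."""
    msg = struct.pack("!HHI", sport, dport, tick) + src.encode() + b"|" + dst.encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Build the 32-bit initial sequence number the server puts in its SYN-ACK.

    Layout: bits 31-27 time tick (5 bits), bits 26-24 MSS index, bits 23-0 tag.
    The server stores nothing; everything is recomputable from the cookie itself."""
    tick = int(now // TICK) & 0x1F
    # largest table entry not above what the client offered (client_mss >= 536 assumed)
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= client_mss)
    return (tick << 27) | (idx << 24) | _tag(src, dst, sport, dport, tick)


def check_cookie(cookie, src, dst, sport, dport, now, max_age_ticks=2):
    """Return the MSS encoded in a genuine, fresh cookie; None if forged or stale."""
    tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    current = int(now // TICK) & 0x1F
    age = (current - tick) & 0x1F             # modular difference handles the 5-bit wrap
    if age > max_age_ticks or idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _tag(src, dst, sport, dport, tick):
        return None
    return MSS_TABLE[idx]


def accept_ack(ack_num, src, dst, sport, dport, now):
    """Server side of the final ACK: the client must acknowledge cookie + 1.

    Returns the negotiated MSS when the connection should now be created, else None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    return check_cookie(cookie, src, dst, sport, dport, now)


def handshake_demo():
    """Walk through a genuine client, a spoofed SYN, a forged ACK and a stale replay.

    Returns a dict of outcomes so the behaviour can be checked, not just printed."""
    srv, client, flooder = "203.0.113.5", "198.51.100.10", "192.0.2.77"
    t0 = 1000.0
    # genuine client: SYN arrives, server answers with a cookie and forgets the client
    cookie = make_cookie(client, srv, 40000, 443, 1460, t0)
    # 30 s later the client's ACK arrives carrying cookie + 1
    genuine = accept_ack((cookie + 1) & 0xFFFFFFFF, client, srv, 40000, 443, t0 + 30)
    # spoofed SYNs from the flooder cost the server a SYN-ACK each but no memory at all;
    # a forged ACK that guesses the sequence number is rejected by the tag
    forged = accept_ack((cookie ^ 1) + 1, flooder, srv, 40000, 443, t0 + 30)
    # the genuine cookie replayed from a different source port fails too
    wrong_port = accept_ack(cookie + 1, client, srv, 40001, 443, t0 + 30)
    # and a stale cookie replayed three ticks (192 s) later has aged out
    stale = accept_ack(cookie + 1, client, srv, 40000, 443, t0 + 3 * TICK)
    return {"genuine": genuine, "forged": forged, "wrong_port": wrong_port, "stale": stale}


if __name__ == "__main__":
    print(handshake_demo())
```

The point to take from the walk-through is what the server does not do: under a flood of spoofed SYNs it never allocates a connection slot, so the half-open queue the SYN flood section describes cannot fill up, and only an ACK carrying a valid, fresh cookie for the exact 4-tuple causes a connection to be created. The price is the loss of TCP options that do not fit in the cookie, which is why real stacks switch cookies on only once the SYN queue is under pressure.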

Intrusion detection systems: IDS solutions provide some anomaly detection capability, so they can recognize when valid protocols are being used as a means of attack. They can be used in conjunction with firewalls to block traffic automatically. They are not fully automated, however: they must be configured manually by security experts, and they often produce false positives.

Ransom distributed denial of service (R-DDoS) attacks

According to The Daily Swig, several cybersecurity vendors saw an increase in ransom distributed denial of service attacks in 2021. Such attacks, also known as R-DDoS, are pure extortion. They are painful for their victims: in addition to the downtime and service interruptions, there is the potential financial cost of paying the ransom. Even if an organization is determined not to give in, fighting the threat consumes precious time and human resources. Criminals reportedly sometimes threaten to inflict additional suffering with DDoS after first launching a ransomware encryption attack. Ransomware is dangerous enough on its own, but combined with a DDoS attack it becomes nasty, destructive, and costly, and targeting server infrastructure can lead to long outages.

Referring to the August 2020 R-DDoS attacks on the New Zealand Stock Exchange, Chris Morgan, Senior Cyber Threat Analyst at Digital Shadows, reportedly said:

Whereas most DDoS ransomware often targets the public websites of their victims, this activity has repeatedly targeted server infrastructure, API endpoints, DNS servers, and even NZX ISPs. This shift towards server systems may explain the long downtime associated with these attacks.

The Daily Swig article notes that attackers use a variety of vectors, ranging from common network protocols such as Apple Remote Management Service (ARMS), Web Services Dynamic Discovery (WS-DD), and the Constrained Application Protocol (CoAP) to amplification vectors such as DNS response, SSDP, NTP, or Memcached.

According to Alan Calder, founder and executive chairman of IT Governance, a cyber-risk and privacy management firm, the trend has been toward shorter attack durations but higher packet-per-second rates. Attackers often launch multi-vector attacks that switch between vectors quickly and automatically, making them difficult to detect and stop. Because security analysts cannot detect these attacks manually and respond fast enough to rule out downtime, automated, real-time DDoS mitigation is essential for protection against multi-vector DDoS attacks.

What to do if you encounter an R-DDoS attack

Like government law enforcement agencies, we at ITVin always recommend not paying the ransom, as paying only encourages further criminal behavior and leads to attacks on other organizations by criminals who believe they can collect more ransoms. That said, many organizations may feel they have no choice if they are already under attack and do not have automatic real-time DDoS protection, because bringing services back online as quickly as possible is often critical. If you have experienced a DDoS attack, contact your ISP to find out how they can help you.
