The global coronavirus crisis has dramatically increased consumer interest in e-commerce, e-learning, online communications, and entertainment. The number and frequency of DDoS attacks was a trend even before the pandemic, and if you are an online service owner, or responsible for the operation of one, strengthening the protection against botnet attacks is especially important.
So how do you ensure stable uptime in the face of the new massive wave of cyber-attacks, sponsored by competitors, or initiated by hacker groups to blackmail your business?
Websites and web applications
If your goal is to protect your websites and web apps from DDoS attacks, the first thing to look at is whether you have full access to the server or not. If your website is located on a local server you will have unrestricted access to all needed settings. If you are using an external hosting platform, however, setting up a robust defense will require extra steps.
Let’s say your website is running on a local server. It’s essential not only to take care of DDoS protection, but to prepare the server itself. The first task should be optimizing the networking stack of the operating system so that the server can withstand high loads. It’s important to ensure high server performance, including the processing of network requests, otherwise, there is a risk to face interruptions even without any attack.
For example, a publication mentioning your website may gain popularity, sending you millions of visitors that you, and your server, are not prepared to receive. The result? Website downtime and missed business opportunities, or an angry client.
After optimizing the network stack, take a closer look at the webserver that you are using: most likely it is Apache or Nginx. In particular, pay attention to the parameters that determine the limits and performance optimizations. You should also optimize your database engine- MySQL or whatever database you chose. No matter the type — it has to be fast.
If your site uses a popular CMS, for example, Joomla!, WordPress, or Drupal, use the built-in optimization tools and guides available online. The website must have high performance in normal conditions, without an attack — this will strengthen the security against DDoS. The faster your website, the better its DDoS resistance.
If your website is located on an external hosting platform, check whether it can protect your resource from application-layer attacks — particularly on the seventh layer of the OSI model (L7). In any case, you can connect an external protection service. You need to configure it so that the IP address of the real server isn’t visible to the attacker through the mail headers, open ports, or other services.
Here is a real-life example: an online store was unable to accept orders because of a DDoS attack, despite having a DDoS protection service in place. This happened because the old, unprotected IP address kept working and remained open from the public Internet. Consequently, the attacker found it and used the address to their advantage.
The hosting provider responded by "closing" this address for external access over HTTP/HTTPS ports, and the website went back online. However, in a short time a new series of DDoS attacks shut down the e-commerce platform again. This time the attacker used a 22 (SSH) port, which hadn’t been closed. After this period of downtime, the hosting provider moved the website to a new server.
This solution worked for a while, but the attacks quickly resumed, rendering the website unusable again. Perhaps, the attacker was experienced and extracted the new server address from email headers.
This example shows how crucial it is to make the IPs inaccessible to anyone but the DDoS protector. Use services like Shodan to monitor the visibility of your IP addresses.
Online services and games based on TCP and UDP
To ensure the sustainability of services that interact with users via TCP and UDP, firstly optimize the network stack of the operating system. To start, make sure that your network card interrupts are distributed across different processor cores. Most modern operating systems do this automatically but it's always better to double-check.
Also, assess the component interdependence of the app you want to protect. For example, check what happens if a database or another service becomes unavailable. Your goal is to configure the system in such a way that the attack doesn’t simultaneously shut down all components that interact with users. You can find recommendations on how to increase the availability of each service on their official websites.
Additionally, make sure that the protected service at least has multiple entry points. This will allow you to quickly replace the IP address in your DNS settings with another one if the one you are currently using eventually stops responding. Or, if some of the IP addresses that you provide to clients become unavailable under attack, you can swiftly provide replacements.
If possible, it is a good practice to configure the service in a way that won’t allow unauthorized users to see the real IP addresses employed for access by authorized parties.
Another example from our experience: one of our clients, a gaming service, implemented a sort of a user hierarchy; when a player reached level 20, they would receive a new IP address. This configuration ensured that newly registered players couldn’t initiate an attack on the game server straight after sign-up.
Services that use the TCP protocol usually have more resistance against DDoS. The protocol itself is better suited to be defended against the attacks. UDP servers, on the other hand, require a lot more effort to set up a robust defense mechanism. This protocol wasn’t made to handle connections, and if the server falls victim to an atypical attack — a targeted campaign that simulates game packets — the traffic won't be filtered.
The only way to ensure protection would be to share the details of your service architecture with your DDoS defender, work out a specific defense strategy against atypical attacks and confirm that the strategy works by simulating multiple botnet interventions.
Networks
From the DDoS attack protection standpoint, network protection is perhaps the most challenging case. Here, protecting merely your own network resources is usually not enough. You also need to protect the resources that your clients deploy within your network, and these may include all kinds of services.
What’s more a typical network has hundreds of IP addresses, encouraging cyber-criminals to launch lots of attacks on multiple addresses simultaneously. Even being weak, these attacks will notably slow down the entire infrastructure.
The first thing to take care of is to ensure that your Edge router has sufficient performance to handle the increased load that may result from a DDoS attack. Installing cheap low-end and SOHO routers at the network edge is (almost always) a bad idea. Routers intended for home-use or small offices simply don’t cut it when it comes to network protection. Those old underpowered routers? Avoid them as well. These weak links are likely to become the first victims of DDoS attacks.
When choosing a router, check the bandwidth and number of packets per second it is able to process, estimate possible load, and, if possible, do some stress testing. There are lots of available tools, such as hping3, that can be found in almost all Linux distributions.
Secondly, make sure that the IP addresses that you use for the BGP session with your ISP cannot be seen in traceroute and, more importantly, they are protected with an ACL on the provider side. What’s more, it’s best to hide the addresses from tracing both from outside and inside the network. This will help you hide vulnerable addresses from insiders.
General recommendations
DDoS protection is a vital part of any cyber defense strategy, but it shouldn’t be the only part. If your first wall of defense fails, you need to know exactly what steps to take to mitigate the attack aftermath. Prepare an action plan that will contain step-by-step instructions for your security team.
What’s more, think of the way you will set up DDoS protection and how long it will take. In particular, check timeouts (TTL) for DNS records. For example, with the TTL of 172800, your website will be unavailable for 48 hours while switching to a new DNS record. Of course, setting up DDoS protection for central resources should be done in advance to ensure uptime when it matters the most.
We advise using a DDoS sensor to detect attacks dynamically and automatically activate protection. This measure will give more control over your traffic, save DDoS protection budget, reduce latency in normal operation mode, and — most importantly — it will dramatically decrease response times thanks to automatic threat detection and automated countermeasure engagement.
That’s why, before choosing an anti-DDoS service provider, don’t forget to clarify if they have their own DDoS sensor or the solution that you already have in place.