A distributed denial of service (DDoS) attack is an attempt by a malicious attacker to overwhelm a website or device with so much traffic that it becomes unavailable to legitimate users. The purpose of the attack is to make a machine, network resource, or service unavailable to its genuine users. Without appropriate security practices and technologies in place, an application under attack simply stops working.
An attacker typically uses many compromised computers, servers, or IoT devices (a botnet) to generate the traffic. The larger and more widely distributed the set of sources, the more effective the attack and the harder it is to block by source address.
What is DDoS mitigation?
DDoS mitigation is the process of using a set of techniques, software, or services to minimize the impact of a DDoS attack on the targeted servers.
Common Types of DDoS Attacks
1. Volume Based Attacks
Volume-based attacks are the most common type of DDoS attack. The attacker uses various techniques (often reflection and amplification through open UDP services) to generate a massive volume of traffic, measured in bits per second, that saturates the target's bandwidth so that legitimate traffic can no longer get into or out of the target site. This kind of attack is the easiest to detect, because the traffic volume itself is the anomaly; the difficulty is absorbing it.
2. Protocol Attacks
Protocol attacks target Layers 3 and 4. Instead of raw bandwidth, they exhaust the connection state tables and processing capacity of network infrastructure such as servers, firewalls, and load balancers.
A SYN flood (half-open attack) is the most commonly used method. The attacker sends a stream of TCP SYN packets, often from spoofed source addresses, and never completes the three-way handshake, so the target fills its backlog of half-open connections and can no longer accept legitimate ones. SYN cookies and a short half-open timeout are the standard host-level defences; beyond that, the traffic has to be filtered upstream.
3. Application Layer Attacks
Application-layer attacks target Layer 7, the topmost layer in the OSI model, where HTTP and the application itself live.
Typical examples are HTTP floods that hit expensive endpoints (search, login, uncached pages) with requests that individually look legitimate. Mitigation at this layer therefore relies on behavioral analysis (anomaly detection against a baseline of normal traffic) rather than on simple volume thresholds.
This layer is closest to the end user, where the application interacts directly with clients. Because each request is cheap for the attacker but expensive for the server, these attacks are usually far smaller in volume than attacks on the lower layers, which is what makes them hard to detect.
DDoS attack examples
- In September and October 2016 – The Mirai botnet, built from compromised Internet of Things (IoT) devices, launched record-breaking attacks, first against the site of security journalist Brian Krebs and then against the DNS provider Dyn. The Dyn outage left services such as GitHub and Twitter unreachable for users in Europe and North America.
- In February 2014 – According to a report on Gigaom, Cloudflare data centers in Europe and the U.S. were hit by what was then the world's largest distributed denial-of-service attack, an NTP amplification attack estimated at approximately 400 gigabits per second.
- In February 2018 – The developer platform GitHub was hit by a memcached amplification attack that peaked at approximately 1.35 terabits per second and lasted roughly 20 minutes.
- In February 2020 – Amazon Web Services reported mitigating a CLDAP reflection attack that peaked at approximately 2.3 terabits per second (not terabytes), the largest seen at that time; elevated attack traffic persisted for three days.
Best Practices for Preventing DDoS attacks
1. Traffic Monitoring
Monitoring application and network traffic is essential; most attacks can be detected simply by watching it. The most common form of DDoS sends large amounts of traffic to an IP address, but an attack can also be carried out against just one expensive HTTP endpoint, so monitor per-endpoint request rates and response times, not only bandwidth.
Whenever traffic exceeds a defined threshold, you should receive an alert. Configure alerting in your monitoring tools against a baseline of normal traffic (requests per second, bandwidth, error rates, latency) so that an attack is identified as early as possible and the damage is limited.
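As an added example, not code from the original article, here is a small detector that reads web-server access logs and raises the two kinds of alert described above: a single source exceeding a per-IP threshold, and a single endpoint exceeding a per-path threshold (which catches a distributed flood that per-IP counting would miss). The thresholds, the 10-second window, and the log lines are all assumed values for illustration and should be tuned against your own baseline.

```javascript
// Added example (not from the original article). Thresholds, window size and
// the sample log lines are assumptions for illustration.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "10/Oct/2023:13:55:36 +0000" (Apache/Nginx CLF timestamp) -> epoch seconds, or null
function parseClfTime(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzh, tzm] = m;
  const utc = Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) / 1000;
  const offset = (+tzh * 3600 + +tzm * 60) * (sign === "+" ? 1 : -1);
  return utc - offset;
}

// One line of the "combined" log format -> { ip, ts, method, path, status }, or null
function parseLine(line) {
  const m = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/.exec(line);
  if (!m) return null;
  const ts = parseClfTime(m[2]);
  if (ts === null) return null;
  // strip the query string so /search?q=1 and /search?q=2 count as one endpoint
  return { ip: m[1], ts, method: m[3], path: m[4].split("?")[0], status: +m[5] };
}

// Count requests per (window, source IP) and per (window, path) and return
// every bucket that crosses its threshold.
function detectFloods(lines, { windowSec = 10, perIpLimit = 50, perPathLimit = 200 } = {}) {
  const perIp = new Map();
  const perPath = new Map();
  const bump = (map, key) => map.set(key, (map.get(key) || 0) + 1);
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue; // malformed line: skip it, never let it crash the monitor
    const w = Math.floor(r.ts / windowSec) * windowSec;
    bump(perIp, `${w}|${r.ip}`);
    bump(perPath, `${w}|${r.path}`);
  }
  const alerts = [];
  const emit = (map, limit, type) => {
    for (const [k, count] of map) {
      if (count <= limit) continue;
      const i = k.indexOf("|");
      alerts.push({ type, window: +k.slice(0, i), key: k.slice(i + 1), count });
    }
  };
  emit(perIp, perIpLimit, "source-flood");
  emit(perPath, perPathLimit, "endpoint-flood");
  return alerts;
}

// Constructed sample log: a little normal browsing, one malformed line, one
// source hammering /search 60 times, and a distributed flood in which 250
// different sources each request /search once, all inside the same 10 seconds.
function sampleLog() {
  const at = (sec) => `10/Oct/2023:13:55:${30 + (sec % 10)} +0000`;
  const line = (ip, sec, req, status = 200) =>
    `${ip} - - [${at(sec)}] "${req} HTTP/1.1" ${status} 512 "-" "Mozilla/5.0"`;
  const lines = [
    line("192.0.2.5", 0, "GET /"),
    line("192.0.2.6", 1, "GET /about?ref=home"),
    line("192.0.2.5", 2, "POST /login"),
    "this line is not in the expected format",
  ];
  for (let i = 0; i < 60; i++) lines.push(line("203.0.113.7", i, "GET /search?q=" + i));
  for (let i = 1; i <= 250; i++) lines.push(line(`198.51.100.${i}`, i, "GET /search?q=x"));
  return lines;
}

// detectFloods(sampleLog()) -> one "source-flood" for 203.0.113.7 (60 hits)
// and one "endpoint-flood" for /search (310 hits); the 250 distributed
// sources stay under the per-IP limit and only show up in the per-path count.
```

In production the same two counters would be kept over a sliding window on the live log stream and wired to your alerting, but the point the sample shows holds either way: per-source thresholds alone miss a distributed flood, so always count per endpoint as well.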
2. Organize a DDoS Attack Response Plan
Depending on the organization's size and structure, different teams may be responsible for different parts of the infrastructure. A DDoS attack happens suddenly, so the actions to take must be documented in advance.
When an attack occurs, the first priority is to minimize its impact on the application. The responsibilities of key team members should be clearly defined so that the organization responds in an organized way, and the plan should also define the criteria for declaring the attack over.
Create a checklist: list all the processes and steps involved in the response, including who needs to be contacted, which tools you will need, and where to get them.
Communication: define the communication channels in advance and who informs whom (internal teams, the hosting or mitigation provider, and customers).
Responsibility: document each team member's responsibilities and the actions they are expected to take.
3. Activate a WAF
A Web Application Firewall (WAF) is a set of rules or policies that protects websites and APIs from malicious traffic. It sits between the application and incoming HTTP traffic and filters the most common web exploits and abusive request patterns that can impact the availability of your application.
Various WAF solutions are available, so analyze which one suits your application, and tune its rules against your real traffic: an overly strict rule set blocks legitimate users just as effectively as an attack does.
4. Rate Limit
Attackers can make a very large number of repeated calls to an API, making its resources inaccessible to genuine users. A rate limit caps the number of API calls or requests a client can make in a given time window. If a client exceeds the maximum, temporarily block its access and return HTTP status 429 (Too Many Requests), ideally with a Retry-After header so well-behaved clients know when to come back.
NodeJs
import express from 'express';
import rateLimit from 'express-rate-limit';

const app = express();

// Allow each client (keyed by IP address) at most 100 requests per hour.
export const apiRatelimit = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour in milliseconds
  max: 100,
  message: 'You have exceeded the 100 requests in 1 hour limit!',
  headers: true, // adds X-RateLimit-Limit, X-RateLimit-Remaining and Retry-After headers to the response
});

// Register it as middleware so the limit applies to all requests.
app.use(apiRatelimit);
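As an added example, not from the original article or from express-rate-limit, the following shows the token-bucket algorithm behind this kind of middleware, written without dependencies so the mechanics are visible: burst capacity, a sustained refill rate, the Retry-After computation, and a bound on per-client memory. The capacity and refill values, the injectable clock, and the fake request objects are assumptions for illustration.

```javascript
// Added example (not from the original article or express-rate-limit).
// Capacity, refill rate and the injectable clock are illustrative assumptions.

class TokenBucketLimiter {
  // capacity: requests a client may burst; refillPerSec: sustained rate
  // (100 per hour is 100 / 3600); now(): clock in ms, injectable for tests
  constructor({ capacity = 100, refillPerSec = 100 / 3600, now = () => Date.now() } = {}) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }

  // Charge one request to `key`. Returns { allowed, remaining, retryAfterSec }.
  take(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, updatedAt: t };
      this.buckets.set(key, b);
    }
    // refill in proportion to elapsed time, never above capacity
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.updatedAt) / 1000) * this.refillPerSec);
    b.updatedAt = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
    }
    // seconds until one whole token is available again
    const retryAfterSec = Math.ceil((1 - b.tokens) / this.refillPerSec);
    return { allowed: false, remaining: 0, retryAfterSec };
  }

  // Forget clients idle longer than maxIdleMs so an attacker rotating through
  // many source addresses cannot grow the bucket table without bound.
  evictIdle(maxIdleMs) {
    const cutoff = this.now() - maxIdleMs;
    for (const [key, b] of this.buckets) if (b.updatedAt < cutoff) this.buckets.delete(key);
    return this.buckets.size;
  }
}

// Express-compatible middleware. Keying by req.ip is only meaningful if the
// app sits behind your own proxy with 'trust proxy' configured; otherwise
// every client appears to come from the proxy and shares one bucket.
function rateLimitMiddleware(limiter, keyOf = (req) => req.ip) {
  return (req, res, next) => {
    const r = limiter.take(keyOf(req));
    res.setHeader("X-RateLimit-Limit", String(limiter.capacity));
    res.setHeader("X-RateLimit-Remaining", String(r.remaining));
    if (r.allowed) return next();
    res.setHeader("Retry-After", String(r.retryAfterSec));
    res.status(429).json({ error: "Too Many Requests", retryAfterSec: r.retryAfterSec });
  };
}

// Fire `n` requests for `key` back to back and return the limiter's decisions.
function simulateBurst(limiter, key, n) {
  const out = [];
  for (let i = 0; i < n; i++) out.push(limiter.take(key));
  return out;
}
```

A single in-process Map is fine for one server; with several instances behind a load balancer the buckets have to live in a shared store (for example Redis), otherwise each instance grants the full limit independently. Whatever the store, keep the eviction step: a limiter that remembers every address it has ever seen is itself a resource an attacker can exhaust.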
5. Passive cache
With a passive (read-through) cache, the service first tries to retrieve an item from its cache backend and only on a miss falls back to the real data source, storing the result for subsequent requests. Most requests are then answered from data that is already available instead of reaching the upstream server. The cache backend is typically an in-memory store, either in-process or a networked cache, and the real data source is SQL, MongoDB, etc.
A caching layer in front of the origin keeps the bulk of repeated traffic from ever reaching the servers or services that do the expensive work, which raises the volume an attacker must generate to cause an outage. It only helps for cacheable responses, though: requests with unique keys (random query strings, per-user authenticated pages) still go to the origin, so watch those endpoints separately.
NodeJs
import NodeCache from "node-cache";
const myCache = new NodeCache();

// set object in the cache
const obj = { userid: 909887, name: "example" };
const success = myCache.set("userKey", obj, 600); // ttl is 600 seconds

// read object from the cache
const value = myCache.get("userKey");
if (value === undefined) {
  // handle miss: load the item from the real data source, then store it with myCache.set()
}
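The snippet above stops at the cache miss. As an added example, not from the original article or from node-cache, here is a read-through cache that fills itself on a miss and collapses concurrent misses for the same key into a single upstream call, so an expiring hot key under heavy load does not send every waiting request to the database at once (a cache stampede). The class name, the TTL, the injectable clock, and makeFakeUserDb(), a constructed stand-in for the real SQL/MongoDB lookup, are all assumptions.

```javascript
// Added example (not from the original article or node-cache). The fake
// data source and the TTL are constructed for illustration.

class ReadThroughCache {
  constructor({ ttlSec = 600, now = () => Date.now() } = {}) {
    this.ttlMs = ttlSec * 1000;
    this.now = now;
    this.store = new Map();    // key -> { value, expiresAt }
    this.inflight = new Map(); // key -> Promise of a miss currently being filled
    this.stats = { hits: 0, misses: 0, coalesced: 0 };
  }

  // Return the cached value, or load it once and share that one load with
  // every caller asking for the same key while it is still in progress.
  async get(key, loader) {
    const entry = this.store.get(key);
    if (entry && entry.expiresAt > this.now()) {
      this.stats.hits++;
      return entry.value;
    }
    if (this.inflight.has(key)) {
      this.stats.coalesced++;
      return this.inflight.get(key);
    }
    this.stats.misses++;
    const fill = (async () => {
      try {
        const value = await loader(key);
        this.store.set(key, { value, expiresAt: this.now() + this.ttlMs });
        return value;
      } finally {
        // on success or failure, stop coalescing onto this load; a failed
        // load caches nothing, so the next request retries upstream
        this.inflight.delete(key);
      }
    })();
    this.inflight.set(key, fill);
    return fill;
  }
}

// Constructed fake data source with a call counter, standing in for SQL/MongoDB.
function makeFakeUserDb() {
  const rows = { "909887": { userid: 909887, name: "example" } };
  let calls = 0;
  return {
    calls: () => calls,
    async load(id) {
      calls++;
      await new Promise((resolve) => setTimeout(resolve, 5)); // simulated query latency
      if (!(id in rows)) throw new Error("no such user: " + id);
      return rows[id];
    },
  };
}

// Three requests arrive for the same uncached user at the same moment; the
// database must see only one query, and a fourth request is a plain hit.
async function demo() {
  const db = makeFakeUserDb();
  const cache = new ReadThroughCache({ ttlSec: 600 });
  const results = await Promise.all([
    cache.get("909887", db.load),
    cache.get("909887", db.load),
    cache.get("909887", db.load),
  ]);
  await cache.get("909887", db.load); // served from cache
  return { dbCalls: db.calls(), name: results[0].name, stats: cache.stats };
}
```

The in-flight map is the part that matters under attack: with a plain get-then-set pattern, a thousand concurrent requests for a key that just expired become a thousand database queries, which is exactly the amplification an attacker wants. Note also that a failed load is deliberately not cached, so a transient database error does not get served as a stale "not found" for the full TTL.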
6. Cloud-Based DDoS Mitigation
Some vendors offer DDoS mitigation as a service (SaaS). Pricing models vary: some charge a one-time license or setup fee and then bill by usage, others a flat subscription.
A cloud-based mitigation service has several advantages over an on-premises solution: dedicated staff who react faster than an in-house team, scrubbing capacity far beyond what a private network can absorb, which is what matters in volume-based attacks, multi-regional availability with replication so that traffic can be shifted to another region without affecting your users, and continuously updated policies and rule sets.
Final thoughts
DDoS attacks are increasing every day, and an organization needs to be prepared for one. If it has not prepared in advance and an attack happens, containing the damage can take months and harm its reputation.
Fixhackedsite (we're experts in fixing hacked websites) has all of these processes and policies well defined, with 24x7 monitoring by a dedicated security team. Please see the Security Overview document for more information.