Friday, March 26, 2010

DDoS Attacks and how to handle them.

SkyHi @ Friday, March 26, 2010

Well, unfortunately we have recently had a lot of experience with DDoS attacks. However, DeveloWare LLC can now offer DoS and DDoS protection along with our hosting services. So here is a summary of what we have learned through the process…

What is a DDoS attack?

DoS and DDoS attacks flood a Web server with false requests for information, overwhelming the system and ultimately crashing it. The following graphics explain how such attacks work and how companies can possibly prevent them. In effect the server cannot handle all the requests, no matter how big and bad your server is. The nature of the attack is quite simple, but it has complex results on the machine being affected.

How a "denial of service" attack works

In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.

In a denial of service attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again, tying up the service indefinitely.

Typical connection (diagram not reproduced)

DoS & DDoS attacks (diagram not reproduced)
How to block a "denial of service" attack

One of the more common methods of blocking a "denial of service" attack is to set up a filter, or "sniffer," on a network upstream, that is, before a stream of information even reaches a site's Web servers. The filter can look for attacks by noticing patterns or identifiers contained in the information. It requires hardware for filtering. If a pattern comes in frequently, the filter can be instructed to block messages containing that pattern, protecting the Web servers from having their lines tied up.


DDoS attacks can happen to anybody!


As a webmaster or admin for any site, never ever think you are exempt from being attacked. It can happen to anybody. Last month alone there were over 50,000 reported attacks. The attacks were directed at major sites and small ones alike. Twitter was taken down by such attacks just a couple of weeks ago. Then the same malicious group targeted Google and Facebook. Less than two years ago the Department of Defense was attacked and completely taken down. If they can take down Google, Twitter, and the US government, they can most likely take down your site also.

Protect Your Website

To protect your site you must have hardware that can defend your servers. The problem is that it is expensive. If you find your site is being attacked and you host with one of those $5/month accounts at some cheap hosting company, you will find that they will just shut down your site in the interest of protecting the other sites on their servers. You will be just flat out of luck. Make sure your host has the routers and firewalls in place to handle these vicious attacks. Ask specifically about DDoS prevention before you purchase hosting if you want protection. Normal firewalls and routers WON'T STOP THE ATTACKS.

Take it from me. We had a virtual server completely upgraded and screaming fast with the highest security you can imagine. But the nature of a DDoS attack does not even send up a red flag to most security prevention systems. You will most likely only notice when your site goes down or your hosting provider cuts you off. Not good at all, because by then it is too late!

The nature of an attack

What makes these kinds of attacks almost impossible to handle without the proper hardware is that you cannot just start blocking IP addresses, for a couple of reasons. First, most of the time the IP making the request is a real IP, but most likely one that is not malicious: usually the IP has been spoofed. Therefore, if you add an offending IP to your block list you may be blocking a true source of visitors. Second, the request itself is not what actually kills your HTTP server. What kills the server is an incomplete "handshake".

To explain the three-way server handshake, let's elaborate a little…

To establish a connection, TCP uses a three-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:

1. The active open is performed by sending a SYN to the server.

2. In response, the server replies with a SYN-ACK.

3. Finally, the client sends an ACK (usually called SYN-ACK-ACK) back to the server.

In a DDoS attack it's more like a two-way handshake. This leaves your server hanging, waiting for the third message. What this does is flood your HTTP server with incomplete requests. Most servers have a 30-second timeout and a maximum number of connections around 300 or so. Hence, your server is doomed without protection.
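To make the "doomed without protection" point concrete, here is a small model of the half-open connection table, added here as an example (it is not code from the original post). It uses the two figures the post quotes, a 30-second timeout and roughly 300 connection slots, and feeds in SYNs whose final ACK never arrives; the arrival rates are constructed. Anything above capacity divided by timeout, here just 11 SYNs per second, fills the table in under half a minute, after which legitimate SYNs are refused too.

```python
"""Model of a server's half-open (SYN-RECV) connection table under a SYN flood.

Added example, not from the original post.  Capacity 300 and a 30-second
timeout are the figures the post quotes; the arrival rates are constructed.
"""
from collections import deque


def simulate_syn_flood(syn_per_sec, seconds, capacity=300, timeout=30):
    """Feed `syn_per_sec` never-acknowledged SYNs per second for `seconds`.

    Each accepted SYN occupies a slot until the timeout expires, exactly as a
    half-open connection would.  Returns (first_refusal_second, peak_occupancy,
    refused_total); first_refusal_second is None if the table never filled.
    """
    table = deque()          # expiry time of each half-open entry, oldest first
    first_refusal = None
    peak = 0
    refused = 0
    for t in range(seconds):
        # Drop entries whose timeout elapsed: that is the only way a slot frees,
        # because the spoofed client never sends the final ACK.
        while table and table[0] <= t:
            table.popleft()
        for _ in range(syn_per_sec):
            if len(table) >= capacity:
                # A legitimate SYN arriving now would be dropped the same way.
                refused += 1
                if first_refusal is None:
                    first_refusal = t
                continue
            table.append(t + timeout)
        peak = max(peak, len(table))
    return first_refusal, peak, refused


def exhaustion_rate(capacity=300, timeout=30):
    """Smallest whole number of SYNs per second that overflows the table.

    At steady state the table holds rate * timeout entries (Little's law),
    so any rate above capacity / timeout eventually refuses connections.
    """
    return capacity // timeout + 1


if __name__ == "__main__":
    for rate in (5, 10, 11, 50):
        first, peak, refused = simulate_syn_flood(rate, 120)
        print(f"{rate:3d} SYN/s: peak {peak:3d} half-open, "
              f"first refusal at {first}s, {refused} refused in 120 s")
    print("Exhaustion rate:", exhaustion_rate(), "SYN/s")
```

The model also shows why shortening the timeout only raises the bar rather than removing it: with a 5-second timeout the same 11 SYNs per second settle at 55 entries, but a faster flood fills the table just the same. The model does not cover SYN cookies (Linux `net.ipv4.tcp_syncookies`), which sidestep the problem by not storing half-open state at all.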

DDoS attack symptoms and info

DDoS attacks generally WILL NOT eat up your bandwidth because the handshake never got completed. It just increases server load to the point of being rendered useless. Nothing ever gets sent to the requesting host so there is not usually a bandwidth issue.

DDoS attacks are basically impossible to track unless you have tons of resources, like on a government level. One of the difficulties in tracking them is that the offending IPs are usually spoofed and do not exist, or are valid IPs that belong to someone who is not the offender.

Blocking IPs won't help with a DDoS attack. You must have the proper hardware to defend against DDoS attacks. If somebody knows software that can handle these attacks, please let me and the world know about it.
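The symptom the two sections above describe, rising server load with almost no bandwidth, shows up directly in the socket table as a pile of SYN-RECV entries. The following script, added here as an example and not part of the original post, reads lines in the layout Linux `ss -tan` prints, counts the half-open sockets, and reports whether they are concentrated on one claimed source (where a block would at least relieve pressure) or spread thinly across many spoofed or innocent addresses, which is the case where the post says an IP block list is useless. The socket lines and the thresholds are constructed, not a capture from a real host.

```python
"""Spot a SYN flood from `ss -tan` style output and judge whether per-IP
blocking could help.  Added example, not from the original post; the socket
lines below are constructed (RFC 5737 documentation addresses), not a
capture from any real host."""
from collections import Counter

# Column layout `ss -tan` prints on Linux (no Process column without -p)
HEADER = "State      Recv-Q Send-Q Local Address:Port Peer Address:Port"


def build_sample(half_open_sources):
    """Return constructed `ss -tan` lines: a few normal sockets plus one
    SYN-RECV entry per address in half_open_sources (repeats allowed)."""
    lines = [
        HEADER,
        "LISTEN     0      128    0.0.0.0:80         0.0.0.0:*",
        "ESTAB      0      0      203.0.113.10:80    198.51.100.20:40112",
        "ESTAB      0      0      203.0.113.10:80    198.51.100.21:40113",
    ]
    for i, src in enumerate(half_open_sources):
        lines.append(f"SYN-RECV   0      0      203.0.113.10:80    {src}:{40000 + i}")
    return lines


def summarize_half_open(lines):
    """Count half-open (SYN-RECV) sockets and who they appear to come from.

    The peer address is the only clue available, and during a flood it is
    usually spoofed, so 'distinct sources' means distinct *claimed* sources.
    """
    sources = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]  # strip the ephemeral port
        sources[peer_ip] += 1
    total = sum(sources.values())
    top_ip, top_count = sources.most_common(1)[0] if sources else (None, 0)
    return {
        "half_open": total,
        "distinct_sources": len(sources),
        "top_source": top_ip,
        "top_share": top_count / total if total else 0.0,
    }


def assess(summary, max_half_open=200, concentration=0.5):
    """Classify the SYN backlog; both thresholds are constructed defaults.

    'flood-concentrated': one claimed source holds most of the half-open
    sockets, so blocking it would relieve pressure.  'flood-distributed': the
    case the post describes, many spoofed or innocent addresses each adding a
    little, where a block list cannot help.
    """
    if summary["half_open"] <= max_half_open:
        return "normal"
    if summary["top_share"] >= concentration:
        return "flood-concentrated"
    return "flood-distributed"


if __name__ == "__main__":
    # 250 half-open sockets, each from a different claimed address
    spread = build_sample([f"192.0.2.{i + 1}" for i in range(250)])
    # 250 half-open sockets all claiming the same address
    single = build_sample(["198.51.100.99"] * 250)
    for name, sample in (("spread", spread), ("single", single), ("idle", build_sample([]))):
        s = summarize_half_open(sample)
        print(f"{name}: {s['half_open']} half-open from {s['distinct_sources']} "
              f"sources, top share {s['top_share']:.3f} -> {assess(s)}")
```

On a live Linux host, feed the output of plain `ss -tan` to `summarize_half_open`; the half-open count climbing while bytes in and out stay flat is the bandwidth-free load pattern the symptoms section describes.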

Who is doing such malicious attacking?

To put it bluntly, there are many groups of attackers out there. Some are religiously based and some are politically based. But the most notorious ones are simply groups of hackers that get paid to take down sites. They get paid between $100 and $500 per 1000 HTTP requests. There are actually bots for hire out there… SHeeesh! I think they should be hung upside down and have their toenails pulled out.

Conclusions about DDoS attacks

Get a hosting company that has the hardware to handle these attacks. Firewalls and fast servers alone just won't help. As a result of the recent attacks on us and on the companies that host through us, we have upgraded our equipment to handle this. We can now provide protection against DDoS attacks.