DDoS means Distributed Denial of Service. DDoS-attacks are meant to make the victim deny service to both normal users and attackers.
The easiest way to explain DDoS is by example:
Imagine that you are standing in a queue in a local store. The cashier is slowly but steadily processing the orders, the queue is getting shorter, and then one customer decides to mess with the cashier. Like this:
«Twelve oranges, please. Also… How much are these chocolates? Too much… What about those? Do you have something like them, but with other fillings? Or with peanuts on top? You know what, I don’t want the oranges, replace them with grapefruits. Do you have cookies?»
Some time later, the cashier will simply refuse to serve him and the queue will move on. But what if there will be a hundred of those clients? At some point the cashier will simply close up shop and run away screaming.
That is what a DDoS attack is — swarming the server with hundreds of useless requests from different addresses, up until the point it goes down.
When it comes to the internet, a hundred users means nothing. That’s why, usually, DDoS-attacks are carried out with dozens, or even hundreds of thousands of computers. And if in order to DDoS a store you need just a modest flashmob, when it comes to DDoSing a server, you need something more.
Most hackers prefer using infected computers. It can be computers in school, in the library, a computer club or even simply computers that belong to other users. Such viruses do not show themselves in any way, but when they get a command from the author, they immediately attack the server.
Most DDoS-attacks happen on these three vectors:
- GET (HTTP/FTP). Hackers request a page or a file from the server. If there’s enough of them, and the server does not have resources to spare, at some point it will begin to form a queue. Once it is full too, the server can be considered down, since there will be no way to access the resources on it.
- TCP-SYN. TCP protocol is the foundation of the internet, and the SYN-packages are the requests to establish connection via TCP. Once the server receives such a package, it sends back a SYN-ACK package and waits for ACK-package to be sent back. Except attackers never send an ACK — only new SYNs. And since the number of open TCP connections is limited, at some point all of them will be taken by the attackers and the server will go down.
- UDP/ICMP. UDP is a protocol of user datagrams, which allows a single server to host more than one application. Once the server receives a UDP-request, it has to check the availability of an app at the request port and then send back either a response or a ICMP-error. And since there is no limits on the number of requests sent, a hacker can easily send as many UDP-requests as they want, essentially flooding the server’s outgoing broadband with much heavier ICMP-error packages. And if the hacker uses a fake IP, then those package can be redirected to a yet another server, flooding its incoming broadband too.
There are other ways to DDoS too — from sending fake SSL requests to faking your MAC address and confusing the network switch. But they require more preparation and thus are not that popular.
How to protect from DDoS
At the beginning of times, all you needed to protect yourself from DDoS was a decently setup server. But as the times went by, more devious attacks were discovered and clever setups stopped cutting it. As of right now, you need some additional hardware to even simply begin DDoS-proofing your server, as well as a 1+ Gbps broadband in case it fails.
On Unihost servers — both dedicated and used for VPS and hosting — we are using a three-tier DDoS protection.
- To defend against TCP-SYN and GET attacks, we are using a firewall. It’s a separate device that checks the traffic and transmits only the one it cleared to the server. For example, if a lot of users start requesting the same file over and over again, the firewall will limit their access to the server.
- To defend against UDP/ICMP attacks, we are using a router. It’s a device that controls the access to the network and filters out the pointless or suspicious packages.
- To defend against unusual attacks, a member of Unihost support team monitors the traffic 24/7.
If you have no access to the server, but still want to protect your website, use CDN. CDN is a content distribution network, that creates cached copies of all materials on the website and saves it on its own server. The end users get their content from the CDN, which alleviates a lot of load from your own hosting. Cloudflare is the most popular CDN and can handle up to 400 Gbps DDoS attacks. You can connect your Unihost hosting to Cloudflare with a single click.
DDoS attacks are becoming a thing of the past, with an advent of high-speed internet and more and more reliable defense methods. But they are still dangerous. So if you are afraid of unfair competition or simply mischievous hackers, pick a hosting with a reliable DDoS protection.
Subscribe to get useful articles and updates.