In 2023, DDoS attacks on servers became even more organized: attackers automated them with the help of artificial intelligence. Both small websites, which are hit at random, and large ones, which are targeted deliberately, are now under threat.
What a DDoS attack is and how it works
The essence of a DDoS attack is an attempt to disrupt a whole system by overloading it with a huge number of packets or requests. Attackers use many compromised sources so that the traffic reaches the server through different channels at once; that is what "distributed" means.
The principle of a DDoS attack is to flood the server with illegitimate traffic, which inevitably crowds out normal users. As a result, sites become inaccessible or their loading speed drops significantly. A DDoS attack on a game server causes the same problems for gamers.
Who's doing it
The people behind these attacks range from a high school student who fancies becoming a hacker to a real professional who is fulfilling an order or seeking to enrich himself.
Let's say company A plans to make a significant profit before New Year's Eve, but its main competitor, company B, offers more attractive conditions for clients. By blocking the competitor's site, company A can take all of its orders, while company B suffers losses.
However, legislation strictly prohibits DDoS attacks, as they violate the right to access information and interfere with the functioning of web resources.
Why are they attacking
DDoS attacks are aimed at making a server, product or website inaccessible to users. Some are organized for a commercial purpose: to extort a ransom for stopping the attack, or to undermine a competitor before an important event. There are also non-commercial reasons: geopolitical motives, entertainment, "hacking" practice, or revenge.
Experience shows that DDoS attacks often target organizations such as online stores, casinos, betting sites, gaming services, media outlets, educational and governmental institutions, and online education platforms. It is important to note that a DDoS attack is different from website hacking: it does not exploit or alter the site's code, but only overloads the server with mass requests, so that the website becomes inaccessible to users.
What are the dangers of DDoS attacks
Any DDoS attack has a negative impact on your business. The network channel gets flooded with unnecessary traffic, and the consequences go beyond the site being inaccessible to clients. For example, if you pay for traffic in the cloud, the flood itself causes financial losses. Long inaccessibility of the site leads to a drop in search engine rankings and loss of positions, and getting back to the top takes effort. In addition, clients who cannot reach the site may lose trust in you and turn to competitors. Finally, other elements of the company's IT infrastructure stop working properly, which can, for example, leave internal information exposed.
DDoS attacks can render a system completely unusable while leaving no evidence that would hold up legally. This creates serious problems for businesses, which lose revenue because their goods and services are unavailable.
DDoS attack types
DDoS attacks can vary in terms of attack vectors and targets.
At layers 3 and 4 of the OSI model
- SYN flood: many SYN packets are sent in a short time. The goal is to fill the victim server's connection queue with half-open connections.
- UDP flood: the server receives many UDP packets from different IP addresses.
- Attackers attack the HTTP, FTP, or SMTP protocols. This makes access to the server difficult or blocks it completely.
- DNS amplification: attackers use open DNS servers and send forged requests with a spoofed source IP address, so that the replies land on the victim.
On vulnerable infrastructure
Attacks that target authentication services, DNS servers, VPNs, reverse proxies, firewalls, and other infrastructure components are called application layer attacks. They send a large number of requests, each of which requires significant computing power to serve. High-level application layer attacks erase information, steal resources from the server, and steal data from databases.
Such an attack can leave the system without the resources to perform even simple operations. It can be very destructive and difficult to detect, because it can mimic legitimate traffic. One example of such attacks is the "Ping of death", where the victim receives a malformed request (ping) that "turns it off" for everyone.
DDoS protection methods
Let's consider effective ways to protect a server from DDoS attacks without relying on solutions offered by hosting providers, paid services or third-party programs.
- Make an infrastructure plan. You need to know exactly what you have and where it is: which servers and services you are using. Anything that should not be reachable from the outside should be closed off.
- Configure the firewall. Allow access only from trusted addresses and networks.
- Hide real IP addresses and change them periodically. If you have already been attacked and repelled the attack, the risk of a new one increases.
- Try to avoid non-encrypted traffic.
- Switch from HTTP to HTTPS. This is important for security in general, and it also helps you build a server that is resistant to DDoS attacks: attackers will not be able to read your packets, understand how they are formed, and then spoof them.
- Check your business logic to understand how and where your real clients should make requests. This process will help you recognize illegitimate requests.
- If there are several virtual servers on one physical machine, allocate resources between them carefully so that a downed server cannot harm its neighbors.
- Some parts of the site code may be poorly optimized and vulnerable to attack. They should be reviewed and optimized.
- DDoS attacks are not always easy to detect. It is therefore very important to set up monitoring of server metrics: channel and memory utilization, CPU utilization, and the performance of the individual site components that matter for the business.
- Ensure timely software updates, including operating system and applications. This eliminates vulnerabilities.
- Perform regular system resilience checks to identify and address possible vulnerabilities.
- Keep backups so that in the event of a DDoS attack that could cause data loss, you can recover your data.
There are also useful tools for protection. The choice depends on the type of server, the operating system and the security requirements.
- IPTables - helps to configure packet filtering rules at the Linux kernel level. It can be used to restrict access to the server, block IP addresses of attackers and set rules to protect against DDoS attacks.
- CSF is a set of scripts and utilities that provide additional features: firewall, intrusion detection system (IDS), IP address blocking, traffic filtering and other functions.
- Nginx - supports the limit_conn module to limit the number of simultaneous connections and limit_req to restrict the number of requests from a single IP address.
Don't forget to use vulnerability scanners for additional protection. Some of them are OpenVAS, Nessus, XSSer, and Nikto. They help identify and close system weaknesses, reducing the possibility of attacks and increasing security.
A few more tips
Cache your content. This allows pages to open quickly, improves web performance, facilitates access to frequently requested data, and mitigates the impact of DDoS attacks.
Use a CDN - a geographically distributed network of servers that store copies of the content users need. Users then receive content not from a central server but from servers that are physically closer to them. With a CDN, content delivery becomes faster and server load is reduced, which in turn lowers the chance of a successful DDoS attack and makes one easier to deal with when it occurs.
How to detect a DDoS attack
- Network load and traffic volume on connection ports have increased.
- The site is slow, or 502, 503 or 504 errors are returned.
- Memory and CPU load increases sharply.
- The number of requests to databases or internal services increases.
- Multiple user accesses to the same files or pages are registered, but they do not correspond to the subject of the web resource (for example, you have a clothing store in Perm, but the traffic comes from all over the world).
DDoS attack detection methods
One of the basic principles of cyber attack mitigation is to keep an eye on traffic. Regular monitoring and analysis will help identify anomalies in a timely manner and take measures to protect against malicious activity.
- Careful analysis of web resource traffic. You can do it yourself or use automatic systems.
- Tracking response times. In the early stages of an attack, it is difficult to notice that the site has started to slow down. It is recommended to regularly analyze the state of the site to determine what response times are considered normal. Changes in this metric may indicate a DDoS attack.
- Configure automatic attack notification. Once you have determined what traffic is considered normal, you can use services to notify you of any anomalies.
- Set up a rate limiter to restrict content load. It limits the number of incoming requests to a default threshold and also tracks traffic spikes.
- Study past attacks. If you already have data from earlier attacks, use it to discover new ones. Compare incoming traffic with the existing footprint of past attacks to identify similarities or differences. Give the attacker's user agent a 403 status that denies access to the requested resource. This method will be effective until the attacker changes his user agent.
The most effective option is to use all of the above methods together. Different monitoring models detect suspicious activity early and increase your chances of success.
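As an added example (not code from the original article), here is a small Python checker that applies the symptoms listed under "How to detect a DDoS attack" and the footprint-matching method above to lines in nginx's combined access-log format: it flags source IPs that exceed a request rate within a sliding window, that hammer a single URL, or that carry a user agent recorded from an earlier attack, and it measures the share of 502/503/504 responses. The thresholds, the log format and the sample traffic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# nginx "combined" access-log format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (ip, unix_time, path, status, user_agent), or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    parts = m["req"].split()
    path = parts[1] if len(parts) >= 2 else m["req"]
    return m["ip"], ts, path, int(m["status"]), m["ua"]

def analyse(lines, window=10.0, max_in_window=20, known_bad_uas=frozenset()):
    """Map each suspicious IP to its indicators: 'rate', 'footprint', 'single-path'."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec[0]].append(rec)
    flagged = defaultdict(set)
    for ip, recs in per_ip.items():
        times = sorted(r[1] for r in recs)
        start = 0
        for end, t in enumerate(times):  # sliding window: requests within `window` seconds
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_in_window:
                flagged[ip].add("rate")  # too many requests in a short time
                break
        if any(r[4] in known_bad_uas for r in recs):
            flagged[ip].add("footprint")  # user agent seen in a past attack
        if len(recs) >= max_in_window and len({r[2] for r in recs}) == 1:
            flagged[ip].add("single-path")  # hammering one URL, typical of a bot
    return dict(flagged)

def five_xx_ratio(lines):
    """Share of 502/503/504 responses: the 'site is slow or erroring' symptom, measured."""
    recs = [r for r in map(parse_line, lines) if r]
    return sum(r[3] in (502, 503, 504) for r in recs) / len(recs) if recs else 0.0

# Constructed sample traffic (not real logs): one normal visitor and one flood source.
NORMAL = [f'203.0.113.5 - - [12/Mar/2023:10:00:{s:02d} +0000] "GET /item/{s} HTTP/1.1" 200 4096 "-" "Mozilla/5.0"' for s in (0, 15, 40)]
FLOOD = [f'198.51.100.9 - - [12/Mar/2023:10:00:{i // 10:02d} +0000] "GET /search?q=a HTTP/1.1" 503 0 "-" "python-requests/2.28"' for i in range(30)]
SAMPLE_LOG = NORMAL + FLOOD
```

Running `analyse(SAMPLE_LOG, known_bad_uas={"python-requests/2.28"})` flags only the flood source, with all three indicators; the normal visitor is untouched.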
What to do during an attack
It is very important to stay calm and not allow yourself to sink into panic.
Make sure that the site is really under a DDoS attack. To do this, contact your hosting provider and look at the graphs of interface load, CPU, disk activity, and so on. Get information about the level of resource utilization and confirmation of the type of DDoS attack. If the site is not protected by the provider, contact the hosting team as soon as possible.
If you have a checklist for dealing with DDoS attacks and an experienced system administrator, use all available tools to reduce the load on the server.
Try to understand the nature of the attacking traffic and its targets. Use analyzer programs to assess the situation.
If you have the opportunity, follow these steps:
- Check the availability of the site with check-host, ping-admin, ping.pe, etc., and the availability of the server, VPS or hosting. The problem may not be an attack but, for example, a power supply failure.
- Clear the access and error logs. The flood of near-identical attack requests fills the logs quickly and can cause problems of its own.
- Configure rate limiting on the firewall. This is a temporary measure that partially isolates the server from the network.
- Change the DNS records for the domain. This is also a temporary measure.
If a site or server is unavailable because of an attack, let your audience know about the problem. Put up a placeholder page with information about when you expect it to be resolved.
Regularly monitor the performance of your web resources, respond quickly to any anomalies and take care of protection. Do not forget that fighting a powerful DDoS attack on your own is almost impossible. Rely on a trustworthy hosting provider that monitors your site continuously to stop the most powerful attacks.