What is a DDoS attack?
In summary, a DDoS attack is a flood of traffic aimed at a server or web server. With enough traffic, an attacker can exhaust the available bandwidth, the server's resources, or both, until the target stops working. Either the server fails outright or there is no bandwidth left for a genuine client to reach the web service. As you can imagine, this means service outages and lost revenue for as long as the attack continues.
A managed DDoS service can protect online businesses, so it is important to understand how DDoS attacks work and how to mitigate them quickly. Because the attack has no single source, you cannot simply filter or block one IP address. DDoS attackers infect users' systems (not only computers but also embedded systems and IoT devices) with software that lets them control those systems from anywhere in the world. The attackers use a central command system to direct the infected machines to send traffic at the target site. The number of machines available to an attacker depends on how many have been infected, but it can be tens of thousands. Worse still, DDoS malware is often quite sophisticated: for example, an attacking system can send incomplete connection requests that leave the server waiting for each one to finish, and then overload the server by sending a large number of such requests.
Generally, you can estimate how much traffic your server can withstand. If normal traffic is 100 connections at a time and the server works fine at that level, then 100 machines competing for connections will probably not cause a problem. A DDoS attack, however, produces thousands of connections from many different IP addresses at once. If the server cannot handle 10,000 connections at once, it may be vulnerable to a DDoS attack.
Without warning, hundreds or thousands of machines (servers, desktops, and even mobile devices) simultaneously send traffic to your site. Within minutes, your site's performance degrades and its resources are exhausted, and normal users can no longer access it.
How Do You Know That A DDoS Attack Is Occurring?
The most difficult part of a DDoS attack is the lack of warning. Some large hacker groups issue threats beforehand, but most of the time attackers launch the attack on the site without any warning at all.
I generally don't browse the site, so it is usually a customer complaint that finally reveals something is wrong. You probably don't think it's a DDoS attack at first; I think the server or hosting is down. I check the server and do some basic testing, but I only see a lot of network traffic that is depleting resources. You can also check whether any program is running in the background, but I can't find any noticeable problem.
Several hours can pass between the moment you realize it is a DDoS attack and the moment the damage is mitigated. This means hours of lost service and income, which adds up to a significant reduction in revenue.
Signs of a DDoS Attack
The most effective way to mitigate a DDoS attack is to recognize it as soon as it begins. There are several clues that indicate an ongoing DDoS attack:
- A single IP address makes x requests in y seconds
- The server responds with HTTP 503 because the service is unavailable
- Ping requests time out (TTL, time to live, exceeded)
- Employees notice slowdowns when using the same connection for internal software
- The log analytics solution shows increased traffic
Too Many Requests from One IP
You can temporarily configure your router to send traffic from a specific IP address to a null route. Essentially, this directs the attacking IP's traffic to a route that goes nowhere, so it can no longer affect the server. This is tricky, because it is easy to block legitimate IP addresses while trying to stop the attack. Another problem is that the source IP is generally spoofed, so the connection between the server and the supposed source machine never completes.
Setting up alerts through a firewall or an intrusion detection or prevention system can be difficult. Again, this is because legitimate bots can be flagged as attacks. The configuration and settings also depend on your system.
In general, configure alerts to fire when too many connection requests arrive from one IP address or range in a short period of time. Crawlers such as Googlebot fetch pages very quickly and frequently, so you may need to whitelist certain IP addresses. Because legitimate bots and scripts generate false positives in the alert system, it may take a while to tune the settings until the alert works correctly, but it is important to do so.
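The "x requests in y seconds" alert with a crawler whitelist described above, as an added example that is not part of the original article: a Python sliding-window counter over constructed access-log lines that flags any IP sending more than a threshold of requests within the window and skips an assumed (placeholder) crawler range so it does not raise a false positive.

```python
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines: "<ISO timestamp> <client IP> <path>".
# 203.0.113.10 sends a burst, 198.51.100.7 is an assumed crawler on the
# whitelist, and 192.0.2.5 is an ordinary client browsing at a normal pace.
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.10 /
2024-03-01T10:00:00 198.51.100.7 /a
2024-03-01T10:00:01 203.0.113.10 /
2024-03-01T10:00:01 203.0.113.10 /
2024-03-01T10:00:01 198.51.100.7 /b
2024-03-01T10:00:02 192.0.2.5 /login
2024-03-01T10:00:02 203.0.113.10 /
2024-03-01T10:00:02 198.51.100.7 /c
2024-03-01T10:00:03 203.0.113.10 /
2024-03-01T10:00:04 203.0.113.10 /
2024-03-01T10:00:45 192.0.2.5 /home
2024-03-01T10:01:30 192.0.2.5 /logout
"""

# Assumed whitelisted crawler range (placeholder, not any real crawler's range).
ALLOWLIST = [ip_network("198.51.100.0/24")]

def is_allowlisted(ip, allowlist=ALLOWLIST):
    addr = ip_address(ip)
    return any(addr in net for net in allowlist)

def find_offenders(log_text, max_requests=5, window_seconds=10, allowlist=ALLOWLIST):
    """Return {ip: peak requests seen inside one window} for every IP that
    exceeds max_requests within window_seconds; whitelisted IPs are skipped."""
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        ts_text, ip, _path = line.split(" ", 2)
        if is_allowlisted(ip, allowlist):
            continue
        ts = datetime.fromisoformat(ts_text)
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old entries
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

if __name__ == "__main__":
    for ip, peak in find_offenders(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} requests within 10s (threshold 5)")
```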