Due to the conflict between Russia and Ukraine, the news about DDoS attacks was again in the headlines on the websites of many companies and government institutions in Ukraine. As a result, both websites and e-services were paralyzed.
DDoS stands for Distributed Denial of Service. What exactly is a DDoS attack? It is an attack on a given website from many places at the same time. The attack consists of many requests directed to services and means a lot of network traffic which in turn makes it impossible to handle requests from “real” users to services. The consequence of such attack is the utilization of server resources, blocking access to links, applications, services, or websites.
DDoS can be compared to a situation where, for example, we tried to buy a ticket to a concert of a famous performer or use a government service when submitting annual statements to the National Court Register just before the deadline. It happened more than once that the servers “could not stand” the load. The described situation concerns the inadvertent action of many users, unlike a hacker attack, where it usually has a larger scale, and the goal of criminals is to paralyze the operation of servers.
Ukraine hit by DDoS attacks, Russia deploys malware https://t.co/WDuCn4MB0s #news #cybersecurity #infosec pic.twitter.com/JTqSplTMtT
— DeepFriedCyber (@DeepFriedCyber) February 23, 2022
The effects of a DDoS attack can be catastrophic for the company – you can imagine an attack on an Enterprise Resource Planning (ERP) system server, e-commerce website or other system in the company that completely paralyzes it, making it impossible to function. A break in business means measurable losses. On one hand, they result in business downtime, direct loss of revenues, failure to meet deadlines, often penalties and, on the other, loss of the company’s credibility and customer exodus. An attack on government administration servers prevents the operation of websites for citizens or even the cessation of the operation of key services.
There are many examples of such attacks, including the 2004 Mydoom virus attacks on SCO and Microsoft’s servers. The most important DNS servers were targeted twice (in 2002, causing a blockage of 9 out of 12, and in 2007, blocking 2 of the 6 attacked servers). In connection with the planned signing of the Anti-Counterfeiting Trade Agreement (ACTA) by the Polish government in 2012, an attack, by a group called Anonymous, took place on the sides of Polish government institutions and the lower house of Polish parliament, the Sejm. Often the target of the attack (as in 2015 and 2016) were online game servers – e.g., Stardoll, which was used by almost 400 million users. The truth is, however, that we do not find out about most DDoS attacks (or attacks of any other type) – because they are carefully hidden by victims (especially business ones) – after all, such attacks always exhibit a lack of preparation for cybersecurity incidents by their victims.
IT people should consider how to minimize the risk of an attack and secure the infrastructure. First, know which servers may fall victim to an attack, what effects an attack may have on the functioning of servers, what causes downtime of which services, so you are able to prioritize activities and allocate appropriate resources (whether human or financial) to these services, which are necessary for the functioning of the organization.
Anti-DDoS solutions are based on hardware and application components. The security system defines a set of IP addresses that are monitored by the security system. When a certain traffic threshold is exceeded, an alarm is generated and filtering is activated, which redirects the traffic from the attacked server to other devices. These devices can be in the local infrastructure as well as that owned by the anti-DDoS service provider.
One of the activities is to perform server load tests so that we can prepare our infrastructure for specific network traffic. Stress tests are used not only to prepare for a DDoS attack, but also to prepare websites to work with a certain number of users in a specific period – which allows to ensure the continuity of services, e.g., e-commerce system in the pre-Christmas period. The stress test will show what resources are missing under higher load (RAM, disks, processors, link, etc.).
Hardening means increasing the resistance of a given system to break-ins through its correct and appropriate reconfiguration. Network devices, servers with services and databases should have enhanced ability to respond. What should an IT department focus on? Start by “strengthening” the network and limiting the services offered to the level that is required, closing unnecessary ports on network interfaces, ensuring the appropriate level of authentication, controlling access, and optimizing the use of memory and processing power of servers and anything that generates additional traffic.
Another element that increases the security of the organization is load balancing, which consists of sharing the load between multiple servers, mass memories and network connections. The “balanced” system ensures optimal operation of the website located on twin servers, thanks to which we can ensure business continuity in the event of a failure or hacker attack.
It is also worth spreading the traffic from one DNS server into several, so that one server is not responsible for traffic in our entire network. You can also use external DNS servers, thanks to which we will avoid overburdening our own DNS servers. Another issue worth considering is the optimization of the website consisting of limiting to the necessary minimum the generated queries to the database, downloads, scripts, dividing the application’s activities into stages. It is worth spreading the activities performed by the website into several independent servers providing individual services.
The use of firewalls (more precisely, a skillful analysis of information from them), allows to detect additional, suspicious network traffic from specific addresses. Based on the analysis of event logs, you can determine the IP numbers from which our infrastructure is attacked and block them. These activities apply to both hardware and application firewalls. It is also worth using other tools to detect other anomalies in the functioning of the network: any significant changes in short periods often mean an attack – whether it is an increase in the number of users or generated website queries from one region.
In the case of prevention against DDoS attacks, it is worth considering moving your services to an external Data Center or using the public cloud in your solutions because the services offered by external suppliers will usually be cheaper for us (if we look at Total Cost of Ownership) and more advanced with an appropriate level of services. Everything has its advantages and disadvantages – but you need to be able to define them and choose the right option.
We must be aware that there is no set of activities and tools to protect 100% against an attack. People responsible for IT security and ensuring business continuity should take a set of actions and use a series of systems monitoring and filtering network traffic or eliminating attacks. The coming months are likely to bring us an increase in all sorts of incidents, so we should protect ourselves against all dangers.
Author: Przemysław Kucharzewski
About Przemek Kucharzewski
Co-founder and General Manager in Cypherdog Security Inc. – a vendor of solutions for encrypted communication. Przemek has 27 years of experience in building sales channels, marketing, and commercialization of IT solutions. In recent years, he has been focusing on cybersecurity and cloud solutions. In the past, he mainly worked for the largest IT distributors in the CEE region. He worked as Interim Manager for IT system integrators and vendors in advanced solutions selling. He is the author of many articles in the IT & business media, speaker, lecturer, and podcaster.