Every DDoS attack aims to destabilize a server's infrastructure and take it down. Attackers use many different techniques and keep finding ways to overload an internet resource or web application so that it becomes unavailable to ordinary users. At that moment the business starts losing money, and even the most popular websites stop working.
Let us discuss how criminals carry out DDoS attacks and how administrators and developers can resist them.
The different types of DDoS attacks map onto the OSI network model, which consists of seven layers. An attacker can pick any one of them as the primary target for attacking a server.
Here are all the OSI layers:
L7 — application. At this layer, attackers target the mechanisms that let applications talk to network entities. For example, L7 is often used to attack websites with HTTP requests.
L6 — presentation. When attackers try to compromise compression protocols or data-encryption components, you can confidently speak of an L6 attack. This layer includes sending fake SSL certificates to a server, a procedure that can consume a lot of resources.
L5 — session. An attack that compromises input/output protocols, making the internet resource inaccessible to users.
L4 — transport. L4 attacks target the TCP and UDP protocols. Attackers start a data transfer and then interrupt it before it finishes, so the attacked server is stuck in a kind of standby mode and loses the ability to receive legitimate requests.
L3 — network. At this layer attackers target the IP, ICMP, ARP, and RIP protocols. Such attacks usually result in dramatically reduced bandwidth.
L2 — data link. Here attackers try to overload network switches with an excessive amount of data.
L1 — physical. This method essentially means destroying hardware, disconnecting servers by cutting cables, and so on.
Administrators and developers mostly have to deal with layers 3, 4, and 7.
Attacks at layers three and four are usually called 'infrastructural'. They rely on transferring a large volume of data, also known as a 'flood' (generating and sending an excessive quantity of data). The flood is meant to 'clog' the network channel so the web server works more slowly than usual, and ordinary users run into problems while interacting with the website or application.
At the seventh layer, attackers use specific components of the server infrastructure. They use malware to generate malicious traffic that hardly differs from legitimate traffic. These attacks are extremely effective because criminals can exploit simple techniques such as trying to log in to the web resource with a large number of fake usernames and passwords.
The problem is distinguishing between a real user who forgot their password and is trying to guess it and an attacker who has decided to disrupt your resource's normal operation by sending thousands of fake requests.
The methods used vary depending on the network layer the attackers choose and on their imagination. Here are some popular techniques.
We have already touched on application-level attacks above and seen what their main strength is: cybercriminals behave like typical users, but on an extremely large scale. For example, they open a huge number of connections and keep them alive until the server times them out. Meanwhile, users cannot access the attacked resource.
Attackers often use POST requests to overload the server. One way to degrade server performance is to send the request body as slowly as possible. When the server refuses the connection, the attackers open a new one, and the server has to answer because the HTTP request headers are valid, even though hardware resources and bandwidth are used inefficiently. Sometimes attackers do the reverse: they build a tool that sends HTTP requests at normal speed but 'reads' the responses unexpectedly slowly.
The third method is sending data encoded as XML. When such data reaches the server, it takes up much more space there and ends up filling the memory.
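As an added example (not code from the original article), here is a small Python analyzer that looks for three of the application-level patterns described above in web server logs: one source sending far too many requests in a short span, one source repeatedly failing to log in with fake credentials, and a POST whose tiny body took an unusually long time to arrive (slow POST). The log format, sample lines and thresholds are all constructed for the illustration; a real deployment would read the actual access log and tune the limits per service.

```python
import re
from collections import defaultdict
# Constructed sample log (not real traffic), one request per line:
# ip  epoch_secs  method  path  status  request_time_secs  request_length_bytes
SAMPLE_LOG = """\
203.0.113.5 1000 GET /index.html 200 0.010 320
203.0.113.5 1000 GET /search?q=a 200 0.450 340
203.0.113.5 1001 GET /search?q=b 200 0.470 340
203.0.113.5 1001 GET /search?q=c 200 0.480 340
203.0.113.5 1001 GET /search?q=d 200 0.460 340
198.51.100.7 1000 POST /login 401 0.020 410
198.51.100.7 1000 POST /login 401 0.020 410
198.51.100.7 1001 POST /login 401 0.020 410
198.51.100.7 1001 POST /login 401 0.020 410
198.51.100.7 1002 POST /login 401 0.020 410
192.0.2.9 1000 POST /upload 408 29.900 95
192.0.2.44 1005 POST /login 401 0.020 410
"""
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3}) ([\d.]+) (\d+)$")
def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ts, method, path, status, rtime, rlen = m.groups()
        rows.append(dict(ip=ip, ts=int(ts), method=method, path=path,
                         status=int(status), rtime=float(rtime), rlen=int(rlen)))
    return rows

def analyze(rows, rate_limit=4, window=2, login_fail_limit=5, slow_body_secs=10.0):
    """Map each suspicious IP to the set of reasons it was flagged (thresholds are illustrative)."""
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    findings = defaultdict(set)
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window: more than rate_limit requests within `window` seconds
        for end, r in enumerate(reqs):
            while r["ts"] - reqs[start]["ts"] >= window:
                start += 1
            if end - start + 1 > rate_limit:
                findings[ip].add("http-flood")
        # Many failed logins from one source: fake username/password guessing.
        if sum(r["path"] == "/login" and r["status"] == 401 for r in reqs) >= login_fail_limit:
            findings[ip].add("login-abuse")
        # Slow POST: a tiny body that took a very long time to arrive.
        if any(r["method"] == "POST" and r["rtime"] >= slow_body_secs and r["rlen"] < 200
               for r in reqs):
            findings[ip].add("slow-post")
    return dict(findings)
```

Running `analyze(parse(SAMPLE_LOG))` flags each of the three sample sources for a different reason and leaves the single failed login from 192.0.2.44 alone, which is the distinction between a forgetful user and an attacker that the text describes.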
If attackers choose a protocol-level DDoS attack, they will do whatever it takes to fill the server's network channel with malicious packets so the server has no chance to receive and process requests from real users.
A SYN flood is a common example of such attacks. The server receives a packet, sends a response to the sender, and waits for the next one, but nothing arrives. Attackers generate a large number of such incomplete requests, and the whole process ends with the server malfunctioning.
Another way to carry out a similar attack is fragmentation. Criminals send packets split into small fragments; while in transit to the server these packets get shuffled and break the attacked resource.
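The SYN flood described above leaves the server with many handshakes stuck half-open, which an administrator can see in the socket table. As an added example (not from the original article), the Python below parses text modelled on `ss -tan` output and reports, per local port, how many connections are waiting in SYN-RECV compared with established ones; the sample socket table and the thresholds are constructed for the illustration.

```python
from collections import Counter

# Constructed sample modelled on `ss -tan` output (not captured from a real host).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        203.0.113.20:51234
ESTAB     0      0      10.0.0.5:443        203.0.113.21:44120
SYN-RECV  0      0      10.0.0.5:443        198.51.100.1:1025
SYN-RECV  0      0      10.0.0.5:443        198.51.100.2:1025
SYN-RECV  0      0      10.0.0.5:443        198.51.100.3:1025
SYN-RECV  0      0      10.0.0.5:443        198.51.100.4:1025
SYN-RECV  0      0      10.0.0.5:443        198.51.100.5:1025
SYN-RECV  0      0      10.0.0.5:443        198.51.100.6:1025
SYN-RECV  0      0      10.0.0.5:80         192.0.2.77:40001
LISTEN    0      128    0.0.0.0:443         0.0.0.0:*
"""

def parse_ss(text):
    """Return (state, local_port, peer_ip) tuples; the header line is skipped."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        conns.append((state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]))
    return conns

def syn_flood_report(conns, max_half_open=5, max_ratio=1.0):
    """Per local port: half-open (SYN-RECV) vs established counts and a verdict."""
    half_open, established = Counter(), Counter()
    for state, port, _peer in conns:
        if state == "SYN-RECV":
            half_open[port] += 1
        elif state == "ESTAB":
            established[port] += 1
    report = {}
    for port in set(half_open) | set(established):
        h, e = half_open[port], established[port]
        # Many handshakes stuck at SYN-RECV compared with completed ones is the
        # SYN flood signature; thresholds are illustrative, tune them per service.
        suspicious = h > max_half_open or (e > 0 and h / e > max_ratio)
        report[port] = {"half_open": h, "established": e, "suspicious": suspicious}
    return report

def half_open_peers(conns):
    """Source addresses of half-open handshakes, most frequent first (often spoofed)."""
    return Counter(peer for state, _port, peer in conns if state == "SYN-RECV").most_common()
```

On a Linux host the same functions can be fed the real output of `ss -tan`; enabling SYN cookies (`net.ipv4.tcp_syncookies`) is the usual kernel-side mitigation once the half-open queue starts filling.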
A separate category of attacks can be carried out at either the application level or the infrastructure level. Such attacks create conditions in which the server cannot process requests from real users.
For example, attackers can generate an immoderate number of HTTP requests and send them to the server simultaneously. These requests can also be crafted so that they hit the heaviest parts of the resource, making the server's responses unwieldy.
There is more. Attackers can send ICMP packets from many different IP addresses. Each packet makes the server check its status, but the requests are fake, so nothing happens besides overloading.
A UDP flood is quite similar: a lot of useless requests are generated, each of which demands a large piece of data in reply. While handling such requests, a website or web application becomes unavailable to ordinary users.
The question is how to deal with such attacks. The number of DDoS attacks grows from year to year.
There are simple Linux utilities that help prevent DDoS attacks and are easy to learn and use. The problem is that these days attackers organize large-scale attacks more often than before, and it is almost impossible to cope with them alone, whether the target is a small online shop or an international corporation.
Is there a workaround? You have to strengthen your server's protection layer using all available methods. One way to achieve a reasonable level of protection is to use a fully featured, comprehensive DDoS protection service. It effectively helps eliminate most L3, L4, and L7 attacks.
This feature can be enabled even if your server is already under attack. It gives you:
Fault tolerance during DDoS attacks of different types.
Traffic filtering.
Nodes that act as traffic filters around the globe.
Quick setup within an hour.
One more option is available on Hostman.com: you can use a proxy to protect your server from DDoS attacks. Additional proxy servers help your users get the data they need at a reasonable speed even while the main server is under attack and administrators are working hard to stop the ongoing onslaught.