Distributed Denial of Service (DDoS) attacks have multiplied in recent months and are breaking new records in terms of the bandwidth they consume. In Luxembourg, attacks of several tens of Gigabytes have been recorded. DDoS attacks are characterized by the use of botnets, networks of “zombie” machines that the attacker controls without their owners’ knowledge. These “zombies” can be computers or connected objects such as webcams.
A company or organization that is not prepared for this type of assault may find itself completely paralyzed for some time, sometimes several days. This results in significant financial loss from the interruption of services and, indirectly, from reputational damage. Cases of “Ransom DDoS” have also been reported: there, the attackers demand a ransom to stop the attack.
Large DDoS attacks have become easier to organize because of the number of unsecured connected objects that are “available” to hackers.
These attacks pose a threat to any organization that has an Internet-connected information system. Therefore, it is better to know how to react if you are the victim of a DDoS attack, and how to prepare yourself to limit its impact.
If you discover that your site is no longer accessible or that it’s slower than usual in loading, you may be the victim of a DDoS attack. That may be the case, but it’s not absolutely certain:
- check that it is not a local connectivity or configuration problem
- check whether other people have the same problem accessing your site and whether other sites are also harder to reach.
When a DDoS attack occurs, you must react quickly. 4 essential steps:
- Contact the provider who built your website or, if it was built internally, the employees who built it, to assess the situation. Also contact your hosting provider.
- Reduce the TTL (Time to Live) of your domain name to 1 hour with your host.
- Move your website to a DDoS mitigation service such as Google’s Project Shield or Cloudflare’s Project Galileo and enter the new DNS settings at your host.
- As soon as you have regained control of the situation, it will be necessary to analyze the incident and put in place preventive measures, or to reinforce the existing mechanisms.
- Consult the CIRCL Digital First Aid Kit for details on what to do.
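The TTL reduction and DNS cutover from the steps above, as an added example (not the article’s or CIRCL’s code): it assumes a simplified one-record-per-line BIND zone file; the domain, addresses and mitigation hostname are constructed placeholders.

```python
import re

# Constructed sample BIND-style zone (one record per line); example.test is a
# placeholder domain and 203.0.113.x is documentation address space.
SAMPLE_ZONE = """\
$TTL 86400
@       86400 IN SOA   ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 86400
@       86400 IN NS    ns1.example.test.
@       86400 IN A     203.0.113.10
www     86400 IN A     203.0.113.10
mail    86400 IN MX    10 mail.example.test.
"""
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")  # name ttl IN type rdata
ONE_HOUR = 3600  # the TTL the article says to set before moving the site

def max_record_ttl(zone: str) -> int:
    """Largest TTL currently published. Resolvers may cache the old answers this
    long, so wait at least this many seconds after step 1 before doing step 2."""
    return max(int(m.group(2)) for m in map(RECORD_RE.match, zone.splitlines()) if m)

def lower_ttls(zone: str, max_ttl: int = ONE_HOUR) -> str:
    """Step 1: clamp $TTL and every per-record TTL to max_ttl (one hour)."""
    out = []
    for line in zone.splitlines():
        m = RECORD_RE.match(line)
        if line.startswith("$TTL"):
            line = f"$TTL {min(int(line.split()[1]), max_ttl)}"
        elif m:
            name, ttl, rtype, rdata = m.groups()
            line = f"{name:<7} {min(int(ttl), max_ttl)} IN {rtype:<5} {rdata}"
        out.append(line)
    return "\n".join(out) + "\n"

def point_to_mitigation(zone: str, web_names: set, cname_target: str, apex_ip: str) -> str:
    """Step 2, only after max_record_ttl() seconds have elapsed: send the web
    hostnames to the mitigation service. Subdomains get a CNAME; the zone apex
    (@) cannot hold a CNAME beside SOA/NS, so it gets the provider's A record."""
    out = []
    for line in zone.splitlines():
        m = RECORD_RE.match(line)
        if m and m.group(1) in web_names and m.group(3) in ("A", "AAAA"):
            name, ttl = m.group(1), m.group(2)
            line = (f"{name:<7} {ttl} IN A     {apex_ip}" if name == "@"
                    else f"{name:<7} {ttl} IN CNAME {cname_target}")
        out.append(line)
    return "\n".join(out) + "\n"
```

Records that are not web hostnames (NS, MX, SOA) are left untouched so that mail and delegation keep working during the move.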
Most hosting companies (whether Luxembourgish or international “giants”) offer “DDoS mitigation” services to filter out illegitimate traffic. The effectiveness of the protection depends essentially on the bandwidth of the host. A big provider like OVH, which has a capacity of 480 Gbps, has already been the victim of very powerful attacks exceeding 1500 Gbps.
On the other hand, if a vendor has to handle several simultaneous DDoS attacks targeting different clients, it will be tempted to arbitrate and defend its biggest customers to the detriment of the others, especially if the attack lasts a long time.
In the short term, increasing bandwidth can be a solution for medium-range attacks, but there will come a time when the bandwidth will be overwhelmed by a very large attack.
Better to Prevent …
The best strategy against DDoS attacks is to set up mirroring of your websites on several remote sites and/or to use another domain where a copy of the site is hosted.
It is also possible to set up a CDN (Content Delivery Network) which duplicates the content of the site on different servers around the world, in order to serve users more efficiently wherever they are geographically.
This distribution of content reduces the burden on a single server and can significantly reduce the impact of a DDoS attack.
Finally, consider the advice of your host. Consult the “support” or “FAQ” section, where you should find advice specific to your particular situation.
To summarize, the 5 elements to take into account to protect against a DDoS attack are the following:
- The choice of the host, who can offer services to counter the different types and techniques of attack. Several techniques are proposed, such as mitigation, which filters out the “illegitimate” traffic that botnets generate, or aspiration, which uses the power of several datacenters to process all the requests so as not to disrupt the website.
- Solutions such as Akamai or Cloudflare distribute your data across multiple servers around the world, allowing permanent access. Intended for sensitive or heavily trafficked sites, they are also based on the principle of decentralization.
- Setting up a mirror site, an exact copy of your website on another domain (for example by also buying the domain in .com or .net). This procedure must of course be carried out upstream. Several WordPress plugins automate this process, including wp-mirror.
- Prepare a light version of the site. Several sites have already deployed lighter versions during periods of high traffic (election results, major events), so that there is a lighter structure to load, thus relieving the bandwidth.
- Set up and prepare a “whitelist” so that, when necessary, access can be restricted to site technicians and administrators only, for example during maintenance operations.
The fight against DDoS is also a societal issue, since botnets are networks of computers and compromised connected objects that would not be compromised if they were better protected from their design stage and better maintained and monitored afterwards.