How to detect a DDoS attack?

Started by arthyk, Nov 18, 2022, 06:17 AM


arthyk (Topic starter)

If you do not have sufficient experience and do not have the skills to work with specialized software, it is not so easy to determine that your site has undergone a DDoS attack. But some signs point to a high probability of this.
Sometimes purposeful DDoS attacks can be confused with an avalanche of visitors, in which case the site may even stop functioning normally, as in the case of DDoS.
Then you need to immediately think - what specifically caused this increase in attendance? Have there been any advertising campaigns? Or maybe you posted a link to your site on popular resources? If none of that happened, then you should be wary.
Be that as it may, if you observe a significant slowdown of the server, and the access logs contain many requests of the same type from client IP addresses, this is most likely a DDoS. Moreover, in this case the requests come from the same set of addresses. The count can reach tens of thousands, especially in the case of a large-scale attack.
An experienced specialist, as a rule, without much effort, can confirm the presence of malefactors' actions, not only by the number of packets of a certain type, but also by analyzing traffic to identify the geographical aspect of the attack.
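The log check described in the post above (many requests of the same type from the same set of addresses), as an added example that is not part of the original post. It parses constructed Common Log Format lines, counts identical request lines per client IP, and reports the clients that repeat the same request more than a threshold; the addresses, paths and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Common Log Format (not real traffic): two clients repeat
# the exact same request dozens of times, a third browses normally.
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [18/Nov/2022:06:17:%02d +0000] "GET /catalog?page=1 HTTP/1.1" 200 512' % s
     for s in range(0, 40)]
    + ['198.51.100.7 - - [18/Nov/2022:06:17:%02d +0000] "GET /catalog?page=1 HTTP/1.1" 200 512' % s
       for s in range(0, 35)]
    + ['192.0.2.25 - - [18/Nov/2022:06:17:%02d +0000] "GET /product/%d HTTP/1.1" 200 900' % (s, s)
       for s in range(0, 6)]
)

# ip, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def parse(lines):
    """Yield (ip, request_line) for each well-formed log line; skip garbage."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req")

def find_repeaters(log_text, threshold):
    """Return {ip: (request_line, count)} for clients that sent the same
    request line at least `threshold` times, most active client first."""
    counts = Counter(parse(log_text.splitlines()))
    hits = {ip: (req, n) for (ip, req), n in counts.items() if n >= threshold}
    return dict(sorted(hits.items(), key=lambda kv: -kv[1][1]))

def repeater_share(log_text, threshold):
    """Fraction of all requests in the log that come from flagged repeaters."""
    total = sum(1 for _ in parse(log_text.splitlines()))
    flagged = sum(n for _, n in find_repeaters(log_text, threshold).values())
    return flagged / total if total else 0.0

if __name__ == "__main__":
    for ip, (req, n) in find_repeaters(SAMPLE_LOG, 30).items():
        print(f"{ip}: {n} x {req}")
    print(f"share of traffic from repeaters: {repeater_share(SAMPLE_LOG, 30):.0%}")
```

The threshold and window must come from your own baseline; a popular page legitimately receives many identical requests, so the per-IP concentration is the signal, not the raw count.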


Signs of a DDoS attack:
increased network load;
the volume of traffic to the connection ports has increased;
the site is slow or gives errors 502, 503, 504;
the load on the processor and RAM increases dramatically;
the number of requests to databases or other internal services is increasing;
there are multiple user requests to the same files or pages of the site;
user requests do not correspond to the subject of the web resource (for example, a cycling goods store in Tver suddenly receives massive traffic from all over the world).

Methods for detecting DDoS attacks:
One of the key principles of combating cyber attacks is traffic monitoring. Regular monitoring and analytics will help to detect anomalies in a timely manner and take decisive steps to protect against malicious activity. Next, let's take a closer look at several methods of detecting cyber attacks with a description of the functionality of each.

1. Systematic analysis of web resource traffic

The analysis can be performed in two ways: independently, if you have the technical knowledge, or by connecting automatic systems such as a firewall.

The firewall will monitor and filter traffic. Firewall logs allow you to identify atypical spikes in traffic and find out if there is an attack on a web resource.

2. Monitoring response time

In the early stages, the attack is quite difficult to detect, since the site slowdown is barely noticeable. We recommend regularly analyzing the state of the site to find out what response time is normal. Deviations from this indicator may be associated with a DDoS attack.

To detect early slowdowns and prevent server overload, you will need a service with a response time monitoring function. There are many services with this functionality on the market — choose based on your tasks and budget.

3. Setting up automatic attack notification

After you determine which traffic pattern is normal for your web resource, you can use third-party services to notify about anomalies. Alerts can come in the form of SMS, email, corporate messenger messages and other ways. 

In the DDoS-Guard personal account, you can configure alerts about attacks via Telegram on the control panel of the network protection service. SMS notification settings (Premium and Enterprise tariff) are available for users of the site protection service.

4. A comprehensive approach to detecting DDoS attacks

It is most effective to use all the methods listed above. Different monitoring models will allow detecting suspicious activity as early as possible, which means increasing the chances of coping with it. Combine manual and automatic monitoring, connect an attack alert system and constantly analyze the traffic of a web resource.

How to stop a DDoS attack yourself
It is important to note that all the methods listed below will help mitigate small attacks, but they will not guarantee full protection. It is also worth considering that carrying out preventive measures requires specialized knowledge.

3 tips from DDoS-Guard experts that will help increase resistance to cyber attacks:
1. Cache your content

Caching is the process of saving data. Thanks to this, site pages open quickly, the performance of the web resource improves, and access to the most frequently requested data becomes easier. Caching allows you to avoid unnecessary calls to external or internal services and databases, which mitigates the impact of DDoS attacks. Imagine a strong stream of water aimed purposefully at one point: the force of its impact will be high. But if you divide it among several dozen targets, the power will be different. Thanks to caching, traffic is distributed to several "points of presence", thereby reducing the load on your site.

2. Set the Rate Limiter

This is a useful algorithm to limit the load on any content that may be attacked. To use it, you will need technical knowledge and skills. If you do not have them, you should delegate the task to an information security specialist. Against DDoS attacks, this algorithm will be useful by limiting the number of incoming requests to a web resource to standard user values, as well as smoothing out traffic spikes.

3. Perform a frequency analysis based on past attacks

If you already have a data slice created from past attacks, use it to discover new ones. To do this, compare incoming traffic with the existing snapshot of past attacks to identify similarities or differences. For example, you noticed that the attacker's user agent is python-requests (the user agent is the identification string of the client application). Add an additional check to the analysis to search for such a user agent. When you get such a request, give it a 403 status — this is the standard HTTP response code that prohibits access to the requested resource. This way you will close your site to unwanted visitors.
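Tips 2 and 3 above combined into one edge-side decision, as an added example that is not part of the original post or of DDoS-Guard's own tooling. The sliding-window limiter and the `decide` function are assumptions for illustration; the user-agent signature is the one the post mentions, and answering a rate-limited client with 429 (Too Many Requests) is a choice made here, since the post only specifies 403 for the signature match.

```python
from collections import defaultdict, deque

# Signature learned from a past attack, as tip 3 describes (value taken from the post).
BLOCKED_USER_AGENTS = ("python-requests",)

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client within any `window` seconds (tip 2)."""
    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # client ip -> timestamps of recent requests

    def allow(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # forget requests that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def decide(limiter, ip, user_agent, now):
    """Return the HTTP status to answer with: 403 for a user agent matching a known
    attack signature (tip 3), 429 when the client exceeds the rate limit (tip 2),
    200 otherwise. Signature check runs first so known bots never consume budget."""
    ua = (user_agent or "").lower()
    if any(sig in ua for sig in BLOCKED_USER_AGENTS):
        return 403
    if not limiter.allow(ip, now):
        return 429
    return 200

def simulate():
    """Constructed scenario: one client sends 25 requests within one second against
    a limit of 20 per 10 seconds; another client uses the flagged user agent."""
    limiter = SlidingWindowLimiter(limit=20, window=10.0)
    burst = [decide(limiter, "203.0.113.10", "Mozilla/5.0", 1000.0 + i * 0.04) for i in range(25)]
    bot = decide(limiter, "198.51.100.7", "python-requests/2.28.1", 1001.0)
    later = decide(limiter, "203.0.113.10", "Mozilla/5.0", 1011.0)   # burst has left the window
    return burst, bot, later

if __name__ == "__main__":
    burst, bot, later = simulate()
    print("burst:", burst.count(200), "allowed,", burst.count(429), "limited")
    print("flagged user agent:", bot, "| same client 10 s later:", later)
```

Set the limit from the normal per-user request rate you measured in your baseline, and keep the limiter state on the edge (reverse proxy or protection service) rather than in the application, so rejected requests never reach the backend.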