What is DDoS

Started by IdeaPad, Nov 07, 2022, 12:35 AM

Previous topic - Next topic

IdeaPadTopic starter

DDoS attacks. Over the past few weeks, our site has been the target of a fairly strong DDoS attack, which caused us to lose several good customers, many hours of sleep and several dozen nerve cells. To be more precise, as it turned out a little later, the target was one of the client sites hosted on one of our servers.

But, from the very beginning. What is a DDoS attack? By tradition, a free definition in the conditions of my work. DDoS is an attack on a hosting server, the purpose of which is to disable any website or service hosted on the attacked server.
The abbreviation DDoS stands for Distributed Denial of Service (distributed denial of Service). "Distributed" means that the attack is carried out from a large number of computers and other devices that have access to the Network.

Why don't I limit attackers to computers only? In my practice, there have been cases when attackers have been identified as MFPs, for example HP.
This, in fact, is no longer surprising, because almost any modern device has its own OS, a set of protocols in it, a command line and, in general, all the necessary functionality to control the device, both directly from the device itself and remotely.
What is DDoS? IT, Hosting, Informative, DDoS, Gif, Long-post

What happens during such an attack? A certain number of devices (from several dozen to several million) with a certain frequency sends a request to a site. What kind of request? Yes, in general, anyone. For example, if we really talk about a site attack, devices request the main page from this site.

Well, what's so scary about that? There are always references to sites. There is nothing wrong with accessing the site itself. The trouble lies in the number of such appeals. A well-configured hosting server supporting 1200-2500 sites comfortably operates in the range of 0-4000 packets per second. In the case of DDoS, these numbers increase hundreds of times, and the server begins to "slow down" or "die".

I'll try to explain. Imagine that the server is a metro station. There are a number of entrances and exits in the station lobby — these are the communication channels of our server with the Network. In normal mode, the station serves the nth number of incoming passengers (network packets with server requests) per second.
 During peak hours, the number becomes quite large, and a certain number of people gather in front of the entrance to the station. Approximately the same situation when the server is running under heavy load. Now imagine that the station is located next to a sports or concert complex. When the event ended, a huge stream of people poured into the station. The crowd is standing in front of the entrance, the movement is very slow. Everyone is indignant and scolds the authorities.
What is DDoS? IT, Hosting, Informative, DDoS, Gif, Long-post

The comparison is, of course, very crude. But the picture should be about clear. When one of the hosting provider's servers is attacked, at best, only the attacked server stops working normally. In the worst case, all servers using the same network router as the attacked server can "lie down". This can happen if the attack capacity exceeds the capabilities of the communication channel of the entire technical site.

As an example: a few years ago, when I worked for another hosting company, the capacity of one of the attacks was 50 GB/s. At that time, the total bandwidth of all channels of that company was 5 times less, that is, the communication channel allocated by the data center for all servers of this hosting provider was about 10 GB/s. Accordingly, all servers located in that data center became inaccessible from the external network.

How is such an attack carried out? A very rough scheme: there is a certain set of devices that have access to the global network. Computers, smartphones, MFPs, kettles, refrigerators, etc. They are hаcked by an attacker. But the owners of these devices do not know about it and, most likely, will never find out. Such a device is called a "zombie" in the IT sphere.
 A group of such zombie devices is called "bot-net". The virus placed on the device will not give itself away in any way, because otherwise the bot-net will lose a fighter. As soon as the zombie device receives instructions for an attack, it begins to act. As I said earlier, for example, to request the main page of the attacked site.

What does a hosting provider do when one of his servers is hit by DDoS? In most cases, the attacked site is calculated, the owner of which is subsequently sent a denial of service, and the site itself and its domain are forcibly disabled. But the process of calculating the attacked can take several hours. All this time, all other sites hosted on the attacked server will most likely not work. Which causes tons of indignation, screams, complaints and a white-hot phone from the owners of all sites hosted on this server.

How to protect yourself from DDoS? Unfortunately, no way. Of course, there are services that provide protection against such attacks. But they often do not give any guarantees, and few people will be able to protect against attacks with a capacity of more than 1 TB / s (and now attacks are gradually moving to this level) and 80-100 million packets per second.
The web services of such services usually cost quite a lot of money and, accordingly, there is not much point in protecting a site hosted on shared hosting.

The hosting providers themselves still have some protection from the "first wave", when DDoS has not yet gained much momentum, and you can have time to calculate and disable the attacked site. Usually, no one will give you detailed information about the first frontier of the hosting provider, because this guarantees its operability to the frontier itself.

In conclusion, I would like to appeal to those who use any paid hosting. If suddenly your site has stopped working, and to your question "WTF?!" technical support says "Sorry for the inconvenience, we are being attacked", be patient a little.
Believe me, they are doing everything possible to resume the server operation as soon as possible. It's in their best interests.
What is DDoS? IT, Hosting, Informative, DDoS, Gif, Long-post

And I beg you: do not ask "TO WARN ABOUT SUCH THINGS IN ADVANCE." It's like warning you that you're going to catch a cold. Sooner or later this will happen, but in most cases it is simply impossible to predict such a situation.


What does a hosting provider do when one of his servers is hit by DDoS? In most cases, the attacked site is calculated, the owner of which is subsequently sent a denial of service, and the site itself and its domain are forcibly disabled.
Do you even have clients with this policy?

You don't care about the opinion of the victim of the attack and you turned it off. His server does not consume resources.
But the address is still on your network.
The attack is coming to you anyway. Your ten-gig channel still receives 50 gig of traffic. All your 2500 sites are still lying, even though you throw out this traffic on the border.


In most cases, the attacked web site is calculated, the owner of which is subsequently sent a denial of service, and the site itself and its domain are forcibly disabled.
Temporary, I hope? The owner of the site is not to blame that it is being blown.
And another question, how well do antivirus software clean such viruses that turn your computer into zombies? I heard that it is also used to earn bitcoins for the owners of the infection and so on. How to escape from this?


Being a bored intern in an IT company many years ago, I decided to see what load testing is. I put jmeter on, took the first website of my favorite movie theater that came to hand.
According to the training manual, I just wrote a loading test. I set the parameter to 250 users (it's necessary to start with a small load, I thought). Everything on the site began to slow down abruptly, and then he died altogether.
I was very ashamed.
As I understand it, so far many owners of network content do not think about such threats until they encounter them.