Who and why is DDoS attacking domains?

Started by wwwmaster@, Oct 04, 2022, 07:50 AM

Previous topic - Next topic

wwwmaster@Topic starter

How do I know who's doing a DDoS attack on my domains and why?
We, - not a legal entity at all, some sites on the domains had 2-3 visitors per day, and a serious attack on our domains is going on.
Why? Who needs it?


If you are hosting, then this hosting is probably under attack, or servers are rented from the hoster, and your domains for the company fall because of this outrage.


You most likely just got hit by a "cool mess" by accident,
because there are a lot of other sites on your hosting site with you,
which are probably the target.


My exotic theories are:
1. Well, since the attack on all domains, rather than specifically one - change ip, perhaps the attacker simply made a mistake and you are not targeted.
2. There were precedents when it's not the most decent, but very greedy hosts entertained to bribe customers for a paid service of additional protection.
P. S. And how serious an attack? How much does free protection on a VPS work? And what makes you think it's a DDOS at all?

wwwmaster@Topic starter

Quote from: _AnnA_ on Oct 04, 2022, 11:53 AMWell, since the attack on all domains, rather than specifically one - change ip, perhaps the attacker simply made a mistake and you are not targeted.
The attack was not on all domains on the VPS, but on 7 of the two dozen. Changing IP will not do anything. The attacker makes requests to sites by domain name, not by host IP.

Quote from: _AnnA_ on Oct 04, 2022, 11:53 AMAnd how serious an attack? How much does free protection on a VPS work? And what makes you think it's a DDOS at all?
I was advised by my hoster to connect the domains under attack to CloudFlare. The attack is very serious, from 5 to 15 thousand requests per hour for some domains. Well, according to CloudFlare.

And I'm not even talking about the traffic CloudFlair helps me save. Without protection, I had 100GB of incoming traffic in 2-3 hours. For incoming traffic hoster asks money (over the limit of tariff). You see, he does some kind of protection against DDOS, and such incoming traffic, it must be paid.
If it were not for claudflair, I would have to pay 15-20 bucks a day.
CloudFlare repels about 90% of hаcker requests.


Quote from: wwwmaster@ on Oct 04, 2022, 12:47 PMThe attack is very serious, from 5 to 15 thousand requests per hour for some domains.
Well, then it's easier: turn on "im under attack" there, if it did not turn on itself, and it's fine, the attack will not reach the server.
Illiterate by domain and attack, and competent hits just on ip, bypassing cloudflare, including. In your case, someone semi-literate :) works. It's possible.


Quote from: wwwmaster@ on Oct 04, 2022, 07:50 AMserious attack on our domains is going on.
What do you mean by "serious attack"? Not the first time I hear about such attacks, when I began to study it turned out that by serious attack meant 100-200 visits to the site per day.  ;)

But, as I understand it, you have an anti-DDos solution, and it works, and it is able to scale. Well, let it work.
If the pressure will be increased, then we will have to think about software firewall or other options.
But I don't think it will.

wwwmaster@Topic starter

Quote from: Ronny on Oct 05, 2022, 05:14 AMyou have an anti-DDos solution
Access logs, they show that requests to sites are hаcked, DDOS.
A huge number of requests to certain pages of sites, but from different ip, with fake user-agents and HTTP referer.
Well, and CloudFlair shows statistics, according to it... since the DDOS attack started, already under 100 million hаcker requests have been blocked.
For now, we will stay with the same host, if anything, we will increase the rate on Cloudflare.
Thank you all for the discussion.


DDoS-what is it?
You should start by understanding the difference between DoS attacks and their derived DDoS.

DoS stands for Denial of Service. An attacker attacks in order to cause a load on the subsystem in which the service runs. The impact is carried out from a single server and is aimed at a specific domain or VM.

Features of DoS attacks:

The traffic flow is started from a single subnet.
Attempts to" put " the site are noticeable by the content of the log file.
Attacks are easily blocked using a brandmauser.
This type of attack has not been special for a long time ??it is dangerous, but requires the installation of specialized programs.

DDoS stands for distributed denial of Service. The fundamental difference from DoS is the use of several hosts at once (more on this below). The difficulty of protecting against this type of attack depends on the number of machines from which traffic is sent.

Features of DDoS attacks:

Multithreaded nature-this approach simplifies the task of blocking a site, since it is almost impossible to quickly weed out all attacking IP addresses.
High invisibility-proper attack construction allows you to disguise its beginning as natural traffic.
Complexity of suppression. The problem is determining when the attack started.
How does a DDoS attack occur?
DDoS is the use of a large number of devices (computers) that are controlled remotely. The attack is carried out by directing false traffic to the target. As a result, it is so busy processing such requests that it does not have the resources and time to work with legitimate traffic. As a result, the system responds to requests very slowly or is completely excluded.

The attack begins with preparation. An attacker (called a ddoes) gains control of a large number of computers by infecting them with a Trojan-type virus. Infected computers are called "zombies". Usually, their owners do not even know that the devices are involved in attacks: unless they can periodically complain about too slow PC operation (or wonder why the internet provider blocks them due to an excessive number of requests).

After infecting a large number of devices, an attacker forms a botnet. This group of" zombies " is controlled remotely and will execute any commands. They are distributed by the main server, which coordinates the work of the botnet. The server reports directly to ddoser.

Why do DDoS attacks occur?
There are several reasons to commit attacks. Here are just a few of them:

Execution of a political order. It is a very common practice in the modern world to attack servers that store data from state portals, registers, and so on.
Competition. The goal is obvious: destroy the company's reputation and redirect the customer stream to another site.
Blackmail. A DDoS attack can be a stage of influencing a large business in order to obtain a ransom.
Revenge and other personal reasons. This is not the only option when individuals can order or perform an attack.
What are the types of DDoS attacks?
There are two groups of DDoS attacks:

Infrastructure-level attacks. The most common ones include such options as SYN-flood, as well as UDP-flood. Attacks are massive and overload the network or servers. Still, they are easier to spot than others.
Application-level attacks. They are less common, but more complex. This is usually how they try to impress the most valuable parts of the app to make it inaccessible to users. Examples include directing a stream of HTTP requests to the authentication page, WordPress Pingback, and other options.
DDoS attacks are distinguished by the types of requests. Here are just a few of them:

HTTP, which is based on the header. The number of headers can be any: the attacking side only gives them the necessary properties. By changing the headers, you can mask the attack;
HTTP (S) GET-request data on the server: file, image, web browser script, or page;
HTTP (S) get-flood-sending a powerful stream of requests to the server in order to 100% take up all its resources;
HTTP (s) POST – placing data in the request body for further processing on the server. The request encodes this information, and only then sends it to the server. This is relevant if you need to transfer large amounts of data;
ICMP flood (FBO Smurf attack). The attacker creates a fake ICMP packet, in which the address of the attacking party changes to the address of the victim. You can implement such a scheme if you have a very large botnet;
sending "heavy packets" to the server – they waste CPU time, leading to a system crash.
How to deal with DDoS attacks?
All options for resisting attacks can be divided into two groups: active and passive. Passive methods include safety methods provided for in advance: prevention and protection. Active options are relevant when an attack is already taking place.

The main method of protection is passive and is aimed at preventing attacks. Prevention is a set of measures. In particular, if possible, it is necessary to avoid inciting hostility among the audience: the content of the resource should not cause disagreements and a desire for revenge. Technical methods of prevention include the use of special hardware and software.

Active and passive protection options include:

filter traffic and block data sent by suspicious devices. You can filter traffic by routing by ACL lists or using firewalls (the latter option is relevant exclusively for protecting private networks);
reverse DDoS-redirects traffic to the attacking side. Suitable for large Server Capacities;
damage monitoring and bug management. However, this method will not save you from flood attacks;
building distributed systems-allows you to leave a resource available to users even if several nodes are blocked due to attacks. Creating a duplicate system - "must-have" for large portals;
installing a monitoring and notification system-it detects an attack in a timely manner and makes it possible to respond effectively to it;
using a security service-a set of filtering mechanisms that prevent an attack (this method is the most expensive of all those listed).
You can effectively resist DDoS attacks only by implementing a set of passive and active measures. However, this still does not give a 100% guarantee of loss of control over the processes.