
Ways to protect your server from DDoS attacks

16 February 2024

In this article we will consider various types of DDoS attacks, as well as the main ways to counter them.

Today, DDoS attacks can become a serious problem for the operation of servers and the security of the entire IT infrastructure.

We recommend that you familiarize yourself with this information about DDoS: it is useful whatever your field of activity, as it can help you prepare for such attacks.

DDoS attacks and their purpose

A DDoS (Distributed Denial of Service) attack is one in which attackers interrupt the operation of an application, site or target server by flooding it with a huge volume of traffic from many sources.

The excessive traffic overloads the server, which can no longer process requests in time and stops responding, so legitimate users are denied service. There are many motives for such cyberattacks: personal grudges, financial gain, cyber vandalism.

One of the main ways to launch such attacks is to build a botnet, a network of compromised computers. Even though the devices in the network are not directly connected to each other, they are all controlled by one operator. A botnet can contain a huge number of computers, each of which sends network requests; together they overload the attacked device and cause it to fail.

How DDoS attacks work

Botnets consist of a large number of compromised systems. Attackers control them remotely and direct their traffic at the target. Modern DDoS attacks range from simple direct attacks to complex multi-vector strategies. A multi-vector attack can simultaneously target different layers of the OSI network model, which makes it harder to detect the attack and to eliminate it and its consequences.

Classification of DDoS attacks

Low-level attacks

These attacks affect the network (L3) and transport (L4) layers. The attacker's goal is to exhaust the network's bandwidth and resources by overloading it with a large volume of traffic. The main types of low-level attacks are described below:

  • DNS Amplification – abusing public DNS servers to multiply traffic through large DNS responses;
  • UDP Flood – overloading random ports on the device with UDP packets;
  • NTP Amplification – abusing public NTP servers to flood the target with UDP traffic;
  • ICMP Flood (Ping Flood) – flooding the device with ICMP Echo Request packets;
  • SYN Flood – consuming server resources with TCP SYN packets.

As an example, let's consider a situation in which an online store is targeted by a SYN Flood attack. Attackers send a large number of SYN packets to the store's servers, rapidly consuming the resources the servers set aside for establishing TCP connections. The servers are thus overloaded with fictitious connection requests, and real customers cannot fully load the pages they need. Ultimately, this reduces the store's income.

High-level attacks

These attacks affect the application layer (L7). HTTP requests are one of the main tools of high-level attacks: attackers overload the server with such requests, which causes page loading to fail. Because this traffic closely resembles legitimate web traffic, it is harder to identify and filter. The most common types of high-level attacks are listed below:

  • Zero-day DDoS – exploiting previously unknown vulnerabilities in servers or web apps;
  • HTTP Flood – sending a large number of HTTP requests to overload an application or web server;
  • SSL Exhaustion – initiating many SSL/TLS connection handshakes to overload the device;
  • Slowloris – opening a large number of slow HTTP connections to tie up server resources.

As an example, we will consider the impact of a high-level HTTP Flood attack on a news portal. In this situation, a botnet is used to send a large number of HTTP requests to a web server. These requests may be directed at resource-intensive pages, or at site features such as search forms. Because the server is overloaded, users cannot fully view news or leave comments on the site.

The main purpose of low-level attacks is to disrupt the correct functioning of individual network components, while high-level attacks target specific functions and applications. This is the main difference between these two types of attacks.

What do DDoS attacks lead to?

DDoS attacks can become a serious problem, as they disrupt the stable operation of equipment and endanger data security, which in turn threatens the business reputation of any organization.

Objects of DDoS attacks

Organizations in certain industries are more likely than others to be targeted by cyberattacks because of their dependence on digital and online services. They include:

  • government and financial institutions,
  • e-commerce platforms,
  • online gaming services,
  • medical organizations.

The uninterrupted operation of online services is extremely important for such organizations, and any failure can cause serious problems.

Damage from DDoS attacks

Extortion. DDoS attacks can be accompanied by threats from attackers to encrypt or disclose confidential information.

Data leak. DDoS attacks can be used as a distraction for the IT team, which will be focused on detecting and eliminating the attack. During this time, cybercriminals can obtain confidential data. This can lead to serious problems.

Reputational damage. DDoS can undermine the credibility of the organization, cause the organization to lose customers, partners, and sponsors, and cause significant brand damage.

Financial damage. Countering DDoS attacks and restoring server operation requires both direct and indirect costs. Indirect financial costs include compensation to clients and much more.

Technical support service

In case of disruption of the platform operation caused by a DDoS attack, users send a large number of requests to the technical support of the hosting provider. Due to the huge flow of requests, the time to resolve each of them increases. Another challenge that technical support faces is distinguishing between regular technical problems and problems caused by DDoS attacks.

Ways to protect against DDoS attacks

Firewall setup

Firewalls are among the most important components of DDoS protection: to counter DDoS attacks, they can be configured to detect and block unauthorized traffic.

Spam prevention

Anti-spam measures involve deploying a CAPTCHA to check whether the user is real or a bot, as well as an email verification system to prevent spam bots from registering. These measures also include limiting the number of login attempts.

Configuring traffic filtering

This method involves detailed inspection of incoming traffic by deploying network solutions that determine whether the traffic comes from a legitimate user or is part of a DDoS attack. These systems detect and block illegitimate traffic based on a variety of criteria, including request frequency, source IP address and packet integrity. This method protects the server from cyberattacks in real time, and also helps to understand the pattern of their occurrence and prevent future attacks.
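The request-frequency criterion described above, as an added example that is not part of the original article: a small detector that parses access log lines in the combined log format, counts requests per source IP over a sliding time window, and flags sources that exceed a threshold together with the path they hit most (the search-form pattern from the HTTP Flood example earlier on the page). The log lines, threshold and window size are constructed for illustration; the flagged sources would then be fed to whatever blocking mechanism is in use (a firewall rule, a rate limiter, or an Nginx `deny`).

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Combined log format as written by Nginx/Apache: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation addresses, not real traffic):
# 203.0.113.7 fires 8 search requests in 7 seconds; the other two sources browse at a human pace.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2024:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.20 - - [16/Feb/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2024:10:00:01 +0000] "GET /search?q=b HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [16/Feb/2024:10:00:02 +0000] "GET /search?q=c HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [16/Feb/2024:10:00:03 +0000] "GET /search?q=d HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.9 - - [16/Feb/2024:10:00:03 +0000] "GET /news/1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Feb/2024:10:00:04 +0000] "GET /search?q=e HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [16/Feb/2024:10:00:05 +0000] "GET /search?q=f HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [16/Feb/2024:10:00:06 +0000] "GET /search?q=g HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [16/Feb/2024:10:00:07 +0000] "GET /search?q=h HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.20 - - [16/Feb/2024:10:00:15 +0000] "GET /news/2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Feb/2024:10:00:20 +0000] "GET /news/3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Feb/2024:10:00:29 +0000] "POST /comments HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [16/Feb/2024:10:00:40 +0000] "GET /news/4 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_log(log_text):
    """Group (timestamp, path) pairs by source IP, skipping lines that do not parse."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, never allowed to crash the detector
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # drop the query string so /search?q=a and /search?q=b count as one path
        events[m["ip"]].append((ts, path))
    return events


def detect_floods(log_text, window_seconds=10, max_requests=5):
    """Return {ip: {"peak": n, "top_path": p}} for every source that sent more than
    max_requests requests inside any window_seconds-long sliding window."""
    flagged = {}
    for ip, reqs in parse_log(log_text).items():
        reqs.sort()  # logs are normally chronological, but sort to be safe
        window = deque()
        peak = 0
        for ts, _ in reqs:
            window.append(ts)
            # evict requests that fell out of the window ending at this request
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_requests:
            top_path = Counter(p for _, p in reqs).most_common(1)[0][0]
            flagged[ip] = {"peak": peak, "top_path": top_path}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_floods(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak']} requests in 10 s, mostly {info['top_path']}")
```

The threshold is deliberately low here so the constructed sample triggers; on a real site it should be set from the observed per-client rate of normal traffic, and a very low value would start blocking legitimate users behind a shared NAT address.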

Using a CDN

A CDN (Content Delivery Network) is a network of distributed servers whose main task is to deliver web content to users according to their geographical location. A CDN is designed to improve speed and efficiency by caching content close to the end user, which also reduces the load on the origin server.

By distributing web content over a global network of servers, the amount of traffic per server is reduced. It is also worth noting that many CDNs provide built-in DDoS protection features. These features include:

  • algorithms for detecting suspicious traffic,
  • automatic traffic redirection,
  • absorbing and dispersing a large flow of traffic.

DNS Setup

Clearing the cache. This procedure allows you to store information about IP addresses within the network and reduces the load on the DNS server for each request. Clearing the DNS cache makes it possible to reduce the waiting time for a response to user requests.

Response Rate Limiting (RRL). This is a technique designed to defend against DDoS attacks, especially DNS amplification attacks. RRL is widely used in DNS servers and works by limiting the number of responses the DNS server sends over a given period of time.

A DNS amplification attack is a type of DDoS attack in which attackers abuse public DNS servers to overwhelm the target with a large amount of traffic. The attacker sends DNS queries with the victim's IP address as the source, so the DNS server delivers its (much larger) responses to a victim that never requested them.
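How RRL blunts the amplification described above, as an added example that is not part of the original article: a simplified response rate limiter in the style of BIND's `rate-limit` options (responses per second, a `slip` value, and an IPv4 prefix length for grouping clients), written here as illustration rather than taken from any DNS server's code. The simulated burst of spoofed queries, the addresses and the limits are constructed. It shows that once a (netblock, name) pair exceeds its budget, the server sends only a small, truncated response to every `slip`-th excess query and drops the rest, so the reflected traffic toward the spoofed victim collapses while an unrelated resolver is unaffected.

```python
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    """Simplified DNS Response Rate Limiting (illustration modelled on BIND's
    rate-limit block, not BIND's own implementation).

    Responses are budgeted per (one-second window, client netblock, query name).
    Over budget, every `slip`-th excess query gets a truncated (TC=1) answer so
    that a real client in that netblock can retry over TCP, which an attacker
    spoofing a source address cannot complete; the other excess queries are dropped.
    """

    FULL, TRUNCATED, DROPPED = "full", "truncated", "dropped"

    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix = ipv4_prefix_length
        self.sent = defaultdict(int)        # key -> full responses sent in this window
        self.excess = defaultdict(int)      # key -> excess queries seen in this window

    def _key(self, client_ip, qname, now):
        # Group clients by netblock: a spoofed victim address lands in one bucket
        # even if the attacker varies the low bits.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (int(now), str(net), qname.lower().rstrip("."))

    def decide(self, client_ip, qname, now):
        """Return FULL, TRUNCATED or DROPPED for a query arriving at time `now` (seconds)."""
        key = self._key(client_ip, qname, now)
        if self.sent[key] < self.rps:
            self.sent[key] += 1
            return self.FULL
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return self.TRUNCATED   # tiny response, no amplification
        return self.DROPPED         # no response at all


def simulate_amplification_burst(queries_per_second=100, seconds=1):
    """Constructed scenario: an attacker sends queries for example.com with the
    victim's address 203.0.113.7 as the spoofed source; a legitimate resolver at
    198.51.100.53 asks the same name once. Returns a tally of the limiter's decisions."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    tally = Counter()
    for sec in range(seconds):
        for i in range(queries_per_second):
            now = sec + i / queries_per_second
            tally[rrl.decide("203.0.113.7", "example.com", now)] += 1
    # The resolver in another netblock has its own budget and is answered in full.
    tally["legit_" + rrl.decide("198.51.100.53", "example.com", 0.5)] += 1
    return dict(tally)


if __name__ == "__main__":
    for decision, count in sorted(simulate_amplification_burst().items()):
        print(f"{decision:>16}: {count}")
```

With the constructed limits, 100 spoofed queries in one second yield 5 full answers, 47 truncated ones and 48 drops, so the victim receives a handful of small packets instead of 100 amplified responses. Real deployments tune `responses-per-second` and `slip` per server and may also exempt known recursive resolvers from the limit.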

Special services

There are commercial services dedicated to DDoS prevention. These services offer comprehensive protection against various types of cyberattacks using the following methods:

  • rate limiting,
  • advanced traffic filtering,
  • botnet detection,
  • automatic response mechanisms.

Regional blocking

This method limits or blocks traffic from the regions that are the most frequent sources of DDoS attacks, using network configuration settings or firewall rules.

Code 444

In Nginx configuration, returning code 444 instructs the server to close the connection without sending any headers or response body. The main advantage of this method is the minimal amount of resources spent on processing illegitimate requests.

Neural network

The neural network method uses artificial intelligence to analyze traffic and detect possible DDoS attacks. This approach makes it possible to respond to potential threats in a timely manner.

Using the Testcookie module

The Testcookie module is a complex tool whose main function is to analyze incoming connections using a JavaScript test. Such a test makes it possible to determine whether the traffic comes from a real user or from a bot. Fast and effective blocking of requests from automated botnets is the main advantage of this module.

Prevention of DDoS attacks

  • Analysis and diagnostics of the entire IT infrastructure

    First, it is recommended to analyze the network architecture, identify the security measures in place and determine the capacity of the servers as well. Thus, at the first stage, the weaknesses of the IT infrastructure can be identified and eliminated.

  • Preparing backup resources

    Continuous operation of servers, even during a DDoS attack, can be ensured by provisioning backup servers and network routes. If the main system fails, backup resources keep a wide range of services accessible and can take over the traffic load.

  • Minimizing the attack zone

    To reduce the attack area, it is necessary to limit the access points that can be used by attackers. This can be done by the following operations:

    • closing unused ports,
    • disabling unnecessary services,
    • strict access control.

    Thus, the fewer vulnerable points in the network, the harder it is for attackers to gain access to it.

  • Monitoring setup

    Possible DDoS attacks can be detected in advance by continuously monitoring platform performance and network traffic. Implemented monitoring tools that analyze traffic and signal suspicious activity play an important role in timely response and prevention of cyberattacks.

  • Selecting the most suitable configuration

    Protection against DDoS attacks can also be enhanced by configuring security systems and network configurations, taking into account the company's needs. Network configuration involves installing systems to detect and block malicious traffic. Examples include configuring firewalls, intrusion detection systems, etc.

Stages of DDoS prevention in data centers

  • Attack detection

    Powerful monitoring systems are required in data centers. Such systems analyze all traffic for signs of an attack. Prompt detection of such anomalies is necessary for a timely response.

  • Traffic redirection

    When a DDoS attack is detected, it is very important to effectively manage incoming traffic. The main task here is to redirect traffic from the main target to distributed networks or specialized filtering systems using DNS or CDN. Using these methods provides the ability to "disperse" the attack in a wider network, limiting its impact on the attacked device or IT infrastructure as a whole.

  • Traffic filtering

    This step involves implementing filtering mechanisms that separate legitimate traffic from attack traffic. Pattern-recognition algorithms and techniques for identifying and blocking malicious packets are used here.

  • Attack Analysis

    After the consequences of the attack have been eliminated, it is necessary to determine its "nature" and its source. It is recommended to study traffic patterns, logs and attack vectors. This information will be useful for timely prevention of future attacks.