Ben Franklin | 20 Feb 2017

DDoS is an acronym for "Distributed Denial of Service" and means using a large network of computers (known as bots) to disrupt a target's infrastructure, such as a server or network, so that it can no longer serve its legitimate users. To understand how a DDoS attack works, it's first important to understand how content is served over the internet.

Request and Response

When you, the “client”, type a web address in your browser and hit enter, the browser makes a request to the host of the website, the “server” (there are multiple steps to this request, such as the DNS lookup, which we will come on to in a later blog post). When the server receives the request, it interprets it and sends a response back to the client (e.g. the HTML for the browser to render).

Servers can only handle a finite number of requests at any one time, depending on multiple factors such as the bandwidth available, memory, CPU, geographical location in relation to the client, and many others.

Imagine a juggler. They might be confident juggling 3 balls. 4 at a stretch. 5 is pushing it. 6. 7. Suddenly the balls are all over the floor.

You may have noticed this effect if you have visited a popular website at a time of peak traffic. For example, a half-time advert during the Super Bowl or mega sales on Black Friday are likely to cause a spike in traffic to the website, which can make it less responsive.

One form of DDoS attack exploits this limit and puts the afterburners on. How will the server cope if the number of requests is multiplied by 100, by 1,000, or even by millions? More than likely the server will crumble, costing money in lost revenue and causing much frustration to customers.
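To make the juggler concrete, here is a small discrete-time model of a server with a fixed service rate and a bounded queue, run at normal load and at 100x and 1,000x that load. It is an added illustration, not code from the original post; the capacity, queue size and arrival numbers are constructed assumptions.

```python
"""Bounded-capacity server model: how the share of answered requests
falls as the request rate climbs past what a server can handle.

Added illustration, not code from the original post. The capacity,
queue size and arrival numbers are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Outcome:
    offered: int   # requests that arrived
    served: int    # requests answered
    dropped: int   # requests refused because the queue was full

    @property
    def served_fraction(self) -> float:
        return self.served / self.offered if self.offered else 1.0


def simulate(arrivals_per_tick: int, capacity_per_tick: int,
             queue_limit: int, ticks: int) -> Outcome:
    """Discrete-time model of a server with a fixed service rate.

    Each tick, `arrivals_per_tick` requests arrive. At most `queue_limit`
    requests can wait (a real server's connection backlog or worker
    pool); anything beyond that is refused. The server then answers at
    most `capacity_per_tick` of the waiting requests, the juggler's
    comfortable number of balls.
    """
    queue = offered = served = dropped = 0
    for _ in range(ticks):
        offered += arrivals_per_tick
        accepted = min(arrivals_per_tick, queue_limit - queue)
        dropped += arrivals_per_tick - accepted
        queue += accepted
        done = min(queue, capacity_per_tick)
        served += done
        queue -= done
    # Requests still queued when the run ends are neither served nor
    # dropped; they simply count as not answered in served_fraction.
    return Outcome(offered, served, dropped)


def load_sweep(capacity_per_tick: int = 10, queue_limit: int = 50,
               ticks: int = 100, multipliers=(1, 100, 1000)) -> dict:
    """Outcome at normal load and at 100x and 1000x that load.

    'Normal' load is taken to be exactly the server's capacity, so the
    multipliers match the post's 100, 1,000 and more.
    """
    return {m: simulate(capacity_per_tick * m, capacity_per_tick,
                        queue_limit, ticks)
            for m in multipliers}


if __name__ == "__main__":
    for m, out in load_sweep().items():
        print(f"{m:>5}x load: answered {out.served}/{out.offered} "
              f"({out.served_fraction:.2%}), refused {out.dropped}")
```

The server answers the same 1,000 requests in every run; what changes is the share of arrivals that get an answer, which drops from 100% to 1% and then 0.1%. Since the attack traffic and the real customers compete for the same queue, almost every legitimate request is among the refused ones.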

To date, the largest attack ever seen was against the hosting company OVH and was 1Tbps (source: http://securityaffairs.co/wordpress/51640/cyber-crime/tbps-ddos-attack.html).

So how is it possible for so much request traffic to be created at the same time? The key is in the word distributed.

Attackers assemble a collection of compromised (i.e. infected) machines, known as a botnet (a bit like an army of machines), which is used to flood the target server with traffic en masse. Because the traffic comes from many locations, it is also hard to narrow down the source.

Historically, these machines would be desktops, laptops and servers, but there is now a new set of devices to exploit...

Internet of Things (IoT)

The last decade has seen more and more devices being connected to the internet. Smartphones, watches, CCTV cameras, cars, fridges, central heating; they are all now connected. This is known by the somewhat corny phrase “Internet of Things”.

The problem is that as the number of devices has grown, the standard of security hasn’t kept up. Or rather, the security is in place but isn’t being used properly.

As an example, routers provided for home broadband come with an administration interface requiring authentication. Each manufacturer will use a default username and password combination, such as “admin” and “password”, with the expectation that the user will change them. However, the majority of users never update them, leaving them open for exploitation by bots, which cycle through a list of known manufacturer combinations in an attempt to compromise the device.

Once the hardware is infected, it can be used as part of the overall botnet to perform an attack, with the owner only noticing a slight slowdown in their internet connection.
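The two controls that stop this at the device itself are refusing to keep a factory-default credential in the first place and locking a source address out after a burst of failed logins, so that a bot working through a list of default combinations stalls on the first few. The following is an added example of both, not code from the original post or from any router firmware; the default-credential list, the owner credential and the login attempts are all constructed.

```python
"""Two defensive checks for a device's administration interface:
(1) refuse to keep a factory-default username/password at setup, and
(2) lock a source address out after repeated failed logins, so that a
bot cycling through a list of default combinations stalls quickly.

Added example, not code from the original post or from any router
firmware. The default-credential list and the login attempts below
are constructed; real firmware would carry the vendor's own list.
"""
from collections import defaultdict, deque

# Constructed sample of factory defaults of the kind the post describes.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}


def is_default_credential(username: str, password: str) -> bool:
    """True if the pair is a known factory default (username case-insensitive)."""
    return (username.strip().lower(), password) in KNOWN_DEFAULTS


def setup_errors(username: str, password: str) -> list:
    """Reasons to reject a proposed admin credential at first boot.

    An empty list means the credential is acceptable.
    """
    errors = []
    if is_default_credential(username, password):
        errors.append("matches a factory-default credential")
    if len(password) < 12:
        errors.append("password shorter than 12 characters")
    if password.lower() in {"password", "letmein", "qwerty"}:
        errors.append("password is a common guess")
    return errors


class LoginGuard:
    """Per-source failed-login lockout over a sliding window.

    After `max_failures` failures from one address within `window`
    seconds, that address is refused for `lockout` seconds, whatever
    credential it presents.
    """

    def __init__(self, max_failures=5, window=60.0, lockout=300.0):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # source -> failure timestamps
        self._locked_until = {}              # source -> unlock time

    def allow(self, source: str, now: float) -> bool:
        """Should an attempt from `source` at time `now` be processed at all?"""
        return self._locked_until.get(source, 0.0) <= now

    def record_failure(self, source: str, now: float) -> bool:
        """Record a failed login; return True if this one triggers a lockout."""
        q = self._failures[source]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[source] = now + self.lockout
            q.clear()
            return True
        return False


# Constructed owner credential; a real device stores a salted hash, not this.
OWNER = ("owner", "correct horse battery staple")


def replay(attempts, guard=None) -> dict:
    """Feed (time, source, username, password) attempts through the guard.

    Returns how many attempts were processed, refused by lockout, and
    successful, so the guard's effect is measurable.
    """
    guard = guard or LoginGuard()
    stats = {"processed": 0, "refused": 0, "success": 0}
    for t, src, user, pw in attempts:
        if not guard.allow(src, t):
            stats["refused"] += 1
            continue
        stats["processed"] += 1
        if (user, pw) == OWNER:
            stats["success"] += 1
        else:
            guard.record_failure(src, t)
    return stats


# Constructed attempt log: one address cycles the default list once per
# second, keeps trying after the lockout, then the owner logs in from home.
SAMPLE_ATTEMPTS = (
    [(float(t), "203.0.113.7", u, p)
     for t, (u, p) in enumerate(sorted(KNOWN_DEFAULTS))]
    + [(5.0, "203.0.113.7", "admin", "admin1234"),
       (6.0, "203.0.113.7", "admin", "admin12345")]
    + [(10.0, "192.0.2.20", *OWNER)]
)
```

Running `replay(SAMPLE_ATTEMPTS)` shows the fifth default-credential attempt triggering the lockout, the next two attempts from that address being refused without being checked, and the owner's login from a different address still succeeding. The lockout is keyed on source address rather than on the account so that a bot cannot lock the owner out by hammering the admin username.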

One of the most active bots is Mirai, known to have taken down Amazon and Spotify. As of October 2016, it was known to have infected over 1.2 million devices (source: http://thehackernews.com/2016/10/iot-dyn-ddos-attack.html).

If this sounds a bit Skynet, that’s because it is. They have yet to become (fully) self-aware; instead they are being controlled by malicious hackers.

But why do it in the first place?

Extortion

Sometimes people just want to cause havoc for the “fun” of it. Or to protest for a cause. Or to hurt the brand. Often, it’s just about the money.

But how do you make money from DDoS-ing someone? Answer: blackmail.

One scenario is for attackers to perform a “minor” attack on a site for a short period of time, just to prove they can do it. They then contact the company involved and threaten them with a much bigger and more prolonged attack unless they send payment to some offshore account.

Our advice: never pay up. You have no guarantee that they won’t perform the attack anyway, and it sets a precedent for more and more future blackmail attempts.

Protection

So how do you protect against this kind of attack? On a simple level, you need to block the source IPs of the attack traffic from hitting the server in the first place. This is easier said than done as the IPs aren’t known until the attack actually happens, by which point it is too late.

Hosting companies, such as Rackspace and CloudFlare, offer mitigation services which work in real time. They track traffic over a period of time to learn what “normal” traffic looks like for the destination server. In the event of an attack, the service identifies the traffic that deviates from that baseline and puts a block in place.
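The baseline-then-block idea, and the reason the word "distributed" matters, can be shown with a few lines of Python over access-log lines. This is an added example; it is not the post's code and does not reproduce the logic of any named mitigation service. The log lines are constructed in the common access-log shape, and the thresholds (`k`, `surge`) are assumptions. It compares one crude single-source flood with a distributed one in which every bot individually stays inside the per-source limit.

```python
"""Rate-based mitigation sketch: learn a per-source baseline from a quiet
period of access-log lines, then block sources whose request rate is far
above it and raise an aggregate alarm when the total rate surges.

Added example; it is not the post's code and does not reproduce the
logic of any named mitigation service. The log lines are constructed in
the common access-log shape, and the thresholds (k, surge) are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

LOG_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
START = datetime(2017, 2, 20, 10, 0, 0, tzinfo=timezone.utc)  # constructed


def parse_line(line: str):
    """Return (ip, unix_second) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), int(datetime.strptime(m.group("ts"), TS_FMT).timestamp())


def rates(lines):
    """Requests per second for each source, and in total."""
    per_ip = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec = parsed
            per_ip[ip][sec] += 1
            total[sec] += 1
    return per_ip, total


def learn_baseline(quiet_lines) -> dict:
    """What 'normal' looks like: per-source and total requests per second."""
    per_ip, total = rates(quiet_lines)
    samples = [n for secs in per_ip.values() for n in secs.values()]
    return {"ip_mean": mean(samples), "ip_sd": pstdev(samples),
            "total_mean": mean(total.values())}


def assess(lines, baseline: dict, k: float = 4.0, surge: float = 5.0) -> dict:
    """Block sources far above the per-source baseline; flag an aggregate surge.

    A source is blocked if its busiest second exceeds mean + k*sd (with a
    floor of twice the mean so a near-zero sd cannot block everyone).
    The aggregate alarm fires when total traffic in any second exceeds
    `surge` times the normal total, whether or not any source was blocked.
    """
    per_ip, total = rates(lines)
    limit = max(baseline["ip_mean"] + k * baseline["ip_sd"], 2 * baseline["ip_mean"])
    blocked = sorted(ip for ip, secs in per_ip.items() if max(secs.values()) > limit)
    peak_total = max(total.values())
    return {"blocked": blocked, "peak_total": peak_total,
            "aggregate_alarm": peak_total > surge * baseline["total_mean"]}


def make_lines(traffic):
    """Build constructed log lines from (second_offset, ip) pairs."""
    return [f'{ip} - - [{(START + timedelta(seconds=s)).strftime(TS_FMT)}] '
            f'"GET / HTTP/1.1" 200' for s, ip in traffic]


def normal_traffic(seconds: int = 10):
    """30 ordinary clients making 1 to 3 requests per second (constructed)."""
    return [(s, f"192.0.2.{i}") for s in range(seconds)
            for i in range(30) for _ in range(1 + i % 3)]


def scenarios() -> dict:
    """Compare a single-source flood with a distributed one against the same baseline."""
    baseline = learn_baseline(make_lines(normal_traffic()))
    one_flooder = [(s, "198.51.100.9") for s in range(10) for _ in range(50)]
    botnet = [(s, f"203.0.113.{b}") for s in range(10)
              for b in range(1, 201) for _ in range(3)]   # 200 bots, 3 req/s each
    return {"single": assess(make_lines(normal_traffic() + one_flooder), baseline),
            "distributed": assess(make_lines(normal_traffic() + botnet), baseline)}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The single flooder is blocked outright because its 50 requests per second is far beyond the learned per-source limit. The 200 bots are each indistinguishable from a busy ordinary client, so the per-source rule blocks nobody; only the aggregate alarm reveals that total traffic is eleven times normal. That gap is exactly why a mitigation service must look at more than one feature per client and why, as the next paragraph says, it can never be the whole answer.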

Unfortunately, mitigation services can never be 100% effective, and attacks keep growing in complexity. It is therefore important to have a redundant hosting setup, as described in our previous post on 100% uptime.

If you have experienced any of the above, please get in touch so we can help.

We will be happy to take your call: 0114 279 7779 or email on hello@quba.co.uk