2020/07/02 11:51:45

Protection against DDoS attacks

Any organization can become the victim of a DDoS attack. To restore availability quickly, some companies would rather pay a ransom than turn to law enforcement. Indeed, for large and medium-sized companies the unavailability of resources means, if not a halt to the entire business, then significant financial losses.


Main article: DDoS attack

DDoS attacks are a common tool of unfair competition and a way of masking a site compromise aimed at stealing confidential information. Protection against them is especially relevant for companies doing business on the Internet: above all banks, e-business companies (online stores) that use payment and order systems daily, content providers and the media.

Why it's hard to protect yourself from DDoS

DDoS is hard to defend against for three main reasons.

  • No vulnerability to patch. DDoS does not exploit a flaw in the network or in the software. Every platform, whether a single server, a cluster or a cloud deployment, has a physical limit on the number of requests it can serve at once, and a successful DDoS attack only needs to generate enough traffic to push the target past that limit. Most other attacks can be fended off with patches, hardened configuration or policy changes; none of these helps against DDoS, because a service that must stay reachable is, by definition, exposed to being flooded.

  • Inability to block the crowd. A DDoS attack is hard to block because it comes from a great many sources. Blacklisting thousands of attacking addresses, even temporarily, is slow and error-prone, and if the attacker spoofs source addresses so that the flood appears to come from legitimate hosts, those innocent hosts end up blacklisted as well.

  • Telling attackers from users. The third problem is distinguishing clients that make legitimate requests from those taking part in the attack. Every client talking to the service adds load, and compromised machines participate without their owners knowing, so separating "good" hosts from "bad" ones requires careful analysis, and a lot of computation done quickly enough to act on before any blocking decision is made.[1]

List of measures if you have been subjected to a DDoS attack

  • Confirm that an attack is actually taking place. Rule out the common causes of an outage first: DNS misconfiguration, routing problems and human error.

  • Involve your technical staff. Together with them, determine which resources are under attack[2].

  • Prioritise applications. During an intense attack with limited resources, concentrate on keeping the applications that generate the main revenue online.

  • Protect remote users. Keep the business running by whitelisting the IP addresses of trusted remote users who need access, and keep that list as short as possible. Publish the list to your network team and send it to your access providers.

  • Identify the attack class. Is it volumetric, or low-and-slow? Your service provider can tell you whether the attack is purely volumetric.

  • Evaluate your options for handling source addresses. In a complex attack the number of sources may be too large for your provider to enumerate or absorb. Block short lists of attacking addresses on your own firewall; larger attacks can be blocked by geolocation.

  • Block application-level attacks. Identify the malicious traffic and check whether it is generated by a known tool. Some application-level attacks can be blocked case by case with countermeasures available in the solutions you already have.

  • Harden the perimeter. You may be facing an asymmetric Layer 7 attack. Focus on application-level controls: login walls, human verification (CAPTCHA) or Real Browser Enforcement.

  • Rate-limit. If the previous measures have not helped, limit the resources a client can consume; this throttles "bad" and "good" traffic alike.

  • Manage public relations. If the attack has become public, prepare an official statement and brief the staff. If industry policy requires it, confirm the attack; otherwise refer to technical difficulties and instruct staff to redirect all questions to the head of public relations.
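The log-analysis step behind several of the measures above (separating "good" from "bad" sources, never blocking whitelisted remote users, and producing a short firewall blocklist rather than thousands of rules) can be sketched in code. The following is an added example written for this page, not a tool from the original article; the log lines, the addresses, the 10-second window and the 50-requests threshold are all constructed for illustration, and the iptables command is only one possible output format.

```python
"""Rate-based triage of web-server access logs during a suspected DDoS.

Added example for this page, not code from the original article. It tracks
requests per source over a sliding window, skips addresses on a trusted
allowlist, and turns the worst offenders into a short firewall blocklist.
Log lines, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Apache/nginx "combined" format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def classify_sources(lines, window_s=10, max_per_window=50, allowlist=()):
    """Return (suspects, peak): peak[ip] is the highest request count seen in any
    window_s-second window; suspects holds the non-allowlisted addresses whose
    peak exceeds max_per_window."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    recent = defaultdict(deque)      # per-source timestamps inside the window
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # malformed line: count nothing, block nothing
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    suspects = {}
    for ip, n in peak.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowed):
            continue                 # trusted remote users are never blocked
        if n > max_per_window:
            suspects[ip] = n
    return suspects, dict(peak)


def firewall_rules(suspects, max_rules=100):
    """iptables DROP rules for the worst offenders, capped so the list stays short;
    a flood from thousands of sources needs upstream filtering, not a long ruleset."""
    worst = sorted(suspects.items(), key=lambda kv: kv[1], reverse=True)[:max_rules]
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in worst]


def build_sample_log():
    """Constructed log: one flooding source, one busy but trusted VPN gateway,
    one ordinary visitor, all within the same 10 seconds, plus one broken line."""
    t0 = datetime(2020, 7, 2, 11, 51, 45, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_ms, path="/"):
        ts = (t0 + timedelta(milliseconds=offset_ms)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

    for i in range(200):                # 200 requests in 10 s
        add("203.0.113.7", i * 50, f"/search?q={i}")
    for i in range(120):                # 120 requests in 10 s, allowlisted below
        add("198.51.100.9", i * 83, "/api/orders")
    for i in range(5):                  # 5 requests in 10 s
        add("192.0.2.5", i * 2000)
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    suspects, peak = classify_sources(build_sample_log(), allowlist=("198.51.100.0/24",))
    print("peak requests per 10 s:", peak)
    print("suspects:", suspects)
    for rule in firewall_rules(suspects):
        print(rule)
```

The allowlist check runs before the threshold check, so a trusted gateway that legitimately generates a high rate (a VPN concentrator, a partner integration) is reported in `peak` but never lands in the blocklist; the cap in `firewall_rules` is the code form of "block small lists on your firewall".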

The table below compares the typical understanding of an attack and the actions that are taken in a resource-constrained environment compared to another response based on a larger knowledge base and deeper analysis.

Additional materials

How not to become a victim of a DDoS attack

Develop a protection strategy

To stop attacks, organizations need to move from a two-phase defence to a three-phase one. The two-phase approach consists of a preparation phase before the attack (choosing security solutions, deploying protection systems and other measures) and a post-attack phase (investigation, lessons learned and improvement of the defences in anticipation of the next attack). That was sufficient while attacks were short-lived.

Now that campaigns last days or weeks, organizations need a third phase: a defensive strategy applied DURING the attack. Its most important component is a team of experts who can respond dynamically to the attackers' actions, apply countermeasures to stop the attack, and then analyse the collected data to improve defences against future attacks. It is not reasonable for an organization that suffers only a few attacks a year to keep such a team on staff permanently, so it must find external resources: security experts, industry alliances or government services. Only such on-demand services, reinforcing the in-house team with third-party expertise, make the fight winnable.

Clearing traffic at the carrier or special provider level

A powerful DDoS attack can saturate the victim's entire Internet uplink, so the problem cannot be solved on the attacked side: effective protection is only possible at the telecom operator level. Orange's Internet Umbrella service continuously monitors how far the intensity of various traffic profiles for the protected network deviates from baseline values. When an attack is detected, the hardware filters malicious packets and forwards only cleaned traffic to the client. All of this happens automatically around the clock, and the capacity of the operator's Internet channels is sufficient to absorb the most powerful attacks. A dedicated shift of Orange technical specialists monitors the efficiency and health of the service 24/7 and makes adjustments as needed.

Because the cost of mounting a powerful DDoS attack has fallen, only companies with broadband Internet access and a redundant uplink can afford to rely on their own resources for protection, which is rare in current Russian corporate practice. In most cases it is therefore more sensible to rely not only on telecom operators but on specialised anti-DDoS providers.

Be careful with stress testing services

The availability of a web resource is critical to doing business: long response times and outages translate directly into lost customers. That is why developers and owners of web applications pay special attention to load and stress testing, and services have appeared that check a web resource by imitating visitor activity.

Stress testing evaluates the performance characteristics of a system under load beyond its rated limit. In most cases a stress test drives the system into abnormal behaviour or a denial of service that looks much like a DDoS attack. The goals, however, are entirely different: a stress test measures the system's maximum load and checks its resilience against certain DDoS scenarios, whereas a DDoS attack aims to make the target unreachable by any effective means, disrupting the target infrastructure.

As demand for such assessments grows, many online services let you skip building a complex test rig and cloud infrastructure: you set the load parameters, pay for the computing power and wait for a report on how the resource behaved. Some services even offer a short introductory test for free, without registration.

Attackers can use this seemingly harmless service for their own ends. Most load-testing services do not require proof that the test was ordered by the resource owner: there is no binding to a phone number or credit card. Of the six services examined by Kaspersky Lab specialists, only one asked for a special file to be placed on the tested resource, the presence of which guarantees that the server administrator knows about the test. Two services allowed load testing without any registration at all; entering the resource URL was enough. Kaspersky Lab experts drew a pessimistic conclusion, describing several ways attackers could abuse the free tier alone, let alone the richer paid features.

"Cybercriminals can exploit such systems to deal serious blows to owners of small web resources. To avoid such a scenario, each load testing service must request consent from the owner: ask him to place a unique code or banner on the site, and only launch traffic after reading it. In addition, CAPTCHA should be used when working with the service. Such verification procedures will help avoid illegal actions by intruders and botnet robots," commented Denis Makrushin, technical positioning manager at Kaspersky Lab.
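The owner-consent check recommended above (a unique code placed on the site that the service verifies before launching traffic) is easy to get wrong if the code is not bound to the target host: a customer could then place their own code on a third party's site and "test" it. The following is an added example, not code from Kaspersky Lab or from any of the services examined; the well-known path, the token format, the account identifier and the secret are assumptions. The token is an HMAC over the account, the target hostname and an expiry, so it is useless for any other host and stops working after the TTL.

```python
"""Owner-consent check for a load-testing service.

Added example for this page, not code from Kaspersky Lab or from any service
it examined. The service issues a token bound to the customer account, the
target host and an expiry; the customer publishes it on the target; the
service fetches that path and refuses to start unless a valid token is there.
The well-known path, token format, account ids and secret are assumptions.
"""
import hashlib
import hmac
import urllib.request

WELL_KNOWN_PATH = "/.well-known/loadtest-consent.txt"   # assumed location


def _mac(server_secret, account_id, target_host, expires):
    """HMAC over the three facts a consent must be bound to."""
    msg = f"{account_id}|{target_host.lower()}|{expires}".encode()
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def issue_token(server_secret, account_id, target_host, now, ttl_s=3600):
    """Token handed to the customer; valid only for target_host until now+ttl_s."""
    expires = int(now) + ttl_s
    return f"{account_id}.{expires}.{_mac(server_secret, account_id, target_host, expires)}"


def verify_consent(server_secret, account_id, target_host, body, now):
    """True only if body (served by target_host itself) contains an unexpired
    token for this account and this host. Any line may hold the token, so the
    customer can keep comments or tokens for other accounts in the same file."""
    for line in body.splitlines():
        parts = line.strip().rsplit(".", 2)       # account may itself contain dots
        if len(parts) != 3:
            continue
        tok_account, tok_exp, tok_mac = parts
        if tok_account != account_id or not tok_exp.isdigit():
            continue
        expires = int(tok_exp)
        if expires < now:
            continue                              # expired
        expected = _mac(server_secret, account_id, target_host, expires)
        if hmac.compare_digest(expected, tok_mac):  # constant-time compare
            return True
    return False


def fetch_consent_body(target_host, timeout=5):
    """Fetch the consent file from the target over HTTPS (needs network access;
    not used by the offline demonstration below)."""
    url = f"https://{target_host}{WELL_KNOWN_PATH}"
    with urllib.request.urlopen(url, timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    now = 1_700_000_000
    token = issue_token(secret, "acct-42", "shop.example", now)
    body = "# load-test consent\n" + token + "\n"
    print("same host, fresh token:", verify_consent(secret, "acct-42", "shop.example", body, now + 10))
    print("token on another host :", verify_consent(secret, "acct-42", "victim.example", body, now + 10))
    print("token after expiry    :", verify_consent(secret, "acct-42", "shop.example", body, now + 7200))
```

In deployment the service would call `fetch_consent_body(target_host)` itself, over HTTPS, rather than accept the file contents from the customer; a customer-supplied body proves nothing about who controls the host.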

Security challenges posed by HTTPS and SSL attacks

Two principles apply to fighting DoS/DDoS attacks. First, the attack must be stopped as early as possible, before it penetrates deep into the network. Second, and more obviously, all traffic must be inspected. Neither is easy to achieve when the attack uses HTTPS.

Already by 2012 the ERT team was seeing a growing number of requests for help against HTTPS attacks. It is surprising that such attacks were not more common earlier; a sharp rise in their popularity was expected at the time.

Why is an HTTPS attack such a threat? Although it uses a protocol similar to HTTP, it is a threat of a different order. Ordinary HTTP attacks can be detected and mitigated by an anti-DDoS system located on customer premises equipment (CPE), in the cloud, or ideally both. Such solutions cope with application-level HTTP attacks and with network floods.

[Image: HTTP attacks]

When the same attacks are carried out over HTTPS the picture changes. Network floods can still be stopped, because at that layer nothing is encrypted: a SYN flood looks exactly the same whether the target is HTTP or HTTPS. Application-level attacks, however, become very hard to detect.

[Image: Attacks over HTTPS]

As the figure shows, HTTPS traffic is normally decrypted only at the web server, the load balancer or a dedicated SSL termination device. These sit deeper in the network than the point where traffic is inspected by DoS protection systems (in the cloud or on the CPE):

  • Organizations are reluctant to hand their SSL private keys and certificates to a cloud MSSP, since doing so carries its own risks, so a cloud-based DoS protection system cannot analyse the encrypted traffic and therefore cannot detect the attack.
  • A CPE device also sees the data only in encrypted form and cannot analyse it either. By the time the attack is noticed it has already reached its target.
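What a scrubbing layer without the server's private key can and cannot see is illustrated by the following added example (not code from the original report or from any vendor): it builds a minimal TLS ClientHello carrying an SNI extension, which is sent in cleartext, and parses out the fields visible to an in-path device. Anything inside an application-data record, i.e. the actual HTTP request, stays opaque, which is exactly why application-level HTTPS attacks slip past such a device. The hostname, the cipher-suite list and the fixed random bytes are constructed for the example.

```python
"""Cleartext fields of a TLS ClientHello, as seen by an in-path device without keys.

Added example for this page, not code from the original report or any vendor.
build_client_hello() constructs a minimal TLS 1.2-style ClientHello carrying
a supported_versions extension and an SNI extension; parse_client_hello()
walks the record the way a scrubbing layer could, extracting only what is
unencrypted. Application-data records (the HTTP request itself) return None.
Hostname, cipher suites and the fixed random bytes are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
HS_CLIENT_HELLO = 0x01
EXT_SNI = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(sni, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Minimal ClientHello record. A real client sends 32 random bytes; a fixed
    value is used here so the example is deterministic."""
    client_random = b"\x11" * 32
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    name = sni.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list
    ext_versions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 3) + b"\x02\x03\x04"
    extensions = ext_versions + ext_sni                              # SNI deliberately not first
    body = (b"\x03\x03" + client_random
            + b"\x00"                                                # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the cleartext fields of a ClientHello record, or None if the bytes
    are not a complete ClientHello (e.g. an application-data record or a truncated one)."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        (rec_len,) = struct.unpack("!H", data[3:5])
        hs = data[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None
        pos = 0
        (version,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        pos += 32                                   # client random
        pos += 1 + body[pos]                        # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                        # compression methods
        info = {"version": version, "cipher_suites": suites, "sni": None, "extensions": []}
        if pos + 2 > len(body):
            return info                             # legacy client without extensions
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            info["extensions"].append(etype)
            if etype == EXT_SNI and len(edata) >= 5 and edata[2] == 0:
                (name_len,) = struct.unpack("!H", edata[3:5])
                info["sni"] = edata[5:5 + name_len].decode("idna")
        return info
    except (struct.error, IndexError, UnicodeError):
        return None


if __name__ == "__main__":
    record = build_client_hello("bank.example")
    print("ClientHello:", parse_client_hello(record))
    # Constructed application-data record: the HTTP request is in there, but opaque.
    encrypted = bytes([TLS_APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", 5) + b"\xde\xad\xbe\xef\x00"
    print("application data:", parse_client_hello(encrypted))
```

Handshake rate per source, SNI and the offered cipher suites are therefore the only application-adjacent signals a keyless scrubber has; the request method, path and headers that distinguish an HTTP flood from real users are all inside the opaque records.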

Besides HTTPS attacks there are attacks specific to the SSL layer itself, aimed directly at the SSL connection mechanism. SSL attacks carried out with the THC-SSL-DOS tool were covered in detail in a 2011 report, so only a brief outline is given here.

Normally the SSL handshake is performed once, to establish the secure connection. The attack abuses the protocol's renegotiation option, which lets a client request a fresh key exchange on an existing connection. By sending many renegotiation requests an attacker drives up the CPU load on the target server until it can no longer serve anyone.

Where the server does not support renegotiation, the attacker can simply open new SSL connections, with the same effect. The SSL attack is asymmetric by nature: the server spends roughly 15 times more resources processing a handshake than the requesting device (the attacker) does. Disabling client-initiated renegotiation on the server removes the first variant but not the second, which still has to be contained by limiting new connections per source.

HTTPS is supported by almost all websites and is an essential component of financial sites, where it protects money transactions. Given how hard HTTPS attacks are to detect, we expect a sharp rise in their popularity and recommend that organizations, especially in the financial sector, acquire a solution for this problem.

Recommendations for Selecting a DDoS Protection Provider

On April 25, 2017, Qrator Labs, NGENIX, Wallarm and Onsec announced the release of detailed recommendations for choosing a provider of website protection against DDoS attacks and hacking, as well as vulnerability detection services. It is the first such comprehensive list of provider selection criteria on the Russian market.

"A cybersecurity service provider is an important link in the security system of any company. According to Qrator Labs, the number of DDoS attacks in 2016 increased by about one and a half times, and the number of attempts to hack sites is growing at a similar rate. Along with the increase in the number of attacks, the number of foreign and domestic services offering customers appropriate protection is also increasing. However, choosing a reliable service provider is difficult, since the cybersecurity market is closed and opaque: there are few public success stories. Therefore it is often not easy for customers to evaluate the supplier with whom they intend to work. Our initiative is aimed at helping customers organize and simplify the supplier selection process. Following the recommendations developed in the commonwealth of companies for the development of cybersecurity services, customers will be able to choose truly effective protection that allows them to fully protect web resources from all possible types of attacks," says Alexander Lyamin, CEO and founder of Qrator Labs.

"The recipe for an effective security provider contains many ingredients: current technologies, the maturity of business processes, the experience of employees. It is difficult to assess a future partner in advance, and even more so I do not want to experiment in a critical situation. By combining the vision of information security industry leaders in one document, we strive to help companies assess risks and choose a service provider that will ensure the continuity of their business," comments Konstantin Chumachenko, CEO of NGENIX.

According to the authors of the methodological document, a security service provider must meet a whole range of criteria, both business and technical. These requirements are normally fixed in the commercial proposal and in the standard SLA contract offered to the customer.

Among the main business criteria are the following:

  • Quality assurance, or SLA (Service Level Agreement), which contains a description of guarantees of resource availability and liability for their non-compliance, including during an attack.

  • The essence of the contract with the supplier is ensuring availability and the absence of site compromises, which implies protection against any type of threat, including the newest.

  • No charging for attack traffic: if malicious traffic is billed, the budget for the service becomes almost impossible to predict.

  • A free trial period for typical solutions, so that the client can assess the quality of the service before paying.

  • Expert-level technical support available 24/7 in the customer's language, so that any problem with the service is resolved immediately and explained in terms the customer understands.

  • No regulatory risk: the supplier must comply with Russian legislation with respect to connected customers, or allocate a separate resource to customers from the risk zone.

  • The customer should have online access to statistics and analytics in a personal account, plus regular reporting, so that the quality of the service can be verified independently.

Among the technical criteria for choosing DDoS protection, the key ones are a globally distributed network on the supplier's side, a DNS protection service, supplier infrastructure built on hierarchically independent Internet providers, and continuous automatic traffic filtering.

When looking for anti-hacking protection (a Web Application Firewall, WAF), check that the solution includes active and passive vulnerability scanning, virtual patching (the ability to block exploitation attempts until the vulnerability itself is fixed) and protection against brute-force attacks on passwords.

According to Qrator Labs, traditional quality approaches inherited from telephone services are not applicable on the Internet without significant rework. Today the quality of an Internet service is described by a combination of basic parameters of the connection between the source and the client:

  • bandwidth,
  • delay between packets,
  • packet loss rate,
  • jitter (spread of packet transit time).

But this approach ignores the fact that, because of the distributed nature of the network, problems can arise before a connection is even established. Route leaks are one example. According to Qrator Labs statistics, at any given moment about 1% of routes are in this state, and over two weeks the problem affects about 5% of prefixes. It may get worse if cybercriminals start exploiting the technique to hijack traffic and organize DDoS attacks; distinguishing malicious intent from misconfiguration and other results of the "human factor" will then be like looking for a needle in a haystack[3].

It is necessary to consider quality at three levels:

  • the quality the user experiences here and now;
  • the user's expectation of the service quality over a given period (hour, week, month);
  • a quality guarantee built on the user's confidence that the service will have no hidden negative effect (the computer will not be hacked or infected, etc.).

What can we learn in the fight against attacks?

Advanced and prolonged DoS and DDoS attacks are dangerous and complex, but they also offer valuable opportunities. Security experts can collect up-to-date information about the attackers: who they are and which tools they use. Ultimately this lets organizations repel the attack, apply countermeasures and beat the attackers on their own ground.

National system for countering DDoS attacks in Russia

Main article: National system for countering DDoS attacks

DDoS Protection Services Market

2019: Global DDoS Prevention Software and Services Market Tops $9.3 Billion

At the end of June 2020 the analyst firm ResearchAndMarkets released a study of the global market for software and services designed to prevent DDoS attacks. The market reached $9.304 billion in 2019. The analysts gave no growth figures, noting only that spending on such solutions is increasing and will continue to grow.

Increasing reliance on technology due to process automation across all industries leads to increased downtime costs as a result of DDoS attacks. The increase in the number of such incidents provides a strong demand for reliable solutions to protect users from hacker attacks.


Growth of the DDoS protection market is also driven by large investments, a significant share of which goes into new data centres around the world. The rapidly growing adoption of public cloud services and the constant increase in the number of end devices also contribute. Any security breach in this ecosystem can lead to large financial losses, loss of investor or customer confidence, and heavy fines.

All this increases the demand for advanced solutions and services to prevent DDoS attacks among enterprises of various sizes. In addition, strict laws on sensitive customer data are forcing businesses to look for robust solutions with a high level of protection against cyber attacks.

The market is expected to grow most steadily in North America and Europe due to strict cybersecurity regulations as well as Asia Pacific due to rapid growth in industry and highly competitive environment. South America, the Middle East and Africa are responsible for a relatively small market share. However, market growth in these regions is expected to remain strong enough during the forecast period.

The following companies were named leaders in the global market for DDoS prevention software and services: Google, Microsoft, Amazon Web Services, IBM, Cloudflare, Nexusguard and Imperva[4].

2015: IDC: Growth of the Russian market for DDoS protection services by 35%

On September 29, 2016, the analytical company IDC presented, as it claims, the first research in the market for DDoS protection services in Russia (Russia Anti-DDoS Services Market 2016-2020 Forecast and 2015 Analysis). It is showing strong growth and is likely to maintain positive momentum in subsequent years.

According to the IDC report, in 2015 sales of DDoS protection services in Russia reached $16.34 million, an increase of 25.4% compared to 2014. In ruble terms, the market volume jumped even more - by 34.7%.


According to the results of 2015, experts named Qrator Labs the largest provider of services for protection against DDoS attacks in the Russian Federation. Behind it are Kaspersky Lab and Rostelecom. The top three accounted for nearly three-quarters of the market in question.

According to experts, Russian business has long suffered from DDoS attacks, so that the local market for protection services against such attacks will remain growing.

A study by Kaspersky Lab and B2B International published in September 2016 showed that about 77% of companies in Russia experience DDoS attacks repeatedly during the year.

"Among all the cyber threats, DDoS attacks have always been a big problem for Russian companies and organizations of all sizes from different market segments. With the growing complexity and frequency of DDoS attacks, the market for services to prevent them will grow steadily over the next five years," said Denis Maslennikov, senior analyst at IDC Russia and the CIS.

2014: Infonetics Research: Global DDoS Protection Market

According to the Infonetics Research report for the first quarter of 2014, Arbor leads this area, controlling 53% of the global anti-DDoS market in the enterprise segment (with its Pravail solution) and 67% in the carrier segment (with Peakflow SP). Radware accounts for 8% and 10% of revenue in the same segments respectively, and the third major player, Narus, serves 7% of enterprise and 9% of carrier orders. The total market volume for the period was $91.5 million.

2013: Radware Report: Organizations Use Outdated Security Practices

From the Radware Global Network and Application Security Report (2013)

Organizations engage in the security battle without understanding the true nature of the attack, which prevents them from preparing adequately. They invest in preparation in the phase before the attack and produce excellent analysis of the post-attack situation. But they have a critical weakness: they lack the capabilities and resources to defend during the active phase of an attack, and cannot withstand a long campaign that uses sophisticated attack methods. Attackers are aware of this gap and use it to their advantage. The result is disrupted service availability, even at the most respected online businesses.

Chronicle

2023: Roskomnadzor creates a system to counter DDoS attacks for 1.4 billion rubles

In mid-June 2023, it became known about the creation in Russia of a national system for countering DDoS attacks. The corresponding contract worth 1.43 billion rubles was concluded by the Main Radio Frequency Center (GRCC) subordinate to Roskomnadzor. Read more here.

2022: A system based on the "sovereign Runet" is being created to counter DDoS attacks

At the end of October 2022 it became known that a system based on the "sovereign Runet" was being created in Russia to counter DDoS attacks. Read more here.

Notes