The attack itself is a process of high volume viral traffic generation, directed on the target server, occupying its resources and interrupting the normal work. As a result, server infrastructure is not able to process and answer requests, serve users – which means clients can’t use the website effectively, get accustomed with company’s data or create requests for goods/services. Thus, DDoS attacks usually cause great loss for companies.
Moreover, it’s almost impossible to handle the attack without professional help: that is why special goods and services against DDoS attacks appeared on the market.
A Bit of Statistics
Unfortunately statistics and experts’ predictions are optimistic neither for the Russian nor for the world market. According to Kaspersky Laboratory more than 17% of Russian companies suffered severely from DDoS attacks in 2015. Moreover, this negative trend is gaining ground – the number of attacked companies is increasing by 20-30% annually.
The world analytics appears to be even worse. For instance, in Radware Ltd. Global Application & Network Security Report (2014-2015) DDoS attacks are supposed to increase by 20%. In addition, experts emphasize that not only the number of attacks is increasing but their duration and complexity as well. One of the new trends is “real-like” DDoS traffic which is very hard to filter.
Another report by Wallarm and Qrator Labs on the internet security level in Russia and all over the world is also noteworthy. It contains analysis of the most frequently attacked websites in the recent years, these are: payment systems, financial companies, social networks, online-shops, real estate and advertising agencies. Of course, it doesn’t mean that other companies providing goods and services via the Internet (such as banks, medical centers, mass media or travel agencies) are safe from DDoS attacks. You may see the average number of DDoS attacks on different kinds of sites in the table below.
Qrator Labs analytics warns about increase in complexity of DDoS attacks: experts predict that by the end of 2016 competition for amplifyers will have increased and the number of L7 (application) attacks will have risen. On this basis experts strongly recommend using combined remedies provided remotely.
According to the report by DDoS-GUARD in 2015 Russia took the “honorable” 3rd place (as Russians say) in the chart according to the number of DDoS attacks.
DDoS Attacks: Types and Features
- Volumetric Attacks (connectionless) are aimed at overflowing communication channels and limiting sector’s bandwidth. As a rule for these attacks hackers use infected botnets and computers.
- TCP State-Exhaustion Attacks are directed on communication devices monitoring the state (web-servers, firewalls) and are aimed at disrupting devices connection and as a result causing functional disorders.
- Application Layer Attacks (connection-based) are hardly noticeable app attacks targeted on application weak points. It may be hard to detect these attacks because of the low DDoS traffic volume.
DDoS Attacks: Techniques
- HTTP-flood. A hacker sends a small HTTP-packet to a server, which sends a considerably larger package back. Thus, e.g if the server channel is 10 times wider than the hacker’s channel, the server’s bandwidth is likely to be overflown. In order to prevent denial of service on the attacking computers, hackers constantly change their IP-address for hosts’ IPs.
- ICMP-flood (Smurf attack) is one of the most dangerous attack types as it causes a denial of service on victim-computer in 100% of cases. To check system hosts a hacker applies broadcasting (ping-requesting). A fake ICMP-packet is sent via the broadcast address of the amplifying network, then the hacker’s address is changed for the victim’s address and the victim receives answers for ping-request from all the nodes.
- UDP-flood (Fraggle attack) is almost similar to the Smurf attack, the only difference is the use of UDP-packets instead of ICMP ones. A flooding host sends echo requests to a victim’s seventh port via broadcast request. After that the hacker’s address is changed for the victim’s address and the victim receives the vast amount of answers, equal to the number of hosts. As a result the network’s bandwidth gets overflown and the victim faces denial of service.
- SYN flood. This type is rarely used nowadays, because it was overshadowed by the Smurf attack. The pattern is quite simple: two systems create a TCP-connection for data exchange. To establish the connection a hacker sends forged requests, which exhausts connection resources of the victim system.
DDoS Protection Solutions
Despite all the difficulties, it is possible to avoid DDoS attacks on your own (using special software and hardware, supplemented by organizational measures, including bandwidth capacity expansion and load balancing) or following the SaaS (Software as a Service) model applying the services of a professional company.
The second option relieves you from scrutinizing technical nuances, developing a sophisticated infrastructure, hiring specialists and spending a lot of money. You just need to arrange a paid subscription (price usually depends on the number of protected websites and filtration rate). This is a perfect option to protect from volumetric attacks, but it isn’t very effective with application attacks and “slow” attacks. We would like to suggest some better solutions for these cases that you may find further.
This company provides both a range of hardware solutions and SaaS-model protection from DDoS attacks. This combination of service and product offers makes Radware quite successful on the market.
Radware provides the following remedies: HTTP Mitigator, Stateful Firewall, TCP SYN Flood Protection, Connection Limit, Behavioral Server-Cracking Protection, Behavioral DDoS Protection, Signature Protection, Stateful Inspection.
It is important to mention that you can increase performance, if necessary. For example, you may begin with 1 Gbps for minimum price and then opt for 2 or 3 Gbps by paying extra for license.
Arbor is a brand for Pravail data-center protection devices and Peakflow mounted devices. Arbor provides self-contained security systems as well as hybrid solutions based on cloud support for traffic filtration.
Arbor TMS provides self-contained protection from different DDoS-attacks, such as attacks from forged random IP-addresses aimed at channel overflow. There are three levels of devices with different performance (1,5 – 100 Gbps) for various infrastructures.
Arbor APS is the developers’ solution that applies Arbor cloud for higher operation performance and quality. There is also a wide range of models, with performance up to 40 Gbps. The maximum performance is delimited by the license type (cloud services are included).
Fortinet has made a significant contribution to the sphere of information security, namely by developing a range of remedies against DDoS attacks. They are hardware protection devices – FortiDDoS that filter network traffic and prevent attacks of different kinds.
This unique product consists of response prediction and legitimate users behavior prediction modules and a heuristic analyzer that allows distinguishing between DDoS and normal traffic.
Among benefits of this option are low price (in comparison to competitors), wide variety of protective functions and plug-in support.
DDoS attacks may also be prevented by installing software solutions on your hardware. The most popular options today are software based on Nginx and WAF (special remedies for web-apps), firewall configuration and so on.
However software solutions can prevent just the simplest attacks. For instance, firewall is useless against web-resource attack, because they usually occur in a form of http/https-requests. Firewall has a limited analytical power there and, therefore, is unable to detect such attacks.
This relatively new company, which appeared in 2009, already has a client base of more than 2 thousand providers around the globe. Qrator Labs provides clients with a personal account on the website where thay can register, choose a plan and activate protection. Every authorized client is given the Qrator-network IP, where the client should change A-record of DNS. This way the traffic is firstly filtered in the Qrator’s network and after is sent to the client’s website. There is no need to change the hosting.
The benefits of this option include payment in rubles, so Russian clients won’t suffer from currency exchange rate changes. Although the price for basic services isn’t high, all over-the-limit legitimate traffic should be paid additionally, which may cause unexpected expenses.
Free test period is 7 days (if website isn’t attacked; in case of a DDoS attack, test period is reduced to 1 day).
The company offers the following plans:
- Not for Business. The minimum price is 4990 rubles monthly. The plan would suit small websites with low traffic (up to 2000 a day) and “light” content, such as online-shops, small forums or online business cards.
- Small/Medium Business. The minimum price is 18 000 rubles monthly. Unlimited attack protection and high quality filtration of medium-level DDoS attacks.
- Large Business. The minimum price is 46 000 rubles monthly. The plan suits websites with high reliability and sustainability requirements.
This hosting-provider applies self-developed equipment for traffic filtration. The company offers high channel capacity – more than 1,5 Tbps and DDoS-attack protection at 240 Gbps. Their protection system is based on geographical distribution of filtration points and, therefore, guarantees efficient levelling of attack’s harmful effects. The client’s web-resource is monitored constantly, not only during attacks. Clients may activate protection remotely or use a physical link.
In addition, this option has other benefits, like wide choice of plans that allows a client to manage expenses better. For instance, if you need to protect a hosting, you’ll be given a choice of three plans: $150 (2 GB, a dedicated IP address, 1 domain, 10 subdomains), $300 (3 GB on the server, a dedicated IP address, 1 domain, 10 subdomains, HTTPS-traffic filtration), $400 (5 GB, a dedicated IP address, 3 domains, 30 subdomains).
The price for remote protection may vary between $80 and $1000 monthly and the price for protection of game servers using TCP protocols may vary from $175 to $1000 monthly. Protection of web services from all kinds of DDoS attacks costs from $400 to $600. The last includes 24-hour technical support, 24-hour service availability monitoring, primary priority in request processing, individual solutions development.
This company specializes in speeding up web resources, delivering content and infrastructure protection. Apart from DDoS attack protection, CloudFlare offers high level SQL-injection protection and built-in WAF functionality. You don’t have to install any additional hardware or software to switch infrastructure in order to redirect traffic to the Cloud.
Additional Information about CloudFlare
According to the Forrester analytics CloudFlare is one of the leading companies in the field of DDoS attack detection and SaaS protection in the world. So how does CoudFlare work? Why is it so popular? Which attacks can it repel?
To put it simply, CloudFlare is a service that filters traffic before it is directed to the client’s website. To provide strong protection it is necessary to move domains to CloudFlare server’s DNS and deny access to your server for everyone except CF IPs.
One of the main advantages of this option is a free package of services. Although the package includes minimum functionality, it turns out to be enough to significantly reduce the load on a server. There are reliable DNS hosting, website cache, server load reducing, opportunity to use SSL on your website and repel attacks of maximum 10 Gbps. Protection from attacks at higher speed requires activation of a paid package of services – plans’ prices are fixed, so unexpected expenses are out of question. For additional $20 you may activate Web Application Firewall that will protect your web resource from different kinds of attacks, including XSS attacks.
Moreover, you may request a detailed report on attacks and loads. Also, there are some additional functions, such as control channels and opportunity to use SSL traffic protection.
The company embraces data-centers all over the world – in Latin and North America, South and North Asia, Europe, which is more than any other company does. Among its’ clients are such brands as IBM, Microsoft and Google, which speaks for itself.