Article by Jerry Low
Geek dad, SEO data junkie, investor, and founder of Web Hosting Secret Revealed. Jerry has been building Internet assets and making money online since 2004. He loves mindless doodling and trying new food.
DDoS attacks are relatively uncommon, but they do occur. Knowing how to protect your server from an attack helps to minimize potential downtime and reduces the potential damage. A DDoS attack results from poor security policies and improper monitoring of a web server. When a machine is under attack, it takes the entire server down, and the IT administrator is forced to take the machine offline to fortify it and stop the attack. This results in server downtime and potential losses for the website owner.
Infographic quoted from Wired: When Bots Attack
A DDoS attack results from multiple dynamic networks that have already been compromised. The goal of an attack is to make it impossible for essential services to run efficiently, resulting in a complete loss of system stability. The end result is that the server can’t handle the requests and is forced to shut down. One solution once an attack has started is an infinitely scalable environment that can handle large amounts of bandwidth and keep up with the demands of a DDoS attack.
There are three components to a DDoS attack. The Master controls the entire process and determines how and what machines are used to initiate the attack. DDoS attacks are coordinated attacks that provide the Master with the ability to control several Slave networks to attack the destination machine from multiple sources. The entire operation involves a complex network designed to disable the destination machine. The reasons for a DDoS attack are varied. Whether someone wants to take down a particular website as an act of protest or simply wants to disrupt the flow of information, a DDoS attack can effectively take down entire networks.
There are two main stages in a DDoS attack. The preparation stage involves probing for weak machines that have security vulnerabilities. In most cases, secured and up-to-date servers have nothing to worry about, since the attacker will simply move on to an easier-to-break system. The intrusion phase looks for machines around the world that can be compromised and used to attack the intended target. The distributed DoS phase involves the actual attack on the destination machine, affecting the reliability of the website.
Several security issues give these opportunistic attackers a chance to take root and mount a successful DDoS attack. Software and applications that have not been updated to the latest versions leave the attacker a weak system with known exploits that can be used in an attack. Servers that are set up on an open network without the necessary firewall restrictions make it possible to compromise a machine. Finally, a web server without regular monitoring and auditing makes it possible for intrusions to go unnoticed, resulting in a compromised machine.
The best way to prevent attacks is to follow some basic preventative guidelines to minimize the possibility of a successful campaign.
Firewall Installation and Configuration
Set up and configure your firewall and make sure that "Anti-DoS" measures are activated. A firewall is the first line of defense against hackers. Your IT team should have the knowledge and experience to set up a firewall completely and securely to prevent unauthorized users and hackers from installing DDoS tools. If you don’t have the necessary experience or support team to manage a firewall, then look for managed hosting that will take care of these security measures for you. This is not something that an inexperienced website owner should attempt on their own.
Install an IDS on your server to provide automated alerts when someone is attempting to evaluate the weaknesses of your website. This is also called sniffing and is one of the first signs of an impending attack. Set up a rule to monitor permissions, inode, users, groups, the number of links, sizes and md5 checksums. The rule should monitor only folders that are not changed often, such as "/bin," "/sbin" and "/var." Once that is set up, run AIDE.
Regularly search for rootkits using tools that scan your system for malware. During an audit, you should check for rootkits and out-of-date software, check whether kernel upgrades are available, look for trojans, determine whether there are any hidden processes, and evaluate logs and email relays. Additionally, you should perform a complete audit to detect unauthorized malicious cron entries, determine whether backups are functioning correctly, look for any unauthorized users and delete any users that are not used. Most servers don’t need every available process running. By disabling unneeded services and optimizing the system so that only necessary services are running, you can further protect the server from being compromised through an out-of-date or malfunctioning service. Also, check the system performance and run a memory test to ensure that everything functions properly. Finally, implement a good set of intrusion prevention tools to prevent a potential breach and alert the IT administrators.
Installing mod_security on your Apache server will help to ensure that a filtering system is in place to prevent attacks. Filtering systems send requests through an analysis process before allowing the web server to process them. This helps reduce the possibility of malicious HTTP requests and breaches in your security. Once mod_security is installed, set it up to provide sufficient protection for your server. This involves adding the strings and location to the mod_security configuration file.
Look at your server's load and HTTP requests to determine whether your website has been compromised. If the load is 5 or more, then check to see whether there is also a large number of HTTP requests being processed. Any activity that is out of the ordinary should be investigated immediately to improve the chances of stopping the attack. Servers with a heavy load often have around 100 or more connections. However, a server under attack has an even higher number of connections. The key element to look for is how the current load differs from a normal load. If the average load involves 50 connections and the server currently has 500, then something is wrong and an investigation is necessary. Once it has been established that a DDoS attack is under way, finding the compromised network should be the next step in the process. It isn’t always immediately obvious that a machine is under attack.
By detecting an attack early on, it may be possible to combat it and stop it in its tracks before it becomes a more widespread issue. However, if the destination machine is bombarded by several slave machines, it will take a significant amount of time to block each IP and host involved in the attack.
To combat an attack, you will need to go through each block of IPs that are currently connecting to the machine to see whether they come from the same network. If there are more than 5 IPs or hosts from a single network, then the machine is certainly under attack and you will need to take precautions to disable the attack and prevent it from continuing. To stop the attack, you’ll need to manually block the IPs in question using a firewall on your machine. You’ll need to continue this process until all of the machines involved in the attack are blocked. This can take some time and can be especially difficult on servers with high amounts of traffic. In the end, if someone wants to attack your server, there isn’t much you can do once the attack starts. You must use preventative measures to head off an attack before it starts. Preventative measures help to secure the system and make sure that the attack doesn’t happen in the first place.
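The two checks described above (comparing current load and connection count against the server's normal baseline, then looking for more than 5 hosts from a single network) can be scripted over a connection snapshot. The following is an added example, not code from the article: it parses constructed `ss -tn`-style output, groups peers by /24 (an assumption; the article only says "a single network"), and returns candidate firewall rules for an administrator to review. The 5x-baseline factor for "abnormal" connection counts is also an assumption.

```python
import ipaddress
from collections import defaultdict

LOAD_THRESHOLD = 5        # article: a load of 5 or more warrants a closer look
NETWORK_HOST_LIMIT = 5    # article: more than 5 hosts from one network
ABNORMAL_FACTOR = 5       # assumption: 5x the normal connection count is abnormal

def _ss_line(peer, port):  # one `ss -tn`-style row; local side 10.0.0.5:80 is constructed
    return f"ESTAB 0 0 10.0.0.5:80 {peer}:{port}"

# Constructed snapshot: seven distinct hosts (one of them connecting twice) from
# 203.0.113.0/24 plus a few unrelated clients, in the column layout of `ss -tn`.
SAMPLE_SS_OUTPUT = "\n".join(
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    + [_ss_line(f"203.0.113.{i}", 40000 + i) for i in range(10, 17)]
    + [_ss_line("203.0.113.10", 40099), _ss_line("198.51.100.5", 41000),
       _ss_line("198.51.100.9", 41001), _ss_line("192.0.2.44", 42000)])

def peers_from_ss(output):
    """Return the peer IP (5th column, port stripped) of every connection row."""
    peers = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":   # skip header / short lines
            continue
        peers.append(fields[4].rsplit(":", 1)[0].strip("[]"))  # also handles [v6]:port
    return peers

def suspicious_networks(peers, limit=NETWORK_HOST_LIMIT, prefixlen=24):
    """Networks with more than `limit` distinct hosts connected, as CIDR strings.
    Grouping by /24 is an assumption; the article just says 'a single network'."""
    nets = defaultdict(set)
    for ip in peers:
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)].add(ip)
    return sorted(str(net) for net, hosts in nets.items() if len(hosts) > limit)

def assess(load1, peers, baseline):
    """Compare a snapshot (1-min load, peer list) with the server's normal connection count."""
    return {
        "connections": len(peers),
        "load_high": load1 >= LOAD_THRESHOLD,
        "connections_abnormal": len(peers) >= ABNORMAL_FACTOR * baseline,
        "suspicious_networks": suspicious_networks(peers),
    }

def block_rules(networks):
    """iptables commands for an administrator to review before applying; nothing is run here."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in networks]
```

On a live server, replace the constructed snapshot with the real output of `ss -tn` and the baseline with the connection count you observe under normal load.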
Of course, no system can be completely protected from a DDoS attack, but the more secure services are generally ignored in favor of easier, open and less secure servers.
The Importance of Monitoring and Auditing
While it is impossible to prevent an attack by someone who is determined to infiltrate and take down your system, basic security practices and regular auditing can help reduce the possibility of a successful attack. If an attack becomes so severe that it threatens the hardware of the server, then you will have to shut down the server, analyze the logs and block any incoming IPs and hosts that are attempting to infiltrate your system. Even if you are not the victim of an attack, as the owner of a web server you have an obligation to ensure that your applications, security and processes are up to date, to prevent someone from using your network as a launching pad for these types of attacks. Audits should be completed on a regular basis. For large companies, it is not uncommon for quick audits to be run daily to ensure that the system is protected from attacks and to get the maximum efficiency and reliability from the web server.
There are plenty of ways to launch a DDoS attack, plenty of technical material to read, and plenty of protections that need to be put in place. Personally, I am relying a lot on my host WP Engine (which has done a very good job of blocking attacks and hacks) in this matter, but if you wish to learn more, I suggest further reading on Dave Taylor’s How do I deal with DDoS Attack and Steven J. Vaughan-Nichols’ How to try to stop DDoS Attack.