DDOS attack, what to do

Reduction of the attack surface

What is a DDOS attack ?

The purpose of a DENI (DOS) attack attack is to affect the availability of a targeted system, such as a website or an application. In general, attackers generate large volumes of packages or requests, which ends up submerging the target system. In the event of a distributed denial attack (DDOS), the attacker uses several controlled or corrupt sources to proceed.

In general, DDOS attacks can be distinguished according to the layer of the OSI model they target. They are the most common at the network layers (layer 3), transport (layer 4), presentation (layer 6) and application (layer 7).

OSI model:

#	Layer	Application	Description	Vector example
7	Application	Data	Network process to application	HTTP flow, DNS request flow
6	Presentation	Data	Data representation and encryption	SSL abuse
5	Session	Data	Inter-host communication	N / A
4	Transportation	Segments	End -to -end connections and reliability	Syn flow
3	Network	Packets	Path determination and logical addressing	Reflection attacks based on UDP protocols
2	Data connections	Images	Physical addressing	N / A
1	Physical	Bits	Multimedia, signal and binary transmission	N / A

Classification of DDOS attacks

If you want to apply techniques to limit these attacks, you can group them according to the infrastructure layer (layers 3 and 4) and the application layer (layers 6 and 7).

Infrastructure layer attacks

Attacks in layers 3 and 4 are often considered as infrastructure layer attacks. They are also the most common and include vectors, such as synchronized flows (SYN), and other attacks by reflection, such as DUP protocol flows (User Datagram Packet). These attacks are generally major and aim to overwhelm the capacity of the network or application servers. However, because they have a clear signature, they can be more easily detected.

Application layer attacks

Attacks in layers 6 and 7 are often considered as application layer attacks. If they are less common, they tend to be more sophisticated. They are generally lower scale than infrastructure layer attacks, but tend to relate to particularly crucial components of the application, which makes it unavailable. These components may include a HTTP request flow redirecting to a connection page, a research API, or even WordPress XML-RPC flows (also called “WordPress pingback attacks”)).

DDOS protection techniques

Reduction of the attack surface

One of the first DDOS attacks attenuation techniques is to minimize the attack surface that can be targeted, thus limiting the options for attackers and allowing you to create protections in a single location. We want to make sure that we do not expose our application or our resources to ports, protocols or applications where no communication is expected. Thus minimizing the possible attack points and allowing us to focus on our attenuation efforts. In some cases, you can do this by placing your IT resources behind content distribution networks (CDN) or charging balancers and limiting direct internet traffic to certain parts of your infrastructure, such as your database servers. In other cases, you can use firewalls or access control lists (ACL) to control traffic that reaches your applications.

Plan for scaling

The two key considerations for the attenuation of DDOS attacks on very large scale are the capacity of the bandwidth (or transit) and the capacity of the server to absorb and to mitigate the attacks.

Transit capacity When designing the architecture of your applications, make sure that your accommodation provider provides large redundant Internet connectivity that allows you to manage large traffic volumes. Since the ultimate objective of DDOS attacks is to impact the availability of your resources/applications, you must locate them, not only near your end users, but to important internet exchanges, which will provide your users with easy access to your application even with high traffic volumes. In addition, web applications can go further by employing content distribution networks (CDN) and intelligent DNS resolution services which provide an additional layer of network infrastructure to deliver content and resolve DNS requests from locations that are often closer to your end users.

Servers Most DDOS attacks are volume attacks that use a lot of resources. It is therefore important that you can quickly put your IT resources on the scale. You can do this using large IT resources or those with features like more extensible network interfaces or more improved networking that supports larger volumes. In addition, it is also common to use loading balancers to monitor constantly and switch loads between resources to prevent overloading one of the resources.

Know what normal and abnormal traffic is

Whenever we detect high levels of traffic reaching a host, the basic requirement is to be able to accept only the traffic that our host can manage without affecting availability. This concept is called speed limitation. More advanced protection techniques can go further and accept, intelligently, only traffic which is legitimate by analyzing the very individual packages. To do this, you must understand the characteristics of the right traffic that the target usually receives and be able to compare each package compared to this basic reference.

Deploy firewalls for sophisticated application attacks

A good practice is to use a web application firewall (WAF) against attacks such as an SQL injection or an intersitated request, which try to exploit vulnerability in your very application. In addition, by the unique nature of these attacks, you must be able to easily create personalized attenuations against illegitimate requests which could have characteristics such as the resemblance to good traffic or come from bad APIs, unexpected regions, etc. It is sometimes useful in the attenuation of attacks because they become experienced to study traffic diagrams and create personalized protections.

DDOS attack

01/15/2020 Reading time: 21 min

Account hack designates the takeover by a malicious individual of an account (messaging, social network, etc.) to the detriment of its legitimate owner. It can have different consequences such as identity theft, theft of banking data ..

What to do in case of phishing or bans ?

01/10/2020 Reading time: 18 min

Phishing or bans is a fraudulent technique intended to lure the Internet user to encourage them to communicate personal and/or banking data by pretending to be a trusted third party.

How to deal with the false technical support scam ?

12/20/2019 Reading time: 20 min

Your device seems to be blocked and you are asked to urgently recall a technical support number ? It is probably a false technical support scam. What to do in this case ? Do not call the number, restart your device, oppose, file a complaint ..

What to do in the event of an attack by denial of service (DDOS) ?

Regularly, websites are targeted by attacks by denial of service, or also called DDOS (English distributed denial of service). In France, operators have observed up to more than a thousand attacks per day. What is a denial attack on service ? How to protect yourself ?

What is a Denial Service attack (DDOS) ?

The Cybermalveillance Site.gouv.FR defines Déni de service attack as an attack ” aiming to make a server inaccessible Thanks to the sending of multiple requests to saturate or by the exploitation of safety flaws in order to cause a strongly degraded breakdown or operation of the service. »»

E-commerce sites, financial institutions, governments or accommodation structures are frequent targets of attacks by denial of service, but All structures can be affected if they have network infrastructure with Internet access.

The denial attack of service is relatively easy to implement by malicious people And the consequences are numerous:

• On e-commerce sites, the site becomes inaccessible or encounters operating difficulties, preventing any transaction
• Dysfunctions on the site are visible by Internet users who may ask questions about the security of the site, altering the relationship of trust with users.

Department attacks can be committed for various reasons: revenge, ideological claims, competition, substantive extortion, etc. The attack can also make it possible to divert attention to better steal sensitive data for example.

Victim of a denial of service attack (DDOS): how to do ?

If the website of your structure no longer works, determine the cause of the incident. The inaccessibility of a site can be caused by a routing failure, a frequentation peak for a specific event, a dysfunction of DNS, etc.

• to contact your host so that it identifies the failing element, the protocol (s) used (s) and the sources of attack and blocks the source IP addresses identified as being behind the attack
• If possible, to recover the journalization files of your firewall and the affected servers
• to make a complete copy of the attacked machine and its memory
• not to pay the ransom claimed, if necessary
• to call on a professional referenced on cybermalvence.gouv.FR for the production and security of affected information systems
• When the attack is complete, to carry out global information system to ensure that sensitive data have not been stolen.
• to notify this attack to the CNIL if there has been a violation of personal data

Articles 323-1 to 323-7 of the Criminal Code provide for a sanction in the event of an obstacle to an automated data processing system (STAD). It is therefore important to file a complaint at the police station or the gendarmerie near you. To do this, you will need all the technical elements describing the attack.

What are the preventive measures to protect yourself from the denial of service attack (DDOS) ?

To prevent attacks by denial of service, you must:

• regularly carry out the security updates of your software
• Configure your firewall correctly
• Check the complexity of your passwords and change them regularly
• Check that your host is prepared to deal with this type of attack.

The Cybermalveillance Site.gouv.FR offers many resources and advice. You can find A reflex sheet on the denial of service to adopt good practices and react in the event of an attack.
Consult the online file

These content may also interest you

• Five tips to guard against ransomware (ransomware)
• Safety of your data: What are the most common hacking methods ?
• Companies: what cybersecurity rules apply ?