If you read the headlines with any regularity, chances are you’ve noticed how DDoS attacks tend to steal the show. Distributed denial of service wreaks havoc on businesses and websites around the world by stalling business and taking websites offline.
In a 2013 report by NSFOCUS, an enterprise-level mitigation company, researchers found the following:
“Based on traffic analysis, the findings reveal there is an average of 1.29 DDoS attacks occurring worldwide every two minutes with the majority of attacks being short and small. The report found that 93.2 percent of DDoS attacks were less than 30 minutes in duration and 80.1 percent did not surpass a traffic rate of 50 Mbps.”
So, what we can gather from this is that while banks and hacker groups like Anonymous tend to take up most of the headlines, it’s these smaller attacks that are actually more common, and these are the ones facing everyday site owners.
How Does A DDoS Attack Take A Website Offline?
Distributed denial of service works by targeting a website or server with a huge volume of malicious traffic with a goal of taking it offline. The process of how an attack goes about achieving this is rather simple:
First, a packet is sent to the target machine with a request to connect. This initiates the TCP connection (the process two hosts use to communicate). Once the first packet (SYNchronize packet) is received, a response is returned (SYN-ACKnowledge packet). Afterwards, the final ACK packet is sent and the connection is closed. This process occurs in the background when you use your computer to access a website.
A DDoS attack exploits the TCP protocol by sending out requests and then not responding when the target machine responds back with an open connection. If the connection is not made within a certain amount of time, the connection will time out. What an attacker will do is redirect a huge volume of traffic to a website at once, causing countless connections to time out. With every new request your server will “listen” on an open port and wait for the connection to be closed until it times out. The goal of a DDoS attack is to keep open as many connections as possible so legitimate visitors get turned away.
How Do You Know If You Are Being Hit With A DDoS Attack?
There are a number of ways to check for yourself, but the easiest is to simply type your URL into your browser and see if your site comes up. If it is slow to respond (or doesn’t come up at all), there is a possibility that you are being attacked. That is not always the case, though, so it is important not to jump to conclusions.
There is an easy way to check for yourself. What you will need to do is log into your control panel and open your bandwidth statistics. Look at the recent history: if you see a strange bump in traffic that is out of place, you’ve likely been hit with a DDoS attack.
Another thing you can do is see what IPs are connected to your server. To do this, open up your command prompt screen (you will need SSH for this) and type in:
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This will list the number of active connections per remote IP address, with the busiest addresses at the bottom. From there you should be able to see what IPs may be involved in the attack. You can then choose to block them using your firewall. Keep in mind that if you are using a shared hosting environment, you’ll likely not have access to SSH. In a case such as this, if your plan does not include DDoS protection, your site will be taken offline by your web host. They do this to prevent the attack on your website from affecting other customers.
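The netstat check above counts every connection. On Linux, the unanswered connection requests described earlier appear in the SYN_RECV state, so counting only those per remote address narrows the list to likely flood sources. The script below is an added example, not part of the original article: the function names are hypothetical, and the sample output is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: count half-open (SYN_RECV) TCP connections per remote address.

# Constructed sample of `netstat -nt` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40113       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40114       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51840     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:51841     SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:33100    SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:33101    SYN_RECV
tcp        0      0 192.0.2.10:22           198.51.100.50:60022     ESTABLISHED
EOF
}

# Read `netstat -nt` output on stdin; print "count address" for SYN_RECV only.
# Header lines are skipped because their first field does not start with "tcp".
half_open_by_ip() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             addr = $5
             sub(/:[0-9]+$/, "", addr)   # drop the port, keep IPv6 colons
             n[addr]++
         }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Print only the addresses holding at least $1 half-open connections.
flag_sources() {
    half_open_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# On a live server: netstat -nt | flag_sources 20
# (the threshold of 20 is an assumption; tune it to your normal traffic)
sample_netstat | half_open_by_ip
```

Unlike `cut -d: -f1`, stripping only the trailing port keeps IPv6 addresses intact. Spoofed source addresses will spread a flood across many IPs, so a flat distribution with a high total is also a warning sign.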
How Do You Stop A DDoS Attack?
The example above is one option, but a weak one at that. Most people are not capable of handling their own DDoS mitigation for the simple fact that they don’t have the infrastructure. DDoS mitigation companies stop attacks with a number of strategies, but they commonly fall into three distinct areas:
- Specialized software / hardware
- Infrastructure / bandwidth
- Training / knowledge
Your best option for protecting your website from DDoS attacks is to speak with a DDoS mitigation expert. They will be able to assess your situation and determine the best solutions for the type (and volume) of attacks you are facing.