
Denial of Service, what you need to know

Our head of support and hosting, Greg Harvey, digs into what denial of service attacks are, how they affect organisations and what you can do to protect yourself.

Thu, 2016-05-26 16:24. By greg

Not many people have been unfortunate enough to be at the sharp end of a serious denial of service (DoS) attack. But the bigger you are, and the more exposed your customers are, the more you come to deal with the reality of this kind of bad behaviour, whether it is simply "anti-social" (kids messing about) or criminal (a targeted attack against an organisation to elicit some kind of reward or response).

In fact, it's not even necessarily a case of size. DoS attacks are one of the fastest-growing types of malicious and criminal activity on the Internet, yet many people remain blissfully unaware of what they are and what they mean for their websites. So let's start from the start...

Understanding the Internet

Before we get into the specifics of a DoS attack, first you need to imagine the Internet for what it is. Information on the Internet passes from A to B as "packets" of data travelling along "routes". One of my colleagues, Mig, often describes himself as a kind of plumber for the Internet, which conjures images of a virtual pipe network. This is kind of OK, certainly from the standpoint of explaining to someone what a systems administrator does without going into any technical detail, but it only depicts half the story.

Unlike water in a pipe, packets on the Internet have an address they're coming from and an address they're going to - these addresses are called IP addresses (IP standing for Internet Protocol). So I prefer to think of parking garages (computers) full of cars (packets) that can exit and travel from one parking garage to another on roads (network routes). That way the addressing aspect of the Internet makes more sense. I suppose if you extend that analogy, systems administrators are our road engineers, replacing broken bridges, fixing holes in tarmac, making bigger roads when the existing ones are too small.

So if each computer on the network is like a parking garage full of cars (packets), each garage is connected to the world by a driveway (let's say the router you bought or had supplied by your Internet service provider) with a specific address, which connects to a smaller road (the network of your ISP), which in turn connects to larger roads (your ISP's upstream provider) and so on, until ultimately your little packet-car finds itself on the motorways of the Internet, for example the high-speed transatlantic fibre-optic cables that carry data from the south west of England to the eastern seaboard of America, whizzing its way to another garage at Google (the destination address). When it arrives, that information has been delivered. (More on routing in our FAQ on diagnosing if your site is up or down.)

What is a DoS attack?

OK, fine, so we have all these packets whizzing around that are basically like cars on roads, except they're electrical (or light, in the case of fibre) impulses in cables. And just like roads, you get congestion. If there's too much traffic on a route, things slow down. Junctions get blocked, bridges fail, some packets get "stuck" or lost, but ultimately diversions get set up, packets find other routes, and so on. And just like roads, if there's so much traffic the infrastructure just simply can't cope, you get gridlock!

Normally on roads these gridlock events happen when large routes meet smaller routes, and the same is true of the Internet. When you get a lot of traffic trying to leave a major route for a minor route (think the start of a weekend rock festival in the countryside or something similar) the minor route simply cannot cope with the traffic fast enough and everything grinds to a halt. This is exactly what happens with a DoS attack. The attacker sends so much traffic, in the form of packets, over the major routes of the Internet to the victim's minor local routes that the local routes can't cope and all traffic to the victim's services grinds to a standstill. Their services are blocked completely: electronic gridlock. (Not every attack works by flooding the pipe. Some send a modest amount of traffic that is expensive for the server to handle, for example thousands of half-open connections or repeated requests for a slow page, and exhaust the server's memory or CPU rather than its bandwidth. The effect on the victim is the same.)

What's the difference between a DoS and a DDoS attack?

A DoS attack usually comes from a single source (or a few), which makes it fairly easy to block by address. A distributed denial of service (DDoS) attack is more complex because it typically uses thousands of computers all around the world, all at the same time, each sending only a share of the traffic. This makes it extremely difficult to separate the malicious sources from legitimate visitors, and nigh on impossible to identify the perpetrators. It's more or less a risk-free crime, which is why it's so popular and so scary. It's expensive and difficult to mitigate, it cripples the victim's Internet services and the perpetrators more or less act with impunity.
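To make the DoS/DDoS distinction concrete, here is an added example (not code from the original post or from Code Enigma) that looks at request rates in a web server log. A per-address threshold catches a single-source DoS and tells you whom to block; a DDoS spreads the same load over so many addresses that each one looks innocent and only the aggregate rate gives it away. The log lines, addresses, window size and thresholds are all constructed for illustration.

```python
"""Added example: telling a single-source DoS from a distributed one by
looking at request rates in a web server access log.

All log lines, IP addresses and thresholds below are constructed."""
from collections import Counter
import re

# Common log format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse(lines):
    """Yield (client_ip, timestamp, request) for every line that parses."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def rates(entries, window_seconds):
    """Return ({client_ip: requests/sec}, total requests/sec) over the window."""
    per_ip = Counter(ip for ip, _, _ in entries)
    total = sum(per_ip.values())
    return {ip: n / window_seconds for ip, n in per_ip.items()}, total / window_seconds


def classify(entries, window_seconds, per_ip_limit, total_limit):
    """Classify a window of traffic.

    Returns (verdict, addresses_to_block) where verdict is:
      "dos"  - one or a few sources each exceed per_ip_limit; block them
      "ddos" - no single source is abusive but the aggregate exceeds
               total_limit; per-address blocking will not help
      "ok"   - neither threshold is crossed
    """
    per_ip, total = rates(entries, window_seconds)
    abusive = {ip for ip, r in per_ip.items() if r > per_ip_limit}
    if abusive:
        return "dos", abusive
    if total > total_limit:
        return "ddos", set()
    return "ok", set()


def make_log(requests_per_ip):
    """Constructed sample log: map of client IP -> number of requests."""
    lines = []
    for ip, n in requests_per_ip.items():
        for _ in range(n):
            lines.append(f'{ip} - - [26/May/2016:16:24:00 +0100] "GET / HTTP/1.1" 200 512')
    return lines


WINDOW = 10  # seconds covered by each constructed log (assumption)

# A handful of ordinary visitors.
NORMAL_LOG = make_log({f"192.0.2.{i}": 3 for i in range(1, 6)})
# One address hammering the site, plus one legitimate visitor.
DOS_LOG = make_log({"198.51.100.7": 600, "203.0.113.5": 12})
# Two thousand addresses (a small botnet) each making a single request.
DDOS_LOG = make_log({f"10.{i // 256}.{i % 256}.1": 1 for i in range(2000)})


def demo():
    """Classify the three constructed logs with illustrative thresholds."""
    results = {}
    for name, log in (("normal", NORMAL_LOG), ("dos", DOS_LOG), ("ddos", DDOS_LOG)):
        verdict, block = classify(list(parse(log)), WINDOW, per_ip_limit=10, total_limit=100)
        results[name] = (verdict, sorted(block))
    return results


if __name__ == "__main__":
    for name, (verdict, block) in demo().items():
        print(f"{name}: {verdict} block={block}")
```

The DDoS case is the instructive one: 2,000 sources at one request each over ten seconds is 0.1 requests per second per address, far below any sensible per-address limit, yet 200 requests per second in total. That is why the cloud filtering services discussed later look at traffic in aggregate and by behaviour, rather than only by source address.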

OK, but why would anyone attack me?

Some organisations already know the answer to that. Perhaps they're high-value political targets, perhaps they're charities working on potentially divisive research or issues. But why would someone DoS a boutique online retailer, for example?

Because they can!

You have to understand that these days DDoS attacks are far easier to mount than they ever have been, and the motive is often as simple as money. A report by hosting company Pulsant recently stated that, in their experience, so-called "ransom attacks" are up 50%. This is when a DDoS attack is mounted against a victim (let's say a boutique retailer who relies entirely on their website for sales) and, shortly after the attack begins, the victim receives an email demanding a payment for the attack to stop.

Typically that payment is around the $5,000 mark. This can go on for over a week if no one intervenes or pays, and if the retailer knows they will lose a week's takings if they don't pay, often paying up seems more palatable than fighting back - especially since that "fix" is more or less instant. And so it works. Criminals can easily extort money from unwitting victims, and they usually get away with it at least once.

And because this kind of attack is so easy, they try all manner of websites, all the time, to find the person who is not protected and will pay up to make the problem go away. It's a numbers game, like the infamous "419" scammers of Lagos (named after the section of Nigeria's criminal code that covers fraud): keep doing what you're doing until you find someone who falls for it.

How do I protect myself?

It’s important to understand you can never entirely protect yourself from a DoS attack. If someone is determined enough, and has big enough resources at their disposal, there is little you can do except wait it out.

However, in most cases attacks are small enough and amateur enough that there are some standard tools you can employ to mitigate their efforts. Following a recent DoS attack against our own networks, we evaluated three of the main cloud-based services: CloudFlare, Incapsula and Sucuri.

There are surely more organisations out there doing cloud-based DDoS mitigation than these three, but these are the ones most prominent in our networks, so they are the companies we contacted.

All three of them work in a similar way, at least conceptually (though they'll all tell you they have a differentiator on some technical level, of course). The basic premise is that you route traffic from the Internet via a cloud-based filter, which can be used to block malicious traffic, and clever software on the service provider's part can automatically spot and block criminal or nuisance behaviour before it even hits your infrastructure.

CloudFlare

CloudFlare is a pretty cost-effective service - in fact, they have a perfectly viable free tier which is great for people requiring basic protection. You essentially use them as your DNS provider (DNS being the service that maps the memorable names people type into browsers to IP addresses - remember the parking garage analogy? For example, you type google.com into your browser, your browser asks DNS for the address of google.com and DNS says the destination is 216.58.210.46 - or was, at time of writing).

Of course, your website has its own IP address, but this effectively gets masked by CloudFlare. Because CloudFlare have control of your DNS, if someone looks up your website's name they'll just get a CloudFlare IP address. And if someone starts attacking you, CloudFlare will pass your traffic through their network first and filter out the "bad" traffic, allowing the "good" traffic to carry right on through. The masking only holds as long as the real address stays private, though: if it can be found some other way (an old DNS record, a mail server on the same address, a subdomain you forgot to route through them), the attacker can aim at it directly.

This is great, but you essentially have to use them as your DNS provider. This is fine if you only have half a dozen DNS records, but we have much more complex DNS than that. We don't want to have to transfer all our DNS records to another provider; we manage them ourselves and prefer to stay that way. Plus some customers of ours also do not want to be told where their DNS has to be hosted. So this is a blocker for us using CloudFlare.

In summary, great service for a small organisation with simple DNS configurations and totally free at a basic level of protection, which would be more than adequate for most small businesses, but unpalatable for organisations who do not want to cede control of their DNS to a third party or change provider.

Incapsula

Incapsula are at the other end of the scale. They are expensive for small networks and small businesses, operating at a level where they expect to be protecting entire blocks of infrastructure. Their pricing becomes far more competitive when you're discussing protecting entire network segments ("slash 24s" in networking parlance, blocks of 256 addresses) but for single addresses using their IP Protection service it is pricey.

They have several compelling reasons why their service is superior. Unfortunately, because of the way our services are set up, Incapsula at this point in time are too expensive for Code Enigma to implement. However, they could be well worth a look if you are an Enterprise-scale IT buyer looking for a cloud-based catch-all security solution, especially since they can handle entire subnets quite easily and cost-effectively.

Sucuri

Enter Sucuri, competitively priced like CloudFlare, but with a few killer features that swung it for us. There's no free tier, so unlike CloudFlare, you can't just sign up. But you also do not have to hand over your DNS. With Sucuri's product, their Web Application Firewall (WAF), you get an IP address to point your website's DNS record at, and it's done. All your other DNS entries can stay where they are; you only change the record for your website.

It has a whole load of neat additional security features in the dashboard, as well as specific protection for popular products - particularly relevant to us, of course, they maintain protection rules for Drupal vulnerabilities as they are disclosed, so known attacks are filtered before they reach a site that hasn't been patched yet. And, like CloudFlare, they also operate a proxy-like CDN feature that respects the caching headers set by the CMS. So it's a whole lot more than just DDoS protection.

In fact, we like it so much we’re strongly urging existing customers to sign up, and we’re also insisting all new customers do so as well. For less than $20 a month, it’s an absolute no-brainer, it protects our customers and our infrastructure, and it doesn’t break the bank.

What else do you do?

Not all of our infrastructure can be protected with services like Sucuri. To add a 'defence in depth' mitigation measure, we do (and always have, since we moved to Rackspace) invest in an advanced traffic scrubbing system at datacentre level. This has its limitations but it means, in most cases, even attacks that target an exposed public IP address can be scrubbed out inside a few minutes. The difference is that this is a reactive rather than a proactive measure, but our experience has shown it is still very effective.

Without a datacentre level solution, if your origin IP addresses - the “back end” addressing, if you will - get attacked directly, you will be powerless. It’s a last line of defence, but for a professional hosting company we believe it’s essential. Because if someone’s going after your IP address, throwing a service like CloudFlare over the top of a website just won’t help, because the attacker is already directly attacking your infrastructure. It’s too late to hide!
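One practical check that follows from this: once a website sits behind a service like CloudFlare or Sucuri, every legitimate web request to the origin server should arrive from that provider's published proxy addresses. A request to port 80 or 443 from anywhere else means the origin address is known to someone outside the filter, and it is a candidate for a direct attack. The following is an added example (not code from the original post, Code Enigma or any of the providers named) that runs that check over a constructed connection log. The proxy ranges in it are placeholders from the documentation address blocks, not any provider's real list; substitute the ranges your provider publishes.

```python
"""Added example: spotting web traffic that reaches the origin server
without passing through the cloud filter in front of it.

Proxy ranges and connection records below are constructed placeholders."""
import ipaddress

# ASSUMPTION: placeholder ranges. Replace with the list your WAF/CDN provider
# publishes; these documentation blocks do not belong to any real provider.
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

WEB_PORTS = (80, 443)


def from_proxy(src, ranges=PROXY_RANGES):
    """True if the source address falls inside one of the proxy ranges."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ranges)


def direct_hits(connections, ranges=PROXY_RANGES, web_ports=WEB_PORTS):
    """Return (source, port) for web connections that bypassed the proxy.

    Non-web ports (SSH, monitoring) are ignored: the question here is only
    whether the website's origin address has been found."""
    return [
        (src, port)
        for src, port in connections
        if port in web_ports and not from_proxy(src, ranges)
    ]


def exposed_sources(connections, ranges=PROXY_RANGES, web_ports=WEB_PORTS):
    """Distinct addresses that know the origin, most frequent first."""
    counts = {}
    for src, _ in direct_hits(connections, ranges, web_ports):
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


# Constructed (source IP, destination port) records, as an origin host's
# firewall or connection log might provide them.
CONNECTIONS = [
    ("203.0.113.17", 443),   # arrived via the proxy: fine
    ("203.0.113.200", 80),   # arrived via the proxy: fine
    ("198.51.100.9", 443),   # direct hit: origin address is known to this host
    ("2001:db8:1::5", 443),  # arrived via the proxy (IPv6): fine
    ("192.0.2.44", 22),      # SSH from an admin host: not web traffic, ignored
    ("198.51.100.9", 80),    # same outsider, probing the plain-HTTP port too
]


if __name__ == "__main__":
    for src, port in direct_hits(CONNECTIONS):
        print(f"origin reached directly from {src} on port {port}")
    print("exposed to:", exposed_sources(CONNECTIONS))
```

If this turns up anything other than your own monitoring, the usual fix is to restrict ports 80 and 443 at the origin's firewall to the provider's ranges, so that finding the address no longer buys an attacker a path past the filter. That does not stop a flood from saturating the link itself, which is exactly the case the datacentre-level scrubbing above exists for.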

In summary

DoS attacks do matter to you, even if you think they don’t. It is a major “growth industry” in cybercrime and you don’t need to be a bank or a big law firm or a government department to be at risk. With the rise in “ransom attacks” anyone is fair game, so you ought to protect yourself.

Code Enigma will protect you as best we can, if you are a private cloud customer and subject to our datacentre protection service, but you will do yourself and your hosting provider a favour if you sign up to either a free service like CloudFlare, or a cheap one like Sucuri WAF if you find some of CloudFlare's limitations are a show-stopper (like us), or a network-level solution like Incapsula if you want to protect your entire private cloud.

There’s really no good reason I can think of for a commercial website not to be using one of these services, especially since at least one of them is literally free.

Just one more thing - why are DDoS attacks getting easier?

The TL;DR is because you don't keep your computer software up to date! 25% of Windows PCs alone are still not properly protected, and worryingly, that figure hasn't changed since Microsoft highlighted the problem back in 2013.

Why does this matter? Because DDoS attacks emerge, for the most part, from something generically termed a "botnet". This is a group of computers that all have an Internet connection and have all been successfully hacked (usually by some automated means - a phishing scam, a malicious website, an infected file) so they have some malicious software installed: software that allows a criminal to remotely control that computer. If you have a botnet of some 5,000 computers, that's a tiny percentage of the computers worldwide, but it's more than enough to mount a DDoS and take down most websites. If each one of those computers is requesting 10 pages a second, that's 50,000 page requests a second, and the victim's website is dead.

And the owners of the computers engaged in the attack will, for the most part, be blissfully unaware their computer is being used to engage in criminal activity. In fact, the problem is so widespread and endemic on the modern Internet, the police probably won't even bother to contact individual computer owners. It's a waste of time!

The simplest way to make sure you're not part of the problem is to always update your software, always keep your antivirus definitions up to date and be careful where you go and what you open on the Internet. And never, EVER, open a program or file sent to you as an email attachment, no matter who it came from. Not even "funny" presentations.

If everyone took proper responsibility for the security of their own PC, there would be no botnets, there would be no DDoS.