Hosting with full protection against DDoS attacks - myth or reality


Over the first two quarters of 2020 the number of DDoS attacks almost tripled, and 65% of them were primitive "load testing" attempts that easily knock out the defenseless sites of small online stores, forums, blogs and media outlets.

How to choose DDoS-protected hosting? What to pay attention to and what to prepare for, so as not to be in an unpleasant situation?

(Inoculation against "gray" marketing inside)

The availability and variety of tools for conducting DDoS attacks force owners of online services to take countermeasures. DDoS protection should be thought about not after the first outage, and not only as part of a general fault-tolerance program, but already at the stage of choosing where to host (hosting provider or data center).

DDoS attacks are classified by the OSI layer of the protocol whose weaknesses they exploit:

  • data link (L2),
  • network (L3),
  • transport (L4),
  • application (L7).

From the point of view of protection systems they fall into two groups: infrastructure-layer (L2-L4) and application-layer (L7) attacks. The split follows the order in which traffic-analysis algorithms run and their computational cost: the deeper we look into an IP packet, the more computing power is needed.

Optimizing real-time traffic processing is a topic for a separate series of articles. For now, let's simply assume there is some cloud provider with effectively unlimited computing resources that can protect websites from application-layer attacks (even for free).

3 main questions for determining the degree of hosting security from DDoS attacks

Look at the terms and conditions of the DDoS protection service and the hosting provider's Service Level Agreement (SLA). Do they answer the following questions:

  • what technical limits does the service provider declare?
  • what happens when the customer exceeds those limits?
  • how does the hosting provider build its DDoS protection (technologies, solutions, suppliers)?

If you cannot find this information, that is a reason either to question how serious the service provider is, or to organize basic DDoS protection (L3-L4) on your own, for example by ordering a physical connection to the network of a specialized security provider.

Important! It makes no sense to buy application-layer protection through a reverse proxy if your hosting provider cannot protect against infrastructure-layer attacks: its network equipment will be overloaded and become unreachable, including to the cloud provider's proxy servers (Figure 1).


Figure 1. Direct attack on the hosting provider's network

And don't let anyone tell you fairy tales that the server's real IP address is hidden behind the protection provider's cloud and therefore cannot be attacked directly. In nine cases out of ten it is not hard for an attacker to find the real IP address of the server, or at least the hosting provider's network, and "take down" an entire data center.

How hackers act in search of a real IP address

Below are several methods for finding the real IP address (provided for informational purposes only).

Method 1: Search in open sources

You can start the search with Intelligence X, which indexes the dark web, document-sharing platforms, Whois data, public data leaks and many other sources.

If HTTP response headers, Whois data or similar clues show that the site is protected by Cloudflare, you can start with a public list of about 3 million IP addresses of sites located behind Cloudflare.

Using the site's SSL certificate and the Censys service you can find a lot of useful information, including the real IP address. To build a query for your resource, open the Certificates tab and enter:

parsed.names: site_name AND tags.raw: trusted

To find the IP addresses of hosts presenting that certificate, open the "Explore" drop-down and select "IPv4 Hosts"; the resulting list has to be sifted manually, with the help of several tools.

Method 2: DNS

Searching the history of DNS records is an old, proven method. The previous IP address of the site can reveal which hosting provider (or which data center) it was on. Among online services, ViewDNS and SecurityTrails stand out for ease of use.

A site usually goes live on its own IP address and is moved behind a cloud protection provider or CDN only later, so services that store the history of IP address changes are likely to hold the site's original address.

If all you have is the name of the old DNS server, you can query it directly for the site's address with dig, host or nslookup (this works only while the old server still holds the zone), for example:

dig @old_dns_server_name site_name

Method 3: Email

The idea is to use the feedback or registration form (or any other way to make the site send a message) to get an email into your own mailbox and inspect its headers, in particular the "Received" fields.

Each relaying server records the address of the peer it received the message from, so the headers often contain the real IP address of the site's mail server (the MX record), which can be a starting point for finding other target servers.
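Reading a Received chain by hand is easy to get backwards, because each relay prepends its own line, so the hop closest to the origin is at the bottom. The following added example (it is not code from the article) walks the chain with the standard library over a constructed message; all addresses are RFC 5737 documentation ranges, and the mailbox and site names are assumptions.

```python
"""Added example: pull relay IP addresses out of an email's Received headers."""
import email
import ipaddress
import re
from typing import List

# Constructed message, as it might arrive after triggering a site's
# registration form. All addresses are RFC 5737 documentation ranges; the
# headers read newest first, so the origin hop is the last one.
SAMPLE = """\
Received: from mx.mailbox.test (mx.mailbox.test [198.51.100.7])
\tby inbox.mailbox.test with ESMTPS; Mon, 1 Jun 2020 10:00:02 +0000
Received: from web01.example.test (web01.example.test [203.0.113.10])
\tby mx.mailbox.test with ESMTP; Mon, 1 Jun 2020 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby web01.example.test with SMTP; Mon, 1 Jun 2020 10:00:00 +0000
From: noreply@example.test
To: tester@mailbox.test
Subject: Your registration

Thanks for signing up.
"""

# MTAs put the peer's address in square brackets after the HELO name.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops on these networks are inside somebody's LAN and never an origin.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_hops(raw: str) -> List[str]:
    """IPs in the order the mail travelled: first hop first, our MX last."""
    msg = email.message_from_string(raw)
    hops: List[str] = []
    # Each MTA prepends its Received line, so reverse to get travel order.
    for header in reversed(msg.get_all("Received", [])):
        hops.extend(BRACKETED_IPV4.findall(header))
    return hops


def is_routable(ip: str) -> bool:
    """False for loopback and RFC 1918 addresses."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def candidate_origins(raw: str) -> List[str]:
    """Routable hops except the final one (the recipient's own mail server).
    The first entry is usually the sending site's server or its MX."""
    routable = [ip for ip in received_hops(raw) if is_routable(ip)]
    return routable[:-1] if len(routable) > 1 else routable


if __name__ == "__main__":
    print("hops:", received_hops(SAMPLE))
    print("candidate origin addresses:", candidate_origins(SAMPLE))
```

On the constructed message the only candidate is 203.0.113.10, the web server that handed the mail to the recipient's MX. On a real message, check each candidate against the protection provider's published ranges before treating it as the origin: a site that relays through a third-party mail service will show that service's address instead.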

Search automation tools

Tools that look up the origin IP behind Cloudflare usually do three things:

  • scan for misconfigured DNS using DNSDumpster.com;
  • check the Crimeflare.com database;
  • enumerate subdomains from a wordlist.

Subdomain enumeration is often the most effective of the three: the owner may have put the main site behind the proxy but left subdomains pointing directly at the origin. The easiest way to check is CloudFail.

There are also utilities built only for finding subdomains by wordlist enumeration and open-source search, for example Sublist3r or dnsrecon.

How search works in practice

As an example, take the site seo.com, which uses Cloudflare; we find it with the well-known service BuiltWith (it both identifies the technologies / engines / CMS a site is built on and, conversely, searches for sites by the technologies they use).

On the "IPv4 Hosts" tab the service lists hosts that present the certificate. To find the right one, look for an IP address with port 443 open. If a request to it redirects to the target site, the job is done; otherwise set the site's domain name in the HTTP "Host" header, for example curl -H "Host: site_name" https://IP_address. Note that a TLS handshake to a bare IP carries no SNI, so a server hosting several sites may still present the wrong certificate; curl --resolve site_name:443:IP_address https://site_name/ sends both SNI and Host for the domain while connecting to the chosen IP.

In our case the Censys search turned up nothing, so let's move on.

DNS history is checked through the service https://securitytrails.com/dns-trails.

Running the addresses listed for the DNS servers through the CloudFail utility, we find live hosts. The result is ready within seconds.

Using only open data and simple tools, we have determined the real IP address of the web server. The rest is a matter of technique for the attacker.
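The automation tools and the walkthrough above boil down to one loop: resolve the apex and a list of candidate subdomains, and keep every host whose address is not inside the protection provider's published ranges. The following added example (not code from the article, CloudFail or any other tool it names) implements that loop in Python with an injectable resolver, so it runs offline against a constructed zone and live against the system resolver. The Cloudflare IPv4 ranges are a snapshot of the provider's published list and the domain, wordlist and zone contents are assumptions; the header check covers the "HTTP headers" clue mentioned earlier.

```python
"""Added example: flag subdomains that resolve outside Cloudflare's edge."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Snapshot of Cloudflare's published IPv4 ranges (assumption: taken from
# https://www.cloudflare.com/ips/; refresh it before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Tiny wordlist for illustration; CloudFail, Sublist3r and dnsrecon ship
# thousands of candidate labels.
WORDLIST = ["www", "mail", "ftp", "dev", "staging", "api", "cpanel", "direct"]

Resolver = Callable[[str], List[str]]


def behind_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def headers_indicate_cloudflare(headers: Dict[str, str]) -> bool:
    """Cheap fingerprint of an HTTP response: Cloudflare's edge answers with
    'Server: cloudflare' and adds a 'CF-RAY' header."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return lowered.get("server") == "cloudflare" or "cf-ray" in lowered


def system_resolver(name: str) -> List[str]:
    """Live resolver using the system stub; returns [] when the name fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def find_exposed_hosts(domain: str, resolve: Resolver = system_resolver,
                       wordlist: List[str] = WORDLIST) -> List[Tuple[str, str]]:
    """Resolve the apex and each candidate subdomain; return (host, ip) pairs
    whose IPv4 address is NOT a Cloudflare address, i.e. possible origins."""
    exposed: List[Tuple[str, str]] = []
    for label in [None] + list(wordlist):
        host = domain if label is None else f"{label}.{domain}"
        for ip in resolve(host):
            if ipaddress.ip_address(ip).version != 4:
                continue  # IPv6 ranges are omitted from the snapshot above
            if not behind_cloudflare(ip):
                exposed.append((host, ip))
    return exposed


# Constructed zone for an offline run: apex and www sit behind Cloudflare,
# while the mail host and a forgotten "direct" record still point at the
# origin network (documentation addresses from RFC 5737).
DEMO_ZONE = {
    "example.test": ["104.16.1.1"],
    "www.example.test": ["104.16.1.1"],
    "mail.example.test": ["203.0.113.25"],
    "direct.example.test": ["203.0.113.10"],
}


def demo_resolver(name: str) -> List[str]:
    """Offline stand-in for system_resolver backed by the constructed zone."""
    return DEMO_ZONE.get(name, [])


if __name__ == "__main__":
    for host, ip in find_exposed_hosts("example.test", resolve=demo_resolver):
        print(f"{host} -> {ip}  (not a Cloudflare address; verify it serves the site)")
```

Replace demo_resolver with system_resolver to run it against a real domain you are authorized to test. Every hit is only a candidate: confirm it by requesting the site from that address with the proper SNI and Host header (curl --resolve site_name:443:IP https://site_name/), since a non-Cloudflare address may belong to a mail relay or an unrelated shared host rather than the web origin.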

Let's get back to choosing a hosting provider. To evaluate the benefits of the service for the customer, consider possible ways to protect against DDoS attacks.

How a hosting provider builds its protection

  1. Own protection system with filtering equipment (Figure 2).
    Requires:
    1.1. Traffic filtering equipment and software licenses;
    1.2. Full-time specialists to support and operate it;
    1.3. Internet access channels wide enough to absorb attacks;
    1.4. Significant prepaid channel bandwidth for receiving "garbage" traffic.
    Figure 2. Hosting provider's own protection system
    If the described system is to withstand modern DDoS attacks of hundreds of Gbps, it will cost a lot of money. Does the hosting provider have such protection? Is it ready to pay for "garbage" traffic? Obviously, such an economic model is unprofitable for the provider unless the tariffs provide for additional payments.
  2. Reverse Proxy (only for websites and some applications). Despite a number of benefits, the provider does not guarantee protection against direct DDoS attacks (see Figure 1). Hosting providers often offer such a solution as a panacea, shifting the responsibility to the protection provider.
  3. Services of a specialized cloud provider (using its filtering network) to protect against DDoS attacks at all OSI layers (Figure 3).
    Figure 3. Comprehensive protection against DDoS attacks using a specialized provider
    The solution involves deep integration and a high level of technical competence on both sides. Outsourcing traffic filtering lets the hosting provider lower the price of additional services for the customer.

Important! The more detailed the technical characteristics of the service provided are described, the more chances there will be to demand their execution or compensation in case of downtime.

Besides the three main approaches there are many combinations and hybrids. When choosing hosting, the customer should remember that the solution determines not only the size of the attacks guaranteed to be blocked and the accuracy of filtering, but also the response speed and how informative the service is (list of blocked attacks, overall statistics, etc.).

Remember that only a handful of hosting providers in the world can provide an acceptable level of protection on their own; elsewhere, partnership and technical literacy save the day. Understanding the basic principles of organizing protection against DDoS attacks will keep the site owner from falling for marketing tricks and buying a "pig in a poke".

Source: habr.com
