What is DDOS and How do you Cope with DDOS Attacks?


What is a DDOS Attack?

A DDoS (Distributed Denial of Service) attack is hard to prevent and deal with precisely because it is distributed: the requests arrive from many different source addresses at once (typically compromised machines scattered across the internet, not the attacker's own address), so you cannot simply block the offending IPs, and blocking everything is no better than shutting the server down, which is exactly the outcome the attacker wants. The combined flood of traffic exhausts the server's CPU, memory, bandwidth or connection limits, so legitimate requests slow down and eventually get refused: the server is denied service.

[Image: ddos-how-it-works]

How do you tell if you are being DDOS attacked?

I had a fortunate experience today: I observed something unusual (I set up a script to send an email notification when the CPU load average is above a threshold) on my 3 servers. Each server seemed busy (see the following htop CPU usage) and non-stop. My servers are usually quite quiet, so continuous usage like this is really rare.

[Image: ddos-cpu-usage, CPU usage during the DDoS attack]

So I took a look at the apache2 access log, located at /var/log/apache2/access.log, and its file size was expanding quickly.

[Image: cloudflare-ddos-apache-log, the apache2 access log during the attack]

From the apache2 access log, I can observe:

  • The IPs are all different, so you can't ban them by a specific IP or IP range.
  • The referring URLs ("Link from") vary and are unusual.
  • It is rare for many requests from different IPs to hit the same URL (GET /api/what-is-my-ip).

It turns out that all 3 servers are affected and the API URLs are the targets. I believe someone who uses my free Chrome Extension Show IP is somehow trying to bring down the servers (or at least wants to have some fun).
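The three observations above (many different source IPs, varied and unusual referers, the same URL hit over and over) can be checked mechanically instead of by scrolling through the log. The script below is an added example, not the post's own monitoring script: it parses Apache combined-format access log lines and flags any path that receives many requests from many distinct IPs inside a short window, while leaving a single noisy IP (which an ordinary firewall rule can handle) unflagged. The log lines are constructed sample data using TEST-NET addresses, and the window and threshold values (60 seconds, 20 requests, 10 distinct IPs) are assumptions to tune for your own traffic.

```python
"""Detect a distributed flood in Apache access logs.

Added example, not the post's own monitoring script.  It parses Apache
"combined" log lines and flags any path that gets many requests from many
distinct source IPs within a short window: the pattern observed above, which
cannot be stopped by banning one address.  Log lines below are constructed
sample data; window/threshold values are assumptions to tune for your site.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it
    does not match (truncated or non-combined lines are simply skipped)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines, window_seconds=60, min_requests=20, min_distinct_ips=10):
    """Return {path: stats} for every path that, inside some window of
    window_seconds, received >= min_requests requests from >= min_distinct_ips
    different addresses.  stats describe the busiest such window.

    A single IP hammering one path is deliberately NOT flagged here: that case
    is handled by an ordinary firewall rule, whereas the many-IP case is what
    needs a proxy or cache in front of the origin.
    """
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_path[rec["path"]].append(rec)

    flagged = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # advance the window start until the window spans <= window_seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            ips = {r["ip"] for r in window}
            if len(window) >= min_requests and len(ips) >= min_distinct_ips:
                if best is None or len(window) > best["requests"]:
                    best = {
                        "requests": len(window),
                        "distinct_ips": len(ips),
                        "distinct_referers": len({r["referer"] for r in window}),
                        "window_start": window[0]["ts"].isoformat(),
                    }
        if best:
            flagged[path] = best
    return flagged


# ---- constructed sample log (TEST-NET addresses, not real clients) ----
def make_line(ip, second, path, referer):
    """Build one combined-format line stamped 06/Jan/2020 10:00:<second> UTC."""
    ts = f"06/Jan/2020:10:{second // 60:02d}:{second % 60:02d} +0000"
    return (f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 '
            f'"{referer}" "Mozilla/5.0"')


SAMPLE_LOG = (
    # 30 hits on the API from 30 different addresses within 45 seconds, each
    # with a different odd referer: the distributed pattern from the post.
    [make_line(f"203.0.113.{i}", i * 3 // 2, "/api/what-is-my-ip",
               f"http://example.net/{i}") for i in range(1, 31)]
    # 25 hits on one path from one address: noisy but blockable by IP.
    + [make_line("198.51.100.7", i, "/robots.txt", "-") for i in range(25)]
    # a little ordinary traffic
    + [make_line("192.0.2.10", 5, "/", "-"),
       make_line("192.0.2.11", 40, "/", "-")]
)

if __name__ == "__main__":
    for path, stats in analyse(SAMPLE_LOG).items():
        print(path, stats)
```

Point it at a real log with `analyse(open('/var/log/apache2/access.log'))`; the stock apache2 `combined` LogFormat on Debian/Ubuntu matches the regex as-is, while lines in another format are skipped rather than crashing the scan. The distinct-referer count is reported because the post noted the referers were varied and unusual; lowering `min_distinct_ips` to 1 makes the single-IP /robots.txt scan show up as well, which is the case you would hand to the firewall instead.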

How do you Cope with DDOS Attacks?

Keep the server OS up to date with the latest security patches and make sure basic hardening is in place, e.g. remote root login disabled. The golden rule for surviving a DDoS is to avoid exposing the origin server's real IP address: if attackers only know the address of the proxy in front of you, the flood never reaches your server directly. Hiding the address only helps if the origin also refuses traffic that does not come through the proxy (for example, a firewall rule that admits ports 80/443 only from the proxy provider's published IP ranges); otherwise anyone who discovers the real IP can bypass the protection entirely. It is also common practice to stop answering PING (ICMP echo) so the server does not advertise itself to attackers scanning an IP range for live hosts, though on its own that offers little protection.

You can use CloudFlare as a reverse proxy so the real IPs are hidden. When I noticed the DDoS attack, I quickly added a page rule setting the security level to "I'm Under Attack", which shows visitors a challenge page like this:

[Image: cloudflare-ddos-protection, the CloudFlare "I'm Under Attack" challenge page]

Alternatively, you can add a 'Cache Everything' page rule, so that subsequent requests for the same URL are served from the CloudFlare edge servers instead of reaching your origin. Both methods immediately brought the CPU usage down, and the servers were back to normal. Be careful with caching an endpoint whose response depends on who is asking: an IP-echo API such as /api/what-is-my-ip cached at the edge hands one client's address to everyone who hits the same edge location until the cache expires, so treat 'Cache Everything' on such a URL as an emergency measure rather than a permanent setting.

Another method is to serve static, pre-generated files wherever you can, so that each request costs very little CPU and the same hardware can absorb far more requests before it saturates.

The following CloudFlare traffic statistics show that while the DDoS was in progress the number of uncached requests climbed, but once I applied 'Cache Everything' to the targeted API URL, the requests were served from the CloudFlare edge servers instead of my origin.

[Image: cloudflare-ddos-traffic-statistics, cached vs. uncached requests before and after the page rule]

To recap the general hardening points: disable remote root login (PermitRootLogin no in sshd_config), stop answering PING if you want the host to stay quiet to range scans, and keep the origin reachable only through the proxy so its real IP stays out of the attacker's hands.

–EOF (The Ultimate Computing & Technology Blog) —
