Recent high-profile DDoS (Distributed Denial of Service) attacks have put a spotlight on this type of cyberattack and have made many business owners wonder about their own vulnerability. In late September, the large VoIP services company Bandwidth.com endured a rolling DDoS attack which affected its operations for a number of days, and then in early October many users panicked when Facebook — as well as its Instagram and WhatsApp applications — was unavailable for several hours.
How Does a DDoS Attack Work?
In a typical DDoS attack, an attacker exploits a vulnerability in one computer system, making it the “DDoS master”. This master identifies other vulnerable systems and gains control of them by infecting them with malware or by simply bypassing poor password protection.
These infected devices under the control of the DDoS master are then known as zombies, or bots. The attacker sets up what is called a command-and-control server to direct the network of bots, also called a botnet. The person or device in control of a botnet is referred to as the botmaster. Botnets can be composed of almost any number of bots; botnets with tens or hundreds of thousands of nodes have become increasingly common, and there may be no upper limit to their size. Once the botnet is assembled, the attacker uses the traffic generated by the compromised devices to flood the target domain, essentially creating a traffic jam of users trying to reach the same destination, and knocking the target offline.
Because DDoS attacks involve and affect many devices, the final target is not always the sole victim. The devices used to route malicious traffic to the target may also suffer a degradation of service, even if they aren’t the main target.
How Do You Know You’re Under Attack?
A DDoS attack is essentially an availability problem, and it can range widely in severity. Because availability and service issues are normal occurrences on a network, it’s important to be able to distinguish between routine operational problems and an actual DDoS attack. Look for these signs of a DDoS attack:
- Specific IP addresses making many consecutive requests over a short period.
- Traffic surges from users with similar characteristics, such as geographic location, device type or browser.
- Pings to the server time out.
- The server responds with HTTP 503 (Service Unavailable), meaning it is either overloaded or down for maintenance.
- Logs show a strong and sustained spike in bandwidth used.
- Logs show traffic spikes at unusual times or in an unusual sequence.
- Logs show unusually large spikes in traffic to a particular web page.
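The list above is a checklist; turning it into something you can run against a web-server log looks like the following. This is an added example, not code from the original post or from Skyway West: it parses a few constructed Apache/Nginx “combined” format log lines (sample data, not real traffic), flags client IPs that exceed a request threshold inside a sliding time window, counts HTTP 503 responses, and reports the busiest path and the dominant User-Agent. The thresholds (4 requests per 10 seconds) are illustrative assumptions and would be tuned to a real site’s baseline.

```python
"""Run the DDoS warning signs from the post over web-server log lines.

Added example, not part of the original post. Log lines, IPs and
thresholds are constructed for illustration only.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client hammering /login (and tripping 503s),
# one client browsing normally a minute apart. Not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Oct/2021:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.79.1"
198.51.100.7 - - [05/Oct/2021:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.79.1"
198.51.100.7 - - [05/Oct/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.79.1"
198.51.100.7 - - [05/Oct/2021:10:00:01 +0000] "GET /login HTTP/1.1" 503 0 "-" "curl/7.79.1"
198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /login HTTP/1.1" 503 0 "-" "curl/7.79.1"
203.0.113.9 - - [05/Oct/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:10:01:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Oct/2021:10:02:05 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def flag_rapid_clients(events, max_requests=4, window_seconds=10):
    """Sign 1: IPs issuing more than max_requests inside any sliding window."""
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ev["ip"])
    return flagged


def count_status(events, status=503):
    """Sign 4: how many responses carried the given status (503 by default)."""
    return sum(1 for ev in events if ev["status"] == status)


def requests_per_path(events):
    """Sign 7: request volume per path, to spot one page soaking up traffic."""
    return Counter(ev["path"] for ev in events)


def dominant_user_agent(events):
    """Sign 2: the most common User-Agent and its share of all requests."""
    if not events:
        return None, 0.0
    ua, n = Counter(ev["ua"] for ev in events).most_common(1)[0]
    return ua, n / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rapid clients:", flag_rapid_clients(evs))
    print("503 responses:", count_status(evs))
    print("busiest path:", requests_per_path(evs).most_common(1)[0])
    print("dominant UA:", dominant_user_agent(evs))
```

On a live system the same functions would be fed from a log tail rather than a string, and the point of the sliding window is that a client spreading 100 requests over an hour is not the same signal as 100 requests in ten seconds; a plain per-IP count over the whole log cannot tell those apart.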
How Can Skyway West Help?
The latest prominent attacks have had many business owners wondering: am I next? And, perhaps more importantly: is there anything I can do before I become the next victim?
As mentioned above, one of the best things you can do is to take the time to monitor your traffic. All Skyway customers have access to excellent traffic monitoring tools through the real-time data at our Customer Portal. Skyway’s security-hardened network comes part and parcel with all client internet connections, including our DNS Firewall, which we deliver through a partnership with CIRA. These three extra steps also help protect against DDoS:
- Our private IP service includes DDoS protection by default, because an attack cannot reach a private IP to attack it.
For sites that require a public IP for external users to connect to, we assign a public IP on our network core that forwards to the private IP assigned to the customer site. This way our servers absorb the DDoS instead of the customer’s smaller internet access service. Most DDoS attacks last a few minutes. For larger, longer attacks we will replace the customer’s public IP.
- We monitor public and private IP customer services every six minutes and react when one is brought down by a DDoS attack. We also monitor our internal systems for congestion, and graphs showing total incoming/outgoing network traffic.
- Our own Internet connections are large enough to absorb most attacks. Once we identify an attack, we have automated processes in place with our suppliers to blackhole the IP being attacked when the attack is passing through them. Blackholing means they do not pass any of the attacked IP’s traffic to us. We only blackhole at the providers used in the attack.
Faster Internet services are also a protection against DDoS. A 1,000 Mbps GigE Fibre customer might not notice a DDoS that congests an ADSL service. Talk with us at any time for further information or to explore your options.
Thanks to Techtarget.com for research included in this post.