I took this article from a Quora answer.
When you are hit with a distributed denial of service (DDoS) attack, your options for mitigating it can be very limited.
First of all, relax. No one is dying. There is no need to panic. Yes, you’re under attack, but like I said, no one is dying. When you get panicky and edgy, your ability to think clearly is hampered. So try to relax.
DDoS attacks don’t just happen randomly; they are done for a purpose. Either someone is being paid to take your site down (an attack instigated by a competitor), or you (or your site/organization) did something to piss someone off, and hence you are on the receiving end of the DDoS attack.
Very few sites actually get hit with a DDoS for no apparent reason. Sometimes the reason is simply not apparent to you.
The message, however, is very clear: you are being taught a lesson.
Many times, long after the attack has ceased, you may still not be able to figure it out and will be pulling your hair out asking “Why me? What did I do?” Don’t waste time on that question. If you have not already figured it out, you might as well ponder it later. Right now you have a website that is down, and you need to focus on that.
So before we discuss the options you have, let us talk a little about the attacks themselves.
DDoS attacks mostly happen to web/application servers. Mostly! They can be targeted at other types of servers, like mail servers, gaming servers, etc., but predominantly web/app servers.
Datacenter Scenario
Web/app servers are mostly hosted in datacenters by web hosting companies. Chances are your server, switch, router, bandwidth, etc. are being shared amongst hundreds of other clients. Sometimes even your IP address itself.
So when you get DDoS’d, others get affected.
This is what datacenters do not like.
Just because of ‘you’, others are getting inconvenienced. You can be in one of the following scenarios:
(a) If you are on a shared IP address, this can be a problem. The datacenter will try to find out which specific website is being targeted, remove that site’s entry from DNS, move all the remaining websites to another IP, and nullroute (de-advertise) the original IP under attack. Someone will inevitably have to pay for all this effort.
Datacenters usually don’t run websites; they are in the business of selling servers and bandwidth. The hosting companies that rent servers from a datacenter are the ones who usually assign (couple) all their hosting clients to a single IP.
The hosting company would most likely be the one scrambling to save its other clients from the DDoS nuisance that you are weathering.
(b) In the event that your website is hosted on a separate (dedicated) IP by itself, the datacenter will simply nullroute your IP until the attack has ceased. There is a caveat to this statement:
If the attack is low in bandwidth utilization (Mbps) and packet rate (pps, packets per second), and well under the ceiling that has been provisioned for you, then they might not necessarily nullroute the IP and will let the attack traffic continue on to you, unless you specifically request the nullroute.
However, if the ingress (incoming) attack traffic is greater than what you have been provisioned for and paid for, then most likely they will nullroute, unless you are specifically willing to pay them extra to let the traffic through.
Datacenters do have protection gear (of some sort). Not every datacenter can afford to invest in expensive DDoS mitigation equipment and provide it as a free service to all its clients. Those that do have mitigation equipment use it to protect their own network and their client base as a whole.
The equipment is predominantly used to gain insight (read: visibility) into their network traffic and to immediately single out malicious traffic that could degrade their network, which would result in dissatisfied clients and costly SLA breaches.
Almost every datacenter with mitigation equipment in place will charge for countering DDoS attacks. Equipment, subscriptions, training, human resources and bandwidth all cost money, and so does the service of protecting you. Don’t crib that it is your ‘right’ to be protected by the datacenter. It is not. Go reread the ToS/SLA/AUP (Terms of Service / Service Level Agreement / Acceptable Use Policy) documents provided by the datacenter and the hosting provider and you will understand better.
Many “small” attacks (emphasis supplied) can be mitigated merely by having a proper dedicated hardware-based firewall installed in front of your server. Not all attacks, but almost all.
Web servers that have to serve web traffic and act as application servers as well do not perform well when you add the additional burden of a software-based firewall on them. Admittedly, the market has improved considerably in the types of web servers that can now be installed: nginx and lighttpd are two that come to mind, a new breed of web servers known for their speed in serving requests and for the array of modules and patches that can be applied to free up resources and serve content faster on existing hardware. They perform fairly well as reverse proxies and on the whole are much faster than traditional Apache / IIS environments.
However, as noted, they are no substitute for a hardware firewall. Many will cite FreeBSD + packet filtering as the way to go. Yes, it is indeed! But that again means a separate dedicated machine in front of your web/app server. End result: more cost and more management.
Today, even these ‘slow’ or ‘small’ attacks can wreak havoc with your hosted infrastructure. SYN attacks and HTTP GET attacks can come in the thousands and use only a small portion of your bandwidth, yet cripple your server’s resources and bring your website down.
Okay, enough of the datacenter scenario. The other scenario in which you might get DDoS’d is the enterprise.
Enterprise Scenario
The enterprise scenario is that you are a large company that is not using a datacenter but has opted to host the web/app server on premises. You will presumably have large enough internet bandwidth from your service provider. Your options in this case are discussed later on.
So, having said this, when a DDoS attack happens, what can you do? Here are your options (in no particular order):
Wait it Out!
Let your site be down and wait, anywhere from a few days to 2-3 weeks, and hopefully the DDoS will stop entirely. Statistically, though, most DDoS attacks die after 72 hours.
Most DDoS attacks cease after 72 hours. Most. This is not a golden rule or a yardstick to go by.
It takes resources and money for a DDoS attack to happen, and the longer it is sustained, the more exposed the whole botnet becomes to detection. Waiting it out is not an option for many, especially those who earn a living from their websites. Downtime means no sales, and no one likes that. But if your budget does not allow anything else, there is not much you can do here. If you have decided not to spend money, this is your option.
Your ability to spend money will directly relate to the amount of sales you get from the website. If you earn $500 per day from it, you will invest 1-3 days’ worth of sales in better hosting infrastructure or a service to protect your business. If you don’t make any money from the website, chances are you will not put much into stopping the attacks. Better to wait it out.
Thousands of website owners who fall prey to DDoS attacks each year fall into this category. They have paid anywhere from $2/month to $25/month for their website hosting on some shared hosting platform or a small VPS and cannot afford to hire the services of an anti-DDoS mitigation company, which can easily run into hundreds of dollars per month (and that’s just the starting price), let alone buy DDoS mitigation equipment, which can run into the hundreds of thousands.
Upgrade Hosting
If you are on a shared environment or perhaps on a VPS, you might want to reconsider the existing platform.
By upgrading your existing hosting setup, you have a relatively better chance of thwarting a DDoS attack than on your existing hardware platform (which might be shared with many or be weak).
Besides getting an upgrade, see if you can get a hardware-based firewall in front of your server; this is highly recommended.
Consider hiring a management company to harden and lock down your OS, as well as to speed up and fine-tune your TCP settings and your web server.
Whilst such a setup will not necessarily stop a large DDoS attack, it will ensure that under a small/mid-sized attack your server and network gear can withstand it.
DDoS Mitigation – Proxy Scrubbing Services
This is perhaps the new cottage industry. Most businesses seeking DDoS protection have already gone the route of upgrading their servers, etc., but simply do not have the money to mitigate a 1Gbps or, say, 200,000 packets per second DDoS attack.
Enter proxy-based DDoS protection, or scrubbing services.
Specialist companies have 10Gbps+ bandwidth connectivity from multiple providers, and their networks are built to pass extremely large volumes of DDoS traffic on to their ‘scrubbing’ devices. For those in the business, these devices are somewhat of an industry secret: not the devices themselves, but their configuration. Consider it the secret sauce that separates each one of them.
Most of these companies utilize a ‘farm’ of servers (some running FreeBSD and packet filtering) with some form of deep packet inspection on the ingress traffic. They are able to reasonably remove malicious traffic by known signatures or patterns, such as malformed TCP/IP packets, excessive (recursive) requests from a single IP, malformed HTTP GET requests, etc.
There is quite a mix-and-match of equipment, from off-the-shelf DDoS mitigation appliances such as those from Arbor Networks, TopLayer, TippingPoint, RioRey and Cisco Guard, mixed with home-grown solutions and specific appliances that excel in DPI and traffic rerouting and scrubbing.
Their systems are set up to take the full frontal assault of the attack, immediately filter out traffic tagged as malicious by signature, then work further on the remaining traffic, filtering it and passing it to a reverse proxy server. The IP that takes the brunt of the attack traffic is not yours, nor the reverse proxy server’s, but that of the company’s scrubbing farm. The IPs of your origin server and of the reverse proxy server (if used) are never known to the attacker, nor are they published in your DNS records.
The relatively cleansed traffic then arrives at your reverse proxy server, where it can be further analyzed and cleansed before being passed on to your origin server. While this may seem like too many hops, it is not.
The added delay is hardly noticeable.
If the filters were ever to malfunction and excessive traffic came through, it would bring down the reverse proxy server rather than your origin server, so it is an added layer of protection for you.
Some prefer to have a reverse proxy server (using Squid or some other reverse proxy variant); some prefer to do packet filtering and then route the packets (traffic) to the origin server. It all depends on how at ease you are with the setup and the technologies involved.
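The staged scrubbing described above (signature filtering first, then further inspection of what remains, then hand-off to the reverse proxy) is easier to reason about as a concrete pipeline. The following is an added illustration, not code from the original answer or from any vendor’s appliance: the packet records are constructed and deliberately simplified to a source address, the set of TCP flags and the TCP payload, and the two signatures (contradictory TCP flag combinations, and a request line that is not well-formed HTTP/1.x) are assumptions chosen to stand in for the “malformed TCP/IP packets” and “malformed HTTP GET requests” the text mentions.

```python
"""Staged scrubbing pipeline: drop by TCP signature first, then by malformed
HTTP, and forward the remainder towards the reverse proxy.

Added example, not the original answer's code. Packet records, signatures and
sample traffic are constructed; real appliances inspect far more than this.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

Packet = Dict[str, object]  # keys: "src" (str), "flags" (Set[str]), "payload" (bytes)

# Flag combinations that do not occur in a legitimate TCP session.
INVALID_FLAG_COMBOS: List[Set[str]] = [{"SYN", "FIN"}, {"SYN", "RST"}]

# A minimal well-formed HTTP/1.x request line: method, absolute path, version, CRLF.
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) /[\x21-\x7e]* HTTP/1\.[01]\r\n")


def tcp_flags_malformed(flags: Set[str]) -> bool:
    """No flags at all, or a contradictory combination, counts as a signature match."""
    if not flags:
        return True
    return any(combo <= flags for combo in INVALID_FLAG_COMBOS)


def http_malformed(payload: bytes) -> bool:
    """Only judge packets carrying application data; bare handshake packets pass this stage."""
    if not payload:
        return False
    return REQUEST_LINE.match(payload) is None


def scrub(packets: List[Packet]) -> Tuple[List[Packet], Counter]:
    """Run each packet through the stages in order and tally where it ended up."""
    tally: Counter = Counter()
    forwarded: List[Packet] = []
    for pkt in packets:
        if tcp_flags_malformed(pkt["flags"]):
            tally["dropped:tcp_signature"] += 1  # stage 1: immediate signature drop
            continue
        if http_malformed(pkt["payload"]):
            tally["dropped:http_malformed"] += 1  # stage 2: deeper look at what remains
            continue
        tally["forwarded"] += 1  # stage 3: on to the reverse proxy
        forwarded.append(pkt)
    return forwarded, tally


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_PACKETS: List[Packet] = [
    {"src": "198.51.100.7", "flags": {"SYN"}, "payload": b""},                 # normal handshake start
    {"src": "203.0.113.9", "flags": {"SYN", "FIN"}, "payload": b""},           # contradictory flags
    {"src": "203.0.113.10", "flags": set(), "payload": b""},                   # no flags at all
    {"src": "198.51.100.8", "flags": {"ACK", "PSH"},
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},             # well-formed request
    {"src": "203.0.113.11", "flags": {"ACK", "PSH"},
     "payload": b"GET /\x00\x00 HTTP/9.9\r\n"},                                # garbage request line
    {"src": "203.0.113.12", "flags": {"ACK", "PSH"}, "payload": b"BLAH BLAH\r\n"},  # not HTTP
]

if __name__ == "__main__":
    kept, counts = scrub(SAMPLE_PACKETS)
    print(dict(counts))
    print([p["src"] for p in kept])
```

The point of the ordering is cost: the flag check is cheap and applied to every packet, while the request-line check runs only on packets that survived it and carry data. The per-stage tally is what an operator watches to see which filter is doing the work during an attack.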
Today, by some estimates, 80% of the DDoS attack traffic filtered for small and medium businesses is handled by such providers and their unique solutions.
Billing for such solutions is simple. It is a mix-and-match of both the bandwidth and the pps (packets per second) arriving at the scrubbing farm.
Most providers will have slabs like these, or a combination close to them:
1,000Mbps &/or 100,000pps – whichever comes first.
1,500Mbps &/or 150,000pps – whichever comes first.
2,000Mbps &/or 200,000pps – whichever comes first.
3,000Mbps &/or 300,000pps – whichever comes first.
…And so on and so forth.
When you reach the limit and cross it, the IP bearing the frontal attack is automatically nullrouted until your attack traffic falls below the ceiling (slab) you have subscribed to, or until you opt to upgrade your protection package. There are one-time setup fees associated with such setups, usually $500 or 1.5x your monthly bill, whichever is greater.
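To make the “whichever comes first” rule and the automatic nullroute concrete, here is an added example (not code from the original answer or from any provider). The slab ladder mirrors the one listed above, but the monthly prices, the traffic readings and the exact decision rule are constructed assumptions; it also covers the datacenter case described earlier, where traffic under the provisioned ceiling keeps flowing to you and traffic above it gets nullrouted.

```python
"""Evaluate measured ingress traffic against a subscribed protection slab.

Added illustration, not the original answer's code. Slab prices, readings and
the decision rule are constructed; real providers apply their own contracts.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Slab:
    mbps: int          # bandwidth ceiling in megabits per second
    pps: int           # packet-rate ceiling in packets per second
    monthly_usd: int   # constructed monthly price, used only for the setup-fee rule


# Constructed ladder mirroring the slabs listed above; prices are made up.
SLABS: List[Slab] = [
    Slab(1000, 100_000, 300),
    Slab(1500, 150_000, 450),
    Slab(2000, 200_000, 600),
    Slab(3000, 300_000, 900),
]


def breached_ceilings(slab: Slab, mbps: float, pps: float) -> List[str]:
    """Which ceilings a reading crosses; crossing either one is a breach."""
    hit = []
    if mbps > slab.mbps:
        hit.append("mbps")
    if pps > slab.pps:
        hit.append("pps")
    return hit


def smallest_slab_covering(mbps: float, pps: float) -> Optional[Slab]:
    """Cheapest slab under which this traffic would still be forwarded to you."""
    for slab in SLABS:
        if not breached_ceilings(slab, mbps, pps):
            return slab
    return None  # beyond the top slab: only an upgraded package would help


def route_states(slab: Slab, readings: List[Tuple[float, float]]) -> List[str]:
    """Provider behaviour over successive (mbps, pps) readings.

    The front IP is nullrouted whenever a reading crosses either ceiling and
    is forwarded again once a reading falls back under both.
    """
    return [
        "nullrouted" if breached_ceilings(slab, mbps, pps) else "forwarding"
        for mbps, pps in readings
    ]


def setup_fee(monthly_usd: float) -> float:
    """One-time fee: $500 or 1.5x the monthly bill, whichever is greater."""
    return max(500.0, 1.5 * monthly_usd)


if __name__ == "__main__":
    # Constructed readings: a pps-only breach, then a bandwidth breach, then recovery.
    readings = [(400, 50_000), (900, 120_000), (1200, 80_000), (700, 60_000)]
    print(route_states(SLABS[0], readings))
    print(smallest_slab_covering(1200, 120_000))
    print(setup_fee(SLABS[0].monthly_usd))
```

Note the second reading: 900 Mbps is comfortably under the first slab’s bandwidth ceiling, yet 120,000 pps crosses the packet ceiling, so the IP is nullrouted anyway. That is why a small-packet flood can push you off a slab long before your bandwidth figure looks alarming.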
No two solutions are alike. Each provider, as I said, has its own secret sauce, and each will claim to be better than everyone else. It is a very cut-throat industry and every client counts. There is more money when economies of scale kick in.
Pricing is usually month-to-month. You can get decent discounts if you subscribe to or commit to a long-term contract. However, in this business, clients tend to use the service for a month, pay for it, and when the attack has subsided altogether, revert to the setup they had before the attack, to save money.
Companies that specialize in this arena are popping up all over the place. Trusted names worth looking into are Prolexic, Verisign, Gigenet, Staminus, Blacklotus, DosArrest, Dragonara, et al.
Avoid like the plague DDoS scam companies like Server4Sale.com and BlockDoS.net.
You will probably also need to set aside some money for server administration costs. Unless you are absolutely fluent in the OS / app server you intend to work with, set aside some money for a specialized remote server administration company that will do the setup for you and manage it.
Dedicated DDoS Mitigation Equipment
Now, if you are an enterprise or a large company hosting on your own, this is where you will look at investing in equipment and infrastructure specifically designed to counter DDoS attacks.
Companies like Arbor Networks, TippingPoint, Juniper Networks, Cisco (Cisco Guard), RioRey, TopLayer, Intelliguard, IntruGuard, etc. come into play. I have even found that Foundry Networks’ line of products is also very good at mitigating DDoS attacks, though Foundry (now Brocade) is not a specialist in this area per se. IntruGuard’s CAPTCHA/unique-cookie method is also now very popular, with other solution providers and OEMs adopting it. It requires every HTTP request to be validated by human intervention and be given a unique session to continue.
The real players are Arbor Networks, Cisco (with Cisco Guard), TopLayer and RioRey. These companies have specifically focused on DDoS protection, have worked with datacenters and service providers (large and small), and understand the DDoS space quite well.
DDoS mitigation equipment is not as plug-and-play as the OEMs would like you to believe. Believe me, I say this from experience and from interacting personally with folks who have had a chance to play with different OEM solutions in their networks. You need a thorough understanding of networking, and a bit of the Layer 4-7 space, to really put these appliances to use. Enterprise customers don’t act on impulse. Despite the ongoing attack, they will adequately weigh the pros and cons of each solution, the price tag and the ROI.
Solutions can start from as low as US$30,000 and go as high as US$1,000,000 for high-end multiple-10G DDoS mitigation and scrubbing appliances. Add training, subscription and support costs and it all adds up. Not to mention the time it takes to evaluate, short-list and then deploy a solution.
In the longer run, investing in such technologies is the only way out. If you are going to house servers and have large pipes feeding to your servers, it is only sensible that you plan now and invest in these appliances. Attacks are inevitable.
Choosing the right appliance can be tough. Because the market is so small and competitive, sales managers have added pressure to meet quotas and will make you believe their solution is the best. Sure enough, their solution is good. Is it the best? That is highly debatable. One solution will approach a specific attack from a particular angle, whilst another will tackle it from a different perspective; the end result may or may not be the same.
Very rarely have I seen a solution that is pure plug-and-play. False positives are a huge issue in this business, especially when you are talking about HTTP GET attacks.
HTTP GET attacks are slow HTTP GET requests (well-formed, genuine-looking requests) from compromised computers (aka zombies) that are part of a much larger botnet.
With, say, 2,000 bots in a botnet issuing HTTP GET requests at the rate of a few hundred per second, your web server’s TCP sockets will be inundated and fill up in no time, resulting in denial of service. Differentiating a genuine request from a non-genuine one is not straightforward. Remember, each TCP connection has a specific time-out value on the server, so whether the connection is genuine or not, it stays as a valid connection on the server until it times out. I hope you can get a sense of the added complexity.
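The mechanism in the paragraph above, and the earlier remark that SYN and HTTP GET floods use little bandwidth yet cripple the server, both come down to one relationship: connections held open at any moment equal the arrival rate multiplied by how long each is held (Little’s law). The following added example (not code from the original answer) puts numbers on that; all parameters are constructed for illustration, deliberately using a lower per-bot rate than the text’s “a few hundred per second” so that the bandwidth side stays small, which is exactly the point. The same formula applies to half-open entries in the SYN backlog during a SYN flood, with the SYN-RECEIVED timeout as the hold time.

```python
"""Capacity model for a slow HTTP GET flood, via Little's law: L = lambda * W.

Added illustration, not the original answer's code. Every figure below is a
constructed parameter, not a measurement of any real server or attack.
"""
from typing import Dict


def concurrent_connections(requests_per_s: float, hold_seconds: float) -> float:
    """Little's law: connections held open = arrival rate x average hold time."""
    return requests_per_s * hold_seconds


def attack_bandwidth_mbps(requests_per_s: float, bytes_per_request: float) -> float:
    """Ingress bandwidth of the request stream alone, in megabits per second."""
    return requests_per_s * bytes_per_request * 8 / 1_000_000


def seconds_to_exhaust(requests_per_s: float, max_connections: int) -> float:
    """Time until a connection pool of this size fills if nothing is released first.

    Read the other way round, this is the longest per-connection hold time
    (i.e. server-side timeout) that keeps the pool from filling at this rate.
    """
    return max_connections / requests_per_s


def assess(bots: int, req_per_bot_per_s: float, hold_seconds: float,
           bytes_per_request: float, max_connections: int, link_mbps: float) -> Dict[str, float]:
    """Compare the bandwidth footprint of a flood with its connection footprint."""
    rate = bots * req_per_bot_per_s
    mbps = attack_bandwidth_mbps(rate, bytes_per_request)
    held = concurrent_connections(rate, hold_seconds)
    return {
        "requests_per_s": rate,
        "bandwidth_mbps": mbps,
        "link_fraction": mbps / link_mbps,          # share of the uplink consumed
        "connections_held": held,
        "pool_exhausted": held > max_connections,
        "seconds_to_exhaust": seconds_to_exhaust(rate, max_connections),
        "max_hold_seconds": seconds_to_exhaust(rate, max_connections),  # timeout that would cope
    }


if __name__ == "__main__":
    # Constructed scenario: 2,000 bots, 2 requests/s each, 400-byte requests,
    # 30 s server-side timeout, 10,000 connection slots, 1 Gbps uplink.
    for key, value in assess(2000, 2, 30, 400, 10_000, 1000).items():
        print(f"{key:>20}: {value}")
```

In this constructed scenario the flood consumes a little over 1% of a 1 Gbps link, yet it asks for twelve times more open connections than the server has and fills the pool in under three seconds. The last line of the result is the defender’s lever: at that arrival rate the server would need to release connections within 2.5 s to keep up, which is why tightening timeouts and moving connection handling to a front-end proxy helps against these attacks while bandwidth graphs look calm.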
Network Behavior Analysis (NBA) is one way of tackling the issue, but that again is debatable and the one-sided perspective of a specific solution provider (in this case, Arbor Networks). Don’t be fooled by the words ‘surgical precision’. There is surely nothing surgical in real life, and ‘precision’ is a misnomer.
If there were, DDoS HTTP GET attacks would be child’s play to mitigate. Try explaining that to real-life customers who get blocked from a website after being flagged as false positives, or who come from behind an ISP or company proxy where too many requests from the same IP were made and were thus blocked. It is not a hand-in-glove fix.
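The false-positive problem above is worth seeing in data. The following is an added example, not code from the original answer or from any vendor: it runs a plain per-IP request-rate check over a constructed access log and then uses one extra signal, how many distinct server-issued sessions appear behind an address, to separate a shared proxy from a bot before deciding what to do. The log format, the sample traffic, the thresholds and the decision labels are all assumptions. The session signal only means something if session IDs are issued and validated by the server, as in the CAPTCHA/unique-cookie approach mentioned earlier; a cookie the client can choose freely carries no such signal.

```python
"""Per-IP request-rate detection with a shared-proxy check to limit false positives.

Added illustration, not the original answer's code. Log format, traffic and
thresholds are constructed. Session IDs are assumed server-issued and validated.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed line format: "<ISO time> <client ip> <method> <path> <status> <session id or ->"


def make_sample_log() -> List[str]:
    """Ten seconds of constructed traffic from three very different clients."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(80):   # bot: 80 hits in 10 s, never carries a session cookie
        t = base + timedelta(seconds=i * 10 / 80)
        lines.append(f"{t.isoformat()} 203.0.113.5 GET /index.php 200 -")
    for i in range(70):   # corporate proxy: 70 hits from 25 distinct validated sessions
        t = base + timedelta(seconds=i * 10 / 70)
        lines.append(f"{t.isoformat()} 198.51.100.20 GET /page{i % 7} 200 sess{i % 25:02d}")
    for i in range(6):    # one ordinary visitor browsing a few pages
        t = base + timedelta(seconds=i * 1.5)
        lines.append(f"{t.isoformat()} 192.0.2.33 GET /page{i} 200 sess99")
    return lines


def parse(line: str) -> Tuple[datetime, str, str]:
    ts, ip, _method, _path, _status, sess = line.split()
    return datetime.fromisoformat(ts), ip, sess


def observed_window(lines: List[str]) -> float:
    """Seconds between the first and last log entry (at least 1 s to avoid division by zero)."""
    stamps = [parse(line)[0] for line in lines]
    return max(1.0, (max(stamps) - min(stamps)).total_seconds())


def per_ip_stats(lines: List[str]) -> Dict[str, Tuple[int, Set[str]]]:
    """Request count and set of distinct session IDs seen per client address."""
    counts: Dict[str, int] = defaultdict(int)
    sessions: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        _ts, ip, sess = parse(line)
        counts[ip] += 1
        if sess != "-":
            sessions[ip].add(sess)
    return {ip: (counts[ip], sessions[ip]) for ip in counts}


def classify(stats: Dict[str, Tuple[int, Set[str]]], window_s: float,
             threshold_rps: float, min_distinct_sessions: int = 10) -> Dict[str, str]:
    """Rate check first, then the proxy check before choosing an action."""
    decisions = {}
    for ip, (count, sessions) in stats.items():
        rps = count / window_s
        if rps <= threshold_rps:
            decisions[ip] = "allow"
        elif len(sessions) >= min_distinct_sessions:
            # Many distinct validated sessions behind one address: most likely a
            # shared egress (ISP or company proxy). A block here cuts off every
            # real user behind it, so flag for review instead of blocking.
            decisions[ip] = "allow-review"
        else:
            # Excessive rate with no validated sessions: present a challenge
            # rather than drop outright, so a wrong call is recoverable.
            decisions[ip] = "challenge"
    return decisions


if __name__ == "__main__":
    log = make_sample_log()
    stats = per_ip_stats(log)
    print(classify(stats, observed_window(log), threshold_rps=5.0))
```

With a bare rate threshold of 5 requests per second, the proxy address and the bot are indistinguishable: both exceed it. The session count is what tells them apart, and even then the response to the suspect address is a challenge rather than a block, because the page’s own point is that the cost of a false positive lands on a paying customer.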
So, in conclusion, if you are under a DDoS attack you do have options; that much is clear. How much you are willing to spend to defend yourself against such attacks is what you must weigh and decide.
Remember, in the Internet world there are no freebies, which reminds me of this quote, on which I will end.
“To let the world treat you fairly in return because you are a nice guy, is somewhat like asking a bull not to attack you, because you’re a vegetarian.”