WHAT IS DENIAL OF SERVICE (DoS/DDoS)?

If you work in computer technology or network security, I'm sure you're familiar with the term "denial of service", colloquially called a "DoS attack". It is currently one of the most common types of network attack carried out on the Internet. For those who are not in the know, I will give a short primer and try to explain what a DoS attack is in the most accessible and understandable form.
It all started when one of the working sites was down for about two hours yesterday. The site is hosted on NIC.RU, not one of the cheapest, and it seems that they are not newbies, but, as they say, “even an old woman can get screwed.”

DDoS - Distributed Denial of Service

What is a DoS attack?
Denial of service or "DoS" attacks are a type of network attack designed to flood target networks or machines with large amounts of useless traffic, so as to overload the attacked machine and ultimately bring it to its knees. The main point of a DoS attack is to make services running on the target machine (for example, a website, DNS server, etc.) temporarily unavailable to intended users. DDoS attacks are usually carried out on web servers that host vital services, such as banking services, e-commerce, personal data processing, and credit cards.
A common variant of a DoS attack, known as a DDoS (Distributed Denial of Service) attack, has become quite popular in recent years because it is very powerful and difficult to detect. A DoS attack has a single point of origin, while a DDoS attack originates from multiple IP addresses distributed over multiple networks. How DDoS works is shown in the following diagram:

Unlike a DoS attack, where an attacker uses a single computer or network to attack a target, a DDoS attack comes from numerous previously infected computers and servers, usually belonging to different networks. Because the attacker uses computers and servers from different networks, and even different countries, the incoming traffic is difficult to detect and at first does not arouse the suspicion of security services.

Is it possible to combat DoS/DDoS attacks?
The sources of a DoS attack can easily be added to the firewall blacklist using all sorts of scripts and filters that block the IP addresses or address ranges generating too many requests or connections. DDoS attacks are much harder to identify, since the incoming requests look more or less natural, as if there were simply, say, an influx of clients. In this case, it is difficult to tell the difference between genuine and malicious traffic. Excessive security measures on the firewall can lead to false positives, so real clients may be rejected by the system, which is not a good thing.
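The difference described above can be seen in a small detection sketch. This is an added example, not code from the original article: the window length, both thresholds and the sample traffic are assumptions, and the traffic is constructed from documentation address ranges. It applies a per-source request limit and an aggregate limit to three scenarios and then shows the false positives caused by tightening the per-source limit.

```python
from collections import defaultdict, deque

def analyze(events, window=10, per_ip_limit=20, total_limit=100):
    """events: (timestamp_seconds, source_ip) tuples sorted by time.
    Returns (sources over per_ip_limit within one window,
             True if the aggregate rate ever exceeded total_limit)."""
    per_ip, recent = defaultdict(deque), deque()
    blocklist, overloaded = set(), False
    for ts, ip in events:
        for q in (per_ip[ip], recent):
            q.append(ts)
            while q[0] <= ts - window:   # drop hits older than the window
                q.popleft()
        if len(per_ip[ip]) > per_ip_limit:
            blocklist.add(ip)
        if len(recent) > total_limit:
            overloaded = True
    return blocklist, overloaded

# Constructed sample traffic (documentation address ranges, not real hosts).
def normal_clients():          # 5 clients, one request every 2 s
    return [(t, f"192.0.2.{c}") for t in range(0, 10, 2) for c in range(1, 6)]

def single_source_flood():     # DoS: one host, 50 requests/s for 2 s
    return [(i / 50, "198.51.100.7") for i in range(100)]

def distributed_flood():       # DDoS: 200 hosts, only 3 requests each
    return [(t, f"203.0.113.{h}") for t in (1, 4, 7) for h in range(1, 201)]

def scenarios():
    legit = {ip for _, ip in normal_clients()}
    dos = sorted(normal_clients() + single_source_flood())
    ddos = sorted(normal_clients() + distributed_flood())
    strict_block, _ = analyze(ddos, per_ip_limit=2)
    return {
        "normal": analyze(sorted(normal_clients())),
        "dos": analyze(dos),
        "ddos": analyze(ddos),
        # Tightening the per-source limit to catch the DDoS hosts
        # also blocks every legitimate client (false positives).
        "strict_false_positives": len(strict_block & legit),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In the DoS scenario the single flooding address lands on the blocklist; in the DDoS scenario the blocklist stays empty even though the aggregate limit is exceeded, and the stricter per-source limit blocks all five legitimate clients along with the flood.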

When the influx of false “clients” begins to increase exponentially, it becomes too late to do anything, unless of course you have a whole staff of system administrators and programmers responsible for protecting against attacks of this kind. Your servers become unresponsive and slow and, in the end, stop reacting to “external stimuli”, waiting for this stream of spam to end.
Meanwhile, evil hackers are bringing their dark plans to life.