In recent years, DDoS attacks or also known as Distributed Denial of Service attacks, They have become one of the main threats from thousands of websites and the concern of thousands of companies around the world. To mitigate the DDoS attacks an attacker might make, CDN services like Cloudflare are generally contracted, allowing us to enable an anti-DDoS system. Is it advisable to activate this service only in case of attack or is it better to always leave it activated? Today at RedesZone we will talk about the two policies that we can follow.

Operation of a DDoS attack and types

Hackers use DDoS attacks to throw away web pages or different services that a certain company has on the Internet. This means that any company, large or small, is continually threatened by this type of attack. Although DDoS attacks are continually being performed on the Internet, only a few of them are powerful enough to completely throw away a website, since today we have CDN services to mitigate as much as possible this type of attack. The attackers' objective with this type of attack are the following:

-E-commerce websites.
-Online applications, such as those of the bank.
-Educational platforms.
-Websites of different governments.
-Any service exposed to the Internet.
Attackers often take advantage of different networks of devices infected with malware, to start sending a large amount of data or to open connections with a specific server, that is, they usually use a botnet, either their property or « rented » for a few hours, and it is that in the world of cybercrime you can buy without many problems the total control of a botnet to attack a target.

Currently there are several different types of DDoS attacks, depending on how they are performed and what our objective is, we will be able to use some types or others, and even a combination of several.

Volumetric

Volumetric attacks are those that are aimed at completely saturating the available bandwidth of a specific target. These types of attacks are also known as volume-based attacks, as they send hundreds of GB per second through a botnet they have purchased. In this way, by saturating the bandwidth that goes to the server, legitimate users who want to access the service will not be able to do so, causing a denial of service.

Some of the most common attacks that are volumetric are the following:

DNS amplification: It consists of taking advantage of the DNS protocol, falsifying the target's IP to send a large number of requests and get the DNS servers to respond to them.
ICMP flood: This protocol can be used to flood the available bandwidth of our target.
UDP flood: In this case, the UDP protocol is used to try to saturate the bandwidth of a target, to collapse the server ports. This attack is the most powerful because it allows saturating services that have a large bandwidth.
As you can see, volumetric attacks aim to completely saturate the available bandwidth of the server.

Protocol attacks

The objective of this attack is to exhaust all the resources of the attacked server, trying to collapse the server itself creating hundreds of requests per second falsified, to block the web server and even also block the same operating system due to this unusual high traffic. The most popular and used protocol attack is the TCP SYN flood to a certain team, we must bear in mind that the TCP protocol is a connective, reliable and connection-oriented protocol, so before starting to send real data, it is necessary to perform in handshake with the server, so that later all the data flows correctly without loss of packets. Here we explain what the TCP SYN attack consists of:

-An attacker sends a TCP segment with the SYN flag to the server, in this segment our real source IP address will not be, but a falsified one.
-The server will try to set the three-way handshake, sending the client that has connected a SYN-ACK, however, it will never come because it has falsified its source IP.
-The server will have to wait a certain time until the connection that has been opened is closed.

If an attacker sends 10 TCP SYN segments, the server will be able to manage it correctly and smoothly, but when the attacker sends millions of TCP SYN segments, could be easily blocked. However, in the latest versions of the operating systems there are already mitigation measures for this attack, in addition, We could also incorporate a SYNPROXY to more efficiently manage these types of attacks.

Attacks on the application layer

These types of attacks aim to cause the web server to crash completely, be it an Apache2 or Nginx which are the two most popular. This is done by sending HTTP requests that seem legitimate, but really are not. These attacks are also known as layer 7 DDoS attacks ( application ), in addition, there are mainly two types of attacks:

HTTP flood: It consists of sending thousands of HTTP requests from different source IPs, they aim to saturate the web server completely and stop working.
Low-and-slow: This attack consists of sending a small HTTP traffic flow, without using too much bandwidth, the objective is to gradually saturate the web server with the aim of falling down and denying the service to real users.
Now that you know the different DDoS attacks that exist, we ask you the question: is it always worth having anti-DDOS security measures activated? Would it be better to only activate them in case of actual attack? Today all hosting services and also CDN allow us to activate DDoS mitigation measures. A DDoS attack can be mitigated to a lesser or greater extent, but it can never be avoided because it is not in our hands that this attack stops, this is the first thing we should consider. After being clear, we must think about whether to activate the anti-DDoS system on demand or leave it always active so that it protects us against possible new attacks, however, each policy has its strengths and also its weak points.

Anti-DDoS on demand

An anti-DDoS system on demand consists of a service that we can activate or deactivate whenever we want. In the event that our hosting or CDN detects a DDoS attack on our website, application or online service, it will immediately notify us to decide what measures to take. Generally the measures to take are:

Analyze the type of DDoS attack that is being carried out on us.

Activate mitigation measures specifically aimed at stopping this attack that they are carrying out on us.
When we activate DDoS mitigation measures, legitimate traffic could also be affected, that is, it is possible that certain clients cannot access our website, because in many cases it is difficult to differentiate between malicious traffic and legitimate traffic. Depending on the policies used in the firewall, these problems may not appear or only a lesser measure, Or hundreds of clients may be affected by these mitigation measures if the DDoS attack is more aggressive, so we must take this into account.

The strengths of using this system on demand is that we will only use it for the period of time the attack lasts, and once it happens, then we can deactivate it without any problem and our website will continue to function properly. The negative aspect of using this method is that they may throw us on the web until we activate the mitigation measures in the hosting or CDN, in addition, Someone from the technical team should always be aware that everything is going well and continuously monitor the traffic on our website.

Attack mitigation always activated

An always activated distributed denial of service attack mitigation system is that mitigation against these attacks is always working and operational. Certain hosts and also CDN allow us to permanently enable this protection, to mitigate any possible attack they carry out on us. Although it may seem that always having this system activated is perfect because we will be immune to different attacks, the truth is that it is not as good as it seems.

When we activate DDoS mitigation measures on an ongoing basis, we must take into account all types of attacks and create rules to mitigate all of them simultaneously. Another very important aspect is that the legitimate traffic of our clients could be affected, preventing hundreds of users from accessing our website, so we ourselves may be denying the service. This is something that we must take into account when activating mitigation permanently or almost permanently, because a lot of traffic that is not malicious could be blocked.

The positive part of always having it activated is that we should not worry excessively about this type of attack, since most of it will be adequately mitigated, however, We must take into account what rules we have applied to carry out this mitigation, because you may not have « covered » all possible attacks.

Conclusions

Mitigation of attacks on demand or always activated has its strengths and weaknesses. Mitigation on demand is generally always used to prevent legitimate customer traffic from being blocked as well. This can be done easily and quickly through the administration panel of our hosting, or if you use CDN services such as Cloudflare, We can activate it directly from the main management menu.

In the case of Cloudflare, we will be able to activate different mitigation measures depending on the type of attack, for example, we will be able to activate layer 7 mitigation measures only, This will protect us against attacks that are directed at our websites with HTTP and HTTPS. We will also be able to activate the mitigation measures of the transport and network layer, for example, it will allow us to protect the FTP, SSH and even VoIP or online games service, with the aim of adding an additional layer of security to these services.

Finally, we could also establish rules for mitigation measures to be automatically activated in the event of an attack, and when this attack ceases, then disable security measures so as not to interfere with legitimate traffic.