By: Himanshu Tiwari, International Center for AI and Cyber Security Research and Innovations (CCRI), Asia University, Taiwan, nomails1337@gmail.com
Abstract:
DDoS attacks pose a significant threat to businesses, governments, and individuals who heavily rely on online services and websites in the contemporary digital environment. These attacks, which resemble digital invasions, aim to overwhelm targeted systems with an excessive amount of traffic, rendering them inoperable and inaccessible. This article examines DDoS attacks in depth and discusses effective defence strategies against these evolving cyber threats.
Introduction
The threat of DDoS attacks looms large in the modern digital era, where businesses, governments, and individuals rely heavily on online services and websites. These attacks work like a digital siege, aiming to flood a targeted system with such an overwhelming volume of traffic that it becomes incapacitated and inaccessible. In this article, we will examine DDoS attacks in depth and discuss strategies for defending against them in a landscape of cyber threats that is constantly evolving [9-13].
Demystifying Key Terminology:
Before we look into the complexities of defending against DDoS attacks, let’s define a few essential terms.
- DDoS attack: An attack designed to render a system unavailable by overwhelming it with traffic. [1]
- Legitimate requests: Requests from legitimate users who are not part of an attack. [1]
- Network filter: A security mechanism used to block traffic from particular sources or destinations. [1]
- Probabilistic estimation: The process of making educated guesses about the probability that an event will occur. [1]
Types of DoS and DDoS Attacks:
DDoS attacks can be compared to disruptive online bullies. Let’s classify these threats as follows:
- Volumetric DDoS Attacks: These attacks involve directing a huge amount of traffic towards a target, often using a botnet—a network of compromised computers under the control of the attacker. The magnitude of these attacks may affect websites, servers, and even entire networks.
- Protocol Denial of Service Attacks: These attacks exploit vulnerabilities in the use of network protocols. An attacker could, for instance, send a specially crafted packet to a web server, causing it to crash.
- Application-layer Denial of Service Attacks: These attacks target specific applications. An attacker bombards a web application with numerous requests, causing it to stutter or crash.
Defensive Strategies:
Consider implementing the following defence mechanisms to protect against these ongoing digital bullies [2]:
- Firewalls and Intrusion Detection: Utilise firewalls and intrusion detection systems to filter out malicious traffic and permit only legitimate requests to pass.
- Load Balancing: Distribute incoming traffic across multiple servers using load balancers so that no single server becomes overloaded.
- Rate Limiting: Implement rate-limiting mechanisms to limit the amount of traffic a single user can send, thereby preventing attempts to flood the system.
- Software Updates: Update your software on a regular basis to patch known vulnerabilities and close doors to potential attackers.
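As an added illustration of the rate-limiting item above (this is example code written for this article, not part of the original text or of any of the tools it describes), the following Python implements a per-client token bucket, the same "sustained rate plus a burst allowance" model that Nginx's limit_req directive uses. The client addresses, the rate of 10 requests/second and the burst of 5 are constructed values chosen for the demonstration; the FakeClock exists only so the simulation is deterministic.

```python
from dataclasses import dataclass
import time


@dataclass
class Bucket:
    tokens: float   # requests the client may still send right now
    last: float     # clock reading at the last refill


class RateLimiter:
    """Per-client token bucket.

    `rate`  : sustained requests per second the client is allowed.
    `burst` : how many requests may arrive at once before we start rejecting.
    A client that keeps sending above `rate` drains its bucket and is then
    refused until enough time has passed to refill it.
    """

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate
        self.capacity = float(burst)
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        b = self.buckets.get(client)
        if b is None:
            # First time we see this client: give it a full bucket.
            b = Bucket(tokens=self.capacity, last=now)
            self.buckets[client] = b
        # Refill proportionally to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Deterministic clock for the simulation (assumption: not needed in production)."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate():
    """Flood one constructed client, then show the bucket refilling over time."""
    clock = FakeClock()
    limiter = RateLimiter(rate=10, burst=5, clock=clock)
    # Eight requests at the same instant: only the burst of five gets through.
    flood = [limiter.allow("203.0.113.7") for _ in range(8)]
    # 0.2 s later at 10 r/s the bucket has regained exactly two tokens.
    clock.advance(0.2)
    later = [limiter.allow("203.0.113.7") for _ in range(3)]
    # A different client is unaffected by the first one's flood.
    other = limiter.allow("198.51.100.4")
    return flood, later, other


if __name__ == "__main__":
    print(simulate())
```

The limiter keys buckets by client address; behind a reverse proxy such as Cloudflare the key must be the real client IP passed in a header, not the proxy's address, or the whole proxy range shares one bucket.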
Volumetric DDoS Attack
Volumetric DDoS attacks, which arrive like digital tsunamis, are extremely difficult to defend against. Using a DDoS mitigation service is the most effective countermeasure; these services specialise in filtering out malicious traffic before it reaches the target, protecting it from harm.
Protocol Attacks:
Protocol attacks disrupt online services by exploiting the manner in which computers communicate. Attackers bombard a target with bogus requests, forcing it to respond and wait indefinitely, thereby depleting its resources and rendering it inoperable.
Application Layer DDoS Attack
Application Layer DDoS attacks, also known as Layer 7 (L7) attacks, target the topmost layer of the Internet communication model, impacting standard requests such as HTTP GET and HTTP POST. L7 attacks, unlike lower-level network attacks, not only affect network resources but also server resources, making them more potent and damaging.
Known Botnets
- Mirai [8]: Famous for launching DDoS attacks using Internet of Things (IoT) devices.
- Bredolab [8]: Known for its sophisticated techniques to evade detection, steal data, launch DDoS attacks, and propagate malware.
- Zeus [8]: Discovered for the first time in 2007, Zeus specialises in banking malware to steal financial data.
- Ransomware-as-a-Service (RaaS) [8]: Facilitates ransomware distribution by enabling cybercriminals to rent out their botnets to others.
- Emotet: Propagates malware, including ransomware, banking malware, and trojans, via spam emails.
Paid DDoS Protection Services
Consider using DDoS protection services such as Cloudflare, Akamai, Arbor Networks, Imperva, Radware, F5 Networks, Neustar, Corero Network Security, and Fortinet to strengthen your online defences.
Mitigating DDoS Attacks with Nginx
Nginx [3] is a dependable web server renowned for its superior performance, scalability, and flexibility. It performs double duty as both a web server and a reverse proxy server.
Key Features of Nginx
- Excellent Speed: Nginx handles multiple simultaneous connections efficiently, making it ideal for high-traffic websites.
- Low Resource Consumption: It is compact and uses fewer system resources than other web servers.
- Load Balancing: Nginx performs exceptionally well at distributing traffic across multiple servers.
- Reverse Proxy: It is typically employed to manage and secure backend applications.
- SSL/TLS Termination: Nginx manages encryption and decryption efficiently, relieving backend servers of this resource-intensive task.
- Caching: Integrated caching capabilities reduce backend server load.
- WebSocket Support: Nginx supports the WebSocket protocol, which is ideal for real-time applications.
- Configuration Flexibility: Highly configurable configuration files accommodate specific needs.
- Community and Documentation: An active community guarantees extensive documentation and third-party modules that augment functionality.
- Security: Nginx has a solid security track record and includes features such as access controls and rate limiting.
Tengine
Based on Nginx, Tengine [4] offers additional features, making it an excellent choice for stable and efficient web serving. Dynamic reconfiguration, HTTP/3 and UDP support, enhanced load balancing methods, support for the CONNECT HTTP method for forward proxy, asynchronous OpenSSL, and more are among the notable features.
Nginx Test-Cookie-Module
This tool combats robot activity by employing a challenge and response mechanism based on cookies, making it difficult for automated attacks to breach your defences. [5]
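To make the cookie challenge concrete, here is an added example written for this article (it is not code from testcookie-nginx-module or vDDoS, and it does not reproduce their exact cookie format). It shows the principle the module relies on: the server issues a cookie whose value is an HMAC over the client's address, User-Agent and an expiry time under a server-side secret, and only requests that present a valid, unexpired cookie are passed to the backend. A flood tool that never processes responses never obtains the cookie, so its requests stay in the "challenge" branch. The secret, the client addresses and the timestamps are constructed values; `handle_request` and its header dictionary are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Assumption: one secret per deployment, generated at install time and never
# sent to clients. This constant is a constructed demo value.
SECRET = b"constructed-demo-secret-change-me"
COOKIE_NAME = "testcookie"


def make_cookie(client_ip: str, user_agent: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Bind the cookie to the client's IP and User-Agent plus an expiry time."""
    msg = f"{client_ip}|{user_agent}|{expires_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires_at}.{mac}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str, now: int,
                  secret: bytes = SECRET) -> bool:
    """True only if the cookie is well-formed, unexpired and was minted for this client."""
    try:
        exp_str, _mac = cookie.split(".", 1)
        expires_at = int(exp_str)
    except (ValueError, AttributeError):
        return False
    if now >= expires_at:
        return False
    expected = make_cookie(client_ip, user_agent, expires_at, secret)
    # Constant-time comparison so the check leaks nothing about the MAC.
    return hmac.compare_digest(expected, cookie)


def _cookie_value(cookie_header: str, name: str):
    """Pull one cookie out of a raw Cookie header ("a=1; b=2")."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def handle_request(headers: dict, client_ip: str, now: int, ttl: int = 3600):
    """Return ("pass", None) to forward the request to the backend, or
    ("challenge", cookie) meaning: answer with the challenge page that sets
    this cookie and do not touch the backend."""
    user_agent = headers.get("User-Agent", "")
    presented = _cookie_value(headers.get("Cookie", ""), COOKIE_NAME)
    if presented is not None and verify_cookie(presented, client_ip, user_agent, now):
        return ("pass", None)
    return ("challenge", make_cookie(client_ip, user_agent, now + ttl))


if __name__ == "__main__":
    first = handle_request({"User-Agent": "Mozilla/5.0"}, "203.0.113.7", now=1_700_000_000)
    print(first)  # challenge: the browser runs the challenge page and stores the cookie
    second = handle_request({"User-Agent": "Mozilla/5.0", "Cookie": f"{COOKIE_NAME}={first[1]}"},
                            "203.0.113.7", now=1_700_000_010)
    print(second)  # pass
```

Binding the MAC to the client address is what stops a cookie harvested by one bot from being replayed from the rest of a botnet; behind Cloudflare the address used must be the real client IP the proxy forwards, not the proxy's own.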
vDDoS Proxy Protection Tool
vDDoS [6] combines the capabilities of Nginx and the Test-Cookie-Module to create a formidable DDoS defence. It acts as a protective reverse-proxy layer designed exclusively for Nginx servers.
The above diagram illustrates the process of securing our website. First, we connect our website to a free cloud-based security service such as Cloudflare. Then, we link it to the vDDoS master server, which blocks the traffic that slips through Cloudflare's protection.
To enhance our security further, we establish iptables rules that permit traffic through the primary pathway only from Cloudflare's IP addresses [7]. This strategy protects our primary VPS server from direct attacks that bypass the proxy.
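The allowlist step above is easy to get subtly wrong (a stale range list, or forgetting that the accept rules need a matching drop), so here is an added Python example written for this article rather than taken from the vDDoS project. It builds the iptables rule set that accepts web traffic only from the upstream proxy's ranges and drops everything else, and it provides a membership check you can run against a source address before trusting it. The ranges shown are constructed placeholders from RFC 5737 documentation space; a real deployment substitutes the current list published at the Cloudflare IP Ranges page [7], and IPv6 ranges go through ip6tables in the same way.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space). Replace with the
# current list from https://www.cloudflare.com/ips/ [7]; the list changes over time,
# so regenerate the rules on a schedule rather than once.
UPSTREAM_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]


def is_allowed(src_ip: str, ranges) -> bool:
    """True if `src_ip` falls inside any allowlisted network (v4/v6 mismatch is False)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def iptables_rules(ranges, ports=(80, 443), chain="INPUT"):
    """Return the iptables commands (as strings) that accept TCP traffic to `ports`
    only from `ranges` and drop the rest. One ACCEPT per range per port, then a
    final DROP for that port so anything not matched above is refused."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    tool = {4: "iptables", 6: "ip6tables"}
    rules = []
    for port in ports:
        for net in nets:
            rules.append(f"{tool[net.version]} -A {chain} -p tcp --dport {port} "
                         f"-s {net} -j ACCEPT")
        # Drop rules for both address families so neither is left open.
        for version in sorted({net.version for net in nets}):
            rules.append(f"{tool[version]} -A {chain} -p tcp --dport {port} -j DROP")
    return rules


def render_script(ranges, ports=(80, 443)) -> str:
    """Wrap the rules in a shell script body suitable for review before applying."""
    body = "\n".join(iptables_rules(ranges, ports))
    return "#!/bin/sh\nset -e\n" + body + "\n"


if __name__ == "__main__":
    print(render_script(UPSTREAM_RANGES))
    print("direct hit from 203.0.113.5 allowed?", is_allowed("203.0.113.5", UPSTREAM_RANGES))
```

Review the generated script before running it as root: the DROP rules apply to new connections on the listed ports only, so SSH and established sessions are untouched, but a typo in a range silently locks the proxy out of the origin.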
References
- Mahjabin, T., Xiao, Y., Sun, G., & Jiang, W. (2017, December). A survey of distributed denial-of-service attack, prevention, and mitigation techniques. International Journal of Distributed Sensor Networks, 13(12), 155014771774146.
- Aamir, M., & Zaidi, M. A. (2013). A Survey on DDoS Attack and Defense Strategies: From Traditional Schemes to Current Techniques. Interdisciplinary Information Sciences, 19(2), 173–200.
- Khan, F. F., Hossain, N. M., Shanto, M. N. H., Anwar, S. B., & Noor, J. (2022, December 20). Mitigating DDoS Attacks Using a Resource Sharing Network. 2022 9th International Conference on Networking, Systems and Security.
- alibaba. (2023, August 8). tengine: A distribution of Nginx with some advanced features. GitHub.
- kyprizel. (2022, October 7). testcookie-nginx-module: Simple robot mitigation module using cookie based challenge/response technique. Not supported any more. GitHub.
- duy13. (2023, February 15). vDDoS-Protection: Welcome to vDDoS, a HTTP(S) DDoS Protection Reverse Proxy. GitHub.
- IP Ranges. (n.d.). Cloudflare. https://www.cloudflare.com/en-in/ips/
- Silva, S. S., Silva, R. M., Pinto, R. C., & Salles, R. M. (2013, February). Botnets: A survey. Computer Networks, 57(2), 378–403. https://doi.org/10.1016/j.comnet.2012.07.021
- Cvitić, I., Perakovic, D., Gupta, B. B., & Choo, K. K. R. (2021). Boosting-based DDoS detection in internet of things systems. IEEE Internet of Things Journal, 9(3), 2109-2123. https://ieeexplore.ieee.org/abstract/document/9461235/
- Tripathi, S., Gupta, B., Almomani, A., Mishra, A., & Veluru, S. (2013). Hadoop based defense solution to handle distributed denial of service (ddos) attacks
- Gupta, B. B., Joshi, R. C., & Misra, M. (2012). ANN based scheme to predict number of zombies in a DDoS attack. Int. J. Netw. Secur., 14(2), 61-70. http://ijns.jalaxy.com.tw/contents/ijns-v14-n2/ijns-2012-v14-n2-p61-70.pdf
- Singh, A., & Gupta, B. B. (2022). Distributed Denial-of-Service (DDoS) Attacks and Defense Mechanisms in Various Web-Enabled Computing Platforms: Issues, Challenges, and Future Research Directions. International Journal on Semantic Web and Information Systems (IJSWIS), 18(1), 1-43.
- Mishra, A., Gupta, N., & Gupta, B. B. (2021). Defense mechanisms against DDoS attack based on entropy in SDN-cloud using POX controller. Telecommunication systems, 77(1), 47-62.
- Gupta, B. B., & Sheng, Q. Z. (Eds.). (2019). Machine learning for computer and cyber security: principle, algorithms, and practices. CRC Press.
- Gupta, B. B., Perez, G. M., Agrawal, D. P., & Gupta, D. (2020). Handbook of computer networks and cyber security. Springer, 10, 978-3.
- Mishra, A., Gupta, N., & Gupta, B. B. (2023). Defensive mechanism against DDoS attack based on feature selection and multi-classifier algorithms. Telecommunication Systems, 82(2), 229-244.
Cite As
Tiwari H. (2023) Defending Against DDoS Attacks: A Comprehensive Guide to vDDoS Protection tool, Insights2Techinfo, pp.1