How to Prevent a DDoS Attack


DDoS attacks have risen sharply in the last few years; however, a difference in type of attack still remains. “But knowing the basics of a DDoS, and being equipped to deal with a large-scale attack of this type are also two very different things. While large sites are often attacked, it’s important that those corporations and networks do everything they can to deflect them and remain accessible, even under heavy loads. And even if you manage a smaller site, like a small business or the network of a group of people, you never know when someone will decide to go after you. Let’s see some of the important details behind what a DDoS truly is, and some methods that can be used to make sure your network is safe from them.”
 
There are multiple methods of DDoS attacks used today. “First there’s what’s called a SYN attack, which simply means that the attacker opens a TCP connection, the way you would normally connect to a website, but never finishes the initial handshake. It basically leaves the server hanging. Another clever way is to use DNS. There are a lot of network providers who have their DNS servers configured to allow anyone to launch queries, even people that aren’t customers of theirs. Also, because DNS uses UDP, which is a stateless protocol, these two facts make this a potent way to create a denial of service. All the attacker has to do is find open DNS resolvers, craft a fake UDP packet that has a spoofed address, the one of the target site, and send it to the DNS server. While the request comes from the attacker and his botnet, the server thinks that request came from the server instead, and will send the reply to that location. So instead of having the actual botnet conduct the attack, the only thing the target site will see is a bunch of DNS replies coming from many open resolvers, all around the Internet. Also, it’s a very scalable type of attack, because you can send a single UDP packet to a DNS server asking for a full dump of a certain domain, and receive a very large reply.”
 
So, what is the best way to protect your network? Protect your DNS server. “Make sure your DNS is protected behind the same type of load balancing that your web and other resources are. There are also companies out there that provide redundant DNS that you can use. For example, many people use content delivery networks to serve files to customers in a distributed way, which is a great way to also protect them against DDoS attacks, but many of those companies also offer enhanced DNS protection as well, which is something you may want to look at,” says Patrick Lambert. “The worst thing for any business is for the network or site to go down, so you want to be alerted as soon as an attack starts, and be ready to deal with it. Because of the way it’s done, halting a DDoS attack at the source is incredibly difficult. But setting up an infrastructure that is distributed, hardened, and secure is possible, and that’s something you should think about when setting up your network.”
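
An added example, not from the original article: a minimal detector for the DNS reflection pattern described above, so that an alert fires when a host receives UDP replies from port 53 that match no query it sent. The flow-record layout, the addresses (documentation ranges), the time window and the threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records, not real traffic:
# (time_s, proto, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    (0.0, "udp", "203.0.113.10", 40001, "198.51.100.53", 53, 64),   # our query
    (0.1, "udp", "198.51.100.53", 53, "203.0.113.10", 40001, 120),  # its answer
    (1.0, "udp", "192.0.2.1", 53, "203.0.113.10", 31337, 3200),     # never asked for
    (1.0, "udp", "192.0.2.2", 53, "203.0.113.10", 31337, 3100),
    (1.1, "udp", "192.0.2.3", 53, "203.0.113.10", 31337, 3300),
    (1.1, "udp", "192.0.2.1", 53, "203.0.113.10", 31337, 3200),
    (2.0, "udp", "198.51.100.53", 53, "203.0.113.20", 40500, 110),  # single stray reply
]


def find_reflection(flows, window=5.0, min_unsolicited=3):
    """Return {victim_ip: stats} for hosts receiving unsolicited DNS replies.

    A reply is solicited only if the same host and port sent a query to that
    resolver within `window` seconds before the reply arrived.
    """
    pending = {}  # (client_ip, client_port, resolver_ip) -> time of query
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "resolvers": set()})
    for t, proto, sip, sport, dip, dport, size in sorted(flows):
        if proto != "udp":
            continue
        if dport == 53:
            # Outbound query (server-to-server traffic also lands here).
            pending[(sip, sport, dip)] = t
        elif sport == 53:
            asked = pending.pop((dip, dport, sip), None)
            if asked is None or t - asked > window:
                entry = stats[dip]
                entry["packets"] += 1
                entry["bytes"] += size
                entry["resolvers"].add(sip)
    # One stray reply is noise; many from several resolvers is the pattern.
    return {ip: s for ip, s in stats.items() if s["packets"] >= min_unsolicited}


if __name__ == "__main__":
    for victim, s in find_reflection(FLOWS).items():
        print(f"ALERT {victim}: {s['packets']} unsolicited DNS replies, "
              f"{s['bytes']} bytes from {len(s['resolvers'])} resolvers")
```
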