Our servers are our most valuable cyber assets, and we must prepare ourselves in case someone wants to take them down. In this blog post we’ll learn the difference between a DoS and a DDoS and some easy ways to stop them.
DoS: Denial of Service
A web server is prepared to endure a certain number of simultaneous connections. When this limit is surpassed, there are two possible outcomes:
1- The response becomes slow, or there is no response at all
2- The server might drop off the internet entirely
A DoS overloads the server with many requests from the same computer, gradually consuming all of its resources until it starts rejecting requests and the service is denied.
This kind of attack can be carried out using desktop software like the one shown in the picture below. All a hacker needs to do is choose the target IP and the strength of the attack, and your server will be down in a heartbeat.
There are several examples of such software. Although these tools are often given a bad name because they can be used to disable web sites, they are actually very useful. For example, they’re the easiest way to perform stress tests so you know how much traffic a web site can support.
DDoS: Distributed Denial of Service
This attack is similar to DoS – they both focus on taking down a server. But in a DDoS the attack is distributed, so it comes from several computers making requests to the same server. The web administrator won’t have a clue where the attack came from, which is why it’s really difficult to stop them.
A hacker performs this attack through a network of zombie machines, otherwise known as a botnet. It can be controlled with desktop software similar to a Trojan (the client and the server are both executables), through a web panel, or through Internet Relay Chat (IRC).
In any case, the distribution methods are similar. A common example is the infected videos that sometimes appear on websites.
When we click on those infected videos, we spread the virus among our friends, building a long chain of infected computers.
How to prevent these attacks?
As webmasters we can install the well-known mod_evasive on our server. Basically, it keeps a dynamic table of the URLs requested by the different client IPs of Apache, and it lets us execute actions when the same IP requests the same resource more than a set number of times within a set number of seconds.
By default, mod_evasive blocks any IP that exceeds the maximum number of requests allowed per second and returns a 403 (Forbidden) error to the HTTP request.
What’s really interesting is that it can also execute a system command, so you can add a new iptables rule to block the client’s IP.
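To make the per-IP, per-URL table concrete, here is a small Python model of the rule described above (an added example, not code from this post or from mod_evasive itself). It mirrors the behaviour of mod_evasive’s DOSPageCount, DOSPageInterval and DOSBlockingPeriod settings; the threshold values, IP addresses and request lines are constructed for illustration.

```python
# Added example: a model of the hit table mod_evasive keeps per (IP, URI).
# Thresholds below are assumed values, not mod_evasive's defaults.
from collections import defaultdict

PAGE_COUNT = 5      # assumed: hits to the same URI allowed per interval
PAGE_INTERVAL = 1   # assumed: length of the interval in seconds
BLOCK_PERIOD = 10   # assumed: seconds an IP stays blocked after tripping


class EvasiveTable:
    """Tracks (ip, uri) hits in a sliding window and blocks offenders."""

    def __init__(self):
        self.hits = defaultdict(list)   # (ip, uri) -> timestamps of recent hits
        self.blocked = {}               # ip -> time at which the block expires

    def check(self, ip, uri, now):
        """Return the HTTP status the server would answer: 200 or 403."""
        expiry = self.blocked.get(ip)
        if expiry is not None:
            if now < expiry:
                return 403              # still inside the blocking period
            del self.blocked[ip]        # block has lapsed, start fresh
        window = self.hits[(ip, uri)]
        window[:] = [t for t in window if now - t < PAGE_INTERVAL]
        window.append(now)
        if len(window) > PAGE_COUNT:    # same IP, same URI, too often
            self.blocked[ip] = now + BLOCK_PERIOD
            return 403
        return 200


def replay(lines):
    """Feed constructed 'timestamp ip uri' request lines through the table."""
    table = EvasiveTable()
    results = []
    for line in lines:
        ts, ip, uri = line.split()
        results.append((ip, table.check(ip, uri, float(ts))))
    return results


# Constructed sample: one client hammers /index.html, another browses normally.
SAMPLE = (
    [f"{0.1 * i:.1f} 203.0.113.5 /index.html" for i in range(8)]
    + ["0.5 198.51.100.7 /index.html", "0.9 198.51.100.7 /about.html"]
    + ["5.0 203.0.113.5 /about.html", "12.0 203.0.113.5 /index.html"]
)

if __name__ == "__main__":
    for ip, status in replay(SAMPLE):
        print(ip, status)
```

The sixth rapid hit from 203.0.113.5 trips the threshold, every request from that IP (even to a different URL) gets a 403 until the blocking period ends, while the second client is never affected.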
Another way to prevent these attacks is Cloudflare, a free service that acts as a proxy between visitors and our server. Cloudflare keeps the static content of the web page in its cache, lowering the number of requests that reach our server. This is really helpful if our server becomes unavailable, because Cloudflare can still deliver pages from its cache.
One of Cloudflare’s advantages is that it has proxy servers all over the world, placed near the visitors. This improves page load time, because cached content is delivered from the nearest cache server instead of from our server. Always remember that several studies show that the faster the web, the longer visitors are willing to stay connected.
A second advantage is protection against spam: using data provided by third parties, it reduces the number of unwanted comments on the web.
Finally, it also alerts visitors whose computers are infected and gives directions on the steps they should follow to clean up the malware or viruses. Those visitors have to solve a CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) to access the web.
These are really useful tools and I recommend you give them a try. In case of any questions, feel free to contact me!