In the first two quarters of 2020 the number of DDoS attacks almost tripled, and 65% of them were primitive “load testing” attempts that easily take down the defenseless sites of small online stores, forums, blogs and media outlets.
How do you choose DDoS-protected hosting? What should you look for, and what should you be prepared for, so as not to end up in an unpleasant situation?
(Inoculation against “gray” marketing included)
The availability and variety of tools for launching DDoS attacks forces owners of online services to take measures against the threat. DDoS protection should be thought about not after the first outage, and not merely as one item in a set of measures to raise the fault tolerance of the infrastructure, but already at the stage of choosing where to host (hosting provider or data center).
DDoS attacks are classified by the layer of the Open Systems Interconnection (OSI) model to which the abused protocols belong:
- data link (L2),
- network (L3),
- transport (L4),
- application (L7).
From the point of view of protection systems they can be grouped into infrastructure-layer attacks (L2-L4) and application-layer attacks (L7). The split follows the order in which traffic-analysis algorithms run and their computational cost: the deeper we look into an IP packet, the more computing power is required.
Optimizing these computations for real-time traffic processing is a topic for a separate series of articles. For now, let’s just assume there is some cloud provider with effectively unlimited computing resources that can protect websites from application-layer attacks (in some cases even for free).
3 main questions for determining the degree of protection of hosting from DDoS attacks
Look at the hosting provider’s terms of service for DDoS protection and its Service Level Agreement (SLA). Do they answer the following questions:
- What technical limits does the service provider declare?
- What happens when the customer exceeds those limits?
- How does the hosting provider build its DDoS protection (technologies, solutions, suppliers)?
If you cannot find this information, it is a reason either to doubt how serious the provider is, or to organize basic (L3-L4) DDoS protection on your own, for example by ordering a physical connection to the network of a specialized security provider.
Important! There is no point in protecting against application-layer attacks with a reverse proxy if your hosting provider cannot protect against infrastructure-layer attacks: the network equipment will be overloaded and become unreachable, including for the cloud provider’s proxy servers (Figure 1).
Figure 1. Direct attack on the hosting provider’s network
And do not let anyone tell you tales that the server’s real IP address is hidden behind the protection provider’s cloud and therefore cannot be attacked directly. In nine cases out of ten it will not be difficult for an attacker to find the server’s real IP address, or at least the hosting provider’s network, and take down the entire data center.
How attackers find the real IP address
Below are several methods for finding a real IP address (provided for informational purposes only).
You can start the search with the online service Intelligence X: it searches the dark web and document-sharing platforms, processes Whois data, public data leaks and many other sources.
If for some reason (HTTP headers, Whois data, etc.) you were able to determine that the site’s protection is built on Cloudflare, you can start searching for the real IP in a list that contains about 3 million IP addresses of sites located behind Cloudflare.
Using the SSL certificate and the Censys service you can find a lot of useful things, including the site’s real IP address. To build a query for your resource, go to the Certificates tab and enter:
parsed.names: site_name AND tags.raw: trusted
To find the IP addresses of the servers that present this certificate, you will have to go through the drop-down list manually (the “Explore” tab, then “IPv4 Hosts”).
Searching the history of DNS record changes is an old, proven method. The site’s previous IP address can tell you which hosting provider (or data center) it was hosted with. Among the online services, ViewDNS and SecurityTrails stand out for ease of use…
When the settings are changed, the site does not immediately start using the IP address of the cloud security provider or CDN but continues to work directly for some time. So there is a chance that the services storing the history of IP address changes have recorded the site’s original address.
If nothing is left but the name of the old DNS server, you can query it directly for the site’s IP address with the usual utilities (dig, host or nslookup), for example:
dig @old_dns_server_name site_name
Another method is to use the feedback or registration form (or any other way to trigger an email from the site) to receive a message in your own mailbox and inspect its headers, in particular the “Received” fields.
These headers often contain the real IP address of the mail server (the MX host), which can be a starting point for finding the other target servers: it is frequently in the same network as the web server, or is the same machine.
Tools that search for IP addresses behind the Cloudflare shield usually work on three tasks:
- looking for DNS misconfigurations via DNSDumpster.com;
- scanning the Crimeflare.com database;
- enumerating subdomains from a dictionary (wordlist).
Subdomain enumeration is often the most effective of the three: the site owner may have protected the main site and left the subdomains pointing directly at the origin. The easiest way to check this is the CloudFail utility…
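As an added example (not code from the original article or from any of the tools it names), the following Python script shows the logic behind the last two methods: it walks the “Received” headers of a mail message oldest hop first and keeps only public, non-Cloudflare addresses, and it filters a set of subdomain A records down to the ones that resolve past the CDN. The Cloudflare ranges are a snapshot and should be refreshed from https://www.cloudflare.com/ips/ before real use; the mail message, the hostnames (shop.example, example-hoster.net) and the resolution results are constructed for the demonstration and use documentation address ranges.

```python
from __future__ import annotations

import email
import ipaddress
import re

# Snapshot of Cloudflare's published IPv4 ranges (assumption: this list ages;
# fetch the current one from https://www.cloudflare.com/ips/ before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Addresses that can never be a reachable origin: loopback, link-local, RFC 1918
# and CGNAT space. (ipaddress.is_global is deliberately not used: it also rejects
# the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges that
# the constructed samples below rely on.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10",
)]


def is_cloudflare(ip: str) -> bool:
    """True if the address belongs to the Cloudflare edge, i.e. it is not the origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def is_candidate_origin(ip: str) -> bool:
    """Routable, non-Cloudflare IPv4 address that may be the real server."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # regex false positives such as 999.1.2.3
        return False
    if addr.version != 4 or any(addr in net for net in NON_ROUTABLE):
        return False
    return not is_cloudflare(ip)


IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def origin_ips_from_received(raw_message: str) -> list[str]:
    """Return candidate origin IPs from the Received headers, oldest hop first.

    MTAs prepend Received headers, so the last one in the message is the first
    hop: the host that actually generated the mail, often the web server itself
    or a machine in the same network as it.
    """
    msg = email.message_from_string(raw_message)
    found: list[str] = []
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IPV4_RE.findall(hop):
            if is_candidate_origin(ip) and ip not in found:
                found.append(ip)
    return found


def unprotected_subdomains(resolutions: dict[str, list[str]]) -> dict[str, list[str]]:
    """Keep only names whose A records point outside Cloudflare and are routable."""
    leaked: dict[str, list[str]] = {}
    for name, ips in resolutions.items():
        direct = [ip for ip in ips if is_candidate_origin(ip)]
        if direct:
            leaked[name] = direct
    return leaked


# Constructed sample: the reply to a feedback-form submission as it would arrive
# in the tester's mailbox (hostnames and addresses are made up).
SAMPLE_MAIL = """\
Received: from mx2.example-hoster.net (mx2.example-hoster.net [203.0.113.10])
\tby mail.tester-mailbox.test with ESMTP id abc123
\tfor <tester@tester-mailbox.test>; Mon, 1 Jun 2020 10:00:00 +0000
Received: from shop-web01.localdomain (unknown [192.0.2.25])
\tby mx2.example-hoster.net (Postfix) with ESMTPA id 4Bc3
\tfor <tester@tester-mailbox.test>; Mon, 1 Jun 2020 09:59:58 +0000
From: noreply@shop.example
To: tester@tester-mailbox.test
Subject: Thank you for your feedback

We have received your message.
"""

# Constructed sample: A records for the main site and its subdomains, as a
# wordlist-based enumeration (CloudFail or similar) would return them.
SAMPLE_RESOLUTIONS = {
    "shop.example":      ["104.16.12.35"],   # Cloudflare edge
    "www.shop.example":  ["104.16.12.34"],   # Cloudflare edge
    "mail.shop.example": ["203.0.113.10"],   # direct
    "dev.shop.example":  ["198.51.100.7"],   # direct, forgotten subdomain
    "ftp.shop.example":  ["192.168.1.5"],    # leaked internal record, unreachable
}

if __name__ == "__main__":
    print("candidate origins from mail headers:", origin_ips_from_received(SAMPLE_MAIL))
    print("subdomains resolving past the CDN:", unprotected_subdomains(SAMPLE_RESOLUTIONS))
```

On the constructed sample the first hop is the web server itself (192.0.2.25) and the hoster’s MX (203.0.113.10) comes second; the mail and dev subdomains are the ones that bypass the CDN. Any candidate still has to be confirmed by connecting to it with the site name in the Host header (and SNI), as described further below.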
As an example, take the site seo.com, which uses Cloudflare; we find it through the well-known service BuiltWith (it can identify the technologies, engines and CMS a site is built on and, conversely, search for sites by the technologies they use).
In Censys, on the “IPv4 Hosts” tab the service shows the list of hosts that present the certificate. To find the right one, look for an IP address with port 443 open. If it redirects to the required site, the task is done; otherwise add the site’s domain name in the “Host” header of the HTTP request, for example:
curl -k -H "Host: site_name" https://IP_address
(the -k flag skips certificate verification, which would otherwise fail because the certificate is issued for the site name, not for the bare IP address).
In our case the Censys search returned nothing, so let’s move on.
Next we run a DNS history search through the service https://securitytrails.com/dns-trails…
Going through the addresses listed in the DNS records with the CloudFail utility, we find working resources. The result is ready in a few seconds.
Using only open data and simple tools, we have determined the real IP address of the web server. The rest is a matter of technique for the attacker.
Let’s return to choosing a hosting provider. To assess what the service actually gives the customer, we will consider the possible ways of protecting against DDoS attacks.
How a hosting provider builds its defense
1. Own protection system with filtering equipment (Figure 2). It requires:
1.1. traffic filtering equipment and software licenses;
1.2. in-house specialists to support and operate it;
1.3. Internet uplinks wide enough to absorb attacks;
1.4. significant prepaid channel bandwidth for receiving “junk” traffic.
Figure 2. Hosting provider’s own security system
If we consider such a system as a means of protection against modern DDoS attacks of hundreds of Gbps, it will cost a lot of money. Does the hosting provider have protection of that class? Is it ready to pay for junk traffic? Obviously such an economic model is unprofitable for the provider unless the tariffs include additional payments.
2. Reverse proxy (only for websites and some applications). Despite a number of advantages, the vendor does not guarantee protection against direct DDoS attacks (see Figure 1). Hosting providers often offer this solution as a panacea, shifting responsibility to the security provider.
3. Services of a specialized cloud provider (using its filtering network) to protect against DDoS attacks at all OSI layers (Figure 3).
Figure 3. Comprehensive protection against DDoS attacks using a specialized provider
This solution presupposes deep integration and a high level of technical competence on both sides. Outsourcing traffic filtering allows the hosting provider to reduce the cost of the additional service for the customer.
Important! The more detailed the technical characteristics of the service provided, the more chance you have to demand their fulfilment, or compensation, in case of downtime.
Besides the three main approaches there are many combinations of them. When choosing hosting, the customer should remember that the chosen solution determines not only the size of the attacks that are guaranteed to be blocked and the filtering accuracy, but also the reaction speed and the informativeness of reporting (list of blocked attacks, general statistics, etc.).
Remember that only a few hosting providers in the world are able to provide an acceptable level of protection on their own; in all other cases cooperation and technical literacy save the day. So understanding the basic principles of organizing DDoS protection will let the site owner avoid falling for marketing tricks and buying a pig in a poke.