DDoS Attack Types Guide

DDoS (Distributed Denial of Service) attacks are a common danger for businesses in the digital age, but how do they work?

A DDoS attack is a cybersecurity attack designed to restrict access to an internet service, rendering targeted platforms, websites, or tools useless. Malicious attackers may achieve this by triggering a temporary interruption or suspension of the hosting server’s services, with wide-ranging impacts.

DDoS attacks are typically launched from many devices which have been compromised by the attackers. These tend to be spread around the world and are controlled as a group, generally known as a “botnet”. This is what distinguishes them from plain denial of service (DoS) attacks, which depend on a single internet-connected device to send a flood of overwhelming traffic to the targeted website or network. DDoS attacks are usually grouped into three categories:

Application layer attacks

This type of attack is intended to exhaust a victim’s web server or application using requests which appear legitimate and non-malicious. It includes HTTP GET/POST floods, low-and-slow attacks such as Slowloris, and other forms of disruption that target the application rather than the network.

Volume-based attacks

With a volume-based attack, hackers aim to saturate a target website’s bandwidth through ICMP (or Ping) or UDP floods.

Protocol attacks

A protocol attack puts strain on resources (servers, firewalls, load balancers) through fragmented packets, Smurf DDoS, and other attacks.

DDoS types which commonly target businesses

Below, we explore some of the types of DDoS attacks that pose a risk to companies in different sectors.

ICMP flood

An ICMP (or Ping) flood overwhelms a targeted resource with ICMP Echo Request packets. The attacker sends as many Echo Requests as quickly as possible, typically from many bots or from spoofed source addresses, without waiting for any replies.

As a result, ICMP flood attacks consume a business’s incoming and outgoing bandwidth, because the target tries to answer every request with an ICMP Echo Reply. This can ultimately cause a major slowdown of the whole system. Rate-limiting ICMP at the network edge is the usual mitigation; blocking ICMP outright is not recommended, since path MTU discovery and other diagnostics depend on it.

UDP (User Datagram Protocol) flood

A UDP flood is a DDoS attack in which the attacker sends a large volume of UDP packets to random ports on the target host, usually with spoofed source addresses.

For each packet, the host checks whether an application is listening on that port. When none is, the host replies with an ICMP “destination unreachable” packet. Doing this at high rate consumes CPU and bandwidth and can make the host unreachable. Modern kernels rate-limit the ICMP error responses (Linux exposes this as net.ipv4.icmp_ratelimit), which limits the damage from the reply traffic but not from the inbound flood itself.

SYN flood

This DDoS attack type exploits the TCP three-way handshake. A client opens a connection by sending a SYN; the server answers with a SYN-ACK and reserves state for the half-open connection; the client then completes the handshake with an ACK.

In a SYN flood, the attacker sends a high rate of SYN packets and never sends the final ACK, or sends the SYNs from spoofed source addresses so that the SYN-ACKs go to hosts that never asked for them. Either way, the server holds a half-open entry in its listen backlog for each SYN until it times out. Once the backlog is full, new connections from legitimate clients are refused, and service is denied. The standard defence is SYN cookies (on Linux, net.ipv4.tcp_syncookies = 1), which encode the connection state in the SYN-ACK’s sequence number so the server keeps no state until the ACK arrives; a larger net.ipv4.tcp_max_syn_backlog adds headroom but does not remove the problem.
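As an added example (not part of the original article), the following Python script counts half-open connections in the output of the Linux ss tool, which is a quick way to tell whether a server is sitting under a SYN flood and which listener is being hit. The sample ss -tan output is constructed for the example; the backlog size and the “mostly distinct peers means spoofed sources” heuristic are assumptions to tune for your own host.

```python
import re
import sys
from collections import Counter

# Constructed sample of `ss -tan` output (not captured from a real host).
SAMPLE_SS = """\
State      Recv-Q Send-Q  Local Address:Port   Peer Address:Port
ESTAB      0      0       10.0.0.5:443         203.0.113.10:52314
SYN-RECV   0      0       10.0.0.5:443         198.51.100.1:40001
SYN-RECV   0      0       10.0.0.5:443         198.51.100.2:40002
SYN-RECV   0      0       10.0.0.5:443         198.51.100.3:40003
SYN-RECV   0      0       10.0.0.5:443         198.51.100.4:40004
SYN-RECV   0      0       10.0.0.5:443         198.51.100.5:40005
SYN-RECV   0      0       10.0.0.5:80          198.51.100.6:40006
LISTEN     0      511     0.0.0.0:443          0.0.0.0:*
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port (IPv6 works because
# the address group is greedy and backtracks to the last ':').
LINE_RE = re.compile(r'^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s*$')


def parse_ss(text):
    """Yield (state, local_ip, local_port, peer_ip, peer_port) per socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def half_open_report(text, backlog=256, spoof_ratio=0.9):
    """Summarise SYN-RECV sockets, i.e. handshakes still waiting for the ACK.

    backlog: assumed listen backlog (compare with net.ipv4.tcp_max_syn_backlog).
    spoof_ratio: if nearly every half-open socket has a different peer, the
    sources are probably spoofed, so per-IP blocking will not help.
    """
    per_peer = Counter()
    per_listener = Counter()
    for state, lip, lport, pip, _pport in parse_ss(text):
        if state == 'SYN-RECV':
            per_peer[pip] += 1
            per_listener[f'{lip}:{lport}'] += 1
    total = sum(per_peer.values())
    distinct = len(per_peer)
    return {
        'half_open': total,
        'distinct_peers': distinct,
        'backlog_used_pct': round(100 * total / backlog, 1),
        'likely_spoofed': total >= 5 and distinct / total >= spoof_ratio,
        'top_peers': per_peer.most_common(3),
        'per_listener': dict(per_listener),
    }


if __name__ == '__main__':
    # Usage: ss -tan | python3 half_open.py   (falls back to the sample data)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    print(half_open_report(text))
```

Pipe the plain ss -tan output in, not ss -tan state syn-recv: when ss is given a state filter it omits the State column that the parser relies on. If likely_spoofed is true, check that sysctl net.ipv4.tcp_syncookies reports 1 before reaching for firewall rules.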

Slowloris

Slowloris is an attack that lets a single machine take down another machine’s web server with very little bandwidth and without touching other ports or services on the target. It works by opening as many connections to the target server as it can and keeping them open for as long as possible, sending only partial requests.

Each connection sends an HTTP request header slowly, a few bytes at a time, and never sends the blank line that terminates the headers, so the server keeps waiting for the rest. Once the pool of available connections is exhausted, requests from legitimate clients are refused. Servers that dedicate a thread or process to every connection (classic Apache prefork) are the most exposed; event-driven servers such as Nginx hold up better, and can be tightened further with short client_header_timeout and client_body_timeout values and a per-client limit_conn limit.

POD (Ping of Death)

The so-called ping of death sends the target malformed pings (ICMP Echo Requests) whose total size, once reassembled, exceeds the maximum IP packet size. Early IP stacks copied the reassembled datagram into a fixed buffer sized for the largest legal packet without checking the final length, so the oversized packet overflowed that buffer and crashed or froze the host, denying service to all legitimate traffic.

This works because an IP packet’s maximum length is 65,535 bytes (the Total Length field is 16 bits), while data-link layers impose a much smaller maximum frame size, so a large packet is split into fragments that the receiver reassembles using each fragment’s offset. A ping of death sends a final fragment whose offset plus length pushes the reassembled datagram past 65,535 bytes. Operating systems have validated the reassembled length since the late 1990s, so the original attack fails against any patched system, but fragment handling remains a recurring source of bugs, and fragmented traffic that never completes is still a memory-exhaustion vector.
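To show where the oversize check belongs, here is an added Python example (not from the original article) of an IPv4 fragment reassembler that refuses any datagram whose reassembled length would exceed 65,535 bytes. build_fragment constructs minimal test fragments (no options, checksum left at zero); the addresses and identifiers are made up for the example.

```python
import struct

IPV4_MAX_LEN = 65535        # 16-bit Total Length field
FRAG_UNIT = 8               # fragment offset is counted in 8-byte units
IPV4_HDR = '!BBHHHBBH4s4s'  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
MF_FLAG = 0x2000            # "more fragments" bit


def build_fragment(ident, offset, payload, more_fragments,
                   src=b'\x0a\x00\x00\x01', dst=b'\x0a\x00\x00\x02'):
    """Construct one IPv4 fragment for testing. offset is in bytes (multiple of 8)."""
    if offset % FRAG_UNIT or offset >= 2 ** 16 or 20 + len(payload) > IPV4_MAX_LEN:
        raise ValueError('fragment cannot be encoded')
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset // FRAG_UNIT)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, 1, 0, src, dst)        # proto 1 = ICMP
    return header + payload


def parse_fragment(pkt):
    """Return (id, header_len, offset_bytes, more_fragments, payload)."""
    ver_ihl, _tos, total_len, ident, flags_frag, *_rest = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & MF_FLAG)
    offset = (flags_frag & 0x1FFF) * FRAG_UNIT
    return ident, ihl, offset, mf, pkt[ihl:total_len]


class Reassembler:
    """Collect fragments per datagram id; drop datagrams that would reassemble
    to more than 65,535 bytes (the ping-of-death condition)."""

    def __init__(self):
        self.datagrams = {}   # id -> {'frags': {offset: payload}, 'end': int or None}

    def push(self, pkt):
        ident, ihl, offset, mf, payload = parse_fragment(pkt)
        total = ihl + offset + len(payload)
        # Vulnerable stacks skipped this check and overran a 64 KiB buffer.
        if total > IPV4_MAX_LEN:
            self.datagrams.pop(ident, None)   # discard what we already held
            return 'dropped: reassembled length %d exceeds %d' % (total, IPV4_MAX_LEN)
        d = self.datagrams.setdefault(ident, {'frags': {}, 'end': None})
        d['frags'][offset] = payload
        if not mf:                           # last fragment fixes the total size
            d['end'] = offset + len(payload)
        if d['end'] is not None and self._contiguous(d):
            data = b''.join(d['frags'][o] for o in sorted(d['frags']))
            del self.datagrams[ident]
            return 'complete: %d bytes' % len(data)
        return 'pending'

    @staticmethod
    def _contiguous(d):
        """True when fragments cover [0, end) without gaps (out-of-order is fine)."""
        pos = 0
        for off in sorted(d['frags']):
            if off != pos:
                return False
            pos = off + len(d['frags'][off])
        return pos == d['end']


if __name__ == '__main__':
    r = Reassembler()
    print(r.push(build_fragment(1, 0, b'A' * 1480, True)))      # pending
    print(r.push(build_fragment(1, 1480, b'B' * 20, False)))    # complete: 1500 bytes
    print(r.push(build_fragment(7, 0, b'A' * 1480, True)))      # pending
    print(r.push(build_fragment(7, 65520, b'C' * 16, False)))   # dropped: ... 65556 exceeds 65535
```

The last fragment in the demo carries a legal-looking offset of 65,520 bytes and a tiny payload, yet the datagram it completes would be 65,556 bytes long; checking ihl + offset + length on arrival, before any buffer is touched, is the whole fix.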

HTTP flood

Attackers use HTTP floods to exhaust an application or web server with HTTP GET or POST requests that look like ordinary client traffic.

This type of attack involves no malformed packets or spoofing (the bots complete the TCP handshake like real browsers), and needs far less bandwidth than a volumetric flood. HTTP floods do the most damage when each request forces the application to do expensive work, such as database queries, searches, or rendering uncached pages, so that a modest request rate consumes all the resources the server has. Because the requests look legitimate, mitigation relies on per-client rate limiting (limit_req_zone and limit_req in Nginx), caching, and bot detection rather than on packet filtering.

Zero day

Zero-day DDoS attacks are new or previously unseen attack methods that exploit weaknesses for which no patch or detection signature yet exists, so signature-based protection does not recognise them. Attackers trade such techniques with each other, so a new method tends to spread quickly once it is discovered.

NTP amplification

In an NTP amplification attack, the attacker does not attack the Network Time Protocol servers themselves: it abuses publicly reachable NTP servers as reflectors. Small UDP queries are sent to them with the victim’s address forged as the source, so each server’s much larger reply is delivered to the victim. These DDoS attacks are called “amplification” attacks because of the ratio between the size of the query and the size of the response.

That ratio tends to be between 1:20 and 1:200 or higher (the legacy monlist command, which returns up to the last 600 clients a server has seen, produces replies hundreds of times larger than the request), so an attacker with a list of open NTP servers and a modest uplink can cause major disruption. Check your own servers with ntpdc -n -c monlist <server>: if the command returns data, upgrade ntpd (4.2.7p26 and later no longer implement monlist) or add disable monitor and restrict default noquery to ntp.conf. Because the attack depends on spoofed source addresses, ingress filtering at the network edge (BCP 38) also limits it.

What causes hackers to launch DDoS attacks?

In a relatively short period, the types of DDoS attacks covered above have become one of the most common cybersecurity risks. Both their number and their volume have grown in the past few years: while shorter attacks are the norm, they often involve a higher packet-per-second rate.

So, what drives the attackers?

Industry rivalries

Businesses may leverage some of these DDoS attack types to disrupt a competitor’s service or website, to improve their own market performance. For example, one online retailer may employ a DDoS attacker to bring a rival site down ahead of a crucial Black Friday or Cyber Monday sale event.

Divergent beliefs

Some hackers, referred to as “hacktivists”, launch DDoS attacks to disrupt businesses they may disagree with (in terms of workers’ rights, for example).

Cyber attacks on enemy nations

A government may authorize a DDoS attack to cause issues for other countries’ infrastructures or websites, for their own gain.

Extorting money

DDoS attacks may be launched, or merely threatened, to extort money from a business: so-called ransom DDoS, in which the attacker demands payment to stop or call off the attack.

For thrills

Hackers could create and launch their own DDoS attacks to get a short-term rush, with no sympathy for the people they affect.

How to Secure Nginx Against Malicious Bots

Nginx Security

Protective measures for a server are very important and there are several ways to protect your websites and apps from malicious bots. We’ll be looking at different bots and how they operate, and how you can use Plesk’s security measures to secure Nginx against malicious bots.

Malicious Bot Types

Nginx vs malicious bots

There are bots that scan Git repositories for leaked API keys (scan bots) and bots that download web pages (scrapers). Worse, attackers use groups of hijacked computers (botnets) to take websites down, or to send out enormous volumes of spam (spambots). Let’s take a deeper look at the latter two.

Bots For Spamming Emails

Spambots are programs that crawl the internet for email addresses posted on forums, discussion boards, comment sections and websites. Spam generally means unwanted and unsolicited email. Spambots typically look for mailto links (the HTML used to make an email address clickable), in a format such as the one below.

<a href="mailto:[email protected][email protected], [email protected],[email protected]&subject=Web%20News">Email Us</a>

Apart from mailto links, some site owners spell addresses out in words to make them harder to harvest: instead of ‘‘[email protected]’’ they write support[at]abz[dot]com. However, spam programs recognise these obfuscated formats too, and the resulting spam costs users time, money and productivity.

Bots For Hijacking Computers

A malicious botnet is a network of computers infected with malware and controlled as a group by an attacker, typically to perform distributed denial of service (DDoS) attacks. Botnets also give malware a foothold from which to spread into other networks and take control of them.

Let’s look at how attackers use a botnet of hijacked computers by studying a click-fraud botnet which earned its creators money by tampering with Google search results.

Paco Redirector is a botnet trojan which targeted users of search engines such as Google and Bing. Here’s how it works:

  1. First, it infects users’ computers when they download and install fake versions of popular software.
  2. Next, Paco adds two entries to the Windows registry to ensure the malware starts at boot time.
  3. Finally, the malware installs a proxy configuration file that captures the browser’s traffic and routes it through the attackers’ command-and-control server.

How to Secure Nginx Server against malicious Bots

Because a large share of websites are served by Nginx, it is worth knowing how to secure Nginx against malicious bots. We can protect the resources running on Nginx servers with Plesk extensions and Fail2ban.

1. Using SpamExperts Email Security Extension


SpamExperts specifically protects a hosting environment from threats like spam and viruses. It comes with an incoming filter, which separates valid emails from unsolicited ones. And also an outgoing filter, which prevents your IP address from being blacklisted since spam can be sent from your compromised account within your web infrastructure.

2. Using DDOS Deflate Interface Extension


Attackers often use malicious bots to brute-force authentication automatically or to open very large numbers of connections. DDoS Deflate counts the connections open from each IP address and blocks addresses that exceed the configured threshold, which blunts both connection floods and high-rate brute-force attempts.

3. Using Fail2ban to Block Internet Bots

Fail2ban is an intrusion-prevention tool that watches log files and bans the IP addresses responsible for repeated failures, which makes it well suited to stopping bots that hammer an Nginx server. On Debian and Ubuntu, install it with:

apt-get install fail2ban

On Fedora and CentOS, use:

yum install fail2ban

Afterwards, copy jail.conf to jail.local and make your changes there. Fail2ban reads jail.local on top of jail.conf, and package upgrades overwrite jail.conf, so edits made directly to it are lost:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

In the [DEFAULT] section of jail.local, search for the maxretry parameter and set it to 5. maxretry is the number of failures a host may accumulate within findtime seconds before it is banned; bantime sets how long the ban lasts.

Apart from maxretry, there are other parameters worth checking in the same section, such as ignoreip, which lists the IP addresses and networks (your own management hosts, for example) that will never be banned.

Then execute the following commands to run Fail2ban on the server:

 sudo systemctl enable fail2ban

 sudo systemctl start fail2ban

Now let’s go ahead and configure Fail2ban to monitor the Nginx server logs.

Because attackers use bots to brute-force logins, we can create jails for authentication failures by adding the following sections to jail.local. The [nginx-http-auth] jail uses the filter shipped with Fail2ban; [nginx-login] needs a filter of your own that matches your application’s failed-login lines in the access log:

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx*/*error*.log
bantime = 600
maxretry = 6

[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
bantime = 600
maxretry = 6

Finally, check the filter that the [nginx-http-auth] jail references. Filters live in /etc/fail2ban/filter.d:

cd /etc/fail2ban/filter.d

Each file in that directory defines the failregex patterns for one service (nginx-http-auth.conf, sshd.conf, and so on).

Open nginx-http-auth.conf. Its failregex matches Nginx’s “password mismatch” and “was not found in” errors; if your Fail2ban version lacks the pattern for requests that send no credentials at all, add it as an additional line under failregex (indented, so that it continues the list):

            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

Save and close nginx-http-auth.conf. You can now activate your Nginx jails by restarting Fail2ban:

 sudo systemctl restart fail2ban
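To see what the jails above actually do before trusting them on a live server, here is an added Python example (not from the original article or from the Fail2ban project) that applies the nginx-http-auth patterns and a hypothetical nginx-login pattern to constructed Nginx log lines and reproduces Fail2ban’s maxretry/findtime/bantime logic. The two error-log patterns follow Fail2ban’s shipped filter but are prefixed with the date and time that Fail2ban strips before matching; <HOST> is simplified to \S+. The nginx-login regex, the /login path and the 401/403 status codes are assumptions, since the article names that jail without giving its filter.

```python
import re
from collections import defaultdict

# --- Filters --------------------------------------------------------------
HOST = r'(?P<host>\S+)'                       # simplified stand-in for <HOST>
ERR_PREFIX = r'^\S+ \S+ \[error\] \d+#\d+: \*\d+ '   # date time [error] pid#tid: *conn
ERR_SUFFIX = (r', client: ' + HOST + r', server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", '
              r'host: "\S+"(?:, referrer: "\S+")?\s*$')

# Patterns as in Fail2ban's nginx-http-auth.conf (whole-line form).
NGINX_HTTP_AUTH = [
    re.compile(ERR_PREFIX + r'user "(?:[^"]+|.*?)":? '
               r'(?:password mismatch|was not found in "[^"]*")' + ERR_SUFFIX),
    re.compile(ERR_PREFIX + r'no user/password was provided for basic authentication' + ERR_SUFFIX),
]

# Hypothetical filter for the [nginx-login] jail (assumed: app answers 401/403
# to a failed POST /login in the combined access log format).
NGINX_LOGIN = [
    re.compile(r'^' + HOST + r' \S+ \S+ \[[^\]]+\] "POST /login(?:\?\S*)? HTTP/[\d.]+" (?:401|403) '),
]


class Jail:
    """Minimal model of a Fail2ban jail: maxretry failures from one host within
    findtime seconds ban it for bantime seconds."""

    def __init__(self, name, patterns, maxretry=6, findtime=600, bantime=600):
        self.name, self.patterns = name, patterns
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)   # host -> timestamps of recent failures
        self.banned = {}                    # host -> time at which the ban expires

    def match(self, line):
        for pat in self.patterns:
            m = pat.match(line)
            if m:
                return m.group('host')
        return None

    def feed(self, now, line):
        """Process one log line seen at time `now` (Fail2ban takes it from the
        line's own timestamp); return the host if this line triggered a ban."""
        host = self.match(line)
        if host is None:
            return None
        if host in self.banned:
            if now < self.banned[host]:
                return None            # already banned; nothing more to do
            del self.banned[host]      # ban expired
        recent = [t for t in self.failures[host] if now - t <= self.findtime]
        recent.append(now)
        self.failures[host] = recent
        if len(recent) >= self.maxretry:
            self.banned[host] = now + self.bantime
            self.failures[host] = []
            return host
        return None


# --- Constructed log lines (not captured from a real server) ---------------
def err(conn, msg, client):
    return (f'2024/05/01 12:00:00 [error] 1234#1234: *{conn} {msg}, client: {client}, '
            f'server: example.com, request: "GET /admin/ HTTP/1.1", host: "example.com"')


def acc(client, status):
    return (f'{client} - - [01/May/2024:12:00:00 +0000] "POST /login HTTP/1.1" '
            f'{status} 15 "-" "python-requests/2.31"')


def run(jail, events):
    """events: (seconds, line) pairs in time order; returns hosts banned, in order."""
    banned = []
    for t, line in events:
        host = jail.feed(t, line)
        if host:
            banned.append(host)
    return banned


def demo():
    auth_events = [
        (0, err(17, 'user "admin": password mismatch', '198.51.100.7')),
        (5, err(18, 'user "root" was not found in "/etc/nginx/.htpasswd"', '203.0.113.9')),
        (7, err(19, 'open() "/var/www/html/favicon.ico" failed (2: No such file or directory)',
                '203.0.113.9')),                      # not an auth failure: ignored
        (10, err(20, 'no user/password was provided for basic authentication', '198.51.100.7')),
    ] + [(t, err(20 + t // 10, 'user "admin": password mismatch', '198.51.100.7'))
         for t in (20, 30, 40, 50)]                   # 6th failure within findtime
    login_events = [(t, acc('192.0.2.51', 401)) for t in range(0, 60, 10)]      # burst
    login_events += [(t, acc('192.0.2.50', 401)) for t in range(0, 1800, 300)]  # slow
    login_events.append((1810, acc('192.0.2.50', 200)))                         # success
    login_events.sort(key=lambda e: e[0])
    return {
        'nginx-http-auth': run(Jail('nginx-http-auth', NGINX_HTTP_AUTH), auth_events),
        'nginx-login': run(Jail('nginx-login', NGINX_LOGIN), login_events),
    }


if __name__ == '__main__':
    print(demo())
```

The slow attacker at 192.0.2.50 never accumulates six failures inside one 600-second window and is never banned, which is why findtime matters as much as maxretry. Against a real log, test a filter with fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf and inspect live bans with fail2ban-client status nginx-http-auth.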

These solutions may not be the only ways to stop bots from attacking your Nginx server.  However, you can rely on these methods to avoid the negative effects of malicious bots. Get in touch with one of our Plesk experts if you need further assistance regarding a bot attack.



Server DDoS Protection – Techniques you need to know


If a million people suddenly show up at a restaurant, it obviously cannot serve its customers. The same goes for a website: an avalanche of traffic blocks your customers from reaching your online service because the server struggles to cope, slowing the site to a crawl or taking it offline. That is what happens in a Distributed Denial of Service (DDoS) attack. Without server DDoS protection, your visitors cannot access the information and commercial services you provide, or they run into problems with your website’s functionality.

Unscrupulous competitors and malicious actors launch DDoS attacks all the time. DDoS attacks are popular with attackers because they are an inexpensive but effective way to disrupt online services, and they often go unpunished. So, what is the best server DDoS protection for you?


What’s DDoS protection?

DDoS attacks come in all varieties with strategies like volume, protocol, and application layer attacks. This means your DDoS mitigation software needs to be versatile enough to cope with anything thrown at it.

Volume-based and protocol attacks are like a tsunami that try to flood your server resources and network. In which case, the server DDoS protection filters illegitimate connections from the traffic.

We offer the best DDoS protection with an enterprise-grade service.  Our server DDoS protection can handle the most common attack types, including:

  • UDP Flood
  • SYN Flood
  • SYN-ACK Flood
  • ICMP Flood
  • DNS Reflection Flood
  • Fake Sessions
  • Synonymous IP
  • Misused Application Attack

DDoS attacks can be lethal to your business. So choose the best server DDoS protection, like ours, to block all forms of DDoS attacks.

Software that detects and analyzes DDoS attacks

DDoS attacks can be very sophisticated, and it’s not always obvious when an attack’s happening. But the best DDoS protection can recognize and deal with an attack immediately. Moreover, such software can also be a detective, analyzing the attack to reveal the method used.

Traffic is continuously being filtered through Plesk’s DDoS protection appliances. Therefore, you get instant protection when an attack begins. They detect and avert DDoS attacks in 90 seconds or less. Great for you, because the quicker you pick up on an attack, the safer your data is.

Without the best DDoS protection, your server could be down for days. And any business can be attacked, so everyone needs protection.

Server DDoS protection – your software umbrella

As technology marches on, DDoS attacks become more sophisticated and hence, more difficult to spot. But the best server DDoS protection is constantly updated, as new info about how attacks evolve comes to light. Plesk aims to always be one step ahead, so our software can turn back any DDoS attack on your website.

The best DDoS protection covers you against all attacks

DDoS attacks don’t just happen to large corporations and governments, the ones you see in the headlines. In fact, 90% of DDoS attacks hit much smaller players, and for them the damage is just as significant.

For instance, without server DDoS protection, your website might receive a run of just 50 bot attacks. That doesn’t sound like much: the server won’t crash and you may not even notice there’s a problem. But page load times may slip by just enough to annoy your customers, who then go and look at your competitors’ websites, and you lose money.

The best DDoS protection can protect you from a flood attack of 1Gbps all the way up to 40Gbps. So, if you have a current service provider, then be cautious and check they can do this.

How to get server DDoS protection using Plesk

The Plesk Onyx hosting platform has supported system administrators for over 10 years. Use the Plesk server management solution to automate the everyday tasks of a web hosting business, or your own daily server-based operations.

For the best DDoS protection Plesk has a dedicated extension, DDoS protection by Variti.

The Best DDoS Protection – How Plesk Works

  • All incoming website traffic passes through a distributed network of filtering nodes. We analyze traffic in real-time, checking multiple characteristics.
  • We have developed mathematical algorithms to filter automated traffic from real users’ queries. Then we classify requests as either legitimate (real user) or illegitimate (bot).
  • We distinguish between the different users sharing a single IP address (mobile or wireless Internet, providers using NAT, public Wi-Fi), so that one abusive client does not get a whole network blocked.
  • Also, we inspect suspicious visitors discreetly, basing our approaches on behavioral analysis.
  • Active Bot Protection instantly blocks malicious traffic in less than 50 ms, upon detecting a DDoS attack or during an automated scanning threat.
  • Our server DDoS protection allows well-meaning users to enjoy the website’s functionality and services – without interruption.