The problem of protection against DDoS attacks remains one of the most urgent at the present stage of the development of the Internet.
The Meaning of DDoS Attack
A DDoS attack is a distributed denial-of-service attack on an Internet service. When such an attack on a server succeeds, the server stops responding to legitimate requests from users. Large DDoS attacks target government websites and the websites of leading IT corporations such as Amazon, Yahoo and Microsoft. Even these corporations, with their huge resources, cannot always cope with and repel such attacks.
World leaders in information security make DDoS detection and mitigation a top priority in their research and development, which shows that developing and deploying methods of protection against DDoS attacks is an urgent task. Currently, one of the most popular types of DDoS attack is the attack based on reflection and amplification of malicious traffic.
When developing new universal methods of protection against attacks of this type, the primary task is to analyze the protocols that can be used to carry them out. It is also necessary to analyze the existing methods of protection against attacks that reflect traffic through the various protocols.
Countermeasures are a set of measures aimed at blocking illegitimate traffic and isolating it from the general flow. Applying a set of countermeasures to the current traffic of a protected object is called cleaning, or mitigating, the attack traffic. Methods of protection against DDoS attacks can be roughly classified by two criteria. The first criterion is where the protection mechanism is located in the network: protection methods can be applied at the source, on the victim's side, or at intermediate network nodes. Methods that combine several protection schemes and ensure their interaction are usually called hybrid.
The Main Stages of DDoS Protection
For a DDoS attack, the attacker organizes a network of previously compromised computers and servers (a botnet) whose activity is controlled by specialized control centers, the command centers. Through such a center the bots are commanded to attack, after which an avalanche-like increase in the volume of malicious traffic is recorded on the target resource. The user of a compromised computer often does not suspect that, at that moment, his device is taking part in the aggression.
The main stages of protection, and the ways to stop a DDoS attack, are:
- monitoring stage;
- stage of attack detection;
- stage of counteracting the attack.
Monitoring mechanisms collect statistical data and build the statistical profiles of normal behavior for various network traffic parameters of the monitoring object. The monitoring object is the part of the analyzed traffic that meets certain criteria, for example ranges of IP addresses, or traffic to specific services or applications (HTTP, DNS, FTP, and others). The statistics of the monitoring mechanism can also contain the parameters (signatures) of already known types of attacks.
At the attack detection stage, the current parameters of the passing traffic are compared with the statistical profile. DDoS attacks are detected by examining the deviations of the current traffic from the normal traffic profile.
The second main task at the detection stage is the classification of anomalies. Based on the classification, the specific set of countermeasures required to suppress the attack is selected and its likely sources are identified. Classification of anomalies is therefore one of the top priorities in DDoS mitigation mechanisms.
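An added example, not from the original article, of the three stages described above on constructed per-second traffic counters: a statistical profile of normal behavior is built from a quiet period (monitoring), later samples are scored by their deviation from that profile (detection), and the deviating parameters select a coarse anomaly label from which a countermeasure set would be chosen (classification). The parameter names, the z-score threshold and the labels are this example's own assumptions.

```python
import statistics

# Constructed sample: per-second counters for one monitoring object (a protected
# IP range). The first 20 seconds are quiet baseline traffic; the last 5 show a
# surge of inbound DNS responses, the shape a reflection/amplification attack produces.
SAMPLES = (
    [{"pps_total": 1000 + 10 * (i % 5), "dns_resp_in_pps": 50 + (i % 3),
      "syn_pps": 20 + (i % 4)} for i in range(20)]
    + [{"pps_total": 25000, "dns_resp_in_pps": 24000, "syn_pps": 22} for _ in range(5)]
)


def build_profile(window):
    """Monitoring stage: mean and standard deviation of every traffic
    parameter over a period believed to be normal."""
    profile = {}
    for key in window[0]:
        values = [s[key] for s in window]
        profile[key] = (statistics.mean(values), statistics.pstdev(values))
    return profile


def deviations(profile, sample, threshold=4.0):
    """Detection stage: parameters whose z-score against the profile exceeds
    the threshold. A floor of 1 on the std avoids dividing by zero."""
    out = {}
    for key, (mean, std) in profile.items():
        z = (sample[key] - mean) / max(std, 1.0)
        if z > threshold:
            out[key] = round(z, 1)
    return out


def classify(dev):
    """Classification stage: a coarse label derived from which parameters
    deviate (labels are this example's own, not a standard taxonomy)."""
    if not dev:
        return "normal"
    if "dns_resp_in_pps" in dev:
        return "volumetric-reflection"  # unsolicited responses: filter or rate-limit them
    if "syn_pps" in dev:
        return "syn-flood"
    return "volumetric-unknown"


def analyze(samples, baseline_len=20):
    """Profile the first baseline_len samples, then label every later sample."""
    profile = build_profile(samples[:baseline_len])
    return [classify(deviations(profile, s)) for s in samples[baseline_len:]]


if __name__ == "__main__":
    print(analyze(SAMPLES))  # five "volumetric-reflection" labels
```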