TOCICI

Denial of Service Attacks

What are they?

Denial-of-service (DoS) Attack

Denial of Service attacks have been around almost as long as the Internet itself. Simply put, a DoS attack is a malicious attempt to make a computer resource unavailable for its intended use, by preventing legitimate users from accessing information or services. In general terms, DoS attacks are carried out by:

  1. Forcing the targeted system(s) to reset or crash.
  2. Consuming resources (bandwidth, CPU, memory, connection-table entries) so that the targeted system can no longer provide its intended service.
  3. Obstructing the communications path between the intended users and the victim, so that they can no longer communicate adequately.

Distributed Denial-of-service (DDoS) Attack

A DDoS attack is called "distributed" because the attacker launches it from many systems at once1), which makes it both larger and much harder to block by source address.

Attack Types

Today’s many types of attacks fall into two main categories:

VOLUMETRIC ATTACKS

Flooding attacks that saturate network bandwidth and exhaust network infrastructure (routers, firewalls, state tables) in front of the target.

Examples: ICMP, UDP or TCP SYN flooding

APPLICATION LAYER ATTACKS

Harder to detect than volumetric attacks, because the traffic looks like legitimate requests and the volume can be modest. These target a specific application or service and exhaust its resources (CPU, memory, worker processes, database connections) rather than the network.

Examples: HTTP request floods, DNS query floods.

Is Your Server at Risk?

YES

Attack targets are not limited to high-profile systems. If your environment is not adequately protected, it is at risk.

How to Identify a DDoS Attack?

A DDoS attack can be confused with scheduled system maintenance, so check our system status page before assuming an attack. A sudden four-fold or higher increase in web, email or network traffic that you cannot tie to a known cause (a launch, a mailing, a scheduled job) is, however, a strong indicator that an attack is underway.
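As an added check (example code written for this page, not TOCICI's detection logic): a small POSIX shell/awk script that turns web-server access-log lines into per-minute request counts and flags any minute whose count is at least four times the average of the preceding five minutes. The log lines and counts below are constructed; the window and factor are assumptions to tune against your own traffic, and the log format is assumed to be the common/combined format where the fourth field holds the timestamp.

```shell
#!/bin/sh
# Constructed access-log lines in common/combined format (not real traffic).
LOG='10.0.0.1 - - [19/Dec/2014:12:07:01 +0000] "GET / HTTP/1.1" 200 512
10.0.0.2 - - [19/Dec/2014:12:07:30 +0000] "GET /a HTTP/1.1" 200 100
10.0.0.3 - - [19/Dec/2014:12:08:05 +0000] "GET /b HTTP/1.1" 404 0'

# Constructed per-minute request counts ("HH:MM count"); the last three minutes
# show a sudden jump of roughly 5x over the preceding baseline.
SAMPLE='12:00 118
12:01 124
12:02 130
12:03 121
12:04 127
12:05 119
12:06 122
12:07 640
12:08 655
12:09 660'

# per_minute_counts < access.log
# Collapses log lines into "HH:MM count" lines, in log order. The fourth field
# is "[19/Dec/2014:12:07:01", so the first ":dd:dd:" inside it is HH:MM.
per_minute_counts() {
    awk '
    {
        if (match($4, /:[0-9][0-9]:[0-9][0-9]:/)) {
            m = substr($4, RSTART + 1, 5)
            if (m != last) { if (last != "") print last, c; c = 0; last = m }
            c++
        }
    }
    END { if (last != "") print last, c }'
}

# spike_check [FACTOR] [WINDOW] < counts
# Prints "HH:MM count baseline" for every minute whose count is at least FACTOR
# times the mean of the previous WINDOW un-flagged minutes. Flagged minutes are
# not admitted into the baseline, so a sustained flood keeps being flagged
# instead of quietly becoming the new normal.
spike_check() {
    awk -v factor="${1:-4}" -v window="${2:-5}" '
    {
        if (n >= window) {
            base = sum / window
            if (base > 0 && $2 >= factor * base) {
                printf "%s %d %.1f\n", $1, $2, base
                next
            }
            sum -= vals[n % window]   # slide the window: evict the oldest minute
        }
        vals[n % window] = $2; sum += $2; n++
    }'
}
```

Typical use is `per_minute_counts < /var/log/nginx/access.log | spike_check 4 5`, or the same pipeline fed from `tail -f` for a live view. The baseline is a plain mean of the last five quiet minutes; for a site with strong daily cycles, compare against the same minute on previous days instead, or the check will fire on every morning ramp-up.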

Who's Attacking?

Motives, targets, modes and methods vary. An attack's general intention is to prevent a website from functioning efficiently, if at all, for an indefinite period of time.

The attacks are often performed by organized crime syndicates2), hackers3), and script kiddies4). Behind those labels, the people paying for or launching an attack are often:

  1. Business competitors
  2. Disgruntled employees
  3. Any vigilante group, or one person, that doesn't like you

Why Do Attacks Occur

The most obvious reason: to force an online service offline.

In recent years, however, DDoS attacks have also been launched for blackmail, for political power plays, or simply because a bored, computer-savvy child could. The widespread prevalence of internet-connected, malware-laden Microsoft-based computer systems has profoundly lowered what was previously a high barrier to entry5).

How Do You Avoid a DDoS Attack?

There is no simple way to eliminate the threat of DDoS attacks. There are, however, steps that reduce the likelihood of your own computers being used to launch one, and that limit the impact of a large-scale attack on you.

  • On the Microsoft Windows platform, install and maintain adequate anti-virus, anti-spam, and anti-malware software.
  • Promptly install patches and software updates.
  • Limit the types of traffic permitted in and out of your network.
  • Most crucial of all, work with your hosting company:
    • Select a web hosting provider that has invested in the capacity, tools, and skills critical for mitigating attacks. Such capacity costs tens of thousands of dollars; ask your hosting provider how they mitigate DDoS attacks today.
    • Have a working knowledge of your hosting company and be familiar with their security measures. What prevention measures does your web host employ?
    • Increase server and network capacity. During an attack, demand increases until there is no more capacity; how much spare capacity does your hosting provider maintain?
    • Use firewalls to DROP traffic towards unused protocols and ports.
    • Configure switches and routers to detect and protect against attacks, using automatic rate filtering, load balancing, and null-routing functions.
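An added example of the last two firewall items (written for this page; it is not TOCICI's ruleset): a POSIX shell function that emits an iptables-restore ruleset with a default DROP policy on inbound traffic, rate-limited handling of TCP SYN and ICMP echo, and a per-source cap on new SSH connections. The assumption that the host runs only SSH plus the listed TCP ports, the port defaults, and every rate below are assumptions to tune, not facts from the page.

```shell
#!/bin/sh
# gen_rules [SSH_PORT] [TCP_PORTS]
# Prints a default-deny IPv4 ruleset in iptables-restore format. Everything not
# explicitly allowed below is dropped by the INPUT chain policy, which is what
# "DROP traffic towards unused protocols and ports" means in practice.
# Assumptions (not TOCICI's settings): the host offers SSH plus the TCP ports in
# TCP_PORTS (default "80 443"); the rates are starting points, not tuned values.
gen_rules() {
    ssh=${1:-22}
    tcp_ports=${2:-"80 443"}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNLIMIT - [0:0]
# loopback, and replies to connections this host opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# malformed or out-of-state packets never reach a service
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SYN flood damping: every new TCP connection attempt passes through SYNLIMIT,
# which RETURNs a bounded rate to the per-port rules below and drops the rest
-A INPUT -p tcp --syn -j SYNLIMIT
-A SYNLIMIT -m limit --limit 200/second --limit-burst 400 -j RETURN
-A SYNLIMIT -j DROP
# ICMP echo stays available for diagnostics but cannot be used to flood us
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# SSH: at most 4 new connections per minute from any single source address
-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 4/minute --hashlimit-burst 4 -j DROP
-A INPUT -p tcp --dport $ssh -m conntrack --ctstate NEW -j ACCEPT
EOF
    # the services this host actually runs; anything else falls through to DROP
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# apply_rules [SSH_PORT] [TCP_PORTS]
# Parses the ruleset without loading it (-t), then loads it atomically, so the
# DROP policy and the ACCEPT rules take effect together and you are not locked
# out of SSH halfway through. Needs root and iptables-restore; not run here.
apply_rules() {
    gen_rules "$@" | iptables-restore -t && gen_rules "$@" | iptables-restore
}
```

Run `gen_rules` (or `gen_rules 2222 "80 443 8443"`) to review the output before `apply_rules` on a console you will not lose. Two caveats: the SYN limit is global, not per source, so a real flood will also starve legitimate clients (bounding it protects the host's state tables, not its availability; that is what the upstream mitigation discussed later on this page is for), and the per-source SSH cap applies to everyone behind a shared NAT address, so a whole office counts as one source.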

Changing IP Addresses

We are often asked to change a VPS's IP address as a way of mitigating the effects of a DDoS against an environment.

On its own, this does not work: attackers simply start attacking the new IP address moments after the VPS's services come online there (DNS, and the service itself, tell them where it went).

It only works if you simultaneously place your VPS behind a DDoS shield provider, so that the new address is never exposed directly. If you can demonstrate that you have moved the attacked service addresses behind a DDoS shield, we will work with you to promptly change your VPS's IP address.

Additional reading:

DDoS Protection & Mitigation

What does TOCICI Do?

To help you handle attacks, TOCICI offers a tiered attack mitigation system. The most basic tier, integrated automatically and at no charge with all services, is our automated attack detection and IP null-route service.

Hobbyist and non-production environments benefit from this cost-effective automated null-route mitigation: it protects against sudden system crashes, data and database corruption, and runaway log files, and it minimizes the risk of bandwidth overages and their related fees.

A standard null route does, however, make the targeted environment unreachable from the general internet for the duration of the attack. For a business environment that means revenue loss, brand damage, and loss of access to important business tools and hosted services. Whether you are a large enterprise, a small business, an e-commerce company or a government institution, it is vital to detect and mitigate an attack before it impacts your business; this is why we also offer customized, integrated DDoS protection packages.

TOCICI's six-figure investment in attack mitigation tools and staff training includes:

  • Specially designed firewalls that rate-limit excessive traffic.
  • QoS actively applied on OSI layer 2 through 7 equipment, to give specific network traffic the appropriate priority.
  • Network intrusion detection systems that detect, notify on, and can mitigate unwanted network activity.
  • Host-based intrusion detection systems that identify, and can disable, malicious programs.
  • Engineers and support staff who receive ongoing training, and actively study new attack methods and their mitigation strategies.
  • Pre-production staging of internal systems and managed hosted environments by experienced systems engineers, enabling prompt attention to software patches and updates.

External Providers

As an alternative to TOCICI's offerings, various third-party providers may also be able to help you mitigate the effects of an attack. For instance:

To utilize any of these service providers, we encourage you to visit their websites and contact them directly.

Load Testing Systems

When you load-test a server, you risk tripping our DDoS detection and mitigation systems and the business processes behind them. To minimize that risk, please:

  1. Coordinate your tests by emailing support@tocici.com at least 24 hours before the planned testing.
  2. Use the distributed load-generation features found in popular performance and load-testing suites, rather than generating all of the load from a single source address.

DDoS Mitigation Impacts

Many knowledgeable hosting providers implement similar DDoS mitigation practices. For example:

Inbound & Outbound traffic

As per the Terms of Service that you accepted upon signing up: if your environment receives, or sends, a disproportionately high volume of data or messages, that volume may be considered an attack and can subject your services to immediate suspension. If you expect high volumes of traffic, please discuss your business needs and goals with us before you implement them.

Unusually high volumes of traffic include, but are not limited to:

Email

Volume   Description & Discussion
3,000    Daily6) sending limit
90,000   Monthly7) sending limit

These sending limits exist to prevent our systems from being used as a spam launching platform. Large email hosting providers are often stricter. If you have a valid business need to exceed these quotas, please consider a specialized bulk email provider such as MailChimp or Amazon's purpose-built SES, or contact support to discuss your goals in detail.

SSH Connections

Volume   Description & Discussion
4        Per minute, per unique source IP address

This limit exists to minimize the risk from SSH brute-force attacks. At last check8), TOCICI's network received an average of 122 excessive/brute-force SSH connection attempts per second (about 10,540,800 per day). If you need to establish inbound SSH connections more often than 4 per minute from the same IP address, set up SSH multiplexing so that many sessions share one connection, and/or run your sshd daemon on a non-default port.
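An added example of both suggestions (written for this page; not TOCICI's configuration): a POSIX shell script that appends a multiplexing stanza to an OpenSSH client config, wraps the master-connection control commands, and moves sshd to another port. The hostname vps.example.com, port 2222, and all file paths are assumptions; paths are taken as arguments so nothing here touches your real ~/.ssh or /etc/ssh unless you pass those paths.

```shell
#!/bin/sh
# Client-side SSH multiplexing plus a server-side port change.
# Assumptions (not TOCICI's settings): the VPS is vps.example.com and its sshd
# listens on 2222; config paths are passed in explicitly.

# write_mux_config CONFIG_FILE HOST_PATTERN [PORT]
# Appends a multiplexing stanza to CONFIG_FILE (normally ~/.ssh/config). With it,
# the first ssh/scp/rsync to the host opens one TCP connection (the "master") and
# later sessions ride on it: the server sees one new connection, not one per
# command, so a scripted burst stays under a per-source connection limit.
write_mux_config() {
    cfg=$1; host=$2; port=${3:-22}
    mkdir -p "$(dirname "$cfg")"
    cat >>"$cfg" <<EOF
Host $host
    Port $port
    # reuse a running master connection; start one if there is none
    ControlMaster auto
    # one socket per user/host/port, on a local filesystem in a mode-0700 dir
    ControlPath ~/.ssh/cm-%r@%h:%p
    # keep the master alive for 10 minutes after the last session closes
    ControlPersist 10m
EOF
    chmod 600 "$cfg"
}

# Master connection management (needs network access, so not run here).
mux_open()   { ssh -fNM "$1"; }                  # background master, no command
mux_status() { ssh -O check "$1" 2>/dev/null; }  # exit 0 if a master is up
mux_close()  { ssh -O exit "$1"; }               # ask the master to exit

# set_sshd_port SSHD_CONFIG PORT
# Moves sshd off port 22 (server side). Rewrites an existing "Port" line, whether
# commented out or not, and appends one otherwise. Keeps a .bak copy either way.
set_sshd_port() {
    cfg=$1; port=$2
    if grep -Eq '^#?Port ' "$cfg"; then
        sed -i.bak -E "s/^#?Port [0-9]+/Port $port/" "$cfg"
    else
        cp "$cfg" "$cfg.bak"
        printf 'Port %s\n' "$port" >>"$cfg"
    fi
    # validate before restarting sshd: `sshd -t -f "$cfg"` exits non-zero on error
}
```

After `write_mux_config ~/.ssh/config vps.example.com 2222`, run `ssh -G vps.example.com | grep -i control` to see the options OpenSSH actually resolved, then `mux_open vps.example.com` once and every further `ssh`, `scp` or `rsync` to that host reuses the master. Remember that a non-default sshd port must also be allowed by the host firewall before you restart sshd, and note the port change only reduces noise from scanners; it is not a substitute for key-only authentication.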

IP Networking

Volume      Description & Discussion
Bandwidth   Varies. Limits are set in per-minute, per-hour, per-day, and per-month increments, and depend on your VPS type.

This limit is intended to prevent our systems from being used as an attack launching platform. Your environment has either:

  1. A monthly data transfer quota, described as 1TB/month, 5TB/month, etc…; or
  2. A committed data transfer rate described as 10Mbps, 50Mbps, etc…

To help you weather unexpected and short-lived increases in activity, all environments have a generous "burst" ceiling; used continuously, it would result in very high bandwidth overage fees for you.

A normal, short-lived burst might mean a twofold or threefold increase in site visitors over a few hours. Under most circumstances we do nothing in response to such short-term, low-grade increases. An unusual spike in activity and/or traffic is anything exceeding that general guideline. Barring exceptional circumstances, we will contact you before taking your environment offline9).

If you have a valid business need to regularly exceed bandwidth quotas, please contact support to discuss your needs and goals in detail.

Integrated DDoS Protection

Upgrading beyond our standard null-route mitigation strategy helps business environments minimize the risks of revenue losses, brand tarnishment, or loss of access to important business tools and hosted services.

DoS and DDoS attacks vary dramatically in size, from a few Megabits per second to tens of Gigabits per second or more, and the packet rate matters as much as the bit rate, since small-packet floods exhaust router and firewall capacity long before they fill a link. The larger the attack, the harder it is to keep it from affecting the infrastructure around the target. Our Integrated DDoS Attack Protection is sold in packages that protect you from the effects of an attack up to the volume of protection you have pre-purchased.

Protection                     Price10)
4,000 Mbps & 8,000,000 PPS     $1,000/month
6,000 Mbps & 10,000,000 PPS    $1,200/month
8,000 Mbps & 12,000,000 PPS    $1,800/month
10,000 Mbps & 15,000,000 PPS   $2,250/month
12,000 Mbps & 18,000,000 PPS   $2,700/month
15,000 Mbps & 21,000,000 PPS   $3,100/month

We understand that these protection plans are not cheap. Simply put: raw, production-grade internet connectivity is not cheap. Even with our existing provider relationships, negotiated long-term contracts, enterprise-grade infrastructure, and already good bandwidth prices, attack mitigation requires raw bandwidth, very high quality equipment, and a team of highly skilled technical staff; we pass our own hard costs directly to you, without markup or profit.

According to Arbor Networks, the average volumetric DDoS attack was 2.7 Gbps by June 2013 (up from 1.84 Gbps in May 2012), and the trend continues to rise sharply. This is why we no longer offer pre-paid mitigation plans below 4 Gbps / 6 MPPS11): during most attacks you would gain essentially nothing from a smaller plan.

Exceeding Protection Capacity

If an attack exceeds the volume of protection you have pre-purchased, the following steps are taken:

  • Automated systems email, call and/or SMS you, alerting you that you are under attack and exceeding your quota.
  • For a short period, we continue helping to mitigate the ongoing attack, as a courtesy under your existing subscription.

If the attack continues or increases, the following options are available:

  • You may upgrade to the next level of protection12).
  • We null-route your traffic, in order to protect our infrastructure.

We will make every effort to work with you, explain all possible options, and act in accordance with your wishes. However, because such attacks can have a profoundly negative impact on our general operations (and on the operations of other customers), we reserve the right to protect our infrastructure from these threats at all times.

If you find that our DDoS mitigation plans and options are unacceptable, we encourage you to discuss your options with the many 3rd-parties that we have suggested above, and/or to immediately move your services to a different hosting provider, without delay.

1) very often virus- or malware-infested Microsoft desktops and servers
2) for hire, for the purpose of injuring a business's operations
3) for hire or for sport, using either well-known techniques and tools or something they have developed themselves
4) a less mature, but unfortunately often equally dangerous, exploiter of security lapses on the Internet. Using existing and often well-known techniques and tools, they indiscriminately seek out and exploit security weaknesses, with little regard for, or perhaps even understanding of, the potentially harmful consequences. See Wikipedia
5) in their defense, Microsoft has recently (circa 2012) taken a leadership role in taking down larger botnets that run on its software platform
6) 24 hours
7) 720 hours
8) on December 19th, 2014
9) being the target of an active DDoS is considered an exceptional circumstance
10) If you require a higher level of protection than listed, please contact us. The setup charge equals one month's service, and pre-payment is required in minimum six (6) month increments. All charges are non-refundable.
11) 4,000 Mbps & 6,000,000 PPS
12) you must pay for a subscription level that will handle the current attack; setup fees are discounted only by the amount of setup fees already paid