One characteristic that is rarely taken into consideration when buying hosting space, a cloud server or a dedicated server is how the hosting provider will behave when your site is targeted by an attacker with a DDoS (Distributed Denial of Service) attack.
We will not go into the details of the various types of attack at layer 3 or layer 7 of the ISO/OSI model, because we do not want to delve into the endless, constantly evolving variety of DDoS attack modes.
We just want to show you the two most common ways providers behave when your site is attacked and, inexplicably, you see it go down for no apparent reason, leaving you alone against experienced attackers who are keeping you offline for hours or days.
In that moment of absolute darkness, in which you have no idea what is happening or what countermeasures to take, I assure you that having a competent, well-prepared and collaborative hosting provider is like meeting an iced-drink seller after three days of thirst and agony in the desert.
This article stems from a mishap that happened to one of our customers, whom we follow on one of his other suppliers (not ours), who received an attack last night. I therefore want to tell you what happened and what the standard behaviours are (not only of this provider) when a site or a VPS instance (as in this case) receives a DDoS.
Although we may naively think that a DDoS attack is something extremely rare, unlikely, almost impossible, things are different, as shown by the following infographic, which reports the situation in our country in 2017 and is in any case still current.
Offline site and server. Here is a real case.
Although it may seem hardly credible, this modus operandi is one of the most in vogue among cheap hosting providers, whose business model does not take into account that in all probability each of their customers will sooner or later receive a more or less significant DDoS attack.
A practical example concerns a well-known German hosting provider, famous for selling well-sized VPS instances at very attractive prices (from 5 to 30 euros per month, to be clear).
The really striking thing is that all of their Linux VPS solutions, of any size and any price, include DDoS management, as they themselves state:
Clicking on the info link in orange takes us to an in-depth page that reads verbatim (version translated into Italian with Google Translate):
A Distributed Denial of Service (DDoS) attack refers to overloading a server or service, which is the target of the attack, by sending a high amount of requests, often unnecessary, so that the server or service is no longer able to complete its regular tasks. The server or service is proverbially "wiped out": it is no longer possible to reach it via the Internet as long as the attack continues.
Unfortunately, DDoS attacks are gradually becoming a more common occurrence on the internet. Contabo customer servers are becoming the target of such attacks more often. Without effective DDoS protection, the servers under attack would not be available on the Internet for an extended time.
In order to protect our customers from such attacks and the accompanying availability problems as much as possible, Contabo has developed an internal DDoS protection. This DDoS protection is free for all our customers, it is automatically activated for all servers and web space packages in Contabo data centers.
How does Contabo DDoS protection work?
Contabo's DDoS protection is a security system that automatically detects most DDoS attack patterns and filters incoming traffic to the server so that the "malicious" attack traffic is eliminated and only the "real" traffic desired arrive at the server. This means that you, as a Contabo customer, will barely notice a possible attack as our DDoS protection filters the attack in progress for you.
What does Contabo DDoS protection provide?
Contabo's DDoS protection has been developed to recognize 99% of all attack patterns, which it will filter. In all these cases the servers will remain online and available on the Internet, even if they are under attack.
What does Contabo DDoS protection not provide?
Like any other DDoS protection used or offered on the Internet, Contabo's DDoS protection has its limitations. While our protection recognizes and filters 99% of all attack patterns, there are some DDoS attacks that cannot be mitigated due to their sheer pattern or volume. The likelihood of your server being affected by attacks that our DDoS protection cannot filter out is very low. In addition, we are continually working to further improve our protection system so that even attacks that we cannot avoid today will be recognized and filtered out in the near future. However, we ask that you understand that Contabo DDoS protection - like any other DDoS protection - does not guarantee that your server system will be protected from every theoretically conceivable DDoS attack.
What should I do as a Contabo customer to get DDoS protection?
Nothing. Our DDoS protection is free for all Contabo customers; it is automatically activated for all servers and web space packages in Contabo data centers. Both our existing and new customers don't have to do anything: your uplink will be automatically and permanently protected by our DDoS protection.
Below is the original screenshot in English taken from their site: https://bit.ly/31Zabdp
In short, reading the above, one would think that unless you are targeted with traffic of hundreds of gigabits per second, the hosting provider should be able to mitigate the inbound DDoS at layer 3 without disrupting the customer's business.
Yet yesterday this e-mail communication arrived, announcing that an entire VPS instance was being taken offline until further notice, for just 1 gigabit per second of inbound traffic. More than a DDoS attack, I would call it "a caress of DDoS".
In short, at the first small problem the supplier practically took the VPS instance, and the customer's business, offline. The only saving grace was that the DDoS was short-lived, which allowed the instance to be reactivated after about an hour, at the provider's sole discretion. If the attack had lasted hours, days or weeks, the instance would have been offline for the whole duration.
Now, this case is not and must not be read as a negative stance towards a particular supplier; we are simply reporting one of many recent cases.
Managedserver.it offers collaboration and DDoS mitigation to safeguard the customer.
As a provider, we believe that a customer should have the opportunity to be professionally protected from both layer 3 and layer 7 DDoS attacks, i.e. network and application attacks.
At layer 3, for volumetric attacks (packet flooding), we are able to work at multiple levels: both through packet filtering by dedicated hardware on the edge routers and through our datacenter's partnership with Arbor Networks.
Arbor Networks is a leading provider of network security and management solutions to businesses, service providers and government organizations around the world.
Arbor distinguishes itself from other security providers in that it leverages its ability to deliver services and turns it into a benefit for all customers. Arbor has created ATLAS, a project born from the collaboration with over 230 service providers who have agreed to share anonymous data on Internet traffic with ASERT (Arbor Security Engineering & Response Team). This data, a total of 35 Tbps, is enhanced by Arbor's global "honeypot" network of more than 45 sensors in the dark and unused address space of customer networks. The information is aggregated and analyzed by the ASERT team and then sent back to customers in the form of attack signatures via the Arbor products in use. Arbor is therefore ideally placed to provide detailed data on the DDoS attacks, malware, botnets, exploits and phishing that threaten Internet infrastructure and services today. Ultimately, ATLAS provides a significant competitive advantage by giving customers both a micro view of their own network and a macro view of global network traffic. Today, this combination of network security information is unrivaled.
After completing a thorough review of our systems' ability to resist DDoS attacks, ManagedServer.it has implemented DDoS protection mitigation tools in our network, which consist primarily of Arbor and Juniper hardware. Our three-tier system allows us to clearly distinguish between valid traffic and malicious attacks.
[Figures: traffic flow during normal operations; traffic flow in a DDoS-protected system during an attack]
The DDoS protection system is divided into the following levels:
1. Automatic recognition of attack patterns
In addition to recognizing an attack based on the amount of traffic or the number of packets, we are able to clearly identify the actual attack and react specifically to that particular type of attack. For example, a UDP flood at 500k pps is harmless to a server; a SYN flood at 500k pps, however, can be a problem. Our DDoS protection tools can accurately detect this kind of difference.
2. Traffic filtering for known attack patterns
This method allows us to effectively filter the best-known attacks by loading their signatures into traffic control filters. The method is particularly effective in blocking the following types of attack: DNS reflection, NTP reflection, and UDP flood on port 80.
3. Challenge-response authentication and dynamic traffic filtering
In this last layer we filter out attacks in the form of SYN floods, DNS floods and invalid packets. We are also able to adapt flexibly to other, unusual attacks and reliably mitigate them.
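As an added illustration of the three tiers just listed (this is example code written for this article, not Managedserver.it's or Arbor's implementation), the following Python model runs constructed 1-second NetFlow-style flow records through the same stages: rate per traffic class (so a UDP flood and a SYN flood at the same pps are judged differently), static filters for DNS reflection, NTP reflection and UDP on port 80, and a dynamic stage that drops invalid packets and challenges unverified sources during a SYN flood. All thresholds, the `Flow` record layout and the sample flows are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record summarising a 1-second window (constructed format)."""
    proto: str       # "udp" or "tcp"
    src: str         # source address
    sport: int       # source port
    dport: int       # destination port on the protected server
    packets: int     # packets seen in the window
    nbytes: int      # bytes seen in the window
    flags: str = ""  # union of TCP flags seen: "S" = bare SYNs only, "SPA" = a real session


# Illustrative per-second thresholds (assumptions, not the provider's figures).
SYN_PPS_ALERT = 100_000     # bare SYNs per second that exhaust a server's backlog
UDP_PPS_ALERT = 1_000_000   # plain UDP volume a well-sized server still tolerates
INVALID_TCP_FLAGS = {"", "SF", "SR"}   # no flags, SYN+FIN, SYN+RST: never valid


def tier1_classify(flows):
    """Tier 1: measure the rate per traffic class, not just the total.
    500k pps of UDP and 500k pps of bare SYNs are counted separately because
    the same packet rate is harmless in one case and harmful in the other."""
    pps = defaultdict(int)
    for f in flows:
        cls = "tcp_syn" if f.proto == "tcp" and f.flags == "S" else f.proto
        pps[cls] += f.packets
    alerts = []
    if pps["tcp_syn"] >= SYN_PPS_ALERT:
        alerts.append(("syn_flood", pps["tcp_syn"]))
    if pps["udp"] >= UDP_PPS_ALERT:
        alerts.append(("udp_flood", pps["udp"]))
    return dict(pps), alerts


def tier2_known_patterns(flows):
    """Tier 2: static filters for well-known patterns (DNS reflection, NTP
    reflection, UDP flood on port 80). Returns (rule, source) drop decisions."""
    drops = []
    for f in flows:
        if f.proto != "udp":
            continue
        avg_len = f.nbytes / f.packets
        if f.sport == 53 and avg_len > 512:
            drops.append(("dns_reflection", f.src))    # large amplified DNS answers
        elif f.sport == 123 and avg_len >= 440:
            drops.append(("ntp_reflection", f.src))    # monlist-sized NTP responses
        elif f.dport == 80:
            drops.append(("udp_port80_flood", f.src))  # HTTP is TCP; UDP/80 is junk
    return drops


def tier3_dynamic(flows, syn_pps):
    """Tier 3: drop invalid packets and, while a SYN flood is under way, let only
    sources that have completed a handshake through; everything else is answered
    with a challenge (a SYN-cookie style handshake proxy) instead of reaching the
    server. Flood sources are usually spoofed, which is why a challenge works
    where per-source blocking would not."""
    under_syn_flood = syn_pps >= SYN_PPS_ALERT
    handshaked = {f.src for f in flows if f.proto == "tcp" and "A" in f.flags}
    decisions = []
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.flags in INVALID_TCP_FLAGS:
            decisions.append(("drop_invalid", f.src))
        elif under_syn_flood and f.flags == "S" and f.src not in handshaked:
            decisions.append(("challenge", f.src))
        else:
            decisions.append(("allow", f.src))
    return decisions


def mitigate(flows):
    """Run the three tiers in order and return their combined verdict."""
    pps, alerts = tier1_classify(flows)
    return {
        "pps": pps,
        "alerts": alerts,
        "tier2_drops": tier2_known_patterns(flows),
        "tier3": tier3_dynamic(flows, pps.get("tcp_syn", 0)),
    }


# Constructed 1-second sample: reflection traffic, a UDP flood on port 80,
# a SYN flood, an invalid SYN+FIN probe and one legitimate client session.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", 53, 33445, packets=200_000, nbytes=200_000 * 1200),
    Flow("udp", "198.51.100.9", 123, 9000, packets=100_000, nbytes=100_000 * 482),
    Flow("udp", "203.0.113.5", 40000, 80, packets=200_000, nbytes=200_000 * 64),
    Flow("tcp", "203.0.113.20", 51000, 443, packets=500_000, nbytes=500_000 * 60, flags="S"),
    Flow("tcp", "203.0.113.21", 51001, 443, packets=50, nbytes=3_000, flags="SF"),
    Flow("tcp", "192.0.2.10", 52000, 443, packets=120, nbytes=9_000, flags="SPA"),
]

if __name__ == "__main__":
    for key, value in mitigate(SAMPLE_FLOWS).items():
        print(key, value)
```

On the sample, the 500k pps of UDP stays below the volume alert while the 500k pps of bare SYNs raises a `syn_flood` alert, exactly the distinction the first tier is about; the second tier drops the three known UDP patterns regardless of volume, and the third tier challenges the flood source, drops the SYN+FIN probe and lets the established client through.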
The above technologies support a high level of automation, which will continue to be optimized step by step. We improve the system by analysing each attack and constantly adjusting our filters and responses.
Level 3 DDoS protection will not increase costs or prices and will be available to all customers. Our system will detect DDoS attacks at all times and its ability to recognize them will continually improve. Once an attack is recognized, dynamic DDoS protection tools immediately take action and filter the attack. Your traffic will usually not be affected by the DDoS protection system due to its dynamic attack mitigation method.
In addition to integrated protection such as Arbor Networks, especially for layer 7 (application) attacks we offer commercial Cloudflare plans with CDN and WAF (Web Application Firewall) functionality.
Cloudflare, Inc. is an American company offering content delivery network, Internet security and distributed DNS services, which sit between a site's visitors and the hosting provider of Cloudflare users, acting as a reverse proxy for websites.
It defended Spamhaus from a DDoS attack of over 300 Gbit/s; Akamai's chief architect called it "the largest publicly announced DDoS attack in Internet history". It has also reportedly absorbed attacks peaking at over 400 Gbit/s from an NTP reflection attack.
Cloudflare allows customers with subscription packages to take advantage of a web application firewall service. By default the firewall applies the OWASP ModSecurity rule set together with Cloudflare's own rules and those for common web applications.
Cloudflare offers domain name server (DNS) services to all customers on its anycast network. According to W3Cook, Cloudflare's DNS service currently powers over 35% of managed DNS domains. SolveDNS found that Cloudflare consistently has some of the fastest DNS resolution in the world, with a resolution time of 8.66 ms recorded in April 2016.
Not just tools, but above all know-how
In addition to adopting the right hardware/software solutions and the right commercial partnerships with specialized security companies, adequate know-how is essential to understand the attack in progress, identify its patterns and adopt the best filtering and DDoS mitigation solution.
Obviously, regardless of the tools, there must be adequate preparation and the willingness to protect a customer in a difficult moment, rather than simply switching off the machine and risking losing the customer, which at that moment may be the most convenient cost/benefit solution for the provider.
The truth is that you have to be ready, and unlike many other suppliers, we are.