I've taken some measures against DDoS attacks. I'd like to explain what a DDoS is and how it affects services, and what has been done to help protect against them.
The simplest form of attack is a Layer 7, or application-level, "slow attack". It works by exhausting the victim's resources: an attacker sends a large number of requests that the server works very hard to respond to, until it is so overworked that it can no longer serve real visitors.
To protect against these sorts of attacks, we employ Cloudflare. Cloudflare is a massive application that sits between the request and our servers. It absorbs malicious traffic and helps filter out attacks. Depending on the cleverness of the attack, Cloudflare sometimes has to respond by being more restrictive. This is when you see things like browser checks and CAPTCHAs.
Cloudflare works in a particular way, and clever people can find ways around it. Some applications are vulnerable to identification attacks that reveal the true source address of the servers. With this information, attackers could potentially bypass our front line of defense.
To handle this, I have done two things. The server now throws away any connections not from Cloudflare. That way, a direct Layer 7 attack will not work. Additionally, vulnerabilities have been moved to a smaller and less important Linode. If that server is attacked, no one will care.
Since attackers will be forced to use Cloudflare to even talk to the forum, they will have their options limited. Attacks can still work, depending on what methods they use. To help combat this, I've set up three different domain names. If one of the domains is attacked, I close it and will let people know what other domain to use for the time being.
That's a very inconvenient thing to do, so it's a last resort. Still, the option is there.
Most bases are covered. Uncovering the forum's true source won't help much, and is going to be very hard to do. Attacking Orange (the sub-server) won't bring down the website. Attacking Cloudflare is almost completely useless. Even if we can't stop attackers from breaking through Cloudflare, I can shut them off like valves to keep the server online (at the cost of annoying people).
Is there a weakness? Of course. Everyone reading this already knew what a DDoS was, or at least had heard of them. That's because the Internet is very vulnerable to this sort of attack. It's a big deal. That's why it's a felony in many western countries, including the United States.
A large-scale botnet attack with thousands of infected computers directly hitting the server would look something like this.
At this point, there's nothing to be done. An attack of this magnitude shakes the very foundation of the world wide web to its bones and reveals the innate flaws of its being. The best I could do is explain the situation to my hosting provider. I could obtain a new IP, or they could blackhole any non-Cloudflare IPs (like what I've done at the server level).
The blue bubble in my earlier diagram ceases to work at this point because, by the time the traffic reaches the server, it's already done its damage. Compared to a Layer 7 attack each connection is massively inefficient, but because there are so many of them, it doesn't matter. The Internet, as we all know, is a series of tubes. This sort of massive attack will clog them no matter what sort of fancy garbage disposal you have.
A botnet attack like that costs about $200 a day, from what I've seen.
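The "throw away any connections not from Cloudflare" policy described in the post, as an added example that is not code from the original post or from Cloudflare: a small Python allowlist that accepts a TCP peer only if it falls inside the edge provider's published ranges, honours the CF-Connecting-IP header (which Cloudflare really does set) only behind that check, and renders the equivalent nftables rules. The CIDR ranges below are constructed documentation prefixes, not Cloudflare's real ones; the class and function names are this example's own.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample ranges standing in for the edge provider's published list.
# In practice load https://www.cloudflare.com/ips-v4 and /ips-v6 and refresh
# them on a schedule; these TEST-NET / documentation prefixes are NOT Cloudflare's.
SAMPLE_EDGE_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "2001:db8::/32",
]


class EdgeAllowlist:
    """Decides whether a connecting peer is one of the proxy's edge addresses."""

    def __init__(self, cidrs: Iterable[str]):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def is_edge(self, peer_ip: str) -> bool:
        """True only if peer_ip parses and lies inside an allowlisted range."""
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False  # garbage peer string: never trusted
        return any(addr in net for net in self.networks)

    def client_ip(self, peer_ip: str, headers: dict) -> Optional[str]:
        """Return the real visitor address, or None if the connection must be dropped.

        CF-Connecting-IP is written by Cloudflare's edge. Anyone connecting
        directly can put an arbitrary value in it, so it is only honoured when
        the TCP peer itself is an edge address. A missing header behind a trusted
        edge is treated conservatively and also dropped.
        """
        if not self.is_edge(peer_ip):
            return None
        lowered = {k.lower(): v for k, v in headers.items()}
        forwarded = lowered.get("cf-connecting-ip")
        if forwarded is None:
            return None
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            return None  # malformed forwarded address: drop rather than guess


def nft_rules(cidrs: Iterable[str], ports: Iterable[int] = (80, 443)) -> str:
    """Render an nftables snippet that drops web-port traffic not from the edge ranges.

    This is the packet-filter form of the same policy; it only covers the web
    ports listed, so admin services (SSH etc.) need their own rules.
    """
    v4 = [c for c in cidrs if ipaddress.ip_network(c, strict=False).version == 4]
    v6 = [c for c in cidrs if ipaddress.ip_network(c, strict=False).version == 6]
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = ["table inet edge_only {"]
    if v4:
        lines.append("  set edge4 { type ipv4_addr; flags interval; elements = { "
                     + ", ".join(v4) + " } }")
    if v6:
        lines.append("  set edge6 { type ipv6_addr; flags interval; elements = { "
                     + ", ".join(v6) + " } }")
    lines.append("  chain input {")
    lines.append("    type filter hook input priority 0; policy accept;")
    if v4:
        lines.append(f"    tcp dport {port_set} ip saddr != @edge4 drop")
    if v6:
        lines.append(f"    tcp dport {port_set} ip6 saddr != @edge6 drop")
    lines.append("  }")
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allow = EdgeAllowlist(SAMPLE_EDGE_RANGES)
    # Constructed requests: one via the edge, one direct with a forged header.
    print(allow.client_ip("192.0.2.10", {"CF-Connecting-IP": "203.0.113.5"}))
    print(allow.client_ip("203.0.113.9", {"CF-Connecting-IP": "10.0.0.1"}))
    print(nft_rules(SAMPLE_EDGE_RANGES))
```

The two checks belong together: the nftables rules keep a direct Layer 7 attack off the origin, and the header check keeps per-visitor rate limits and bans keyed on the right address, since behind a proxy every request otherwise appears to come from the edge.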