What is an HTTP flood attack?

An HTTP flood attack is a form of Distributed Denial of Service (DDoS) attack specifically targeting web servers. In this malicious assault, the attacker overwhelms a web server with an enormous volume of HTTP requests, rendering it incapable of handling legitimate user requests. This tactic capitalizes on the stateless nature of the HTTP protocol, allowing for easy forging and amplification of requests. Such attacks can come from a single source or be distributed across multiple locations, making them harder to trace and block. The simplicity of executing these attacks makes them a popular tool among cybercriminals looking to disrupt online services.

How does it work?

Step 1: Request Amplification

HTTP flood attacks exploit the stateless nature of the HTTP protocol, enabling attackers to forge a vast number of seemingly legitimate requests. These requests are often designed to consume server resources disproportionately.

Step 2: Botnet Deployment

Perpetrators commonly utilize botnets, networks of compromised computers, to amplify the scale and impact of the attack. This distributed approach makes it challenging to trace and mitigate the source of the assault.

Step 3: Targeting Specific Vulnerabilities

HTTP flood attacks may exploit vulnerabilities in web server software, operating systems, or specific applications. By pinpointing weaknesses, attackers maximize the efficacy of their assault.

Types of HTTP flood attacks

In the realm of HTTP flood attacks, adversaries deploy a variety of tactics to overwhelm web servers, each with its own distinctive approach.

• GET Floods: GET Floods are a type of HTTP flood attack that targets the HTTP GET method used in web communication. Attackers send a massive number of GET requests to a web server, designed to look like legitimate user interactions, with the aim of overwhelming the server’s resources and capacity to respond. Imagine your website is a popular restaurant, and suddenly, an overwhelming number of customers flood in, each asking for the menu without any intention of placing an order. GET floods operate similarly, bombarding the server with a surge of requests for information, causing chaos and resource exhaustion.

• POST Floods:  POST Floods focus on the HTTP POST method, which is used for sending data to a server. In these attacks, cybercriminals flood the server with numerous POST requests, often containing seemingly valid data submissions. This flood of requests can strain the server’s CPU and memory resources, causing delayed responses or service disruptions. Picture customers storming in and placing orders at an unprecedented rate, without any regard for the kitchen’s capacity. POST floods emulate this scenario by inundating the server with an excessive number of data-submission requests, pushing the server to its limits and potentially causing it to stumble.

Impact of HTTP flood attack

Picture your website as a bustling city during rush hour and an HTTP flood attack as an unexpected surge in traffic causing digital gridlock. This online congestion not only disrupts normal operations but also leads to inevitable downtime and service interruptions as the server contends with an overwhelming influx of requests.

• Downtime and Service Disruption. Think of your website as a bustling city with countless residents seeking information. An HTTP flood attack is like an unexpected traffic jam, bringing the entire city to a standstill. Downtime and service disruption become inevitable as the server struggles to handle the overwhelming surge of requests.
  Suggested article: Understanding the HTTP status codes

• Financial Loss. Just as a shop loses revenue when forced to close unexpectedly, businesses hit by an HTTP flood attack experience financial setbacks. The loss isn’t just in terms of immediate revenue; it’s also about potential future earnings as user trust takes a hit.
• Reputational Damage. Consider the impact on a brand when its flagship store experiences a sudden closure. Similarly, successful HTTP flood attacks can tarnish a website’s reputation, eroding the hard-earned trust of users. Reputational damage extends beyond the immediate attack, affecting long-term relationships with customers.

5 Signs your website is under HTTP flood attack

Early detection of an HTTP flood attack is crucial for effective response. Here are technical indicators that may signal such an attack:

1. Increased HTTP Request Rates: If your web server logs show a sudden and sustained increase in HTTP GET or POST requests, especially from a range of unusual IP addresses, this could indicate an attack. Monitoring tools can be configured to alert administrators to spikes that exceed baseline levels.
2. Increased CPU and Memory Usage: HTTP flood attacks force the server to handle a massive number of requests, leading to unusual CPU and memory consumption. If your server resources are maxing out unexpectedly, this might be a sign of a flood attack.
3. Slow or Non-Responsive Website: A significant HTTP flood attack can slow down your website or make it entirely unresponsive, as the server struggles to handle the load. If your site becomes inaccessible or experiences frequent timeouts, it may be under attack.
4. Log Files Full of Repetitive Requests: When reviewing server logs, you may notice a large volume of similar requests, often with the same IP range, user agent, or request URL. This repetitive pattern is a hallmark of HTTP flood attacks, as attackers often send requests in bursts.
5. Increased Bounce Rate Without Clear Cause: When legitimate users experience a slow or non-responsive website due to an attack, they are more likely to leave. If you see a sudden increase in bounce rate without an obvious reason, an HTTP flood attack may be the culprit.

Preventive measures against HTTP flood attack

Detecting an HTTP flood attack is akin to being the vigilant lifeguard at a crowded beach.

Monitoring service

Just as a lifeguard watches the ocean for irregularities, detecting HTTP flood attacks involves monitoring for abnormal spikes in web traffic. An unexpected surge signals trouble, prompting a swift response to ensure the safety of the online “beach.” With HTTP/HTTPS Monitoring service you will be able to keep track of the performance and availability of websites, web applications, and web services.

Web Application Firewalls (WAFs)

Think of WAFs as the vigilant eye of the lifeguard tower, surveying the digital sea. These firewalls analyze incoming traffic, identifying and blocking any suspicious activity, acting as a proactive defense against potential threats.

DDoS Mitigation Services

There are services specifically designed to protect against DDoS attacks, including HTTP Floods. DDoD Protection services work by diverting traffic through their networks first, filtering out the bad traffic, and only sending the good traffic to your server.

Implement Content Delivery Networks (CDNs)

CDNs distribute your content across multiple, geographically diverse servers, so it’s closer to your users. This not only speeds up content delivery but also means that traffic is spread out and not directed at a single server, making it harder for an HTTP Flood to have an impact. In addition, at ClouDNS you can build your own CDN with our GeoDNS service. With it you can be one layer protected against these malicious attacks. 

How to create your own CDN using DNS

Creating Redundancies

Have a backup plan, or in technical terms, create redundancies. If one server or network component fails under the load, others can take over. This is like having backup generators ready in case the main power supply goes out.

Conclusion

Though HTTP flood attacks present a real and present danger to web servers, the good news is that they are not insurmountable. By staying vigilant, employing a layered security approach, and embracing both reactive and proactive defense strategies, businesses can effectively dampen the impact of these attacks. Ensuring your website’s resilience in the digital ecosystem is key, allowing you to maintain seamless operations and safeguard your digital assets against such disruptive forces.

The post HTTP flood attack – What is it and How to prevent it? appeared first on ClouDNS Blog.

SYN flood attack: Origin and Basics

In the 1990s, a man named Wietse Venema explained a certain attack method in-depth. On its surface, the concept seems innocuous enough. In a network protocol, namely TCP, a three-way handshake commences communication. Imagine this as a modern chivalry ritual between your computer and the server you want to engage with.

1. You send a SYN (synchronize) packet: “Hi, can we chat?“
2. Server sends back SYN-ACK (acknowledgment): “Sure, let’s talk.“
3. You finish with an ACK: “Cool, let’s get started.“

What SYN flood attack is?

Broadly speaking, a SYN flood attack, also referred to as a TCP/IP-based attack, is a type of Denial of Service (DDoS) attack on a system. It might be compared to an irritating prankster continuously dialing a business phone to keep the line busy and prevent legitimate callers from reaching the establishment. The attacker here sends a flood of SYN requests from either a single or multiple spoofed IP addresses to a server with the malicious intent to halt the server’s functionality to process new incoming service requests. As the server gets trapped in a vicious cycle of responding to these inexistent or half-open connections, it can lead to crashing or becoming unavailable to legitimate users.

How does it work? 

The mechanics of a SYN flood operate in a methodical sequence of steps that exploit the TCP handshake protocol. Let’s break it down for clarity:

Step 1: Identifying the Target

The attacker first picks out the target server. Usually, they’re gunning for a specific service, like a website or an application hosted on that server.

Step 2: Initiating SYN Requests

Here, the attacker commences the mischief by generating a multitude of SYN packets. Each of these SYN packets asks the server, in essence, for permission to establish a connection.

Step 3: Half-Open Connections

Upon receiving a SYN request, the server reciprocates with a SYN-ACK packet and moves the corresponding request to a backlog queue. This places the connection in a “half-open” state, awaiting the client’s final ACK for completion.

Step 4: Server Response

At this juncture, the attacker ghosts the server, never sending the final ACK to complete the handshake. Consequently, the server’s backlog queue starts brimming with incomplete handshakes.

Step 5: Resource Exhaustion

With each half-open connection, the server allocates a chunk of its resources. As these incomplete connections accrue, the server begins to hit its limit on resources.

Step 6: Denial of Service

At this point, the server becomes unable to accept any new connections. Legitimate users trying to connect encounter timeouts or failures, achieving the attacker’s endgame of denying service.

Types of SYN Flood Attacks

SYN flood attacks can take on multiple forms, each with its own level of complexity and associated risks:

1. Direct Attack: In this type of attack, the attacker does not hide their IP address, meaning that all traffic comes from a single source. This makes it relatively easier for network administrators to identify and block the attack by filtering the IP address. However, direct attacks can still overwhelm a server, especially if they come from high-capacity sources.
2. Spoofed Attack: Here, the attacker sends SYN requests using spoofed IP addresses, making it difficult to track the origin of the traffic. The server tries to send SYN-ACK packets to non-existent or unreachable IPs, leaving the connections open and slowly exhausting server resources​. Spoofing adds an extra layer of complexity, making it harder to mitigate, as simply blocking the traffic source won’t solve the problem.
3. Distributed Attack (DDoS): In a distributed SYN flood attack, the attacker uses a botnet – a network of compromised devices – to send SYN requests from various IP addresses. This creates massive amounts of traffic from multiple sources, overwhelming the server and making it extremely difficult to pinpoint and block the attack. This method was infamously used by the Mirai botnet, which leveraged IoT devices to launch one of the largest DDoS attacks in history​.

Ways to mitigate the SYN flood attack

Ah, but there’s hope! Multiple strategies can serve as lifelines in mitigating the fallout from a SYN flood.

SYN cookies

Implementing SYN cookies proves useful in minimizing risk. When deployed, the server doesn’t allocate resources right away for a new SYN request. Rather, it converts the connection into a unique cryptographic cookie. Only when the handshake gets completed does the server expend resources, reducing vulnerability to attacks.

Rate limiting

Another solid tactic involves imposing rate limiting on incoming SYN packets. By setting a strict threshold for the number of allowable new connections per unit of time, the server can effectively nip malicious flood attempts in the bud.

DDoS Protection

Incorporating DDoS protection is an advanced, indispensable strategy. These specialized solutions not only defend against SYN flood attacks but also guard against a broader range of DDoS threats. DDoS protection services usually feature large traffic scrubbing networks that can sift through immense volumes of data, allowing legitimate traffic through while blocking malicious requests.

Anycast DNS

Anycast DNS serves as another invaluable layer of defense. By distributing incoming traffic across multiple data centers (PoPs), it minimizes the load on any single server. This distribution can effectively dilute a SYN flood attack, rendering it far less potent. Anycast DNS is especially beneficial when used in conjunction with DDoS protection services, providing an additional layer of robust, scalable defense.

Robust Load balancers
High-capacity load balancers can significantly improve your system’s capacity to manage an enormous volume of connection requests. In turn, this can enhance your network’s ability to resist SYN flood attacks.

Monitoring services
Real-time Monitoring services track and scrutinize network patterns, activities, and performance, enabling the early detection of potential threats or attacks. These services can monitor server health, network performance, and traffic patterns, thereby identifying and alerting about possible anomalies that might indicate a SYN flood attack.

Firewall rules

Tweaking firewall configurations can also be invaluable. For instance, you can set rules to block incoming requests from a specific IP address if it exceeds a set number of SYN requests within a short timeframe.

Suggested article: Router vs firewall

Consequences of non-protection

• Service disruption: SYN flood attacks can result in service disruption or downtime, as the targeted server becomes overwhelmed and unable to handle legitimate requests.
• Financial loss: Downtime can lead to financial losses for businesses, especially e-commerce websites, online services, and organizations heavily reliant on internet connectivity.
• Reputation damage: Frequent DDoS attacks, including SYN floods, can tarnish a company’s reputation, eroding trust and customer confidence.
• Security overhaul costs: Post-attack, merely patching vulnerabilities won’t suffice. A complete revamp of security protocols becomes vital, often draining both time and financial resources.

Conclusion

In a world increasingly reliant on digital technology, understanding and defending against threats like SYN flood attacks is crucial. While they are a potent threat, solutions such as SYN cookies and robust load balancers offer effective means of mitigation. In essence, maintaining cybersecurity is not just a good idea, but a necessity in today’s digital landscape.

The post Understanding SYN flood attack appeared first on ClouDNS Blog.

Botnet – What does it mean?

A Botnet is a network of different devices, like computers, smartphones, tablets, and IoT, which are infected with malware and controlled by a cyber-criminal, also known as a bot herder. Each individual device within the botnet network is also known as a bot or zombie.

These hijacked devices are utilized to carry out different scams and cyberattacks, like sending spam emails, distributing malware, and preparing DDoS attacks. The assembly of a botnet is usually the infiltration step of a multi-layer scheme. Botnets employ the devices of regular users for scams and disruptions without requiring the permission of the owner.

DDoS Protected DNS Service

You are probably wondering what the botnet attack actually is and how it works. So, let’s expand the topic and clarify for what purposes they are used!

What are botnets used for?

There are different reasons why attackers use botnets. However, the most popular intentions are related to stealing data and money. Here are some of the most common usages of the networks of hijacked devices:

Fraudulent or money stealing

Cybercriminals can perform attacks that involve a botnet network for stealing money directly or indirectly. Some of the popular methods to achieve that are phishing emails or making a fake website that looks exactly like the original bank website, for example. Then, they are able to translate the payment or transaction details and utilize them to steal money.

Data theft

The data of the users is highly valued in the market. Cybercriminals are well aware of that. Therefore, they use botnets for stealing individual personal information, or even more, they break into the database of a precise company. The next step for them is to sell the user information to third parties and make a profit from it. These botnets could stay inactive and only steal personal details.

Perform spamming and phishing frauds

By implementing botnets, attackers can execute large email spamming and phishing scams. That is because they can spread malicious emails to numerous targets easily. Moreover, there are spam botnets that are precisely designed for such tasks.

However, the intentions are always the same, meaning stealing money or information, even if the methods differ. Yet, there are a specific group of cybercriminals who use botnets only because they can. They only aim to show their abilities and demonstrate their superiority to the rest of the world. There are different examples of security breaches where the attackers steal personal details and reveal them on the dark web for free.

Botnet attack – explained in detail

We talk about a Botnet attack when cybercriminals inject malware into the network to control them as a collective used for initiating cyberattacks. Otherwise, botnets themselves are simply a network of devices. 

The scale of a Botnet attack could be pretty large, and any device could fall victim to it. So, cybercriminals use additional machinery or devices to support and improve the mastership of a botnet.

Bot herder is needed to guide and control the group of hijacked devices in the network. The attacker uses it via remote commands to guide the devices and make them complete specific actions.

Bot or zombie computer is an infected device (system) used to create a botnet. The bots are guided by the bot herder’s command, and they behave by its instructions.

Let’s break down the construction process of a Botnet attack. Here are 3 main steps you should know:

Step 1: Prep and Expose

The cybercriminal discovers a vulnerability to introduce into the user’s device. The process of searching for a vulnerability involves the website, human behavior, and application. That way, the attacker prepares a set-up to drown the victim to get exposed to malware without notice. Typically, the vulnerabilities are found in websites and software, and the malware is delivered through emails or messages.

‍Step 2: Infecting the user

The attacker activates the malware, and the user’s device is infected and has compromised security. Typically, for that purpose, cybercriminals use the social engineering method or the Trojan virus. Another more aggressive approach includes deploying drive-by-download strategies to infect the device. However, with all of these methods, cybercriminals aim to weaken the target with botnet malware.

‍Step 3: Taking control over the targeted devices

The last step is taking control of each infected device. All of them are systematized, and the attacker involves a method for managing them remotely. Numerous devices are under control through a massive zombie network. After completing this step, the cybercriminal gains admin-like access to the targeted devices. Moreover, it has the ability to read and change the stored information, capture it, share it, or watch all of the activities on the device.

Most popular Botnet attack types

Botnets are attacks by themselves also, but they are a perfect instrument for performing secondary frauds and cybercrimes on a giant scale. Here are the most popular Botnet attack types:

DDoS attack

DDoS attacks aim to overwhelm a target server, network, or device with massive traffic. The zombie devices (bots) send large amounts of requests aiming to crash or at least slow down the target significantly.

That is one of the most popular forms of using botnets for criminal purposes. Additionally, it is commonly the one that is the most dangerous. The negative effects of DDoS attacks are often long-term and severe. That includes not only financial losses but also reputational damages for the target organization.

That is critical for everyone that has a functional website and especially for businesses that operate and offer their services online. So for sure, proper DDoS protection is a must! Unfortunately, it is already too late for you to plan your response when a DDoS attack appears. Therefore, protection and mitigation should be planned.

Phishing

Botnet attacks are commonly built by phishing tactics. That way, they infect more devices and extend the size of the botnet.

Additionally, phishing and other methods of social engineering attacks include a botnet that sends emails, posts comments or sends messages on social media acting like people or businesses that the victim trusts, commonly used to steal your banking details.

Precisely phishing is hard to defend against because humans easily fall victim to them.

Brute Force attack

Another popular way that bot headers use botnets is to complete different Account Takeover (ATO) attacks, mostly Brute Force attacks (credential cracking).

For a Brute Force attack, the zombie devices are instructed to test the various options of a user password and “crack” it. For instance, if there is a PIN with 4 digits, bot device 1 is going to test “0000”, the second bot device is going to test “0001”, etc. That continues until one of them guesses the correct PIN.

Defending against this botnet attack is also very challenging. It is effective in exploiting weak user credentials.

Which devices can become targets of a Botnet?

Devices infected with malware, also known as “bots” or “zombies,” can be remotely controlled by attackers. Almost any device with an internet connection can potentially become a target for a botnet if it has vulnerabilities that can be exploited. Here are some common types of devices that can be targeted:

• Personal Computers: Desktops and laptops running various operating systems, including Windows, macOS, and Linux, can be targeted by botnets if they have security vulnerabilities. Malware can infect these devices through malicious downloads, email attachments, or drive-by downloads.
• Servers: Web servers, email servers, and other types of servers are attractive targets for botnets because they often have high-speed internet connections and large resources. Compromised servers can be used to host malicious content, launch DDoS attacks, or distribute malware.
• Mobile Devices: Smartphones and tablets are also exposed to botnet infections. Malicious apps, compromised app stores, and phishing attacks can be used to target these devices. Both Android and iOS can be affected by botnet-related threats.
• IoT Devices: Internet of Things devices, such as smart cameras, smart thermostats, routers, and smart appliances, are targeted by botnets. They are often less protected and may have default or weak passwords, making them easy targets for exploitation.
• Network Equipment: Routers, switches, and other devices can be compromised by botnets. Once infected, these devices can be used to control network traffic, redirect users to malicious websites, or participate in DDoS attacks.

Signs your device could be part of a Botnet

Here are the most common signals that your device could be part of a Botnet:

• Unusual Sluggishness: If your device suddenly becomes slow or unresponsive, it may be because a botnet is using its resources.
• Excessive Data Usage: A sudden spike in data usage without an apparent reason could indicate your device is participating in botnet activities.
• Unwanted Pop-ups: Frequent pop-up ads or redirects to suspicious websites may signal that your device is under the control of a botmaster.
• High CPU Usage: Constantly high CPU usage, even when you’re not running intensive applications, can indicate malicious activity.
• Outbound Spam Emails: If your email contacts receive spam from your account without your knowledge, your device may send spam as part of a phishing attack.
• Disabled Security Software: Malware in a botnet often tries to disable antivirus and firewall protection to avoid detection.
• Unexplained Software Installs: Unauthorized software installations or changes to your device’s settings can be a sign that attackers may have control over it.
• Strange Network Activity: Monitor your network traffic for unusual patterns, such as frequent connections to unfamiliar IP addresses or domains.

How to protect yourself?

Here are some things you can do to protect yourself from botnet malware.

• Strong passwords. Make sure all of your smart devices have complex long passwords. That will keep them safer compared to a short and weak password, like “123456”.
• Update your OS. You should update your software. That way, you are receiving all of the security patches that can deal with familiar vulnerabilities.
• Change admin settings and passwords across all of your devices. Make sure to check all potential privacy and security options. That includes everything that connects device-to-device or to the Internet. If you skip changing to custom login credentials and private connectivity, cybercriminals will be capable of breaching and infecting all of your devices.
• Avoid opening suspicious email attachments. Before you download a file, make sure to verify the sender’s email address.
• Avoid clicking on links in messages. Different texts, emails, or social media messages could include malware. Moreover, by doing so, you can avoid drive-by downloads and DNS cache poisoning.
• Reliable antivirus software. It is going to help you improve your security and keep yourself protected from Trojans and other threats.

Impact of Botnets on Businesses

Botnets are a growing threat to businesses of all sizes, exploiting weak spots in networks to carry out malicious activities. Here’s a breakdown of how they can impact your business:

• Financial Losses

Botnets can cause serious financial damage. They might steal sensitive data directly, demand ransoms after launching ransomware attacks, or disrupt your services, leading to lost revenue. For example, a Distributed Denial of Service (DDoS) attack could take down your website, resulting in significant downtime and a drop in productivity.

• Damage to Your Reputation

The impact of a botnet attack goes beyond immediate financial losses. It can also severely damage your company’s reputation. Customers and partners may lose trust in a business’s ability to protect confidential information, resulting in long-term loss of clientele. There could also be legal consequences if your company fails to comply with data protection laws. Recovering from such an attack often requires significant investment in cybersecurity measures, system restorations, and efforts to rebuild public trust.

• Increased Operational Costs

Botnet infections can also lead to the unauthorized use of company resources, increasing operational costs and exposing internal systems to even more security risks. Small and medium-sized businesses are especially vulnerable, as they might not have the necessary infrastructure or expertise needed to effectively defend against these threats.

To reduce the risk of botnet attacks, it’s essential to adopt proactive security measures and include regular employee training, robust incident response plans, and a strong focus on cybersecurity. By taking these steps, you can help protect your business from the negative effects of these attacks.

Some famous Botnet attacks

Mirai – 2016

The massive Mirai botnet attack was initiated through a DDoS attack, and it made the Internet unavailable in the U.S. It was the first major botnet that infected insecure IoT devices. At the peak of the attack, it got to over 600,000 infected devices. 

3ve – 2018

3ve, pronounced Eve, started as a small botnet. Yet, the number of infected devices reached a tremendous 1.7 million. The botnet managed to falsify billions of ad views. As a result, businesses paid millions for ads that no real human, a regular internet user, ever saw.

Conclusion

Botnet and Botnet attacks are cyber threats that should not be neglected! It is important to keep yourself or your organization safe from such malicious attempts. Otherwise, they could lead to large financial and reputational damages!

The post Botnet – what is it, and how does a Botnet attack work? appeared first on ClouDNS Blog.

DNS explanation

DNS or Domain Name System is the backbone of the internet. It connects all the users to the content they need. That means it is a directory service which converts human-readable domain names into numerical IP addresses. It is a constant exchange of information, but sometimes the DNS fails and this causes downtime. A blackout period that can be evaded by using a Backup DNS.

Backup DNS

Backup DNS, also known as Secondary DNS or alternative DNS is a system of one or more DNS servers, who have a copy of the zone data (DNS records) of the Master (Primary) DNS server. It adds resilience, reducing the outage periods by answering requests even if the Master is down.

Backup DNS services provide an additional measure of insurance against service outages. They allow a website to remain up and running even if the primary DNS fails, often by serving DNS requests from a different location. Additionally, backups may use the same protocols as primary servers, or be hosted in distributed cloud networks, which increases reliability and performance. 

How does it work?

Backup DNS works through a few simple steps. Here are they:

1. First, when a user requests a website or application, the DNS query is sent to the primary DNS server. 
2. The primary DNS server then resolves the domain name to the corresponding IP address. But if the master DNS server is down, the request is rerouted to the backup DNS server. 
3. Then, the backup server resolves the domain name and returns the IP address to the requesting device, allowing access to the website or application.

Benefits of Backup DNS

Backup DNS is an essential part of any website or application infrastructure. The primary benefit of having it is improved website or application availability in the event of any primary DNS service failure. Your website or application will remain up and running even if the primary DNS fails, by redirecting users to a different DNS server. 

With a robust Backup DNS service, businesses are better protected from malicious attacks such as Distributed Denial of Service (DDoS) attacks. In addition, for even better safety from these types of cyber threats, there are DDoS Protected DNS services that add another layer of protection.

Backup DNS services can also provide faster DNS lookup times, improved representation of your website or application by serving identical content around the globe, and seamless switching in case of server outages. 

Another benefit lies in its scalability. It is designed to scale with any increase in traffic, both in terms of the number of queries handled and the size of the DNS database. As your website or application grows, Backup DNS can help ensure that you don’t lose any traffic simply due to lack of capacity. Additionally, this services often come with built-in features such as failover capabilities, Anycast DNS, and more, which can all improve the overall performance and reliability of your website or application.

What is the worst that can happen? Dyn DNS attack of 2016

Just ask the Dyn DNS users who were victims of the massive DDoS attack of 2016. Many well-known websites and services were affected: Airbnb, Amazon, Twitter, BBC, CNN, Etsy, Github, PayPal, Spotify, and more. Their users were left without service for quite some time. The attackers created a massive amount of traffic that caused the victim’s system to get stuck and eventually crashed. They did that by using an enormous amount of botnets IoT devices (internet of things). There are plenty of connected devices with low protection that can be easily hijacked. The number of such IoT devices is rapidly growing, but their security level is not improving. This means we will have plenty of similar DDoS attacks in the future.

Who needs Backup DNS?

Backup DNS is beneficial for any organization whose website or application is critical to their success, as it adds an extra layer of protection and reliability. 

It is particularly important for businesses that serve large amounts of online traffic, such as online retail, media, etc. This is because having a reliable Backup DNS prevents disruption of service and lost revenue. 

Additionally, businesses that are subject to malicious attacks, such as governments. banks, healthcare institutions, also benefit from Backup DNS services, as these services can help prevent attackers from overwhelming their primary DNS server.

Additionally, small businesses that are just starting out and may not have the budget of large companies also benefit from this backup service. Why? Because this service is at an affordable price and ClouDNS offers a 30 day free trial for no cost testing. Check out our Secondary DNS service! 

Ultimately, Backup DNS is an invaluable tool for organizations of any size.

Conclusion

If you have more DNS servers, working together on a grid, the traffic that comes from such a DDoS attack will distribute between them. Some of your servers may go down for a while, even your master DNS can go down, but thanks to the DNS backup, the rest will continue, and your clients won’t be left without a service.

The post What is Backup DNS? appeared first on ClouDNS Blog.

What is a flood attack?

A flood attack, often a form of Distributed Denial of Service (DDoS) attack, aims to overwhelm a system with superfluous requests, thus preventing legitimate requests from being fulfilled. The primary objective is to make the target service unavailable, either by consuming all its resources or crashing it altogether. Flood attacks exploit the limitations of a network’s bandwidth, memory, and processing power. By sending an excessive number of requests, they can exhaust these resources rapidly, causing severe disruptions. Attackers often use botnets, a network of compromised devices, to generate the enormous volume of traffic required for such attacks, making it harder to trace and block the sources.

How does it work?

A flood attack works by sending a massive volume of traffic to a targeted server, service, or network. This traffic often appears to be from legitimate users, which makes it challenging to distinguish and filter out. The target system gets overwhelmed by this surge in requests, which eventually leads to its degradation or shutdown. Flood attacks can be executed through various protocols and methods, such as TCP, UDP, ICMP, and HTTP, each exploiting different aspects of the network’s communication process. Advanced flood attacks may use randomization techniques to avoid detection and mitigation efforts, making them more sophisticated and harder to counter.

Why is flood attack dangerous?

• Disruption of service: The most immediate impact is the service disruption. Websites may become unavailable, networks may slow down, and businesses may experience downtime.
• Financial impacts: With downtime comes lost revenue. Especially for businesses that rely heavily on online services, a few minutes of inaccessibility can translate to significant financial losses.
• Damage to reputation: Continuous attacks can tarnish a company’s reputation, causing loss of customer trust and loyalty.
• Resource consumption: An immense amount of resources, both human and technological, need to be diverted to handle the aftermath of such attacks.
• Diversion: Sometimes, attackers use flood attacks as a smokescreen, diverting attention from a more covert breach or intrusion.

How to mitigate it?

• Monitoring: Continuous monitoring of network traffic can help in early detection of unusual traffic spikes, which may indicate a flood attack. Tools like intrusion detection systems (IDS) can be invaluable.
• DDoS Protection: DDoS protection services can help mitigate the effects of a flood attack. These services often use a combination of traffic filtering, rate limiting, and other tactics to ensure only legitimate traffic reaches the target. 
• Secondary DNS: If the primary DNS server becomes overwhelmed due to a flood attack, the secondary DNS server can continue to resolve domain names, ensuring that services remain accessible to legitimate users.
• Firewalls and Routers: Properly configured firewalls and routers can help filter out malicious traffic.
  Router vs firewall
• TTL Analysis: Investigate the TTL values on incoming packets. Abnormal TTLs can indicate potential malicious traffic.
• IP Blocklisting: Identify and block IPs that show malicious activity. This prevents them from accessing your systems further.
  Whitelisting vs Blacklisting

Types of flood attack

DNS Flood Attack

A DNS flood attack specifically targets the Domain Name System (DNS) servers. The DNS is the internet’s phonebook, translating human-friendly URLs (like “example.com“) into IP addresses that computers use to identify each other on the network (like “1.2.3.4”). In a DNS flood attack, attackers send a high volume of DNS lookup requests, usually using fake IP addresses. This causes the DNS servers to try and resolve each request, leading to an overwhelming number of processes. This congestion ensures that genuine requests from real users either get significantly delayed or ignored altogether. If an attacker successfully disrupts a DNS server, it can make a whole swath of websites or online services inaccessible.

SYN Flood Attack

To understand a SYN flood attack, one must first grasp the “three-way handshake” process used to establish a TCP connection. The sequence is SYN, SYN-ACK, and ACK. In a SYN flood attack, the attacker sends a rapid succession of SYN requests but either does not respond to the SYN-ACK replies or sends them from spoofed IP addresses. The target system will keep these connections open, waiting for the final ACK that never comes. This can consume all available slots for new connections, effectively shutting out legitimate users.

HTTP Flood Attack

HTTP flood attacks take advantage of the HTTP protocol that web services operate on. In this attack, a massive number of HTTP requests are sent to an application. Unlike other flood attacks, the traffic sent looks legitimate. The requests can be either valid URL routes or a mixture with invalid ones, making them harder to detect. Because the requests look so much like typical user traffic, they’re particularly difficult to filter out. This method can exhaust server resources and cause legitimate requests to time out or receive delayed responses.

ICMP (Ping) Flood Attack

ICMP, or Internet Control Message Protocol, is a network protocol used by network devices to send error messages. The “ping” tool uses ICMP to test the availability of network hosts. In a Ping flood attack, attackers inundate the target with ICMP Echo Request (or ‘ping’) packets. The target then tries to respond to each of these requests with an Echo Reply. If the attack is voluminous enough, the target system’s bandwidth or processing capabilities may get overwhelmed, causing a denial of service.

Suggeted page: The function of ICMP Ping monitoring

UDP Flood

User Datagram Protocol (UDP) is a sessionless networking protocol. In a UDP flood attack, the attacker sends many UDP packets, often with spoofed sender information, to random ports on a victim’s system. The victim’s system will try to find the application associated with these packets but will not find any. As a result, the system will often reply with an ICMP ‘Destination Unreachable’ packet. This process can saturate the system’s resources and bandwidth, preventing it from processing legitimate requests.

Impact of Flood attacks on different industries

Flood attacks can have devastating effects across various industries, each facing unique challenges and potential damages:

E-commerce:

E-commerce platforms rely heavily on their websites for sales and customer interaction. A flood attack can cause significant downtime, leading to lost sales, decreased customer trust, and potential long-term damage to the brand’s reputation. Additionally, the costs associated with mitigating the attack and enhancing security measures can be substantial.

Suggest: Global Reach, Local Touch: The Role of GeoDNS in eCommerce Expansion

Finance:

In the finance sector, the availability and integrity of online services are critical. Flood attacks can disrupt online banking, trading platforms, and payment processing systems. This not only affects customer transactions but can also lead to compliance issues and regulatory scrutiny. The financial losses and impact on customer confidence can be severe.

Healthcare:

Healthcare providers use online systems for patient management, medical records, and telemedicine. A flood attack can interrupt these services, potentially putting patient health at risk. Delayed access to medical records and appointment scheduling can cause significant operational disruptions and affect the quality of care provided.

Gaming:

The gaming industry is a frequent target of flood attacks, especially during major events or game launches. These attacks can disrupt gameplay, causing frustration among users and leading to a loss of revenue for gaming companies. The competitive nature of online gaming also means that downtime can significantly impact player engagement and retention.

Conclusion

Flood attacks are among the oldest tools in a hacker’s arsenal, but they remain effective. As the digital landscape grows and evolves, so do the methods attackers employ. Regularly updating security infrastructure, staying informed about emerging threats, and employing a proactive defense strategy can go a long way in keeping systems secure and operational.

The post Flood Attack: Prevention and Protection appeared first on ClouDNS Blog.

What is a DDoS amplification attack?

These attacks usually use the UDP protocol. It is a simple connectionless communication model with a minimum protocol mechanism. This means that one of the sides in the communication can send large amounts to the other without restrictions. Without any confirmation, it doesn’t matter if the second side receives the data. 

Due to the way the UDP protocol works, cyber-criminals use it to generate DDoS amplification attacks. The attacker sends a small UDP request with a spoofed IP address of the victim to public services.

The UDP protocol doesn’t require a connection verification between the parties. This is why the public services reply with the requested data to the IP address of the victim. As bigger is the data returned by exploited public service, bigger is the DDoS amplification factor.

In the past few years, hackers have exploited many public DNS resolvers and NTP servers to generate massive DDoS attacks against popular websites and services.

Understanding Memcached

Memcached is a widely-used, open-source caching system that enhances the performance of dynamic web applications by reducing database load. It achieves this by storing data in memory, allowing for rapid retrieval and minimizing the need for repeated database queries. By caching frequently accessed objects such as database query results and session data, Memcached helps applications run more efficiently and respond faster to user requests. Its straightforward design and robust performance have made it a staple in optimizing large-scale web applications. However, without proper configuration and security measures, Memcached can become vulnerable to exploitation, emphasizing the need for diligent management.

Memcached DDoS amplification attack explanation

A Memcached DDoS amplification attack is a malicious exploit where attackers leverage vulnerable Memcached servers to generate overwhelming traffic towards a target. By sending small requests to multiple servers, the attackers receive significantly larger responses, resulting in an amplification effect. This massive traffic surge can cripple the target’s network infrastructure, disrupting service. To mitigate such attacks, organizations should secure their Memcached servers, implement access controls, and utilize robust DDoS mitigation solutions to protect against this highly impactful cyber attack.

How does it work? Step-by step 

1. Identifying vulnerable servers: Attackers scan the internet to locate Memcached servers that are accessible and have User Datagram Protocol traffic enabled. UDP is preferred due to its connectionless nature, making it easier to spoof source IP addresses.

By default Memcached works with enabled UDP support on port 11211. To understand this attack we have reviewed the source code of the database on GitHub.For some reason in the communication settings of the defined a fixed payload of 1400 bytes for the UDP packets.

The basic UDP request sent to Memcached is with size 15 bytes, and the server responds with 1400 bytes. This makes the amplification factor more than 93x! That amplification factor means that with a single server with 1Gbps port and a significant amount of vulnerable servers, the attacker can generate DDoS attacks over 90 Gbps.

2. Spoofing the source IP address: Using various techniques, attackers disguise their own IP address and make it appear as if the attack traffic originates from the targeted victim’s IP address. This ensures that the amplified response traffic is directed towards the victim.

Suggested article: What is DNS Spoofing (DNS poisoning)?

3. Sending small forged requests: Attackers send lightweight and innocuous-looking requests to the vulnerable Memcached servers. These requests typically have a small size, often around 15 bytes, which minimizes the effort required to send them.

4. Amplification of response traffic: Exploiting the Memcached servers’ behavior, which responds to small requests with much larger responses, the attackers achieve an amplification factor that can reach staggering levels. This means that for each small request sent, the server responds with a significantly larger volume of data, often in the range of hundreds or thousands of times larger.

5. Overwhelming the target: The amplified response traffic, generated by the Memcached servers, floods the victim’s network infrastructure with an immense volume of data. This flood of traffic can quickly exhaust the victim’s network bandwidth, computing resources, and cause service disruptions or complete downtime.

How big can it be?

In the realm of cybersecurity, we have witnessed an unprecedented magnification factor, reaching an astonishing 51,200 times the original request size! Picture this: a mere 15-byte request has the potential to unleash a colossal 750 kB response. This mind-boggling amplification factor poses an immense security risk, particularly for web properties ill-equipped to handle the overwhelming deluge of attack traffic. With its significant amplification potential and susceptible servers, Memcached becomes a prime target for malicious actors intent on launching devastating DDoS attacks against a wide array of targets.

Furthermore, according to the GitHub’s February 28th DDoS Incident Report, the largest open source code web service was down due to a Distributed Denial of Service attack that caused intermittent unavailability of their service for a few minutes. The attack exploited a vulnerability in Мemcached, resulting in a volumetric attack that peaked at 1.35Tbps. GitHub successfully mitigated the attack by diverting traffic to Akamai and implementing access control measures, and they are working on improving their automated intervention and expanding their edge network to enhance resilience against future attacks.

How to protect from Memcached DDoS amplification attacks?

Our Anycast Network is protected from such attacks, and we already mitigated more than 20 attacks like this for the last five days.

Тo protect your website, online service, etc you can also implement DDoS protection software. ClouDNS DDoS Protected DNS service can help identify and filter out malicious traffic, thereby minimizing the impact of amplification attacks.

Other way to protect from Memcached DDoS amplification attacks is by regularly monitoring the traffic. We provide robust monitoring solutions which enable the timely detection of abnormal traffic patterns, facilitating early response and mitigation.

Furthermore, with enough network capacity, we can easily filter the attack of the Memcached server responds from UDP port 11211. We can say for sure that all our customers are protected and safe.

The average size of the DDoS attacks we filter was between 50Gbps and 80Gbps. First we expect that value to grow in the next two weeks. Then to drop significantly because the system administrators will take care of the vulnerable servers.

DDoS Protected DNS

Ways to secure a Memcached server

The system administrators of Memcached servers can protect them in one of the following ways:

• Update the configuration of the server to listen only on 127.0.0.1 (localhost). Do this if use the Memcached server only locally and there are no external connections to the server. You can do this with the option –listen 127.0.0.1
• Disable UDP support, if you are not using it. You can do this with the option -U 0
• Add firewall for UDP port 11211, if you need both external connections and UDP support, make sure the server is accessible only by the IPs you need
• Instead of exposing your Memcached server directly to the internet, you can use a caching proxy server
• Restrict access to the Memcached server using access control lists (ACLs) to allow only trusted IP addresses.

Conclusion

By exploiting vulnerable Memcached servers, attackers can unleash a massive flood of traffic, causing widespread disruptions. To defend against these attacks, organizations must secure their Memcached servers, implement strict access controls, and utilize effective DDoS mitigation solutions.

The post DDoS amplification attacks by Memcached appeared first on ClouDNS Blog.

Smurf attack definition

The name Smurf comes from a popular Belgium comics and cartoon with the same name. There are many small blue characters in it who work together to bring down one big bad magician.

The Smurf DDoS attack is a protocol-based DDoS attack that uses the popular Internet Control Message Protocol (ICMP) to send ping packets of data with a spoofed IP address of the source, thanks to malicious software.

The packets are sent to a computer network using an IP broadcast address. The devices on that network will respond and send answers to the IP address. The fact that not only one computer but a whole network of computers respond to the victim’s IP address leads to a substantial amplification and potentially huge traffic towards the victim. So strong that it could severely slow down the victim’s computer and even bring it down for a while.

And you know, downtime means losses for the business.

How does a Smurf attack work?

1. The malicious Smurf software spoofs the packets’ IP address and replaces it with the victim’s IP address. That way, all the traffic will go to it.
2. The packets of data are sent to a broadcast IP address of a router. That way, the router will send the message to all the connected devices inside this broadcast network, and the attack will get amplified many times. So many times as there are devices that respond.
3. Each of the devices will receive the packets of data. They will respond but to the spoofed IP address (the target’s IP address). So the traffic will go directly to the victim.
4. The target starts to receive packets of data that it didn’t ask for. One after another, and if there are too many, the target starts to have problems processing them. Eventually, if the intensity does not go down, the target will be unable to process the pings and be overwhelmed.

What is the history of Smurf attacks?

Dan Moschuk (a.k.a. TFreak), a popular hacker at the time, created the original code for the malware in 1997. Dan was still an adolescent at the time. He sent the original software to some of his friends, and later the smurf.c crashed various IRC servers.

Because of the Smurf attack, network equipment producers started to change the settings of their devices and limit broadcasting to only inside the LAN.

Some years later, TFreak continued his work in malicious software and created a UDP version of the Smurf attack and called it Fraggle.c.

Types of DDoS Smurf attack?

There are two main types of Smurf attack:

Basic Smurf attack

The Basic Smurf attack works, just as we explained to you, flooding a network with ping packets that have spoofed the IP address of the victim. Then, all the devices on the network answer the packets and send the answers to the target, causing massive traffic that can bring down the system over time.

Suggested article: What is flood attack?

Advanced Smurf attack

It looks similar to the Basic Smurf attack but with a small difference. The Advanced can spoof the IP addresses of the packets in a way that it can send the response to more than one target. When the attackers have infected enough networks, they can use this amplified traffic to multiple victims to cause more damage.

How do you detect it?

Detecting a Smurf attack can be a difficult task. ICMP monitoring is a crucial tool when it comes to catching this attack. ICMP is an Internet Control Message Protocol that sends an alert if it detects an attack. This type of monitoring allows for real-time analysis of any suspicious activities, allowing for faster detection and mitigation of any damage caused by a Smurf attack. To set up ICMP monitoring, it is essential to set a threshold based on your network’s typical performance. Once a traffic spike that exceeds the threshold is detected, your IT team can act accordingly. ICMP monitoring provides an efficient and effective way to detect a Smurf attack promptly.

How to mitigate Smurf DDoS attack?

There are 3 things that you can do to mitigate a Smurf attack:

Use DDoS protection

Having a large network of servers means your servers can resist stronger traffic. When you combine it with an intelligent traffic monitor that can find the malicious traffic and a network of scrubbing centers, you will have excellent protection against this type of DDoS attack.

If you want to try it out, you can see our DDoS protection plans right here. Stay safe and keep your business running, lowering the downtime to a minimum.

Forbid the ICMP traffic

You can use your firewall and stop the ICMP traffic completely. This will make it impossible to suffer a Smurf attack or any other DDoS attack based on the ICMP. The problem is that you won’t be able to use a ping command for diagnostics. This could be problematic for administrators who need to check if all of the devices on a network or remote servers are connected and working, so this might not be an option for most people.

Stop packets with a broadcast IP address

You can also set up all your hosts and routing devices to ignore packets that have a broadcast IP address. That way, even if a modified Smurf attack packet gets to your network, it won’t be allowed. If you don’t need to broadcast any other messages, this could be an option. Still, it will limit your configuration, and you might need this feature.

Smurf attack Transmission

The Smurf attack can start from a Trojan horse or malware. It can be downloaded by somebody on the network and executed, or it can be in the form of an application. It is important to educate your staff about the dangers of phishing attacks that can lead to such problems. 

The smurf will remain hidden, on the infected host, for a long time until the attack needs it. Then he or she will activate it, and the process of generation of ICMP packets with a spoofed IP address will start. They will be targeted at the victim, and the DDoS attack will start.

Impact of Smurf DDoS Attack

A successfully executed Smurf DDoS attack can cause severe and far-reaching damage. That is why it is important to be aware of the potential consequences.

• Service Disruption: The primary goal of a DDoS attack, including Smurf attacks, is to disrupt the availability of services. By flooding the victim’s network with traffic, legitimate users are unable to access essential services, leading to downtime and potential loss of revenue.
• Resource Exhaustion: Smurf attacks can overwhelm network infrastructure, including routers, switches, and servers, leading to resource exhaustion. As a result, the victims can experience degraded performance or even complete system failure.
• Reputation Damage: A prolonged DDoS attack can tarnish the reputation of an organization, corrupting trust among customers and partners. The perception of unreliability and insecurity can have long-lasting consequences for the victim’s brand.
• Financial Losses: The financial impact of a Smurf DDoS attack can be significant. That includes not only immediate costs associated with mitigating the attack but also long-term losses originating from decreased productivity and loss in customer trust.

What is Fraggle attack, and how does it differ from Smurf attack?

The Fraggle attack is very similar to the Smurf attack, as both are Distributed Denial of Service (DDoS) attacks that send massive numbers of echo requests with spoofed source IP addresses. However, the primary difference is that the Fraggle attack involves sending User Datagram Protocol (UDP) broadcast packets over ports 7 and 19, instead of the usual ICMP packets used in the Smurf attack. In other words, while the Smurf attack focuses on flooding the victim’s network with ICMP echo requests, the Fraggle attack spreads the attack traffic across a greater area of the target system.

The goal of both the Smurf and Fraggle attacks is the same — to send an overwhelming volume of data to the server or network, quickly overloading it and causing it to crash or become unusable. However, the Fraggle attack has the advantage of avoiding detection by traditional firewall configurations since UDP broadcast packets are usually allowed by most firewalls. It is also important to note that Fraggle attacks can be used in conjunction with Smurf attacks for an even more significant impact. in conjunction with Smurf attacks for an even greater impact.

Conclusion

Staying safe online is getting harder every day. But you and your business can still be protected. By learning about threats like the Smurf attack and other DDoS attacks, you can understand how to stay safe. Use DDoS protection, and don’t let bad actors negatively influence the work of your servers. 

The post What is a Smurf DDoS attack? appeared first on ClouDNS Blog.

Recursive DNS server explained

The Recursive DNS server called, also commonly DNS resolver, has the important responsibility of seeking requested data and responding to users’ DNS queries.

In computing, when we talk about recursion, it is clearly associated with a technique that aims to solve a particular problem. In addition, that involves a program or solution that continuously repeats itself until it reaches the desired goal.

A Recursive DNS server is positioned to function in the middle between the Authoritative DNS server and the end-users that initiate DNS requests. So, each time a user desires to visit and explore a particular website, it types its domain name into the address bar of the browser. From there, the Recursive DNS server receives the request and starts searching for the IP address (IPv4 or IPv6) that corresponds to the domain name. Shortly after the required IP address is found, the DNS resolver returns to the user’s device and provides the needed information. Then the browser on the device (smartphone, laptop, computer, etc.) of the user is able to connect and load the desired website. 

The number of available Recursive DNS servers all over the world is significant. However, the most popular among them are the ones of the Internet service providers (ISP).

Tasks of the Recursive DNS server

The role of the DNS resolver is to complete one of the following tasks:

1. Checks if the IP address is stored in the cache memory. There is a certain period of time, pre-defined by the domain’s owner called Time to Live or TTL. It says for how long the Recursive server can hold the information. If it is still there, it will return the answer fast and won’t take further actions.
2. Searches for the IP address elsewhere. If it is not in the cache, it will continue the searching process until it gets to an Authoritative server which has the information.

How does it work?

The Recursive DNS server takes a very important role in the DNS resolution process. As we mentioned earlier, it operates between the user and the Authoritative DNS server. Yet, it completes several crucial tasks. Let’s summarize how it operates and what actions it performs in this vital process: 

• The DNS resolver is the one that obtains the DNS query from the user.
• It then asks the Root server about the location of the TLD (Top Level Domain) server.
• The Recursive queries the TLD (Top Level Domain) server for information about which is the accountable Authoritative DNS server for the precise domain.
• It makes a request to the Authoritative DNS server responsible for the particular domain. 
• The Resolver gets back to the user and provides the requested data.
• It caches the DNS information for further use.

The existence of Recursive DNS servers is crucial. This is because they support the Authoritative DNS servers, which would not otherwise be able to handle the workload created by themselves. Additionally, DNS Resolvers distribute the load of the huge number of user requests and make the resolution of domain names way easier.

Check out Fantastic Premium DNS service plans by ClouDNS!

Recursion and Iteration: Explaining the Dynamic Duo

Recursion and iteration are two programming concepts that play a crucial role in the functionality of DNS servers, particularly recursive ones. Let’s explore these concepts:

• Recursion 

Recursion, in the context of DNS, refers to the process where a DNS server, upon receiving a query for a domain name, doesn’t have the necessary information in its cache and initiates a series of requests to other DNS servers to resolve the query. Each subsequent request dives deeper into the DNS hierarchy until the authoritative DNS server for the queried domain is reached.

Imagine recursion as a detective following a trail of clues to solve a mystery. The DNS server starts with limited information, asking other servers for more details until it discovers the complete answer. This recursive process ensures that even if a DNS server doesn’t have the needed information, it can still find and deliver a response after consulting other authoritative sources.

• Iteration

Iteration, on the other hand, involves repeating a set of instructions until a specific condition is met. In the DNS context, iteration occurs when a DNS server sends iterative queries to authoritative servers and, at each step, refines the search until it obtains the precise information needed to resolve a domain name.

Think of iteration as a systematic approach where the DNS server persistently refines its search, step by step, until it comes to the solution. This process allows for efficient querying, minimizing the chances of overwhelming authoritative servers with unnecessary requests.

• Recursion and Iteration in Recursive DNS Servers

Recursive DNS servers blend recursion and iteration to navigate into the complex DNS hierarchy. When a recursive DNS server receives a query, it first checks its cache to see if the information is available. If not, it starts a recursive process, reaching out to authoritative servers and using iteration to specify its search for the required data. This dynamic dance between recursion and iteration ensures that DNS queries are resolved quickly and accurately. 

The Benefits of Recursive DNS Servers

Now that we’ve explained the meaning of recursion and iteration let’s explore the benefits that Recursive DNS servers bring to the table.

• Enhanced Performance and Speed: Recursive DNS servers significantly improve the speed of DNS resolution. Maintaining a cache of previously resolved queries allows these servers to respond promptly to reappearing requests without crossing the entire DNS hierarchy again. This results in faster load times for websites and a smoother browsing experience for users.
• Reduced Network Latency: With their ability to store and reuse resolved queries, Recursive DNS servers help minimize network latency. By reducing the time it takes to get information from authoritative servers, these servers contribute to quicker and more responsive internet connections.
• Improved Security: Recursive DNS servers can protect users from malicious activities. Through features like DNS filtering and blocking known malicious domains, these servers safeguard against phishing attacks, malware, and other online threats. They can perform detailed checks and validations before serving DNS responses, adding an extra layer of security to the online experience.
• Load Distribution and Balancing: Recursive DNS servers contribute to the efficient distribution of network traffic by balancing the load on authoritative servers. These servers reduce the load on the DNS infrastructure by caching and serving responses locally.
• User Privacy: They can enhance user privacy by implementing features like DNS over HTTPS (DoH) or DNS over TLS (DoT). These encryption protocols add a layer of security, preventing unauthorized parties from intercepting and monitoring DNS requests.

Vulnerabilities

Cybercriminals are well aware of the importance of Recursive DNS servers. Unfortunately, they managed to use their vulnerabilities and initiate different malicious attacks. Some of the DNS resolvers are public, which makes them an easy target. Attackers often use DNS spoofing attacks or execute DDoS attacks in order to shut the servers down directly.

• Recursive DNS servers and the amplified attacks

DNS Amplified Attacks are a very common threat on the Internet. They exploit the public Recursive DNS servers to generate high traffic and to damage the target.

• Public (Open) recursive DNS

To leave your Recursive DNS server public is dangerous. Such devices are with minimum security and visible IP address. This means that anyone, including cyber-criminal, can easily access it and later use it as a botnet device to amplify their next attack.
Many of the network administrators don’t know their recursive servers are open, and this can lead to severe problems. If you doubt about your DNS server, you can check it on this page: http://openresolverproject.org

• Oversized packets

A threat that some of the attackers take advantage of is manipulating the query packets. They send multiple queries to recursive servers, but with a modified IP addresses, directing all of the generated traffic towards the victims. They use many servers, and if the traffic is high, they can crush the victims’ servers.

Can you have safe Recursive DNS servers?

Yes, it is possible to secure your servers. We recommend you to use our Private DNS servers. They are hidden from the public eye and still have all of the premium features like TTL management, Cloud domains, Secondary DNS, SOA Settings and Hourly statistics
You don’t need to get all of them. You can strategically choose just a few of them where you most need them.

Conclusion 

The Recursive DNS servers are a fundamental component of the global network Internet and the DNS (Domain Name System). The role they play in the DNS resolution process is significant. DNS resolvers simplify and manage to balance the load of numerous DNS requests daily!

The post What is a Recursive DNS server? appeared first on ClouDNS Blog.

What are the DDoS attacks

Cybercriminals are hijacking many random connected devices around the world. The already corrupted devices are called botnets, it is a network that is waiting for instructions from the person in control. The hacker can instruct them to generate traffic to a specific target. The massive number of those devices cripples the defense of the target and brings it down.

Spamhaus 2013

Back in 2013 this was the biggest attack of its time. The website of anti-spam company Spamhaus was down on 18.03.2013 due to a large layer 3 attack. Their servers couldn’t manage the load. The attack was around 75Gbps and back then this was unimaginable (currently there are some with more than 600Gbps). They manage to stop it by signing for Anycast service.

BBC DDoS Attack 2015

A few years ago, on October 21st, 2016, the DNS provider Dyn was struck by a massive DDoS attack. Their servers were down, and for some time, big websites that they were hosting like Amazon, Netflix, Twitter, Reddit and more were out. The culprit of the attack was a botnet called Mirai which was made mostly from IoT devices. The attack had a cascading effect on internet services globally, drawing attention to the vulnerabilities inherent in centralized DNS providers and spurring investment in DDoS mitigation technologies.

Dyn DDoS attack 2016

A few years ago, on October 21st, 2016, the DNS provider Dyn was struck by a massive DDoS attack. Their servers were down, and for some time, big websites that they were hosting like Amazon, Netflix, Twitter, Reddit and more were out. The guilty of the attack was a botnet called Mirai which was made mostly from IoT devices.

Kerbs on Security 2016

In September 2016 just before the Dyn accident, there was another involving the Mirai botnet. The attack was very strong at around 665 Gbps, but that to the Kerbs’s security, they manage to resist it.

The Mirai botnet responsible for the attack was especially alarming for its utilization of Internet of Things (IoT) devices like cameras and routers. This marked one of the first times a botnet had so effectively leveraged commonly used household devices to orchestrate a large-scale DDoS attack.

Blizzard DDoS attack 2017

If you are a gamer, you probably know Blizzard Entertainment, the brand behind Overwatch, World of Warcraft, StarCraft, and Diablo. This company has experienced many attacks over the last years. Most noticeable was in August 2017. Many gamers were unable to connect to their server and play. These attacks are damaging the image of the company and the satisfaction of their clients.

Memcached attacks of March 2018

March was a horrible month. We saw new attacks with a larger than ever before scale. There were two that set a record, the one that hit Arbor Networks with 1.7Tbps traffic and the other that hit GitHub with 1.35Tbps a few days earlier. They both exploited the UDP port 11211. The UDP doesn’t use verification and that is the reason this was possible.

DDoS amplification attacks by Memcached

The different attacks of 2019

In 2019 we didn’t see huge attacks with +1Tbps power, but it wasn’t safe either. 

Yes, there were some strong attacks of around 0.5 Tbps, but we paid attention more to the number of packets per second. In this kind of attack, the criminals do a little work, and the target does a lot of work. This is why they are called asynchronous. The attackers send small packets and receive big ones. The processing occupies the target’s resources. 

Clients of Imperva had a rough start of the year. First, a strong attack of 500 million packets a second in January. It was considered one of the largest PPS (Packets Per Second) attacks known.

Later, on the 30th of April 2019, another client of theirs got attacked with 580 million PPS.

In September 2019, there was another strong attack that was targeting Wikipedia. The popular site didn’t provide information about the magnitude of the attack, but it was down for several hours on different continents.

The AWS Attack 2020

Amazon Web Services (AWS) fell prey to a DDoS attack in February 2020, which peaked at 2.3 terabits per second. The attack was of the Connectionless Lightweight Directory Access Protocol (CLDAP) Reflection type, a common DDoS attack method that amplifies the traffic. Despite the intensity, Amazon successfully mitigated the attack, preventing any significant interruption to its services.

Cloudflare Attack 2020

In August 2020, Cloudflare, a leading DDoS mitigation service, experienced a significant DDoS attack itself. Peaking at 754 million packets per second, it became one of the largest PPS-focused DDoS attacks in history. Remarkably, Cloudflare was able to thwart the attack in seconds using automated systems. However, the incident underscored the evolving complexity of DDoS attacks, showing that even cybersecurity specialists are not immune.

2023 Trends

What can we expect this year? 

• Attacks with a smaller bandwidth, but intense with a high PPS number. The cybercriminals are changing their strategies.

• Increase in the duration of the attacks. Some, they can go for weeks. DDoS protection solutions should be able to withstand longer than before.  

• More sophisticated attacks. It is not just about the volume anymore. For example, the exploit can happen through a different port. 

• More botnets are emerging. There is already a new version of Mirai, new botnet Cayosin, and the IoT number of devices is increasing, and with this, the number of botnet devices.

According to Cisco’s projections, the global landscape for DDoS attacks is expected to witness a significant escalation, with the number of attacks doubling to approximately 15.4 million by 2023. This alarming surge underscores the growing threat of cyberattacks and emphasizes the imperative for organizations to fortify their cybersecurity measures to safeguard against this evolving menace. Since 2018, DDoS attacks have become increasingly prevalent, highlighting the pressing need for proactive defense strategies in the digital realm.

Source: Cisco Annual Internet Report, 2018–2023

How to protect from DDoS attacks?

You can use a DDoS protected DNS plan. Such a plan will include different DDoS protected servers and many Anycast locations. This will do a load balancing that will help you reduce the traffic and spread it to different servers. This way the intense wave of traffic can be reduced and your servers can withstand the DDoS attack.

Protect from DDoS attacks!

Conclusion

The DDoS attack won’t stop, nor will they be lighter. If your business demands your website to be up 100% of the time, you better be prepared with the right security measures.

The post Most significant DDoS attacks in the recent years (UPDATED 2023) appeared first on ClouDNS Blog.