Recently we had a DDOS attack on a system we manage for one of our clients. The image above shows the different places the attacks were coming from. But before we get into all that, a little bit about what DDOS means:
Denial of Service is a form of attack which takes advantage of the capacity limit of your application and infrastructure. Imagine a system that hosts a website. The architecture of the system (RAM, processor, load balancing, etc.) means there is a limit to the number of requests it can handle at the same time. Let's assume it can handle 1,000 requests per minute, i.e. 60,000 requests per hour. That is a decent number, assuming your website gets good traffic. All an attacker has to do is send a huge number of requests to your system, and your system will be so busy answering them that it can't handle the genuine requests that come its way. Those genuine requests may see long waiting times or even time out. The obvious, easy fix is to block requests coming from that specific IP, so that your system is back in action. That's where a Distributed Denial of Service (DDOS) attack comes in: the requests come from a large number of infected machines, each of them making many requests to your server, so there is no single IP to block.
Back to the attack we faced. As you can see, it originated from far too many places for us to sit and block IPs manually. At one point we were getting 20 million requests per hour, far more than what our humble system could support. So what can one do in such a case?
1. Firstly, stay calm; it's not the end of the world.
2. Understand that this is a network issue, and you can't tackle it at the OS or application level. Even if you block these requests at the OS or application level, your system will still be busy receiving and rejecting them. You need to tackle this at the network level. Speak to your provider and see if they have a specific plan for managing DDOS attacks.
3. Look into services like Sucuri or Cloudflare. These let you point your domain at them; they then fetch the content from your server seamlessly, and the end user is not even aware of it. They also cache your content for faster delivery. But above all, they help manage network traffic: you can block traffic from specific countries, or allow traffic only from a specific country, reducing the scale of the attack. They also help mitigate the DDOS attack by blocking a large share of these requests based on their filters and algorithms.
4. If you use AWS, they have a "Shield Advanced" service which you can use; however, it's expensive.
5. The above may or may not work. Sometimes you have to wait for the storm to pass and, even though it seems like a horrible idea, maybe even shut down your services for a few days to make the DDOS attack ineffective.
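To make the single-IP versus distributed distinction from the explanation above concrete, and the per-country view that services like Cloudflare let you act on, here is an added example (not code from the original post, and not any provider's tooling). It reads web server access log lines, buckets requests per minute against the post's assumed capacity of 1,000 requests per minute, and reports whether an overloaded minute is dominated by one source (blockable at the host) or spread across many sources (where filtering has to move upstream to the provider or CDN). The log lines, the IP addresses, the 50% single-source threshold and the prefix-to-country table are all constructed for the example; a real deployment would use a GeoIP database instead of the table.

```python
"""Classify a traffic spike from access logs: single-source DoS vs distributed
flood, with a per-country breakdown. Added example; all sample data is constructed."""
from collections import Counter, defaultdict
import re

# Assumed capacity, taken from the post's worked numbers: 1,000 requests/minute.
CAPACITY_PER_MIN = 1000
# Assumption: if one address sends at least this share of an overloaded minute,
# treat it as a single-source DoS that host-level IP blocking can handle.
SINGLE_SOURCE_SHARE = 0.5

# Apache/nginx "common" log format: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed /24 -> country table standing in for a GeoIP database.
PREFIX_COUNTRY = {"203.0.113": "AA", "198.51.100": "BB", "192.0.2": "CC"}


def parse_line(line):
    """Return (ip, minute_bucket) for a valid log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")                 # e.g. 10/Oct/2023:13:55:36 +0000
    minute = ts.split()[0][:-3]        # drop ":SS" -> per-minute bucket
    return m.group("ip"), minute


def country_of(ip):
    """Look up the constructed /24 table; unknown prefixes map to '??'."""
    return PREFIX_COUNTRY.get(ip.rsplit(".", 1)[0], "??")


def analyse(lines, capacity=CAPACITY_PER_MIN):
    """Per minute: total requests, distinct sources, top talker, country split, verdict."""
    per_minute = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, minute = parsed
            per_minute[minute][ip] += 1

    results = {}
    for minute, by_ip in per_minute.items():
        total = sum(by_ip.values())
        top_ip, top_count = by_ip.most_common(1)[0]
        by_country = Counter()
        for ip, n in by_ip.items():
            by_country[country_of(ip)] += n

        if total <= capacity:
            verdict = "normal"
        elif top_count / total >= SINGLE_SOURCE_SHARE:
            verdict = "single-source: block %s at the host/firewall" % top_ip
        else:
            verdict = "distributed: %d sources, push filtering upstream (provider/CDN)" % len(by_ip)

        results[minute] = {
            "total": total, "sources": len(by_ip), "top_ip": top_ip,
            "top_count": top_count, "by_country": dict(by_country), "verdict": verdict,
        }
    return results


def make_sample():
    """Constructed log lines: one minute flooded by a single IP, one by many, one quiet."""
    tmpl = '%s - - [10/Oct/2023:13:%02d:%02d +0000] "GET / HTTP/1.1" 200 512'
    lines = []
    for i in range(1200):                      # minute 55: 1,200 from one address...
        lines.append(tmpl % ("203.0.113.7", 55, i % 60))
    for i in range(300):                       # ...plus 300 from 200 others
        lines.append(tmpl % ("198.51.100.%d" % (i % 200 + 1), 55, i % 60))
    for i in range(2000):                      # minute 56: 2,000 from 250 addresses, 8 each
        lines.append(tmpl % ("192.0.2.%d" % (i % 250 + 1), 56, i % 60))
    for i in range(400):                       # minute 57: 400 ordinary requests
        lines.append(tmpl % ("198.51.100.%d" % (i % 50 + 1), 57, i % 60))
    return lines


if __name__ == "__main__":
    for minute, r in sorted(analyse(make_sample()).items()):
        print(minute, r["total"], "reqs from", r["sources"], "sources", r["by_country"], "->", r["verdict"])
```

The verdicts map onto the advice in the list: a minute dominated by one address is a plain DoS you can stop with a host or firewall rule, while a minute over capacity with every source well under the threshold is the distributed case where local blocking only keeps the box busy rejecting traffic, and the country split tells you whether a geographic block or allow-list at the CDN would remove most of the load.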
In our case Cloudflare helped mitigate a lot of these attacks, but the few that still managed to get through were enough to take the services down. However, by using Cloudflare we made the attack ineffective, as the attackers would have noticed that most of their requests were being blocked. It's possible this was an extortion attempt (demanding money in exchange for stopping the DDOS attack), but our client never got contacted. We are just glad that this got resolved, and the attacks went away after two days!
Credit: Image is a snapshot which uses OpenStreetMap https://www.openstreetmap.org/copyright