Distributed denial of service protection

The background of this article is the current Russia conflict, which is causing DoS and DDoS attacks to increase.

Table of Contents

What is a DoS or DDoS?

We explain these and similar attacks in our Denial of service attack and Distributed reflective denial of service articles and go into the techniques of the individual scenarios there.

Protection options

One way to protect yourself from DoS attacks is to have a firewall in front of your servers and not just on local systems. Preferably beforehand at the network level before requests to the reverse proxy with a Web Application Firewall (WAF) coming.

Behavior-based rules can be implemented on both firewalls to prevent unwanted actions on the server itself.

Rate limiting with the WAF, upstream load balancers and a horizontally scaling cluster complete the overall picture.

A DDoS can be prevented with it. Of course, this is again a question of money and the technical know-how you need for the configuration and maintenance of the individual technologies.

That's why many resort to external providers for something like this. For example Cloudflare, to name one of the largest providers. But Google with Project Shield also offers this service free of charge for a certain group of users.

However, this does not mean that at least some of the protection mechanisms mentioned above are not implemented. True to the motto defense in depth, take as many measures as possible without losing the usability of the services.

Run through attack scenarios under realistic conditions?
You can do it legally in our holistic hacking lab!
To the Junior Penetration Tester course

Cloudflare

Cloudflare offers several models ranging from $0 to $200 per month. You can also get special offers here.

Create an account

As always, the process begins with account creation. About the Cloudflare Dashboard you can register.

Steps with Cloudflare

Immediately afterwards you should add your website. The root domain is meant here, i.e. without www e.g. Cylinders, Dishes, prosec-networks.com. The same mask then opens again in order to enter further domains. After all domains have been added, continue with the settings.

site setup

On the left up Websites click and in the new mask -Setup .

Steps with Cloudflare

Here at the latest you have to decide on a tariff.

Steps with Cloudflare

After the tariff choice comes the DNS configuration.

Here you have to check which A , AAAA and CNAME entries should be protected.

Steps with Cloudflare

Once the registrations are made, you have to change the name servers in your domain registrar to Cloudflare's. The domain registrar is usually the provider from which the domain was purchased.

Steps with Cloudflare

Changing the name servers can take up to 24 hours.

Depending on the booked tariff, you can then adjust the rules.

Configure DDoS L7

Back to the beginning

If you no longer want to protect a domain with Cloudflare, you can stop the protection in the settings or remove it completely from Cloudflare.

The Advanced Actions area is a bit hidden, at the bottom right.

Project Shield with Google

Project Shield has no plans, it's free.

There is only one condition, you must be "qualified" to use it.

Project Shield with Google

Because state authorities use this service, we do not disclose any further information here.

More information is available at projectshield.withgoogle.com .

Further measures on the firewall

The Cloudflare protection is good, but if the actual public IP of the web server is known, the best protection is useless because it can be bypassed.

On the firewall in front of or from the web server itself, only data traffic from the DDoS provider and your own IP addresses should be allowed, so that the protection does not bypassed .

Further actions in the DNS

Any entries for other services running on the same IP should be removed. If possible, these should be addressed directly via the IP. Something like that must also be considered when configuring the local firewall. Alternatively, Cloudflare offers the Spectrum service for all payment tariffs. This enables services like SSH and FTP too proxies and route through Cloudflare.

In addition, the wildcard entries for the domain should be removed, as this will reveal the public IP.

Further measures on the web server

After switching to a DDoS protection provider, the public IP address should be changed if possible. Such information can sometimes still be obtained years later from historical data. As we all know, the internet never forgets. Certificates and the source code should also be free of the IP address.

The website should also only be accessible via HTTPS, so port 80 can be closed completely.

Furthermore, it should be noted that the Apache web server must be able to resolve the host name from the VHOST configuration. That's why you shouldn't use the default configuration, but create an independent one, only for this domain, and create an entry for yourself in the hosts file.

Further measures with the help of the provider

The provider can also provide active support during a DDoS attack. By activating blackhole routing, you can use the Border Gateway Protocol (BGP) to keep entire autonomous systems (AS) away from your own services. Accidentally eg Meta that in October 2021 done. For blackholing via BGP you need the data from your provider, they usually have their own AS. Using ASNlookup you can find out the AS number using the IP or the company name.

The provider can also provide active support during a DDoS attack.

The owner of the AS can then block the traffic to the attacked IP or, to be more precise, let it run into a black hole. Of course, one can also try to identify the AS of the attacker and block it, but this means that many uninvolved parties will no longer be able to access their own services.

This should be the last measure you take to protect yourself. However, it is the most effective since the data traffic is already discarded in the attacker's AS. This protection requires increased coordination and communication in advance with the provider.

Concluding Remarks

We recommend that you ensure that your online presence is fundamentally secured. When services don't work due to attacks, it always leaves a bad impression or, in the worst case, limits the ability to work. Even with simple and, above all, quick measures, you can massively increase the security of your services.

Don't want to waste time on your way to becoming a penetration tester?
In our courses, led by experienced penetration testers, you will learn everything you really need for this.
Go to the Junior Penetration Tester Intensive Course
Newsletter Form

Become a Cyber ​​Security Insider

Get early access and exclusive content!


OTHER CONTRIBUTIONS

Table of Contents

PSN_KU_Cover
NewsLetter Form Pop Up New

Become a Cyber ​​Security Insider

Subscribe to our knowledge base and get:

Early access to new blog posts
Exclusive content
Regular updates on industry trends and best practices


Please accept the cookies at the bottom of this page to be able to submit the form!