By submitting your email address, you agree to receive follow up emails about RankSense’s products and services. You can opt out at any time by clicking the link in the footer of our emails. We share your information with our customer relationship management partners. For information about our privacy practices, please see our privacy policy
by Hamlet Batista | September 04, 2007 | 13 Comments
One of the side effects of success is that you need to worry about security. You see how celebrities have to walk around with bodyguards, their homes have state of the art alarm systems, and the paparazzi is still always looking for a chink in their armor.
The same thing happens online. The more successful you are, the tighter the security of your online assets has to be. (You don't want your competitor ending up with your customer list, do you?)
It is always a good idea to install firewalls, intrusion detection systems, and to have an experienced system administrator or a competent hosting provider that regularly patches your servers with the latest service packs and security updates. Having your site simply defaced is the “best-case scenario” of what could happen when your site's security is breached. It is incredible how hackers break into sites, steal customer information worth thousands of dollars and sell it for a few hundred bucks. Personally, I place decoys in my customer databases so that I can tell when/if this valuable information has been stolen.
Unfortunately there is a type of security attack that is extremely difficult to fight: a distributed denial of service (DDOS). On the up side, you know you are doing really well when hackers try this on you. 😉
What is a Distributed Denial of Service (DDOS) attack?
This is not a trivial attack by some script kiddie. DDOS is a serious and well-planned attack, usually with the purpose extorting ransom. The idea behind it is to exhaust the target server or network’s limited resources. Small attacks try to exhaust the server's CPU or memory by sending a lot of fake requests. The main challenge blocking the attacks is being able to detect legitimate traffic from harmful traffic.
When it is a single script kiddie running a script to send overwhelming requests to your server, it’s enough to block his or her IP. A distributed attack is a whole different ballgame. Distributed attacks scale to a proportion that, no matter what you do, once your bandwidth is exhausted and your system is unable to sustain the number of invalid packets, your network will crumble. SCO was a very notorious case of just this type of massive attack.
DDOS attackers start by spreading viruses or hacking many vulnerable systems, usually at universities where there are high bandwidth connections to the Internet. They install zombies or slaves that are commanded remotely, waiting for instructions. Once they have a sizeable number of infected systems, they assume control from a single master server, which is also a compromised/hacked system. They simply instruct the slaves to attack the IP address or range of IPs of the targeted victim.
A well-known program by security experts that is used for this purpose is the Trinoo or Trin00 program/trojan. A more complex type of DDOS attack involves IP spoofing, altering the source IP of the packets before they leave the attacker's network so that the victim has a really hard time filtering out the bad traffic. IP spoofing (faking IP addresses) is easier said than done, though. Most modern routers come with ingress/egress filtering rules, and TCP sequence numbers are stronger than in the old days. If you lost me there, don't worry, I will come back to this topic in a later post.
Don’t negotiate with terrorists
In October last year we experienced our first DDOS attack. After bringing down our primary and secondary server for several hours, we got an e-mail offering help. The e-mail read something along the lines of: “I'm chinese hacker. I stop attack for $10k”
I have to think that there are site owners that do send the $10,000 dollars. Otherwise, why would he ask for such a sum of money in the first place? But although we lost a lot of money having the server down, paying the hacker would have meant his inevitable return each month. You simply don’t negotiate with terrorists. I can't imagine what amount of brainwashing it would take for me to accept such a “deal.” But what were my alternatives?
I knew some larger affiliate networks that had faced similar problems and they went to a particular company that specializes in protecting companies from these types of attacks. We went knocking on their door, paid more than the hacker was asking plus a big monthly check, and we were supposedly safe after 48 hours of attack.
The attacker adjusted and, despite our expensive security, we were brought down again—a few more times. I commissioned my top systems guy to study some open source solutions and we built a solid framework after about a month. It is the same framework we still use today, and we haven't had any more successful attacks. Let me share it here so you know where to look it up if you ever need it.
Evasive maneuvers with mod_evasive
I am very thankful to the writers of this piece of art—mod_evasive has saved my company a lot of money during the year we have used it. It has been a blessing.
Put simply, it is a rate-limiting Apache module. If it receives more than a specified number of simultaneous requests, it will block the rest. You can return a forbidden status (HTTP 403) or you can setup iptables filtering rules to block the IP address completely. In our experience, there have been almost no false positives and the software scales as long as the server has the CPU and memory to handle the incoming requests.
The default values are reasonably good, but you can tweak them for maximum benefit.
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>
An extra layer of protection
The module alone is probably good for most setups, but in our case we wanted to be a little extra cautious. We installed the evasive module in a front-end server that is the only IP visible to all users. That server then passes the filtered requests back to the real servers via another great module: mod_proxy. This type of setup is called a reverse proxy server. There are many advantages to this approach:
You can have multiple, real servers and your setup can intelligently proxy the request to the available one.
You can cache the dynamic responses, reducing the CPU/memory load on the real servers.
The attackers don't know the real servers IPs. They might be able to successfully bring down the reverse_proxies+mod_evasive servers, but they need extra work to find the real ones. You can repl
ace the
proxies with new ones faster than you can real servers, if such a scenario ever happens. It hasn't happened to us.
I hope I didn't get too technical and you were able to follow most of what I discussed here. It is definitely interesting stuff. I can't say you will enjoy a DDOS if it happens to you, but think about it this way: you’re big enough to be attracting attacks. You’re a celebrity in your own right now. 🙂
Chief Executive Officer
Hamlet Batista is CEO and founder of RankSense, an agile SEO platform for online retailers and manufacturers. He holds US patents on innovative SEO technologies, started doing SEO as a successful affiliate marketer back in 2002, and believes great SEO results should not take 6 months
13
REPLIESRankSense automatically creates search snippets using advanced natural language generation. Get your free trial today.
What do you do when you’re losing organic traffic and you don’t know why?
Custom Python scripts are much more customizable than Excel spreadsheets. This is good news for SEOs — this can lead to optimization opportunities and low-hanging fruit. One way you can use Python to uncover these opportunities is by pairing it with natural language processing. This way, you can match how your audience searches with your...
READ POST
As we continue to improve the RankSense app for Cloudflare, we are always working to make the app more intuitive and easy to use. I'm pleased to share that we have made significant changes to our SEO rules interface in the settings tab of our app. It is now easier to publish multiple rules sheets and to see which changes have not yet been published to production.
READ POSTFor the following Ranksense Webinar, we were joined by Antoine Eripret, who works at Liligo as an SEO lead. Liligo.com is a travel search engine which instantly searches all available flight, bus and train prices on an exhaustive number of travel sites such as online travel agencies, major and low-cost airlines and tour-operators. In this...
READ POST
Jez
September 4, 2007 at 5:46 am
Hi Hamlet, Is this countermeasure just designed to stop your servers being knocked over as opposed to dealing with a sustained barrage of requests? Perhaps that type of 'sustained' attack is out-moded now IP spoofing is more difficult??? This is a very interesting post!
Hamlet Batista
September 6, 2007 at 5:25 am
Jez - this technique is very scalable. Another reason I separate the protection from the real server is that the real server is usually CPU and memory intensive, while the protection requires minimum. Ultimately your server hardware and available bandwidth will determine the size of the attacks you can handle.
Protecting Your Site from DDOS Attacks ::
September 4, 2007 at 9:42 am
[...] Success Means Security: How to protect your most profitable web sites from distributed denial of ser... Subscribe! Social Bookmark This! These icons link to social bookmarking sites where readers can share and discover new web pages. [...]
Indiana Jones
September 4, 2007 at 12:18 pm
Usually a hardware firewall is a better solution.
Jez
September 5, 2007 at 2:43 am
A firewall can protect against DDOS?
Hamlet Batista
September 6, 2007 at 5:28 am
There are hardware solutions to DDOS, but my problem with them is flexibility and cost. It is usually easier and cheaper to add more memory and CPU to a Linux server than to a Cisco device. You also don't need an expensive support contract to upgrade the software ;-)
Sharingmatters.com
September 4, 2007 at 11:37 pm
Hi Hamlet. Can you recommend any hosting company that you think is quite safe and protects against different attacks? Your solutions are for dedicated servers but still many people use standard hosting packages.
Jez
September 5, 2007 at 2:47 am
One company I had a dedicated server with said something along the lines of "if you suffer DDOS attacks we will terminate your contract, burn your data to DVD ROM and send it to you in the post"... i.e. that hosting company could not handle sustained DDOS attacks. This was a few years ago when there seemed to be no answer to the problem... they were actually a very good company.... not idiots by any stretch... they were one of the only companies I saw at the time that actually had a policy covering DDOS.
Hamlet Batista
September 6, 2007 at 5:34 am
Many hosting companies have in their TOS a termination clause if you are caught spamming or facing a DDOS attacks. The problem is that those attacks usually affect all of their clients.
Hamlet Batista
September 6, 2007 at 5:31 am
Paul - I only use dedicated and co-located servers so I don't know where to point you. On the other hand, if you are using shared hosting (and you are not upsetting someone) you are probably not an interesting target for these attackers.
Florchakh
September 5, 2007 at 12:13 pm
What a great comprehensive post, I was looking for it* * - sounds spammy but this time I'm serious, I was in dramatical need of getting the DDOS problem solved and I do think your post helped a lot!
Hamlet Batista
September 6, 2007 at 5:32 am
Bart - let me know how it works for you
Jez
September 12, 2007 at 7:08 am
Well we just suffered a "suspected" DDOS attack... have yet to prove this but we lost service several times due to a series of spikes in the volume of requests. Having read this post a few days ago installing this module was on my list of things to do... following our recent problems we installed it in a bit of a hurry (without proper testing :-( )! It will be interesting to see the results!