As the country, so the DOS attacks
Every week at least one socio-political Internet resource announces that it has survived a DOS attack. Different sites solve the DDOS problem differently. Some "fight it off" on their own, others bring in their providers, and still others "lie down" and wait "until this is all over."
But all are united by one burning desire: to find the villain. And also: how to prevent a DDOS next time? And even if the first desire subsequently loses relevance, the question of “how to defend oneself from an attack” is permanent.
“ProIT” asked Alexander Olshansky, deputy chairman of the board at InAU (Internet Association of Ukraine), to answer these questions. Moreover, he can consider the problem from different sides - as the president of Ukraine’s largest hosting provider, MiroHost.net, and as a member of the board of InAU, the most authoritative organization dealing with acute problems in Uanet.
- Alexander, sorry for the primitive first question, but still: is it possible to “fight off” a DOS attack with minimal losses?
- But not everyone in Ukraine does it ...
- Why? Some of our clients have “fought back”, and more than once. In Ukraine, there are no attacks with a capacity of more than one million packets per second. I have not seen such a DDOS in Ukraine. For our country, figures on the order of tens of thousands of packets per second are more typical.
- A million - that is something outrageous.
- No, it is not. For Russia, for example, the characteristic value may be on the order of one megapacket per second (if this is a serious attack). If we talk about the world, the power of attacks can be even greater. Therefore, there are companies in the world that protect against DOS attacks. We had the idea of providing such a service in Ukraine. But the problem is that there is no effective demand here. Most of the attacks that we face are directed at sites paying $8-10 per month for virtual hosting. And our offer, in connection with a DDOS, to switch to at least a dedicated server for $50-70 per month is met with a categorical refusal. Accordingly, such sites are not willing to spend any money at all on protection against DOS attacks.
- And if you provided the DDOS protection service, would it be necessary to be hosted with you (MiroHost.net - ed.)?
- No. It depends on the technology. But in general, this is a desirable, but optional condition.
- And how many customers should there be in order for such a service to “work”? 10-100-1000?
- More than 100, at a service price of $200-300 per month. That is, maintaining the infrastructure for fighting DDOS requires $20-30 thousand per month.
- Do such companies work in Russia?
- Such companies work everywhere. You can buy such a service abroad right now. Only it will cost not $300, but $3-5 thousand per month. But then you will be shielded from DDOS so well that only a nuclear war will be a danger to the site.
- And what is the logic of such protection? Is it clear?
- Perfectly clear. This is a known method. Suppose there is a certain service provider. He has a set of IP addresses. This provider, for example, puts its routers and servers with a firewall at 100 nodes worldwide. Accordingly, he tunnels his traffic through closed encrypted tunnels to these points. And the addresses are announced to the outside world from these points (this is about BGP announcements). That is, from a technical point of view, it looks as if this provider is connected by wires to these 100 points directly. Suppose each connection can handle 10 gigabits of traffic, including “parasitic” traffic. Accordingly, the total capacity is one terabit. This means that an attacker needs to generate a stream of one terabit (or about 100 megapackets) in order to “hammer” such a system. Next, firewalls at each connection point filter the traffic, throwing out the "garbage". And the traffic cleared of DDOS is delivered to the protected server over an encrypted channel. I am describing it quite simply, but the principle is clear. The root DNS servers, for example, are protected similarly, in a slightly modified form. There are regular attempts to attack them, relatively speaking, for "training" purposes. I do not remember the exact data, but in 2007 the largest DOS attack was about 40 megapackets per second. I think that now these values fluctuate around 100 megapackets.
DOS attacks are a big criminal business. In fact, in most cases they are associated with extortion. We host sites from which, I know for sure, money has been extorted. Usually, online stores and online casinos are chosen as “targets”, as are large information resources - projects for which losing contact with users on the Internet means rapid and large losses. So, on the eve of March 8, most Ukrainian sites that sell flowers were "down." (To the credit of our company, I note that at the same time we managed to keep a similar resource hosted by MiroHost.net in working condition.)
- For Ukraine, however, a small attack is enough.
- It depends for whom. But it is clear that this is a question of money. The attacker needs to spend a significant amount of money. Organizing a small attack is easy and cheap, for example, through some kind of forum. But creating a truly large-scale attack is a very risky business. In the world there are many paid detective agencies that specialize in the Internet.
- Are they looking for an attacker? How?
- Yes, they are looking, but as a rule not by technical means, but through an agent or, for example, by offering money for information about the organizer of the attack. And tomorrow the organizer will be given up by his own people, because an attack cannot be organized alone.
- Well, why not: you launch Trojans, breed "robots" and attack ...
- But did someone write this Trojan? And someone wrote the library, and someone wrote the compiler, and someone maintains the forum through which the customer communicated with the organizer.
The stories that the attacker is undetectable are not true. Yes, it is expensive, but possible. If we are talking about serious global Internet resources, the consequences are also very serious. For example, the customer may be charged with this crime in a country where it carries 25 years of imprisonment.
- When the next DOS attack begins on us, the first thought is: to find the one who ordered ... well, and then the list goes on ...
- If we are talking about small DOS attacks, here, as experience shows, the organizer often turns out to be a 15-year-old child who decided to “play around.” Although that does not make it any less dangerous.
- Let me put the question differently. Suppose we model this situation: the state machine exerts itself, and a technician and a policeman come to the infected computers. They find out where the computer was infected from, and so on down the chain ....
- It will not help.
- Because of the stupidity of the state machine, or because it is impossible in principle?
- We need a very specialized tool. That is why there are companies in the world that specialize in this. Going around with a policeman also costs money. And $50 was paid for this attack.
- Well, $ 500 is still more common.
- $500 is already a cheap attack. And if you go by standard methods, then it may turn out that you will have to spend $500 thousand on the search. There are two ways to find a customer: you can arrange this whole investigation for $500 thousand. Or you can, on the same forum where these DDOS attacks are sold, promise $5 thousand for information about the organizer.
In fact, this is one of the most effective methods. The people who sold or leased a botnet (a network of computers infected with a virus - ed.) to the customer will themselves “hand over” the customer. Because apart from money, they are not interested in anything. Nothing personal.
- In the same context, but somewhat different. How does the hosting provider feel during an attack?
- It feels bad. The hosting provider has the following alternatives. A - turn off the site that is being DOSed. B - protect the site free of charge. And C - protect it for money. In most cases, option A is chosen, since B is unprofitable, and the customer is not ready to pay for C. In turn, MiroHost.net tries to minimize the impact of DDOS on its clients, as far as our infrastructure allows. And in many cases we succeed. However, to protect against large DOS attacks, a specialized service is needed at a price that is significantly higher than the price that customers are willing to pay today.
- Can a hosting provider get involved in a $ 5,000 protection scheme and protect all of its sites?
- For $5 thousand it cannot, but for $50 thousand or $500 thousand it can. I have already said that maintaining a minimum infrastructure for protection against DDOS costs tens of thousands of dollars per month. And if you buy this service from a third-party provider, it will be even more expensive. For example, for a hosting company of our level, at Western commercial rates, such a service will cost more than $200 thousand per month. And again, there is no point in this, since the majority of clients are not ready to pay for it. Well, let's say, why would the site “About my beloved cat” need DDOS protection? If someone wants to spend $50 and “turn it off” for 2 hours, then there is no point in preventing that.
- That is, usually sites are disabled?
- I repeat: it all depends on the resource itself. In the West, hosters treat this as follows: if you have an Internet business, pay for anti-DOS protection. In fact, this is insurance. After all, there is no company that can protect you from a brick falling on your head. But there is a company that offers you insurance. Here it is the same scheme. If you have a website and you consider it important to protect yourself from attacks, then you pay specialized companies, just as you pay for antivirus.
Hosting providers, as a rule, have nothing to do with this. Some hosters, however, provide this service in a hosting package. But in fact these are two different services. And since the price of anti-DOS protection is usually much higher, we can assume that hosting is provided free of charge within this service. So the creation of secure networks is a big, fast-growing business in the world. We also investigated the possibility of providing such a service in Ukraine, but, as I said, the market does not yet exist.
- Because there have been no super-attacks in Ukraine?
- Rather, because there is little money in Uanet. The cost of security is proportional to the amount of money that circulates on the Internet. As soon as your site starts to earn $300 thousand per month, I am sure that those who wish to “milk” you will be found. I believe that in Ukraine there are no more than 50 truly profitable Internet projects (offhand), but perhaps even fewer. But when there are 500 or 5000 such projects, then the market will appear. But it will not be tomorrow. Maybe in three years or even in five.
- Maybe this sounds pompous ..., but still, about information security. After all, for a little money, you can take down all government agencies. And maybe the whole country.
- Yes, in the modern world, this is a weapon. Here, for example, if you remember the war in Georgia ... In fact, for a period of time, the Georgian sites were not available. If we talk about Ukraine, then it is impossible to “dump” it the way Georgia or Estonia were “flooded” at one time. Ukraine is much better connected to the global Internet; we have more channels, and they are more diverse. And Georgia was connected by only two channels. And one of those was not very good.
Although I see no reason to relax. Given our size, such an attack will cost significantly more, and it is more difficult to organize. But it all depends on who is "on the other side." If these are amateurs, then, most likely, they cannot cope with Ukraine. But if we consider this problem from the point of view of state security, that is, assume that the attack will be organized by a likely external opponent, then Ukraine today is “naked”. In fact, there are very few "non-smoking" countries. It is clear that the Americans are able to do something, and the British are able to do something, and the Europeans, and, perhaps, the Russians. But it costs money, and a lot of it. For some reason, people take security on the Internet for granted. And it is not. No one is surprised that you need to put an alarm on the car and buy insurance. And insurance costs 5% of the cost of the car. And the alarm - 1-2%. Here it is the same. Over time, people will realize that on the Internet they have to bear the same cost of security as in real life. I think that in Ukraine such a time will come in five years. By the way, this market is free. Any company can try its luck in this business. There is not even much need to hurry. But I think that in five years it will be a big market. Today, the turnover of Uanet is estimated at $10-20 million per year, that is, 1-2% will be $100-200 thousand - and this is all that the security market can claim. This is practically nothing. And it is impossible to build a company with this money. But if you take, for example, Russia, where market turnover is estimated at $1 billion, then 1-2% is already $10-20 million. So you should wait until Uanet grows at least 20 times.