As the country is, so are its DOS attacks
Every week at least one socio-political Internet resource reports a DOS-attack that it has experienced. The problem of DDOS varies from site to site. Some "fight it off" on their own, others bring in their providers, and others "lie down" and wait "until it all ends."
But all are united by one burning desire: to find the culprit. And also: how to prevent DDOS next time? And even if the first desire subsequently loses relevance, the task of "how to protect yourself from attack" is permanent.
"ProIT" put the question to the deputy chairman of the board of InAU (Internet Association of Ukraine), Alexander Olshansky. He can consider this problem from different sides: as the president of MiroHost.net, the largest hosting provider in Ukraine, and as a member of the board of InAU, the most authoritative organization dealing with acute problems in Uanet.
Started not low:
- Alexander, sorry for the primitive first question, but still: is it possible to "fight off" a DOS-attack with minimal losses?
- But not everyone in Ukraine does it ...
- Why? Some of our clients have "fought back", and more than once. In Ukraine, there are no attacks with a capacity of more than a million packets per second. I have not seen such a DDOS in Ukraine. For our country, the figures are usually about tens of thousands of packets per second.
- One million is something otherworldly.
- No, it is not otherworldly. For Russia, for example, the characteristic value can be of the order of one megapacket per second (if it is a serious attack). If we talk about the world, then the power of attacks can be even greater. Therefore, there are companies in the world that protect against DOS attacks. We had an idea to provide such a service in Ukraine. But the problem is that there is no effective demand yet. Most of the attacks we face are aimed at sites that pay $8-10 per month for virtual hosting. And to our proposal, in connection with DDOS, to move at least to a dedicated server for $50-70 a month, they answer with a categorical refusal. Accordingly, such sites are not ready to spend any money at all on protection against DOS-attacks.
- And if you provided a DDOS protection service, would the client have to be hosted with you (MiroHost.net - ed.)?
- No. It depends on the technology. But in general, this is a desirable, but not necessary, condition.
- And how many customers should there be for such a service to "work"? 10-100-1000?
- More than 100 at a service price of $200-300 per month. That is, maintaining the infrastructure to combat DDOS requires $20-30 thousand per month.
- Do such companies operate in Russia?
- Such companies work everywhere. You can buy this service abroad right now. Only it will cost not $300, but $3-5 thousand per month. But you will be protected from DDOS so well that only atomic war will be frightening.
- What is the logic of such protection? Is it clear?
- Absolutely clear. This is a known method. Let's say there is a service provider. It has a set of IP addresses. This provider places its routers and servers with firewalls at, for example, 100 nodes around the world. It then tunnels its traffic to these points through encrypted tunnels. And it announces itself to the outside world from them (this refers to BGP announcements). That is, from a technical point of view, it looks as if this provider is connected by wires to these 100 points directly. For example, each connection can process 10 gigabits of traffic, including "parasitic" traffic. Accordingly, the total capacity is one terabit. Hence, to "clog" such a system, an attacker needs to generate a one-terabit stream (or about 100 megapackets). Next, the firewalls at each connection point filter the traffic, throwing out the "garbage". And the traffic cleared of DDOS is delivered to the protected server over the encrypted channel. I am describing this rather simply, but the principle is clear. The root DNS servers, for example, are protected similarly, in a somewhat modified form. They are regularly attacked, relatively speaking, for the purpose of "training". I do not remember the exact data, but as of 2007 the largest DOS-attack was about 40 megapackets per second. I think that now these values fluctuate around 100 megapackets.
DOS-attacks are a big criminal business. In fact, in most cases it involves extortion. On our hosting there are sites from which, I know for certain, money was extorted. Usually the "targets" chosen are online stores, online casinos and large information resources - projects for which losing contact with users on the Internet threatens quick and big losses. So, on the eve of March 8, most Ukrainian sites selling flowers were "down". (To the credit of our company, I note that at the same time we managed to keep a similar resource, hosted by MiroHost.net, in working order.)
- For Ukraine, however, even a small attack is enough.
- It depends for whom. But it is clear that this is a question of money. The attacker must spend a considerable amount of money. Organizing a small attack is easy and cheap, for example, through a forum. But creating a really big attack is a very risky business. In the world, after all, there are many paid detective agencies that specialize in the Internet.
- Are they looking for the attacker? How?
- Yes, they are looking, but usually not by technical means, but through agents or, for example, by offering money for information about the organizer of the attack. And tomorrow the organizers are given up by their own people. Because it is impossible to organize it alone.
- Well, why not: launch the Trojans, build "robots" and attack ...
- But someone wrote this Trojan? And someone wrote a library, and someone wrote a compiler, and someone maintains a forum through which the customer communicated with the organizer.
The stories that an attacker cannot be identified are untrue. Yes, it's expensive, but possible. If it is a question of serious world Internet resources, then the consequences are also very serious. For example, the customer can be charged with this crime in a country where it carries 25 years of imprisonment.
- When the next DOS attack begins on us, the first thought: to find the one who ordered ... well, further down the list ...
- If we are talking about small DOS-attacks, then, as experience shows, the organizer is often a 15-year-old kid who decided to "fool around." Although this does not make the phenomenon any less dangerous.
- Let's put the question in a different way. If we simulate such a situation: the state machine makes an effort, and a technician and a policeman come to the infected computers. They find out where the computer got infected, then further down the chain ....
- It will not help.
- Because of the stupidity of the state machine, or because it is impossible in principle?
- We need a very specialized tool. That is why there are companies in the world that specialize in this. Going around with a policeman also costs money. And for this attack they paid $50.
- Well, $500 is still more common.
- $500 is not an expensive attack. And if you go by standard methods, it may turn out that you need to spend $500 thousand on the search. There are two ways to find the customer: you can arrange this whole investigation for $500 thousand. Or, on the same forum where these DDOS are sold, you can promise $5 thousand for information about the organizer.
In fact, this is one of the most effective methods. The people who sold or rented a botnet to the customer (a network of computers infected with a virus - ed.) will themselves "surrender" him. Since, apart from money, they are not interested in anything. Nothing personal.
- In the same context, but somewhat different. How does the hosting provider feel during an attack?
- It feels bad. The hosting provider has the following alternatives. A - turn off the site that is under attack. B - protect the site that is under attack free of charge. And C - protect it for money. In most cases, option A is chosen, since B is unprofitable, and the customer is not ready to pay for C. In turn, MiroHost.net tries to minimize the impact of DDOS on its customers, as far as our infrastructure allows. And in many cases we succeed. However, to protect against large DOS-attacks, a specialized service is required at a price much higher than the price that customers are willing to pay today.
- Can a hosting provider join the protection scheme for $5000 and protect all of its sites?
- For $5 thousand it cannot, but for $50 thousand or $500 thousand it is possible. I have already said that maintaining the minimal DDOS protection infrastructure costs tens of thousands of dollars a month. And if you buy this service from a third-party provider, then it will cost even more. For example, for a hosting company of our level, at Western commercial rates such a service will cost more than $200,000 per month. Again, there is no point in this, since most customers are not ready to pay for it. Well, let's say, why provide DDOS protection for the site "About my favorite cat"? If someone wants to spend $50 and "turn it off" for 2 hours, then there is no point in preventing it.
- That is, sites are usually disconnected?
- Once again I repeat: it all depends on the resource itself. In the West, hosters treat this as follows: if you have an Internet business, pay for anti-DOS protection. In fact, this is insurance. After all, there is no company that can protect you from a brick falling on your head. But there is a company that offers you insurance. It is the same scheme here. If you have a website and you consider it important to protect yourself from attacks, then you pay specialized companies, just as you pay for an antivirus.
Hosting providers, as a rule, have nothing to do with this. Some hosters, however, provide such a service in a hosting package. But actually these are two different services. And since the price of anti-DOS protection, as a rule, is much higher, it can be assumed that within the framework of this service hosting is provided free of charge. So creating secure networks is a big, fast-growing business in the world. We also explored the possibility of providing such a service in Ukraine but, as I said, there is no market yet.
- Because there have been no super-attacks in Ukraine?
- Speaking, because there is not enough money in Uanet. The cost of security is proportional to the amount of money that circulates on the Internet. As soon as your site starts to earn $300 thousand a month, I'm sure that those who want to "milk you" will be found. I believe that in Ukraine there are no more than 50 real Internet projects (on the phone), but perhaps even fewer. But when there are 500 or 5000 such projects, then the market will appear. But it will not be tomorrow. Maybe in three or even five years.
- Maybe this is high-flown ... but still, about information security. After all, for little money you can bring down all state bodies. And maybe the whole country.
- Yes, in the modern world, this is a weapon. For example, if you recall the war in Georgia ... In fact, for some time the Georgian sites were unavailable. If we talk about Ukraine, then it is impossible to "bring it down" the way Georgia was "brought down" or, in its time, Estonia. Ukraine is significantly better connected to the global Internet, we have more channels, and they are more diverse. And Georgia was connected by only two channels. And even then, one of them was not very good.
Although I see no reason to relax. Given our size, such an attack will cost significantly more, and it is more difficult to organize. But here everything depends on who is "on the other side." If they are amateurs, then, most likely, they cannot cope with Ukraine. But if we consider this problem from the point of view of state security, that is, assume that the attack will be organized by a probable external enemy, then Ukraine is today "naked". In fact, there are very few "bare" countries. It is clear that the Americans have something to do, and the British are able to do something, and the Europeans, and perhaps the Russians. But it costs money, and a lot of it. For some reason, people perceive security on the Internet as something self-evident. And this is not so. No one is surprised that you need to put an alarm on a car and buy insurance. And insurance costs 5% of the cost of the car. And the alarm system is 1-2%. It is the same here. Over time, people will realize that on the Internet they have to bear the same security costs as they do in real life. I think that in Ukraine this time will come in five years. By the way, this market is free. Any company can try its luck in it. There is not even a need to rush much. But I think that in five years it will be a big market. Today, the turnover of Uanet is estimated at $10-20 million per year, that is, 1-2% will be $100-200 thousand - and that's all that the security market can claim. It's almost nothing. And it is impossible to build a company on this money. But if you take, for example, Russia, where market turnover is estimated at $1 billion, then 1-2% is already $10-20 million. So it is necessary to wait until Uanet grows at least 20-fold.