DoS and DDoS attacks: concept, types, methods of detection and protection. What is a DDoS attack, and what is used to carry one out?

More and more often, mentions of reflected DDoS attacks flash through hosting providers' official announcements. Increasingly, users who find their site unavailable immediately assume DDoS. Indeed, in early March the Runet experienced a whole wave of such attacks, and experts assure us that the fun is only beginning. A phenomenon this pressing, formidable and intriguing is impossible to ignore, so today let's talk about the myths and facts about DDoS. From the hosting provider's point of view, of course.

Memorable day

On November 20, 2013, for the first time in our company's 8-year history, our entire technical site was unavailable for several hours due to an unprecedented DDoS attack. Tens of thousands of our clients throughout Russia and the CIS suffered, not to mention ourselves and our Internet provider. The last thing the provider managed to record before the lights went out for everyone was that its input channels were completely clogged with incoming traffic. To visualize this, imagine your bathtub with its ordinary drain, into which Niagara Falls has been diverted.

Even the providers higher up the chain felt the echoes of this tsunami. The graphs below clearly illustrate what happened that day to Internet traffic in St. Petersburg and in Russia as a whole. Notice the steep peaks at 15:00 and 18:00, exactly when we recorded the attacks: a sudden extra 500-700 GB.

It took several hours to localize the attack. First the server it was directed at was identified, then the actual target of the Internet terrorists. Do you know who was hit by all this enemy artillery? One very ordinary, modest client site.

Myth number one: "The target of an attack is always the hosting provider. It's the machinations of their competitors, not mine." In fact, the most likely target of Internet terrorists is an ordinary client site. That is, the site of one of your hosting neighbors. Or maybe yours.

Not everything is DDoS ...

After the events on our technical site on November 20, 2013, and their partial repetition on January 9, 2014, some users began to suspect DDoS behind any isolated failure of their own site: "This is DDoS!" and "Do you have DDoS again?"

It is important to remember: if we face a DDoS serious enough that even customers feel it, we report it ourselves, immediately.

We want to reassure those who are in a hurry to panic: if something is wrong with your site, the probability that it is DDoS is less than 1%. Simply because a great many things can happen to a site, and that "great many things" happens far more often. We will talk about methods for quickly diagnosing on your own what exactly is happening with your site in one of the following posts.

In the meantime, for the sake of accurate word usage, let's clarify the terms.

About terms

A DoS attack (from the English Denial of Service) is an attack designed to make a server deny service because it is overloaded.

DoS attacks do not involve damaging equipment or stealing information; their purpose is to make the server stop responding. The defining feature of DoS is that the attack comes from one machine against another. There are exactly two participants.

But in reality we practically never observe DoS attacks. Why? Because the targets of attacks are most often industrial-grade facilities (for example, the powerful production servers of hosting companies), and to cause any noticeable harm to such a machine you need far more power than it has itself. That is the first thing. And secondly, the initiator of a DoS attack is fairly easy to identify.

DDoS is essentially the same as DoS, only the attack is distributed in nature. Not five, not ten, not twenty, but hundreds and thousands of computers access the same server simultaneously from different locations. Such an army of machines is called a botnet. It is almost impossible to identify the customer and the organizer.

Accomplices

What kind of computers make up a botnet?

You will be surprised, but often these are the most ordinary home machines. Who knows? Quite possibly your own home computer has been carried off to the side of evil.

Little is needed for this. An attacker finds a vulnerability in a popular operating system or application and uses it to infect your computer with a Trojan, which on a certain day and hour instructs your computer to start performing certain actions. For example, sending requests to a specific IP. Without your knowledge or participation, of course.

Myth number two: "DDoS is done somewhere far from me, in a special underground bunker where bearded hackers with red eyes are sitting." In fact, without knowing it, you, your friends and neighbors, anyone at all, can be an unwitting accomplice.

This really does happen. Even if you don't think about it. Even if you are terribly far from IT (especially if you are far from IT!).

Entertaining hacking, or the mechanics of DDoS

The DDoS phenomenon is heterogeneous. The concept combines many courses of action that lead to one result (denial of service). Let's consider the kinds of trouble DDoS'ers can present us with.

Overuse of server computing resources

This is done by sending packets to a specific IP whose processing requires a large amount of resources. For example, loading a page may require executing a large number of SQL queries. All the attackers request this particular page, which causes server overload and denial of service for regular, legitimate site visitors.
This is an attack at the level of a schoolboy who has devoted a couple of evenings to reading Hacker magazine. It is not a problem. The repeatedly requested URL is identified instantly, after which access to it is blocked at the web server level. And that is just one of the solutions.

Overload of communication channels to the server (outbound)

The difficulty level of this attack is about the same as the previous one. The attacker identifies the heaviest page on the site, and the botnet under his control begins to request it en masse.


Imagine that the invisible part of Winnie the Pooh is infinitely large
In this case it is also very easy to understand what exactly the outgoing channel is clogged with and to forbid access to that page. Requests of the same type are easy to spot with special utilities that let you look at the network interface and analyze traffic. Then a rule is written for the firewall that blocks such requests. All this is done regularly, automatically and so lightning-fast that most users are not even aware of any attack.
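A detection routine of the kind the two sections above describe (the same heavy page requested over and over by many clients, then blocked at the web server), written here as an added Python example rather than the hoster's own tooling; the log lines, thresholds, IP ranges and the nginx rule are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One combined-format access log line (Apache/nginx style), for example:
# 203.0.113.5 - - [20/Nov/2013:15:00:01 +0300] "GET /search.php?q=abc HTTP/1.1" 200 5123
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, epoch_seconds, path) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    # Bots often randomize the query string; the heavy page is identified by path alone.
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), ts, path


def find_flooded_paths(lines, window_s=10, min_requests=100, min_clients=20):
    """Return {path: (peak_requests_in_window, distinct_clients, top_client_ips)}
    for every path that receives a burst from many clients, i.e. the same URL
    being hammered by a botnet rather than by one misbehaving visitor."""
    by_path = defaultdict(list)  # path -> [(timestamp, client_ip), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, path = rec
            by_path[path].append((ts, ip))
    flagged = {}
    for path, events in by_path.items():
        events.sort()
        peak, left = 0, 0
        for right in range(len(events)):  # two-pointer sliding window over time
            while events[right][0] - events[left][0] > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        per_client = defaultdict(int)
        for _, ip in events:
            per_client[ip] += 1
        if peak >= min_requests and len(per_client) >= min_clients:
            top = sorted(per_client, key=per_client.get, reverse=True)[:5]
            flagged[path] = (peak, len(per_client), top)
    return flagged


def nginx_block_rule(path):
    """Emergency block for the flooded page at the web-server level (nginx syntax):
    status 444 makes nginx drop the connection without building a response."""
    return f"location = {path} {{ return 444; }}"


def build_sample_log():
    """Constructed sample: 30 bot IPs (TEST-NET-3, 203.0.113.0/24) each request
    /search.php five times within ten seconds, while three ordinary visitors
    (TEST-NET-2, 198.51.100.0/24) browse static pages over a minute."""
    t0 = datetime(2013, 11, 20, 15, 0, 0, tzinfo=timezone(timedelta(hours=3)))
    lines = []
    for i in range(30):
        for k in range(5):
            t = t0 + timedelta(seconds=(i + k) % 10)
            lines.append(f'203.0.113.{i + 1} - - [{t.strftime(TS_FMT)}] '
                         f'"GET /search.php?q=rnd{i}{k} HTTP/1.1" 200 51200')
    for j in range(3):
        for k in range(6):
            t = t0 + timedelta(seconds=10 * k)
            lines.append(f'198.51.100.{j + 1} - - [{t.strftime(TS_FMT)}] '
                         f'"GET /page{k}.html HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for path, (peak, clients, top) in find_flooded_paths(build_sample_log()).items():
        print(f"{path}: {peak} requests in 10 s from {clients} clients, top {top}")
        print("  suggested rule:", nginx_block_rule(path))
```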

Myth number three: "Attacks on my hosting are rare, and I always notice them." In fact, you cannot see or feel 99.9% of attacks. But the daily fight against them is the day-to-day, routine work of a hosting company. This is our reality, in which an attack is cheap, competition is off the charts, and not everyone is scrupulous in their methods of fighting for a place in the sun.

Overload of communication channels to the server (inbound)

This is already a puzzle for those who have read Hacker magazine for more than one day.


Photo from the site of the radio station "Echo of Moscow". We couldn't find anything more visual to represent a DDoS that congests input channels.
To fill a channel with incoming traffic to the point of failure, you need a botnet capable of generating the required volume of traffic. But maybe there is a way to send a little traffic and get a lot?

There is, and not just one. There are many ways to amplify an attack, but one of the most popular right now is the attack through public DNS servers. Experts call this amplification method DNS amplification (in case someone prefers expert terms). Put more simply, imagine an avalanche: a small effort is enough to set it off, and inhuman resources are needed to stop it.

You and I know that a public DNS server, on request, tells anyone who asks about any domain name. For example, we ask such a server: tell me about the sprinthost.ru domain. And it, without hesitation, dumps everything it knows on us.

Querying a DNS server is a very simple operation. Contacting it costs almost nothing; the request is microscopic. For example, like this:

All that remains is to choose a domain name whose information makes up an impressive data package. So the original 35 bytes, with a slight movement of the hand, turn into almost 3700. That is an increase of more than 10 times.

But how do you make the answer go to the right IP? How do you spoof the source IP of the request so that the DNS server sends its responses toward the victim, who never requested any data?

The fact is that DNS servers operate over the UDP protocol, which does not require any confirmation of the request's source at all. Under these conditions, forging the source IP is no great difficulty for the attacker. This is why this type of attack is so popular now.

Most importantly, a very small botnet is enough to carry out such an attack. Plus a few scattered public DNS servers, which see nothing strange in different users occasionally requesting data about the same host. And only afterwards does all this traffic merge into one stream and hammer one "pipe" tight.

What the DDoS'er cannot know is the channel capacity of the target. And if he misjudges the power of his attack and does not clog the channel to the server 100% at once, the attack can be repulsed quickly and easily. Using utilities like tcpdump it is easy to find out that the incoming traffic comes from DNS, and to deny it at the firewall level. This option, refusing to accept traffic from DNS, involves a certain inconvenience for everyone, but both the servers and the sites on them continue to work successfully.
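How the inbound reflected traffic can be recognised from a capture, as an added Python example (not the author's code or any tool's output); the tcpdump-style line layout, the addresses and the thresholds are constructed, and the iptables rule is the blunt option the paragraph above describes:

```python
import re
from collections import defaultdict

# tcpdump-style UDP summary lines (constructed for this example), e.g.
#   15:02:10.000001 IP 203.0.113.10.40001 > 192.0.2.1.53: 1+ A? example.net. (35)
#   15:02:11.000003 IP 192.0.2.101.53 > 203.0.113.10.50003: 31337 20/0/0 TXT (3698)
PKT_RE = re.compile(
    r'^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): '
    r'.*\((?P<len>\d+)\)$'
)


def amplification_factor(query_bytes, response_bytes):
    """Bytes that reach the victim per byte the attacker sends: 35 -> 3700 is ~105x."""
    return response_bytes / query_bytes


def analyze_dns_traffic(lines, min_resolvers=3, min_unsolicited_bytes=10_000):
    """Flag hosts receiving DNS answers (UDP source port 53) that no query from
    that host explains. In a reflection attack the victim never asked, so the
    answers arrive from many resolvers on ports it never used for a lookup.
    Returns {host: {"unsolicited_bytes": int, "resolvers": [ip, ...]}}."""
    seen_queries = set()  # (client_ip, client_port, resolver_ip)
    stats = defaultdict(lambda: {"unsolicited_bytes": 0, "resolvers": set()})
    for line in lines:                      # capture order: queries precede answers
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport, size = m["dst"], int(m["dport"]), int(m["len"])
        if dport == 53:                     # outbound lookup from src
            seen_queries.add((src, sport, dst))
        elif sport == 53:                   # inbound answer to dst
            if (dst, dport, src) in seen_queries:
                continue                    # genuine answer to a lookup we saw
            stats[dst]["unsolicited_bytes"] += size
            stats[dst]["resolvers"].add(src)
    return {
        host: {"unsolicited_bytes": s["unsolicited_bytes"], "resolvers": sorted(s["resolvers"])}
        for host, s in stats.items()
        if s["unsolicited_bytes"] >= min_unsolicited_bytes and len(s["resolvers"]) >= min_resolvers
    }


def emergency_firewall_rule(victim_ip):
    """The last-resort option the text describes: refuse all UDP from source port 53
    to the victim (iptables syntax). It also breaks the victim's own DNS lookups,
    which is the 'certain inconvenience' mentioned above."""
    return f"iptables -I INPUT -p udp --sport 53 -d {victim_ip} -j DROP"


def build_sample_capture():
    """Constructed capture: 203.0.113.10 makes one real lookup and gets a 60-byte
    answer, then eight open resolvers (192.0.2.101-108) each deliver ten 3698-byte
    answers it never requested."""
    client, resolver = "203.0.113.10", "192.0.2.1"
    lines = [
        f"15:02:10.000001 IP {client}.40001 > {resolver}.53: 1+ A? example.net. (35)",
        f"15:02:10.000200 IP {resolver}.53 > {client}.40001: 1 1/0/0 A 198.51.100.7 (60)",
    ]
    for r in range(8):
        for k in range(10):
            lines.append(f"15:02:11.{r * 10 + k:06d} IP 192.0.2.{101 + r}.53 > "
                         f"{client}.{50000 + k}: 31337 20/0/0 TXT (3698)")
    return lines


if __name__ == "__main__":
    for host, info in analyze_dns_traffic(build_sample_capture()).items():
        print(f"{host}: {info['unsolicited_bytes']} unsolicited DNS bytes "
              f"from {len(info['resolvers'])} resolvers")
        print("  last resort:", emergency_firewall_rule(host))
```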

This is just one of many ways to amplify an attack. There are many other types of attacks; we can talk about them another time. In the meantime, I would like to summarize that all of the above holds for an attack whose power does not exceed the bandwidth of the channel to the server.

If the attack is powerful

If the attack power exceeds the capacity of the channel to the server, the following happens. The Internet channel to the server is instantly clogged, then the channel to the hosting site, then to its Internet provider, then to the upstream provider, and so on upward (in the limit, to the most absurd extent), as far as the attack power allows.

And that's when it becomes a global problem for everyone. In short, this is what we had to deal with on November 20, 2013. And when large-scale shocks occur, it's time to turn on the special magic!


This is roughly what the special magic looks like. With its help, it is possible to identify the server the traffic is aimed at and block its IP at the Internet provider level, so that the provider stops accepting any traffic to this IP through its channels to the outside world (uplinks). For lovers of terms: experts call this procedure "blackholing", from the English blackhole.

In this case, the attacked server, with 500-1500 accounts on it, is left without its IP. A new subnet of IP addresses is allocated for it, over which the client accounts are distributed randomly and evenly. Then the experts wait for the attack to repeat. It almost always does.

And when it repeats, on the attacked IP there are no longer 500-1000 accounts, but a dozen or two.

The circle of suspects narrows. These 10-20 accounts are again distributed across different IP addresses. Once again the engineers lie in ambush, waiting for the attack to repeat. Over and over, the accounts still under suspicion are spread across different IP addresses, and so, gradually closing in, the target of the attack is identified. All other accounts by this point have returned to normal operation on the previous IP.

As is clear, this is not an instant procedure; it takes time to carry out.
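The narrowing-down procedure above, simulated in Python as an added example (not the hoster's own tooling); the account names, the IP labels and the figure of ten IPs per round are assumptions:

```python
import math
import random
from itertools import cycle


def distribute(accounts, ips, rng):
    """Spread the given accounts randomly and evenly over a fresh set of IPs.
    Returns {account: ip}."""
    shuffled = list(accounts)
    rng.shuffle(shuffled)
    return dict(zip(shuffled, cycle(ips)))


def locate_target(accounts, observe_attacked_ip, ips_per_round=10, rng=None, max_rounds=20):
    """Round by round, keep only the accounts that sat on the IP the repeated
    attack hit; everyone else goes back to normal service.

    observe_attacked_ip(placement) stands in for the engineers watching the
    uplinks after the attack repeats: it returns the IP that was hit, or None
    if the attack never came back. Returns (target_or_None, rounds, history),
    where history lists (round, suspects_left, accounts_cleared)."""
    rng = rng or random.Random(0)
    suspects = list(accounts)
    history, rounds = [], 0
    while len(suspects) > 1 and rounds < max_rounds:
        rounds += 1
        # Hypothetical IP labels; a real hoster allocates a new subnet here.
        ips = [f"round{rounds}-ip{i}" for i in range(min(ips_per_round, len(suspects)))]
        placement = distribute(suspects, ips, rng)
        hit = observe_attacked_ip(placement)
        if hit is None:
            return None, rounds, history    # attack did not repeat: nothing to narrow on
        suspects = [a for a, ip in placement.items() if ip == hit]
        history.append((rounds, len(suspects), len(placement) - len(suspects)))
    return (suspects[0] if len(suspects) == 1 else None), rounds, history


def expected_rounds(n_accounts, ips_per_round):
    """Each round divides the suspect set by about ips_per_round, so the number of
    repeats the engineers must wait for grows only logarithmically with the
    number of accounts on the server."""
    rounds, left = 0, n_accounts
    while left > 1:
        left = math.ceil(left / ips_per_round)
        rounds += 1
    return rounds


def simulate(n_accounts=1000, target="acct-0417", ips_per_round=10, seed=1):
    """Run the procedure against a simulated botnet that re-aims at wherever the
    victim account currently lives. Target name and sizes are constructed."""
    accounts = [f"acct-{i:04d}" for i in range(n_accounts)]

    def botnet_follows_victim(placement):
        return placement[target]

    return locate_target(accounts, botnet_follows_victim, ips_per_round, random.Random(seed))


if __name__ == "__main__":
    found, rounds, history = simulate()
    print(f"target {found} identified after {rounds} rounds; "
          f"suspects per round: {[h[1] for h in history]}")
```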

Myth number four: "When there is a massive attack, my hoster has no action plan. He just waits with his eyes closed for the bombing to end, and replies to my letters with boilerplate responses." This is not the case: in the event of an attack, the hosting provider acts according to a plan in order to localize it as quickly as possible and eliminate the consequences. And standard replies allow us to convey the essence of what is happening while saving the resources needed to resolve the emergency as fast as possible.

Is there a light at the end of the tunnel?

Now we see that DDoS activity is constantly increasing. Ordering an attack has become very affordable and obscenely cheap. To avoid accusations of advertising, there will be no proof links. But take our word for it: it is so.

Myth number five: "A DDoS attack is a very expensive affair, and only business tycoons can afford to order one. In extreme cases, it is the intrigue of the secret services!" In fact, such events have become extremely accessible.

Therefore, there is no reason to expect malicious activity to subside on its own. Rather, it will only grow stronger. All that remains is to forge and sharpen our weapons. Which is what we are doing by improving the network infrastructure.

The legal side of the issue

This is a thoroughly unpopular aspect of the discussion of DDoS attacks, since we rarely hear of cases where the perpetrators are caught and punished. However, you should remember: a DDoS attack is a criminal offense. In most countries of the world, including the Russian Federation.

Myth number six: "Now I know enough about DDoS, I'll order a holiday for a competitor, and nothing will happen to me for it!" It is quite possible that something will. And if it does, it won't seem like a little.

In general, we advise no one to engage in the vicious practice of DDoS, so as not to incur the wrath of justice or bend their karma. And we, due to the specifics of our work and a keen research interest, continue to study the problem, stand guard and improve our defenses.

PS: we don't have enough warm words to express all our appreciation, so we simply say "Thanks!" to our patient clients who warmly supported us on the difficult day of November 20, 2013. You have spoken many encouraging words in our support in

On a computer system in order to bring it to failure, that is, to create conditions under which legal (legitimate) users of the system cannot access the resources (servers) the system provides, or such access is hindered. Failure of an "enemy" system can also be a step toward taking over the system (if, in the emergency situation, the software gives out some critical information, for example a version, part of the program code, etc.). But more often it is a means of economic pressure: downtime of a revenue-generating service, the provider's bills and the measures taken to avoid the attack hit the "target" significantly in the pocket.

If an attack is carried out simultaneously from a large number of computers, it is called a DDoS attack (from the English Distributed Denial of Service). In some cases an actual DDoS condition is triggered by an unintended action, for example placing a link on a popular Internet resource to a site hosted on a not very powerful server (the slashdot effect). A large influx of users exceeds the permissible load on the server and, consequently, some of them are denied service.

Types of DoS attacks

There are various reasons for a DoS condition:

  • An error in the program code, leading to access to an unused fragment of the address space, execution of an invalid instruction, or another unhandled exception that causes the server program to terminate abnormally. A classic example is dereferencing a null address.
  • Insufficient validation of user data, leading to an infinite or very long loop, prolonged consumption of processor resources (up to their exhaustion), or allocation of a large amount of RAM (up to the exhaustion of available memory).
  • Flood (from the English flood, "overflow"): an attack involving a large number of usually meaningless or incorrectly formatted requests to a computer system or network equipment, aimed at or leading to system failure through exhaustion of system resources: processor, memory or communication channels.
  • Type II attack: an attack that seeks to trigger a false positive in the protection system and thereby make a resource unavailable.

If the attack (usually a flood) is carried out simultaneously from a large number of IP addresses, from several computers dispersed across the network, it is called a distributed denial of service attack (DDoS).

Exploiting errors

An exploit is a program, a piece of software code, or a sequence of commands that takes advantage of vulnerabilities in software and is used to carry out an attack on a computer system. Of the exploits leading to a DoS condition, but unsuitable, for example, for taking control of an "enemy" system, the best known are WinNuke and Ping of Death.

Flood

For a flood as a violation of netiquette, see Flood.

Flood is the name for a huge stream of meaningless requests from different computers, intended to occupy the "enemy" system (processor, RAM or communication channel) with work and thus temporarily disable it. The concept of a "DDoS attack" is practically equivalent to that of a "flood", and in everyday speech the two are often interchangeable ("flood the server" = "DDoS the server").

To create a flood, both ordinary network utilities like ping (the Internet community "Upyachka", for example, is known for this) and special programs can be used. DDoS capabilities are often built into botnets. If a cross-site scripting vulnerability or the ability to include images from other resources is found on a high-traffic site, that site can also be used for a DDoS attack.

Communication channel and TCP subsystem flooding

Any computer that communicates with the outside world via TCP/IP is subject to the following types of flooding:

  • SYN flood: in this type of flood attack, a large number of TCP SYN packets (requests to open a connection) are sent to the target. After a short time, the number of sockets available for opening (software network sockets, ports) on the attacked computer is exhausted and the server stops responding.
  • UDP flood: this type of flood attacks not the target computer but its communication channel. ISPs reasonably assume that UDP packets need to be delivered first and TCP can wait. A large number of UDP packets of various sizes clog the communication channel, and the server running over TCP stops responding.
  • ICMP flood: the same, but using ICMP packets.

Application-level flood

Many services are designed so that a small request can cause a large consumption of computing power on the server. In this case it is not the communication channel or the TCP subsystem that is attacked, but the service itself, by a flood of such "sick" requests. For example, web servers are vulnerable to HTTP flooding: a simple GET / or a complex database query like GET /index.php?search=<random string> can be used to disable a web server.

DoS attack detection

It is believed that special tools are not required to detect DoS attacks, since the fact of a DoS attack cannot be overlooked. In many cases this is true. However, successful DoS attacks have quite often been observed that the victims noticed only after 2-3 days. It has happened that the negative consequences of an attack (flood attacks) amounted to unnecessary expenses for excess Internet traffic, discovered only on receiving the bill from the Internet provider. In addition, many intrusion detection methods are ineffective near the target but effective on network backbones. In that case it is advisable to install the detection systems exactly there, rather than wait for the attacked user to notice and ask for help. Finally, to counter DoS attacks effectively you need to know the type, nature and other characteristics of the attack, and detection systems let you obtain this information quickly.

DoS attack detection methods can be divided into several large groups:

  • signature-based: based on qualitative traffic analysis.
  • statistical: based on quantitative traffic analysis.
  • hybrid (combined): combining the advantages of both methods above.

DoS protection

Countermeasures against DoS attacks can be divided into passive and active, as well as preventive and reactive.

Below is a short list of the basic methods.

  • Prevention. Removing the reasons that prompt certain persons to organize and carry out DoS attacks. (Very often cyberattacks are the result of personal grievances; political, religious and other disagreements; provocative behavior by the victim, etc.)
  • Filtering and blackholing. Blocking traffic from attacking machines. The effectiveness of these methods decreases the closer you get to the target of the attack and increases the closer you get to the attacking machine.
  • Reverse DDoS: redirecting the traffic used for the attack back to the attacker.
  • Elimination of vulnerabilities. Does not work against flood attacks, for which the "vulnerability" is the finiteness of certain system resources.
  • Building up resources. Naturally, it does not provide absolute protection, but it is a good foundation for applying other types of DoS protection.
  • Dispersal. Building distributed and redundant systems that will not stop serving users even if some of their elements become unavailable due to a DoS attack.
  • Evasion. Moving the immediate target of the attack (domain name or IP address) away from other resources, which are often affected along with the direct target.
  • Proactive response. Acting on the sources, organizer or control center of the attack, by both technical and organizational-legal means.
  • Use of equipment for repelling DoS attacks. For example DefensePro® (Radware), Perimeter (MFI Soft), Arbor Peakflow® and products from other manufacturers.
  • Purchasing a DoS protection service. Relevant if the flood exceeds the bandwidth of the network channel.


A DDoS attack (Distributed Denial of Service attack) is a set of actions that can completely or partially disable an Internet resource. Almost any Internet resource, such as a website, game server or government resource, can be a victim. At the moment it is almost impossible for a hacker to organize a DDoS attack single-handedly. In most cases the attacker uses a network of computers infected with a virus. The virus gives the necessary and sufficient remote access to the infected computer. A network of such computers is called a botnet. Typically botnets have a coordinating server. Having decided to launch an attack, the attacker sends a command to the coordinating server, which in turn signals all the bots to start making malicious network requests.

Reasons for DDoS attacks

  • Personal animosity

This reason is quite common. Some time ago, independent investigative journalist Brian Krebs exposed the activities of the largest service for carrying out DDoS attacks to order, vDOS. The information was presented in full detail, which led to the arrest of the service's organizers. In response, hackers launched an attack on the journalist's blog whose power reached 1 Tbit/s. This attack became the most powerful in the world in all the years up to then.

  • Entertainment

Nowadays it is becoming easier to organize a primitive DDoS attack on your own. Such an attack is highly imperfect and not anonymous. Unfortunately, most of those who decide to feel like a "hacker" know about neither the first nor the second. Nevertheless, many schoolchildren frequently practice DDoS attacks. The outcomes of such cases are very diverse.

  • Political protest (hacktivism)

One of the first attacks with a social basis was the DDoS attack carried out in 1996 by the hacker Omega. Omega was a member of the Cult of the Dead Cow (cDc) hacker coalition. The term "hacktivism" became popular in the media due to the increased frequency of cyberattacks with a social basis. Typical hacktivists are the Anonymous and LulzSec groups.

  • Unfair competition

Such motives are common in the game server industry, but in the retail industry such cases are quite frequent as well. A sufficiently effective method of unfair competition can ruin the reputation of a trading platform if its owners do not turn to specialists for help in time. This motive stands out from the rest as the most common one.

  • Extortion or blackmail

In this case, the attacker demands a sum of money from the potential victim in exchange for not carrying out the attack, or for stopping it. Large organizations often become victims of such attacks; for example, during 2014, Tinkoff bank, the IT resource Habrahabr and the largest torrent tracker Rutracker.org were attacked (how did that go?).

Consequences of DDoS attacks

The consequences of DDoS attacks can be very diverse, from the shutdown of your server by the data center to the complete loss of the resource's reputation and client traffic. Many organizations, in order to save money, unknowingly choose unscrupulous security providers, which often brings no benefit at all. To avoid such problems, we recommend contacting professionals in your industry.

Attacks that have gone down in Internet history

Technological progress is advancing by leaps and bounds, and attackers in turn make every effort not to stand still and to implement ever more complex and powerful attacks. We have compiled a brief description of the most interesting cases that have gone down in the history of DDoS attacks. Some of them may seem ordinary by modern standards, but at the time they occurred these were very large-scale attacks.

Ping of Death. A method of attack based on the ping command. This attack gained popularity in the 1990s due to imperfect network equipment. The essence of the attack is to send one ping request to a network node in which the packet body contains not the standard 64 bytes of data but 65535 bytes. Upon receipt of such a packet, the equipment's network stack overflowed and caused a denial of service.

An attack affecting the stability of the Internet. In 2013, Spamhaus fell victim to a 280 Gbps attack. The most interesting thing is that the hackers used DNS servers on the Internet for the attack, which in turn were heavily loaded by the large number of requests. That day, millions of users complained of slow page loading due to the congestion of the service.

Record attack with traffic over 1 Tbps. In 2016, hackers tried to attack us with a packet attack at 360 Mpps and 1 Tbps. This figure became a record for the entire existence of the Internet. But even under such an attack we held out, and the load only slightly reduced the free resources of the network equipment.

Characteristics of attacks today

Excluding peak attacks, we can say that the power of attacks grows more than 3-4 times every year. The geography of attackers changes only partially from year to year, because it is determined by the maximum number of computers in a given country. As can be seen from the 2016 quarterly report prepared by our specialists, Russia, the USA and China are the record-holding countries by number of bots.

What kinds of DDoS attacks are there?

At the moment, the types of attacks can be divided into 3 classes:

    Channel overflow attacks

This type of attack includes, and;

    Attacks that exploit vulnerabilities in the network protocol stack

The most popular and interesting attacks of this type are, / attack,

Why choose us? Our equipment is located in key data centers around the world and is capable of repelling attacks of up to 300 Gbps or 360 million packets per second. We also have a content delivery network () and a staff of engineers on duty in case of a non-standard attack or emergency. Therefore, once under our protection, you can be sure your resource is available 24/7. We are trusted by REG.RU, Argumenty i Fakty, WebMoney, the Russian radio holding GPM and other corporations.

You can implement protection yourself against only a small number of attacks, using traffic analysis or configuring routing rules. Methods of protection against some attacks are given in.

You don't need to order a DDoS attack. Pay the hackers and think about the panic of your competitors: first from the director's chair, and then from a prison bunk.

We explain why turning to hackers is the last thing an honest entrepreneur should do, and what it threatens him with.

How to carry out a DDoS attack: even a schoolboy knows

Today, tools for organizing DDoS attacks are available to everyone. The entry threshold for novice hackers is low. As a result, the share of short but strong attacks on Russian sites has increased. It looks like hacker groups are simply practicing their skills.

An illustrative case. In 2014 the educational portal of the Republic of Tatarstan was subjected to DDoS attacks. At first glance there is no point in attacking it: it is not a commercial organization and there is nothing to demand from it. The portal provides grades, class schedules and so on. Nothing more. Kaspersky Lab experts found the Vkontakte group where students and schoolchildren of Tatarstan discussed how to carry out a DDoS attack.

A community of young fighters against the system in the Republic of Tatarstan

Related searches for "how to carry out a DDoS attack on Tatarstan" led cybersecurity experts to an interesting announcement. The perpetrators were quickly found and had to pay damages.

They used to tear pages out of their school diaries, but now they hack sites

Because DDoS attacks are so simple, they are taken up by beginners with no moral principles and no understanding of their capabilities. They may also resell customer data. The rejuvenation of DDoS attackers is a global trend.

In spring 2017 a British student received a prison term. When he was 16 years old, he created the DDoS attack program Titanium Stresser. The Briton earned 400 thousand pounds sterling (29 million rubles) from its sale. With the help of this DDoS program, 2 million attacks were carried out on 650 thousand users around the world.

The teenagers turned out to be members of the large DDoS groups Lizard Squad and PoodleCorp. The young Americans invented their own DDoS programs, but used them to attack game servers in order to gain advantages in online games. That is how they were found.

Whether to trust the reputation of the company to yesterday's schoolchildren, everyone decides for himself.

Punishment for DDoS programs in Russia

Entrepreneurs who do not want to compete by the rules take an interest in how to launch a DDoS attack. The officers of Department "K" of the Ministry of Internal Affairs of Russia take an interest in them, and they catch the perpetrators.

Russian law provides for punishment for cybercrimes. Based on established practice, the participants in a DDoS attack can fall under the following articles.

Customers. Their actions usually fall under the article on illegal access to legally protected computer information.

Punishment: imprisonment for up to seven years or a fine of up to 500 thousand rubles.

Example. An employee of the technical information protection department of the Kurgan city administration was convicted under this article. He developed a multifunctional program called Meta and used it to collect personal data on 1.3 million residents of the region, which he then sold to banks and collection agencies. The hacker received two years in prison.

Performers. As a rule, they are punished under Article 273 of the Criminal Code of the Russian Federation: creation, use and distribution of malicious computer programs.

Punishment: deprivation of liberty for up to seven years with a fine of up to 200 thousand rubles.

Example. A 19-year-old student from Togliatti received a 2.5-year suspended sentence and a fine of 12 million rubles. Using programs for DDoS attacks, he tried to bring down the information resources and websites of banks. After the attack the student extorted money from them.

Careless users. Failure to comply with security rules when storing data is punishable under Article 274 of the Criminal Code of the Russian Federation: violation of the rules for operating the storage, processing or transmission of computer information and of information and telecommunication networks.

Punishment: imprisonment for up to five years or a fine of up to 500 thousand rubles.

Example. If money was stolen in any way in the course of accessing the information, the charge is reclassified as fraud in the field of computer information. That is how the Ural hackers who gained access to banks' servers got two years in a penal colony.

Attacks on the media. If DDoS attacks are aimed at violating journalists' rights, the actions fall under the article on obstruction of the lawful professional activity of a journalist.

Punishment: imprisonment for up to six years or a fine of up to 800 thousand rubles.

Example. Charges under this article are often reclassified into heavier ones. Those who attacked Novaya Gazeta, Ekho Moskvy and Bolshoi Gorod certainly knew how to launch a DDoS attack. Regional publications also fall victim to hackers.

In Russia the punishment for using DDoS programs is severe, and anonymity will not save you from Department "K".

Programs for DDoS attacks

According to experts, 2,000 bots are enough to attack an average site. The cost of a DDoS attack starts at $20 (1,100 rubles); the number of attacking channels and the duration are negotiated individually. Extortion also occurs.

A competent hacker will probe the target before the real attack, which he calls a penetration test; the military would call it "reconnaissance in force". The essence of this "pentest" is a small, controlled attack to find out how much protection the site has and how it reacts. Note that this has nothing in common with a legitimate penetration test, which is performed with the owner's consent.

Interesting fact. Many people know how to launch a DDoS attack, but a hacker's strength is determined by the botnet. Criminals often steal the access credentials to each other's "armies" and then resell them. A well-known trick is to knock over a Wi-Fi router so that it forcibly reboots and falls back to factory settings, in which the password is the default one. The attackers then gain access to all of the organization's traffic.

The latest hacker trend is compromising smart devices to install cryptocurrency miners on them. These actions can be qualified under the clause on the use of malware (Article 273 of the Criminal Code of the Russian Federation). This is how FSB officers came to detain the system administrator of the Mission Control Center, who had installed miners on work equipment and enriched himself. The attacker was traced by spikes in power consumption.

The hackers will DDoS the competitor, and then they may gain access to its computing power and mine a bitcoin or two. That income, however, will never reach the customer.

Risks of ordering a DDoS attack

Let's summarize by weighing the advantages and disadvantages of ordering DDoS attacks on competitors.

If competitors are a nuisance to the business, hackers will not help; they will only make things worse. The Digital Sharks agency deals with unwanted information by legal means.