Feliz Applications

How to Defend Against Hackers and DDOS Attacks

In the last couple of days another series of large scale distributed denial of service (DDOS) attacks has hit the internet (see the Wordfence Blog and ITNews, Australia). It is again the old arms race: as defense mechanisms get more and more sophisticated, the attackers get smarter, too. The last big DDOS attack, against the spam blocker Spamhaus, produced traffic of 300 Gigabit per second. That’s 12,000 high speed (25Mbps) home internet connections, all downloading at full throttle. The new attack averaged 350Gbps with peaks at 400Gbps.

What is a distributed denial of service attack?

During a DDOS attack websites and other internet services are bombarded with traffic in order to shut the service down or to gain privileged access. There is a small problem, though: in order to create this massive traffic you need the help of other computers. You can often force other computers to do just that by sending them requests with fake sender addresses or massive reply-to lists. The Domain Name Service (DNS) used to be the weak spot for this, but the newest attack uses NTP, the protocol used to keep clocks in sync around the world.
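The mechanism described above can be spotted from the reflector's side: a server that sends a peer far more bytes than that peer ever sent it is being abused against a forged address. The following check is an added example, not code from the original post; it runs over constructed flow records, and the server address, peer addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed flow records (not real traffic), one tuple per flow:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
FLOWS = [
    # Legitimate time sync: request and reply are the same small size.
    ("198.51.100.5", 45123, "192.0.2.10", 123, "udp", 1, 76),
    ("192.0.2.10", 123, "198.51.100.5", 45123, "udp", 1, 76),
    # Reflection: small requests arrive carrying the victim's address as
    # the forged source; the server's much larger replies go to the victim.
    ("203.0.113.7", 123, "192.0.2.10", 123, "udp", 1000, 50_000),
    ("192.0.2.10", 123, "203.0.113.7", 123, "udp", 200_000, 96_000_000),
    # Unrelated TCP traffic to the same host, ignored by the check.
    ("198.51.100.9", 51000, "192.0.2.10", 443, "tcp", 20, 3_000),
]


def amplification_ratios(flows, servers, service_port=123):
    """Per (server, peer): bytes the monitored server sent to the peer
    divided by bytes the peer sent to the server. Honest clients sit
    near 1.0; a reflector abused against a spoofed victim sits far above."""
    sent = defaultdict(int)  # (server, peer) -> bytes server -> peer
    recv = defaultdict(int)  # (server, peer) -> bytes peer -> server
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        if src in servers and sport == service_port:
            sent[(src, dst)] += nbytes
        elif dst in servers and dport == service_port:
            recv[(dst, src)] += nbytes
    return {key: (out / recv.get(key, 0) if recv.get(key) else float("inf"), out)
            for key, out in sent.items()}


def suspected_reflection(flows, servers, min_ratio=10.0, min_bytes=1_000_000):
    """Peers that received far more from our server than they asked for.
    Such a peer is the spoofed victim, not the attacker, so blocking it
    fixes nothing; rate-limit or disable the abused query type instead."""
    hits = []
    for (server, peer), (ratio, out) in amplification_ratios(flows, servers).items():
        if ratio >= min_ratio and out >= min_bytes:
            hits.append((server, peer, ratio, out))
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for server, peer, ratio, out in suspected_reflection(FLOWS, {"192.0.2.10"}):
        print(f"{server} -> {peer}: {out} bytes, amplification x{ratio:.0f}")
```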

What can be done?

There’s actually a nice list of actions that can be taken with relatively small effort and at little to no cost.

Cloudflare

CloudFlare was already in the vanguard of the fight to mitigate the Spamhaus attack and is again in the midst of things with the current attack, fighting the good fight. CloudFlare is a content delivery network, which helps you speed up your website, but it also offers a massive security layer. On Feb 8th traffic to the websites I manage increased by a factor of nine, and most of it (88%) was rejected by CloudFlare and never reached the hosting service. Needless to say, I will use CloudFlare on all the sites I manage. They offer a very powerful free plan, but sites using SSL need to sign up for their Pro plan.

Wordfence

Wordfence is a WordPress security plugin. It does a few things very well, and again for free. A paid option is also available.

Some best practices

The list here is long and many such lists can be found on the web. I just want to mention a handful, mostly things that can be done by the user:

  • Strong passwords. See http://xkcd.com/936/. It takes seconds for a computer to guess an 8 character password.
  • Unique passwords for each site. Use a password manager like LastPass if you can’t remember them all.
  • Hide your admin account by renaming it. It creates more guesswork for the attacker.
  • Have only needed plugins installed on your WordPress site. Delete the rest.
  • Keep your installation up-to-date. Update your plugins, themes and WordPress installation as soon as you can. Most updates are security related.

Backups

Regular backups won’t prevent hackers from gaining access to your site, but you’ll need them if your site has been compromised. You may actually need multiple versions: one for each of the last 7 days, and perhaps one for each of the last four weeks. If your site has been compromised, it may take you a while until you notice, and your last good backup may be as old as 4 weeks. Come to think of it, add one more backup for each of the last 6 months.

What’s the golden rule for backups? Learn to restore before you need to. Imagine your site is down and you want it back up asap. That’s a bad time to watch that how-to-restore tutorial.

Conclusion

Security measures can rarely keep a dedicated attacker away. But they need to be in place to slow attackers down and to make an attack costly. As long as it is more expensive for attackers to hack your site than their potential gain, you are safe. But the measures will slow you down as well, since some of them are inconvenient for you, too. Don’t give up security for convenience.

The weakest spot in security is the human. Don’t be too lazy to keep your website up-to-date. (It’s okay to hire me for that task.) And don’t be reckless with your passwords. Make them complex so it takes a lot of time to guess them, and use different ones at each site, so that a password leaked from one site can’t be sold on the internet for use on others.

Image Credit: sxc.hu