DDoS and Null Routing

What is a DDoS attack?

A DDoS attack is a coordinated attack against a website designed to make the website unusable. The name DDoS is an abbreviation of Distributed Denial of Service attack, which describes both what it is trying to do and how it goes about doing it. The attacker utilises many, in some cases very many, different computers around the internet to attack the target system. This gives the distributed part of the name, as the attack is distributed amongst lots of machines.

The Denial of Service part indicates what the attacker is trying to achieve. What they are trying to do is to stop your site from being online and working normally for your users, that is to say they are attempting to deny normal service to legitimate users.

These attacks usually take the form of sending huge numbers of page requests or simply junk data which overwhelm the server's ability to service them. When this happens any legitimate page requests are lost in the attack and your site looks offline to anyone trying to visit it.

What does Memset do if my server is attacked?

The firewalls protecting Memset's internal network from the internet automatically monitor for DDoS attacks and take steps to protect both your server and the other servers on our network. When the firewall detects a large quantity of suspicious data being directed against a server inside our network, our firewalls will automatically block the responsible external IP address. At the same time a Memset engineer will be notified to look into what is happening and get in contact with the server owner to establish what the situation is.

The objective of a DDoS attack is to overwhelm the infrastructure supporting a website. This can be the server itself or, as is more common, the routers connecting the server to the internet. If your server has a 10Mbps connection then a DDoS that is directing 30Mbps of data at your server will saturate the connection and take it offline. In this case the Memset firewall will be able to block the incoming traffic and maintain normal operation of the server.

DDoS attacks are sometimes very much larger than 30Mbps and can often go into the hundreds of Mbps and even into the hundreds of Gbps range. In order to use a firewall to filter out the bad packets, all the data must be accepted and routed as far as the Memset firewalls. If the attack is sufficiently large it has the possibility to completely saturate our primary network connections into our data centres, or to cause so much work for our firewalls that normal networking to all Memset's clients is interrupted as they attempt to filter the junk data. This is not a situation that we can allow to happen.
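The two decisions described above (block the individual sources sending suspicious volumes, and judge whether the aggregate would saturate the target's link) can be illustrated with a small volume-based triage over flow records. The following is an added example written for this article; it is not Memset's firewall code and does not reflect Memset's actual thresholds. The flow records, the 10-second window and the 2Mbps per-source limit are constructed assumptions; the 10Mbps link capacity is the figure used in the article.

```python
from collections import defaultdict

WINDOW_S = 10                       # aggregation window in seconds (assumed)
PER_SOURCE_LIMIT_BPS = 2_000_000    # per-source ceiling, bits/s (assumed); above it the source is blocked
LINK_CAPACITY_BPS = 10_000_000      # the 10Mbps server connection from the article

# Constructed flow records (not real traffic data): (second, src_ip, dst_ip, bytes)
# 198.51.100.7 and 198.51.100.9 play attacking hosts; 192.0.2.44 is a normal visitor.
FLOWS = [
    (0, "198.51.100.7", "203.0.113.10", 12_500_000),
    (1, "192.0.2.44",   "203.0.113.10", 100_000),
    (3, "198.51.100.7", "203.0.113.10", 12_500_000),
    (4, "198.51.100.9", "203.0.113.10", 6_250_000),
    (6, "192.0.2.44",   "203.0.113.10", 150_000),
    (8, "198.51.100.7", "203.0.113.10", 12_500_000),
    (9, "198.51.100.7", "203.0.113.20", 5_000_000),   # different destination, not counted
    (12, "198.51.100.7", "203.0.113.10", 12_500_000),  # outside the window, not counted
]


def bytes_per_source(flows, dst, start, window=WINDOW_S):
    """Sum bytes sent to `dst` by each source within [start, start + window)."""
    totals = defaultdict(int)
    for second, src, d, nbytes in flows:
        if d == dst and start <= second < start + window:
            totals[src] += nbytes
    return dict(totals)


def triage(flows, dst, start, window=WINDOW_S):
    """Decide which sources exceed the per-source limit and whether the
    aggregate offered rate would saturate the target's link if left unfiltered."""
    totals = bytes_per_source(flows, dst, start, window)
    rate = lambda nbytes: nbytes * 8 / window          # bytes per window -> bits per second
    blocked = sorted(src for src, b in totals.items() if rate(b) > PER_SOURCE_LIMIT_BPS)
    aggregate_bps = rate(sum(totals.values()))
    return {
        "blocked_sources": blocked,
        "aggregate_bps": aggregate_bps,
        "link_saturated": aggregate_bps > LINK_CAPACITY_BPS,
    }


if __name__ == "__main__":
    result = triage(FLOWS, "203.0.113.10", start=0)
    print(f"block: {result['blocked_sources']}")
    print(f"offered rate: {result['aggregate_bps'] / 1e6:.1f} Mbps, "
          f"link saturated: {result['link_saturated']}")
```

In the constructed data the two attacking hosts together offer about 35Mbps at a 10Mbps link, so per-source blocking at the firewall is what keeps the server reachable; the same calculation applied to the provider's own upstream capacity is the point at which filtering stops being enough and the IP is null routed instead.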

For these reasons the IP address of a server being attacked in this manner is null routed to protect Memset's network and all the servers hosted on it.

What is null routing and why does Memset do it?

Null routing is a way to make the internet think that an IP address does not have a destination, so any data sent to that IP will not be directed to Memset's network. This works because when data moves between any two machines on the internet every router must know in which direction to send each packet as it receives it. This is achieved by the large network operators broadcasting to their neighbour networks which IP addresses they are responsible for and where packets bound for those IP addresses should end up.

When an IP is null routed it is broadcast as having no destination at Memset's network so any data that is sent to it will never make it as far as our network equipment. In this way the internet infrastructure does not have to route huge amounts of junk data and Memset's network will not be taken offline as a result of a sustained attack.
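The effect of a null route on a router's forwarding decision can be shown with a small longest-prefix-match routing table in which a blackhole entry for a single host overrides the route for the surrounding network. This is an added example, not Memset's configuration; the prefixes, the next-hop names and the table contents are constructed. On Linux the equivalent local action is `ip route add blackhole <prefix>`; between networks it is the more-specific blackhole prefix being announced (or withdrawn) to neighbours, as the paragraph above describes.

```python
import ipaddress

# Constructed routing table: (prefix, next_hop). A next_hop of None is a
# blackhole/null route: packets matching it are dropped, not forwarded.
# The next-hop names are placeholders, not real device names.
BASE_ROUTES = [
    (ipaddress.ip_network("203.0.113.0/24"), "hosting-edge-router"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream-transit"),
]


def lookup(ip, routes):
    """Return the next hop for `ip` using longest-prefix match, or None for a blackhole."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, hop) for net, hop in routes if addr in net]
    if not matches:
        return None                      # no route at all behaves like a blackhole
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


def forward(ip, routes):
    """Describe what a router would do with a packet addressed to `ip`."""
    hop = lookup(ip, routes)
    return "dropped (null route)" if hop is None else f"forwarded to {hop}"


def null_route(routes, ip):
    """Return a new table with a /32 blackhole for `ip`; the more specific
    prefix wins over the /24 it sits in, so only that host is affected."""
    host = ipaddress.ip_network(f"{ip}/32")
    return routes + [(host, None)]


def restore(routes, ip):
    """Return a new table with the /32 blackhole for `ip` withdrawn."""
    host = ipaddress.ip_network(f"{ip}/32")
    return [(net, hop) for net, hop in routes if not (net == host and hop is None)]


if __name__ == "__main__":
    attacked = "203.0.113.10"
    during = null_route(BASE_ROUTES, attacked)
    print(f"{attacked}: {forward(attacked, during)}")        # the attacked host is dropped
    print(f"203.0.113.11: {forward('203.0.113.11', during)}")  # its neighbour is unaffected
    after = restore(during, attacked)
    print(f"{attacked} after restore: {forward(attacked, after)}")
```

Because the /32 blackhole is more specific than the /24 it lives in, only the attacked address is dropped while every other host in the same network keeps its normal route; withdrawing the /32 returns the address to normal forwarding, which is the step taken once the minimum null-route period has passed.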

Can't you just give me a new IP?

Unfortunately this would only work for a few minutes. The attackers would notice the site back online and simply change the destination IP of their attack to the new one.

For this reason you are not allowed to move your site to another IP or server that you may have with Memset.

When will my IP get routed normally again?

When an IP is null routed no data will arrive at Memset's network so we cannot tell when the attack has stopped. For this reason the IP is typically left null routed for a minimum of 24 hours.

Why am I being attacked?

Memset has no way to determine why your server is being attacked. The only information that we have is the quantity of data being directed at your server. It is impossible to deduce the motivation of the attacker from this information.

However, some common reasons for DDoS attacks are extortion, stifling competition and retaliation. Sometimes criminals will DDoS a site in order to demand payment to stop. If this is the case then we suggest that you contact the UK National Cyber Crime Unit here:

http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/national-cyber-crime-unit

We will be happy to work with them once they contact us.

There are also documented cases involving DDoS attacks that have been initiated by unscrupulous site operators against competing sites.

Finally there are adolescents who move in online circles where credibility is gained through hacking servers and taking sites offline. Once a site on your server, especially a CMS site such as Joomla, WordPress, Drupal etc., has been compromised it can be used to hack and attack other sites. When this is done against another hacker's sites, a DDoS attack in retaliation against your server sometimes ensues.

What can I do about this?

The only solution that Memset can offer is to wait until the attack has stopped. Once that has happened we will route your IP again and your site will resume normal operation.

If you need to get your site back online immediately or have suffered multiple attacks then you should consider enlisting the services of a company that specialises in keeping sites online during DDoS attacks, as they have specific and specialised resources available to resist such attacks.

Some providers are listed here:

Last updated 16 September 2015, 12:19 GMT