×
Community Blog How to Protect Your Website From Traffic Flooding Attacks?

How to Protect Your Website From Traffic Flooding Attacks?

In this blog, you will learn to use DDoS service to prevent your business from traffic flooding attacks and handle traffic peak with Elastic Scaling.

One common category of DDoS attack is a SMS flooding attack. An SMS flooding attack occurs when a high volume of cellular SMS messages are sent to saturate and overload the website’s server.

Business is taking off. You are hiring new people, expanding your customer base and you have just bought a new work van to handle the recent spike in orders.

Purchasing the vehicle is a significant investment for your business, including the extra expenditure to brand the vehicle with your company logo.

But all week you’re beaming with delight at the sight of your company’s new vehicle; which doubles as a portable billboard for your company.

However, four days in you wake up to a nasty surprise. Overnight a local graffiti gang has vandalized and tagged the van in three different colors. The news only gets worst when you spot a crude artistic attempt to depict the male genitalia next to your logo. Having just spent a small fortune (from the company’s point of view) to invest in the new vehicle, this was the last thing you needed!

The cyber world is no different when it comes to malicious operators damaging company assets.

Distributed Denial of Service (DDoS) is one particular attack you want to avoid as a law-abiding netizen. DDoS attacks come in various shapes and sizes, and one common category of DDoS attack is a SMS flooding attack. An SMS flooding attack occurs when a high volume of cellular SMS messages are sent to saturate and overload the website’s server.

This leads to slow website server performance, soaring SMS registration verification charges and leaking of customer contact information.

What is a SMS traffic flooding attack?

For many websites, online users must provide their mobile phone number upon registration in order to validate their identity. Normally, users will click a button during the registration process to send a SMS message and a SMS message is sent to verify the user’s mobile phone number. However, if there are no defense policies protecting the SMS interface, attackers can leverage programs to send high frequency requests to the SMS interface.

Harm to website owner

1) SMS verification requests consume website CPU and memory which can lead to poor performance issues.

2) SMS charges soar!

3) Information of registered users can be leaked, and threaten the business’ reputation and customer base. Explanation: Users that later go to login or signup for an account and whose number has been already registered under a flood attack may be asked to verify their account via email. After adding their email contact details to the account, the hacking party then has access to their email details. The hacker can then sell email contact details to your competitors for precision marketing purposes.

SMS flooding can also be used in special circumstances to assist cybercriminal activities, such as account hacking and transferring money out of a compromised account. Flood attacks that generate thousands of SMS messages can be used to prevent the account owner from detecting a SMS notification of the fraudulent behaviour/transaction.

You can refer to Protect Your Website: How to Avoid SMS Traffic Flooding Attacks to follow the Screenshot and get more.

Related Blogs

Handling Traffic Peaks with Elastic Scaling on PolarDB

Alibaba Cloud PolarDB enables enterprises to scale up in minutes during the Double 11 Shopping Festival through the separation of storage and compute resources.

Whenever there's a large event, such as the Double 11 Shopping Festival or during the Spring Festival holiday season, large amounts of computing resources are required to support spikes in user traffic. To ensure smooth and stable operations of all services on Alibaba Cloud, Elastic Compute Service (ECS) servers and ApsaraDB for RDS databases need to cope with these peaks and fluctuations. Achieving this on a traditional cloud architecture is challenging, which is why Alibaba Cloud created PolarDB to provide minute-level elastic scaling for such scenarios.

Separation of Storage and Compute Resources

Perhaps the greatest feature of Alibaba Cloud PolarDB is the separation of storage and compute resources. Specifically, the compute node (DB Engine) and the storage node (DB Store) are on different physical servers. All I/O operations that go to the storage device are network I/O operations. Some may ask about the network latency and performance. When comparing the latency comparison between using PolarFS to write three data block replicas to PolarStore over the network and writing one data block replica to a local SSD, the results are very close.

PolarDB's storage and compute separation architecture reduces storage costs, ensures high data consistency between the master and backup data, and prevents data loss. In addition, it has a huge advantage that it makes "elastic scaling" of the database extremely simple and convenient.

Challenges of Database Elastic Scaling

Elastic scaling is a major feature of the cloud that attracts many people to migrate their IT systems to the cloud. However, elastic scaling of the database has always been an industry pain point. Unlike ECS instances that purely provide computing services, database elastic scaling has the following difficulties:

  1. First, difficult horizontal expansion. Databases are usually the core of business systems. Data must flow and be shared to create value. When the scale is not too large, databases are generally subject to centralized deployment for the convenience of use. For example, we can use a single SQL statement to complete a query across multiple business databases. Therefore, it is almost impossible to achieve linear scaling by horizontally increasing the number of database servers.
  2. Second, the zero down time requirements. The core position of the database means that if it fails, the entire business will be paralyzed. Therefore, the database must be highly available and be protected from any hardware failures to ensure uninterrupted business. Implementing elastic scaling while ensuring high availability is like changing the engine of a flying plane. As you can imagine, it is not easy.
  3. In addition, data is "heavy". The essential task of a database is to store data, but data is eventually stored in a storage device. When you find that the I/O performance of your storage device is insufficient, upgrading the storage device is never an easy task. If data storage and compute are on the same physical server, the CPU core number and clock speed of the physical server determine the upper limit of its computing power, which makes is difficult to scale up.

Now, when the bottleneck is gone as a result of storage and compute separation, we can finally make new progress in the field of database elastic scaling by combining the architecture design of multiple nodes sharing the same data.

How to Install Concourse CI on an ECS Instance and Encrypt All Traffic

This tutorials covers how to install Concourse CI on an ECS instance installed with Ubuntu 16.04 and how to secure all traffic with SSL encryption.

Concourse CI is a modern, flexible continuous integration platform that allows developers to merge modified code into a shared repository multiple times. After each merge, automatic builds and tests are performed to detect problems in the code that helps the developers to find and resolve the errors quickly.

In this tutorial, we will learn how to install and encrypt Concourse CI on an Alibaba Cloud Elastic Compute Service (ECS) instance installed with Ubuntu 16.04.

Requirements

  1. A newly created ECS instance installed with Ubuntu 16.04.
  2. The static IP address 192.168.43.193 is set up for your instance.
  3. A root password is set up for your instance.

Procedure

To install and secure Concourse CI on an ECS instance, complete all of the following steps:

Launch Alibaba Cloud ECS Instance

First, log on to the Alibaba Cloud ECS Console. Then, create a new ECS instance, choose Ubuntu 16.04 as the operating system and make sure it is with at least 2GB RAM. Next, connect to your ECS instance and log on as the root user.

After you log on to your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

Install and Configure PostgreSQL

Concourse uses PostgreSQL to store its pipeline data. So you will need to install PostgreSQL server to your system. You can install it by using the following command:

japt-get install postgresql postgresql-contrib -y

Traffic Management with Istio (5): Deploy Custom Gateway and Manage Its Certificates with cert-manager

This article discusses how to use cert-manager to deploy Istio custom ingress gateway and manage certificates.

Istio Gateway supports multiple custom ingress gateways. It opens a series of ports to host incoming connections at the edge of the grid, and can use different load balancers to isolate different ingress traffic flows. cert-manager can be used to obtain certificates by using any signature key pair stored in the Kubernetes Secret resource. This article provides instructions on the steps for manually creating a custom ingress gateway and how to use cert-manager to automatically configure certificates in the gateway.

Generate a Signature Key Pair

CA Issuer does not automatically create and manage signature key pairs. The key pairs are either provided by the user or a new signature key pair for a self-signed CA is generated by a tool, such as OpenSSL. For example, you can generate keys and certificates of type x509 by using the following command:

j# Generate a CA private key
$ docker run -it -v $(pwd):/export frapsoft/openssl genrsa -out /export/ca.key 2048
# Create a self signed Certificate, valid for 10yrs with the 'signing' option set
$ docker run -it -v $(pwd):/export frapsoft/openssl req -x509 -new -nodes -key /export/ca.key -subj "/CN=${COMMON_NAME}" -days 3650 -reqexts v3_req -extensions v3_ca -out /export/ca.crt

These commands will output two files, which are the key and certificate of the ca.key and ca.crt signature key pair. If you already have your own key pair, you should name the private key and the certificate 'ca.key' and 'ca.crt' respectively.

Save the Signature Key Pair as a Secret

We are going to create an Issuer that will use this key pair to generate signed certificates. To allow the Issuer to reference our key pair, we will store it in a Kubernetes Secret resource.

Issuers are namespace resources, so they can only reference secrets in their own namespaces. Therefore, we put the key pair into the same namespace as the Issuer. Of course, we could also create a ClusterIssuer, a cluster-scoped version of an Issuer.

The following command will create a Secret that contains a signature key pair in the default namespace:

jkubectl create secret tls ca-key-pair \
   --cert=ca.crt \
   --key=ca.key \
   --namespace=default

Related Courses

Handle Large Traffic with Load Balancer

Increased traffic, often results in a delayed response from web servers or even a halt in service. Load balancing lies in "sharing." When massive traffic is detected, the traffic is distributed to multiple servers to improve the external service capability of the website and avoid the impact of a single point failure. In this online course, we teach the basics of load balancing, principles and scenarios, and master cloud platform load balancing features and usage.

Alibaba Cloud Network Solution

This course aims to help Alibaba Cloud users quickly understand Alibaba Cloud network products, so as to have the ability to select Alibaba Cloud Network services according to scenarios, to enable individual users or enterprise users to quickly understand cloud network technology.

Related Market Products

Handle Large Traffic with Load Balancer

Learn to use Alibaba Cloud's SLB to help your website to handle large bursts of traffic.

Oceanblue Cloud SD-WAN EdgeConnector V100

OBC SD-WAN (SDWAN) solutions makes a fast and easy way to construct a global private network and accelerates various SaaS applications. Customers are able to enjoy ultra-high speed, high quality data transmission service through the internet , MPLS or VPN.

Related Documentation

Why is the actual billed network traffic different from the network traffic reported by the logging feature?

Question

Why is the actual billed network traffic different from the network traffic reported by the logging feature?

Answer

The network traffic reported by the logging feature reflects only the network traffic generated at the application layer. The network traffic that occurs at the network layer is 7% to 15% more than the reported network traffic. The extra network traffic may occur because of the following reasons:

  1. TCP/IP packet headers
    HTTP requests are transmitted based on a TCP/IP stack. The maximum transmission unit (MTU) over the Internet is 1,500 bytes, of which the headers inserted by the TCP and IP protocols occupy 40 bytes. The headers are inserted into each packet by the system kernel based on the underlying protocols in the TCP/IP stack. The size of the headers is not captured at the application layer, and is not reflected in the logging feature. This leads to an estimated 3% of outbound data that is untracked. This estimate is based on the following calculation: 40/(1,500 - 40) = 2.74%.
  2. TCP retransmission
    Depending on the physical network conditions of the Internet, about 3% to 10% of packets may be lost during transmission. The corresponding servers resend the packets that have been discarded during transmission over the Internet. The system kernel and the underlying protocols in the TCP/IP protocol stack process the retransmission and consume some network traffic. This consumption is excluded from the statistics collected at the application layer. The proportion between the network traffic for retransmission and the log statistics result varies, depending on the network conditions. For example, the proportion is lower at off-peak hours in the morning than that at peak hours in the evening. In most cases, the proportion is from 3% to 7%.

Therefore, as an industry standard practice, an excess of 7% to 15% of the consumed network traffic is added to the total billable items. An average proportion of 10% is used for Alibaba Cloud Content Delivery Network (CDN).

How to charge for traffic

How to charge for traffic

  1. A pay-by-traffic data plan offers a monthly data transfer. Traffic included in the traffic package is free of charge. Traffic that exceeds the traffic package is charged based on the amount that you use.
  2. Only outbound traffic is counted as used traffic, and this includes monthly traffic package and the traffic that exceeds the quota of the traffic package. Inbound traffic is not counted.
  3. In the same Virtual Private Cloud (VPC) network, traffic between Simple Application Server instances is free of charge. You are charged for the Internet traffic between Simple Application Server instances and other Alibaba Cloud services.

Traffic packages

Simple Application Server offers free monthly traffic packages. A traffic package is dedicated to a single instance. In most cases, the quota of a traffic package can meet data transmission requirements. A traffic package is reset on the first day of each month. After the traffic package is reset, the amount of used traffic will start from zero.

Note: Notifications will be sent to customers when the amount of traffic used in a package exceeds 50%, 80%, and 95%.

How to charge for traffic after a traffic package is depleted

After a monthly traffic package is used up, the billing method is changed to pay-by-traffic. The charge incurred will be deducted from your account balance.Note: We recommend that you keep a sufficient balance in your account to ensure business continuity after a traffic package is depleted.

Related Products

Server Load Balancer

Alibaba Cloud Server Load Balancer (SLB) distributes traffic among multiple instances to improve the service capabilities of your applications. You can use SLB to prevent single point of failures (SPOFs) and improve the availability and the fault tolerance capability of your applications.

CDN

A scalable and high-performance content delivery service for accelerated distribution of content to users across the globe

0 0 0
Share on

Alibaba Clouder

2,599 posts | 762 followers

You may also like

Comments