What is a DDoS attack?
When an attacker performs a DDoS attack, the victim's server is overwhelmed with requests arriving from many malicious sources at once.
The most common way to perform a DDoS attack is with an automated tool: the attacker only needs to fill in the target address and the number of packets to be sent within a given time frame.
How to trace a DDoS attack?
If you want to trace the attacker, you need access to the logs of an authoritative DNS server. Every request is recorded there, and by parsing the logs you can find out where the packets came from. If that is enough, you should be able to identify who is sending packets to your server and whom you should contact to stop it.
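The log parsing described above, as an added example that is not part of the original article: it reads BIND 9 style query-log lines (the format is an assumption; the sample lines are constructed), counts queries per source address, finds each source's peak per-second rate, and separately flags queries that asked for recursion on names outside the zones the server is assumed to serve, since those are the requests an authoritative server should never be answering. The served-zone list and the sample addresses are placeholders.

```python
"""Summarise a BIND-style query log to find the sources behind a query flood.

Added example, not from the original article. Assumptions: lines follow the
BIND 9 querylog layout shown in SAMPLE_LOG; SAMPLE_LOG itself is constructed;
SERVED_ZONES is a placeholder for the zones your authoritative server hosts.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed BIND 9 query-log layout):
# <date> <time> client @<ptr> <src>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server>)
# The first flag character is '+' when the client set the RD (recursion desired) bit.
SAMPLE_LOG = """\
12-Mar-2024 10:00:01.001 client @0x7f1 198.51.100.7#53120 (example.com): query: example.com IN A -E(0)K (203.0.113.5)
12-Mar-2024 10:00:01.002 client @0x7f1 198.51.100.7#53121 (example.com): query: example.com IN A -E(0)K (203.0.113.5)
12-Mar-2024 10:00:01.003 client @0x7f1 198.51.100.7#53122 (example.com): query: example.com IN A -E(0)K (203.0.113.5)
12-Mar-2024 10:00:01.004 client @0x7f1 192.0.2.44#40001 (www.example.com): query: www.example.com IN AAAA -E(0)K (203.0.113.5)
12-Mar-2024 10:00:01.005 client @0x7f1 198.51.100.7#53123 (example.com): query: example.com IN A -E(0)K (203.0.113.5)
12-Mar-2024 10:00:01.006 client @0x7f1 198.51.100.9#4444 (isc.org): query: isc.org IN A +E(0)K (203.0.113.5)
12-Mar-2024 10:00:02.001 client @0x7f1 198.51.100.7#53124 (example.com): query: example.com IN A -E(0)K (203.0.113.5)
"""

# Placeholder: the zones this authoritative server is assumed to serve.
SERVED_ZONES = ("example.com",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_log(text):
    """Turn raw log text into a list of records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "second": m["ts"].split(".")[0],      # timestamp truncated to whole seconds
            "src": m["src"],
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
            "rd": m["flags"].startswith("+"),     # client asked us to recurse
        })
    return records


def top_sources(records, n=5):
    """The n source addresses that sent the most queries, as (src, count) pairs."""
    return Counter(r["src"] for r in records).most_common(n)


def peak_rate(records):
    """Highest number of queries seen from each source within any single second."""
    per_second = defaultdict(Counter)
    for r in records:
        per_second[r["src"]][r["second"]] += 1
    return {src: max(buckets.values()) for src, buckets in per_second.items()}


def in_served_zone(qname, zones=SERVED_ZONES):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def recursion_attempts(records, zones=SERVED_ZONES):
    """Sources that asked for recursion on names we do not serve.

    On an authoritative-only server these are the queries that would be
    answered only if recursion were (mis)configured as open to anyone.
    """
    counts = Counter(r["src"] for r in records
                     if r["rd"] and not in_served_zone(r["qname"], zones))
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("queries parsed:", len(recs))
    print("top sources:", top_sources(recs))
    print("peak queries/second per source:", peak_rate(recs))
    print("recursion requested for foreign names:", recursion_attempts(recs))
```

Run it against a real query log by replacing `SAMPLE_LOG` with the file contents; the peak per-second figure is usually the more useful signal than the raw total, because a flood shows up as a burst rather than a steady trickle.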
An alternative is a "black box" setup: rent a few cloud servers (which are up all the time), install honeypots on them, put them behind a firewall that admits only UDP flood traffic, and run an authoritative DNS server on the same box.
When the attack starts, all traffic is redirected to the honeypots, and you can see which machines are attacking you and where they come from. However, this method is not always accurate, because attackers often use spoofed IP addresses.
To protect your server from a DDoS attack, use a caching nameserver and make sure that it does not allow recursive queries. When you are under attack, the attacker sends thousands of requests every second from spoofed IPs, which will bring your server down if it cannot answer them fast enough.
If your nameservers allow recursion and run on a vulnerable platform, the attacker can use them to amplify the attack and flood your server with even more requests.
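As an added example (not from the original article), here is what the recursion settings above look like in BIND 9's `named.conf`. The three `options` blocks are alternatives, one per server role, not meant to appear together in one file; the address prefix in the `trusted` ACL is a placeholder.

```conf
// Weak setting: any host on the Internet may send this server recursive
// queries, so it can be pointed at someone else's server to amplify a flood.
options {
    recursion yes;
    allow-recursion { any; };
};

// Authoritative-only server: never recurse. Queries for zones it does not
// hold are refused instead of being resolved and relayed.
options {
    recursion no;
    allow-query { any; };        // the zone data is public by design
};

// Caching resolver for your own network: recurse only for trusted clients.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // placeholder prefix, adjust
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
```

After changing the file, reload the server and confirm from an outside address that a recursive query for a name you do not serve is refused rather than answered.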
By following these simple tips, you can keep your server safe from DDoS attacks and focus on your business without worrying about someone trying to take it down.