Nowadays, the term DDoS probably raises the heart rate of most webmasters. Though many don’t know exactly what a DDoS attack is, they do know the effect: an extremely sluggish or shut-down website.
In this article, we’ll focus on how to know if you’ve been DDoSed, how to spot a DDoS attack, and how to protect your website in the future.
Hopefully, we can help you handle DDoS attacks without having a full blown meltdown.
What is a DDoS Attack?
DDoS stands for Distributed Denial of Service. Like the name implies, a DDoS attack focuses on damaging a service such as:
- a website
- an internet service provider (ISP)
- the Nasdaq Stock Market
- a NASA probe
- a game server
Practically anything connected to the internet is a potential target.
The same goes for the source of DDoS attacks: Common culprits include hacked web servers and “internet of things” devices like smart appliances, routers, and even CCTV cameras.
Causes can be accidental or intentional. But a large criminal industry has grown around offering DDoS attacks as a service. There’s a market for attacks on sites, including competitors looking to tarnish others’ reputations and those denying online presence for political reasons.
A DDoS attack simply works like this: An attacker uses a number of machines across the internet (or what’s called a “botnet”). Those machines send a high volume of fake traffic to the target site, all in an attempt to overload server resources and bring the site down.
There are many types and sizes of DDoS attacks and they can be devastating regardless of their size. Even an attack from a single system (DoS) can paralyze a site, so consider the ruthless efficiency of a multi-system attack through DDoS. A powerful DDoS can be as tiny as one request per second, and it can still have devastating effects on a website.
Some services are specifically targeted. Interestingly though, the process is largely automated, and most sites affected are randomly selected. Of course, this doesn’t matter if you’re a target. Regardless of the reason, the results can be detrimental, especially for an ecommerce website.
If you want to know more about the types of DDoS attacks, read our guide on what a DDoS attack is.
What Are the Signs of a DDoS Attack?
There are two key indications that you might be facing a DDoS attack:
- When the website is unavailable
- When it takes a long time to access the website
If you’re seeing these website latency issues unexpectedly, it’s time to investigate.
Legitimate Traffic or a DDoS Attack?
Since a DDoS attack generates lots of traffic toward your site, it creates a tricky predicament. How can you tell if your site is just suddenly doing really well (traffic-wise) or if you are currently experiencing a DDoS attack?
If a site goes down due to a spike in legitimate traffic, then the time frame would generally only be for a short while until you’re back up and running again. Sustained spikes in traffic are rarely random, and you’d likely be able to identify reasons for it in legitimate cases. Say, a major advertising campaign or a piece of viral content.
But more subtle attacks aren’t as simple to discern. Let’s say an online retailer with blackhat-hacking skills wants to keep people away from a competitor’s website without them being aware of it. The hacker can DDoS the competitor’s website a few times a day – potentially at random periods throughout the day just to make the competitor’s customers upset with how slow the website is. If the hacker’s server threw 500 hits per day (nothing out of the ordinary), the site wouldn’t be down for more than a few seconds, in intervals. Even mild DDoS attacks like this one hurt the victim’s business and reputation.
Generally, the best way to examine a potential DDoS attack is through analytic tools. Check to see if a specific traffic source continues to query a certain set of data long after the Time To Live (TTL) for the site has elapsed. (This is the time frame that you set for your site to discard held data and free up resources.) If that’s the case, you’re likely looking at a DDoS attack, since legitimate traffic won’t behave in this way.
How to Tell if You Are Being DDoSed
Some pretty obvious signs of a DDoS attack include:
- Problems accessing your website.
- Files load slowly or not at all.
- Slow or unresponsive servers, including “too many connections” error notices.
- Odd traffic patterns like spikes every 5-10 minutes, or spikes at unusual times of the day.
- A flood of traffic coming from a single device type, geolocation, or web browser version.
More specific signs of DDoS will vary depending on the type of attack.
DDoS Attack Live Example
To give you an idea of what a DDoS attack looks like, we developed this live example of a website getting DDoSed. You can watch how the server resources are depleted and how this disrupts the website’s performance in a matter of minutes.
After watching the video, you’ll be able to better recognize the traits of an attack on your own sites.
How to Defend Against a DDoS Attack
The following steps defend your site against DDoS attacks:
Monitor your website activity.
Track your network activity carefully so you can recognize when anything is amiss. This will help you identify traffic spikes and if a DDoS attack might be occurring.
Improve your website capacity.
Mitigate the effects of any traffic spike by having a high enough capacity to maintain good site performance through it. Hosting solutions with higher levels of processing and memory resources – or ones that can automatically scale – handle load better than lower levels. And a content delivery network (CDN) helps offload some of the weight, too.
Use a website security provider.
Many companies reasonably decide that they do not want to deal with the DDoS challenge internally, so they partner with third parties, such as Sucuri.
Use a Web Application Firewall.
As an example, the DDoS mitigation feature of the Sucuri website firewall automatically blocks fake traffic and requests from malicious bots, without interfering with your legitimate traffic. Our cloud-based network can mitigate large network attacks (Layer 3 & 4), and we specialize in handling Layer 7 attacks against web applications.
What Happens as a Result of a DDoS Attack?
The cost of protecting yourself against a DDoS attack is usually much smaller than the financial impact of a DDoS against your site (or any other hacking attempt).
Since these attacks can cause server outages, DDoS attacks can place significant stress on dev or IT resources trying to bring the website back online. Even worse, they can severely disrupt website traffic, user experience, and ultimately the purchase process.
For example, an attack on an e-commerce business during the busy holiday shopping season can impact the entire company’s profitability for the year.
Learn More About How to Protect Your Website After a DDoS Attack
While DDoS attacks may be a common occurrence, it does not mean that you need to accept it as a part of your company’s online presence.
Limiting the number of requests your web server accepts over time is one way of mitigating DDoS attacks. Unfortunately, rate limiting is often not sufficient at effectively handling complex DDoS attacks.
On the other hand, using a web application firewall like the Sucuri Firewall can significantly help mitigate a layer 7 DDoS attack. Since the firewall filters traffic between the internet and the origin server, it can act as a reverse proxy and protect the website from malicious traffic.
The Sucuri Web Application Firewall leverages an Anycast distributed network, which scatters traffic across a number of distributed servers. Since this approach is effective at diffusing disruptions and helps large volumes of traffic become more manageable, websites can take advantage of this service to further reduce the impact of a DDoS attack.
When it comes to attacks against your website or livelihood, it is always better to be proactive than reactive.