As a webmaster, keeping your site online during large traffic spikes is what you strive for. But how can you be sure traffic spikes are legitimate? And more importantly, how do you react when they aren’t? The unfortunate reality is DDoS attacks can be a threat for websites big and small. In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future.
So, let’s dive into the warning signs and help you sort out how to stay online — even during a massive DDoSing.
A Distributed Denial-of-Service (DDoS) attack is a cyber assault where regular traffic to a particular server, service, or network is interrupted by a deluge of internet traffic. This onslaught is typically orchestrated using multiple compromised computers or networked resources, including Internet of Things (IoT) devices.
Simply put, think of a DDoS attack as an impromptu, massive traffic jam on a highway that stops regular commuters — in this case, your website visitors — from reaching their desired destination.
There are a number of different types of DDoS attacks. These threats prevent legitimate users from accessing your website by sending bogus requests or more traffic to the server than it can handle.
Here are a few of the most common types of DDoS attacks.
The goal of a volume-based DDoS attack is to overload the website’s bandwidth or cause CPU or IOPS usage issues. If the attacker overloads your resources, the attack has been successful.
Some examples of volume-based DDoS attacks include:
The goal of a protocol-based DDoS attack is to exploit weaknesses in Layer 3 and Layer 4 protocol stacks to consume server or networking hardware resources, resulting in service disruption. If the attacker sends more bandwidth than your network ports can handle or more packets than your server can handle, the attack has been successful.
Some examples of protocol-based DDoS attacks include:
The goal of an application layer attack is to exhaust CPU, memory, or other resources at the web application layer, for example by making the web server run PHP scripts or query the database just to load a single web page.
Some examples of application layer DDoS attacks include:
So let’s position your site against these threats.
The cost of being unprepared to mitigate a DDoS attack is not only lost traffic for an indeterminable amount of time; that downtime can also lead to loss of reputation and sales, which can have the greatest impact on your business.
Here are a few things to understand about DDoS attacks that highlight their impact:
Still have questions about DDoS? Check out this video, which goes into detail about what DDoS attacks are.
It is important to monitor your website traffic for peaks that can indicate DDoS attacks.
Some DDoS attacks are made of huge amounts of traffic. These are called volumetric attacks. Most of the time, they are network-based (layer 3 and layer 4 attacks), but not all DDoS attacks are volumetric. We demonstrated during a free webinar how a live DDoS attack from a single machine targets the website’s search engine to take it down. The traffic can be as low as 1 request per second, as long as it targets a vulnerable endpoint.
It would be great if your website got millions of new visitors in one hour, but wouldn’t it be suspicious?
A dramatic increase in traffic is a red flag for DDoS attacks. We highly recommend you have monitoring tools in place and always check your logs. Have alerts set up in the event you exceed a threshold specific to the number of requests / visitors targeting your site.
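The two warning signs above (a sudden spike in request volume, and a single client quietly hammering one expensive endpoint at a low rate) can both be pulled out of an ordinary access log. The script below is an added example written for this post, not Sucuri's monitoring tooling: it parses Common Log Format lines, counts requests per fixed one-minute window against a threshold, and separately flags any client that accounts for most of the requests to a single path. The log lines, addresses, paths and thresholds are all constructed for the demonstration.

```python
"""Added example (not from the original post): scan web server access logs for
a request burst and for one client concentrating on a single endpoint.
All log data below is constructed sample data."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=x HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed start time for the sample log (not a real incident).
SAMPLE_START = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # group by path, ignore query string
    return {"ip": m.group("ip"), "ts": ts, "path": path, "status": int(m.group("status"))}


def request_bursts(entries, window_seconds=60, threshold=100):
    """Map window start (epoch seconds) -> request count for every fixed window
    whose count exceeds the threshold. This is the 'volume spike' alert."""
    buckets = Counter(int(e["ts"].timestamp() // window_seconds) for e in entries)
    return {b * window_seconds: n for b, n in sorted(buckets.items()) if n > threshold}


def concentrated_clients(entries, min_requests=20, min_share=0.5):
    """Flag (ip, path, count, share) where one client made at least min_requests
    to a path and is at least min_share of all traffic to it. This catches the
    low-rate, single-source pattern aimed at an expensive endpoint such as search."""
    per_path = Counter(e["path"] for e in entries)
    per_ip_path = Counter((e["ip"], e["path"]) for e in entries)
    flagged = []
    for (ip, path), n in per_ip_path.items():
        share = n / per_path[path]
        if n >= min_requests and share >= min_share:
            flagged.append((ip, path, n, round(share, 2)))
    return sorted(flagged, key=lambda f: -f[2])


def analyze(lines, window_seconds=60, burst_threshold=100):
    entries = [e for e in map(parse_line, lines) if e is not None]
    return {
        "bursts": request_bursts(entries, window_seconds, burst_threshold),
        "concentrated": concentrated_clients(entries),
    }


def _fmt(ip, ts, path, status):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed log: normal visitors, one low-and-slow client, one burst."""
    lines = []
    # 30 ordinary visitors, one page each, spread over ten minutes
    for i in range(30):
        lines.append(_fmt(f"198.51.100.{i + 1}", SAMPLE_START + timedelta(seconds=i * 20), "/index.html", 200))
    # one client requesting /search once per second for three minutes
    for i in range(180):
        lines.append(_fmt("203.0.113.7", SAMPLE_START + timedelta(seconds=i), f"/search?q={i}", 200))
    # 150 requests from 50 addresses packed into five seconds of minute eight
    for i in range(150):
        ts = SAMPLE_START + timedelta(minutes=8, seconds=i % 5)
        lines.append(_fmt(f"192.0.2.{i % 50 + 1}", ts, "/", 503))
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for start, n in result["bursts"].items():
        print(f"burst: {n} requests in the minute starting at epoch {start}")
    for ip, path, n, share in result["concentrated"]:
        print(f"concentrated: {ip} made {n} requests to {path} ({share:.0%} of that path)")
```

Run against real logs, only the per-minute check fires on the 150-request burst, while the search client at one request per second never crosses a volume threshold and is only caught by the per-path concentration check. Tune `threshold`, `min_requests` and `min_share` to your own baseline rather than using the constructed values as-is.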
Some other indications to consider:
Note: Googlebot makes repeated requests to your website, which can seem like suspicious behavior on the surface. Googlebot and other search engine crawlers are vital to having a website rank correctly in searches. After all, we all want to rank higher in search results! We have a post that helps highlight the difference between Googlebot legitimately crawling a website and a DDoS attack.
It seems obvious — block them! However, there are a few main checklist items that apply to any company when looking to prevent or respond to a DDoS attack. These items include:
Next, let’s take a look at some steps to help stop a DDoS attack before it affects your website and traffic.
There are a number of important steps you can take to stop a DDoS attack in its tracks.
Catching a DDoS attack early makes all the difference in reducing impact and downtime for your website. If you are running your own web servers, ensure you have services that can help you monitor when you are coming under DDoS attack.
Your web server should already be set up to accommodate unexpected increases in traffic, especially if you are running advertisements, campaigns, or special offers. These extra resources can also buy you a few extra minutes of time to react to a DDoS attack before your website’s resources are overwhelmed.
If you run your own web server, there are a few steps you can take to mitigate the effects of a DDoS attack. For example, you can limit the number of requests your web server accepts over time, add filters to drop packets from specific sources if you are able to identify where the attack is originating, or set lower ICMP, SYN, and UDP flood drop thresholds — but unfortunately, these aren’t particularly effective against especially large, highly sophisticated DDoS attacks.
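To make the first two of those server-side controls concrete, here is an added example (not from the original post, and not any web server's built-in rate limiting): a per-client token bucket, the algorithm behind most request-rate limits, combined with a source blocklist for addresses you have already identified. Time is kept in integer milliseconds and tokens in integer milli-tokens so the arithmetic is exact. The rate, burst size, client addresses and blocked network are all constructed values.

```python
"""Added example (not from the original post): per-client token-bucket rate
limiting plus a source blocklist, as a self-hosted web server might apply in
front of expensive handlers. All addresses and limits are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network


class RateLimiter:
    """Token bucket per client IP. Each request costs 1000 milli-tokens; the
    bucket refills at rate_per_second and never holds more than the burst."""

    def __init__(self, rate_per_second, burst, blocked_networks=()):
        self.rate = int(rate_per_second)           # sustained requests per second
        self.capacity = int(burst) * 1000          # burst allowance, in milli-tokens
        self.blocked = [ip_network(n) for n in blocked_networks]
        self._buckets = {}                         # ip -> (millitokens, last_seen_ms)

    def is_blocked(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.blocked)

    def check(self, ip, now_ms):
        """Return 'blocked', 'limited' or 'allowed' for one request at now_ms."""
        if self.is_blocked(ip):
            return "blocked"
        tokens, last = self._buckets.get(ip, (self.capacity, now_ms))
        # elapsed milliseconds * requests per second == milli-tokens refilled
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate)
        if tokens >= 1000:
            self._buckets[ip] = (tokens - 1000, now_ms)
            return "allowed"
        self._buckets[ip] = (tokens, now_ms)       # keep the partial refill
        return "limited"


def simulate(limiter, requests):
    """requests: iterable of (ip, time_ms). Returns {ip: Counter of outcomes}."""
    outcomes = {}
    for ip, t in sorted(requests, key=lambda r: r[1]):
        outcomes.setdefault(ip, Counter())[limiter.check(ip, t)] += 1
    return outcomes


def sample_requests():
    """Constructed traffic: a normal visitor, a flooding client, a blocked range."""
    reqs = [("198.51.100.5", t) for t in range(0, 10000, 2000)]   # 5 requests in 10 s
    reqs += [("203.0.113.7", t) for t in range(0, 2000, 50)]      # 40 requests in 2 s
    reqs += [("192.0.2.9", t) for t in (0, 100, 200)]             # from the blocked /24
    return reqs


def run_demo():
    limiter = RateLimiter(rate_per_second=5, burst=10, blocked_networks=["192.0.2.0/24"])
    return simulate(limiter, sample_requests())


if __name__ == "__main__":
    for ip, counts in run_demo().items():
        print(ip, dict(counts))
```

With a sustained limit of 5 requests per second and a burst of 10, the normal visitor is never touched, the client sending 20 requests per second gets roughly burst plus two seconds of refill (19 of 40 requests) and is limited for the rest, and every request from the blocked range is refused before any bucket is consulted. As the paragraph above notes, this only protects the server's own capacity; it does nothing if the attack saturates the link in front of it.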
A web application firewall (WAF) can help address DDoS and DoS attacks, layer 7 threats, bad bots and even virtually patch known website vulnerabilities. The WAF is essentially a layer of protection that sits between a website and the traffic it receives. We dive deeper into the topic in this article about what is a WAF.
There are several WAF solutions that offer automated mitigation of DDoS threats, but one of the best ways to decide which WAF works best for your application is to analyze how effective the protection is, whether it fits within your budget, and whether your team can properly configure it.
Country-based blocking is typically effective at minimizing risks. It can also help in complying with some organizational policies whose intention is indeed to “block hackers”. Here are a couple of things to note:
This is not to say that country blocking won’t help prevent DDoS threats; but be sure to understand the implications of blocking out the entire world except your country. It may not be as black and white a solution as others may lead you to believe. Country blocking is a way to enhance an actual protection against DDoS attacks, such as a website firewall.
Nowadays, most botnets are made of thousands of hacked websites, compromised CCTVs, infected computers, and other internet of things devices. The attacks are distributed all over the world. Having said that, country blocking can prevent thousands of mindless bots from spamming the connection logs. Definitely a plus!
We’ve put together a comprehensive guide outlining what a DDoS attack is, why they happen to websites of all sizes, and how you can prevent DDoS from harming your traffic and server resources.
If you’re interested in knowing more about a web application firewall’s ability to stop DDoS, check out the video below — it clearly demonstrates how the Sucuri Firewall can help to mitigate DDoS.
If you’re looking for a hand stopping a DDoS attack, implementing website monitoring, or just have security questions in general — reach out! Our experienced analysts are available to chat 24/7 to help you with your website.