The hot topic on Twitter lately has been DDoS attacks. I've decided to write this article to give useful information to our customers, and to anyone else who stumbles upon it, on how to prepare for and survive an incoming or ongoing DDoS attack.
Picture one busy afternoon: calls are coming in at record numbers, and your marketing team has devised a strategy that's working and bringing in the revenue that pays salaries and expenses. All is good until the calls turn from pre-sales to "Your website is down."
It's a scary moment. You find inbound traffic coming from hundreds or thousands of IP addresses in various countries. Your website is down and nobody can place orders or get information. Not to resort to fear tactics, but this outage could be the fine line between the success of your business and the moment everything went sour. After all, your advertising dollars have suddenly been turned against you: thanks to the DDoS attack, they are now advertising a website that, as far as visitors can tell, could be hosted on a Pentium II in a shoebox. Your customers don't know you're using the latest CPUs and SSDs; all they see is a website that's just not working.
So what is a DDoS attack, and what does it mean to you? In layman's terms, it's an attack against your website or server meant to overwhelm infrastructure to the point where it no longer responds to legitimate requests. It can be a raw flood of packets at a port, or it can exploit a weakness in your application that makes each request expensive to serve. Whatever the form, it's designed to take down your services, and often those of your well-meaning neighbors on the same server or network. A DDoS attack generally uses many compromised computers (or devices) across many networks to coordinate focused traffic against weaknesses in system infrastructure or websites. The sources can be desktop computers, other servers, mobile devices, and even street cameras (as in the recent DDoS attacks coming from China).
You know what a DDoS attack is, and you know it means bad business for you and everyone else. How do you protect against one? That's a tough question; there is no foolproof means of protecting against a DDoS attack. You can, however, mitigate them, and reduce your exposure considerably with good practices and maintenance. Below are some guidelines and tips on preventing and mitigating DDoS attacks.
Malicious users looking for easy targets generally try to extort individuals for a sum of money in exchange for calling off a DDoS attack. In many cases these individuals don't plan on attacking your website specifically; you've likely just received a spam message sent out in bulk to find respondents. The first thing to do is discard that email. Do not respond. By responding, you're proving to the attacker that you are worried about your website and are a likely victim to squeeze money from. These individuals usually have no means of carrying out a DDoS attack and are just spammers. Some, however, do have the ability to attack websites until they're no longer responsive. Don't make yourself a target by responding to these messages. Ninety-nine times out of a hundred they will just move on to the next individual until they get a response to exploit.
You always want to be prepared for a DDoS attack, even if your website doesn't attract that kind of attention. I've prepared a list of things you can do to help protect your website. Each one is simple enough to set up without a developer. There are other, more advanced options; we'll address those at the end of this write-up.
1. Put your website behind CloudFlare. By leveraging CloudFlare's network you're doing a few things. For starters, attackers cannot find your server's IP address if you set CloudFlare up properly, which prevents direct attacks against the origin. "Properly" means every public hostname is proxied, nothing else leaks the origin address (mail records, old DNS history, an unproxied subdomain), and the server's firewall accepts web traffic only from CloudFlare's published IP ranges, so an attacker who does learn the address still cannot bypass the protection. Next, your static content is served from CloudFlare's edge, so when you're under attack your server needs far fewer resources per visitor than it would if every bot hit it directly. There are many other benefits to going through CloudFlare, most of which protect you against attacks. To learn more about CloudFlare and leveraging their network with your hosting, visit https://www.cloudflare.com/.
2. Update everything. If you're using WordPress, update WordPress and all plugins. If you're running Drupal, update Drupal core and all modules. If you're not sure how to run updates, an experienced developer can usually do this for you at low cost, since they do it routinely. Make sure all of your software and scripts are up to date. Staying current ensures known vulnerabilities are patched, so an attacker can't use a cheap application-level exploit (a crash, a single request that exhausts memory or the database) to take you down without needing any real traffic volume.
3. Choose the right infrastructure. Make sure you're on a server running an up-to-date firewall and current mod_security rule sets; the OWASP Core Rule Set and Comodo's rules are two options to consider. If you're not sure what this means, ask your web host whether they maintain these for you. If you're on an unmanaged server, learn how these technologies work and set them up. On cPanel servers, mod_security is usually enabled by default through EasyApache in its initial build. ConfigServer Security & Firewall (CSF) is a widely used firewall in active use by thousands of hosts; it comes with profiles offering different degrees of strictness. And lastly, make sure your hardware can withstand some degree of attack, because not every attack is blocked immediately.
Prevention is the most powerful medicine. In many cases you won't be able to fully protect against an active DDoS attack until it subsides, or without taking the website down for a period to move it to DDoS-protected services.
Identify The Attack
In some cases you may already be under attack. DDoS attacks always have a pattern. Whether it's targeting a specific URL on the server, flooding the same port, or brute-forcing a WordPress login page, the sheer volume a DDoS attack unleashes makes a pattern almost impossible to hide. Start with your web server's access log: the source IPs and URLs that dominate it are the attack.
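As an added example (not code from the original article), the following POSIX shell functions pull that pattern out of an Apache combined-format access log: the busiest source IPs, the most requested URLs, and any single IP responsible for more than a given share of all requests. The log lines are constructed for illustration (documentation-range addresses), and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Finds the attack pattern in an
# Apache combined-format access log. Sample log and paths are constructed.

# Constructed sample log: one address hammering wp-login.php among normal visitors.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2016:13:55:37 +0000] "GET /catalog/widgets/widget24 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2016:13:55:38 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2016:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
EOF
}

# Requests per source IP, busiest first. $1 = log file, $2 = how many rows (default 10).
# In the combined format the client IP is field 1.
top_ips() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Requests per method and path, most requested first. Fields 6 and 7 are the
# quoted request line's method and path; the quote is stripped.
top_urls() {
    awk '{ print $6, $7 }' "$1" | tr -d '"' | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Print "ip count" for every IP whose share of all requests exceeds $2 percent
# (default 25). A single source above this on a busy site is almost never a human.
flag_heavy_ips() {
    total=$(wc -l < "$1")
    awk -v total="$total" -v pct="${2:-25}" '
        { n[$1]++ }
        END { for (ip in n) if (n[ip] * 100 / total > pct) print ip, n[ip] }
    ' "$1"
}
```

On a live server, run these against the last few thousand lines rather than the whole file (`tail -n 5000 /var/log/apache2/access.log > /tmp/recent.log`), since the attack you care about is the one happening now. The IPs `flag_heavy_ips` prints are what you hand to your firewall or to your host; the top URL tells you whether the target is a login page (see the brute-force answer below) or an expensive catalogue page.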
Q: A login page is being brute forced. What do I do?
A: Avoid plugin/module-based security methods, as they still run PHP and the database for every bad attempt and so add heavy overhead to your website and the server. Instead, consider protecting pages such as wp-login.php and/or the /admin path with HTTP Basic authentication: an .htaccess file in your website's directory that points at an .htpasswd file stored outside the document root. Apache then rejects requests that lack the extra password before your application ever runs. This doesn't work for every website, but for websites that don't have a lot of users who need to log in, it should reduce a lot of overhead.
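As an added example (not from the original article), this shell function writes the .htaccess that challenges wp-login.php with Basic auth, and refuses to proceed if the password file would be placed inside the document root where the web server could serve it. The document root, password file path and the decision to deny xmlrpc.php are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Writes an Apache 2.4 .htaccess that
# puts HTTP Basic auth in front of wp-login.php. Paths below are placeholders.

# $1 = document root, $2 = absolute path of the .htpasswd file.
# Returns 1 (and writes nothing) if $2 lies inside $1: a password file under the
# document root is a file the web server may hand to anyone who asks for it.
write_login_protection() {
    docroot=$1
    passfile=$2
    case "$passfile" in
        "$docroot"/*)
            echo "refusing: .htpasswd must live outside the document root" >&2
            return 1 ;;
    esac
    cat > "$docroot/.htaccess" <<EOF
# Only wp-login.php is challenged; the rest of the site stays public.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $passfile
    Require valid-user
</Files>
# xmlrpc.php is the other common password-guessing entry point on WordPress.
# Deny it outright unless something you rely on (e.g. the mobile app) needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF
}
```

Create the password file with the `htpasswd` tool that ships with Apache (`htpasswd -c -B /home/example/.htpasswd admin`; `-B` selects bcrypt), then call `write_login_protection /home/example/public_html /home/example/.htpasswd`. Serve the login page over HTTPS only, since Basic auth sends the credentials with every request. Requests that fail the challenge are answered by Apache with a 401 before PHP or MySQL is touched, which is the whole point compared with a plugin.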
Q: My page /catalog/widgets/widget24 is getting attacked, what do I do?
A: You might have just gone viral. Then again, it could be an attack. You don't want to lose a sale, so generally it's best to keep the page up but use some level of caching to take the overhead off the database. If you can make the page completely static (an .html file), that's ideal, because it then requires no database hits at all. There are WordPress plugins and Drupal modules that do just that: W3 Total Cache and Drupal's Boost module, to name two.
There are countless ways your services can be attacked, and a dozen solutions for each. No solution is perfect, but you want some level of protection when you are under attack. Stay general for general protection, and go with a specific defense for a specific attack. Identify the active attack and handle it before it becomes too difficult to do so.
Speak with your host. Have you been threatened? Let them know so they can take appropriate steps. Do you know who your attacker is? Report it to the authorities, or at the very least file a police report so you have some legal recourse should the worst happen. Log every attack you encounter (access logs, firewall logs, timestamps) so you can pass this information on to whoever helps you mitigate DDoS attacks.
With the rise of DDoS attacks, it's important to prevent, identify, and communicate. By taking no action, you're putting your website and your network neighbors at risk of downtime and damages.
Your web host should always be willing to work with you on preventing DDoS attacks. Although there aren’t any one-size-fits-all options available, many options will mitigate most attacks.
Some services to consider below.
Some technical options below (a lot of reading involved).