Distributed denial-of-service (DDoS) attacks can disrupt website traffic and impact any business. To help website owners and webmasters improve their website resilience to DDoS attacks, we have put together a series of posts.
Here are the topics that will be discussed:
- Website optimization best practices
- Caching best practices
- Web Application Firewall (WAF) protection
- Setup Optimization
Today, we are going to explore website setup optimization best practices.
Optimize Your Setup
Unless you’re a sysadmin or a tech enthusiast, you shouldn’t be taking care of your server yourself. That involves many tasks, such as constant updates and hardening. Even if you did an awesome job, the server could still be used to attack a target or even your own website.
If you do not have proper sysadmin knowledge, be cautious: a lot of issues can come up when trying to optimize your setup. One time-consuming drawback is the struggle with database errors.
Focus on your business. An optimized server requires regular supervision and should be managed by professionals. Nowadays, there are plenty of managed hosting providers that guarantee an excellent uptime service level agreement (SLA), as well as top-notch data centers and technologies.
A single server won’t be able to stand up to a DDoS attack, but a good hosting server can prevent small floods and unnecessary slowness.
Setup Optimization Checklist
As long as you have a good hosting provider, you won’t need to optimize much of your server and you can skip this step. However, if you want to manage your own server or just want to make sure your current hosting is right for the job, these are some details worth checking:
- The data center is Tier III or IV. That level of certification ensures redundancy and reliability;
- The server has a good network throughput (100MBps at least) and your data limit is more than enough;
- The server uses solid-state drives (SSD) instead of hard disk drives (HDD). SSDs provide many more IOPS, which makes a difference when your website is under stress;
- The data center allows you to block IP addresses at the network level. This is very important, as discussed in part III, Don’t Get Exposed – Block Non-WAF Connections (https://blog.sucuri.net/2019/01/how-to-improve-your-website-resilience-for-ddos-attacks-part-iii-waf.html);
- Use HTTP/2 (https://http2.github.io/faq/) to lower the number of connections and speed your page loading time;
- Fine-tune your software settings, from MySQL, PHP, Java or whatever language you’re using. Make sure your web server software is battle-tested and configured to process more and faster requests with fewer resources;
- Remove libraries and modules you don’t use, and keep your setup clean and well configured for your type of application. Update to the latest versions available (they are usually faster), such as PHP 7 (https://kinsta.com/blog/php-benchmarks/);
- Native cache systems such as OpCache, FPM cache, and similar can also come in handy;
- Disable access logging for static files and any other logs not necessary for basic troubleshooting;
- If you feel comfortable changing the guts of your operating system, you could try to tune your kernel to improve the network throughput, system response time, etc. Be careful and always test every setting you changed;
- Use a professional server monitoring software to make sure everything is working perfectly.
How a Huge DDoS Attack Changed History
Here is an example of how a DDoS attack can distress any business, no matter the size of it.
On October 21, 2016, a DDoS attack with an estimated strength of 1.2Tbps targeted Dyn, Inc., a company that managed much of the internet’s domain name system (DNS) infrastructure, including the DNS of Twitter, Netflix, Reddit, CNN and The Guardian. These and many other big websites were inaccessible for the better part of the day in several parts of the world.
Today, having a secondary DNS provider still isn’t very common (even though it has been possible since the 1990s). Back in 2016, however, it was considered almost paranoid. That changed on October 21st.
Redundancy is the Key
Nowadays, professional DNS providers offer native secondary DNS integration, which lets you manage all DNS records of a website from a single provider’s dashboard while the records are automatically synced to a secondary DNS provider for redundancy.
eBay, Amazon and lots of other tech giants are examples of websites that use two DNS providers:
$ dig NS ebay.com +short
ns1.p47.dynect.net.
a2.verisigndns.com.
ns2.p47.dynect.net.
ns4.p47.dynect.net.
a1.verisigndns.com.
ns3.p47.dynect.net.
a3.verisigndns.com.
$ dig NS amazon.com +short
ns3.p31.dynect.net.
ns1.p31.dynect.net.
ns2.p31.dynect.net.
ns4.p31.dynect.net.
pdns1.ultradns.net.
pdns6.ultradns.co.uk.
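To turn the dig output above into an actual redundancy check, here is an added example (not part of the original post) that groups a domain’s nameservers by provider and flags a single-provider setup. It assumes that the label in front of the public suffix identifies the provider (so ultradns.net and ultradns.co.uk are counted as one), which is a heuristic, not a registry lookup.

```python
"""Check whether a domain's NS records span at least two DNS providers."""
import subprocess

# Public suffixes that take two labels. Without this, the naive
# "label before the TLD" rule would read pdns6.ultradns.co.uk as "co".
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz", "co.jp", "com.br"}


def provider_of(ns_host: str) -> str:
    """Return the provider label of a nameserver (e.g. 'dynect', 'ultradns').

    Heuristic: the label right before the public suffix. Assumed to identify
    the operator; it is an approximation, not an authoritative mapping.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2]


def providers_from_dig(dig_short_output: str) -> dict:
    """Group the hosts in `dig NS <domain> +short` output by provider."""
    groups: dict = {}
    for host in dig_short_output.split():  # one NS host per whitespace token
        groups.setdefault(provider_of(host), []).append(host.rstrip("."))
    return groups


def is_redundant(dig_short_output: str, minimum_providers: int = 2) -> bool:
    """True when the NS set is spread over at least `minimum_providers`."""
    return len(providers_from_dig(dig_short_output)) >= minimum_providers


def check_domain(domain: str) -> dict:
    """Query a live domain. Needs the dig binary; not used by the offline tests."""
    out = subprocess.run(["dig", "NS", domain, "+short"],
                         capture_output=True, text=True, check=True).stdout
    return providers_from_dig(out)


# Sample input: the two NS sets quoted in the post, plus a constructed
# single-provider set to show the failing case.
EBAY_NS = """ns1.p47.dynect.net. a2.verisigndns.com. ns2.p47.dynect.net.
ns4.p47.dynect.net. a1.verisigndns.com. ns3.p47.dynect.net. a3.verisigndns.com."""
AMAZON_NS = """ns3.p31.dynect.net. ns1.p31.dynect.net. ns2.p31.dynect.net.
ns4.p31.dynect.net. pdns1.ultradns.net. pdns6.ultradns.co.uk."""
SINGLE_PROVIDER_NS = "ns1.p47.dynect.net. ns2.p47.dynect.net."  # constructed

if __name__ == "__main__":
    for name, ns in (("ebay.com", EBAY_NS), ("amazon.com", AMAZON_NS),
                     ("example (constructed)", SINGLE_PROVIDER_NS)):
        verdict = "redundant" if is_redundant(ns) else "SINGLE PROVIDER"
        print(f"{name}: {verdict} {providers_from_dig(ns)}")
```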
Redundancy is one of the most important parts of a solid website security posture. It adds a bit to the budget, but if a website needs an uptime as close to 100% as possible, go for it.
You can have two DNS providers, two Web Application Firewalls (WAF), a geo-replicated hosting environment with autoscaling and much more.
No matter what kind of redundancy you choose, it’s always ideal to have a backup plan.
Last, but not least, don’t be part of a botnet. Make sure your devices are free of malware and enforce strong passwords everywhere, especially on the internet of things (IoT) devices such as CCTV cameras, baby monitors, home routers, etc.
Whether you’re a small or a large website, it’s always a good idea to be prepared to face a DDoS attack. If you want to learn more about how to be protected online, check out our Personal Security blog series.
In this series, we have talked about ways to make a website less prone to DDoS attacks. Please let us know if you have any comments via our social media channels @sucuriseguranca.
Our goal here at Sucuri is to make the internet a better place. Be safe online!