Editorial: This post was last updated September 8th, 2022.
Nowadays, the term DDoS raises the heart rate of most webmasters. Though many don’t know exactly what a DDoS attack is, they might be familiar with the effect: an extremely sluggish, shut down, or dysfunctional website.
In this article, we’ll focus on how to know if you’ve been DDoSed, how to spot a DDoS attack, and how to protect your website from future DDoS attacks.
- What is a DDoS attack?
- What are the signs of a DDoS attack?
- How to tell if you are being DDoSed
- Is it legitimate traffic or a DDoS attack?
- DDoS attack live example
- 4 steps to defend against a DDoS attack
- What happens as a result of a DDoS attack?
- How do I protect my website from DDoS?
What is a DDoS attack?
DDoS stands for Distributed Denial of Service. Like the name implies, a DDoS attack is a malicious attempt to disrupt or damage a service by overwhelming system resources with traffic.
At a basic level, DDoS attacks are something like gridlock at a busy intersection — if enough traffic arrives all at once, then the heavy congestion turns into a jam and nobody can get through to the other side.
Services that denial of service attacks can target include:
- a website
- an internet service provider (ISP)
- the Nasdaq Stock Market
- a NASA probe
- a game server
Practically anything connected to the internet is a potential target for DDoS.
The same goes for the source of DDoS attacks: Common culprits include hacked web servers and “internet of things” devices like smart appliances, routers, and even CCTV cameras.
Causes can be accidental or intentional. But a large criminal industry has grown around offering DDoS attacks as a service. There’s a market for attacks on sites: buyers include competitors looking to tarnish others’ reputations and those seeking to deny a site’s online presence for political reasons.
A DDoS attack simply works like this: An attacker uses a number of machines across the internet (or what’s called a “botnet”). Those machines send a high volume of fake traffic to the target site, all in an attempt to overload server resources and bring the site down.
There are many types and sizes of DDoS attacks and they can be devastating regardless of their size. Even an attack from a single system (DoS) can paralyze a site, so consider the ruthless efficiency of a multi-system attack through DDoS. A powerful DDoS can be as tiny as one request per second, and it can still have devastating effects on a website.
Some services are specifically targeted. Interestingly though, the process is largely automated, and most sites affected are randomly selected. Of course, this doesn’t matter if you’re a target. Regardless of the reason, the results can be detrimental, especially for an ecommerce website.
If you want to know more about the types of distributed denial of service attacks, read our guide on what a DDoS attack is.
What are the signs of a DDoS attack?
Symptoms of a DDoS attack can mimic issues you might find on your computer — slow access to website files, inability to access websites, or even problems with internet connection.
However, there are a few main indicators that you might be facing a denial of service attack, and leveraging analytics can help you spot them:
- A sudden influx of requests to a specific endpoint or page
- A flood of traffic that originates from a single IP or range of IP addresses
- A sudden spike of traffic that occurs at regular intervals or at unusual time frames
If you’re seeing unexpected website latency issues, it’s time to investigate.
How to tell if you are being DDoSed
Some pretty obvious signs of a DDoS attack on your site include:
- Problems accessing your website.
- Files load slowly or not at all.
- Slow or unresponsive servers, including “too many connections” error notices.
- Odd traffic patterns like spikes every 5-10 minutes, or spikes at unusual times of the day.
- A flood of traffic coming from a single device type, geolocation, or web browser version.
More specific signs of DDoS will vary depending on the type of attack.
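The indicators listed in the two sections above (one endpoint, one IP range, one browser version, or one time slot accounting for most requests) can be checked directly against a web server access log. The following is an added example, not code from the original post: the log lines are constructed sample data in combined log format, and the function names and the 50% share threshold are assumptions to tune against your own baseline.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Combined log format: ip, two ignored fields, [timestamp], "request", status, size, referer, UA.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def make_line(ip, minute, path, ua):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [08/Sep/2022:10:{minute:02d}:00 +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

# Constructed sample: 80 flood requests from one /24 plus 20 ordinary visitors.
SAMPLE = (
    [make_line(f"203.0.113.{i % 20 + 1}", 5, "/search?q=x", "bot/1.0") for i in range(80)]
    + [make_line(f"10.{i}.0.7", i % 10, p, f"Browser/{i}")
       for i, p in enumerate(["/", "/shop", "/about", "/cart", "/blog"] * 4)])

def analyze(lines, share_threshold=0.5):
    """Return each dimension where one value exceeds share_threshold of all requests."""
    counters = {"endpoint": Counter(), "ip_range": Counter(),
                "user_agent": Counter(), "minute": Counter()}
    total = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of crashing
        try:                              # assumes IPv4 clients, grouped by /24
            net = ip_network(m["ip"] + "/24", strict=False)
        except ValueError:
            continue
        total += 1
        counters["endpoint"][m["path"].split("?")[0]] += 1
        counters["ip_range"][str(net)] += 1
        counters["user_agent"][m["ua"]] += 1
        counters["minute"][m["ts"][:17]] += 1   # dd/Mon/yyyy:HH:MM
    findings = {}
    for dim, counter in counters.items():
        if not counter:
            continue                      # no parsable requests at all
        value, hits = counter.most_common(1)[0]
        if hits / total > share_threshold:
            findings[dim] = (value, hits, round(hits / total, 2))
    return findings

if __name__ == "__main__":
    for dim, finding in analyze(SAMPLE).items():
        print(dim, finding)
```

On the constructed sample all four dimensions are flagged, while the 20 ordinary requests on their own produce no findings.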
Is it legitimate traffic or a DDoS attack?
Since a DDoS attack generates lots of traffic toward your site, it creates a tricky predicament. How can you tell if your site is just suddenly doing really well (traffic-wise) or if you are currently experiencing a DDoS attack?
If a site goes down due to a spike in legitimate traffic, the outage generally lasts only a short while before you’re back up and running again. Sustained spikes in traffic are rarely random, and in legitimate cases you’d likely be able to identify the reasons for them, such as a major advertising campaign or a piece of viral content.
But more subtle attacks aren’t as simple to discern. Let’s say an online retailer with blackhat-hacking skills wants to keep people away from a competitor’s website without them being aware of it. The hacker can DDoS the competitor’s website a few times a day – potentially at random periods throughout the day just to make the competitor’s customers upset with how slow the website is. If the hacker’s server threw 500 hits per day (nothing out of the ordinary), the site wouldn’t be down for more than a few seconds, in intervals. Even mild DDoS attacks like this one hurt the victim’s business and reputation.
Generally, the best way to examine a potential DDoS attack is through analytic tools. Check to see if a specific traffic source continues to query a certain set of data long after the Time To Live (TTL) for the site has elapsed. (This is the time frame that you set for your site to discard held data and free up resources.) If that’s the case, you’re likely looking at a DDoS attack, since legitimate traffic won’t behave in this way.
DDoS attack live example
To give you an idea of what a DDoS attack looks like, we developed this live example of a website getting DDoSed. You can watch how the server resources are depleted and how this disrupts the website’s performance in a matter of minutes.
After watching the video, you’ll be able to better recognize the traits of an attack on your own sites.
4 steps to defend against a DDoS attack
We’ve outlined four steps you can take to defend your site against DDoS attacks:
1. Monitor your website activity
Track your network activity carefully so you can recognize when anything is amiss. This will help you identify traffic spikes and figure out if an attack is occurring.
2. Improve your website’s capacity
Mitigate the effects of any traffic spike by having a high enough capacity to maintain good site performance through it. Hosting solutions with higher levels of processing and memory resources – or ones that can automatically scale – handle load better than lower levels. And a content delivery network (CDN) helps offload some of the weight, too.
3. Lean on a website security provider
Many companies reasonably decide that they do not want to deal with the challenge internally, so they partner with a third party to help block and prevent denial of service attacks.
4. Use a web application firewall
As an example, the DDoS mitigation feature of the Sucuri website firewall automatically blocks fake traffic and requests from malicious bots, without interfering with your legitimate traffic. Our cloud-based network can mitigate large network attacks (Layer 3 & 4), and we specialize in handling Layer 7 attacks against web applications.
What happens as a result of a DDoS attack?
The cost of protecting yourself against a DDoS attack is usually much smaller than the financial impact of a DDoS against your site (or any other hacking attempt).
Since attacks can cause server outages, DDoS attacks can place significant stress on dev or IT resources trying to bring the website back online. Even worse, they can severely disrupt website traffic, user experience, and ultimately the purchase process.
For example, an attack on an e-commerce business during the busy holiday shopping season can impact the entire company’s profitability for the year.
How do I protect my site after a DDoS attack?
While distributed denial of service attacks may be a common occurrence, it doesn’t mean you need to accept it as a part of your company’s online presence.
Limiting the number of requests your web server accepts over time is one way of mitigating DDoS attacks. Unfortunately, rate limiting alone is often not sufficient to handle complex attacks effectively.
On the other hand, using a web application firewall can significantly help mitigate a layer 7 DDoS attack. Since the firewall filters traffic between the internet and the origin server, it can act as a reverse proxy and protect the website from malicious traffic.
The Sucuri Web Application Firewall leverages an Anycast distributed network, which scatters traffic across a number of distributed servers. Since this approach is effective at diffusing disruptions and helps large volumes of traffic become more manageable, websites can take advantage of this service to further reduce the impact of an attack.
When it comes to attacks against your website or livelihood, it’s always better to take a proactive approach than a reactive one.