Editorial: This post was last updated December 5th, 2022.
With DDoS attacks being an ever-growing threat to servers across the globe, DDoS protection has become a fundamental part of website security. DDoS impacts businesses in terms of site presence, availability and profits.
The web has had to evolve to respond to the increase in these attacks. For example, back in 2014 a couple of teenagers were able to take the entire Xbox Live network offline during Christmas.
In today’s post, we’ll be discussing how to stop a DDoS attack from affecting your website and server, and how to prevent DDoS moving forward. We’ll also detail how to check and ensure traffic spikes are legitimate, which is crucial in identifying any ongoing attacks.
What’s a DDoS attack, exactly?
Distributed Denial-of-Service (DDoS) attacks focus on making websites or services unavailable. Attackers do this by flooding services with a large amount of traffic, often by using a botnet — a network of compromised devices or computers.
Items to note about DDoS attacks:
- It can cost as little as $150 (USD) for attackers to buy a week-long DDoS attack on the black market.
- A smaller sized DDoS attack can cost only around $10 (USD).
- Every single day around 2,000 DDoS attacks occur globally.
- Mitigation of an ongoing DDoS attack can potentially cost the victim thousands or millions, not including time and bandwidth charges.
With these costs in mind, consider this: in comparison, the loss of reputation and sales can be catastrophic to the average site owner.
What is the best way to prevent DDoS?
Here are some important steps you can take to prevent a DDoS attack:
- Set up a WAF
- Country blocking
- Monitor web traffic
- Increase bandwidth
- Move to the cloud
- Implement rate-limiting
- Set up caching
1. Set up a WAF.
A web application firewall (WAF) can help detect and block DDoS attacks. It acts as a layer of protection between the hosting server and site visitors and ensures all malicious HTTP/HTTPS traffic is filtered and blocked. You can learn more about web application firewalls in our article What is a WAF?
You can configure rules for your web application firewall to filter out malicious IPs and traffic sources. Furthermore, a good WAF will protect your application against SQL Injections, XSS (Cross-site scripting), RCE (Remote code execution), RFU, and other well-known attacks.
To determine which WAF works best for your application, you’ll want to analyze whether it’s in your budget and if a team is necessary and able to properly configure it.
2. Country blocking.
Blocking visitors based on geo-location is usually effective at significantly lowering risks of an attack. The majority of website attacks come from countries such as China, Russia and Turkey. Although we have nothing against those countries, our WAF does give you the option of blocking them from interacting (POST) with your site. This option also can be beneficial in complying with certain organizational policies, in terms of “blocking hackers.”
It’s important to note, however, that IP addresses were never meant to designate a geographical location. Therefore, the geo-blocking feature is based on best-effort IP address databases.
There are over 4 billion IPv4 addresses in use, and one can only imagine how hard it is to keep their ownership status up to date. An IP address that belonged to a US company yesterday could be owned by a Chinese company today, for example. Until all the changes transferring ownership of the IP address are complete, the databases need to re-scan the IP address with the entity responsible for it. This process takes time and therefore somewhat decreases the effectiveness of a country-block tool. IP database vendors such as MaxMind work hard to keep their databases up to date, but unfortunately it’s not “bulletproof” in a sense, although it does offer a great level of accuracy.
Working around blocking systems can be trivial for attackers. If an attacker isn’t using a botnet or purchasing a DDoS service, they may still use some form of anonymous proxy or proxying from outside of the blocked country list. This is normal when using a browser such as Tor, which is free, open-source, and enables anonymous communication. That being said, most botnets are from thousands of hacked servers and devices (IoT), so country blocking can still prevent thousands of bots from spamming connection logs.
3. Monitor web traffic.
Regularly monitoring website traffic is important to find any peaks alluding to a DDoS attack. A lot of the time these attacks are volumetric and network-based (layers 3 and 4). Understanding which attacks you’re experiencing will help you effectively prevent and respond to DDoS.
In our webinar about the effects of a DDoS attack we demonstrate how a single machine can target a website’s search feature and take it down. When an attacker targets a vulnerable endpoint, it really doesn’t have to take many requests per second to get through.
So how does one know whether their site’s traffic is legitimate? In most cases, an unusual spike is a red flag if it’s sustained for a long period of time. If a spike is due to a viral piece of content or a major advertising campaign, any downtime it causes should only last a short while.
To detect and prevent DDoS more effectively, it’s recommended to have monitoring tools in place — and always check logs, of course. Setting up alerts for when you exceed a threshold specific to the number of requests or visitors targeting your site will help mitigate the risk of downtime.
Here are some other indicators that will help you decide whether traffic is legitimate:
- What time of day did these visits occur? At 2:00 AM local time, for example, do you think your business would see a spike in traffic?
- Where are the visits coming from? If you’re a local coffee shop in Boston, do you really expect traffic from somewhere like Indonesia?
- What time of year do the visits occur? Ensure you adjust for expected surges in traffic, during Black Friday for example, and account for this in any monitoring tools.
Search engines like Google make repeated requests to your website, which can appear suspicious on the surface. These requests come from crawlers, which index your site so that it ranks correctly in searches. After all, good SEO helps drive more traffic and revenue.
We have a post discussing the difference between Googlebot legitimately crawling the site and a DDoS attack. On rare occasions, crawlers can lead to an unintended crash of your website, as the crawl rate may be too high or come at a bad time and cause your server’s resources to be exhausted.
4. Increase your bandwidth.
Imagine your network is like a highway. If a traffic jam occurs, you might need a bigger highway with more lanes. When a DDoS attack occurs, the attacker typically sends large volumes of traffic to your site in an attempt to overwhelm server resources and make your site unavailable. So, adding more bandwidth to your server is kind of like adding more roads to your highway. If you’re under a DDoS attack, the best way to prevent it from affecting your site is to scale up your bandwidth and absorb more traffic.
5. Move to the cloud.
Moving to the cloud can help prevent a DDoS attack, but it won’t completely eliminate the effect. Cloud services typically have more bandwidth than on-premises solutions. Furthermore, some services even offer assistance to help mitigate the effects of DDoS.
6. Implement rate limiting.
Rate limiting can be used to prevent DDoS by limiting the number of requests a user or IP can make to your website within a specific period of time. This can help prevent a single source from sending large volumes of requests to your web server at once.
For example, if you set a rate limit of 15 requests per minute for each IP, each IP will only be able to make 15 requests during a one-minute period. Any further requests will be blocked until the time period has lapsed, preventing single IPs from overwhelming resources with large volumes of requests.
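The following is an added example, not code from the original post: it implements the per-IP limit of 15 requests per minute described above as a sliding window, and also the per-minute request-count threshold alert suggested in the monitoring section. The request list is constructed sample traffic, not real logs.

```python
from collections import defaultdict, deque


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per IP."""

    def __init__(self, limit=15, window=60):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps of allowed requests

    def allow(self, ip, ts):
        """Return True if the request at time ts (seconds) may proceed."""
        hits = self._hits[ip]
        # Forget requests that have fallen out of the window.
        while hits and ts - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget: blocked until the window lapses
        hits.append(ts)
        return True


def apply_limiter(requests, limit=15, window=60):
    """Run (ip, ts, path) records through the limiter; return blocked count per IP."""
    limiter = RateLimiter(limit, window)
    blocked = defaultdict(int)
    for ip, ts, _path in requests:
        if not limiter.allow(ip, ts):
            blocked[ip] += 1
    return dict(blocked)


def spike_minutes(requests, threshold):
    """Return minute buckets whose total request count exceeds `threshold`."""
    per_minute = defaultdict(int)
    for _ip, ts, _path in requests:
        per_minute[ts // 60] += 1
    return sorted(m for m, n in per_minute.items() if n > threshold)


# Constructed sample traffic (assumed, not from the post): one host hammers the
# search endpoint 40 times in 40 seconds while two other hosts browse normally.
SAMPLE = [("203.0.113.7", t, "/search?q=x") for t in range(40)]
SAMPLE += [("198.51.100.2", 5 + 7 * i, "/") for i in range(6)]
SAMPLE += [("198.51.100.9", 70 + i, "/about") for i in range(3)]
SAMPLE.sort(key=lambda r: r[1])

if __name__ == "__main__":
    print("blocked per IP:", apply_limiter(SAMPLE))   # only the noisy host is blocked
    print("minutes over 30 requests:", spike_minutes(SAMPLE, 30))
```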
7. Set up caching.
You can use caching to help reduce the load on your website’s server. Caching essentially allows visitors to access content from temporary storage locations instead of your website’s server, reducing load and preventing your site from becoming overwhelmed by a large number of requests.
Example of how to prevent a DDoS attack
Take a look at a quick demonstration of what a DDoS attack does to an unprotected website. See the perspective of the attacker and the victim server and learn how to deflect DDoS attacks.
Ensuring your website isn’t taken offline due to a DDoS will benefit you both in terms of visibility and profits.
Our website security platform provides monitoring, response to attacks and infections, as well as a powerful web application firewall that addresses DDoS attacks, Layer 7 threats, and other various attacks. Add your website behind our WAF and have more peace of mind when it comes to your website’s security.