A DDoS attack occurs when an individual or group of people tries to send a surge of traffic to a particular server or network. This flood of traffic can overwhelm the server with requests and, as a result, the websites on that server go offline.
DDoS stands for Distributed Denial-of-Service, which is pretty apt because it is a service that is being denied.
This video from WoodysGamertag gives a good overview of what happens when a DDoS attack occurs.
High level attacks are frequently reported in the news. The attacks on popular websites may suggest that only high traffic websites need to worry about DDoS attacks, but unfortunately that is not the case.
The growth of hacker forums and the availability of DDoS scripts have given rise to “Script Kiddies” who are able to participate in DDoS attacks without actually having the technical knowledge needed to carry them out.
If you browse one of these popular hacker forums, you can see how pathetic some of the reasons for attacking a website are. Some people feel wronged over something as petty as being banned from a discussion forum, and hackers are willing to perform attacks for others for just a few dollars. Unfortunately, DDoS attacks are cheap to perform and difficult to stop.
Have a look at the DDoS live map at Norse to get an understanding of the volume of DDoS attacks that occur every single day. You may be a little taken aback by how many there are.
I suffered a couple of DDoS attacks in 2015. It was a real pain at the time and a big surprise since I did not own any website with major traffic. Plus I am not someone who owns any website that posts controversial opinions on topics such as religion or politics. In the long term it proved to be a good thing as it led me towards an anti-DDoS hosting solution.
I talk about the experience of suffering a DDoS attack in the video below.
Most website owners incorrectly believe that their host has security measures in place to prevent a DDoS attack. That is simply not the case.
When my websites were being attacked I was hosted by KnownHost. Despite them marketing themselves as a company that has a focus on security and despite being a loyal customer of theirs for many years, the first thing they did when my websites were attacked was switch off my websites and tell me to take my business elsewhere.
One of the emails KnownHost did send me said:
“I lose a lot of money when the node goes down due to DDoSes against your site.
The null-route will remain in place for now as we're far from the 24-hour threshold and given your history the null-route will not be lifted prior to this.”
KnownHost were rarely responding to my email messages during this time and quite frankly treated me, a long term customer who always paid on time, very badly. This is particularly frustrating as I had experienced a lot of downtime with them and had always been understanding of their reasons for it.
The cold hard truth is that unless a host explicitly states it has anti-DDoS measures in place, a host will quickly ask you to leave if your website is attacked.
Even if you are lucky enough to have never received a DDoS attack, it is still important to be aware of what you need to do should you ever be attacked.
Backup Your Websites
I cannot stress enough the importance of securing your website and backing your websites up on a regular basis. There is a chance you will lose everything if your website files and databases are not backed up.
A DDoS attack will not modify your website in any way; however, it is still important to have a recent backup of your website if you are attacked.
When my website was attacked, KnownHost disabled my account for two days and rarely answered my emails. Since I was unable to access my account, I could not easily transfer my websites to a new hosting company. Up until my websites were attacked, I would have recommended KnownHost to anyone as I was pleased with the level of support they gave me.
My opinion quickly changed once my websites were attacked. I was no longer a loyal customer. I was now a problem that they simply wanted rid of.
Your hands are tied in a situation like that, but as long as you have up to date backups of your website, you are in a position to transfer your websites to a new hosting company and start moving forward.
Never take any risks with your website. It pays to be cautious and have a plan in place for worst case scenarios.
Hiding Your IP Address
As Sun Tzu once wrote “Know thy self, know thy enemy. A thousand battles, a thousand victories.”
No one expects website owners to have a complex knowledge of how DDoS attacks occur, but it is important to have a basic understanding of what information they need to attack you.
Without doubt the most important information hackers need is your server's IP address or, as many security experts put it, “Protect the origin”.
Attackers will check the domain name service (DNS) for your domain to find your server's IP address.
One way to stop people checking your server's IP address is to use a service such as CloudFlare. Your DNS records will then show CloudFlare's information. Once you start using CloudFlare, you should change your IP address as your previous IP address can still be discovered through public DNS records.
Nick Sullivan from CloudFlare published a great article about this subject in 2013 entitled “DDoS Prevention: Protecting The Origin”.
He noted that you should never initiate an outbound connection based on user action.
“If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like “upload from URL” that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server. This is important because if an attacker can choose the URL entered, they can set up a web site specifically to monitor who connects to it, or use a public service that monitors the IPs that contact unique URLs.”
Another way that hackers can discover your server's IP address is through email. When someone leaves a comment on your blog and asks to have updates sent via email, the email that is sent to them contains your IP address. Likewise, when someone signs up to your discussion forum, the confirmation email that is sent to them to activate their account contains your server's IP address.
One solution to this is to use a completely different server to handle all outgoing emails. Another option is to use a third-party service that sends emails on your behalf.
Raymond from Raymond.cc provided a great list of these services in his article “7 SMTP Providers to Hide Sender IP Address in Email Headers”. I recommend checking his article out as it explains the process of implementing a third-party email service.
The seven services Raymond recommends (and their locations) are:
- 4SecureMail $39.99 (United States)
- Neomailbox $49.95 (Switzerland)
- Hushmail $49.98 (United Kingdom)
- CounterMail $59 (Sweden)
- Mutemail $69.95 (Bahamas)
- Privacy OffShore $93 (Holland, Hong Kong, Czech Republic, Malaysia)
- AnonymousSpeech $106 (Servers constantly moving in different countries and are always outside the US and UK)
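You can check your own outgoing mail for this leak. The example below is added here and is not from the original article: it scans the headers of a message your site sent and reports any header that contains the server's address. The sample messages, the addresses (documentation ranges) and the function name find_origin_leaks are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a forum activation email as the recipient sees it.
# 203.0.113.10 (documentation range) stands in for the web server's IP.
DIRECT_EMAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbound.example.org with ESMTPS; Mon, 01 Jan 2024 10:00:02 +0000
Received: from web01.example.com (web01.example.com [203.0.113.10])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
X-Originating-IP: [203.0.113.10]
From: forum@example.com
To: member@example.org
Subject: Activate your account

Click the link to activate your account.
"""

# Constructed sample: the same message handed to a separate sending service.
RELAYED_EMAIL = """\
Received: from out.mailrelay.example (out.mailrelay.example [198.51.100.77])
\tby inbound.example.org with ESMTPS; Mon, 01 Jan 2024 10:05:02 +0000
From: forum@example.com
To: member@example.org
Subject: Activate your account

Click the link to activate your account.
"""

def find_origin_leaks(raw_message, origin_networks):
    """Return (header name, IP) pairs for headers exposing an origin address."""
    nets = [ipaddress.ip_network(n) for n in origin_networks]
    leaks = []
    for name, value in message_from_string(raw_message).items():
        # Split each header into runs that could be IPv4/IPv6 literals and
        # let ipaddress decide which runs really are addresses.
        for token in re.findall(r"[0-9A-Fa-f:.]+", value):
            try:
                ip = ipaddress.ip_address(token.strip("."))
            except ValueError:
                continue  # timestamps, hostname fragments and the like
            if any(ip in net for net in nets):
                leaks.append((name, str(ip)))
    return leaks

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT_EMAIL), ("relayed", RELAYED_EMAIL)):
        print(label, find_origin_leaks(msg, ["203.0.113.10/32"]))
```

Send a test message from each feature of your site that generates email (comment notifications, account activation, password resets) to a mailbox you control and run the raw source through the check.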
I encourage you to speak to your host about protecting your server's IP address. A good hosting company will help you make your server more secure as it is in their interests for you to protect their network.
DDoS Protection Services
There are a number of services online that help protect your websites from a DDoS attack.
The one I mentioned previously, CloudFlare, is a good starting point. They have a global network of servers that can help mitigate huge attacks.
Their free plan offers DNS protection, a content delivery network for your files, and stats about your visitors. Updating to their pro plan at $20 per month (plus $5 per additional website) adds a web application firewall (WAF) and mobile optimisation.
CloudFlare cannot stop a fully fledged DDoS attack unless you upgrade to their business plan and that retails at $200 per month per website. This plan offers protection against network attacks (layer 3 and 4) and application attacks (layer 7). Their RailGun feature also improves website performance.
Incapsula have a great reputation for preventing DDoS attacks too. They can prevent all types of DDoS attacks and they also offer DNS server protection. Their business plan retails at $299 per month.
F5 are another good provider of DDoS prevention to check out.
A number of hosting companies offer plans that come with DDoS protection. Offering this kind of functionality to customers can be expensive, so you can expect hosting plans to generally be slightly more expensive.
The company that I use is OVH. Their prices start from as low as $69 per month for a dedicated server, though they do not offer managed support so you would also have to add the cost of hiring a server management service to reach your total cost.
Check out my anti-DDoS hosting page for a list of hosting companies that offer protection against DDoS attacks.