With DDoS attacks an ever-growing threat to servers across the globe, defending against them has become a fundamental part of website security. The impact on businesses covers site presence, availability and profits. Over the last 8 or so years the web has had to evolve to respond to the increase in these attacks. For example, back in 2014 a couple of teenagers were able to take the entire Xbox Live network offline over Christmas. We'll discuss how to stop one of these attacks from affecting you, and how to prevent them going forward.
We'll also go into detail on how to make sure traffic spikes are legitimate, which is crucial in identifying any ongoing attack.
What’s a DDoS Attack Exactly?
Distributed Denial of Service (DDoS) attacks focus on making websites or services unavailable. Attackers do this by flooding a service with more traffic than it can handle. We've also created a handy guide detailing what DDoS attacks are, the types of variants, and motives. Some notable things about this kind of attack and its impact:
- It can cost as little as $150 (USD) for attackers to buy a week-long DDoS attack on the black market.
- A smaller-sized DDoS attack can cost as little as around $10 (USD).
- Every single day around 2,000 DDoS attacks occur globally.
- Mitigation of an ongoing DDoS attack can potentially cost the victim thousands or millions, not including time and bandwidth charges.
With these costs in mind, consider too the loss of reputation and sales, which can be catastrophic for the average site owner.
What You Should Do To Prevent A DDoS Attack
To prevent these impacts to your site, here are some things to consider when it comes to website security.
Set up a WAF
Using a Web Application Firewall (WAF) as a layer of protection between the hosting server and site visitors ensures malicious HTTP/HTTPS traffic is filtered and blocked before it reaches the server. We go into more depth in our article What is a WAF?
A good WAF protects your application against SQL injection, XSS (cross-site scripting), RCE (remote code execution), RFU, and other well-known attacks. To determine which WAF works best for your application, consider whether it fits your budget and whether a team is needed, and available, to configure it properly.
Blocking visitors based on geolocation is usually effective at significantly lowering the risk of an attack. The majority of website attacks come from countries such as China, Russia and Turkey. Although we have nothing against those countries, our WAF does give you the option of blocking them from interacting (POST requests) with your site. This option can also help with complying with certain organizational policies regarding "blocking hackers."
It's important to note, however, that IP addresses were never meant to designate a geographical location. The geo-blocking feature is therefore based on best-effort IP address databases. There are over 4 billion IPv4 addresses in use, and one can only imagine how hard it is to keep ownership status up to date. An IP address that belonged to a USA company yesterday could be owned by a Chinese company today, for example. Until the transfer of ownership is complete, the databases need to re-scan the IP address against the entity responsible for it. The process takes time and therefore somewhat reduces the effectiveness of a country-block tool. IP database vendors such as MaxMind work hard to keep their databases up to date, but it's not "bulletproof" in that sense, although it does offer a good level of accuracy.
Working around blocking systems can be trivial for attackers. If an attacker isn't using a botnet or purchasing a DDoS service, they may still use some form of anonymous proxy, or proxy from outside the blocked country list. This is normal when using a browser such as Tor, which is free, open source, and enables anonymous communication. That being said, most botnets consist of thousands of hacked servers and devices (IoT), so country blocking can still keep thousands of bots from spamming your connection logs.
Monitor Web Traffic
Regularly monitoring website traffic is important for spotting peaks that point to a DDoS attack. Much of the time these attacks are volumetric and network-based (layers 3 and 4). Sometimes, however, this isn't the case. In a previous free webinar we demonstrated how a single machine can target a website's search feature and take it down. When an attacker targets a vulnerable endpoint, it doesn't take many requests per second to get through.
So how does one know whether their site's traffic is legitimate? In most cases an unusual spike is a red flag if it's sustained for a long period. In other cases, where a spike causes downtime because of a viral piece of content or a major advertising campaign, it should only last a short while. To detect this more effectively, have monitoring tools in place and always check your logs. Alerts that fire when you exceed a threshold for the number of requests or visitors targeting your site will help mitigate the risk of downtime.
Here are some other indicators that help you judge whether traffic is legitimate:
- What time of day did the visits occur? At 2:00 AM local time, for example, do you think your business would see a spike in traffic?
- Where are the visits coming from? If you're a local coffee shop in Boston, do you really expect traffic from somewhere like Indonesia?
- What time of year did the visits occur? Adjust for expected surges such as Black Friday, and account for them in any monitoring tools.
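The following is an added example, not code from the original post or from any vendor's product, of how the threshold and indicator checks above can be applied to a web server's access log. It buckets requests into one-minute windows, flags windows above a request threshold, and for each flagged window reports whether a few source addresses or a single path dominates it and whether it falls in the site's quiet hours. The function names, threshold values, quiet-hours range and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" style line:  ip - - [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return one parsed access-log record, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def analyse(lines, threshold_per_min, top_n=3, share_alert=0.5, quiet_hours=range(0, 6)):
    """Flag every one-minute window with more than threshold_per_min requests.

    For each flagged window report the top_n source IPs, the share of the window
    they account for (a high share points at a small set of machines rather than
    a viral spike), the most requested path (one hammered endpoint such as a
    search page is the layer-7 pattern described above), and whether the window
    falls in the site's quiet hours (e.g. 02:00 local time).
    """
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        buckets[rec["ts"].replace(second=0, microsecond=0)].append(rec)

    alerts = []
    for minute, recs in sorted(buckets.items()):
        if len(recs) <= threshold_per_min:
            continue
        ips = Counter(r["ip"] for r in recs)
        paths = Counter(r["path"].split("?", 1)[0] for r in recs)
        top_ips = ips.most_common(top_n)
        top_share = sum(n for _, n in top_ips) / len(recs)
        alerts.append({
            "minute": minute.isoformat(),
            "requests": len(recs),
            "top_ips": top_ips,
            "top_ip_share": round(top_share, 2),
            "concentrated": top_share >= share_alert,
            "top_path": paths.most_common(1)[0],
            "off_hours": minute.hour in quiet_hours,
        })
    return alerts


def constructed_sample():
    """Constructed log lines (not from a real server): five quiet minutes of
    mixed blog traffic, then one minute in which three addresses hit /search
    300 times."""
    base = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)  # 02:00, inside quiet hours
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for minute in range(5):
        for i in range(8):
            ts = base + timedelta(minutes=minute, seconds=7 * i)
            lines.append(f'198.51.100.{i + 1} - - [{ts.strftime(fmt)}] '
                         f'"GET /blog/post-{i} HTTP/1.1" 200 5120')
    burst = base + timedelta(minutes=5)
    for i in range(300):
        ts = burst + timedelta(seconds=i // 5)      # 5 requests per second
        lines.append(f'203.0.113.{10 + i % 3} - - [{ts.strftime(fmt)}] '
                     f'"GET /search?q=term{i} HTTP/1.1" 200 20480')
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_sample(), threshold_per_min=50):
        print(alert)
```

Derive the threshold from your own baseline (the quiet minutes in the sample carry 8 requests each, the burst carries 300) rather than from a fixed number, and feed real lines from the live log. A flagged window where `top_ip_share` is high and `top_path` is one endpoint is the single-machine, application-layer case from the webinar; a window where requests are spread over hundreds of addresses with no dominant path looks more like a botnet or a genuinely viral piece of content, which is where the time-of-day and geography indicators help decide.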
It's also important to note that search engines like Google make repeated requests to your website, which can appear suspicious on the surface. These are known as crawlers; they index your site so it ranks correctly in searches. After all, good SEO helps drive more traffic and revenue. We also have a post discussing the difference between Googlebot legitimately crawling the site and a DDoS attack. On rare occasions such crawlers can cause an unintended crash of your website, as the crawl rate may be too high or come at a bad time and exhaust your server's resources.
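As an added example (not the post's own code or any vendor's), here is the check Google documents for telling real Googlebot traffic apart from clients that merely send a Googlebot User-Agent: a reverse DNS lookup of the source IP must yield a hostname under googlebot.com or google.com, and a forward lookup of that hostname must resolve back to the same IP. The resolver functions are injectable so the example runs offline against a constructed PTR/A table; the fixture addresses and hostnames are made up, and the `verify_crawler`/`classify` names are the example's own.

```python
import socket

# Hostname suffixes Google documents for verifying Googlebot by reverse DNS.
GOOGLEBOT_SUFFIXES = ("googlebot.com", "google.com")


def _system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def _system_forward(host):
    return socket.gethostbyname_ex(host)[2]


def verify_crawler(ip, suffixes=GOOGLEBOT_SUFFIXES,
                   reverse_lookup=_system_reverse, forward_lookup=_system_forward):
    """Forward-confirmed reverse DNS: True only if the IP's PTR name lies under
    one of the given domains AND that name resolves back to the same IP.
    A failed lookup or a mismatch means "not verified"."""
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
    except OSError:
        return False
    # Require a label boundary so "googlebot.com.attacker.example" or
    # "notgoogle.com" do not pass.
    if not any(host == s or host.endswith("." + s) for s in suffixes):
        return False
    try:
        return ip in forward_lookup(host)
    except OSError:
        return False


def classify(ip, user_agent, **lookups):
    """Label a request: verified crawler, impostor claiming to be Googlebot, or other."""
    if "googlebot" not in user_agent.lower():
        return "other"
    return "verified-crawler" if verify_crawler(ip, **lookups) else "impostor"


# Constructed DNS fixture so the example runs offline; none of these are real records.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # forward and reverse agree
    "192.0.2.11": "googlebot.com.attacker.example",    # suffix buried mid-name
    "192.0.2.12": "crawl-192-0-2-12.googlebot.com",   # PTR forged, forward disagrees
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "googlebot.com.attacker.example": ["192.0.2.11"],
    "crawl-192-0-2-12.googlebot.com": ["198.51.100.7"],
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]


UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"):
        print(ip, classify(ip, UA, reverse_lookup=fake_reverse, forward_lookup=fake_forward))
```

Cache the verdict per IP, since two DNS lookups per request is itself a load you don't want during a flood, and treat "impostor" as a reason to rate-limit rather than to block outright. A genuine crawler that is simply too aggressive is then handled by the crawl-rate settings the post mentions, not by the firewall.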
How to Stop a DDoS Attack
The obvious answer is to block them, but how exactly? Here's a list of things to consider when preventing or stopping an attack:
- Develop a full list of the assets you need in place for proper DDoS identification and prevention. Using filtering tools will also help ensure hardware/software components are configured properly.
- Form a response plan. Defining responsibilities for key team members will ensure an organized reaction if an attack arises.
- Make sure your team members know exactly whom to contact if the attack exceeds your capabilities, by defining alternative methods or solutions in advance.
- Develop a communication workflow with your customer base to ensure they're aware of any potential degradation of performance as a result of an attack.
If you're interested in knowing more about our solution's capabilities against DDoS threats, two of our WAF engineers showcase the firewall's effectiveness in a short video we've created: they launch an attack on a site hosted on a server with limited resources, both behind and not behind our WAF.
It remains more important than ever to understand this kind of attack and the ways to stop and prevent it. Making sure your website isn't taken offline by a DDoS will always be beneficial, both in terms of visibility and profits. I hope this post gives you a better understanding of what to consider and look for when it comes to this threat.
Our website security platform provides monitoring, response to attacks and infections, and a powerful Web Application Firewall that addresses DDoS attacks, Layer 7 threats, and various other attacks against websites. Put your website behind our WAF and have more peace of mind when it comes to your website's security.