Distributed denial of service (DDOS) attacks against websites are becoming an increasingly common occurrence due the simplicity and effective nature of the attack. This can be devastating for any online business, as it is common for these attacks to be sustained for large amounts of time, resulting in the website being offline or difficult to access.
This guide is aimed at small websites on VPS or dedicated servers.
Types of DDOS attack
There are multiple types of DDOS attacks, but we will mostly be looking at layer 7 attacks.
- Layer 3/4 attacks: These are network/transport layer attacks that work by flooding the network with traffic. If you are using a VPS or shared hosting, you will need the help of your hosting provider to mitigate this type of attack.
- Layer 7 attacks: These are application layer attacks that work by simulating real traffic to the website, usually in large volume. These are the most complex type of DDOS attack.
Blocking IP addresses
We have established that layer 7 DDOS attacks target the application itself by simulating real traffic in large volumes. The first thing to check is where the attacks are originating from, and if you can pin this down to particular IP addresses that are causing issues. This kind of information can be found in your web server logs. You should block any IP addresses that you identify as sending malicious traffic.
It is possible to throttle traffic at the web server level, which should help to mitigate DDOS attacks. This should have no impact on legitimate traffic, but should help to reduce the amount of malicious traffic. Modules are available for common web servers such as Apache (mod_evasive), and NGINX (HttpLimitReqModule).
There may be particular parts of your application that have been identified by attackers as vulnerable, such as pages that are resource intensive and don’t utilise caching. It should be possible to see if attackers are taking advantage of this by checking your web server logs. You should temporarily block access to parts of the application that are causing issues so that you can partially bring the application back online (assuming the vulnerable part of the application does not provide critical functionality). Before bringing vulnerable parts of the application back online, you should try to optimise these as much as possible to prevent further attacks.
It is typical for large, complex DDOS attacks to originate from many locations. If you are unable to pinpoint this to particular IP addresses but can identify a common country of origin, you should try to temporarily block the country until the attack subsides. If your website offers products and services to particular countries, you can also try blocking all countries besides your target demographic. This would help to minimise the commercial impact of any attack.
Using affordable DDOS prevention services
As a last resort, you may need to route your DNS through a specialist DDOS prevention service that can provide layer 7 protection. The cost of this can vary from hundreds per month, to thousands. Some affordable DDOS prevention services are: