DDoS attacks have been in the news quite a bit recently, with the Christmas-day denial of service attacks leveled against both Sony and Microsoft, no doubt making millions of children unhappy with the quality of their services.
Microsoft and Sony aren’t the only targets of a DDoS attack. In fact, anyone can be the target, up to and including your business website. For that matter, smaller websites with weaker infrastructures are more vulnerable to attack than their larger counterparts. Where PlayStation Network is taken down and Steam is slightly inconvenienced, a small business site may be rendered completely inoperable for days.
How a DDoS Works
There are actually several different kinds of DDoS attack. They each work in different ways, and require different solutions to mitigate. Before we continue, though, let’s make one thing clear: it’s impossible to be completely protected against every possible DDoS attack. The best you can do is make it more trouble than it’s worth to take down your site.
- The so-called Layer 3/4 attack is the most common type of attack. When a user sends a query to your server, such as “load the homepage for me,” that query is sent over the TCP or UDP protocol and is processed by your server. Under normal circumstances, your server’s hardware can handle hundreds of these requests at a time, acknowledging them and sending the right data to the right client. A DDoS using this method simply sends thousands or hundreds of thousands of these requests at a time. This overwhelms the server and keeps legitimate queries from being processed properly.
- DNS Amplification Attacks are a type of Layer 3/4 attack. They work the same way, but they use unsecured DNS servers to reroute the traffic to come from more diverse sources, and in much greater density. Essentially, they’re TCP/UDP attacks amped up to 11. While high-quality server infrastructure can withstand basic TCP/UDP attacks, a DNS-amplified attack will easily overwhelm all but the most redundant, highly capable architectures. It does this in particular by using specialized queries that require large, complex responses, using up significant resources in sending a response.
- ACK attacks take advantage of the initial connection handshake made between a server and a visitor. Every time you visit a site, your computer sends a SYN request to the server, which replies with an ACK to acknowledge it. ACK attacks operate like DNS amplification attacks by using controlled botnet computers and rerouted, spoofed clients to send an overwhelming number of SYN requests, overloading the server’s ability to ACK.
- Layer 7 Attacks are the newest type of attack and take advantage of certain applications commonly installed on web servers. For example, if your server runs on Apache, the way Apache handles opening threads for connections can be exploited by sending partial queries across multiple connections. Essentially, it exploits a loophole in the code of the server to make it do more work than it has to, using up resources and overwhelming its ability to process information.
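To show how the partial-query pattern described in the Layer 7 item can be spotted from the server side, here is an added example (not code from the original post). It scans a connection table for clients that hold many requests open without ever finishing their headers; the `Conn` record, the thresholds and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for this example; tune them to your own traffic.
HEADER_DEADLINE = 20.0    # seconds a client gets to finish sending request headers
MAX_STALLED_PER_IP = 10   # stalled connections from one address before flagging it


@dataclass
class Conn:
    ip: str
    opened_at: float      # seconds since an arbitrary start
    headers_done: bool    # True once the blank line ending the headers arrived


def stalled_connections(conns, now):
    """Return connections still waiting on headers past the deadline."""
    return [c for c in conns
            if not c.headers_done and now - c.opened_at > HEADER_DEADLINE]


def flag_slow_clients(conns, now):
    """Map each address over the threshold to its count of stalled connections."""
    counts = defaultdict(int)
    for c in stalled_connections(conns, now):
        counts[c.ip] += 1
    return {ip: n for ip, n in counts.items() if n > MAX_STALLED_PER_IP}


def sample_table():
    """Constructed sample: one address holding 50 unfinished requests, plus normal users."""
    conns = [Conn("203.0.113.7", float(i), False) for i in range(50)]
    conns += [Conn("198.51.100.%d" % i, 55.0, True) for i in range(1, 6)]
    conns.append(Conn("198.51.100.9", 58.0, False))  # slow, but still inside the deadline
    return conns


if __name__ == "__main__":
    for ip, n in flag_slow_clients(sample_table(), now=60.0).items():
        print(f"{ip}: {n} connections stalled in headers")
```

A single slow visitor on a poor connection stays below the per-address threshold, which is why the check counts stalled connections per client instead of reacting to any one of them.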
Protecting a Site
So, one thing is certain: no single server architecture can withstand a dedicated denial of service attack. There are a few things you can do to make your site more resistant to DDoS attacks, but nothing can make you completely impervious short of running on a supercomputer with one of the Internet backbones as your connection.
- Streamline Your Site
The first option is to streamline your site and its code. Most types of DDoS attack don’t actually load much if anything on your site, so this will only help legitimate users load under times of high stress. However, it can still be effective at lessening the impact a minor DDoS has on your server.
The idea is to streamline the code on your site. Remove unwanted plugins, remove old plugins, make sure any dynamic code or JavaScript is properly formed and loads correctly, and other such improvements.
At this time, you can also implement some basic anti-DDoS scripting. These scripts filter out the most common types of bad traffic to prevent them from using up your server resources. It won’t get everything, but if you can block 90% of what the DDoS hacker is sending your way, you can be much more resilient against attacks.
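One common form such a filtering script takes is a per-address rate limit. The following is an added example, not code from the original post: a token-bucket limiter replayed over constructed traffic, where the rate, burst size and sample addresses are assumptions.

```python
class TokenBucketLimiter:
    """Per-address token bucket: `rate` requests/second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.buckets = {}  # ip -> (tokens_left, time_of_last_request)

    def allow(self, ip, now):
        tokens, last = self.buckets.get(ip, (self.burst, now))
        # Refill for the time elapsed, never above the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[ip] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def prune(self, now, idle_seconds):
        """Forget idle addresses so the table cannot grow without bound."""
        stale = [ip for ip, (_, last) in self.buckets.items()
                 if now - last > idle_seconds]
        for ip in stale:
            del self.buckets[ip]
        return len(stale)


def replay(events, rate=5, burst=10):
    """Run (timestamp, ip) events through a limiter; return ip -> [allowed, blocked]."""
    limiter = TokenBucketLimiter(rate, burst)
    totals = {}
    for now, ip in sorted(events):
        counts = totals.setdefault(ip, [0, 0])
        counts[0 if limiter.allow(ip, now) else 1] += 1
    return totals


def sample_events():
    """Constructed traffic: one address sending two bursts of 100, one normal visitor."""
    flood = [(0.0, "203.0.113.7")] * 100 + [(1.0, "203.0.113.7")] * 100
    visitor = [(0.0, "198.51.100.20"), (1.0, "198.51.100.20"), (2.0, "198.51.100.20")]
    return flood + visitor


if __name__ == "__main__":
    for ip, (ok, blocked) in replay(sample_events()).items():
        print(f"{ip}: {ok} allowed, {blocked} blocked")
```

The limiter only saves the work of building a response; every request still has to reach the server to be counted, so it does nothing for a flood that fills the network link first.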
- Invest in Better Hosting
The second option is to boost the hosting you use. Stronger servers running on better architecture with stronger connections can give you more resilience to DDoS attacks as well. Essentially, if you think of traffic like water in a river, and a DDoS like a flood, this option is digging a bigger trench for the water.
Another option in this category is to invest in specialized equipment to protect your site. This equipment can be expensive, but is designed specifically to filter incoming traffic before it reaches your servers. This is only really effective if you’re the only one on the server and you’re hosting everything in your own data centers. It’s typically not a valid option for small businesses.
- Use a Content Distribution Network
The third option is to use a third party service to serve the most taxing content on your site. Services such as Akamai will host your scripts, images, videos and other content, leaving your servers to serve just the barebones code to users.
Again, this comes down to distributing the load on your content. If a user is trying to DDoS you by loading one particular script or application, and that script is hosted on a third party CDN dedicated to hosting that kind of content, it will be incredibly hard to take down.
- Use Third Party DDoS Protection
The fourth and most effective option is to use a third party service to block unwanted traffic. Services like CloudFlare or Google Shield act as bouncers or gatekeepers for your traffic. All traffic coming to your site routes through them, and they determine if the traffic is legitimate. If it bears the characteristics of a DDoS attack, it is filtered, and your site never knows.