How to protect against DDoS attacks

What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack makes a network resource fail by flooding it with more requests than it can handle, sent from a large number of compromised computers. The attack is usually organized through a botnet: the attacker infects the computers of careless Internet users, and the infected computers act as "zombies" that send meaningless requests to the victim's server.

A well-planned attack can disable almost any unprotected resource, from a business card site to a large corporate portal. While processing millions of requests, the server first “slows down” and then stops working altogether. When a VDS is attacked, all users of the physical server are affected, since all VDS on it share a common communication channel. The data center also experiences a huge load on its network connections, because all the “zombified” traffic passes through it.

Why is my site being DDoSed?

A DDoS attack can be bought relatively easily on the black market and used against any network resource that displeases somebody.

It is no secret that sites created to do business are attacked most often. A few hours of service interruption for an online business translates into severe losses, because orders stop completely.

A DDoS attack may strike your website when you launch a promotion or announce a new product. Most often such attacks are the machinations of your competitors. You can also encounter “revenge attacks” or attacks for ideological reasons. Blackmail for cash can be another reason.

Who is responsible?

When the server is “down”, the victim bears the losses. Unfortunately, the hosting provider will not be able to detect and report the names of those responsible for the DDoS attack: it is almost impossible to find them.

What should I do if my site has suffered from a DDoS attack?

Attacks differ fundamentally in the level they target and in the method of dealing with them:

  • Low-level - at the network and transport layers (layers 3-4 of the OSI model). These attacks exploit imperfections in the network architecture in use. The most reliable way to protect against them is to connect a DDoS protection service. The server will be back in service in an hour or two.
  • High-level - at layers 5-7 of the OSI model. These attacks emulate the actions of ordinary users of the site (for example, multiple requests for pages of the site). Tracking and guarding against such attacks is more difficult and usually requires analyzing the server logs and applying a corresponding special server configuration.

If nothing is done, the attack normally stops on its own in a day or two.
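
The server log analysis mentioned for high-level attacks can start with a per-client request count over a sliding time window. The sketch below is an added example, not the hosting provider's own tooling; it assumes an access log in the common/combined format written in chronological order, and the window length, threshold, function names and sample lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access log format: client IP, timestamp, request line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*"')

def parse(line):
    """Return (ip, timestamp, path), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]

def find_flooders(lines, window_s=10, max_requests=20):
    """Return {ip: (peak, top_path)} for every IP that sent more than
    max_requests requests inside any sliding window of window_s seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    peak = defaultdict(int)        # ip -> largest window count seen
    paths = defaultdict(Counter)   # ip -> how often each path was requested
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue               # malformed line: ignore, do not crash
        ip, ts, path = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        paths[ip][path] += 1
    return {ip: (n, paths[ip].most_common(1)[0][0])
            for ip, n in peak.items() if n > max_requests}

def _line(ip, second, path):
    # Constructed sample line (documentation-range IPs, made-up timestamps).
    return (f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "-"')

SAMPLE = ["not an access log line"]
for s in range(60):
    if s < 10:                     # 5 requests per second for 10 seconds
        SAMPLE += [_line("203.0.113.7", s, "/index.php")] * 5
    if s % 20 == 0:                # an ordinary visitor: one page every 20 s
        SAMPLE.append(_line("198.51.100.23", s, "/about.html"))

if __name__ == "__main__":
    for ip, (n, path) in find_flooders(SAMPLE).items():
        print(f"{ip}: {n} requests within 10 s, mostly {path}")
```

The flagged addresses and the path they hit most are the inputs for the server configuration step, for example a rate limit or a deny rule on that path.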

More on types of attacks.

Hosting provider actions during a DDoS attack on a client

Our monitoring system quickly detects an attack, automatically blackholes the IP address of the server that is being attacked, and propagates the blackholed IP address to the connected Internet service providers. Blackholing lasts while the attack is active, to prevent a negative impact on other clients. The attack detection algorithm analyzes the packet rate and the size of packets destined for the attacked address, as well as the amount of incoming traffic.

You can access the server by activating an additional IP address on it through your personal account (in the BILLmanager interface). For a server with OpenVZ virtualization, this will be enough to connect to the server via FTP or SSH. For a KVM server, you need to contact support with a request to assign an additional IP address.

If you need access via the ISPmanager control panel, you should contact support after the new IP address is assigned: the staff will reconfigure the panel to operate on the new IP address.