How to Protect Your Website from DDoS Attacks

DDoS attacks have become more ferocious than ever the past few years. This article (original is here, shivarweb.com) describes how you can protect your website against this threat. Posted by 


The following is a contribution from Caroline Black, a writer specializing in Internet Security and technology. A website hack or DDoS attack is one of those things that seems like it could never happen to you…until it does. It’s easier than ever to execute an attack. And targets aren’t just large or controversial organizations – they can even be everyday beauty bloggers. Either way, it pays to be aware of the issue before it happens. Read on!

A distributed denial of service (DDoS) attack is one of the most popular and frightening attacks cybercriminals like to use to attack websites. There are variations of the attack, but the basic premise is accomplished by flooding the website servers with traffic that exceeds what the servers or bandwidth is capable of. Have you ever seen a website go viral so quickly the site crashes from the traffic?

The effects of a DDoS attack are the same, but the case is intentional.

If you are looking for examples of some major DDoS attacks in recent memory, you only need to look at the history of some government websites, the Spamhaus situation and the attack on the Church of Scientology’s website. There are plenty more, and a quick search will yield you many other examples. Botnets that provide the brute force necessary to perform an attack can cost only $50 an hour and are easy to find.

Here is what you need to know in terms of protecting yourself from these vicious attacks:

Tools to Help You

Virtual Private Networks

A Virtual Private Network is a service that will connect your website to an offsite secure server. The connection is encrypted and will reroute your traffic through the offsite server, masking your online activity. Originally a business security and access tool, it now is commonly used by ordinary consumers looking to keep safe online from a variety of attacks.

One of the main threats it protects you against is hackers on public networks, who will often use “sniffer” programs to keep watch over your online activities on the network and intercept any data they wish, such as your financial information or website login credentials. This can easily lead to a hijacked website, and the encryption a VPN offers is one of the few ways to protect yourself.

Anonymity is also a key feature of a VPN. This lets you keep your online activities to yourself with little fear of organizational tracking (or hacker tracking). It will let you access blocked websites otherwise cut off by regional restrictions due to the fact that your IP address is hidden.

This is important, as the IP address of a website or its owner are prime targets for a DDoS attack, whether as an attack in itself or part of a larger scheme. Hackers require an address to make an attack, meaning as long as you are hidden online you are safe.

Plugins

If you use WordPress to host your website, when you might find refuge in beneficial security plugins. They often have built in defenses against DDoS attacks that will react to defend you. They might also optimize your website to minimize DDoS risk. WordFence is a great choice, as is Bulletproof Security. Other tools will arise as time passes, so always try to keep up to date.

Editor’s Note – I’m a fan of iThemes Security. Whatever you use, be sure to keep it and your site up to date. Carefully walk through the configuration. Just installing it doesn’t mean it’s active.

As great as plugins can be, you still need to be cautious when using them. They are often not optimized for security and remain neglected by their creators. Only use trusted applications that are commonly used and well-reviewed. Let someone else test out the new products first.

If you aren’t using WordPress for your website, take note of the strategies and tools used or implemented in the best tools and try to find scripts or applications that will give the same desired effect.

It may require some specialized searching, but the protection will absolutely be worth the cost.

Strategies to Use

Surveillance

Plugins and other tools are nice, but when protecting yourself against a DDoS attack, there is no substitute for your own experience and eyes. They know your website best and know what kind of loading times to expect on your website. You might notice a two-second delay on some pages and figure out that you are the target of a (mostly unsuccessful) DDoS attack, allowing you to respond.

You need to perform regular overviews of everything on your website. It is unlikely, but try to make a full sweep every couple of months and obviously check the main pages every day. If you notice anything out of place, err on the side of caution. The same goes for your website’s performance stats. Do not chalk poor performance up to a bad day. Investigate to see if there are any technical difficulties.

Editor’s Note – I’m a fan of setting up Google Analytics intelligence reports and server alerts. It’s important – and that means you should automate it.

Along with knowing your website, you also need to know about your host or service provider. Know in advance what kinds of protection you have from the start. Ideally you should not have to worry about it if you are paying for their services, but taking things into your own hands is often required to have full protection.

Don’t Look for Trouble

You have absolutely every right to defend the credibility of your website and your own reputation online, but that doesn’t mean you should be going out looking for trouble. Hackers love a good challenge and will attack you if tested. The unskilled ones will try a DDoS attack on you and spend money hiring a botnet to torment you.

Don’t fall for their bait. If you see some threatening comment, just delete or ignore it. A blogger can kick a bee’s nest by calling “hacktivists” common criminals, but it will change little regardless of the truth of the statement. The more hotheaded individuals will try to make an example of you, and even if you’re secure, you have better things to do. Try not to lurk where they lurk, and don’t advertise your blog where it isn’t appropriate.

Have a Buffer

Protection from DDoS attacks and increased traffic in general means you need to have a buffer that can absorb some of the stress that an attack will bring. Don’t assume a bit above your current traffic load is all you need. Be ready for rapid growth, whatever the reason. Check to see what your host or server provider can handle, and don’t be afraid to upgrade if you think it is necessary. It won’t completely protect you, but it will make things a little more difficult for cybercriminals.

You might also want to look into tools that will help act as a buffer or guard for your website. Cloudflare will help protect your website by reacting to traffic patterns. DefensePro is an option if you are running your own servers and want to add some protection. Savvius is an extremely expensive option but will get the job done if you’re working on behalf of a larger corporation.

Having a buffer also means having a response plan. This will vary quite a bit based on what you have to use to defend yourself, but here is a sample plan:

  1. Double check the traffic flow to see exactly what you are up against.
  2. Activate any tools or technologies you have available to you that are able to help bear the load of traffic.
  3. See if you can identify and block the source(s) of the attack.
  4. Temporarily change your IP address if possible to throw the attack off of your trail.
  5. Contact your ISP or administrators to see if there is anything they can do or offer you.
  6. If all else fails, temporarily shut off the servers. You will find yourself with no website, but the cybercriminals find their efforts worthless and move on faster.
  7. Analyze the situation afterword to see if you can make any adjustments in your defense.

Conclusion

DDoS attacks can set your website back months due to the lost readership and confidence you suffer from having a broken website for a time. You do not want dead air, so you need to make every preparation to make sure that you are not attacked by criminals online. It takes time, but once you set up a routine, you will find yourself not even thinking about the investment.

Just make sure that you take action now. Take a look at your website and see what tools you can install. Do a full sweep of your site today to get more accustomed to it. Educate yourself further on how DDoS attacks work. Prepare a backup plan today so you don’t have to worry about tomorrow.