Pre-emptive DDoS protection is an important step in ensuring that a DDoS attack doesn’t take your website down when it occurs. DDoS mitigation is about the steps you can take in the event of an attack…
How to protect your website against DDoS Attacks
DDoS attacks on your website are invariably crafted to damage your online business. This is done by overloading your website so it becomes painfully slow to load, unreliable in operation, or offline for lengthy periods during peak visitor times. This can be done via DoS (denial of service) or DDoS (distributed denial of service) attacks and/or prolonged BFL (Brute Force Login) attacks. These attacks are costly if outsourced on the Dark Web, so it’s usually a premeditated campaign by a business competitor, an ex-member of your staff or a disgruntled customer; rarely is it a random attack.
Let me preface this article on DDoS mitigation with the disclaimer that I am not a Linux / Apache security guru. I’m an SEO specialist/consultant and freelance web designer who provides hosting services and website maintenance services for some clients… What knowledge I have has been earned the hard way – at the bleeding edge of customer support, trying to protect my own VPS and the client sites it contains, plus client sites on other hosting providers’ servers…
Several years ago, my VPS came under a sustained and severe attack that rendered it unusable for hours on end. At the time, I was surprised by the lack of (non-technical) guidelines available online to help me find ways to reduce the impact of what was being done to my server. Since then, I’ve also assisted a number of clients to extricate their website from DDoS attacks by a combination of both network DDoS protection AND migration to hosting with both server-level DDoS protection and enhanced security.
2022 Sustained DDoS Attack & DDoS Mitigation Example:
I provide SEO consultancy to a Wellington retailer. Their e-commerce website was subjected to thousands of Brute Force Login attacks over many months throughout 2022. These were repelled via a web application firewall and tight brute-force login protection. We are convinced that this was a deliberate campaign by an aggressive wholesale business owner who was furious at having his product supply overtures declined. When the hacking attacks failed to crack the site’s security, the attack profile shifted to DDoS attacks at peak times.
A DDoS attack at peak times is very effective at stopping business transactions. Both the front end and back end of the website are unusable. These attacks were sustained for a few minutes and came at 10 to 15-minute intervals. Basically, the site is crippled for the duration of the attacks. When the attack eases off, you can log in and/or commence a purchase – but the attack resumes before you can complete your task. The site times out, or gives server errors etc.
The attack can target either the Domain Name or the IP Address…
What We Did to Mitigate Attacks
The first step in DDoS mitigation was to shift the site to Cloudflare – they provide free network-level DDoS protection along with other layers of security. There are two challenges to resolve:
- An e-commerce site needs a way to ensure the cart, account and similar pages are not cached by Cloudflare. The fastest and most cost-effective way to do this is to use Cloudflare’s WordPress APO service, which costs US$5 per month.
- At this point, the domain is shielded from DDoS attacks, but not the IP address. Cloudflare proxies the IP address, which makes it slightly more difficult for an attacker, but some online research on historical IP addresses for the domain will quickly reveal the last known IP the site used. So, with Cloudflare operational, we then changed the hosting plan so the site operated on a new IP address on a completely different server. The new IP address is never revealed, so Cloudflare now shields the site completely from DDoS attacks.
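A practical check on the claim that the new IP address is never revealed, as an added example that is not part of the article: this standard-library Python script takes the DNS answers for a domain and flags any address that is not inside Cloudflare’s published proxy ranges. Hostnames Cloudflare does not proxy (mail, FTP, control panel) and the SPF record are the usual places an origin address is still visible. The domain and addresses below are constructed; in practice, feed it your resolver’s answers.

```python
"""Audit DNS answers for a Cloudflare-proxied domain: any address outside
Cloudflare's published proxy ranges points straight at the origin server."""
import ipaddress

# Cloudflare's published IPv4 proxy ranges (https://www.cloudflare.com/ips-v4)
# as known at the time of writing; refresh from that URL before relying on them.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample of what a resolver might return for a site like the one in
# the article: the web hostnames are proxied, but mail and FTP are DNS-only and
# the SPF record names the same server (203.0.113.0/24 is a documentation range).
SAMPLE_RECORDS = [
    ("example.co.nz", "A", "104.16.132.229"),
    ("www.example.co.nz", "A", "172.67.1.2"),
    ("mail.example.co.nz", "A", "203.0.113.10"),
    ("ftp.example.co.nz", "A", "203.0.113.10"),
    ("example.co.nz", "TXT", "v=spf1 ip4:203.0.113.10 include:_spf.example.net ~all"),
]


def is_cloudflare(address):
    """True when the IPv4 address lies inside one of Cloudflare's proxy ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in CLOUDFLARE_IPV4)


def exposed_records(records):
    """Return (name, type, ip) for every A record, and every ip4: token in an
    SPF TXT record, whose address is not Cloudflare's, i.e. reveals the origin."""
    leaks = []
    for name, rtype, value in records:
        if rtype == "A" and not is_cloudflare(value):
            leaks.append((name, rtype, value))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            for token in value.split():
                if token.startswith("ip4:"):
                    addr = token[4:].split("/")[0]  # ip4: may carry a /prefix
                    if not is_cloudflare(addr):
                        leaks.append((name, rtype, addr))
    return leaks


if __name__ == "__main__":
    for name, rtype, ip in exposed_records(SAMPLE_RECORDS):
        print(f"{name} {rtype} -> {ip} is not a Cloudflare address; origin exposed")
```

Anything the script reports should be moved off the origin server, pointed at a proxied hostname, or accepted as a known exposure that the server’s own firewall must handle by allowing web traffic only from Cloudflare’s ranges.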
In mitigating this attack, we also made a second hosting switch to A2Hosting’s premium Turbo Hosting. This provided server-level DDoS protection and enhanced security tools, plus exceptional performance via the LiteSpeed server, NVMe drives, HTTP/3 etc. I use this myself and I am very happy to recommend A2Hosting!
We also implemented Cloudflare Firewall Rules to block all countries EXCEPT New Zealand and known good bots such as approved search engines etc.
DDoS attacks may come from genuine IP addresses or from spoofed ones. Regardless of that, it stands to reason that if you restrict the pool of IP addresses that can access the site to New Zealand addresses only, you minimise the resources that can be arrayed against the target.
How well did that DDoS mitigation succeed?
Basically, the problem ended abruptly. No further disruptions to the website have occurred since the above process was completed.
FAQ: How to reduce the Impact of a DDoS Attack
What are DDoS Attacks?
Here’s the definition, courtesy of Wikipedia: https://en.wikipedia.org/wiki/Denial-of-service_attack
“a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS) is where the attack source is more than one – and often thousands of unique IP addresses.
Criminal perpetrators of DDoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail or activism can be behind other attacks.”
What is the DoS Attack Methodology?
A denial-of-service assault is characterised by overt efforts by the attacker to prevent legitimate users of a website from using that website’s services. There are two common forms of DoS attack, those that:
- Crash the website services, resulting in the database being unavailable and server error messages
- Flood the services, resulting in extremely slow loading times as the server struggles to process requests
Most serious are the distributed attacks launched from a network of hundreds or thousands of compromised servers and PCs worldwide, referred to as DDoS. These very often involve forged IP sender addresses (IP address spoofing) to ensure that the true location of the attacking machines cannot readily be discerned, which also inhibits screening based on the source IP address.
What are Brute Force Login Attacks?
These take various forms depending on the attack software used by whoever is trying to hack your website and/or hosting account.
A serious Brute Force Login attack from many sources all targeting your website and/or server can manifest in symptoms like a DoS or DDoS attack:
- the load on your server spikes
- web sites become sluggish or non-responsive
- browsers time out on attempts to access WHM, cPanel or FTP
- “Error connecting to database” may occur
- Worst-case scenarios include database corruption.
What is the Impact of DDoS Attacks?
The Impact of DDoS Attacks is not limited to Your Site
Most websites are on low-cost “shared hosting”, and any excess resource consumption on YOUR website has a severe negative impact on all the other websites on that server.
Even if your website is on your own VPS, the impact can spread beyond your own site and affect other users on the same network at your hosting company. Where several sites on your VPS are under attack, all sites will be negatively impacted, and other VPSs on the same physical server/node may also be affected.
The Impact on You
Suddenly finding that you are the victim of a severe malicious cyber-attack is disconcerting at the very least. Panic is the first and least helpful reaction because most people won’t have a game plan. Figuring out what is going on will be the first problem, closely followed by searching online for “how to stop an attack on my VPS!”
Unfortunately, most material I found was either old, not 100% relevant to my situation, or too technical to be really helpful… Therefore, I had to create a DDoS mitigation plan from scratch…
Can I protect a VPS Server from DDoS & BFL Attacks?
There are not a lot of hosting companies that provide full DDoS protection as a feature of their VPS accounts. For that matter, there are some hosting companies who don’t even include the fundamental requirements such as ModSecurity, cpHulk etc… Full DDoS protection is costly, and requires very sophisticated tools that are expensive to purchase and deploy.
Balanced against that, DDoS attacks are also fairly rare because they are difficult to mount on a scale large enough to do prolonged harm to the recipient.
Often what is perceived to be a DDoS attack may well be a Brute Force Login attack across multiple sites on the VPS and segments of the server itself – cPanel, FTP and email accounts. The sheer weight of the login attacks may have the same effect as a DDoS attack, crashing the server or reducing all sites on it to a standstill.
What Can You Do to Mitigate BFL and DDoS?
At the very least, you should have your VPS on a server with a hosting company that provides up-to-date Linux, Apache and PHP software, and a suite of security tools that allow you to provide your websites with reasonable protection… With that, you can do a lot to protect your VPS from within WHM by blocking common loopholes…
Being a customer of a company that responds to support requests in a timely manner can also be a source of comfort when things start going wrong! All sites on my server are under annual website maintenance plans and are protected in this manner.
When your server is unable to cope with the DDoS or BFL load being placed on it, you have several quick DDoS mitigation options, which can be used in combination:
- Upgrade your VPS Hosting package so that your server has more resources (CPU & RAM)
- Reduce the load on your VPS by getting the busiest websites onto Cloudflare
- Ensure security applications are working to your advantage
- Reduce resource consumption by removing/replacing known problematic plugins: broken link checkers, related posts, caching etc.
What can I do on WHM to Mitigate Attacks?
cpHulk: set the brute-force protection period to 120 minutes after 2 or 3 failed attempts. Set the IP address brute-force login protection to 131487 minutes (90 days) after additional attempts, and set the maximum failures per IP address before the address is blocked for one day to 50. That should skip the 1-day blocks for now, and stop those IP addresses from being used again to attack your site for 3 months. That takes the sting out of the cPanel and FTP attacks for the moment… Sure, IP addresses can be spoofed – but why leave them open if they are being used with malicious intent right now?
Account Passwords: set all account passwords to the maximum 18-character length: randomly mixed alphanumeric, upper and lower case, plus a sprinkling of special characters (~!@#$%^&*). Not only cPanel / FTP – reset email account passwords too!
Shell Fork Protection: make sure it is enabled
Shell Access: all disabled
SYN Flood Protection: as per ND Chost – hardening TCP/IP against SYN floods
Backups: ensure all server accounts and settings are backed up daily, and schedule these to run at times of low traffic, usually 2am in the time zone most visitors come from.
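The SYN-flood hardening referred to above comes down, on a Linux server, to a handful of kernel parameters. This sysctl fragment is an added example, not from the article or its ND Chost source; the values are sensible starting points for a small VPS, not tuned figures, and the file path is a conventional choice.

```ini
# /etc/sysctl.d/99-synflood.conf  (added example; apply with: sysctl --system)

# SYN cookies: when the half-open (SYN_RECV) queue overflows, the kernel stops
# allocating state for each SYN and instead encodes it in the SYN-ACK sequence
# number, so only clients that complete the handshake (i.e. real, unspoofed
# sources) consume a connection slot. Spoofed SYN floods then cannot fill the queue.
net.ipv4.tcp_syncookies = 1

# Deeper half-open queue so short bursts of genuine traffic are absorbed
# before cookie mode is needed.
net.ipv4.tcp_max_syn_backlog = 4096

# Fewer SYN-ACK retransmissions, so half-open entries from spoofed sources
# time out sooner (default is 5; 2 keeps ~7 s of patience for slow links).
net.ipv4.tcp_synack_retries = 2

# Queue for handshake-complete connections the web server has not accept()ed
# yet; a flood that gets past the SYN stage still needs room here.
net.core.somaxconn = 4096
```

Confirm the live values afterwards with `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries net.core.somaxconn`.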
Does reducing Server Load help?
Anything you can do to reduce the load on your VPS from the sites that are loaded on it can significantly help your server cope with external loads generated by someone intent on harm.
Can I protect WordPress Sites on a VPS?
As a WordPress tech support services provider, my priority order is as follows:
1.) WAF: installation of a web application firewall. Either install a firewall on the individual sites on your VPS, or use an external service such as the Sucuri CloudProxy firewall. I use and recommend Block Bad Queries because it sits in front of WordPress and most of its preventive activities don’t generate many database requests. This makes it VERY fast, and it significantly reduces server load compared to Wordfence and other security plugins. Using it in conjunction with Block Hole Bad Bots makes sense, as some bots can also wreak havoc on a site.
I’d set the Login Protection to “Always On”… Because most WP business sites will only have 1 Admin and a couple of Editor / Contributor users, it is not going to be much of an inconvenience to legitimate users. That way, Brute Force login attacks across multiple individual websites have zero cumulative impact on server loads…
2.) CDN: use a content delivery network like Cloudflare because that can reduce server loads dramatically and that’s a good DDoS mitigation strategy!
3.) Caching*: on a WordPress site, a good caching plugin can dramatically reduce page load times. Cached pages sharply reduce the database requests usually involved in dynamically generating pages, dropping the load normally placed on your server.
4.) Eliminate Resource-intensive Plugins: such as Related Posts, Broken Link Checkers, SEO Rank Checking etc. If you use Wordfence, deactivate “Live Traffic” logging, scanning of images and areas outside of WordPress, and “high sensitivity” scanning, to reduce scan times and loads. Use the P3 Plugin Profiler to check for resource-hungry plugins.
5.) Heartbeat Control: installation of the Heartbeat Control plugin can have a beneficial impact on server performance as it helps prevent the heavy CPU use often reported by WordPress users. The /wp-admin/admin-ajax.php page can cause 100% CPU loading over extended periods.
6.) Administrator Passwords: these were already secure 24-character passwords, enforced via Wordfence. If yours are not, then it is a high priority!
7.) Backups: all WordPress sites already had scheduled database and full backups via BackupBuddy, stored off-site on a 1 TB Dropbox account secured with 2-factor authentication. If yours are not, it is a high priority.
8.) Two-Factor Authentication: wherever possible, implement two-factor authentication to take away the opportunity to guess user names and passwords!
*Caching: I use WP Rocket on every site on my server, because I provide full management services on all client sites and have full control over what software is loaded on them.
Can I protect HTML Sites on a VPS?
WAF: installation of a web application firewall, either installed on the individual HTML site(s) on your VPS or using an external service such as Sucuri CloudProxy. The rule set I use here is Perishable Press – 5G Blacklist.
CDN: Cloudflare works equally well on static HTML sites, screening out bad actors, turbo-charging page load speeds and reducing server loads.
How much does Cloudflare help?
CDN: using a content delivery network like Cloudflare reduces server loads dramatically! Cloudflare will serve cached pages to more than half your traffic, cutting bandwidth consumption and page load times. A “basic” account is free, so there is little excuse for not using this CDN. Cloudflare will also screen many perceived threats before they get to your website… The $5 per month APO (Automatic Platform Optimization) for WordPress is a very good thing too!
Other Security Topics
Does VPS Resilience mitigate DDoS Attacks?
When the DDoS attacks and BFL attacks on my own server first began (a Monday), the server load jumped from the usual 3 – 4 to a massive 239, and the disruption was sustained for almost an hour. All sites were inaccessible, as were WHM and cPanel. The exim stats database was corrupted and required repair.
Attacks continued daily throughout the week, with the impact declining with each step taken… On Tuesday the server load hit 170, but on Wednesday after adding in the Syn Flood protection and starting the installation of firewall software on sites that were being hit hardest, the load peaked at 49 but everything kept running.
By Friday, all sites had firewall software installed, and the peak server load during the daily attack reached 9 – things slowed down but nothing broke. It was also possible to monitor what was happening on WHM – to see which sites were being targeted, and what was consuming server resources.
At that point, I began a DDoS mitigation process by targeting resource-intensive plugins and their settings, completed the installation of a caching plugin on all sites, and added Heartbeat Control on all sites. Backups on all sites were set to off-peak hours. Cloudflare was added to the busiest sites…
Since all of that effort was completed, the server load has not exceeded 5, and for much of the time runs at 0.85 to 1.5 with occasional spikes to 4. Overall, things are in much better shape than before!
Because I had to make up the game plan day by day, it took longer than it needed to, due to the research required at each stage.
This article was produced in the hope that it might help someone else confronted by similar circumstances. If that’s your situation, I wish you good luck – and if you need help, feel free to ask.
- Cloudflare – What is a DDoS attack?
- Cloudflare – Understanding Cloudflare DDoS protection
- Amazon – DDoS attack protection
Page last updated on Wednesday, October 11, 2023 by the author Ben Kemp