Denial of service (DoS) attacks are nothing new – according to Britannica the first documented case dates back to early 2000. Despite being the first one, it was a doozy: Amazon and eBay were brought to their knees, resulting in an estimated $1.7 billion in damages.
Today DoS attacks have become a lot more sophisticated, and their potential to do damage has multiplied many-fold, as multiple networks can be utilized to create distributed attacks called DDoS attacks. Thankfully, the protection we have against these attempts to bring our sites down has also become a lot more potent, but can hosts really cope? The answer is not that simple.
What Is A DDoS Attack
To make sure we’re on the same page, let’s go through what denial of service actually is. The basics are pretty simple – even though there are quite a few sub-types. The simple goal of these attacks is to overwhelm your server with traffic.
That’s really all there is to it. If you had 10,000 friends on Facebook and asked them all to visit a site as many times as they could at a specific time, you would be responsible for a rudimentary denial of service attack attempt. All that changes between different DoS types is the technology used and the parts of the network infrastructure targeted.
If a network router has a 10Gbps port (allowing 10Gb per second through) and an attack sends 11Gbps of traffic your way, your website will grind to a halt and give up.
There is a downside and an upside to this method. The upside is that there is no actual security threat present. No one is trying to steal your passwords or customer data, or hack your database. A DDoS usually lasts for a couple of days at the most, after which everything goes back to normal.
Regretfully, this is also the downside. Since nothing is actively being hacked and all server components are being used for their intended purpose (pushing data back and forth), it is excruciatingly difficult to get around the attacks.
Protecting Against DDoS Attacks
In fact, the only way to get around them is to engage in an arms race. If a network can throw more resources behind a website than the attacker, the website stays up – otherwise, it goes down.
There is no way you’re going to be successful if you have a little server box at home somewhere. Even with the fastest technology available, the amount of data attackers can throw at you using DNS amplification, IP spoofing and a distributed resource net will vastly exceed whatever you have.
The bigger issue is that even hosts have problems in the resource arena. The only way to protect a specific site (or IP rather) is to put an additional layer between the attacker and your site. The only way the layer will be effective is if it is itself distributed over a large network.
The idea is that the layer distributes the attack on your site over the whole network. This is kind of like how social security works in theory. Giving everyone healthcare is expensive. However, not everyone needs it all the time. As long as everyone pays a small sum, those that actually need treatment should be able to get it for free.
This is pretty accurate as analogies go. If a whole family is injured in a car crash they may require $300,000 of medical care. However, the social security base is so large (consisting of millions of people) that this can be spread out. If all payees had to actually pay for this cost, it would be something like $0.006 per person, which I would gladly pay to save a whole family.
On the other hand, if the payees would only consist of 100 people, each person would need to pay $3,000 which is a massive amount, especially considering you are not the one getting treatment. This is why small companies cannot handle DDoS attacks on their own.
Are Hosts Lying?
Yes and no. They are bending the truth, or at least not explaining the whole picture and how these mechanisms work. For example, there is a DoS attack nicknamed SMURF. Smurf attacks can be potent, but one component is spoofing the IP address of the attack to match the victim’s.
This is pretty easy to protect against, since you can disable the relaying of requests sent to a network’s broadcast address. Since this counts as a DDoS protection measure, a host can claim to offer DDoS protection and simply state that protection is not guaranteed in cases of large attacks.
As I’ve said before, the only way you stand any chance is to use a huge network, which can incur additional costs. Cloudflare is one example of a company that has a mega-network and offers advanced DDoS protection on their $200/month plan. Another popular alternative among WordPress users would be Sucuri, who offers DDoS protection starting at $20/month.
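The broadcast-relay filter mentioned above for Smurf attacks, as an added example (not code from the original article or from any router vendor). The attached networks, packet format and function names are assumptions made for illustration; note that whether an address is a broadcast address depends on the prefix length, not on ending in `.255`.

```python
import ipaddress

# Constructed example: networks attached to a hypothetical router.
ATTACHED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.64/26"),
]

def is_directed_broadcast(dst, networks=ATTACHED_NETWORKS):
    """True if dst is the broadcast address of one of the attached networks."""
    addr = ipaddress.ip_address(dst)
    # /31 and /32 networks have no broadcast address, so they are skipped.
    return any(net.prefixlen < 31 and addr == net.broadcast_address
               for net in networks)

def filter_packets(packets, networks=ATTACHED_NETWORKS):
    """Split packets arriving from outside into (forwarded, dropped).

    A packet addressed to an attached network's broadcast address is dropped
    whatever its protocol, so one spoofed request is never relayed to every
    host on the segment and answered towards the victim.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        target = dropped if is_directed_broadcast(pkt["dst"], networks) else forwarded
        target.append(pkt)
    return forwarded, dropped

# Constructed sample traffic (documentation-range addresses).
SAMPLE_PACKETS = [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp"},      # ordinary host
    {"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp"},     # /24 broadcast
    {"src": "203.0.113.9", "dst": "198.51.100.127", "proto": "icmp"},  # /26 broadcast
    {"src": "203.0.113.9", "dst": "198.51.100.255", "proto": "icmp"},  # not attached here
]

if __name__ == "__main__":
    forwarded, dropped = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", [p["dst"] for p in forwarded])
    print("dropped:  ", [p["dst"] for p in dropped])
```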
In light of this, it is extremely improbable that your $5/month shared service or even your $99/month VPS would offer any extensive DDoS protection that would thwart layer 7 or DNS amplification attacks which are among the most effective.
The reason you can be pretty confident that good protection will cost you is that at the moment you cannot fend off many DDoS attack types with software. It’s not a matter of being more clever than attackers and writing some genius firewall code that can stop DDoS traffic in its tracks. It’s more about letting the proper traffic in.
That being said, hosts can do a lot to protect against those DDoS types that can be halted with software. They can work together with security companies, help distributed networks with data and more.
Just like you don’t walk around with a credit card that has a pin code of 1234 even though it is rare for your card to be stolen, hosting companies can be (and usually are) vigilant about basic security. The fact is that protecting against large and coordinated attacks is simply out of the scope of their network.
What Should You Do?
What you should do depends on how much you rely on your website to make actual money. DDoS attacks are not dangerous from a security point of view; the worst-case scenario is that your website will be offline for a couple of days.
If this is a headache and an inconvenience but not the end of the world I think it’s OK to turn a blind eye. In case you don’t already, I do recommend managed hosting. There is no way you’ll be protected with a shared hosting account and many high-quality companies offer cheap VPS solutions.
A host like Kinsta will not be able to protect you directly from all DDoS attacks but will fend off more than a low-quality host. Their secure hosting platform also features the following:
- Monitors sites every minute for uptime.
- Has tight software-based restrictions in place and proactively stops malicious code from entering the network.
- Can detect DDoS attacks as they happen.
- Automatically bans IPs that have more than 6 failed login attempts in a minute.
- Only supports encrypted SFTP and SSH connections (no FTP).
- Supports GeoIP blocking for restricting access from different geographical locations.
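To show what a rule like "more than 6 failed login attempts in a minute" involves, here is an added example (not Kinsta's code and not part of the original article) that applies a sliding 60-second window to login events. The log format, function names and sample data are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60
MAX_FAILURES = 6  # ban on MORE than 6 failures inside the window

def parse_line(line):
    """Constructed log format: '<ISO timestamp> <client IP> <LOGIN_FAIL|LOGIN_OK>'."""
    ts, ip, event = line.split()
    return datetime.fromisoformat(ts), ip, event

def find_banned_ips(lines, window=WINDOW_SECONDS, limit=MAX_FAILURES):
    """Return {ip: timestamp of the failure that triggered the ban}.

    Lines must be in chronological order, as they are in a log file.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        ts, ip, event = parse_line(line)
        if event != "LOGIN_FAIL" or ip in banned:
            continue
        failures = recent[ip]
        failures.append(ts)
        # Forget failures that have slid out of the window.
        while (ts - failures[0]).total_seconds() >= window:
            failures.popleft()
        if len(failures) > limit:
            banned[ip] = ts
    return banned

def build_sample_log():
    """Constructed sample data (documentation-range IPs, made-up times)."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    events = []
    events += [(s, "203.0.113.5", "LOGIN_FAIL") for s in range(0, 35, 5)]     # 7 in 30 s
    events += [(s, "198.51.100.7", "LOGIN_FAIL") for s in range(0, 105, 15)]  # 7 in 90 s
    events += [(s, "192.0.2.44", "LOGIN_FAIL") for s in range(6)]             # exactly 6
    events.append((6, "192.0.2.44", "LOGIN_OK"))
    events.sort(key=lambda e: e[0])
    return [f"{(start + timedelta(seconds=s)).isoformat()} {ip} {ev}"
            for s, ip, ev in events]

if __name__ == "__main__":
    for ip, when in find_banned_ips(build_sample_log()).items():
        print(f"ban {ip} (triggering failure at {when.isoformat()})")
```

Only the first address is banned: the second never has more than four failures inside any 60-second window, and the third stops at exactly six.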
In addition, all high-quality hosts are actively researching this topic – being at the forefront of DDoS protection will make sure you get the best possible protection for your money.
A low-quality host will most likely “protect” you by shutting down your servers or banning you from the service completely. They don’t have the resources to do anything else and since they may have thousands of sites on the same server, your site may be shut down, even if it wasn’t the intended target.
Hosts like Kinsta do everything in their power to put a specialized service like Cloudflare or Sucuri in front of your site, put you on a different IP, and use other methods which help ease the attack.
If your website is your primary money-maker, or you have a seasonal side-business which you rely on, it may be worth investing in decent DDoS protection year round or just for the seasonal month(s). Right now it seems that the best protection against DDoS is Cloudflare and Sucuri.
With Cloudflare’s Pro plan at $20/month you only get Advanced DDoS Protection at Layers 3 and 4 (read more about layer 3 and 4 DDoS attacks). This will help to automatically stop TCP SYN, UDP and ICMP attacks on their edge servers, so they never reach your origin server. To get layer 7 protection you have to upgrade to the $200/month plan. If you think you have a good chance of being targeted and/or you have a money-making site it’s probably worth the investment.
With Sucuri’s $20/month plan, you get Advanced DDoS Protection at layers 3 and 4, along with layer 7. This helps to automatically detect sudden changes in traffic and protects against POST floods and DNS-based attacks, so they never reach your origin server.
An HTTP flood attack is a type of Layer 7 application attack that utilizes the standard valid GET/POST requests used to fetch information, as in typical URL data retrievals (images, information, etc.) during SSL sessions. An HTTP GET/POST flood is a volumetric attack that does not use malformed packets, spoofing or reflection techniques. – Sucuri
DDoS is annoying because it’s simply pointless. No data is stolen, nothing is gained from the attacker’s point of view. The only reason someone would perform a DDoS attack is that someone is paying them to do so, for example to hinder a competitor. An effective DDoS attack requires investment in resources; otherwise, it would bounce off simple protective measures.
DDoS protection is still in its infancy. As time goes by it will get better and better, but attackers will become more efficient as well. Researching this area of the internet is expensive, as is the protection that can be offered.
As a result, hosts may not be outright lying when promising DDoS protection but they are bending the truth hard. Sentences like “this does not guarantee that we can prevent all DDoS attacks” don’t even begin to describe how easily a network can crash in case of an attack.
At the very least, be skeptical and ask your host exactly what it is they offer and how it will protect you against large-scale attacks, should they happen.