If you’re running a business website, then you need to give it the best DDoS protection you can manage. The good news is that this can be done on the sort of budget even the average SMB can afford. Here’s what you need to know.
A quick review of DDoS
Before looking at the specifics of how to give your website the best DDoS protection, let’s recap DDoS itself. Understanding what it is and how it works will help you to make informed decisions about what measures to take on your specific website.
DDoS stands for Distributed Denial of Service. The basic idea behind any DDoS attack is to overburden a website with traffic. Infrastructure-level DDoS attacks take place at layers three and four of the OSI seven-layer model. They simply send a flood of traffic to a website in the hope that it causes a crash.
These attacks can be brutal but they are also difficult to sustain. Even though attackers will generally spoof their IP addresses, it’s usually fairly easy for an IT team to figure out the common factor in the attacking traffic and take measures to block it.
In the context of DDoS, application-level attacks are considered to be those at layers six and seven of the OSI seven-layer model. These attacks are much more sophisticated and hence take more skill to perform. Application-level DDoS attacks target a high-value service (like a login page or a payment page) and aim to slow it down as much as possible while remaining undetected for as long as possible.
How to give your website the best DDoS protection
If you want to give your website the best DDoS protection, then you need to address both kinds of DDoS attacks. In other words, you need to build resilience into both your infrastructure and your applications. Here are the key areas you need to address.
Buying plenty of bandwidth is generally one of the simplest and most affordable ways you can protect your website against DDoS attacks. The more bandwidth you have, the harder cyberattackers have to work to bring down your website, or even just a part of it. This buys you time to identify the attack and work out how to deal with it.
Robust scanning (and routing)
Hopefully, you were already planning to invest in a website vulnerability scanner. Whatever product you choose, it should have an anti-malware scanner and a web application firewall (WAF). In the context of DDoS, it’s the firewall that will deliver the protection. It monitors your incoming and outgoing traffic and gives you the information you need to recognize that you are under DDoS attack and to develop a plan of action to deal with it.
You might want to supplement this with a DDoS mitigation service. These work along similar lines to firewalls but they are optimized for DDoS, whereas standard WAFs are intended for all-round protection, including DDoS.
A DDoS mitigation service only activates when a DDoS attack is detected. It basically scoops up all internet traffic, filters it according to your designated criteria, returns legitimate traffic to your server and ejects attacking traffic into the digital void. It can do all this so quickly that your website visitors may barely register the slow-down.
DDoS mitigation services tend to be most valuable for infrastructure-level DDoS attacks. These can overwhelm regular firewalls. Without a DDoS mitigation service, you may find yourself either having to put up with the (hopefully short-term) shut-down of your website or jettisoning a lot of legitimate traffic in your attempt to clean up the attacking traffic.
Resilient infrastructure and applications
Building resilient infrastructure means putting effective traffic management second on your list of priorities (right behind security). The more efficiently your traffic flows, the harder it will be for it to be compromised by DDoS attacks (and the better the experience your legitimate site visitors will have).
In addition to looking at your overall architecture, you can look at measures such as load balancers, smart DNS lookup, and content distribution networks to try to keep your website’s traffic flowing as quickly as possible.
Building resilient applications
Similar comments apply to building resilient applications. The more efficiently your applications run, the better they will be able to resist DDoS attacks. File uploads are a particular vulnerability. It is strongly recommended to limit the size of the files you allow to be uploaded to prevent file upload systems from being used as an easy attack vector for DDoS attacks.
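One way to enforce the upload size limit recommended above, shown as an added example that is not from the original article; the names `read_capped` and `UploadRejected` and the 5 MiB limit are assumptions. It rejects on the declared Content-Length before reading anything, then counts the bytes actually received, because that header can be absent or false.

```python
import io

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed cap; tune per application
CHUNK = 64 * 1024                   # read size per iteration


class UploadRejected(Exception):
    """Raised when an upload is refused before or during reading."""


def read_capped(stream, declared_length=None, limit=MAX_UPLOAD_BYTES):
    """Return the upload body from `stream`, reading at most limit + 1 bytes.

    `declared_length` is the raw Content-Length header value, which may be
    missing (chunked transfer) or simply untrue, so it is only a first filter.
    """
    # Step 1: cheap early rejection on what the client itself declares.
    if declared_length is not None:
        try:
            declared = int(declared_length)
        except ValueError:
            raise UploadRejected("malformed Content-Length")
        if declared < 0 or declared > limit:
            raise UploadRejected("declared size exceeds limit")

    # Step 2: enforce the cap on bytes actually received.
    buf = io.BytesIO()
    received = 0
    while True:
        # Ask for one byte past the cap at most, so an oversized body is
        # detected without buffering the rest of it.
        chunk = stream.read(min(CHUNK, limit - received + 1))
        if not chunk:
            break
        received += len(chunk)
        if received > limit:
            raise UploadRejected("body exceeds limit")
        buf.write(chunk)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a 10-byte body against a 16-byte cap.
    print(read_capped(io.BytesIO(b"0123456789"), "10", limit=16))
```

In a real deployment the same cap should also be set at the reverse proxy or web server, so oversized bodies are dropped before they reach application code.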