In the last article, we talked about how to protect your website from malware, in which we discussed how the most common malwares are designed to get access to the target system. But in DoS or DDoS attacks, hackers don’t need to access the system to disturb it or target system operations.
They max out the website’s bandwidth or resources to make it unavailable for legitimate users. With the advancement in cyber tech, these types of attacks are cheaper to produce. DDoS attacks are used to hamper brand reputation, incur transactional losses, bring down the competition.
This article will discuss what DoS, DDoS attacks are and what can be done to protect your website from them.
What is a DDoS Attack?
DoS or a Denial of Service attack is a malicious attempt to prevent legitimate end-users from accessing a targeted system, e.g., a website or application. Generally, attackers send massive requests to the target system, which overwhelms the system resources. However, in the case of a DDoS or Distributed Denial of Service attack, the attacker generates the attack using numerous compromised sources.
DDoS attacks are categorized based on the layer of the Open Systems Interconnection (OSI) model they target. Here is the list of the most common layers hackers attack.
- The Network (Layer 3)
- Transport (Layer 4)
- Presentation (Layer 6)
- Application (Layer 7)
Layer 3 and 4 attacks are known as Infrastructure Layer attacks, and attacks targeted at Layer 6 and 7 are called Application Layer attacks.
Infrastructure Layer Attacks
These are the most common type of DoS attacks that are targeted at Layers 3 and 4. These include vectors such as synchronized (SYN) floods and reflection attacks like User Datagram Packet (UDP) floods. These attacks are typically high volume and aim to overburden the network or application servers.
Application Layer Attacks
Layers 6 and 7 attacks are classified as application-layer attacks. These attacks are less common, but they are also more complex. Application Layer Attacks are smaller in volume than Infrastructure layer attacks, but they tend to focus on specific expensive parts of the application, rendering it unavailable to real users (e.g., flooding HTTP requests to a login page, firing APIs, etc.).
How to Protect your website from DDoS?
Hackers are outdoing themselves year on year. To mitigate the risk of DDoS attacks, website administrators need to stay updated with cyber security trends. Before applying DDoS-specific techniques, one should also set a base security system. For example, you need to set up WAF, a strong password policy, hosting a website with a good hosting provider.
1. Limiting the Options
This is more of a preventive technique. It would help if you did not open system ports or protocols to or for unintended communication. For example, e.g., If you do not expect to blog directly from Word Editor or log in to the website from an app, you should not open WordPress XML-RPC protocol.
2. Scalable Architecture
In a nutshell, DDoS or DoS are designed to consume your system resources. So if you have enough resources to serve attacked traffic and still provide routine access to your real user, you have mitigated the attack. But this incurs a considerable cost as you need need to pay for it all year round.
You need to carefully choose a hosting partner that provides on-demand or auto scalability (Check Kinsta).
3. Use CDN
To safeguard your system from attacks, you need to add a gate in front of your system. For example, you can put your website behind the CDN instead of exposing your website directly to the internet. All of the excess traffic generated by DDoS attacks will then be served from the cached CDN version.
4. Deploy Firewall and load balancers
Like CDN, you can set up WAF (Sucuri, Wordfence, etc.) to cut direct access to your systems. In addition, you can mitigate attacks by setting up IP reputation, geography, etc., based firewall rules.
5. Rate Limiting
Based on your business analytics, you can define good and bad traffic. In a scenario where you cannot block the bad traffic straight away, then you can limit the resource allocation for bad traffic