Have you ever experienced a Distributed Denial-of-Service attack? It's bad news, period. You will find yourself unable to access the site, and so will your customers. You will be prevented from doing any work online, and your business may suffer. Web development is no fun when this happens.
Wikipedia has this definition:
“In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.”
And there isn't much you can do about it once it starts. Your site will go down, and as soon as you are back online the attack may resume. This is most likely happening because someone wants to harm your business; it has been documented that DDoS attacks are not random; they are targeted.
This recently happened to one of our clients, and it shut down our dedicated server, along with several other websites, for over a day. And we were well prepared: one of the ways to defend against this kind of attack is over-provisioning. In simple terms, have your server ready for much more traffic than you expect to need. This may give you time to notice the extra traffic coming in and do something about it.
Sometimes, when a programmer is preparing the server, the tendency is to provision for the highest predictable level of customer traffic. A website, for example, might provide enough capacity for 30,000 visits a day. That will not be adequate against a good-sized DDoS attack. Expect a DDoS attack to send you 100 times that traffic in an hour, which translates to tens of millions of "visits" over a single 24-hour attack. A site only prepared for 30,000 visits will go down pretty quickly. We were prepared for millions, and yet the server eventually did go down.
But who is doing this?
Who controls the botnets that are hitting your server? Botnets are controlled by the denial-of-service attacker, in most cases through Trojan malware installed on the compromised machines. Prolexic, a company specializing in DDoS protection, currently tracks over 4,000 command-and-control servers that direct these botnets in DDoS attacks.
Who should be worried about a DDoS attack? If the purpose of your site is primarily to provide information, the financial loss may be minimal. But if your business is based on e-commerce, your losses from a DDoS attack could be substantial. Some DDoS targets are obvious: online gaming websites and financial services firms, for example. But any company or website could be a target. In the cyber underworld, it is possible to rent 100,000 hosts capable of a distributed denial-of-service attack of 10 to 100 Gbps. That is more than enough to take out practically any popular site on the Internet, for not much money per day.
What else can be done on the top of over-provisioning?
Redundant monitoring will give you more time to respond. When you're under attack, it helps to know quickly. A good option is to subscribe to a third-party service that monitors your site around the clock from several places on the Internet, assessing its responsiveness from an end-user viewpoint and sending alerts to your phone when problems are found. Checking from several locations matters: a single probe location can fail for reasons of its own, while a DDoS shows up from most or all of them at once.
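As an added example (not code from the original post or from any monitoring vendor), here is the shape of such a check: an end-user-style HTTP probe that records success and latency, plus an alerting rule that only fires when a quorum of vantage points see the site degraded, so one flaky monitoring location does not page you at 3 a.m. The vantage-point labels, the 3-second slow threshold and the 50% quorum are assumed values.

```python
"""Multi-vantage availability check with quorum alerting.

Added example, not part of the original post. A third-party monitoring
service would run `probe` from several locations; here we only show the
probe and the decision rule that turns its results into an alert.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class ProbeResult:
    vantage: str       # label of the monitoring location (assumed names below)
    ok: bool           # True if an HTTP 2xx/3xx arrived within the timeout
    latency_s: float   # wall-clock seconds for the whole request


def probe(url: str, vantage: str, timeout_s: float = 10.0) -> ProbeResult:
    """Fetch the URL once, the way a browser would, and time it.

    Any network error, timeout or HTTP 4xx/5xx counts as a failed probe.
    """
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout_s) as resp:
            ok = 200 <= resp.status < 400
    except (urllib.error.URLError, OSError, ValueError):
        ok = False
    return ProbeResult(vantage, ok, time.monotonic() - start)


def should_alert(results, slow_threshold_s: float = 3.0, quorum: float = 0.5):
    """Decide whether a round of probes warrants an alert.

    A vantage point counts as degraded if its probe failed or was slower
    than `slow_threshold_s`. We alert only when the degraded fraction
    reaches `quorum`, which filters out a single unhealthy probe location.
    Returns (alert: bool, reason: str).
    """
    if not results:
        return False, "no probe results"
    bad = [r for r in results if not r.ok or r.latency_s > slow_threshold_s]
    fraction = len(bad) / len(results)
    summary = f"{len(bad)}/{len(results)} vantage points degraded"
    if fraction >= quorum:
        return True, summary + ": " + ", ".join(r.vantage for r in bad)
    return False, summary + " (below quorum)"


if __name__ == "__main__":
    # Live run against a URL of your choice (assumed placeholder below);
    # in production each probe would come from a different location.
    rounds = [probe("https://example.com/", v) for v in ("us-east", "eu-west", "ap-south")]
    print(should_alert(rounds))
```

Run the script periodically from a host that is not the server being watched; if the alert rule fires, the reason string names the locations that saw trouble.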
Are server logs worth keeping? Your web server logs cannot tell a genuine visitor from a botnet node; each request is logged the same way. Even a server with enough capacity to ride out a DDoS attack can fail because the logs grow too large and too numerous and fill the disk. The log data could be used after the fact for forensic purposes, but its value is limited. It is far more important that the server can keep responding to genuine users during the attack.
If you find log files growing rapidly, you have to choose one of two things: keep the data and lose the server, or lose the data and keep the server running. If your website is critical to your business and large log files are preventing you from recovering, delete the logs.
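As an added example (not the original post's procedure), here is an emergency trimmer for an access log that has outgrown a size budget during an attack. One practical caveat it encodes: a web server keeps its access log open, so unlinking the file does not free the disk space until the server is restarted; truncating the file in place does. It also keeps the last few lines in a side file so a small window survives for later inspection. The `.sample` file name, the size budget and the constructed log lines are assumptions.

```python
"""Emergency trimming of an oversized web server log.

Added example, not part of the original post. Assumes the server holds
the log open (the usual case), so we truncate in place instead of `rm`.
"""
import os
import shutil
import tempfile
from collections import deque


def disk_free_fraction(path: str) -> float:
    """Fraction of the filesystem holding `path` that is still free."""
    usage = shutil.disk_usage(os.path.dirname(os.path.abspath(path)))
    return usage.free / usage.total


def trim_log(path: str, max_bytes: int, keep_lines: int = 1000,
             min_free_fraction: float = 0.0) -> bool:
    """Truncate `path` if it exceeds `max_bytes` or the disk is nearly full.

    The last `keep_lines` lines are copied to `<path>.sample` (assumed
    name) first. Returns True if the log was truncated.
    """
    oversized = os.path.getsize(path) > max_bytes
    disk_pressure = disk_free_fraction(path) < min_free_fraction
    if not (oversized or disk_pressure):
        return False
    tail = deque(maxlen=keep_lines)
    with open(path, "rb") as f:          # streams, no extra disk needed
        for line in f:
            tail.append(line)
    with open(path + ".sample", "wb") as sample:
        sample.writelines(tail)
    # Truncate rather than unlink: an unlinked file stays allocated while
    # the server's handle is open, and the server keeps writing to it.
    os.truncate(path, 0)
    return True


def demo():
    """Constructed run: build a fake access log, trim it, report results."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "access.log")
    with open(path, "wb") as f:
        for i in range(5000):  # constructed combined-format-style lines
            f.write(b'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
                    b'"GET / HTTP/1.1" 200 612 line %d\n' % i)
    size_before = os.path.getsize(path)
    truncated = trim_log(path, max_bytes=64 * 1024, keep_lines=10)
    with open(path + ".sample", "rb") as s:
        sample = s.read().splitlines()
    return truncated, size_before, os.path.getsize(path), len(sample), sample[-1]


if __name__ == "__main__":
    print(demo())
```

Run it from cron every few minutes during an incident with a budget that leaves room for the server to keep writing; the sample file is what you hand to whoever looks at the attack afterwards.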
One of the most important factors is knowing your hosting provider and what services they offer. Do they offer customer service 24 hours a day, 7 days a week? Is there someone you can call day or night? After you call, will they get on the problem immediately? What priority can you expect? Make sure you know the answers to these questions before you need help while your business is facing a DDoS.