WordPress DDoS Attack: How to Secure Your Website

How To Survive a DDoS Attack

A distributed denial-of-service (DDoS) attack is one of the most popular tools in the cybercriminal arsenal. The motives behind such attacks vary, from cyber-hooliganism to extortion. There have been cases where criminal groups threatened their victims with a DDoS attack unless they paid 5 bitcoins (more than $5,000). Often, a DDoS attack is used to distract IT staff while another cybercrime, such as data theft or malware injection, is carried out.

[Figures: website traffic spike, and CPU and RAM usage, during a DDoS attack]

Distributed Denial of Service (DDoS) attacks can take any website offline. Even Google and GitHub, with their immense resources, struggle to stay online during a large attack. Even worse, anyone with a few dollars can launch one.

If you host websites, you and your users could be hit with a denial of service attack big enough to take sites down for hours or even days. However, the worst effects of DDoS attacks can be avoided with the right tools, and Cloudflare and Wordfence offer the best mitigation tools.

In this article, we explain what denial-of-service attacks are, how they work, and what you can do to survive them. 

What is a Distributed Denial-of-Service (DDoS) Attack?

A Denial of Service (DoS) attack is an attempt to overwhelm servers with malicious requests and connections. A server’s primary purpose is to accept and process network connections. Each one consumes a chunk of bandwidth, memory, and processing power, and too many can use up all of the available resources, preventing new connections. When that happens, websites can’t be accessed; they are, in effect, knocked off the internet. 

Attackers exploit this vulnerability by creating so many connections and sending so much data that the server or network interface can’t cope.

In a DDoS attack, the attacker uses a botnet of compromised machines, which can be anything from other servers to consumer laptops to network-connected security cameras. A botnet contains thousands of nodes that the attacker can remotely instruct to inundate the target.

Each compromised machine acts as a bot and attacks the targeted server or system. Because the traffic arrives from thousands of unrelated addresses rather than a single source, the attackers can go unnoticed for some time and cause as much damage as possible before they are blocked.

[Figure: DDoS attacks by country]

Amplification Attacks

DDoS attacks can get even more devious. Attackers struggle to build botnets that generate enough data to take down a well-prepared hosting provider. Instead of attacking the target directly, they look for an online service to amplify their requests. 

When you request a web page, you send a small amount of data, and the server sends back a much larger response. The same is true of some DNS servers, Network Time Protocol (NTP) servers, databases and caches, and others. 

For example, the attacker can use their botnet to send requests to an open NTP server. The initial request is tiny, just a few bytes, but the response may be up to 200 times bigger: an attacker who sends a megabyte can generate 200 megabytes of responses. If they spoof the source IP address of the initial request, the responses go not to the botnet but to the target.

This type of amplification is behind some of the most significant DDoS attacks in history, including the 1.35 Terabyte-per-second attack against GitHub.

What Are the Types of DDoS Attacks?

The most popular way to categorize DDoS attacks is according to the part of a network connection they target. You can think of connections as layers of protocols and data formats, with each layer depending on the one below it. For example, the web’s HTTP depends on the lower-level TCP protocol. 

Why does this matter? Because the techniques used to mitigate DDoS attacks depend on the network layer they target. 

The popular Open Systems Interconnection model (OSI) divides connections into seven layers. 

  • Layer 1 – the physical layer that transmits raw data over the network’s hardware.
  • Layer 2 – the datalink layer, which determines the data’s format.
  • Layer 3 – the network layer, which decides which route data takes. 
  • Layer 4 – the transport layer, which is the level of the TCP and UDP transmission protocols.
  • Layer 5 – the session layer, which manages connections and sessions. 
  • Layer 6 – the presentation layer, which handles data formats and encryption.
  • Layer 7 – the application layer, which is the layer we interact with when we click on links or communicate with web applications. 

DDoS attacks are typically attributed to one of these layers. A Layer 7 attack targets the application layer: web applications, web servers, and application-level services such as the NTP servers abused in the amplification attack we looked at earlier. Layer 6 attacks often focus on SSL connections. The popular SYN flood attack targets Layer 4, the transport layer, exploiting a weakness in the TCP protocol.

The Difference Between a Brute Force Attack vs. DDoS Attack

I’m sure you’ve heard of a brute-force attack. Like DDoS, it is another form of assault on your website, but the two are different.

A brute-force attack is a trial-and-error method in which hackers try to guess credentials or encrypted data (e.g. passwords) by making a very large number of attempts until one succeeds. It is considered one of the most popular ways to hack a WordPress site.

The key difference between DDoS and brute-force attacks is the goal.

DDoS attacks overwhelm a website with the intent of taking it down, whereas a brute-force attack aims to obtain admin access. Once in, a hacker will often try to steal personal data, redirect legitimate users to fake websites to harvest their personal information, or install malicious software to infect customers’ and administrators’ computers.

WordPress allows unlimited login attempts by default, so it’s crucial to prevent brute-force attacks by limiting the number of attempts a user gets.

Damage that DDoS Attacks Can Do

DDoS attacks aren’t pretty, and they can cause real damage. Their main effect is to make a WordPress site inaccessible or to degrade its performance, which means lost business and a poor user experience.

On top of that, it can cost a lot of money to mitigate an attack by hiring support or a security service.

How to Protect Yourself From an Attack

As a server administrator, there is nothing you can do to prevent attackers from sending harmful network requests. However, you can configure both your server’s firewall and your web server to drop requests from misbehaving IP addresses.

To help you protect users from denial of service attacks, cPanel & WHM includes several DDoS mitigation tools. 

Use a Good CDN

CDN (Content Delivery Network) is a network of servers distributed around the world. The servers store cached copies of your images and other files, which shortens the distance your content has to travel to your visitors.

If your WordPress site is targeted by a DDoS attack, a CDN can help ensure the malicious traffic never reaches the origin server and takes your site offline. It does this by spreading traffic across other servers when one server is hit with more than it can handle.

Because of this, neither you nor your visitors will notice a thing.

A CDN helps keep your WordPress site up and running and prevents downtime, which can hurt your site. It not only boosts page speed but also improves security against threats like DDoS attacks.

Cloudflare, for example, passes normal traffic through to your server when it identifies a DDoS attack and prevents the DDoS connections from ever reaching it. Its network has an unmetered 51 Tbps capacity to absorb a DDoS attack.

Cloudflare has the most ‘High’ ratings compared to the other six DDoS vendors across 23 assessment criteria in Gartner’s 2020 ‘Solution Comparison for DDoS Cloud Scrubbing Centers’ report, so we rate it as a good solution.

Config Server Security & Firewall

cPanel & WHM supports the Config Server Security (CSF) firewall, which provides a WHM plugin with a comprehensive configuration interface.

WordPress Security Plugins

Simple measures can help prevent them, such as installing a security plugin like Wordfence or Defender, or using the protection your hosting provider offers.

Mod_Evasive

Mod_evasive is an Apache module with sophisticated Layer 7 DDoS mitigation features. It detects potential attacks against web applications and takes evasive action by rate-limiting IP addresses that make too many requests in a short time.
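Mod_evasive enforces this rule inside Apache. The mu-plugin below is an added illustration, not code from the article or from mod_evasive, that expresses the same per-IP requests-per-interval logic at the WordPress level so the mechanism is visible; the ex_rl_ names and the thresholds are assumptions.

```php
<?php
/**
 * Plugin Name: Example per-IP request limit (added illustration, not from the article or mod_evasive)
 * Description: mod_evasive's "too many requests from one IP in a short interval" rule at the WordPress level.
 * Install: copy into wp-content/mu-plugins/ so it loads on every request.
 */

// Hypothetical thresholds, tune for your traffic: more than EX_RL_MAX_REQUESTS hits from one
// IP inside a fixed EX_RL_INTERVAL-second window earns a block of EX_RL_BLOCK_SECONDS.
const EX_RL_MAX_REQUESTS  = 30;
const EX_RL_INTERVAL      = 10;
const EX_RL_BLOCK_SECONDS = 300;

add_action( 'init', 'ex_rl_enforce', 0 );

function ex_rl_enforce() {
    if ( is_user_logged_in() ) {
        return; // the flood we care about is anonymous; editors keep working
    }
    // REMOTE_ADDR is the TCP peer. Behind a CDN or reverse proxy that is the proxy's address, so
    // substitute the client-IP header your proxy sets, and trust it only when REMOTE_ADDR is one
    // of the proxy's own addresses; otherwise the header is attacker-controlled.
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';
    $key = 'ex_rl_' . md5( $ip );

    // Already blocked: refuse before WordPress loads the theme or runs page queries.
    if ( get_transient( $key . '_block' ) ) {
        ex_rl_reject();
    }
    // Fixed window stored in the transient itself, because set_transient() renews the expiry
    // on every write and would otherwise let a slow visitor accumulate hits indefinitely.
    $now   = time();
    $state = get_transient( $key );
    if ( ! is_array( $state ) || $now - $state['start'] >= EX_RL_INTERVAL ) {
        $state = array( 'start' => $now, 'count' => 0 );
    }
    $state['count']++;
    set_transient( $key, $state, EX_RL_INTERVAL );

    if ( $state['count'] > EX_RL_MAX_REQUESTS ) {
        set_transient( $key . '_block', 1, EX_RL_BLOCK_SECONDS );
        error_log( sprintf( 'ex_rl: blocking %s for %ds after %d requests', $ip, EX_RL_BLOCK_SECONDS, $state['count'] ) );
        ex_rl_reject();
    }
}

function ex_rl_reject() {
    status_header( 429 );                            // "Too Many Requests"
    header( 'Retry-After: ' . EX_RL_BLOCK_SECONDS );
    nocache_headers();                               // keep the 429 out of page caches
    exit( 'Too many requests' );
}
```

Transients live in the options table unless a persistent object cache is installed, so each anonymous request costs a database write; this shows the rule, but enforcing it in Apache is far cheaper under a real flood.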

The cPanel IP Blocker

cPanel includes an IP Blocker that can be used to block both individual addresses and ranges. For a big distributed attack, manual IP blocking is not practical, but it may be useful for smaller attacks.

Activate WAF

The Web Application Firewall (WAF) is the first layer of protection to stop hacker and bot DDoS attacks before they get to your WordPress site.

It works by filtering requests against an optimized managed ruleset covering common attacks, and it performs virtual patching of WordPress core, plugin, and theme vulnerabilities.

WAF is like your own personal security guard for your WordPress site. It can help protect and mitigate you from DDoS attacks — and much more.

Once activated, you have the option of:

  • Entering IPs in an Allowlist and Blocklist
  • Entering user agents in an Allowlist and Blocklist
  • Adding URLs to an Allowlist
  • Disabling Rule IDs

Disabling XML-RPC

XML-RPC is a system that lets you post to your WordPress blog using popular weblog clients, for example Windows Live Writer. It is a remote procedure call protocol that uses XML to encode its calls and HTTP as its transport mechanism.

If you use a WordPress mobile app, want to connect to services such as IFTTT, or want to access and publish your blog remotely, you need XML-RPC enabled. If not, it is just another way for attackers to target and exploit your site, including with DDoS traffic sent through XML-RPC.

That being said, if you don’t need it active, it’s worth disabling it.

Disabling Trackbacks and Pingbacks

Pingbacks notify a site when it has been mentioned by another website. However, these notifications can be delivered to any site willing to receive them, which opens you up to DDoS attacks.

That can take your WordPress site down, and you can end up with a massive amount of spam comments.

Taking care of this is simple. Just like disabling XML-RPC, this is a Security Tweak you can apply in one click by choosing Disable Pingbacks.

Disabling Rest API with a Plugin

Disabling REST API can help with Application Layer DDoS attacks. Application layer attacks are a type of malicious behavior designed to target the “top” layer in the OSI model. It’s where common internet requests (e.g. HTTP GET) occur.

REST is an acronym for Representational State Transfer. It uses HTTP requests to access and manipulate data: the methods GET, POST, PUT and DELETE correspond to reading, creating, updating and deleting resources.

API, in regard to a website, is code that allows two software programs to communicate with each other. The API lays out the correct way for a developer to write a program requesting services from an application or operating system.

REST is generally preferred over similar technologies because it uses less bandwidth, which makes it better suited to efficient internet use.

Disabling the REST API temporarily, until the DDoS attack ends, can help blunt the attack.

Some of your active plugins may rely on the REST API, so check before you switch it off. Whether or not any do, it can be disabled completely or only temporarily.

A plugin like Disable REST API can help.

It disables the REST API for unauthenticated users. Once you activate it, the REST API is inaccessible to anonymous site visitors.

Keep in mind that disabling REST API provides only limited protection against DDoS attacks. Your WordPress site is still open to regular HTTP requests.

Also, disabling the REST API (and XML-RPC) not only helps blunt an incoming DDoS attack but also helps prevent your site from being compromised and used as part of a botnet to launch DDoS attacks against other servers.

Just be aware that there can be some risks when it comes to disabling REST API, such as disturbing API services.
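The three measures described in the XML-RPC, pingback and REST API sections above can be applied from a single must-use plugin. The following is an added example, not code from the article or from the Disable REST API plugin; the EX_PUBLIC_REST_PREFIXES allow-list and its placeholder route are assumptions, and the filters it hooks are standard WordPress core filters.

```php
<?php
/**
 * Plugin Name: Example DDoS surface hardening (added illustration, not part of the original article)
 * Description: Disables XML-RPC, incoming pingbacks/trackbacks and anonymous REST API access, the three
 *              measures described above, with an allow-list for REST routes that must stay public.
 * Install: copy into wp-content/mu-plugins/ so it loads on every request without activation.
 */

// 1. XML-RPC: with xmlrpc_enabled false, every method that requires a login is refused.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping needs no login, so it is removed separately, along with the X-Pingback
// header that advertises it; the site then cannot serve as a pingback reflector against other hosts.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 2. Pingbacks and trackbacks: wp-trackback.php and the pingback handler both consult
// pings_open(), so forcing it false closes existing and future posts alike.
add_filter( 'pings_open', '__return_false' );

// 3. REST API: only authenticated users may call it, except routes whose prefix is listed here.
// The prefix below is a hypothetical placeholder; list the routes your public front end
// really needs (a contact-form plugin's endpoint, for example).
const EX_PUBLIC_REST_PREFIXES = array( '/example-plugin/v1/' );

add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( is_wp_error( $result ) || is_user_logged_in() ) {
        return $result; // an earlier check already refused, or the caller is authenticated
    }
    // rest_route is set for both /wp-json/... and ?rest_route=... requests.
    $route = '/' . ltrim( (string) ( $GLOBALS['wp']->query_vars['rest_route'] ?? '' ), '/' );
    foreach ( EX_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }
    return new WP_Error(
        'rest_not_logged_in',
        'The REST API on this site requires authentication.',
        array( 'status' => 401 )
    );
}, 101 ); // after core's cookie/nonce check at priority 100, so is_user_logged_in() is final
```

Test it by requesting /wp-json/wp/v2/posts anonymously (expect 401) and again while logged in with a valid REST nonce (expect 200), and check that any plugin your theme calls from the front end still works.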

What to Do During a DDoS Attack

DDoS attacks can happen even if you have a web application firewall and other protections in place. Companies like Cloudflare and Sucuri deal with these attacks on a regular basis, and most of the time you will never hear about it since they can easily mitigate it.

However, in some cases, when these attacks are large, they can still affect you. In that case, it is best to be prepared to mitigate the problems that may arise during and after the DDoS attack.

Following are a few things you can do to minimize the impact of a DDoS attack.

1. Alert Your Team Members

If you have a team, then you need to inform co-workers about the issue.

This will help them prepare for customer support queries, look out for possible issues, and help out during or after the attack.

2. Inform Customers About the Inconvenience

A DDoS attack can affect the user experience on your website. If you run a WooCommerce store, your customers may not be able to place an order or log in to their accounts.

You can announce through your social media accounts that your website is having technical difficulties and everything will be back to normal soon.

Communication during these tough times makes a huge difference in keeping your brand’s reputation strong.

3. Contact Hosting and Security Support

Get in touch with your WordPress hosting provider. The attack on your site may be part of a larger attack targeting their systems. In that case, they will be able to give you the latest updates about the situation.

Contact your firewall service and let them know that your website is under a DDoS attack. They may be able to mitigate the situation even faster and provide you with more information.

Firewall providers like Cloudflare and Sucuri also let you switch to a ‘Paranoid/Protection Mode’ setting, which blocks far more requests while keeping your website accessible to normal users.

Conclusion

The customers of DDoS-for-hire services understand perfectly well the benefits of DDoS attacks and how effective they can be. The cost of a five-minute attack on a large online store is about $5. The victim, however, can lose far more, because potential customers simply cannot place an order. We can only guess how many customers an online store loses if an attack lasts a whole day.

The good news? DDoS attacks can be prevented if you know how to stop them. 

I provide 24/7 WordPress security and malware removal. Is your site hacked or infected with malware or under a DDoS attack? Kindly email me via [email protected] for instant help.
