DDoS Protection - How to keep your Web infrastructure safe

DDoS protection is a set of measures that filters out malicious traffic before it gets to your server, and keeps your site or service accessible even under loads of tens of gigabits per second. Without such protection, even the most powerful dedicated server can crash in a few minutes.

What are DDoS attacks and why do attackers need them?

DDoS (Distributed Denial of Service) is an attack from different devices, the purpose of which is to exhaust all server resources: Internet connection, computer power, or the number of connections so that legitimate users cannot access the service.

The motives of attacks are most often reduced to the following signs:

  • Extortion and blackmail - a demand for ransom for stopping the attack.
  • Unfair competition - disabling a competitor's service.
  • Personal hostility - attacks on specific people or companies.
  • Entertainment - the so-called script kiddies.
  • Political protest - attacks on government and media resources.

The consequences for business are palpable: direct financial losses due to downtime, reputational damage and, worst of all, the departure of customers to "more reliable" competitors. According to our company's statistics, even an hour of downtime for an online store during peak season costs more than an annual protection subscription.

Classification of attacks - at what level they hit

DDoS attacks are usually divided into levels of the OSI model - this is the key to choosing protection.

OSI LevelType of attackExamplesWhat it hits
L3 (networks)VolumetricICMP flood (Smurf), UDP flood (Fraggle)Bandwidth
L4 (Transport)ProtocolSYN flood, packet overflowConnection tables, firewall
L7 (application)AppliedHTTP flood; "heavy" database queriesCPU, memory, application logic
MixedHidden adaptiveCombined attacks that change the patternAll levels at the same time

Separately, there are attacks on vulnerabilities: buffer overflows, code errors, DoS through poor resource allocation systems, and attacks on DNS servers - they break not the servers themselves, but the domain name (DNS) systems, which makes the site's availability limited, even if the servers are working well.

Architectural approaches to protection against DDoS attacks on servers

It is important to understand the difference between the three models:

  • On-Premises (local protection) - the equipment is installed at the client, the minimum delay, but limited in the power of the reflected attacks.
  • Cloud protection - traffic is cleared on the provider's distributed filtering network, capable of repelling attacks from 7+ Tbps and over 5 million commands per second.
  • A hybrid scheme - a combination of local tools for basic filtering with a cloud "reserve" in case of major attacks.

We recommend the hybrid approach to most customers: it provides a balance between reaction speed and cost.

Server-level security tools

Before enabling industrial DDoS protection, it is worth closing the underlying vulnerabilities on your own. Here is a comparison of popular tools:

ToolProtection LevelProsCons
IPTables/NFTablesL3-L4Flexible rule setting, freeExpertise required, manual configuration
CSF (ConfigServer Firewall)L3-L4Ready presets, simple configurationLess flexibility than iptables directly
UFW (Ubuntu)L3-L4Easy to configure for beginnersNot as good as CSF in monitoring function
Fail2banL4-L7Auto-blocking by behavior patternsDoes not protect against volumetric attacks
Nginx modules (limit_req)L7Limiting requests to web serversWill not secure the infrastructure as a whole
CDNL7Caching, load distributionSometimes does not close L3-L4
Cloud anti-DoS serviceL3-L7Industrial filtering capacitiesNeed to delegate traffic for which the provider company is responsible

Local tools work well with point threats, but they cannot cope with volumetric attacks of tens or hundreds of gigabits - here a distributed filtering network is needed, which "divides" traffic across multiple points of presence even before it reaches your infrastructure.

The checklist: how to prepare and install protection against DDoS attacks in advance

  • Set up traffic filtering and request limits - the basic firewall and rate limiting reduce the risk of targeted DDoS attacks
  • Connect a CDN - distributes the load and caches static content
  • Enable professional DDoS protection - don't wait for a threat, connect in advance.
  • Keep your software updated all the time - most attacks exploit known vulnerabilities.
  • Conduct stress testing – check at least once a year how the infrastructure is coping with the load.
  • Make backups - in case the threat is accompanied by a hacking attempt.

What to do if DDoS has already started

The procedure is important here:

  • Record the fact of the attacks carried out - traffic growth, abnormal query patterns, unavailability of services.
  • Activate the DDoS protection system modules - if protection has not been enabled permanently, the reaction time is critical.
  • Keep constant monitoring - track the dynamics of the attack in real time.
  • Analyze the attack vector - this determines which filtering rules are needed.
  • Perform a point upgrade - add rules for a specific pattern of DDoS attacks.

Signs that could lead to a threat: a sharp increase in commands from the same IP ranges, an abnormally high CPU load with low real user traffic, massive timeouts, and an increase in server response time.

Who needs protection in the first place

  • Financial sector - banks and insurance companies, where downtime means direct losses and regulatory risks.
  • Medical institutions - clinics with online records and electronic patient records.
  • Government organizations - a frequent target for both protests and targeted cyber attacks.
  • E-commerce and IoT - marketplaces, online sales registers, and smart home devices, where the service being unavailable means a direct loss of revenue.

Case study: a cyberattack on an online store in the midst of a sale

Client - an average online electronics store with about 15,000 unique visitors per day, a standard VPS that did not use dedicated DDoS protection, only a basic firewall with iptables capabilities.

What happened.

On the first day of the seasonal sale, when the site's traffic had already tripled relative to the usual one, the load increased another 40 times within 20 minutes. The cyberattack came in two waves:

  • Volumetric part (L3/L4) - UDP and SYN flooding from a botnet distributed over more than 12,000 IP addresses from different countries, with a total capacity of about 60 Gbit/s
  • Application part (L7) - HTTP flooding was carried out in parallel on product cards and the search page imitating the behavior of ordinary customers, which made automatic filtering more difficult according to simple rules.

Which didn't work.

The local firewall filtered out part of the SYN flood, but the bandwidth of the client's channel (1 Gbit/s) was exhausted in the very first minutes - the host simply stopped receiving legitimate requests, regardless of how well filtering was configured on the machine itself. This is a classic case where on-premises protection is physically unable to cope with a volumetric cyberattack of this magnitude.

What our company has done.

Within 4 minutes of the customer's request, the bandwidth was switched to our distributed microfiltration networks:

  • The volumetric part was cut off at the stage of the data transmission network - the cyberattack "spread" across several points of presence and did not reach the client's channel.
  • For the L7 part, behavioral analysis of commands was enabled: the system distinguished real buyers from bots by a pattern of behavior (click-through rate, lack of interaction with JS, repetitive User agents) and blocked abnormal traffic without captcha for real users.
  • The real IP addresses of the host were additionally masked to prevent a repeat threat bypassing filtering.

Result.

The site was accessible during the hacking attempt, which lasted about 6 hours intermittently.

The page loading speed for legitimate users dropped by no more than 8% at peak times. Sales on the day of the sale were not affected - according to the customer, the conversion remained at the planned stage, and a simple one that would have happened without cyber protection, according to rough estimates of the customer, would have cost more than several years of maintenance.

How to choose a protection service

When choosing a company, pay attention to:

  • The declared capacity of the filtration network (in Tbit/s and RPS).
  • Does the company provide cyber protection at all stages of OSI, not just L3/L4?
  • The reaction rate is how long it takes to switch to filtering from the moment a cyber threat is detected.
  • Transparency of conditions - how the channel is considered to be exceeded, whether there are hidden limits.

FAQ

Yes, this is standard practice - activation time is critical, and a good provider company starts filtering within minutes.

Is it necessary to proxy the entire user flow through the filtering network?

Not always - there are solutions with direct connection and activation of microfiltration only when a hack is detected, which reduces the base latency.

Conclusion

Computer intrusion is no longer a rare and specific problem for large businesses. Local tools like iptables, CSF, or Fail2ban block point and protocol hacks, but they cannot cope with volumetric intrusions of tens or hundreds of gigabits - only a distributed microfiltration network on the provider's side helps here.