kuszeras — 2012-11-08T07:38:24-05:00 — #1
I was wondering how do you protect your sites against DoS attack? Is it possible at all? How to survive such attack and have you ever experienced it?
dklynn — 2012-11-08T23:43:05-05:00 — #2
Good hosts (like WebHostingBuzz) monitor their connections and can shut down ports during an attack. While that means that attacks are successful, it prevents damage to your website/database.
You can also help that a bit by blocking IP addresses (ranges, actually) but a well constructed DDOS attack can come from too many vectors to allow the few valid connections that are attempting to come through.
kuszeras — 2012-11-12T16:53:02-05:00 — #3
Thanks dklynn! I wonder whether it is a standard for hosting companies to monitor the traffic.
Has anyone ever encountered such attack? How long did it last and how did it go away?
dklynn — 2012-11-14T00:39:56-05:00 — #4
Yes, I haven't and n/a. Only time will tell (but I have an outstanding host - WebHostingBuzz - and wouldn't expect a DOS attack to last long when up against their monitoring).
wwb_99 — 2012-11-15T11:48:46-05:00 — #5
Most shared hosts will probably melt and shut off your website -- it will take down all 4000 other sites on the server. That is folding money, even at $3.99 a month.
Anyhow, we are on the short list of people certain groups don't like and I've been through at least one concentrated DDoS and probably a number of smaller ones. Also things like a slashdotting which can feel like a DDoS. The major attack lasted the bulk of the week, mainly because we (unlike the half dozen others targeted) did not admit we were under attack and in fact managed to stay up by and large. To be honest, the best thing in many cases is to just go down -- the only thing we got when we managed to stay up through said concentrated attack was to get a really nasty bandwidth bill. Rolling over and playing dead would have been more cost-effective in most senses.
The best defense we had was we knew their plan -- major DDoS attacks are publicly announced with an attack script. If you know where you are being hit you can take measures to kill that traffic inexpensively. IP address blocking doesn't help much -- really too hard to predict, especially without hurting legitimate traffic. Having a reverse proxy that can do very stateful HTTP inspections, as well as take the brunt of the attack helps alot. We could at least stop the proxy so we could operate the app server. Proxies also scale amazingly -- we took the entire force of the attack on a single 4-core IIS reverse proxy that was successfully serving a half dozen sites throughout the attack.
kuszeras — 2012-11-16T04:57:18-05:00 — #6
wwb_99 thank you very much. That was really helpful answer.
andygambles — 2012-11-16T05:02:46-05:00 — #7
We currently utilise CloudFlare to fend off any attacks - www.cloudflare.com