Preventing denial of service attacks (DDoS) is certainly something worth looking into, but for most small to mid-sized businesses on the Internet, actually getting that done can be a tall order. This is true for one primary reason. Capacity.
There are measures that can be taken to harden your infrastructure against the most common types of DDoS attacks. Apache, the most widely used web server platform on the Internet does have several modules that can be installed that help. We’re happy to report that mod_security has finally made its way into the Nginx universe. If you’re running IIS on Windows, your choices are limited with respect to preventing denial of service attacks. Overall though, with proper installation and server configuration you can make some headway in preventing DDoS impacts on your web site(s).
In Preventing Denial of Service Attacks, Its All About Capacity
Notice we said some headway. The real issue as stated above is that a truly effective denial of service attack combines clever attack methods with plain old brute force. Its the brute force that will give you gray hair. You can spend hundreds of expensive sysadmin hours tuning your servers to prevent denial of service attacks, but when a bored 20 year old in Russia unleashes a torrent of 3 Gbps at you, none of that will matter. Your upstream links and edge elements (routers, firewalls, etc.) will fill up and tip over long before mod_evasive on Apache can ever help.
So when it comes to preventing denial of service attacks, what can a small or mid-sized business really do? In order to counter-act the brute force component of most DDoS attacks, you’re going to need to have the capacity to handle that data stream. That means either purchasing that capacity from your hosting/colocation/cloud provider or engaging a DDoS mitigation service full-time to “scrub” every packet headed your way. We think that a DDoS mitigation service is a far better choice than buying enough of your own capacity to handle the inrush of garbage, but in each of these scenarios you’re spending more than you probably want to.
The bottom line for most of our target audience here is that preventing denial of service attacks may be effective when they come on a very small scale (it does happen sometimes), but the better strategy is to put together a detailed plan and procedure for what to do in the event that you come under attack. Pick your DDoS mitigation vendor in advance, know how to contact them and start service, and know what steps will be needed in order to put protection in place quickly. If you have a well documented plan in place, you can react to a denial of service attack pretty quickly and with a minimal amount of stress.
In our next post we’ll talk about how DDoS mitigation works, who the leading providers are, and generally what happens when you call one of them for help. In the meanwhile if you want to start working on your denial of service attack contingency plan today, feel free to contact us for help. We’re happy to do what it takes to get you moving in the right direction.