All over the world, DDoS attacks are getting more frequent and last longer, too.
We’re officially sailing in rough water. And not all of our ships are sea-worthy. A study by IDG found that the lack of broad DDoS protection was among the top 3 security challenges faced by organizations.
Realizing this, many companies sought help with specialized mitigation services. This is a great first step. But there are still lines to tighten and halyards to replace. Different resources have varying degrees of DDoS resistance. And using a third-party solution is not always enough.
Let’s look at 10 steps you can take to improve your DDoS protectability. And, hopefully, find a safe mooring in this raging hurricane of junk traffic.
Step 1. Involve security specialists at the design stage
Fixing vulnerabilities in finished products is costlier than mitigating them at the design stage. You can avoid typical pitfalls by involving information security specialists during the concept phase.
Here are a few common problems that arise when you design without security in mind:
- Instead of using DNS, developers set up access to other resources by hardcoding IP addresses. They are hard to replace later and create vulnerabilities.
- When apps handle requests using a mixture of protocols, DDoS protection providers can’t discern malicious traffic from legitimate traffic.
- Sometimes applications are built so interdependently that overloading one component crashes the whole system.
Step 2. Audit the application and create a DDoS protection plan
Your app likely has multiple components. Each requires a different level of DDoS protection.
Understanding every component will allow you to create a robust security loop, protect all layers of the OSI model and plan out how you use firewalls.
Create a roadmap for your initial phase and mid-term development. This will help you systematically implement DDoS protection as your application grows.
Step 3. Decide whether you can disclose SSL private keys
It’s easier to build DDoS protection when SSL keys are disclosed to the provider. But if your app provides financial services or deals with private data, better keep them private. This will ensure compliance with the PCI DSS standard.
Some applications can get away with disclosing private keys for certain resources, but not for others.
And there is also a hybrid approach. You can use a separate certificate and key pair created specifically for the DDoS protection layer (for example, one issued automatically by the Let’s Encrypt service).
Step 4. Give your security provider directions on traffic filtering
Imagine that you’re asked to find an apple in a basket of oranges. A mundane task usually. Except, you have to wear oven mitts and a blindfold. Not so trivial anymore, is it?
You put a DDoS mitigation provider in exactly this position when you don’t give them clear documentation on how to filter your traffic.
Discuss the intricacies of the integration with your security partner and prepare a rule book on traffic filtering. This will help them detect fake client requests without losing legitimate packets.
Step 5. Share an overview of your app’s architecture with your Anti-DDoS provider
If you’re following this list, by now you’ve completed an application audit.
Organize the information collected in the process and forward it to your security partner. In particular:
- Create a list of locations from which non-browser clients can access your app: API, AJAX, mobile apps, and others.
- Describe the architecture of your application: the protocols it uses, how components interact with each other, and external systems.
- Give as much information as possible about mobile applications or legitimate bots that interact with your app.
All of this will improve the accuracy of traffic filtering greatly.
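The rule book from Step 4 and the architecture overview from Step 5 can be written down as data rather than prose, which makes them easy to hand to the provider and to test against your own logs. The block below is an added example, not code from the original post: the rule book contents (the API prefixes, the mobile app user agent, the partner integration, the size limit) and the log lines are all constructed assumptions. It checks each request against the documented expectations and flags the ones the provider would need to ask you about.

```python
import re

# Constructed rule book (an assumption, not anything the post prescribes):
# which paths non-browser clients use, which methods they use, and how the
# legitimate non-browser clients identify themselves.
RULE_BOOK = {
    "api_prefixes": {
        "/api/v1/": {"methods": {"GET", "POST"}, "clients": {"mobile", "partner"}},
        "/ajax/":   {"methods": {"GET", "POST"}, "clients": {"browser"}},
    },
    "known_clients": {
        "mobile":  re.compile(r"^ExampleShop/\d+\.\d+ \((iOS|Android)\)"),  # assumed app UA
        "partner": re.compile(r"^PartnerSync/"),                             # assumed partner UA
    },
    "legit_bots": {"Googlebot": re.compile(r"Googlebot/")},
    "max_body_bytes": 64 * 1024,  # largest request body the app legitimately accepts
}

# Constructed log format: <ip> "<method> <path> HTTP/x.y" "<user agent>" <request body bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" "(?P<ua>[^"]*)" (?P<body>\d+)$'
)


def identify_client(user_agent):
    """Map a user agent to a documented client kind, or 'browser' by default."""
    for name, pattern in RULE_BOOK["known_clients"].items():
        if pattern.search(user_agent):
            return name
    for name, pattern in RULE_BOOK["legit_bots"].items():
        if pattern.search(user_agent):
            return "bot:" + name
    return "browser"


def classify(line):
    """Return 'expected' when the request matches the rule book, else why it does not."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable"
    method, path, body = m["method"], m["path"], int(m["body"])
    client = identify_client(m["ua"])
    if body > RULE_BOOK["max_body_bytes"]:
        return "suspect: oversized body"
    for prefix, rule in RULE_BOOK["api_prefixes"].items():
        if path.startswith(prefix):
            if method not in rule["methods"]:
                return "suspect: unexpected method"
            if client not in rule["clients"]:
                return "suspect: unexpected client for this path"
            return "expected"
    # Everything outside the API prefixes is a browser path.
    if client in RULE_BOOK["known_clients"]:
        return "suspect: non-browser client on a browser path"
    return "expected"


def summarize(lines):
    """Count verdicts over a batch of log lines."""
    counts = {}
    for line in lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample log lines (TEST-NET addresses, invented user agents).
SAMPLE_LOG = [
    '203.0.113.5 "GET /api/v1/orders HTTP/1.1" "ExampleShop/3.2 (iOS)" 0',
    '198.51.100.7 "DELETE /api/v1/orders HTTP/1.1" "ExampleShop/3.2 (iOS)" 0',
    '198.51.100.9 "POST /api/v1/orders HTTP/1.1" "Mozilla/5.0" 120',
    '192.0.2.4 "GET /login HTTP/1.1" "PartnerSync/1.0" 0',
    '192.0.2.8 "GET / HTTP/1.1" "Mozilla/5.0 (compatible; Googlebot/2.1)" 0',
    '192.0.2.9 "POST /ajax/cart HTTP/1.1" "Mozilla/5.0" 90000',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):45} {line}")
    print(summarize(SAMPLE_LOG))
```

Run against a day of real access logs, the "suspect" verdicts tell you where the rule book is incomplete (a client or path you forgot to document) before the provider starts dropping that traffic under attack.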
Step 6. Conceal your server’s IP address from the attacker
Targeted attacks are common nowadays. And skilled threat actors will certainly do reconnaissance before coming at you guns blazing. If they manage to find one of your app’s IP addresses, they will keep on hammering it. And once discovered, concealing it again will be near impossible.
This is why it is important to ensure that the IP address of the real server is invisible from the outside. Check that it can’t be fished out from mail headers, open ports, or other services.
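The check described above can be scripted against the data you control: your published DNS records and the headers of mail your own systems send. The following is an added example and not code from the original post; the provider ranges, the origin address, the records and the mail headers are all constructed (TEST-NET and documentation prefixes). It flags any record that points outside the provider's ranges and any Received: header that shows the origin address.

```python
import ipaddress
import re

# Assumed: the address ranges your anti-DDoS provider fronts your app from (constructed).
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]
# Assumed: the real origin address, kept here only so it can be recognised in leaked data.
ORIGIN_IPS = {ipaddress.ip_address("198.51.100.23")}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def behind_provider(ip):
    """True when the address belongs to the provider's announced ranges."""
    return any(ip in net for net in PROVIDER_RANGES)


def check_dns_records(records):
    """records: iterable of (name, type, value). Flag A/AAAA records that bypass the provider."""
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(value)
        if behind_provider(ip):
            continue
        severity = "origin-exposed" if ip in ORIGIN_IPS else "review"
        findings.append((severity, f"{rtype} {name} -> {value} is outside the provider's ranges"))
    return findings


def check_mail_headers(raw_headers):
    """Scan Received: header lines of outbound mail for the origin address."""
    findings = []
    for line in raw_headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue
            if ip in ORIGIN_IPS:
                findings.append(("origin-exposed", f"origin {text} visible in header: {line.strip()}"))
    return findings


def audit(records, raw_headers):
    """Combine both checks; an empty list means nothing obvious leaks."""
    return check_dns_records(records) + check_mail_headers(raw_headers)


# Constructed sample zone data: two hosts still pointing straight at the origin, one stray host.
SAMPLE_RECORDS = [
    ("www.example.com", "A", "203.0.113.10"),
    ("example.com", "AAAA", "2001:db8:100::10"),
    ("mail.example.com", "A", "198.51.100.23"),
    ("dev.example.com", "A", "198.51.100.23"),
    ("ftp.example.com", "A", "192.0.2.77"),
]

# Constructed headers from a message the app sent to an external mailbox.
SAMPLE_HEADERS = """\
Received: from mail.example.com (mail.example.com [198.51.100.23])
\tby mx.partner.test with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000
Received: from app01.internal (app01.internal [10.0.0.5])
\tby mail.example.com with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: noreply@example.com
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_RECORDS, SAMPLE_HEADERS):
        print(f"[{severity}] {message}")
```

The "review" findings are records that are not the origin but still bypass the provider; each one is either a separate host that needs its own protection or a stale record to delete.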
Step 7. Disable unused services and close unneeded ports
If your house has a front door and a back door, you keep both locked even if one is never used. It’s the same with internet applications.
Give your resources a sharp look, then shut down all unused services and ports. Otherwise, an attack can come from a direction that you — and your security partner — simply didn’t expect.
And while we’re on this topic, ensure that your service is only accessible through the IP address supplied by your anti-DDoS provider. Block access to all others. Otherwise, the attacker can bypass your protection entirely.
Step 8. Optimize server components
Unfortunately, DDoS protection products aren’t 100% accurate. During packet filtering, there is always some spillover. Usually, it’s inconsequential — less than 1%. But if your resource is not optimized, when faced with, for example, a terabit-per-second attack, even this slight inaccuracy may be enough to bring it down.
The good news is that this can be avoided with some optimization work:
- If you control the server where your resource is hosted, optimize the operating system’s network stack. Aim to increase the server’s ability to process incoming requests. Pay special attention to performance with popular CMS engines. Also, optimize DBMS performance, if your application uses it.
- If you don’t control the server, discuss performance optimization with your hosting provider’s technical support team. Usually, upgrading the pricing plan does the trick. And faster page loading at peak hours will be a bonus.
Step 9. Ensure your DNS services are DDoS-resistant
No amount of DDoS protection will help you if your app relies on vulnerable resources. Particularly, your DNS providers can be a weak link.
If attackers target them successfully, your website will be unavailable to users. In the best-case scenario, the connection will become severely unstable.
When choosing a provider, inquire about the DDoS protectability in your pricing tier. The servers should have measures in place against attacks on all levels of the OSI model — L3, L4 and L7. Both specialized DNS services and anti-DDoS solutions have such options.
Also, connect to multiple DNS providers — one can be a cheaper plan with weaker defenses. Use this one as a fall-back in case the primary connection gets cut off.
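The two requirements above (at least one protected provider, plus a second provider as a fallback) can be checked from the zone's NS records. The block below is an added example and not code from the original post. It groups nameservers by provider using a registrable-domain heuristic (the last two labels, which is an assumption that holds for .com-style names but not for two-level suffixes such as .co.uk) and compares them with the set of providers you know, from their contracts, to offer L3/L4/L7 protection. The nameserver names and provider set are constructed.

```python
def provider_of(ns_host):
    """Heuristic: the provider is the registrable domain of the nameserver hostname.
    Assumption: last two labels are the registrable domain (fails for e.g. .co.uk)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_ns(ns_records, protected_providers):
    """ns_records: NS hostnames of the zone.
    protected_providers: provider domains known to offer L3/L4/L7 DDoS protection.
    Returns a report covering both checks from Step 9."""
    by_provider = {}
    for ns in ns_records:
        by_provider.setdefault(provider_of(ns), []).append(ns.rstrip(".").lower())
    protected = sorted(p for p in by_provider if p in protected_providers)
    unprotected = sorted(p for p in by_provider if p not in protected_providers)
    return {
        "providers": by_provider,
        "provider_count": len(by_provider),
        "has_protected_provider": bool(protected),   # primary with L3/L4/L7 measures
        "has_fallback": len(by_provider) >= 2,       # a second, independent provider
        "unprotected_providers": unprotected,        # acceptable only as the fallback
    }


def problems(report):
    """Turn the report into actionable findings; empty means Step 9 is satisfied."""
    out = []
    if not report["has_protected_provider"]:
        out.append("no nameserver provider with L3/L4/L7 DDoS protection")
    if not report["has_fallback"]:
        out.append("all nameservers belong to a single provider; no fallback")
    return out


# Constructed zones and provider knowledge.
PROTECTED = {"dns-primary.test"}
GOOD_ZONE = ["ns1.dns-primary.test.", "ns2.dns-primary.test.", "ns1.backup-dns.test."]
SINGLE_PROVIDER_ZONE = ["ns1.dns-primary.test.", "ns2.dns-primary.test."]
UNPROTECTED_ZONE = ["ns1.cheap-dns.test.", "ns1.backup-dns.test."]

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("single", SINGLE_PROVIDER_ZONE), ("unprotected", UNPROTECTED_ZONE)):
        report = assess_ns(zone, PROTECTED)
        print(name, report["providers"], problems(report) or "ok")
```

Feed it the NS set you actually see from outside (for example the output of a `dig NS` query) rather than what you configured, because the delegation at the parent zone is what attackers and resolvers both use.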
Step 10. Perform stress tests regularly
You’ve completed an audit, created a protection roadmap, eliminated vulnerabilities, and worked together with your security partner to achieve higher DDoS resistance. You’re definitely, doubtlessly, undeniably safe now. Except, that you aren’t.
The truth is, you don’t know if your protection works until it is battle tested. And it would be a real shame if the first real attack exploited some integration technicality you overlooked. Or happened at a time when your provider’s technical support was slacking off watching a football match.
This is why stress testing is so important. And the key to productive stress testing is to go all out. Actively try to find shortcomings in your defenses:
- Test the resilience of components, but also the services they rely on.
- Simulate attacks during weekends and public holidays to validate the readiness of your security partner.
- Put pressure on different layers of the OSI model.
- Repeat a stress test after each major update.
Here’s a summary of all 10 steps for better DDoS protectability which we covered today:
- Involve security specialists at the design stage
- Audit the application and create a DDoS protection plan
- Decide whether you can disclose SSL keys
- Give your security provider directions on traffic filtering
- Share an overview of your app’s architecture with your Anti-DDoS provider
- Conceal your server’s IP address from the attacker
- Disable unused services and close unneeded ports
- Optimize server components
- Ensure your DNS services are DDoS-resistant
- Perform stress tests regularly
The DDoS threat is like Covid. It’s not going anywhere, but we can learn to live alongside it. Like vaccines and booster shots, there are tools that protect against it. And like masks and social distancing, there are steps we can take to stay safe.
And just like Covid, DDoS is at its most dangerous when we ignore its existence. When we discontinue best practices. It may take some effort to be on constant guard. But the result is all worth it — a more secure world.