FAQ: How to reduce the Impact of a DDoS Attack

“Today, anyone can rent a botnet for less than the price of a coffee and launch a distributed denial-of-service (DDoS) attack that cripples an entire organisation in minutes. According to new data featured in RedShield’s Contemporary DDoS and Bot Protection whitepaper, DDoS-for-hire services typically cost just US$5 to $7 per hour.

Meanwhile, the average business stands to lose around US$234,000 in downtime, recovery costs, and lost revenue.”

This is a Q&A exploration into the DDoS and Botnet aspects of website security. For the full strategy on protection and real-world case studies, see our main “DDoS Attacks: Real NZ Case Studies” guide. Go here for DDoS protection and mitigation services.

What is DDoS?


Here’s the definition, courtesy of Wikipedia (https://en.wikipedia.org/wiki/Denial-of-service_attack):

“a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed denial-of-service (DDoS) is where the attack source is more than one – and often thousands of unique IP addresses.

Criminal perpetrators of DDoS attacks often target sites or services hosted on high-profile web servers such as banks, credit card payment gateways; but motives of revenge, blackmail or activism can be behind other attacks.”

What is the DoS Attack Methodology?


A denial-of-service attack is an explicit attempt by the attacker to prevent legitimate users of a website from using its services. There are two common forms of DoS attack, those that:

  • Crash the website services, so that the database becomes unavailable and the server returns error messages
  • Flood the services, so that pages load extremely slowly as the server struggles to process the requests

The most serious are the distributed attacks (DDoS) launched from a network of hundreds or thousands of compromised servers, PCs and other devices worldwide. Network-layer floods very often use forged sender addresses (IP address spoofing) so that the true location of the attacking hosts cannot readily be determined and so that screening on source IP address is ineffective. Application-layer floods and login attacks, by contrast, have to complete the TCP handshake, so their source addresses are real; they belong to compromised machines rather than to the attacker, and the attacker rotates them as they get blocked.

What are Brute Force Login Attacks?

A brute-force login (BFL) attack is a stream of automated login attempts that cycle through usernames and passwords against WordPress, cPanel, FTP or email logins. The attacks take various forms depending on the attack software used by whoever is trying to break into your website and/or hosting account.

A serious brute-force login attack from many sources all targeting your website and/or server can produce the same symptoms as a DoS or DDoS attack:

  • the load on your server spikes
  • websites become sluggish or unresponsive
  • browsers time out on attempts to access WHM, cPanel or FTP
  • “Error connecting to database” messages may appear
  • worst-case scenarios include database corruption.
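As an added example (not code from the original page), the following Python script tells the two patterns described above apart in a web server's access log: a flood shows up as a very high request rate from one address, a brute-force login attack as a run of failed POSTs to the login endpoints. The log lines are constructed for the example, the thresholds and endpoint list are assumptions to tune against your own traffic, and it only covers HTTP: cPanel, FTP and email login failures are recorded in cPanel's own logs, not in the Apache access log.

```python
"""Tell an HTTP flood apart from a brute-force login attack in an Apache
combined-format access log (cPanel writes these per domain under domlogs).

Added example, not from the original page. Thresholds, endpoint list and
sample data are assumptions; cPanel, FTP and mail logins are NOT covered
(they are recorded in cPanel's own logs, not the web server's access log).
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log line: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# WordPress endpoints that attackers hammer with credentials (assumption:
# extend the tuple for other applications hosted on the server).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Detection thresholds; assumptions to be tuned against normal traffic.
FLOOD_RPS = 20      # sustained requests per second from a single address
LOGIN_FAILS = 10    # failed login POSTs from a single address


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(lines):
    """Aggregate per source address and flag flood / brute-force behaviour."""
    stats = defaultdict(lambda: {"requests": 0, "login_fails": 0,
                                 "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        # wp-login.php re-renders the form (200) on a failed login and sends a
        # 302 redirect on success, so a non-302 POST counts as a failure.
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in LOGIN_PATHS and rec["status"] != 302:
            s["login_fails"] += 1

    result = {}
    for ip, s in stats.items():
        # Requests within the same second give a zero span; treat it as one second.
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        result[ip] = {
            "requests": s["requests"],
            "login_fails": s["login_fails"],
            "flood": s["requests"] / span >= FLOOD_RPS,
            "bruteforce": s["login_fails"] >= LOGIN_FAILS,
        }
    return result


def block_candidates(result):
    """Addresses worth feeding to the server firewall, sorted for stable output."""
    return sorted(ip for ip, s in result.items() if s["flood"] or s["bruteforce"])


def _line(ip, sec, method, path, status, ua):
    return (f'{ip} - - [10/Mar/2024:02:00:{sec:02d} +1300] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = (
    # 12 failed password guesses, one per second: brute force, not a flood
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200, "python-requests/2.31") for s in range(12)]
    # 60 home-page hits inside two seconds: a flood, no login attempts
    + [_line("198.51.100.9", s % 2, "GET", "/", 200, "Mozilla/5.0") for s in range(60)]
    # an ordinary visitor who browses and then logs in successfully (302)
    + [_line("192.0.2.25", s * 10, "GET", f"/page-{s}/", 200, "Mozilla/5.0") for s in range(5)]
    + [_line("192.0.2.25", 55, "POST", "/wp-login.php", 302, "Mozilla/5.0")]
)

if __name__ == "__main__":
    summary = classify(SAMPLE_LOG)
    for ip, s in summary.items():
        print(f"{ip:15} requests={s['requests']:3} login_fails={s['login_fails']:3} "
              f"flood={s['flood']} bruteforce={s['bruteforce']}")
    print("block:", block_candidates(summary))
```

On a real server, run it over the domlog of the affected site and feed the candidates to the firewall; the two flags matter because the fixes differ: a flood calls for rate limiting or Cloudflare in front of the site, a brute-force run calls for login protection and an IP block.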

What is the Impact of DDoS Attacks?

The Impact of DDoS Attacks is not limited to Your Site

Most websites are on low-cost “shared hosting”, and any excess resource consumption by YOUR website has a severe negative impact on all the other websites on that server.

Even if your website is on your own VPS, the impact can spread beyond your own site to other customers on the same network at your hosting company. Where several sites on your VPS are under attack, all sites on it will suffer, and other VPS instances on the same physical node may also be affected.

The Impact on You

Suddenly finding that you are the victim of a severe malicious cyber-attack is disconcerting at the very least. Panic is the first and least helpful reaction because most people won’t have a game plan. Figuring out what is going on will be the first problem, closely followed by searching online for “how to stop an attack on my VPS!”

Unfortunately, most material I found was either old, not 100% relevant to my situation, or too technical to be really helpful… Therefore, I had to create a DDoS mitigation plan from scratch…

Can I protect a VPS Server from DDoS & BFL Attacks?

There are not many hosting companies that provide full DDoS protection as a feature of their VPS accounts. For that matter, some hosting companies don’t even include fundamental tools such as ModSecurity and cpHulk. Full DDoS protection is costly and requires very sophisticated tools that are expensive to purchase and deploy.

Balanced against that, DDoS attacks large enough to do prolonged harm are fairly rare, because they are difficult to sustain at that scale.

Often, what is perceived to be a DDoS attack is actually a brute-force login attack spread across multiple sites on the VPS and across the server’s own services: cPanel, FTP and email accounts. The sheer volume of login attempts can have the same effect as a DDoS attack, crashing the server or bringing every site on it to a standstill.

What Can You Do to Mitigate BFL and DDoS?

At the very least, your VPS should be with a hosting company that provides up-to-date Linux, Apache and PHP software and a suite of security tools that lets you give your websites reasonable protection. With that, you can do a lot from within WHM to close the common loopholes.

Being a customer of a company that responds to support requests in a timely manner is also a source of comfort when things start going wrong! All sites on my server are under annual website maintenance plans and are protected in this manner.

When your server is unable to cope with the DDoS or BFL load being placed on it, you have several quick mitigation options, which can be used in combination:

  • Upgrade your VPS hosting package so that the server has more resources (CPU and RAM)
  • Reduce the load on your VPS by putting the busiest websites behind Cloudflare
  • Ensure the security applications you already have (ModSecurity, cpHulk etc.) are enabled and working for you
  • Reduce resource consumption by removing or replacing known problematic plugins: broken link checkers, related posts, caching etc.

What can I do on WHM to Mitigate Attacks?


cpHulk: set the Brute Force Protection Period to 120 minutes after 2 or 3 failed attempts, set the IP Address-based Brute Force Protection Period to 129,600 minutes (90 days) for addresses that keep failing, and raise the maximum failures per IP address before a one-day block to 50. That sidesteps the one-day blocks for now and stops those IP addresses from being used against your server again for three months, which takes the sting out of the cPanel and FTP attacks. Note that the source addresses of login attempts are not spoofed in practice: the attacker has to complete a TCP connection to submit a password, so the addresses are those of compromised hosts, which will be rotated as you block them. That is no reason to leave an address open while it is being used with malicious intent right now.
Account Passwords: set every account password to a long (18 characters or more), randomly generated string mixing upper- and lower-case letters, digits and special characters (~!@#$%^&*). Not only cPanel and FTP: reset the email account passwords too, since mail logins are attacked in the same way.
Shell Fork Bomb Protection: make sure it is enabled.
Shell Access: disabled for all accounts.
SYN Flood Protection: enable SYN cookies and harden the TCP/IP stack, as per ND Chost – hardening TCP/IP SYN Flood.
Backups: ensure all server accounts and settings are backed up daily, and schedule the backups to run at a time of low traffic, usually 2 am in the time zone most of your visitors come from.

Does reducing Server Load help?


Anything you can do to reduce the load that the sites on your VPS place on it leaves more headroom for the server to absorb the extra load generated by someone intent on harm.

I don’t just rely on plugins; I perform manual audits and security hardening to ensure your site is locked down from the inside out.

Can I protect WordPress Sites on a VPS?


As a WordPress tech support services provider, my priority order is as follows:

1.) WAF: install a web application firewall, either on the individual sites on your VPS or as an external service such as the Sucuri CloudProxy firewall. I use and recommend Block Bad Queries (BBQ) because it sits in front of WordPress and most of its checks never touch the database. That makes it very fast, and it puts far less load on the server than Wordfence and other security plugins. Using it alongside Blackhole for Bad Bots makes sense, as badly behaved bots can also wreak havoc on a site.

I’d set the Login Protection to “Always On”. Because most WordPress business sites have only one Administrator and a couple of Editor/Contributor users, this is not much of an inconvenience for legitimate users, and brute-force login attacks spread across multiple individual websites then have very little cumulative impact on server load.

2.) CDN: use a content delivery network like Cloudflare; it can reduce server load dramatically, and that in itself is a good DDoS mitigation strategy.

3.) Caching: on a WordPress site, a good caching plugin can dramatically reduce page load times. Serving cached pages avoids most of the database queries otherwise needed to generate each page dynamically, dropping the load placed on your server.

4.) Eliminate resource-intensive plugins: such as Related Posts, Broken Link Checker, SEO rank checking etc. If you use Wordfence, turn off Live Traffic logging, the scanning of images and of files outside the WordPress installation, and “high sensitivity” scans, to reduce scan times and load. Use the P3 Plugin Profiler to find resource-hungry plugins.

5.) Heartbeat Control: installing the Heartbeat Control plugin can help server performance, as it throttles the WordPress Heartbeat API polling of /wp-admin/admin-ajax.php that users often report driving CPU usage to 100% for extended periods.

6.) Administrator Passwords: these were already secure 24-character passwords, enforced via Wordfence. If yours are not, then it is a high priority!

7.) Backups: all WordPress sites already had scheduled database and full backups via BackupBuddy, stored off-site on a 1 TB Dropbox account secured with two-factor authentication. If yours are not, it is a high priority.

8.) Two-Factor Authentication: wherever possible, enable two-factor authentication, so that a guessed or stolen username and password is no longer enough to log in.

Caching (item 3): I use WP Rocket on every site on my server. I provide full management services on all client sites and have full control over what software is loaded on them.

Can I protect HTML Sites on a VPS?


WAF: install a web application firewall, either on the individual HTML site(s) on your VPS or as an external service such as Sucuri CloudProxy. What I use here is the Perishable Press 5G Blacklist, an .htaccess ruleset for Apache that rejects requests matching common malicious patterns before they reach the site.

CDN: Cloudflare works equally well on static HTML sites, screening out bad actors, speeding up page loads and reducing server load.

How much does Cloudflare help?


CDN: using a content delivery network like Cloudflare reduces server load dramatically. Cloudflare serves cached static content (and, with APO, whole pages) for much of your traffic, cutting bandwidth consumption and page load times. A basic account is free, so there is little excuse for not using this CDN. Cloudflare also screens many threats before they reach your website. The US$5 per month APO (Automatic Platform Optimisation) for WordPress is a very good thing too, particularly if you run WooCommerce. Two caveats apply once a site is behind Cloudflare. First, your server now sees Cloudflare’s edge addresses instead of your visitors’ addresses, so restore the real client IP (Apache’s mod_remoteip reading the CF-Connecting-IP header, trusting only Cloudflare’s published ranges) before ModSecurity or any WordPress security plugin acts on it, otherwise they end up blocking Cloudflare itself. Second, firewall the origin so that ports 80 and 443 only accept connections from Cloudflare’s ranges, because an attacker who discovers the origin address can otherwise bypass Cloudflare and hit the server directly.
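The first of those caveats is easy to get wrong, so here is an added Python example (not code from the original page, and not Cloudflare’s own) of the rule that mod_remoteip applies: believe CF-Connecting-IP only when the TCP peer is one of Cloudflare’s edge ranges, and otherwise act on the peer address and flag the request as a direct hit on the origin. The edge ranges in the block are a few entries copied from Cloudflare’s published list and are illustrative only; a real deployment loads the current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. The sample requests are constructed.

```python
"""Restore the real client address behind Cloudflare without trusting forgeries.

Added example, not from the original page. The rule is the one Apache's
mod_remoteip applies with RemoteIPHeader CF-Connecting-IP and a trusted-proxy
list: the header is only believed when the connection came from a listed edge.
"""
import ipaddress

# Partial, illustrative copy of Cloudflare's published edge ranges. Assumption:
# a real deployment loads the full current lists from cloudflare.com/ips-v4
# and /ips-v6 and refreshes them, since a stale list lets a new edge be
# treated as an attacker (or, worse, an attacker as an edge).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22",
    "104.16.0.0/13",
    "173.245.48.0/20",
    "2606:4700::/32",
)]


def from_trusted_proxy(peer_addr, trusted=CLOUDFLARE_RANGES):
    """True if the TCP peer address lies in one of the trusted edge ranges."""
    peer = ipaddress.ip_address(peer_addr)
    # ip_network membership is False for a mismatched IP version, so mixing
    # v4 and v6 ranges in one list is safe.
    return any(peer in net for net in trusted)


def client_ip(peer_addr, headers, trusted=CLOUDFLARE_RANGES):
    """Return (address_to_act_on, via_cloudflare).

    CF-Connecting-IP is only believed when the connection really came from a
    Cloudflare edge. A direct hit on the origin that carries the header is a
    bypass attempt (or a firewall gap) and is reported with via_cloudflare=False
    so the caller can alert on it.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not from_trusted_proxy(peer_addr, trusted):
        return str(peer), False
    raw = headers.get("CF-Connecting-IP", "")
    try:
        return str(ipaddress.ip_address(raw.strip())), True
    except ValueError:
        # Edge connection with a missing or malformed header: fall back to
        # the edge address rather than acting on unparseable data.
        return str(peer), True


# Constructed requests: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("104.16.1.1", {"CF-Connecting-IP": "203.0.113.7"}),       # genuine edge
    ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),     # forged, direct hit
    ("2606:4700:10::1", {"CF-Connecting-IP": "2001:db8::5"}),  # IPv6 edge
    ("104.16.1.1", {"CF-Connecting-IP": "not-an-address"}),    # broken header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        ip, via_cf = client_ip(peer, hdrs)
        print(f"peer={peer:18} act on {ip:15} via_cloudflare={via_cf}")
```

Any request that comes back with via_cloudflare=False after the site has been moved behind Cloudflare means the origin is still reachable directly and the firewall allow-list has not been applied.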

What is a Botnet?

A botnet (robot network) is a coordinated network of internet-connected devices that criminals use for cybercrime. The devices may include computers, smartphones and Internet of Things hardware. Infected with specialised malware, they are remotely controlled by an attacker and used to attack or take over further devices; the DDoS-for-hire services quoted at the top of this page are botnets rented out by the hour. The objective is usually financial: theft, extortion, phishing and ransomware.
