How to Improve Website Resilience for DDoS Attacks – Part I

This article was originally published on Sucuri blog (read here).

Denial of Service (Dos) and Distributed Denial of Service (DDoS) attacks are unforgiving. They test the limits of your web server and application resources by sending spikes of fake traffic to your website. It is also notoriously difficult to conduct forensics on a DDoS attack, making the source of the attack a mystery.

DDoS attacks are getting cheaper, more sophisticated and more readily accessible every day. As a result, they have become an instrument of war for both commercial and political purposes. Attackers might extort website owners for ransom money, or temporarily disable websites they disagree with as a form of hacktivism.

In simple words, DDoS attacks are an untraceable digital Molotov cocktail.

The Consequences of DDoS Attacks

The cost of not being prepared to mitigate a DDoS attack can extend far beyond what one might imagine. It’s not just a temporary loss of traffic and sales.

To an end user, there is no difference between your website suffering from a DDoS attack or it being hacked.

That’s because visitors will think the website has been compromised and is no longer trustworthy.

Although a good website application firewall is able to mitigate far more than 90% of the DDoS attacks automatically, some websites are particularly vulnerable and might require extra intervention. There are a few good practices you can follow to ensure your website can handle peaks of traffic. That’s exactly what this series of post is about.

Remove, Optimize, or Outsource

During an attack, each byte of data will be downloaded a million times by thousands of devices. The first step towards a stronger website is to make it lighter; consider making your hosting server no longer a storage unit, but more like a processing center.

a) Images

Almost every platform has plugins or modules to optimize or resize images which considerably decreases your website size. Some types of images can even be replaced by iconsSVGfont icons or be merged into a single image. Images can also be lazy loaded so they will only be displayed on demand.

Do not forget to adjust your image cache headers to make the browser cache them more often.

b) Videos

Videos occupy a good part of your disk, slow down your backups, and need to be converted to friendly formats. Amateur players won’t stream fast or be reliable enough.

Videos are more likely to suffer from piracy when hosted on the server and will most definitely make your server vulnerable to bandwidth exhaustion attacks.

There are plenty of professional services such as Vimeo, Youtube, Wistia, etc at relatively low cost. These services have special filters that prevent attacks to your videos as well as stream way faster, even with slow connections.

c) CSS & JavaScripts

By minifying your code, you’ll be eliminating useless data from the files. By concatenating, you’ll be merging files. If you cannot get rid of the files or embed them from external sources, try finding lighter alternatives.

d) Fonts

Do not embed lots of fonts. Use only the styles and weights needed and try embedding via a CDN URL such as Google Fonts.

e) Widgets and iFrames

Limit who can iframe your website and avoid using too many widgets.

Social network widgets such as Like Boxes, can be replaced by simple images.

f) Search, Comments, and Chat System

Don’t use internal systems that you can outsource like chat, search, and comment systems since they are known to be targets.

Most professional tools are battle tested and have the state-of-the-art technology in their area. They will allow granular control and are optimized to delivery fast responses at no server cost.

Keep in mind that adding third-party code to your site can be dangerous, so only use trusted sources.

If you cannot outsource, remember to install a CAPTCHA to prevent applications from being abused by bot traffic.

g) POST and WebSockets

Only to be used when necessary, POST requests and WebSockets take up a lot of server resources. Even by making them asynchronous/non-blocking or rate limiting them can be a tough job.

For example, WooCommerce has a neat feature called Cart Fragments AJAX, that updates the cart total without refreshing the page:

?wc-ajax=get_refreshed_fragments

However, disabling it will decrease the resource usage of your server and speed up your website. The same could be done for WordPress Heartbeat API in some cases.

Be careful when you disable POST requests and WebSockets so that you do not break your website.

h) Downloads

For the same reasons as videos:

Try not to host downloaded files, or at least make the download URL temporary based on the visitor IP address.

That way it can’t be used during an attack and it’s less likely to be wrongly cached or pirated.

i) Redirects

When it comes to using redirects, avoid redirect chains.

Get straight to the point.

Let’s say your website uses “www” sub-domain and SSL, so try redirecting “http://yourdomain.com” straight to “https://www.yourdomain.com” instead of going to “https://yourdomain.com” and then to the https version “https://www.yourdomain.com”.

It’s better for the end user who will be able to access the website faster, and to your server that will not need to process two or more redirects.

j) 404

As you may already know, redirecting the old pages and sections of your website to newer links would help in terms of SEO, but it also decreases the resource usage. By performing a simple 301 redirect less resources are used than processing a 404 custom page due to the process of the code, the transfer of static assets, and everything else included in the 404 custom page layout.

I would also recommend keep an eye on the number of 404 response codes, as it could indicate scanning tools looking for information to exploit vulnerabilities or overload your server with random requests.

Conclusion

Today we talked about the first good practice that will increase your website resilience to DDoS attacks. In the next post, we are going to focus on caching best practices and the importance of having a Website Application Firewall to protect your website against DDoS attacks.

If you are interested in this topic, we have written a guide about What is a DDoS Attack.

Comments