What is a Distributed Denial of Service (DDOS) Attack?
In 2020, we saw a number of extortion attempts threatening DDOS attacks. In this attack, the cybercriminals use a network of computers and servers to send spurious traffic to your server. Your server gets busy dealing with that useless traffic. The genuine users of your server get an error. As this is a Distributed-Denial-of-Service attack, you have multiple IP addresses simultaneously attacking you. Some of those IPs may even be located in your own country. Whom would you block? A DDOS attack is therefore more problematic than a DOS attack.
How do we mitigate a DDOS Attack?
As long as your servers are connected to the internet, it is impossible to eliminate the risk of a DDOS attack. Mitigating the DDOS threat is not easy, and many of the options require paid professional services. We can use a combination of the following.
- Monitor your server 24/7, as you never know when you will need to trigger the DDOS response!
- If you have a choice, select a reputed service provider that includes DDOS protection. Rule of thumb: Capacity > 1 Tbps.
- Use a reputed CDN. Rule of thumb: Proximity to your visitors.
- Use a Load Balancer with Slowloris resistance. Rule of thumb: Capacity 10,000 x average genuine traffic.
- Use a Reverse Proxy with Slowloris resistance. Rule of thumb: Capacity 1,000 x average genuine traffic.
- I quite like the clever little trick of "silent drop" in HAProxy. See if that can fit your infrastructure.
- Select the right webserver (e.g. Nginx, or OpenLiteSpeed, probably Caddy, but not Apache) for static content, and have browsers cache that content.
- Select a good quality processor (e.g. php8.1-fpm) for dynamic content.
- Make sure the webserver has adequate capacity. Rule of thumb: Capacity = 10x average genuine traffic.
- Make sure the webserver has extra memory to allow in-memory caching.
- Do server tuning (e.g. limit the number of requests from an IP address).
- Use a Web Application Firewall (WAF).
- Use geofencing, unless your business is global and needs traffic from dodgy countries!
- Use a captcha solution, if possible.
- Last but not least, protect your DNS records against DNS poisoning.
The anti-DDOS measures in my Proof of Concept
- Geofencing: I have blocked most countries based on historical data.
- Webserver: A fine-tuned Nginx Mainline server.
- Rate limits: Per IP.
- Silent drops: I use the HTTP 444 response instead of 403.
- Three layer protection: Layers 3, 4 and 7.
(Note1: I do not have my own CDN and do not use third party CDN as I prefer TLS termination on my own server.)
(Note2: I pray to the almighty God every night.)
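The four measures listed above (geofencing, per-IP rate limits, the 444 silent drop and Nginx tuning for Slowloris and browser caching) expressed as one Nginx configuration. This is an added example, not the author's PoC configuration; the host name, certificate paths, document root and blocked CIDR ranges are constructed placeholders, and a real geofence would be generated from a GeoIP country database rather than hand-written.

```nginx
# Added example, not the author's PoC config; placeholder values are marked.
# Key both zones on the packed client address (10 MB tracks ~160k IPv4 addresses).
limit_req_zone  $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

# Geofencing with the built-in geo module: 1 marks a blocked network. The ranges
# are constructed placeholders (RFC 5737); a real list comes from a GeoIP database.
geo $blocked_net {
    default          0;
    192.0.2.0/24     1;
    198.51.100.0/24  1;
}

server {
    listen 443 ssl;
    server_name         example.com;                # placeholder
    ssl_certificate     /etc/ssl/placeholder.crt;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;   # placeholder

    # Silent drop: 444 closes the connection without sending any response,
    # so no 403 error page is generated or transmitted to the client.
    if ($blocked_net) { return 444; }

    # Rate-limited and over-connected clients get the same silent drop
    # instead of the default 503.
    limit_req_status  444;
    limit_conn_status 444;

    # Slowloris resistance: a client may not hold a connection open by
    # trickling headers or body, nor stall while we send.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;

    location / {
        # Per IP: 10 r/s sustained, a burst of 20 served without delay,
        # at most 20 concurrent connections.
        limit_req  zone=per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;
        root /var/www/html;                         # placeholder
    }

    # Static content: long browser-cache lifetime keeps repeat visitors off the origin.
    location ~* \.(css|js|png|jpg|woff2)$ {
        root    /var/www/html;                      # placeholder
        expires 7d;
        add_header Cache-Control "public";
    }
}
```

Check the result with `nginx -t` before reloading, and watch the error log for `limiting requests` entries to confirm the per-IP zone is actually firing under load.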