{"id":56877,"date":"2020-08-28T10:29:37","date_gmt":"2020-08-28T15:29:37","guid":{"rendered":"https:\/\/blog.cpanel.com\/?p=56877"},"modified":"2020-08-28T10:29:37","modified_gmt":"2020-08-28T15:29:37","slug":"how-to-survive-a-ddos-attack","status":"publish","type":"post","link":"https:\/\/devel.www.cpanel.net\/blog\/tips-and-tricks\/how-to-survive-a-ddos-attack\/","title":{"rendered":"How To Survive a DDoS Attack"},"content":{"rendered":"\n

Distributed Denial of Service (DDoS) attacks can take any website offline. Even Google and GitHub, with their immense resources, struggle to stay online during a large attack. Even worse, anyone with a few dollars can launch one.

If you host websites, you and your users could be hit with a denial of service attack big enough to take sites down for hours or even days. However, the worst effects of DDoS attacks can be avoided with the right tools, which is why cPanel & WHM includes several DDoS mitigation features.

In this article, we explain what denial of service attacks are, how they work, and what you can do to survive them.

What Is a DDoS Attack and How Does It Work?

Before we get to Distributed Denial of Service attacks, let’s look at how a plain old Denial of Service (DoS) attack works.

Denial of Service Attacks

A Denial of Service (DoS) attack is an attempt to overwhelm servers with malicious requests and connections. A server’s primary purpose is to accept and process network connections. Each one consumes a chunk of bandwidth, memory, and processing power, and too many can use up all of the available resources, preventing new connections. When that happens, websites can’t be accessed; they are, in effect, knocked off the internet.

Attackers exploit this vulnerability by creating so many connections and sending so much data that the server or network interface can’t cope. You might be wondering why admins don’t simply block hostile connections. That’s what’s so sneaky about DoS attacks: how do we tell good connections from bad connections when they all look the same?

One way is the source IP address. If an IP address threatens to overwhelm a server, we can block it and move on with our day. Attackers know this, and it’s one of the motivations for Distributed Denial of Service attacks.

Distributed Denial of Service Attacks

In a DDoS attack, the attacker uses a botnet of compromised machines, which can be anything from other servers to consumer laptops to network-connected security cameras. A botnet contains thousands of nodes the attacker can remotely instruct to inundate the target. Because there are so many bots, it’s tough to block them all.

Amplification Attacks

DDoS attacks can get even more devious. Attackers struggle to build botnets that generate enough data to take down a well-prepared hosting provider. Instead of attacking the target directly, they look for an online service to amplify their requests.

When you request a web page, you send a small amount of data, and the server sends back a much larger response. The same is true of some DNS servers, Network Time Protocol (NTP) servers, databases and caches, and others.

For example, the attacker can use their botnet to send requests to an open NTP server. The initial request is tiny, a few bytes. However, the response may be up to 200 times bigger. An attacker who sends a megabyte can generate 200 megabytes of responses. If they spoof the initial request’s IP address, the data goes not to the botnet, but to the target.

This type of amplification is behind some of the most significant DDoS attacks in history, including last year’s 1.35 Terabyte per second attack against GitHub.

What Are the Types of DDoS Attacks?

The most popular way to categorize DDoS attacks is according to the part of a network connection they target. You can think of connections as layers of protocols and data formats, with each layer depending on the one below it. For example, the web’s HTTP depends on the lower-level TCP protocol.

Why does this matter? Because the techniques used to mitigate DDoS attacks depend on the network layer they target.

The popular Open Systems Interconnection model (OSI) divides connections into seven layers.