Protecting your VPS hosting from DDoS attacks

The extra control and freedom VPS hosting provides is great for growing businesses looking to expand beyond shared hosting, but with extra power comes extra responsibility. That means taking more care against Distributed Denial of Service (DDoS) attacks.  

On shared hosting, security is part of the package. On a VPS, a user with enough knowledge can handle security themselves, but that responsibility falls entirely on them.

VPS hosting providers like Namecheap do everything they can to secure you at the network level, but your website can still find itself attacked directly.

That’s why we recommend that you protect yourself from these extra DDoS threats. 

What is a DDoS exactly?

Let’s start at the beginning… First came the more simple Denial of Service (DoS) attacks. Imagine opening a real-world shop. When you unlock the door at 9 AM, a crowd of one hundred people rushes in, but they don't buy anything. They stand around, blocking other potential customers from coming in. 

That would be the brick-and-mortar equivalent of a Denial of Service attack (DoS): overwhelm the capacity of a business so they can’t serve their customers.

DoS attacks were mostly run from a computer or two in a basement. That was enough to bring the targeted websites to their knees. But data centers grew more powerful and learned to fend off these simple threats.

Then came Distributed Denial of Service (DDoS) attacks. Attackers developed tools to control vast numbers of compromised machines from a centralized command-and-control (C2) system. These pools of infected computers waiting for their orders are called botnets. These global, coordinated armies of zombified servers, laptops, smartphones, connected toasters, etc. became the perfect tool for launching denial-of-service attacks. Thus, Distributed DoS.

With the advent of the DDoS attack, the volume of ‘blocking traffic’ could be multiplied by the number of computers in the botnet, and that is frequently in the hundreds of thousands, and sometimes in the tens of millions. Enough to take out marquee brands or government websites.

Ok, those are sobering facts, but where does that leave you as the administrator of a Virtual Private Server? We will take a look at the potential damage and possible mitigation.

How can DDoS affect your digital products?

Why would the kind of person who runs DDoS attacks decide to target you? Consider that 90% of businesses report downtime due to DDoS attacks. There are five broad categories of denial-of-service perpetrators:

  1. Bored kids who are just in it for the laughs and the bragging rights
  2. Criminals demanding payment of a ransom to not take down a site
  3. State actors engaging in cyber warfare against domestic or foreign opponents
  4. Hacktivists with a political agenda targeting people they disagree with
  5. Competitors trying to harm businesses at key times such as Cyber Monday

Often in cases of the first three, your domain name just pops out of a hat, pulled at random from a list of valid domains. The botnet then gets directed at you, no matter your size or your content.

The bored kid may be testing their botnet. The criminal has enough resources at their disposal to try extorting on a massive scale. Broad denial-of-service attacks may be part of a foreign government's cyber arsenal to disrupt the economy in your country and make people feel miserable at every level. 

It may seem implausible that you would fall victim, but the numbers don’t lie. The recent Hiscox Cyber Readiness Report 2021 revealed that cyber-attacks cost US small businesses over $25k a year on average. You could well be in the firing line. 

When you are under attack, if the onslaught is hefty enough and you don't have the proper defenses in place, the effects can be crushing. Your website will no longer be reachable. In the US in the second half of 2020, the average attack duration against online shops was 76 minutes. Against internet publishing and search portals it was 107 minutes.

So you could lose the ability to process sales or serve content for an hour or two. If the attack is timed to coincide with a round of promotion on social media or the release of a news piece about your goods, that could really set you back in your effort to grow your business.

By hitting your server with an avalanche of false requests, a DDoS attack could also severely affect your bandwidth bill.

The DDoS attack might be part of a wider sinister plan. There are documented cases of DDoS attacks used as a diversion. In some cases, attackers hope to hide their attempts to install malware on vulnerable machines under a torrent of denial-of-service attacks. In other cases, the malicious payload is already on the vulnerable machines, but the hackers wait to activate it until the systems administrators are busy responding to a DDoS emergency.

In either case, the DDoS attack was just a cover for the criminals to install their data sniffers, cryptocurrency miners, or ransomware on your machine. So the damage doesn't always stop at being forced offline for a few hours.

What types of DDoS could harm your VPS?

Let's get a little bit technical now. There is more than one kind of DDoS. Some types of attack are a particular burden for servers, including VPS, while others drag down the networking hardware as well.

The simplest forms of denial of service are Volume Attacks. They direct floods of packets at low-level network protocols:

  • UDP floods: the machines in the botnet send a constant stream of UDP packets, usually with spoofed source addresses, to random ports on the target. For each packet that hits a port where nothing is listening, the server checks for an application and then replies with an ICMP "destination unreachable", so the flood burns CPU and both inbound and outbound bandwidth.
  • ICMP or ping echo request floods: botnet participants bombard the target with ping requests without waiting for replies. Because the server answers each echo request, ping floods consume both incoming and outgoing bandwidth and can seriously slow down the affected system.

These two vectors can be mitigated by sensible network or firewall configuration (rate-limiting ICMP, dropping UDP to ports where nothing listens), so attackers looked at other layers of the stack. They found places where a relatively small message ties the target up for a disproportionately long time, or costs it far more resources than it cost to send. Such methods are asymmetric; strictly speaking, "amplification" refers to reflection attacks, where spoofed requests sent to third-party services such as open DNS or NTP servers produce responses many times larger than the request, all aimed at the victim.

The so-called Protocol Attacks exploit the way various internet protocols behave, leaving the server holding state while it waits for what looks like a legitimate request to complete:

  • TCP SYN flood: the bots, often with spoofed source addresses, send the first packet of the TCP handshake (the SYN) and never complete it with the final ACK. The server keeps a half-open connection in its backlog for each one until the backlog fills and legitimate clients can no longer connect. SYN cookies (net.ipv4.tcp_syncookies on Linux) let the kernel answer SYNs without storing that state.
  • Slowloris attack: each machine in the botnet opens many HTTP connections to the target and keeps them alive by sending partial headers, one line at a time, very slowly, never finishing the request. The server's connection or worker pool fills up with these idle requests. Servers that dedicate a thread or process to each connection (classic Apache prefork) are hit hardest; event-driven servers such as Nginx with short timeouts cope better.
  • Ping-of-Death attacks: in a POD attack, the bots send oversized or malformed fragmented ICMP packets that, once reassembled, exceed the maximum IP packet size of 65,535 bytes and crash a buggy IP stack. Modern operating systems have been patched against this since the late 1990s, so it is largely historical.

A rung farther up the sophistication ladder, so-called Application-Layer attacks target the server software in use at a domain or an internet address:

  • HTTP GET floods: the DDoS tools can fingerprint the exact version of a popular content management system and then request URLs known to be expensive in memory or CPU, such as rarely used views sorted by date, uncached search results or complex filters.
  • HTTP POST floods: these exploit the places in a web application where visitors are allowed to upload images or other large amounts of data via POST by sending many unwieldy files at once.

In effect, these attacks mimic the behavior of browser users, which is why they can be hard to pick out from legitimate traffic. HTTP GET floods are extremely asymmetric: a relatively small number of requests can bring a web server to its knees. They are less of a threat to the surrounding network infrastructure than attacks such as HTTP POST floods, which rely on sheer data volume.

These few examples only scratch the surface. The tools out in the wild for launching DDoS attacks let attackers combine several vectors at the same time, so it is likely that an attack will include methods that impact your VPS directly. That's why you should enhance your VPS hosting with DDoS protection.
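The request-rate check described above (individual requests look like a browser, the rate per source does not) can be run over an ordinary Apache or Nginx combined-format access log with awk. This is an added example and not code from the original article; the log lines, addresses and the threshold of 100 requests per minute are constructed test data and assumptions to tune against your own traffic.

```shell
#!/bin/sh
# Added example: detect an HTTP GET/POST flood in a combined-format access
# log by counting requests per source address per minute, and report the
# path each flagged source hammers most (a hint at the expensive URL).
# The sample log written by make_sample_log is constructed test data.

# Usage: flood_report ACCESS_LOG REQUESTS_PER_MINUTE
# Prints "ip minute count top_path" for every source over the threshold.
flood_report() {
    awk -v limit="$2" '
        {
            ip = $1
            minute = substr($4, 2, 17)   # "[10/Oct/2021:13:55:36" -> "10/Oct/2021:13:55"
            hits[ip SUBSEP minute]++
            split($7, q, "?")            # path without its query string
            paths[ip SUBSEP q[1]]++
        }
        END {
            for (k in hits) {
                if (hits[k] > limit) {
                    split(k, f, SUBSEP)
                    best = ""; bestn = 0
                    for (p in paths) {
                        split(p, g, SUBSEP)
                        if (g[1] == f[1] && paths[p] > bestn) { best = g[2]; bestn = paths[p] }
                    }
                    printf "%s %s %d %s\n", f[1], f[2], hits[k], best
                }
            }
        }' "$1" | sort -k3 -nr
}

# Constructed sample: one source fires 180 requests at an uncached search
# view inside a single minute; three ordinary visitors browse a few pages.
make_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 180 ]; do
        printf '203.0.113.7 - - [10/Oct/2021:13:55:%02d +0000] "GET /?s=%%2Asale%%2A&orderby=date HTTP/1.1" 200 48213 "-" "Mozilla/5.0"\n' $((i % 60)) >> "$1"
        i=$((i + 1))
    done
    for ip in 198.51.100.20 198.51.100.21 198.51.100.22; do
        for p in / /about /products /products/42 /contact; do
            printf '%s - - [10/Oct/2021:13:55:10 +0000] "GET %s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n' "$ip" "$p" >> "$1"
        done
    done
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    flood_report "$tmp" 100
    rm -f "$tmp"
fi
```

Run it as `sh flood_report.sh demo` to see the attacker listed and the visitors left out. Feed the flagged addresses to your firewall blocklist or to fail2ban, and note that behind a CDN or cloud proxy the first log field is the proxy's address, so you must log and count the client address it forwards (X-Forwarded-For or the equivalent header) instead.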

How to protect your VPS hosted site from DDoS

For a serious hosting provider such as Namecheap, a certain level of anti-DDoS protection at the gateways between the internal network infrastructure and the wider internet makes obvious business sense. 

There are certain types of attacks that hit network infrastructure particularly hard and can be efficiently thwarted with the right settings at a few firewalls. The default setting that makes sense from the host's perspective is the one that doesn't slow down the network for all their clients: look out for patterns, and drop connections that are obviously suspicious.

As a VPS owner, if you see a lot of suspicious UDP or ICMP reaching your server (the less sophisticated stuff), you can turn for free to the firewall built into the Linux distribution you are running: the kernel's netfilter, driven by nftables (or the older iptables), or ufw (Uncomplicated Firewall), a simpler front-end to the same rules. These let you rate-limit ICMP, drop UDP to ports you don't serve, and cap new-connection attempts per source; pair them with the kernel's SYN cookies against SYN floods. Bear in mind that a firewall on the VPS can only discard packets that have already crossed your network link; if the attack saturates that link, filtering on the box itself will not help.

You can add rule-based filtering to your web server with ModSecurity (a web application firewall for Apache and, through its connector module, Nginx) and, on Apache, with mod_evasive, which blocks clients that request the same page too many times in a short interval.
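The host firewall approach just described, as an added example that is not from the original article: an nftables ruleset for a single Linux VPS that rate-limits ping floods, confines UDP to the ports you actually serve, caps SYNs per source address, and turns on kernel SYN cookies. It assumes nft is installed; the exposed TCP ports (TCP_PORTS), the public UDP services (UDP_PORTS, empty meaning none) and every rate threshold are placeholders to adapt, not tuned values.

```shell
#!/bin/sh
# Added example: nftables rules against the UDP, ICMP and SYN flood vectors
# described earlier. TCP_PORTS and UDP_PORTS are assumptions; the rate
# limits are placeholders to tune for your traffic.
TCP_PORTS="${TCP_PORTS:-22, 80, 443}"
UDP_PORTS="${UDP_PORTS:-}"

# Print the ruleset so it can be reviewed (or diffed) before it is applied.
build_ruleset() {
    cat <<EOF
table inet ddos
flush table inet ddos
table inet ddos {
  chain input {
    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established,related accept
    ct state invalid drop

    # Ping floods: answer a modest rate of echo requests and drop the rest.
    icmp type echo-request limit rate 10/second burst 20 packets accept
    icmpv6 type echo-request limit rate 10/second burst 20 packets accept
    # ICMP the stack needs for path MTU discovery and IPv6 neighbour discovery.
    icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

    # SYN floods: cap new connection attempts per source address, then accept the rest.
    tcp flags & (syn | ack) == syn tcp dport { $TCP_PORTS } meter syn4 { ip saddr limit rate over 25/second burst 50 packets } drop
    tcp flags & (syn | ack) == syn tcp dport { $TCP_PORTS } meter syn6 { ip6 saddr limit rate over 25/second burst 50 packets } drop
    tcp dport { $TCP_PORTS } ct state new accept
EOF
    if [ -n "$UDP_PORTS" ]; then
        # UDP floods: only the ports you serve, and only at a bounded rate.
        printf '    udp dport { %s } limit rate 500/second burst 1000 packets accept\n' "$UDP_PORTS"
    fi
    cat <<'EOF'
    # Everything else (remaining UDP, unsolicited TCP, other ICMP) hits the drop policy.
  }
}
EOF
}

apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must run as root" >&2; return 1; }
    build_ruleset | nft -f /dev/stdin || return 1
    # SYN cookies let the kernel answer SYNs without keeping half-open state.
    sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null
}

if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run `sh ddos-rules.sh` to print the ruleset and `sudo sh ddos-rules.sh apply` to load it. Make sure your SSH port is in TCP_PORTS before applying, since the input chain's default policy is drop; UDP replies to your own DNS or NTP queries still pass because conntrack marks them as established.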

These are all free tools that mitigate the simpler attacks. If every DDoS campaign sent endless copies of the same template, they could be configured to deflect most of it. That is exactly why attackers randomize the content of the messages they send to the servers they target.

To counter these more sophisticated plans of attack, the defenses have to be as smart at uncovering the malicious pattern as the hackers are at hiding it. This means building a system capable of keeping up with constantly changing attack profiles. For best protection, this system would have to be in a position where it can monitor and learn from a lot of DDoS traffic all around the web.

There are various DDoS protection services available in a variety of configurations, in free and paid plans. For example, companies such as Imperva and Sucuri offer services that collect data from all ongoing attacks on their clients and feed it into machine-learning algorithms. Their systems adapt dynamically to provide everyone in their network with protection against the latest DDoS strategies. Imperva's subscriptions start at $59/year. Sucuri's Basic offering costs $199/year.

These systems are implemented as a cloud-based reverse proxy and firewall: you point your DNS records at their network, they absorb the attack in data centers capable of neutralizing billions of packets per second, and they pass legitimate traffic through to your origin server without perceptible lag. You also stop worrying about an outrageous bandwidth bill. One caveat: the protection only works if attackers cannot go around the proxy. Your VPS's real IP address must not be discoverable (stale DNS records, mail headers and subdomains pointing straight at it are common leaks), and the origin should accept web traffic only from the provider's published address ranges.
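The origin lockdown mentioned above, as an added example that is not from the original article or from any provider: an nftables table that lets only the scrubbing provider's network open connections to ports 80 and 443 on the VPS, plus a probe to confirm from outside that the origin no longer answers direct requests. The PROXY_RANGES_V4/V6 values are constructed placeholders (documentation prefixes); replace them with the ranges your provider publishes and re-run this whenever that list changes.

```shell
#!/bin/sh
# Added example: only the proxy/scrubbing network may reach the web ports on
# the origin, so knowing the real IP no longer lets an attacker bypass it.
# The ranges below are placeholders, not any real provider's addresses.
PROXY_RANGES_V4="${PROXY_RANGES_V4:-203.0.113.0/24, 198.51.100.0/24}"
PROXY_RANGES_V6="${PROXY_RANGES_V6:-2001:db8::/32}"

build_origin_ruleset() {
    cat <<EOF
table inet origin_lock
flush table inet origin_lock
table inet origin_lock {
  set proxy_v4 {
    type ipv4_addr
    flags interval
    elements = { $PROXY_RANGES_V4 }
  }
  set proxy_v6 {
    type ipv6_addr
    flags interval
    elements = { $PROXY_RANGES_V6 }
  }
  chain input {
    type filter hook input priority 10; policy accept;
    # Web ports: new connections only from the proxy network; everything else is dropped.
    tcp dport { 80, 443 } ct state new ip saddr @proxy_v4 accept
    tcp dport { 80, 443 } ct state new ip6 saddr @proxy_v6 accept
    tcp dport { 80, 443 } ct state new drop
  }
}
EOF
}

apply_origin_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_origin_ruleset: must run as root" >&2; return 1; }
    build_origin_ruleset | nft -f /dev/stdin
}

# Run from a machine outside the proxy network: a request sent straight to the
# origin address, with the site's Host header, must now fail.
check_direct_access() {
    origin="$1"; site="$2"
    if curl -s -o /dev/null --max-time 5 -H "Host: $site" "http://$origin/" 2>/dev/null; then
        echo "FAIL: $origin still answers HTTP requests sent directly to it" >&2
        return 1
    fi
    echo "OK: direct HTTP access to $origin is refused"
}

case "${1:-}" in
    apply) apply_origin_ruleset ;;
    check) check_direct_access "$2" "$3" ;;
esac
```

Use `sudo sh origin-lock.sh apply` on the VPS and then, from elsewhere, `sh origin-lock.sh check <origin-ip> <your-domain>`. The table deliberately leaves other ports alone (policy accept) so it composes with whatever host firewall you already run; administration ports still deserve their own allowlist.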

Conclusions

When you are running your own VPS, there are a lot of things you need to stay on top of. Taking preventive measures against the danger of DDoS attacks is another one of those tasks that nobody relishes doing, but the alternative can be harmful. If tweaking your server is in your wheelhouse, then you can learn about the Linux tools for some cheap VPS protection. For more peace of mind, the cloud-based firewall approach is well worth the investment, especially since the leading platforms include security and performance features beyond simple DDoS protection.


Ruth Gonzalez