Traffic can make or break your website. Too little indicates your website is underused and unpopular. Too much can overwhelm your business. Or it could mean your website is under attack. How does your website respond to the constant change in required resources? If you don’t know the answer to this, you are in for a rude awakening.
Cloud-based hosting and technologies like Kubernetes have done wonders to alleviate the pain of the ebbs and flows of traffic. Scaling up and down automatically can let you sleep easier at night all the while preventing you from going broke. At least, it would seem.
But what happens when that increase in traffic is malicious? What happens when a group of hackers launches a coordinated attack from around the globe against your corporate website? Do you scale up and pay more money? Or do you ignore the attack and let your website crash under the ever increasing load? If neither one of these sounds like a good idea, you’re in luck. There’s a better solution.
There are a variety of alternatives for protecting your website against Denial of Service (DoS) attacks. Before you get too concerned about forking over more money, rest assured that some of these alternatives are free. As your company grows and the risk to your organization increases, you can ramp up the protections with more elaborate and expensive services. But even the teeny tiniest website not generating any revenue can be relatively safe from a DoS attack.
This article outlines four general mechanisms for protecting your website from DoS.
1. Prevent DoS Using Your Cloud Service Provider
Is your website already deployed to a popular cloud provider like Amazon Web Services or Microsoft Azure? If so, you may already have some built-in protection. Since your content is hosted in the cloud, your cloud provider is in a prime location to filter out bad traffic. If the attackers can’t get through your cloud provider’s outer defenses, they won’t be able to touch your web application.
Contact your cloud provider to determine if they provide DoS protection. Here are a few of the most popular alternatives.
- AWS Shield. As an AWS customer, you receive AWS Shield Standard for free. If you want more protection, you can purchase AWS Shield Advanced.
- Azure DDoS Protection. As an Azure customer, you receive Basic for free. If you want more protection, you can purchase Azure DDoS Protection Standard.
- Google Cloud Armor
2. Sign Up For a Cloud-based WAF
A Web Application Firewall (WAF) sifts through all of the HTTP traffic destined for your web application and filters out anything that looks malicious. WAFs have the capability of listening for and preventing a number of different attacks, such as XSS, SQL injection, buffer overflows, and yes – even DoS.
With a little DNS magic, you can inline a WAF with your website. There are a few different techniques for accomplishing this, but most of the time traffic is sent to your website through the WAF. The WAF receives the request and determines whether or not it is malicious. If it is deemed to be benign, the WAF forwards the request onto your website.
Because traffic needs to flow through the WAF, you will typically install a digital certificate to the WAF and traffic will be encrypted between it and the client. You can optionally configure a digital certificate on your web server to secure communications between it and the WAF. I highly recommend this, as you want all information encrypted in transit.
There are a plethora of cloud-based WAFs on the market. Here are a few of the most popular:
- Cloudflare WAF
- Akamai Kona Site Defender
- Imperva Incapsula
- F5 Silverline
- Sucuri Firewall
- AWS WAF
- SonicWALL WAF
3. Purchase an On-premise WAF
If your web application is hosted on-premise and you want a WAF to protect from DoS, then you can purchase a hardware appliance WAF. Appliance WAFs are similar in nature to cloud-based WAFs and are typically installed between your web application server and the public internet. The downside is that hardware can be quite expensive and you’ll need to learn the ins and outs of the device that you purchase.
Everything is moving to the cloud nowadays. I really don’t recommend this route unless you absolutely have to. But if you do, here are some of the more popular products:
4. Add a Plugin To Your Website
Depending upon your website, you may be able to thwart most of the troublesome traffic with a simple plugin. The down side to these is that they are relatively easy to get around for someone who wants to execute a targeted DoS attack against you. There are so many cloud-based WAF providers that offer free services that I would never rely on one of these options alone. Still, for the less advanced attacks, these offer a pretty good bang for the buck.
One option is reCAPTCHA v3. reCAPTCHA has been around for a number of years. It has been, many times, the bane of a user’s existence, as it requires one to type in text that nobody can read. Before you discount reCAPTCHA, you should know that Google has totally revamped it with version 3. Now, it is significantly less intrusive and allows you to configure thresholds based upon a probability that an interaction with your website is either automated or human-driven. One of the neatest features is the ability to throttle down traffic that appears to be from an automated source.
Many control vendors offer honeypots as part of their product. This isn’t your literal pot of honey. A honeypot is a mechanism that looks incredibly enticing and irresistible to an attacker. There are several types of honeypots in the security field. The honeypots I’m referring to specifically target bots. Once one gets in, it is incredibly difficult for it to escape.
As you can see, there are many options for preventing Denial of Service vulnerabilities in your web application. There are options for any size checkbook, for every type of organization, and for every hosting option.
The one warning that I would leave you with is this: do not attempt to create your own DoS prevention framework. It may seem like a fun project, but the number of permutations of DoS attacks is virtually limitless. Even if you have to pay money for a DoS solution that fits the needs of your organization, I promise that you will spend less than if you attempt to develop one yourself.