Being the target of a DDoS attack is terrible, and I completely understand that you think it’s not fair and you want to do something about it.
However, what I often see after that are a large number of misconceptions about how DDoS attacks work and why dealing with them is hard.
I’ll try to cover some of them in a not too rambly way.
Misconception 1: You can block or filter DDoS attacks
People often believe there is some kind of magical “anti-DDoS” switch you can enable to “just block” the attack and make the problem go away.
That’s not how that works, and that doesn’t exist.
The nasty part of DDoS attacks is that:
- The attack is coming from a lot of different IP addresses, so blocking individual IP addresses is a fool’s errand.
- The attacker will deliberately try to make traffic appear as regular web traffic as much as possible.
So you can’t “just block” DDoS traffic, because it’s hard to identify.
There are methods, systems and services that can analyze network traffic, identify anomalies and push configuration to block the anomalous traffic. But these solutions can only mitigate attack traffic, not block it entirely.
You must also understand that these systems can be very costly, and often take a lot of fine tuning to be able to reliably distinguish legitimate traffic from attack traffic. And even then they will still get it wrong sometimes.
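To make the “lots of addresses, each looking legitimate” problem concrete, here is an added example that is not part of the original post. It runs two simple detection rules over constructed access-log lines: a per-IP hit threshold (the classic “block the noisy address” approach) and an aggregate request-rate check against an assumed normal rate of 2 requests per second. A single loud client trips the per-IP rule; a flood spread over 500 addresses making 4 requests each trips no per-IP threshold at all, even though the site is receiving 100 times its usual traffic.

```python
import re
from collections import Counter

# Combined-log-format line, e.g.
#   203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[\d\d/\w{3}/\d{4}:(\d\d):(\d\d):(\d\d) [+-]\d{4}\] "'
)

def parse(line):
    """Return (client_ip, second_of_day) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, hh, mm, ss = m.groups()
    return ip, int(hh) * 3600 + int(mm) * 60 + int(ss)

def build_log(ips, hits_per_ip, window=10):
    """Constructed sample log (not real traffic): each address in `ips` makes
    `hits_per_ip` requests, spread across a `window`-second slice of one minute."""
    lines = []
    for i, ip in enumerate(ips):
        for k in range(hits_per_ip):
            sec = (i + k) % window
            lines.append(f'{ip} - - [10/Oct/2000:13:55:{sec:02d} +0000] '
                         '"GET / HTTP/1.1" 200 512')
    return lines

def per_ip_offenders(lines, max_hits_per_ip):
    """Classic per-address blocking: addresses whose hit count exceeds the threshold."""
    counts = Counter(p[0] for p in map(parse, lines) if p)
    return sorted(ip for ip, n in counts.items() if n > max_hits_per_ip)

def aggregate_ratio(lines, baseline_rps):
    """Total requests per second over the window, relative to the normal rate."""
    secs = [p[1] for p in map(parse, lines) if p]
    window = max(secs) - min(secs) + 1
    return len(secs) / window / baseline_rps

if __name__ == "__main__":
    base = build_log([f"10.0.0.{i}" for i in range(20)], 1)   # 2 req/s, normal
    noisy = base + build_log(["192.0.2.1"], 100)                # one loud client
    flood = base + build_log([f"203.0.{i // 256}.{i % 256}" for i in range(500)], 4)
    for name, log in (("noisy", noisy), ("flood", flood)):
        print(name, "offenders:", per_ip_offenders(log, 20),
              "aggregate x", aggregate_ratio(log, 2.0))
```

The aggregate check does see the flood, but it only tells you that something is wrong, not which requests to drop; that attribution problem is what the expensive, finely tuned systems above are trying to solve.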
Misconception 2: If you have DDoS blocking/filtering, you are safe
So you have your DDoS mitigation setup, so now you are safe, right?
No.
DDoS mitigation will only mitigate the problem. It will reduce it, but not eliminate it.
Suppose you have a solution that can block 99% of a DDoS attack, but the attack generates 1000 times your usual traffic. Your DDoS filtering will stop most of it, but your website is still being hit with 10 times the usual traffic.
That can still be enough traffic to bring down your website, even though you have DDoS protection.
Misconception 3: You can block DDoS attacks with code on your website
For the most part, this is not true.
DDoS attacks come in many flavors, using different methodologies, patterns and traffic types.
But the general rule is that any attack traffic should be stopped as early in the chain as possible. Ideally you want to prevent the traffic from hitting your network entirely, or else block it on the server at the network level. The more “processing” you do on the attack traffic, the more load it generates, and the more likely the traffic will overload the server.
Running PHP code is a comparatively resource-intensive process. Trying to detect DDoS attacks at this level is extremely ineffective, because by the time attack traffic is causing PHP code execution, it has already done its job of generating system load.
Blocking IP addresses with .htaccess rules is slightly better, as those rules are pretty efficient. But then you’ll still need to somehow manually identify and block all attack IPs, which, as I wrote before, is a fool’s errand.
And on free hosting specifically, know that even hits that are blocked are still counted towards your hits usage. So blocking attacks there will do absolutely nothing to stop you from reaching the hits limit.
Misconception 4: Cloudflare blocks all DDoS attacks
Cloudflare blocks some attacks. Mostly these are network-level attacks, like DNS floods, which Cloudflare blocks very effectively because it is technically impossible to tie that traffic to individual websites and forward it.
Against HTTP attacks, Cloudflare does very little by default. To avoid affecting legitimate visitors, Cloudflare lets through basically anything that looks legit, even if that traffic is 10,000 times your usual traffic. It can sometimes detect some attacks, but generally it’s way too little, way too late.
Only “I’m under attack” mode (and maybe Bot Fighting Mode?) effectively blocks attacks, but that mode is also quite intrusive to visitors, and is not something you’d typically want to keep enabled for everyone.
Misconception 5: Free hosting does not have DDoS protection
“My website went down because of a DDoS attack, why doesn’t free hosting have DDoS protection” is something we hear a lot.
But free hosting does have DDoS protection. iFastNet has been doing this for decades now, and unfortunately has a lot of experience dealing with very big DDoS attacks. With basically every attack, they have investigated the issue and implemented measures to prevent such attacks from causing more damage. This has resulted in a wide range of measures that help combat various types of attacks, most of which are confidential for obvious reasons.
The blocking of ping traffic is an example of one measure that was taken after a DDoS attack.
Did you notice it has been quiet recently regarding the DDoS attacks that triggered the extreme hits usage? That’s because measures have been implemented to help detect and block such attacks.
So why do websites still get taken down because of attacks? Because:
- Any DDoS protection system can only protect against the kinds of attacks it can detect. Other types of attacks may not be identified as such at first.
- Even handling the blocked traffic can still generate considerable system load, which is not something we can just let you use indefinitely for free.
Misconception 6: Premium hosting has better DDoS protection
Considering everything I’ve written above, you should understand by now that blocking DDoS attacks is not something you can just throw some money at and make the problem go away.
With both free hosting and premium hosting, iFastNet does what it can to block attacks. Premium hosting being premium doesn’t automagically give it better attack protection.
Premium hosting does have some advantages compared to free hosting:
- Account limits are less harshly enforced. For example, you won’t be automatically suspended for a full day because your account got more hits than some fixed number.
- Account limits are higher, so even if your website does get attacked, it’s more likely that it will simply be able to take the load.
- Premium servers are less heavily loaded in general, and have far fewer accounts on them, so a single website being attacked doesn’t cause as big a problem for other customers on the server.
I have actually seen websites on premium hosting get disabled too because they were flooded with attack traffic and had to be disabled to prevent harm to other websites on the server.
So premium hosting doesn’t have better attack protection. It just has more server capacity so that anything that’s not blocked isn’t as likely to cause issues.