How to stop a DDoS attack that’s already in progress

Take back your site

In this post, we’re going to first learn exactly what a DDoS attack is, how it works, and just how common DDoS attacks really are. Then we’ll cover the easiest and fastest ways to both prevent DDoS attacks, and how to stop a DDoS attack that’s already in progress against your website.

This information will ultimately help you defend yourself against a DDoS attack.

 

Let’s get started.

First things first: What is a DDoS attack?

The acronym DDoS stands for distributed denial-of-service. DDoS attacks are attempts to make online services unavailable by overwhelming them with traffic. The most common targets for DDoS attacks are large companies, like banks and media outlets. However, it has become more common over the past few years for smaller businesses to find themselves asking how to stop a DDoS attack.

Here are a few interesting facts you might not have known about how common DDoS attacks really are;

If you’re anything like me, by now you’re probably wondering how exactly these attacks are carried out in the first place. Long before any attack begins, the attackers build networks of infected computers (known as botnets) by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners’ knowledge.

They get used like an army to launch an attack against any target.

 

These botnets can generate huge floods of traffic to overwhelm their target. Traffic gets generated in multiple ways, like sending more connection requests than a server can handle, overwhelming victims with huge amounts of random data to use up the target’s bandwidth. Some attacks are so big they can max out a country’s international cable capacity.

It’s extremely important that website developers understand how how to stop a DDoS attack before any major damage is done.

Learn how to stop a DDoS attack in its tracks

If you are currently experiencing a DDoS attack — or believe your web property is going to be targeted — take the following steps immediately for maximum protection:

  1. Set up CloudFlare for your domain.

  2. Turn on I’m Under Attack mode.

  3. Turn on the Web Application Firewall (WAF).

  4. Set your DNS records for maximum security.

  5. Do not rate-limit or throttle requests from Cloudflare IPs.

  6. Block specific countries and visitors.

  7. Ask your hosting provider for a new IP Address (optional).

  8. Run email on a separate server (optional).

Let’s look at each step in more detail.

1. Get Cloudflare Business or Enterprise

Time: 2 minutes (or more)
Difficulty: Easy

Cloudflare Business and Enterprise plans offer advanced methods to let you stop a DDoS attack. Once you are on their Business or Enterprise plan their advanced DDoS protection is automatic. It’s also nice to know that Cloudflare does not bill by attack size and does not have an attack cap.

If you are a current Cloudflare customer, upgrade online to the Business plan right from your “My Websites“ control panel and proceed to Step 2.

If you’re new to Cloudflare it’s important to know that their signup process will require a small change to your current DNS settings which takes on average 15 minutes for GoDaddy customers, but can take up to three days depending on your domain registrar.

2. Turn on I’m Under Attack mode

Time: 1 minute
Difficulty: Easy

The mode I’m Under Attack helps mitigate and stop DDoS attacks. This mode enables additional protections to stop potentially malicious HTTP traffic from passing to your server. On their first visits, legitimate visitors will briefly see an interstitial page while the additional checks are performed:

How to Stop a DDoS Attack Interstitial Page
This image is an example of an interstitial page that legitimate visitors might see while you are experiencing a DDoS attack.

To activate the feature, go to the overview for your domain, click Quick actions, and then click Under Attack Mode.

How to Stop a DDoS Attack Mode

3. Turn on the Web Application Firewall

Time: 1 minute
Difficulty: Easy

The Cloudflare Web Application Firewall (WAF) is available to Pro, Business and Enterprise customers. Control of the WAF is found in the Web Application Firewall section of the Cloudflare interface.

How to Stop a DDoS Attack WAF

4. Set your DNS records for maximum security

Time: 10 minutes
Difficulty: Medium

With CloudFlare DNS Settings, you can enable CloudFlare’s security and performance on a per-record basis. Security is ON when the cloud is orange. Security is OFF if the cloud is gray, letting the attacker bypass CloudFlare’s security and attack your web server directly.

Here’s how to set your DNS records for maximum protection:

  1. Enable CloudFlare security (orange cloud) on the web records you use, including FTP, SSH.
  2. Use your origin IP for actions like FTP, SSH, etc.
  3. Delete any wildcard records — unless they are required — as they will expose your origin IP address.
  4. Remove any mail records that expose your origin.
Orange-cloud all records that get web traffic.

 

Protocols like mail, FTP, SSH and cPanel have gray clouds by default. If you enable CloudFlare for these subdomains, the protocols will no longer work. However, if you have gray clouds, an attacker can look up your origin server IP if they know about these subdomains and circumvent CloudFlare’s DDoS security solution. To resolve the issue, enable orange clouds for the subdomains.

Use your origin IP for FTP, SSH, etc.

 

Once you enable an orange cloud on all DNS records, you need to use either the direct IP to access certain protocols like mail, FTP, SSH and cPanel. For example, to FTP you would use ftp.yourdomain.com or ftp://yourserverIP (put in your server IP address). When you do, keep in mind a couple of important points:

  • If there is no cloud, the record cannot be proxied. But that means it’s pointing to another service, so this shouldn’t be a concern.
  • CloudFlare provides an authoritative DNS service to its direct customers; this step only applies for those records delegated to CloudFlare. If you’ve enabled CloudFlare via a hosting partner or CNAME setup, your DNS is controlled elsewhere. If the attacker is attacking your server directly, then you may need to sign up directly through CloudFlare and restart at Step 1.

5. Do not rate-limit or throttle requests from CloudFlare IPs

Time: 10 minutes
Difficulty: Medium

CloudFlare acts as a reverse proxy, so all connections come from one of their IPs. It’s important to ensure your server accepts connections from Cloudflare at all times. CloudFlare IP ranges are listed at cloudflare.com/ips , and the page includes links to simple text files intended for machine parsing. CloudFlare adds any new ranges to the public list at least one month before the new range is used, and uses many methods to publicize new ranges.

6. Block specific countries and visitors

Time: 10 minutes
Difficulty: Medium

CloudFlare’s threat control feature lets you block IP addresses and set challenges for entire countries. Once you add an IP or country, the security rule will take effect within two minutes, offloading that traffic to your server. To decide which country or IPs to add to the IP firewall, check your log files or follow the steps noted below. You can find the IP firewall in the IP Firewall section of the CloudFlare interface.

To get a list of visitors coming to your site from the last 48 hours by number of requests, follow these steps. You can use the information to identify IPs you may want to manually add to your Cloudflare Threat Control Block list.

If your site is still offline after completing these steps, or if you want to take additional security safeguards, please continue to the next step.

7. Ask your hosting provider for a new server IP

Time: 15 minutes
Difficulty: High

If you have already completed all of the steps outlined above and you’re still asking yourself how to stop a DDoS attack, then the attacker likely has your origin server IP. You will need to contact your hosting provider, ask them to give you a new origin IP, and then update it within your CloudFlare DNS settings page. Here’s what to tell your web host:

I am under a DDOS attack. I now have a DDoS protection service called CloudFlare set up for my domain. However, the attacker has my origin server IP and is bypassing my DDoS protection. Please give me a new origin server IP so that the attacker can no longer attack my server directly.

Once you have the new server IP address, make sure you update the IP in your CloudFlare DNS Settings page. With CloudFlare enabled for all web records, it’ll help mask your server’s IP address so the attacker can’t get the new one.

8. Run email on separate server/service

Time: 60 minutes
Difficulty: High

If you’re running mail on the same server as your website, the attacker can always find your origin server IP. To close this possible security gap, use an email service on a separate server, whether through your hosting provider or a third-party provider such as Google Apps.

Mac users can run this command in Terminal to see which IP is being reported with your MX records:

dig +short $(dig mx +short WEBSITE)

For example, if I was concerned about example.com, I would enter:

dig +short $(dig mx +short example.com)

PC users can run this command in command prompt to see what IP is being reported with your MX records:

nslookup -q=mx WEBSITE

For example, if I was concerned about example.com, I would enter;

nslookup -q=mx example.com

For both Mac and PC, the output will be an IP address that an attacker can always find. Make sure this IP address is different than the one for your web server. If your email is on the same server, no matter how many times you change your web server, the attacker can always find the new IP.

Get proactive

If you’ve ever had to figure out how to stop a DDos attack in progress, you’ll understand the importance of taking a proactive approach to website security. Check out products — like GoDaddy’s Website Security, powered by Sucuri — that offer a Website Application Firewall (WAF) to protect your clients’ sites against DDoS and other threats.

 


Also published on Medium.

Nathan Reimnitz
Nathan is a certified expert WordPress developer from Scottsdale, Arizona. He's a full-time freelancer for Codeable.io, Clarity.fm, and GoDaddy Pro Connect. Nathan has designed, developed, and deployed customized web-based solutions for mom-and-pop shops all the way up to multi-million dollar corporations. He's helped small businesses around the world grow their organic search traffic and helped maintain corporate websites with 500,000+ annual page views. You can find him on LinkedIn or NathanEllo.com.