Step-by-step configuration of protection against DDoS attacks: From independent measures to a professional shield

What is the most important question in modern times when your business goes online? It is, of course, protection against DDoS attacks: unscrupulous competitors may try to take your site down, and that leads to lost revenue and lost customer trust. My experience shows that many underestimate the threat of DDoS attacks, considering them a problem only for large corporations, which is in itself a mistake, because DDoS protection is what keeps your server reliable. Resources of any size get attacked, and the consequences can be catastrophic, from temporary unavailability to a complete loss of customers and reputation.
The purpose of this article is not just to scare you, but to equip you with knowledge. I will tell you in detail what a DDoS attack is, what types exist, and how you can protect your resource yourself. I will also explain why, in the end, professional protection is the only right solution for a reliable and fast project.
What is a DDoS attack and why is it so dangerous?
The term "DDoS" stands for "Distributed Denial of Service." At its core, it is an attack on a computer system whose purpose is to bring the system down by making its network services inaccessible to users. Instead of trying to break into the system, the attackers use a large network of infected computers (a so-called botnet) to send an enormous number of requests to a single server at the same time. The server, trying to process this avalanche, becomes overloaded and stops responding even to requests from ordinary visitors. This is how websites, game servers, and online applications are taken offline.
DDoS attacks are not a homogeneous threat. They can be divided into three main categories, each of which requires its own approach to protection:
- Volumetric attacks: The most common and obvious type, which aims to saturate the victim's network link with traffic. These attacks are measured in gigabits or even terabits per second and can easily take down even the most powerful server if it is not protected at the provider level. Examples include UDP flood and ICMP flood, which simply clog the link with meaningless packets. This type is used by beginners and by those who just want to quickly shut a server down and keep users from reaching what is hosted on it.
- Protocol attacks: These attacks exploit weaknesses at the network (L3) and transport (L4) layers of the OSI model and consume server resources. The classic example is a SYN flood: the attacker sends many requests to establish a TCP connection but never completes the handshake. The server keeps the half-open connections, using up its available resources until none remain. This type is used by more experienced attackers and is more dangerous.
- Application layer attacks: This is the most intelligent type of attack. They mimic the behavior of a real user by sending requests that demand large computing resources from the server, such as complex database queries or an HTTP flood. They are much harder to detect because the traffic looks legitimate. This type can be considered the most advanced and dangerous; many now use AI-driven bots for it, because they simulate human actions well.
Full-fledged protection requires a multi-level approach that works at each of these layers. Understanding these types of attacks is the key to building an effective defense. There are other types of attacks that you may have heard about; if so, remember that you need to take all of them into account to protect your server.
Basic Protection: A step-by-step guide on how to strengthen a server on your own
Before talking about professional solutions, it is important to understand what measures you can take on your own. These steps will not replace full-fledged protection against large-scale attacks, but they will significantly increase the overall security of your server.
Fundamental Security Measures
- Strong passwords and SSH keys: First of all, make sure that your access to the server is secure. Use complex, unique passwords that are resistant to brute-force attacks. An even more reliable method is to use SSH keys for authentication and disable password login entirely. This eliminates one of the easiest ways to compromise a server. Also make sure to disable direct SSH login for the root user, which is a standard security recommendation. Don't know how to do this? We shot a video that shows exactly how to disable remote access for the root user.
- Regular updates: Vulnerabilities in the operating system and software are one of the main reasons attacks succeed. Set up automatic updates or regularly install patches for your OS, web server, databases, and all installed applications. This closes known security holes, but first wait at least a week or two after an update is released. Why? It's simple: sometimes an update introduces new vulnerabilities that are easier to exploit, and that is the main problem.
- Using SSL/TLS certificates: Although SSL/TLS certificates do not directly protect against DDoS, they are a critical element of security. The certificate encrypts all traffic between your server and the user's browser, protecting the data from interception and tampering. This increases user trust and is an important factor for search engine optimization. You have most likely encountered, at least once, the situation where you try to open a site and get an error asking you to confirm that you want to proceed because "this site is not secure". The reason is that the SSL certificate has either not been installed or has expired and now needs to be renewed and installed.
Configure the firewall and restrictions at the web server level
Next, we move on to more technical measures. Protection at this level allows you to filter out some of the malicious traffic even before it overloads your application.
- iptables protection: iptables is the built-in Linux firewall for filtering incoming traffic, and it is effective against SYN flood attacks. You can create rules that limit the number of simultaneous and new connections from a single IP address, which helps prevent server overload. For example, the following rule limits the number of simultaneous connections from a single IP address:

```bash
iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
```

This drops any new connection attempt to port 80 from a single IP address that would push its simultaneous connections above 10, which is very effective against attacks where the attacker uses a small number of sources.
- Limits in Nginx: The Nginx web server can serve as the first line of defense against application-level attacks. With the limit_req_zone and limit_conn directives you can limit the request rate and the number of simultaneous connections from a single IP address. Buffering settings (proxy_buffering) also help protect against so-called "slow attacks", in which an attacker sends requests very slowly to keep connections open.
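To make the interplay of rate and burst concrete, here is a Python model of the decision rule behind Nginx's limit_req (an added example written for this article, not Nginx code and not a MivoCloud tool). It assumes the documented semantics of the rate, burst and nodelay parameters: the first request from a client starts an empty bucket, each further request adds one unit, the bucket drains at the configured rate, a request that would push the excess above burst is rejected with a 503, and an accepted request with excess above zero is delayed unless nodelay is set. The client addresses and timings are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """Per-client leaky bucket using the decision rule of Nginx's limit_req.

    rate    - requests per second, as in limit_req_zone ... rate=10r/s
    burst   - the limit_req burst= parameter (extra requests that may queue)
    nodelay - the limit_req nodelay flag (serve queued requests at once)
    State per key (normally the client IP): time of the last accepted
    request and its "excess", the number of requests above the steady rate.
    """
    rate: float
    burst: int
    nodelay: bool = False
    state: dict = field(default_factory=dict)

    def check(self, key: str, now: float) -> str:
        """Classify one request as 'pass', 'delay' (queued) or 'reject' (503)."""
        if key not in self.state:
            self.state[key] = (now, 0.0)  # first request from a key starts an empty bucket
            return "pass"
        last, excess = self.state[key]
        # The bucket drains at `rate` since the last accepted request,
        # then this request adds one unit.
        excess = max(0.0, excess - self.rate * max(0.0, now - last) + 1.0)
        if excess > self.burst:
            return "reject"  # over the burst: state unchanged, client gets 503
        self.state[key] = (now, excess)
        if excess > 0 and not self.nodelay:
            return "delay"  # held for excess / rate seconds before being served
        return "pass"


def simulate(zone: LimitReqZone, requests):
    """Feed (time_in_seconds, client) pairs through the zone and count outcomes."""
    counts = {"pass": 0, "delay": 0, "reject": 0}
    for t, client in requests:
        counts[zone.check(client, t)] += 1
    return counts


# Constructed traffic: one client fires 20 requests at the same instant,
# another client sends a single request.
FLOOD = [(0.0, "203.0.113.5")] * 20 + [(0.0, "198.51.100.7")]

if __name__ == "__main__":
    print("burst=5:        ", simulate(LimitReqZone(rate=10, burst=5), FLOOD))
    print("burst=5 nodelay:", simulate(LimitReqZone(rate=10, burst=5, nodelay=True), FLOOD))
```

With rate=10r/s and burst=5 the flooding client gets one request served at once, five queued and fourteen rejected, while the second client is unaffected because the bucket is keyed per client; one second later the flooder's bucket has drained and its next request passes again. Raising burst admits more of a legitimate spike, lowering it makes the 503s start sooner.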
Automation and Monitoring with Fail2Ban
Manually blocking attacking IP addresses during an intense attack is almost impossible. Automation comes to the rescue here.
Fail2Ban is a powerful tool that scans server logs (for example, Nginx or SSH logs) for suspicious activity and automatically blocks attacking IP addresses for a certain time. You can configure it to detect and block IP addresses that exceed your Nginx request limits. Don't know how to install it? Fortunately, we have made a video that shows this, and you can view it here.
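As an added illustration of what a Fail2Ban jail does with those Nginx messages (example code written for this article, not Fail2Ban's own implementation), the Python below replays constructed error-log lines of the shape Nginx emits when limit_req rejects a request and applies the jail parameters maxretry, findtime and bantime: an IP matched maxretry times within findtime seconds is banned for bantime seconds, and its further lines are ignored while the ban lasts. The sample lines, the addresses and the zone name "perip" are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Shape of the line Nginx writes to its error log when limit_req rejects a
# request; Fail2Ban's bundled nginx-limit-req filter keys on the same
# "limiting requests ... client:" text.
LIMIT_REQ_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ "
    r'limiting requests, excess: [\d.]+ by zone "[^"]+", client: (?P<ip>[\da-fA-F.:]+),'
)


def find_bans(log_lines, maxretry=5, findtime=600, bantime=600):
    """Replay log lines in order and return [(ip, ban_start_iso)].

    Mirrors a jail's behaviour: an IP matched `maxretry` times within
    `findtime` seconds is banned for `bantime` seconds, and its lines are
    ignored while the ban is active.
    """
    hits = defaultdict(deque)  # ip -> timestamps of matches inside the window
    banned_until = {}          # ip -> datetime when the ban expires
    bans = []
    for line in log_lines:
        m = LIMIT_REQ_RE.match(line)
        if not m:
            continue           # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        ip = m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue           # already banned, nothing more to do
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()   # drop matches older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts.isoformat()))
            window.clear()
    return bans


def _line(ts, ip):
    """Build one constructed error-log line in the limit_req format."""
    return (f'{ts} [error] 1234#1234: *42 limiting requests, excess: 5.320 by zone '
            f'"perip", client: {ip}, server: example.com, '
            f'request: "GET / HTTP/1.1", host: "example.com"')


# Constructed sample log: 203.0.113.5 trips the limit repeatedly,
# 198.51.100.7 only twice and far apart.
SAMPLE_LOG = [
    _line("2024/05/01 12:00:01", "203.0.113.5"),
    _line("2024/05/01 12:00:02", "203.0.113.5"),
    _line("2024/05/01 12:00:03", "198.51.100.7"),
    _line("2024/05/01 12:00:04", "203.0.113.5"),
    _line("2024/05/01 12:00:05", "203.0.113.5"),
    "2024/05/01 12:00:06 [notice] 1234#1234: signal process started",
    _line("2024/05/01 12:00:07", "203.0.113.5"),   # fifth match -> ban
    _line("2024/05/01 12:00:08", "203.0.113.5"),   # ignored, already banned
    _line("2024/05/01 12:30:00", "198.51.100.7"),  # first match has left the window
]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(f"ban {ip} at {when}")
```

On a real server Fail2Ban reads the same lines from Nginx's error log and its action inserts the firewall rule for the banned address; this model only computes the ban decisions, which is useful for checking what a given maxretry and findtime would have done against a log you already have.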
Application-level Reinforcement with WAF
The Web Application Firewall (WAF) is used to protect against attacks targeting the vulnerabilities of your web application (for example, SQL injection or HTTP flood).
ModSecurity is one of the most popular WAFs. It works as a web server module (for example, for Apache) and analyzes every incoming request for malicious content. It can protect against L7 (application layer) attacks, but it is powerless against large-scale network attacks. We also have a guide on installing ModSecurity on Nginx and Apache on our channel.
Moving to the next level: Why Professional Protection
Choosing professional protection is a great idea. Each provider offers protection at its own price and up to a certain limit. With us, it is free and covers attacks of up to 40 Gbps, so your server will be in safe hands and protected. And if you decide to build and protect a server yourself, the steps above are the ones you should pay attention to.
Conclusion: Your choice is our concern
In today's digital environment, relying solely on your own efforts is a risky strategy. You can spend dozens of hours studying and configuring, but all of that work can be undone by a single powerful attack.
We've already taken care of everything so that you can focus on your business.
Stop worrying about technical difficulties. Choose reliability, speed, and security. Select MivoCloud.
Author: Anatolii Cohaniuc