DDoS attacks have the potential to bring any website offline. Even Google and GitHub, with their vast resources, struggle to remain operational during a large-scale attack. Worse, anyone with a few dollars can start one.
If you host websites, you and your users may be subjected to a denial of service attack large enough to knock them offline for hours or even days. However, with the right tools, the worst effects of DDoS attacks can be avoided, which is why cPanel & WHM include several DDoS mitigation features.
In this article, we will define denial of service attacks, explain how they work, and what you can do to avoid them.
Table of Contents
What Is a DDoS Attack and How Does It Work?
Before we get into Distributed Denial of Service (DDoS) attacks, let’s take a look at how a traditional DoS attack works.
Denial of Service Attacks
A DoS attack is an attempt to overload servers with malicious requests and connections. The primary function of a server is to accept and process network connections. Each one consumes a portion of the available bandwidth, memory, and processing power, and too many can exhaust all available resources, preventing new connections. When this happens, websites cannot be accessed; they are effectively removed from the internet.
Attackers take advantage of this flaw by making so many connections and sending so much data that the server or network interface becomes overwhelmed. You may wonder why administrators do not simply block hostile connections. That’s what makes DoS attacks so pernicious: how can we tell good connections from bad when they all look the same?
The source IP address is one method. If an IP address threatens to overload a server, we can block it and go about our business. Attackers are aware of this, and it is one of the motivations for DDoS attacks.
Distributed Denial of Service Attacks
The attacker in a DDoS attack employs a botnet of compromised machines, which can range from other servers to consumer laptops to network-connected security cameras. A botnet is a network of thousands of nodes that an attacker can remotely instruct to flood the target. It’s difficult to block all bots because there are so many of them.
Amplification Attacks
DDoS attacks can become even more nefarious. Attackers struggle to create large botnets to bring down a well-prepared hosting provider. Instead of directly attacking the target, they seek an online service to amplify their requests.
You send a small amount of data when you request a web page, and the server responds with a much larger response. Some DNS servers, Network Time Protocol (NTP) servers, databases and caches, and other services are similarly affected.
The attacker, for example, could use their botnet to send requests to an open NTP server. The initial request is small, with only a few bytes. However, the response could be 200 times more significant. A single megabyte sent by an attacker can generate 200 megabytes of reactions. If they spoof the initial request’s IP address, the data is routed to the target rather than the botnet.
This type of amplification is responsible for some of history’s most significant DDoS attacks, including last year’s 1.35 Terabyte per the second attack on GitHub.
What Are the Types of DDoS Attacks?
The most common way to classify DDoS attacks is by the portion of a network connection that they target. Consider connections to be layers of protocols and data formats, with each layer reliant on the one below it. HTTP, for example, is based on the lower-level TCP protocol.
What is the significance of this? Because DDoS mitigation techniques differ depending on the network layer they target.
The widely used Open Systems Interconnection (OSI) model categorizes connections into seven layers.
- Layer 1 is the physical layer responsible for transmitting raw data over the network’s hardware.
- Layer 2 is the datalink layer, which determines the format of the data.
- Layer 3 is the network layer that determines which path data takes.
- Layer 4 is the transport layer, which is where the TCP and UDP transmission protocols operate.
- Layer 5 is the session layer, which is in charge of managing connections and sessions.
- Layer 6 is the presentation layer, which is in charge of data formats and encryption.
- Layer 7 is the application layer, with which we interact when we click on links or interact with web applications.
DDoS attacks are usually blamed on one of these layers. A Layer 7 attack targets the application layer, which includes web applications, web servers, and the previously discussed NTP amplification attack. SSL connections are frequently targeted by Layer 6 attacks. The popular SYN flood attack targets Layer 4, the transport layer, and takes advantage of a flaw in the TCP protocol.
How to Protect Yourself From an Attack
There is nothing you can do as a server administrator to prevent attackers from sending malicious network requests. You can, however, configure your server’s firewall and a webserver to reject requests from misbehaving IP addresses.
cPanel & WHM include several DDoS mitigation tools to assist you in protecting users from denial of service attacks.
Config Server Security & Firewall
The Config Server Security (CSF) firewall, which provides a WHM plugin with a comprehensive configuration interface, is supported by cPanel and WHM. To begin, you must follow these steps to install the plugin.
Next, go to the ConfigServer Security & Firewall page in the WHM sidebar menu’s Plugins section. Scroll to the bottom and select Firewall Configuration.
Our goal is to enable Connection Tracking and set the “CT LIMIT” value, which controls how many connections the firewall allows from a specific IP address. During a DDoS attack, a large number of connections from the same IP address may be made, and limiting connections can help to filter out unwanted traffic.
The correct value depends on the nature of the attack and typical traffic patterns, so you should experiment, but 300 is a good starting point. If you set this value too low, legitimate connections may be dropped.
On the same page, you may also want to change the PORTFLOOD value. PORTFLOOD restricts connections to a single port. For example, if a server is attacked on HTTP port 80, the following limits new connections to 50 in ten seconds, blocking subsequent attempts.
PORTFLOOD = “80;tcp;50;10”
Finally, the Layer 4 Syn Flood is one of the most common and simple denials of service attacks. SYN flood protection is included in CSF and can be enabled in the Port Flood Settings section of the configuration page.
SYN Flood protection should be enabled, and the SYNFLOOD RATE and SYNFLOOD BURST settings should be adjusted. The default setting may be too high to prevent an ongoing attack. The correct values depend on the attack’s specifics, but 75/s and 50 are good starting points. Keep in mind that if you set these values too low, legitimate traffic may experience connection issues.
Syn Flood protection should be enabled only during an attack because it can cause significant network latency.
Mod_Evasive
Mod evasive is an Apache module that provides sophisticated Layer 7 DDoS mitigation capabilities. It detects potential web application attacks and takes evasive action by rate-limiting IP addresses that make too many requests in a short period of time.
We must first install the mod evasive module. Navigate to the Software menu in WHM and select Easy Apache 4. Navigate to the Apache Modules tab, type “mod evasive,” and hit the install button.
After that, go to the Review Tab, scroll to the bottom of the page, and click Provision. The module and its dependencies may take a few seconds to install in WHM.
The module has reasonable defaults, but you may want to modify the configuration file, which is located on the server’s filesystem at:
/etc/apache2/conf.d/300-mod evasive.conf
Set an email address in the DOSEmailNotify section if you want mod evasive to send an email when it blocks an IP. The comment symbol (#) at the beginning of the line may need to be removed.
The cPanel IP Blocker
cPanel includes an IP Blocker that can be used to block individual addresses as well as ranges of addresses. Manual IP blocking is not practical for a large distributed attack, but it may be useful for smaller attacks. IP Blocker can be found in the security menu of cPanel.
DDoS attacks are an unfortunate reality for web hosting providers. They have grown in size and ease of execution over time. Between 2018 and 2019, the number of attacks more than doubled, and we can expect this trend to continue as long as there is money to be made by threatening the livelihoods of legitimate web hosts and site owners. Fortunately, with cPanel and WHM, as well as some planning, you can fight back and keep your users safe.