{"id":1026,"date":"2023-09-06T12:32:56","date_gmt":"2023-09-06T11:32:56","guid":{"rendered":"https:\/\/harmonweb.com\/blog\/?p=1026"},"modified":"2023-09-06T12:32:56","modified_gmt":"2023-09-06T11:32:56","slug":"how-to-survive-a-ddos-attack","status":"publish","type":"post","link":"https:\/\/harmonweb.com\/blog\/how-to-survive-a-ddos-attack\/","title":{"rendered":"How To Survive a DDoS Attack"},"content":{"rendered":"\n<p>DDoS attacks have the potential to bring any website offline. Even Google and GitHub, with their vast resources, struggle to remain operational during a large-scale attack. Worse, anyone with a few dollars can start one.<\/p>\n\n\n\n<p>If you host websites, you and your users may be subjected to a denial of service attack large enough to knock them offline for hours or even days. However, with the right tools, the worst effects of DDoS attacks can be avoided, which is why cPanel &amp; WHM include several DDoS mitigation features.<\/p>\n\n\n\n<p>In this article, we will define denial of service attacks, explain how they work, and describe what you can do to limit their impact.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Is_a_DDoS_Attack_and_How_Does_It_Work\"><\/span><strong>What Is a DDoS Attack and How Does It Work?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Before we get into Distributed Denial of Service (DDoS) attacks, let&#8217;s take a look at how a traditional DoS attack works.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Denial_of_Service_Attacks\"><\/span><strong>Denial of Service Attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A DoS attack is an attempt to overload a server with malicious requests and connections. The primary function of a server is to accept and process network connections. Each one consumes a portion of the available bandwidth, memory, and processing power, and too many can exhaust those resources, so that new connections are refused or time out. When this happens, the websites on that server cannot be accessed; they are effectively removed from the internet.<\/p>\n\n\n\n<p>Attackers exploit this limit by opening so many connections and sending so much data that the server or its network link becomes overwhelmed. You may wonder why administrators do not simply block hostile connections. 
That&#8217;s what makes DoS attacks so pernicious: how can we tell good connections from bad when they all look the same?<\/p>\n\n\n\n<p>The source IP address is one way to tell them apart. If a single address is about to overload a server, we can block it and carry on. Attackers know this, and it is one of the motivations for spreading an attack across many sources.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Distributed_Denial_of_Service_Attacks\"><\/span><strong>Distributed Denial of Service Attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In a DDoS attack the attacker uses a botnet of compromised machines, which can range from other servers to consumer laptops to network-connected security cameras. A botnet is a network of thousands of nodes that the attacker can remotely instruct to flood the target. Blocking individual bots is of limited use because there are so many of them, and each one sends only a share of the traffic, at a rate that can look like ordinary client activity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Amplification_Attacks\"><\/span><strong>Amplification Attacks<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>DDoS attacks can be made even more effective. Building a botnet large enough to bring down a well-prepared hosting provider is hard, so instead of attacking the target directly, attackers look for an online service that will amplify their requests.<\/p>\n\n\n\n<p>When you request a web page you send a small amount of data and the server replies with a much larger response. Some DNS servers, Network Time Protocol (NTP) servers, exposed databases and caches, and other services behave the same way.<\/p>\n\n\n\n<p>The attacker, for example, could use their botnet to send requests to an open NTP server. The initial request is small, only a few bytes, but the response can be around 200 times larger, so a single megabyte sent by the attacker can generate 200 megabytes of response traffic. 
Because NTP runs over UDP, which has no handshake, the attacker can spoof the source IP address of each request so that the amplified responses are delivered to the target rather than back to the botnet.<\/p>\n\n\n\n<p>This type of amplification is responsible for some of history&#8217;s largest DDoS attacks, including the 1.35 terabit-per-second memcached amplification attack on GitHub in February 2018.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Are_the_Types_of_DDoS_Attacks\"><\/span><strong>What Are the Types of DDoS Attacks?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The most common way to classify DDoS attacks is by the part of a network connection they target. Think of a connection as a stack of protocols and data formats, each layer relying on the one below it. HTTP, for example, runs on top of the lower-level TCP protocol.<\/p>\n\n\n\n<p>Why does this matter? Because the mitigation techniques differ depending on the layer an attack targets.<\/p>\n\n\n\n<p>The widely used Open Systems Interconnection (OSI) model divides a connection into seven layers.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Layer 1 is the physical layer, responsible for transmitting raw bits over the network hardware.<\/li><li>Layer 2 is the data link layer, which frames data for transmission between directly connected devices (Ethernet, for example).<\/li><li>Layer 3 is the network layer, which addresses and routes packets between networks (IP).<\/li><li>Layer 4 is the transport layer, where TCP and UDP operate.<\/li><li>Layer 5 is the session layer, which manages connections and sessions.<\/li><li>Layer 6 is the presentation layer, which handles data formats and encryption.<\/li><li>Layer 7 is the application layer, home to protocols such as HTTP; it is the layer we interact with when we click links or use web applications.<\/li><\/ul>\n\n\n\n<p>DDoS attacks are usually classified by the layer they target. 
A Layer 7 attack targets the application layer; HTTP floods against web applications and web servers are the typical example. The NTP amplification attack described above abuses an application-layer service, but what arrives at the victim is a flood of UDP packets, so it is usually treated as a volumetric Layer 3 and 4 attack and mitigated there. Layer 6 attacks frequently target SSL\/TLS, for example by forcing the server to perform large numbers of expensive handshakes. The popular SYN flood attack targets Layer 4, the transport layer, and exploits the way TCP allocates state for every half-open connection during the three-way handshake.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_Protect_Yourself_From_an_Attack\"><\/span><strong>How to Protect Yourself From an Attack<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>There is nothing you can do as a server administrator to stop attackers from sending malicious traffic at you. You can, however, configure your server&#8217;s firewall and web server to reject connections and requests from misbehaving IP addresses. Bear in mind that host-based mitigation only helps while your network link still has capacity: a volumetric attack that saturates the uplink has to be absorbed upstream, by your network provider or a DDoS scrubbing service, whatever the server itself does.<\/p>\n\n\n\n<p>cPanel &amp; WHM include several DDoS mitigation tools to help you protect users from denial of service attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Config_Server_Security_Firewall\"><\/span><strong>ConfigServer Security &amp; Firewall<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>ConfigServer Security &amp; Firewall (CSF), which provides a WHM plugin with a comprehensive configuration interface, is supported by cPanel &amp; WHM. To begin, install the plugin by following ConfigServer&#8217;s installation instructions.<\/p>\n\n\n\n<p>Next, go to the ConfigServer Security &amp; Firewall page in the Plugins section of the WHM sidebar menu. 
Scroll to the bottom and select Firewall Configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"299\" src=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-17-1024x299.png?v=1659866667\" alt=\"\" class=\"wp-image-1106\" srcset=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-17-1024x299.png 1024w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-17-300x87.png 300w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-17-768x224.png 768w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-17.png 1135w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Our goal is to enable Connection Tracking (the CT settings) and set the CT_LIMIT value, which controls how many concurrent connections the firewall allows from a single IP address; an address that exceeds it is blocked temporarily. During a DDoS attack, a large number of connections may arrive from the same IP address, and limiting connections per address helps to filter out that traffic.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"419\" src=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-18-1024x419.png?v=1659866705\" alt=\"\" class=\"wp-image-1107\" srcset=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-18-1024x419.png 1024w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-18-300x123.png 300w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-18-768x314.png 768w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-18.png 1114w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The correct value depends on the nature of the attack and your typical traffic patterns, so you should experiment, but 300 is a good starting point. 
If you set this value too low, legitimate clients will be blocked: a busy web page can easily open a dozen or more connections per visitor, and many users behind one NAT gateway share a single source address.<\/p>\n\n\n\n<p>On the same page, you may also want to change the PORTFLOOD value. PORTFLOOD rate-limits new connections to specific ports. Each entry has the form port;protocol;hits;interval, and several entries can be separated by commas. For example, if a server is being attacked on HTTP port 80, the following blocks an address that opens more than 50 new connections to port 80 within ten seconds; the block lasts only for the duration of the interval, after which the counter resets.<\/p>\n\n\n\n<p>PORTFLOOD = \"80;tcp;50;10\"<\/p>\n\n\n\n<p>Finally, the Layer 4 SYN flood is one of the most common and simplest denial of service attacks. SYN flood protection is included in CSF and can be enabled in the Port Flood Settings section of the configuration page.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-19.png\" alt=\"\" class=\"wp-image-1108\" width=\"768\" height=\"297\" srcset=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-19.png 1021w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-19-300x116.png 300w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-19-768x298.png 768w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p>Enable SYN flood protection (SYNFLOOD) and adjust the SYNFLOOD_RATE and SYNFLOOD_BURST settings, which set the rate of new SYN packets per second the server accepts and the burst above that rate it tolerates before it starts dropping them. The defaults may be too high to blunt an ongoing attack. The correct values depend on the specifics of the attack, but 75\/s and 50 are good starting points. 
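<\/p>\n\n\n\n<p>As an added example (our code, not part of the original article or of CSF itself), the following Python script turns the three rules discussed above into detection logic over constructed data, so that you can see what the CT_LIMIT, PORTFLOOD and SYNFLOOD thresholds act on before committing them to csf.conf, and so that you can triage a live server by feeding it the lines printed by ss -Htan. The thresholds are the starting values from the text; the sample records, the connection events and the function names are constructed for the example, and the half-open warning level is our own choice.<\/p>\n\n\n\n
```python
from collections import Counter, defaultdict, deque

# Thresholds matching the CSF settings discussed above.
CT_LIMIT = 300            # CT_LIMIT: concurrent connections allowed per source address
PORTFLOOD_PORT = 80       # PORTFLOOD 80;tcp;50;10 (port;protocol;hits;interval)
PORTFLOOD_HITS = 50
PORTFLOOD_INTERVAL = 10   # seconds
HALF_OPEN_WARN = 1000     # half-open handshakes before we suspect a SYN flood (our choice)


def split_addr(addr):
    '''Split an ss-style host:port (including [v6]:port and the LISTEN
    wildcard 0.0.0.0:*) into (host, port); port is None when not numeric.'''
    if ':' not in addr:
        return addr, None
    host, port = addr.rsplit(':', 1)
    return host.strip('[]'), int(port) if port.isdigit() else None


def parse_ss(lines):
    '''Parse the output of ss -Htan, whose columns are
    State Recv-Q Send-Q Local:Port Peer:Port, into (state, local_port, peer_ip).'''
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        _, local_port = split_addr(parts[3])
        peer_ip, _ = split_addr(parts[4])
        records.append((parts[0], local_port, peer_ip))
    return records


def over_ct_limit(records, limit=CT_LIMIT):
    '''CT_LIMIT analogue: peers holding more than limit connections at once
    (listening sockets have no peer and are skipped).'''
    per_peer = Counter(peer for state, _, peer in records if state != 'LISTEN')
    return {peer: n for peer, n in per_peer.items() if n > limit}


def half_open(records):
    '''SYN flood indicator: sockets stuck in SYN-RECV because the client
    never finished the handshake (typical when source addresses are spoofed).'''
    return sum(1 for state, _, _ in records if state == 'SYN-RECV')


def port_flood(events, port=PORTFLOOD_PORT, hits=PORTFLOOD_HITS,
               interval=PORTFLOOD_INTERVAL):
    '''PORTFLOOD analogue over (timestamp, peer_ip, dst_port) connection events:
    report a peer that opens more than hits new connections to port within
    any interval-second window.'''
    windows = defaultdict(deque)
    offenders = set()
    for ts, peer, dport in sorted(events):
        if dport != port:
            continue
        window = windows[peer]
        window.append(ts)
        while ts - window[0] > interval:
            window.popleft()
        if len(window) > hits:
            offenders.add(peer)
    return offenders


# Constructed sample in ss -Htan format: one address holding 301 connections,
# a normal visitor with two, and 1200 half-open handshakes from many sources.
SAMPLE_SS = ['LISTEN 0 128 0.0.0.0:80 0.0.0.0:*']
SAMPLE_SS += ['ESTAB 0 0 203.0.113.10:80 198.51.100.7:%d' % (40000 + i) for i in range(301)]
SAMPLE_SS += ['ESTAB 0 0 203.0.113.10:443 192.0.2.5:51000',
              'ESTAB 0 0 203.0.113.10:443 192.0.2.5:51001']
SAMPLE_SS += ['SYN-RECV 0 0 203.0.113.10:80 192.0.2.%d:%d' % (i % 254 + 1, 50000 + i)
              for i in range(1200)]

# Constructed connection events: 60 new connections to port 80 from one
# address in six seconds, a visitor opening 20, and unrelated port 443 traffic.
SAMPLE_EVENTS = [(0.1 * i, '198.51.100.7', 80) for i in range(60)]
SAMPLE_EVENTS += [(0.3 * i, '192.0.2.5', 80) for i in range(20)]
SAMPLE_EVENTS += [(0.1 * i, '198.51.100.7', 443) for i in range(60)]


def triage(ss_lines=SAMPLE_SS, events=SAMPLE_EVENTS):
    '''Summarise what each CSF rule would act on for the given data.'''
    records = parse_ss(ss_lines)
    hanging = half_open(records)
    return {
        'over_ct_limit': over_ct_limit(records),
        'half_open': hanging,
        'syn_flood_suspected': hanging > HALF_OPEN_WARN,
        'port_flood': sorted(port_flood(events)),
    }


if __name__ == '__main__':
    for name, value in triage().items():
        print(name, value)
```
\n\n\n\n<p>On the sample data the script reports 198.51.100.7 for both the CT_LIMIT and the PORTFLOOD rule and flags the 1200 half-open handshakes, while the visitor at 192.0.2.5 is untouched. Addresses it reports on a live server can be blocked immediately with csf -d followed by the address, and the counts tell you whether a lower CT_LIMIT or a tighter PORTFLOOD entry would catch the attack traffic without catching normal visitors.<\/p>\n\n\n\n<p>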
Keep in mind that if you set these values too low, legitimate visitors will have trouble connecting; dropped SYNs show up for them as slow or failed page loads.<\/p>\n\n\n\n<p>SYN flood protection should be enabled only while an attack is in progress, because once the limit is triggered it slows down all new connections from every IP address, not just the attacker&#8217;s.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Mod_Evasive\"><\/span><strong>Mod_Evasive<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>mod_evasive is an Apache module that provides basic Layer 7 DDoS mitigation. It detects potential web application floods and takes evasive action by rate-limiting IP addresses that make too many requests in a short period of time, answering further requests from them with an HTTP 403 for a blocking period.<\/p>\n\n\n\n<p>We must first install the mod_evasive module. Navigate to the Software menu in WHM and select EasyApache 4. Open the Apache Modules tab, search for &#8220;mod_evasive,&#8221; and click the install button.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"351\" src=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-20-1024x351.png?v=1659866990\" alt=\"\" class=\"wp-image-1109\" srcset=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-20-1024x351.png 1024w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-20-300x103.png 300w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-20-768x263.png 768w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-20.png 1183w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>After that, go to the Review tab, scroll to the bottom of the page, and click Provision. 
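<\/p>\n\n\n\n<p>To make the rate limiting concrete, here is an added example (our code, not code from the article or from mod_evasive) that applies mod_evasive&#8217;s counting rules to constructed access-log lines: a client is refused with a 403 when it requests the same URI more than DOSPageCount times within DOSPageInterval seconds, or any URI more than DOSSiteCount times within DOSSiteInterval seconds, and stays refused for DOSBlockingPeriod seconds, with each refused request extending the block. The threshold values are the upstream defaults; the model of the hit table is simplified, and the log lines, the client addresses and the function names are constructed for the example. The proxy scenario at the end shows why a reverse proxy or CDN in front of the server must be whitelisted.<\/p>\n\n\n\n
```python
from collections import defaultdict
from datetime import datetime

# Upstream mod_evasive defaults; override them in 300-mod_evasive.conf.
DOS_PAGE_COUNT = 2        # DOSPageCount: hits on the same URI allowed per DOSPageInterval
DOS_PAGE_INTERVAL = 1     # DOSPageInterval, seconds
DOS_SITE_COUNT = 50       # DOSSiteCount: hits on any URI allowed per DOSSiteInterval
DOS_SITE_INTERVAL = 1     # DOSSiteInterval, seconds
DOS_BLOCKING_PERIOD = 10  # DOSBlockingPeriod: seconds an offender keeps receiving 403
DOS_WHITELIST = set()     # DOSWhitelist: addresses that are never rate-limited

Q = chr(34)  # the double-quote character that delimits the request field in a log line


def parse_clf(line):
    '''Parse one common-log-format line into (epoch_seconds, client_ip, uri).'''
    ip = line.split(' ', 1)[0]
    stamp = line[line.index('[') + 1:line.index(']')]
    when = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
    request = line.split(Q)[1]          # e.g. GET /wp-login.php HTTP/1.1
    return int(when.timestamp()), ip, request.split(' ')[1]


class Evasive:
    '''Simplified model of the per-IP and per-IP-plus-URI hit table in mod_evasive.'''

    def __init__(self, whitelist=DOS_WHITELIST):
        self.whitelist = whitelist
        self.hits = {}       # key -> [time of last hit, hits inside the interval]
        self.blocked = {}    # ip -> time of the last request refused with 403

    def _over(self, key, t, interval, limit):
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = [t, 1]
            return False
        last, count = entry
        over = t - last < interval and count >= limit
        if not over and t - last >= interval:
            count = 0                     # interval expired: start counting again
        self.hits[key] = [t, count + 1]
        return over

    def check(self, t, ip, uri):
        '''Return 403 for a request mod_evasive would refuse, otherwise 200.'''
        if ip in self.whitelist:
            return 200
        if ip in self.blocked and t - self.blocked[ip] < DOS_BLOCKING_PERIOD:
            self.blocked[ip] = t          # a refused request extends the block
            return 403
        page = self._over((ip, uri), t, DOS_PAGE_INTERVAL, DOS_PAGE_COUNT)
        site = self._over(ip, t, DOS_SITE_INTERVAL, DOS_SITE_COUNT)
        if page or site:
            self.blocked[ip] = t
            return 403
        return 200


def replay(lines, whitelist=DOS_WHITELIST):
    '''Replay access-log lines through the model and count 403s per client address.'''
    model = Evasive(whitelist)
    refused = defaultdict(int)
    for line in lines:
        t, ip, uri = parse_clf(line)
        if model.check(t, ip, uri) == 403:
            refused[ip] += 1
    return dict(refused)


def clf(ip, second, uri):
    '''Build a constructed common-log-format line at 12:00 plus the given second.'''
    stamp = '06/Sep/2023:12:00:%02d +0100' % second
    return '%s - - [%s] %sGET %s HTTP/1.1%s 200 512' % (ip, stamp, Q, uri, Q)


# Constructed traffic: a login-page flood at 20 requests per second for five
# seconds, with an ordinary visitor loading a page and two assets in the middle.
FLOOD = [clf('198.51.100.7', i // 20, '/wp-login.php') for i in range(100)]
VISITOR = [clf('192.0.2.5', 3, uri) for uri in ('/', '/style.css', '/app.js')]
SAMPLE_LOG = FLOOD[:60] + VISITOR + FLOOD[60:]

# The same traffic as seen behind a reverse proxy: every line carries the
# proxy address, so the visitor is refused along with the attacker unless
# the proxy is whitelisted (real client addresses then come from X-Forwarded-For).
PROXY = '203.0.113.2'
PROXY_LOG = [PROXY + line[line.index(' '):] for line in SAMPLE_LOG]


if __name__ == '__main__':
    print('direct:', replay(SAMPLE_LOG))                     # flood refused, visitor fine
    print('behind proxy:', replay(PROXY_LOG))                # visitor refused too
    print('proxy whitelisted:', replay(PROXY_LOG, {PROXY}))  # nothing refused
```
\n\n\n\n<p>Replayed directly, 98 of the 100 flood requests are refused (the third request for the same page trips DOSPageCount, and the block then renews itself) while the visitor is never touched; behind an unwhitelisted proxy the visitor&#8217;s three requests are refused as well, and with the proxy whitelisted mod_evasive does nothing at all, which is why rate limiting behind a proxy has to happen at the proxy or use the forwarded client address.<\/p>\n\n\n\n<p>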
The module and its dependencies may take a short while to install in WHM.<\/p>\n\n\n\n<p>The module has reasonable defaults, but you may want to modify the configuration file, which is located on the server&#8217;s filesystem at:<\/p>\n\n\n\n<p>\/etc\/apache2\/conf.d\/300-mod_evasive.conf<\/p>\n\n\n\n<p>Set an email address with the DOSEmailNotify directive if you want mod_evasive to send an email when it blocks an IP address. The comment symbol (#) at the beginning of the line may need to be removed. The directives that control the rate limit are DOSPageCount and DOSPageInterval (requests for the same URI per interval), DOSSiteCount and DOSSiteInterval (requests for any URI per interval) and DOSBlockingPeriod (how many seconds an offending address keeps receiving 403 responses). One caveat: if the server sits behind a reverse proxy or CDN, every request arrives from the proxy&#8217;s address, so list that address with DOSWhitelist or mod_evasive will block the proxy, and with it all of your users. Restart Apache (for example from WHM&#8217;s Restart Services menu) for changes to take effect.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"199\" src=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-21-1024x199.png?v=1659867109\" alt=\"\" class=\"wp-image-1110\" srcset=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-21-1024x199.png 1024w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-21-300x58.png 300w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-21-768x149.png 768w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-21.png 1266w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_cPanel_IP_Blocker\"><\/span><strong>The cPanel IP Blocker<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>cPanel includes an IP Blocker that can be used to block individual addresses as well as ranges of addresses. Manual IP blocking is not practical for a large distributed attack, but it may be useful for smaller attacks that come from a handful of sources. 
IP Blocker can be found in the Security section of cPanel. It works by adding deny rules to the account&#8217;s .htaccess file, so a blocked client is refused by Apache rather than by the packet filter and still costs the server a connection and a request; when the volume is high, a firewall-level block in CSF is the better tool.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.cpanel.com\/wp-content\/uploads\/2020\/08\/03-ip-blocker-cpanel.png\" alt=\"\" class=\"wp-image-56901\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"260\" src=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-22.png\" alt=\"\" class=\"wp-image-1113\" srcset=\"https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-22.png 975w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-22-300x80.png 300w, https:\/\/harmonweb.com\/blog\/wp-content\/uploads\/2022\/08\/image-22-768x205.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<p>DDoS attacks are an unfortunate reality for web hosting providers. They have grown in size and ease of execution over time. Industry reports put the growth in the number of attacks between 2018 and 2019 at more than double, and we can expect the trend to continue as long as there is money to be made by threatening the livelihoods of legitimate web hosts and site owners. Fortunately, with cPanel &amp; WHM, some planning, and an upstream provider that can absorb the traffic your server cannot, you can fight back and keep your users online.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DDoS attacks have the potential to bring any website offline. 
Even Google and GitHub, with their vast resources,&hellip;<\/p>\n","protected":false},"author":1,"featured_media":1115,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[158],"tags":[],"class_list":["post-1026","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-troubleshooting"],"_links":{"self":[{"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/posts\/1026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/comments?post=1026"}],"version-history":[{"count":3,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/posts\/1026\/revisions"}],"predecessor-version":[{"id":1114,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/posts\/1026\/revisions\/1114"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/media\/1115"}],"wp:attachment":[{"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/media?parent=1026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/categories?post=1026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harmonweb.com\/blog\/wp-json\/wp\/v2\/tags?post=1026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}