Greetings!
I am the owner of a website that has a specific focus and has faced fierce competition from a number of unscrupulous competitors. Unfortunately, our server has been subjected to severe attacks for the past four months, causing two hosting providers - FirstDEDIC & REG - to abandon us. We had hoped that our second provider, DDoS GUARD, would offer protection against such attacks, but unfortunately, we were still unable to prevent significant losses in our audience due to being frozen.
We tried every available option to address this issue, but even after reviewing Packet Filter documentation, we were only able to handle dd attacks up to a limit of a four-gigabit syn-flood with IP address substitution, leaving us quite vulnerable. Our budget is limited to $60 per month for server expenses, or a maximum of $6K to purchase our own modest machine running FreeBSD that we can use to host the site and perform other important tasks related to the project.
We're currently weighing the option of buying our own server as a way to avoid future headaches, but we're concerned about the possibility of our internet provider imposing sanctions as a result of DDoS attacks. Furthermore, we're unsure about the feasibility of hosting a server at home.
Thank you.
It's pointless to rely on your "home" channel's security since even a couple of amateur hackers can easily breach it.
It would be wise to look for a web hosting service that offers DDoS protection. CloudFire and qrator.net/en are good options to consider. Personally, I would suggest Soyoustart as they provide anti-DDOS measures in their hosting plans starting at 30 euros.
Is there any chance that you will be able to defend yourself from a four-gigabit DDOS attack while using a fifty-megabit Internet connection provided by your home provider? Of course not.
If you want to protect yourself, you need to invest in a better Internet channel, purchase high-quality network hardware, and also consider increasing your budget to buy the right equipment to safeguard your website against cyber-attacks. A budget of $40,000 is quite reasonable for this purpose.
Alternatively, you could opt for specialized services that provide website protection at a fair price.
If you buy a server for $6K and it experiences a SYN-flood attack of 4 Gbit/s intensity, it is unlikely that you will be able to defend against it using just a signature.
This means that every time the attacker changes their attack signature, you will need to create a new rule to protect against it. This process will need to be repeated until the attacker begins using packets that are practically indistinguishable from legitimate ones, which makes it even harder to defend against.
I would like to provide you with some recommendations to address the DDoS attacks your website is facing:
1. Invest in a robust DDoS mitigation service: While your budget is limited, it's crucial to prioritize DDoS protection. Consider exploring services like Cloudflare, Sucuri, or Imperva, which offer affordable DDoS mitigation plans starting from $20-$50 per month. These services can effectively absorb and mitigate even the most sophisticated DDoS attacks, protecting your website and ensuring its availability.
2. Explore cloud-based hosting solutions: Instead of hosting your website on a dedicated server, consider moving to a cloud-based hosting platform, such as Amazon Web Services (AWS), Google Cloud, or Microsoft Azure. These platforms often have built-in DDoS protection mechanisms and can scale resources automatically to handle sudden traffic spikes during attacks. Cloud-based hosting may be more cost-effective than maintaining your own server, and you can start with a low-cost plan and scale up as needed.
3. Implement a content delivery network (CDN): Integrate a CDN, such as Cloudflare or Amazon CloudFront, to distribute your website's static content (images, CSS, JavaScript) from servers closer to your users. This can help mitigate the impact of DDoS attacks by distributing the load across multiple locations, reducing the strain on your origin server.
4. Strengthen your network security: Review the Packet Filter documentation and consider implementing advanced firewall rules, such as rate-limiting, IP blacklisting, and TCP SYN cookies, to better defend against specific types of DDoS attacks. Additionally, ensure that your server's operating system and software are up-to-date, as security patches can help mitigate vulnerabilities that could be exploited during an attack.
5. Consider a hybrid approach: If hosting your website on a cloud-based platform is not feasible, you could consider a hybrid approach. Purchase a modest server running FreeBSD, as you mentioned, and use it as the origin server. Then, integrate a CDN and a DDoS mitigation service to handle the incoming traffic and protect your origin server.
6. Engage with your internet service provider (ISP): Discuss the DDoS attacks with your ISP and explore options for additional protection or mitigation measures they can provide. Some ISPs offer specialized DDoS mitigation services or can help you configure your network settings to better handle these attacks.
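The Packet Filter measures named in item 4 (rate limiting, IP blacklisting, SYN cookies) can be combined in one `pf.conf` fragment for a FreeBSD origin server. This is an added example, not part of any post in the thread; the interface name, ports and all numeric limits are assumptions to tune for the site, and `set syncookies` needs a pf build that supports it (FreeBSD 13 or later).

```conf
# /etc/pf.conf fragment (added example; names and limits are assumptions)

# --- Macros ---
ext_if    = "em0"              # assumed external interface
web_ports = "{ 80, 443 }"      # assumed public services

# --- Tables ---
# IP blacklist: filled automatically by the overload rule below.
table <abusers> persist

# --- Options ---
set skip on lo0
# Headroom for the state table during a flood (assumed value).
set limit states 500000
# SYN cookies: pf answers SYNs statelessly once half-open states exceed
# 25% of the state limit and returns to normal handling below 12%.
set syncookies adaptive (start 25%, end 12%)

# --- Normalization ---
scrub in on $ext_if all fragment reassemble

# --- Filtering ---
# Drop everything from sources already caught by the rate limits.
block in quick on $ext_if from <abusers>

# Rate limiting per source address:
#   max-src-conn       concurrent established connections per source
#   max-src-conn-rate  new connections per source per interval (30 in 10 s)
#   overload           put offenders in <abusers>; flush global kills
#                      every state they already hold
# Both counters apply only to connections that completed the TCP
# handshake, so they catch real clients that hammer the site, not a
# spoofed SYN flood. The spoofed flood is what the syncookies option
# above is for.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 30/10, \
     overload <abusers> flush global)

pass out on $ext_if all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect or age out the blacklist with `pfctl -t abusers -T show` and `pfctl -t abusers -T expire 3600`. These rules only protect the host's state table and CPU; they do nothing once the flood exceeds the capacity of the uplink itself.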