DDoS protection with Greenhost

It is not uncommon to read in the news about websites being taken offline by malicious DDoS attacks. At Greenhost, we strive to provide the best protection for your website against such threats.

In this article you will learn about various types of DDoS and similar attacks, and what we do to protect your website.

DDoS Image
DDoS (CC-BY-SA 4.0 – Sagor Kumar sr)

DDoS attack, what is it?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to take a website offline. The attacker floods the website's server or network connection with massive amounts of requests or data, overwhelming the server so much that it becomes impossible to respond to legitimate requests from actual users. The result of a DDoS attack for end users is, best case, very long page loads and, worst case, inability to access any page or data.

Unlike a traditional Denial of Service (DoS) attack, which typically originates from a single location, DDoS attacks use a large number of internet-connected devices to launch the attack, making it much more difficult to block. With the proliferation of the Internet of Things, the number of “connected” devices and appliances rose exponentially in the past years. These devices often are very easy to take over, making it DDoS attacks much more effective as well as cheaper and simpler.

The motivations behind DDoS attacks can vary, from being political in nature to various types of conflicts between website owners and attackers. The aim can be either to disrupt someone’s work, or to make sure certain content cannot be visible and accessible by users. Technically the goal is the same for both aims: overloading the website's server, so that it is unable to handle the number of requests, and ultimately, making the content unavailable to users.

Different types of DDoS attack

Volume-based attacks

Internet servers are connected to the Internet’s backbone via dedicated network connections, each with a limited capacity. In a volume-based attack, the attacker attempts to overwhelm that capacity by sending a large volume of data to the server. If the connection reaches its capacity, the server (and all the websites hosted on it) will become unavailable, and will tend to stay offline even after the attack.

Carrying out such an attack requires a wide range of internet-connected devices and the ability to coordinate their attack to the targeted website, which is often achieved through the use of botnets, or by some other type of orchestrating hacked devices that are under the attacker’s control.

A volume-based attack can also use a technique known as “amplification” to greatly enhance its power. In an amplification attack, the attacker first uses spoofing to make it seem like the requests they make are coming from the victim’s server. Then, they send a request for a public resource, like a DNS query, and route the reply to the victim’s website. This attack works best using a protocol where the request is small, but the answer is large (like DNS requests). This allows the attacker to route large amounts of data to the victim, while using only a small amount of bandwidth from its own connection to make the initial request.

Volume-based attacks are often short in nature: from a few minutes up to an hour. We never experienced attacks longer then a few hours: however, even if short, their size can be huge and very disruptive to the infrastructure.

Protection against volume based attacks

To defend against (volume-based) DDoS attacks, a hosting provider needs two key components:

  • large enough capacity to handle massive spikes of incoming traffic; and
  • the ability to process and filter that traffic in real time.

The amount of data transferred in DDoS attacks can range from a few gigabits per second to more than a petabit per second — a million times larger than a gigabit. The infrastructure required to handle such huge transfers requirements is very expensive, making it very hard for a single entity to have the necessary hardware in place.

Greenhost is protected against huge spikes of malicious activity by being connected to NBIP's NaWaS service: a non-profit hosting association specialized in absorbing massive amounts of DDoS data flows. NaWaS provides shared protection among its members, reducing costs and providing protection to a wide range of providers.

If a DDoS attack is detected by Greenhost's systems, part of the traffic spike will be automatically rerouted to NBIP, spreading the weight of the attack, and providing breathing space that helps us maintain clean and open traffic routes to regular users. Once the attack is over, all traffic is routed back to its normal path. This allows Greenhost to sustain high-volume DDoS attacks and keep websites safe.

Higher level attacks (HTTP(S))

Another type of attack directly targets the HTTPS layer: the protocol that connects the web browsing clients with the server that host the website. The goal of a HTTPS attack is to deplete the server’s system resources: instead of overwhelming network connections, the attacker aims to overload the server’s CPU.

Every time a visitor accesses a page, the server will generate the contents of that page and send it to the visitor. This process always requires some amount of CPU load on the server. If many requests are received at the same time, the server may become overwhelmed and unable to handle the volume of requests.

Attackers often try to identify pages that require a lot of CPU resources, with a common target being the search page. Search pages typically involve searching through a large amount of data for keywords, consuming a significant amount of resources on the server. Attackers then try to overwhelm the servers by making repeated search requests.

Protections against higher-layer attacks

At Greenhost, we use real-time software to detect malicious behaviour. Each request on our network is analysed and given a score, with higher scores assigned to requests that are more resource-intensive, such as a search request. If a single user's requests reach a certain threshold within a specified time frame, their IP is temporarily blocked from accessing that resource. This enables us to quickly block IPs involved in a DDoS attack, ensuring that the website remains accessible.

Advanced protection with Deflect


Deflect partnership

We partner with Deflect to provide advanced DDoS protection against attacks that our own measures may not be able to fully defend against. Deflect uses advanced tools to detect and block attacks, including the implementation of automated challenges such as the "I am a human" test. During an attack, these challenges are automatically enabled to provide advanced protection. Once the attack is over, the challenges are disabled, ensuring minimal disruption for the end-user. If you have a high-risk website and often experience attacks, adding Deflect protection will help mitigate those attacks and makes sure your website stays online. There are many commercial DDoS protection providers: we chose to partner with Deflect because of their track record supporting human rights groups, which aligns with our values and those of our community.