DDoS (Distributed Denial of Service) is an attack where thousands of infected computers simultaneously send requests to your server, overloading it and making it unavailable to real users. Anti-DDoS protection automatically filters malicious traffic, preventing it from reaching your server.
How a DDoS Attack Works
Attack goal: make your website or service unavailable.
Method: send an enormous volume of requests exceeding server capacity.
Sources: a botnet of thousands of infected computers (zombie machines).
Result:
- Website won't open
- API doesn't respond
- Server overloaded
- Real users cannot connect
Typical scenario:
- Attacker rents a botnet (5,000-100,000 computers)
- Launches attack on your IP address
- All computers simultaneously send requests
- Your bandwidth/server can't handle it
- Site goes down
Types of DDoS Attacks
Volumetric (Volume Attacks)
Goal: Overwhelm bandwidth with huge traffic volume.
Methods:
- UDP Flood (UDP packets)
- ICMP Flood (ping flood)
- DNS Amplification (amplification through DNS)
Scale: 10-100+ Gbps traffic.
Example: 50 Gbps attack on your 10 Gbps channel—site completely unavailable.
Protocol Attacks
Goal: Exhaust server or network equipment resources.
Methods:
- SYN Flood (incomplete TCP connections)
- Ping of Death
- Smurf Attack
Scale: thousands of requests per second.
Example: 100,000 SYN requests fill the connection table, so new requests aren't processed.
Application Layer Attacks
Goal: Overload specific application or service.
Methods:
- HTTP Flood (GET/POST requests)
- Slowloris (slow requests)
- WordPress XML-RPC attacks
Scale: even 100-1000 requests can take a site down.
Example: 500 simultaneous requests to heavy report generation script—server overloaded.
DDoS Attack Consequences
For Business
Financial losses:
- E-commerce unavailable = lost sales
- 1 hour downtime can cost $10,000-$100,000
- Black Friday attack = catastrophe
Reputation:
- Customers can't access site
- Negative reviews
- Switch to competitors
SEO:
- Google demotes unavailable sites in rankings
- Lost positions
For Technical Infrastructure
Overload:
- Server unavailable
- Databases not responding
- Other services on same VPS slow down
Additional costs:
- Traffic limit exceeded (if applicable)
- Pay-per-attack protection
- Emergency migration expenses
How Anti-DDoS Protection Works
Level 1: Network Edge Filtering
Where: Provider's data center.
How: Specialized equipment (Arbor, Radware) analyzes all incoming traffic.
What it does:
- Detects anomalies (sudden traffic spike)
- Blocks malicious packets
- Passes legitimate traffic
Speed: milliseconds.
Level 2: Scrubbing Center
Where: Specialized traffic cleaning center.
How: All traffic redirected through scrubbing center during attack.
What it does:
- Deep analysis of each packet
- Machine learning for bot detection
- Filters out 99% of malicious traffic
Latency: +5-15 ms delay.
Level 3: Application Firewall
Where: On server or through CDN.
How: HTTP request analysis, JavaScript challenges, CAPTCHA.
What it does:
- Blocks bots at application level
- Challenge-response tests
- Rate limiting (request frequency limitation)
Types of Anti-DDoS Protection
Always-On (Permanent Protection)
How it works: All traffic always goes through filtering system.
Advantages:
- Instant attack response
- No service interruption
- Continuous monitoring
Disadvantages:
- Small added latency (+2-5 ms)
- More expensive
Recommended for:
- Critical business services
- E-commerce
- Financial platforms
On-Demand (Protection on Request)
How it works: Activates only when an attack is detected.
Advantages:
- No latency during normal operation
- Cheaper
Disadvantages:
- Activation delay 5-15 minutes
- Site will go down before activation
- Requires manual enablement
Recommended for:
- Non-critical projects
- Small business
Hybrid Protection
How it works: Basic always-on protection + additional during serious attack.
Optimal choice: balance of speed and cost.
Protection Levels
Basic Protection (Enabled by Default)
What it protects:
- SYN Flood
- UDP Flood
- ICMP Flood
- Basic volumetric attacks
Volume: up to 10 Gbps.
On THE.Hosting: included free on all VPS.
Extended Protection
What it protects:
- Everything from basic +
- DNS Amplification
- NTP Amplification
- Complex protocol attacks
Volume: up to 100+ Gbps.
Price: ~$50-200/month depending on provider.
Enterprise Protection
What it protects:
- Everything from extended +
- Application Layer (HTTP Flood, Slowloris)
- Zero-day attacks
- Targeted attacks
Volume: 1+ Tbps.
Price: from $500/month.
Recommended for:
- Large business
- Government portals
- Banks
Cloudflare as Additional Protection
What is Cloudflare:
- CDN + WAF + DDoS protection
- Free basic plan
- Proxy between users and your server
How it works:
- DNS points to Cloudflare
- Cloudflare accepts all traffic
- Filters attacks
- Clean traffic sent to your VPS
Advantages:
- Free protection from small attacks
- CDN speeds up site
- SSL out of the box
- Firewall rules
Limitations:
- Free plan: up to ~10 Gbps
- Doesn't protect non-HTTP services (SSH, FTP, game servers)
- Your real IP can leak
Recommendation: Use Cloudflare + provider's Anti-DDoS for maximum protection.
DDoS Attack Signs
How to know you're under attack:
- Sudden traffic spike (10-100x increase)
- Site unavailable or loads 30+ seconds
- CPU at 100% without apparent reason
- Thousands of identical requests in logs
- Server doesn't respond to SSH
- Provider notifies about unusual activity
Check current traffic:
vnstat -l
Check active connections:
netstat -an | grep ESTABLISHED | wc -l
If you see 5000+ connections—possible attack.
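An ESTABLISHED count alone does not show the half-open connections that a SYN flood leaves behind, so this added example (not part of the original article) breaks `netstat -an` output down by TCP state and lists the busiest remote addresses. The function names and the sample input are constructed for illustration; the state names are those printed by Linux netstat.

```shell
#!/bin/sh
# Added example: summarise `netstat -an` output by TCP state and by remote peer.
# State names (SYN_RECV, ESTABLISHED, ...) are those printed by Linux netstat.

# conn_states: netstat -an text on stdin -> "STATE count" lines, sorted by name.
conn_states() {
  awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
       END { for (s in n) print s, n[s] }' | sort
}

# top_remotes N: netstat -an text on stdin -> "count ip" for the N busiest peers.
top_remotes() {
  awk '$1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
         ip = $5; sub(/:[0-9]+$/, "", ip)   # drop the port, keep the address
         c[ip]++
       }
       END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2 | head -n "$1"
}

# Constructed sample input: 4 half-open connections from 4 addresses and
# 2 established connections from one client (documentation address ranges).
sample_netstat() {
  printf 'Proto Recv-Q Send-Q Local Address     Foreign Address     State\n'
  printf 'tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN\n'
  i=1
  while [ "$i" -le 4 ]; do
    printf 'tcp 0 0 203.0.113.42:443 198.51.100.%s:4000%s SYN_RECV\n' "$i" "$i"
    i=$((i + 1))
  done
  printf 'tcp 0 0 203.0.113.42:443 192.0.2.10:51000 ESTABLISHED\n'
  printf 'tcp 0 0 203.0.113.42:443 192.0.2.10:51001 ESTABLISHED\n'
}

sample_netstat | conn_states      # on a live host: netstat -an | conn_states
sample_netstat | top_remotes 3    # on a live host: netstat -an | top_remotes 3
```

A SYN_RECV count that dwarfs ESTABLISHED points at the SYN flood case described earlier, while a very high ESTABLISHED count spread over many peers fits an application-layer flood.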
Analyze Apache/Nginx logs:
tail -f /var/log/nginx/access.log
If you see thousands of identical requests from different IPs—it's an attack.
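Watching `tail -f` by eye does not scale during an incident, so the following added example (not part of the original article) counts, for each request, how many times it appears and from how many distinct client IPs. It assumes the Nginx/Apache "combined" log format; the function names, thresholds and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag requests repeated many times from many distinct client
# IPs in a "combined" format access log.

# flood_candidates LOGFILE MIN_HITS MIN_IPS
# Prints "hits distinct_ips METHOD path", busiest first.
flood_candidates() {
  awk -v min_hits="$2" -v min_ips="$3" '
    BEGIN { FS = "\"" }                 # field 2 is then the request line
    {
      split($1, head, " "); ip = head[1]
      if (split($2, req, " ") < 2) next # skip malformed request lines
      sub(/\?.*/, "", req[2])           # ignore query strings when grouping
      key = req[1] " " req[2]
      hits[key]++
      if (!((key, ip) in seen)) { seen[key, ip] = 1; ips[key]++ }
    }
    END {
      for (k in hits)
        if (hits[k] >= min_hits && ips[k] >= min_ips)
          print hits[k], ips[k], k
    }
  ' "$1" | sort -k1,1nr
}

# Constructed sample: 6 IPs posting to /xmlrpc.php, 1 IP requesting /report
# 5 times, and two ordinary page views (documentation address ranges).
write_sample_log() {
  {
    i=1
    while [ "$i" -le 6 ]; do
      printf '198.51.100.%s - - [01/Jan/2025:15:30:0%s +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"\n' "$i" "$i"
      i=$((i + 1))
    done
    i=1
    while [ "$i" -le 5 ]; do
      printf '192.0.2.10 - - [01/Jan/2025:15:31:0%s +0000] "GET /report?id=%s HTTP/1.1" 200 9000 "-" "-"\n' "$i" "$i"
      i=$((i + 1))
    done
    printf '192.0.2.20 - - [01/Jan/2025:15:32:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"\n'
    printf '192.0.2.21 - - [01/Jan/2025:15:32:01 +0000] "GET / HTTP/1.1" 200 512 "-" "-"\n'
  } > "$1"
}

sample=$(mktemp)
write_sample_log "$sample"
flood_candidates "$sample" 5 3   # on a live host: /var/log/nginx/access.log
rm -f "$sample"
```

A request with many hits from a single IP is a candidate for a per-IP rate limit or ban, while one with many hits spread across many IPs matches the distributed pattern described above.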
What to Do During Attack
Immediate Actions
Step 1: Enable Provider Protection
Open ticket with subject "DDoS Attack":
IP address: 203.0.113.42
Attack type: HTTP Flood
Start time: 15:30 UTC
Status: site unavailable
Step 2: Enable Cloudflare
If you are not using it yet, activate it immediately:
- Register at cloudflare.com
- Add domain
- Change NS records at registrar
- Enable "Under Attack" mode
Step 3: Limit Rate
Temporarily limit request count:
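Nginx:
# in the http {} block: shared zone "one", keyed by client address
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
# in the http, server or location block you want to limit
limit_req zone=one burst=20;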
Apache:
<IfModule mod_evasive24.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 100
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
Long-term Measures
After attack:
- Hide real server IP (through Cloudflare)
- Configure fail2ban for auto-blocking
- Enable permanent Anti-DDoS protection
- Set up monitoring and alerts
- Create attack response plan
DDoS Attack Cost
For Attacker
Botnet rental:
- 1 hour 10 Gbps attack: $20-50
- 1 day 50 Gbps attack: $300-500
- Week 100 Gbps attack: $2000-5000
Conclusion: Attacking is relatively cheap.
For Victim
Without protection:
- Site downtime: $1,000-50,000 lost profit per day
- Reputation losses: irreparable
- Migration to protected hosting: $500-5,000
With protection:
- Attack deflected: $0 losses
- Site operates stably
Conclusion: Protection pays off with first attack.
Who Usually Gets Attacked
Risk Groups
High risk:
- E-commerce stores (especially during sales season)
- Online casinos and bookmakers
- Financial services
- Market competitors
- Game servers
- Political/news sites
Medium risk:
- Large corporate websites
- SaaS platforms
- Popular blogs
Low risk:
- Personal blogs
- Business card sites
- Non-profit projects
Attack Motives
- Competition: Take down competitor's site during peak sales
- Extortion: "Pay Bitcoin or we continue attacking"
- Revenge: Dissatisfied clients, former employees
- Politics: Activism, censorship, information warfare
- For fun: Script kiddies, power demonstration
Preventive Measures
Architectural Solutions
CDN (Content Delivery Network):
- Cloudflare, Akamai, Fastly
- Distributes load worldwide
- Caches static content
Load Balancer:
- Distributes traffic between servers
- During attack on one server—switch to another
Auto-scaling:
- Automatic capacity increase during load growth
- Kubernetes, AWS Auto Scaling
Server Configuration
Rate Limiting:
- Request limitation per IP
- 10-100 requests per second—normal
Firewall Rules:
- Block known botnets
- Geo-blocking (if you don't need visits from certain countries)
Fail2ban:
- Automatic IP blocking after N failed attempts
- Protects SSH, FTP, control panels
Monitoring
Alerts when:
- Traffic exceeds normal by 3+ times
- CPU > 80% for 5+ minutes
- More than 1,000 simultaneous connections
- Site not responding
Tools:
- UptimeRobot (availability check)
- Grafana + Prometheus (metrics monitoring)
- Cloudflare Analytics (traffic analysis)
Anti-DDoS on THE.Hosting
Basic protection:
- Included free on all VPS
- Protection from volumetric attacks up to 10 Gbps
- SYN/UDP/ICMP flood filtering
- Automatic activation
Extended protection:
- Protection up to 100+ Gbps
- Application-layer filtering
- Ordered additionally
During attack:
- System automatically detects
- Traffic cleaned
- Client receives notification
- Site continues operating
Protect Your Project from DDoS Attacks
Basic Anti-DDoS protection is included free with all VPS. Extended protection is available for critical projects.
FAQ
Can Anti-DDoS block legitimate users?
Modern systems distinguish attacks from normal traffic with 99.9% accuracy. False positives are extremely rare.
Does Anti-DDoS slow down site?
Always-on protection adds 2-5 ms latency, which is imperceptible to users. On-demand protection doesn't affect latency until it is activated.
What if attack is stronger than protection level?
When protection capacity is exceeded, a scrubbing center with higher throughput is connected. Worst case: null-routing (temporary IP blocking to protect infrastructure).
Can you completely protect from DDoS?
No. There is no protection against attacks of unlimited power, but modern systems deflect 99% of real attacks. For enterprise clients, protection up to several Tbps is available.
Do small sites need Anti-DDoS?
Basic protection (free)—mandatory for all. Extended—if your business depends on 24/7 site availability.