What is a DDos Attack, and How Can I Protect My Business?

 

That stands for Distributed Denial of Service and it’s no coincidence that it almost always gets used with the word “attack,” as in DDoS attack. It has become commonplace enough to have its own Wikipedia entry, and it’s not a short one anymore, either.

 

It’s sad, but DDoS attacks are becoming as commonplace as car theft. As yet, nobody has figured out how to protect society from this new evil. Like car theft, it doesn’t affect you every day, but when it does, it causes dramatic (and traumatic) disruption and loss.

 

You are particularly susceptible to this new form of terrorism if you make your living from the internet. To do that, you use service providers, from email servers like MailChimp, Aweber, etc. and hosts like Hostgator, GoDaddy, etc. to payment processors.

 

Aweber recently got shut down by a DDoS attack, but they are by no means the only one. Simply Google ” DDoS attacks” and sit back in disgust as your screen fills with endless examples.

 

It’s not beyond the realm of possibility that the next World War will be fought on the internet. That would, of course, be the ultimate irony, because the internet was developed by the U.S. Armed Forces solely as an impenetrable defense against a nuclear war.

 

Until then, though, DDoS attacks happen everywhere on a smaller scale, and that’s enough for us to be concerned about right now.

 

 

In a nutshell, it’s a malicious attempt to overwhelm a targeted set of servers with an overload of junk service requests. When you sign on to your website, that’s a “service request” to Hostgator, GoDaddy, or whoever does your hosting. They’re used to, say, 5 million requests an hour. So they typically have server capacity to handle that, and maybe an odd spike of, say, another 5 million requests. But when they suddenly get 20 million requests, from all over the world, their servers and/or bandwidth simply run out of capacity.

 

When that happens, legitimate users can’t get their service requests to the service provider. It’s like being caught in traffic: there’s no way to get to your destination, and nothing you can do about it except sit, tap your fingers, get some coffee, go to the bathroom . . . and wait.

 

 

Your first reaction to the idea of a DDoS attack might be something along the lines of, “Too bad, so sad, please pass the gravy.” That would only be because you don’t understand the impact on your business.

 

See, when the baddies bombard your host’s network with that overload of spurious service requests, that bombardment drowns out your measly little service request. One of the tactics the baddies use is millions and millions of spam emails to the host. It’s so common, they even have a name for it: an email bomb.

 

When the baddies email bomb your service provider (AWeber, HostGator, GoDaddy, whoever), you experience that as being unable to log in to your site, whether to edit a blog post, check orders, etc. At first you might think that’s just a little irritating. But, when you try five more times in the next hour, that goes from irritation to bombs of a different flavor floating through the air in your office. You only hope the kids or dog don’t hear you.

 

Now, it’s bad. You feel like your hands are cut off. You can’t access anything online. You can’t complete that blog post. You can’t read or send emails. No tweets. No Facebook. No nothing. Just the echo of those sailor words in your office. One simple act reduces your life to nothing.

 

Yep, that’s bad. But it gets worse. Your customers are unable to log on to read your wisdom or—worse—to buy something. They think you are an incompetent ditz, and they vow never to buy anything from you again.

 

 

 

If you’re reading this, it means your internet connection is working . . . for now. Hopefully, you no longer take that for granted.

 

The logical question is: okay, so what can I do about this new threat? I know to lock my car as a first defense against car theft. But what do I with my site?

 

That’s a good question. Quite honestly, the list of answers is evolving as we speak, because this hazard of the new millennium is only now making its presence felt in the internet community. If you Google “DDoS attacks” you’ll find plenty of things to do—if you’re one of those service providers. But there’s precious little I could find for people like you and I, despite quite a bit of surfing.

 

That means you and I are on the frontier of the new Wild West, forging a common-sense set of defenses and work-arounds to keep our businesses going.

 

In general, my philosophy is to go “old-school” as far as possible. If you have any ideas, please add them in the comments. This is not a lecture by an expert, but a community project, and we need everyone’s help.

 

1. Back up your stuff to your computer at home at least once a month, on the last day of the month, but preferably every Saturday. Making it a routine is the best defense against human nature, which is to either forget or procrastinate. Then put a copy on an external device, preferably a high-capacity USB drive. This will allow you to go somewhere else, like the local library, and operate from there.
2. Practice doing restores.  Everyone around me knows I’m always the one to demonstrate whether something’s idiot proof. And I was horrified to find that I was unable to restore from Backup Buddy, the standard backup service for many businesses. A disaster is the wrong time to find out what you thought doesn’t work. So practice a few restores. Make notes if necessary.
3. Have an email address with one of the large, independent email providers, like Yahoo or Hotmail. This will allow you to go the local library, McDonalds or Starbucks, and send emails. If you’re able, have a “copy-and-forward” on your current email server. That means all emails stay on your server as usual, but a copy gets sent to that other email address. Those usually have unlimited capacity, and the ones that don’t will usually give it to your for about $20 per year—cheap insurance indeed.
4. Have a dummy domain name on a different hosting service. This can be any one of the tens of domain names you’ve purchases for future use, but are currently starving on the vine. If Hostgator is your primary host, then get GoDaddy or another to host the “dummy” site. Be careful, though—many apparently independent hosting services are really all part of the Hostgator family. If one of those gets attacked, it’s likely they all will suffer, because they’re all using the same server farms. Just make sure your alternate hosting service is really a different company. This will cost you an additional $50-100 per year but again, that’s cheap insurance.
5. When you do backups, copy your email addresses from AWeber or your email service into something like a Word or Excel document. I copied mine into an Excel spreadsheet. This way I can manually send emails if Aweber is down (as they were recently).
6. Have a prepared announcement ready in email form on that alternate email host (Yahoo, Hotmail, etc.). Save it in your draft folder. This way it’s nice and clean, devoid of what you really want to say in the heat of the (angry) moment. 🙂
7. When you figure your host may be under attack, it’s quick and easy to go to McDonald’s or Starbucks, log into that email server, and begin sending that prepared email to your list, informing them that you suspect one or more of your hosts are under a DDoS attack. Be sure to include the above Wikipedia link so they can see this is a real, and fairly common, problem, not a result of your negligence. In effect, tell them you locked your car, but a professional band of thieves came with a tow truck in the night and took it anyway.

 

Let me just say as a disclaimer—I’m no expert. at the moment it seems there are no experts at helping users like us get around one of those paralyzing attacks. So, please use this as a starting point, not the definitive list.

 

Let’s make this a community project: add any strategies you have tried or heard about to stay in business when the one you depend on gets paralyzed with one of these (increasingly common) malicious attacks.

 

Start adding to this list in the comments below!