HostiServer
2025-11-12 10:00:00

DDoS attacks and detection: how to keep your website resilient

⏱️ Reading time: ~13 minutes | 📅 Published: April 30, 2025 | 🔄 Updated: November 12, 2025

DDoS Attack Protection in 2025: How Your Website Can Withstand the Hit

Imagine: your online store generates $5,000 per hour. Suddenly, the site goes down. Not due to a technical glitch — but because of a DDoS attack. In 12 hours, you lose $60,000 in revenue plus another $50,000 in recovery costs. This is reality for thousands of businesses in 2025.

Shocking statistics: In Q1 2025, Cloudflare blocked 20.5 million DDoS attacks, a 358% increase over Q1 2024. Spread over the quarter, that is more than two blocked attacks every second, around the clock.

In this article, we'll thoroughly examine how DDoS attacks work, what protection methods exist, and what you can do right now to prepare your project. We'll also share insights on how hosting providers help minimize risks at the infrastructure level.

Why Are DDoS Attacks So Dangerous?

DDoS (Distributed Denial of Service) isn't just "server overload." It's a coordinated attack by thousands of infected devices with one goal: make your website unavailable.

Real Consequences: Not Just Downtime

Financial losses (immediate):

  • E-commerce: $2,000 per minute of downtime (average figure in 2025)
  • Small business: $8,000-$74,000 per hour
  • Large companies: up to $1.1 million per single attack (average recovery)

Long-term consequences:

  • Reputation: Approximately 67% of customers won't return after multiple outages
  • SEO penalties: Google lowers ranking of unstable sites by 30-50%
  • Data breaches: 40% of DDoS attacks are diversionary tactics for data theft
  • Regulatory fines: GDPR can fine for insufficient protection

💡 Real case:

"One European e-commerce project lost $11,000 over a single weekend due to a DDoS attack during Black Friday. The attack lasted 36 hours. This shows how critical it is to have a response plan and properly configured infrastructure."

Why Have Attacks Become So Common?

Period    Attacks blocked by Cloudflare   Growth
Q1 2023   ≈3 million                      Baseline (implied by the +50% Cloudflare reported for Q1 2024)
Q1 2024   4.5 million                     +50% YoY
Q1 2025   20.5 million                    +358% YoY

Three reasons for exponential growth:

  1. DDoS-as-a-Service: Launching an attack costs $5/hour. Anyone can order an attack quickly and easily, like ordering pizza.
  2. IoT botnets: Millions of unprotected cameras, routers, and smart TVs have become hackers' zombie army.
  3. Geopolitical tensions: Cyber wars between countries use DDoS as a weapon.

Attack Statistics by Industry 2025

Understanding which industries are most at risk helps assess your own risks.

📊 Top 10 Most Attacked Industries (Q1 2025)

 #  Industry               % of attacks  Primary motivation
 1  Gambling & Casinos     18%           Sharp increase following legalization
 2  Finance & Banking      16%           Extortion (ransom DDoS)
 3  Telecommunications     14%           Critical infrastructure
 4  Gaming                 12%           Competitive attacks
 5  E-commerce / Retail    10%           Attacks during sales
 6  IT Services             8%           General attacks
 7  Education               7%           Growth of online learning
 8  Healthcare              6%           Lives at risk
 9  Media / News            5%           Politically motivated
10  Government              4%           Cyber warfare

⚡ 2025 Surprises

Some industries climbed sharply in the ranking compared with Q1 2024:

  • Cybersecurity companies: up 37 places (ironically, attackers target security vendors too)
  • Airlines / Aviation: up 40 places (terrorist threats and geopolitics)
  • Manufacturing: up 28 places (supply-chain pressure)

💡 Conclusion:

NO industry is safe. Even if you're not in the top 10, attacks can come anytime. Automated botnets attack everyone indiscriminately.

Types of DDoS Attacks: Know Your Enemy

Not all DDoS attacks are the same. Each type requires specific protection. Here are three main categories:

1. Volumetric Attacks — "Water Cannon"

How it works: Floods your communication channel with a massive data stream.

Real example: In May 2025, Cloudflare blocked a record 7.3 Tbps (terabits per second) attack. Imagine trying to pour an ocean into a bottle.

Symptoms:

  • Entire internet channel saturated (100% utilization)
  • Can't access site even from server
  • Provider may disconnect your IP

Protection: CDN + Traffic scrubbing (provider-level filtering)

2. Protocol Attacks — "Heart Strike"

How it works: Exploits weaknesses in the transport and network protocols themselves to exhaust state on the server or firewall (listen backlogs, connection tables), usually with far less bandwidth than a volumetric attack.

Example methods:

  • SYN Flood: sends a stream of SYN packets (often from spoofed sources) and never completes the handshake, filling the listen backlog with half-open connections
  • Ping of Death: oversized or malformed ICMP/IP fragments that crash an unpatched network stack; largely historical, modern kernels are not affected
  • Smurf Attack: ICMP echo requests with a spoofed source sent to a broadcast address, so every host on that network replies to the victim; mostly mitigated since routers stopped forwarding directed broadcasts

Symptoms:

  • Server is "alive" (answers ping) but new connections time out
  • CPU/RAM or connection-table usage at 100%
  • Many half-open connections in SYN_RECV state (ss -tan state syn-recv)

Protection: SYN cookies + firewall rules + rate limiting

3. Application-Layer Attacks — "Silent Killer"

How it works: Mimics real users, making requests to your site's heaviest pages.

Real 2025 case: A retail site was attacked with 6 million requests/second. A botnet of 32,381 IP addresses requested pages with large product images. The server couldn't handle content generation.

Symptoms:

  • Site works but very slowly
  • Database overloaded with queries
  • Hard to distinguish from genuine high traffic

Protection: Web Application Firewall (WAF) + Behavioral analysis

Attack type    Goal                    Detection difficulty   Typical size, 2025
Volumetric     Saturate the uplink     🟢 Easy                1-7 Tbps
Protocol       Exhaust the server      🟡 Medium              100M-1B packets/s
Application    Overload the app        🔴 Hard                1-6M requests/s

💡 From real experience

In most cases, attacks are combined — volumetric + application-layer simultaneously. That's why one-sided protection (CDN only or firewall only) doesn't work. A multi-layered approach at all infrastructure levels is needed.

How to Detect a DDoS Attack: Early Warning Signs

Fast detection = minimal losses. Here's how to recognize an attack before your site crashes:

🚨 Attack Signs (check immediately)

  1. Abnormal traffic spikes
    • Traffic increased by >50% in one minute
    • Activity peak at 3 AM (when your audience is asleep)
    • Geography: suddenly 80% of traffic from a remote location
  2. Identical requests
    • Thousands of requests with same User-Agent
    • Requests to one URL repeatedly
    • No JavaScript / cookies (bots)
  3. Performance drops
    • Response time >5 seconds (was <1 sec)
    • CPU constantly at 90-100%
    • Databases flooded with queries
  4. Strange IP behavior
    • Hundreds of requests from one IP per minute
    • Suspicious IP ranges (known botnets)
    • IP rotation (proxy/VPN signs)

🛠️ Real-Time Tools

1. Log analysis (basic level)

Check access logs for suspicious patterns:

# Top 10 IP addresses by request count
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -10

# Behind a CDN or reverse proxy $1 is the proxy's address: use the
# X-Forwarded-For field (or your CDN's client-IP header) instead.
# Hundreds to thousands of requests per minute from one IP is a strong
# signal, not proof: a corporate NAT or a crawler can look the same, so
# check the URLs and User-Agent before blocking.
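The log checks above, as an added shell example that is not code from the original article: it triages a combined-format access log for the four signs in the checklist (per-minute spike, one URL requested repeatedly, a single dominant User-Agent, hot source addresses). The log lines are constructed; 203.0.113.7, 198.51.100.2 and 192.0.2.9 are documentation addresses, and the threshold of 5 requests per minute is only for the tiny sample (real thresholds come from your own baseline).

```shell
#!/bin/sh
# Added example (not code from the original article): triage an access log in
# Apache/nginx "combined" format. Assumes the log comes straight from the
# origin server; behind a CDN or reverse proxy the first field is the proxy's
# address, so parse the X-Forwarded-For field instead.

# Constructed sample log: 203.0.113.7 hammers one URL with one User-Agent at
# 03:00, while 198.51.100.2 and 192.0.2.9 browse normally.
make_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.2 - - [12/Nov/2025:03:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
203.0.113.7 - - [12/Nov/2025:03:00:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:03 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:04 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:05 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:06 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:07 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:00:08 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:01:00 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
203.0.113.7 - - [12/Nov/2025:03:01:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 81920 "-" "python-requests/2.31"
198.51.100.2 - - [12/Nov/2025:03:01:10 +0000] "GET /product/42 HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
192.0.2.9 - - [12/Nov/2025:03:01:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
198.51.100.2 - - [12/Nov/2025:03:02:05 +0000] "POST /cart HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
192.0.2.9 - - [12/Nov/2025:03:02:40 +0000] "GET /product/7 HTTP/1.1" 200 7100 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
EOF
}

# Sign 4: top N source addresses by request count ("count ip" per line).
top_ips() { awk '{print $1}' "$1" | sort | uniq -c | sort -rn | head -n "$2"; }

# Sign 4, sharper: addresses that sent more than $2 requests within any single
# minute. The timestamp field looks like "[12/Nov/2025:03:00:01"; the 17
# characters after "[" identify the minute.
ips_over_rate() {
  awk -v t="$2" '{ c[$1 SUBSEP substr($4, 2, 17)]++ }
    END { for (k in c) if (c[k] > t) { split(k, p, SUBSEP); hit[p[1]] = 1 }
          for (ip in hit) print ip }' "$1" | sort
}

# Sign 2: most requested URL paths (the request line is the 2nd quoted field).
top_urls() { awk -F'"' '{ split($2, r, " "); print r[2] }' "$1" | sort | uniq -c | sort -rn | head -n "$2"; }

# Sign 2: share of all requests carrying the single most common User-Agent
# (6th field when splitting on double quotes). Prints e.g. "66% python-requests/2.31".
top_ua_share() {
  awk -F'"' '{ c[$6]++; n++ }
    END { for (u in c) if (c[u] > max) { max = c[u]; top = u }
          printf "%d%% %s\n", int(100 * max / n), top }' "$1"
}

# Sign 1: requests per minute, to spot the spike and its timing.
requests_per_minute() { awk '{ print substr($4, 2, 17) }' "$1" | uniq -c; }

LOG=$(mktemp)
make_sample_log "$LOG"
echo "== requests per minute";  requests_per_minute "$LOG"
echo "== top sources";          top_ips "$LOG" 3
echo "== over 5 req/min";       ips_over_rate "$LOG" 5
echo "== top URLs";             top_urls "$LOG" 3
echo "== dominant User-Agent";  top_ua_share "$LOG"
rm -f "$LOG"
```

Run it as-is to see the sample triage, or point the functions at a real log (top_ips /var/log/nginx/access.log 20). A source that tops every list at once, with one URL and one User-Agent, is the pattern worth blocking; a source that is merely busy across many URLs with a browser User-Agent may be a NAT full of real customers.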

2. Real-time monitoring (recommended)

Tools recommended by hosting professionals:

  • Grafana + Prometheus: Real-time traffic visualization
  • ModSecurity: WAF with automatic attack detection
  • Fail2Ban: Auto-blocking suspicious IPs

3. AI-based analysis (enterprise)

Machine learning systems analyze behavior:

  • Enterprise CDN Bot Management solutions
  • Cloud-based AI Shield systems
  • Professional WAF with ML analysis

⚙️ Set Up Alerts (do it now)

Example alert rule (Prometheus rule syntax; the same PromQL expression works as the query of a Grafana alert rule. nginx_http_requests_total is the counter exposed by nginx-prometheus-exporter, substitute your own request metric):

# Fire when the 1-minute request rate is 20% above the average of the last 24 hours
groups:
- name: ddos
  rules:
  - alert: TrafficSpike
    expr: sum(rate(nginx_http_requests_total[1m])) > 1.2 * avg_over_time(sum(rate(nginx_http_requests_total[5m]))[1d:5m])
    for: 2m
    annotations: {summary: "Request rate 20% above the 24h baseline, start the mitigation playbook"}

💡 Practical advice:

"Set alerts for +20% traffic and +30% CPU. This gives you 5-10 minutes to react before the site crashes. Automated monitoring systems can respond in 30-60 seconds, which is critical for fast response."

Protection Tools: What Works in 2025

Protection = multi-layered approach. One tool isn't enough. Here's a proven combination:

🛡️ Level 1: Traffic Filtering

What it does: Analyzes incoming traffic and blocks suspicious traffic while allowing real users.

Solutions for different levels:

Level        Solution                     Protects up to
Basic        Firewall rules + Fail2Ban    your server's own uplink (typically 1-10 Gbps); no help once the link is saturated
Mid-level    CDN free/pro plans           ~100 Gbps
Enterprise   Premium CDN + WAF            unmetered

🌐 Level 2: CDN (Content Delivery Network)

How it protects: Serves your site from hundreds of edge servers in different countries and absorbs the flood across all of them. Knocking out one server is easy; saturating 200 at once is far harder.

Example: Your origin server in Germany. With CDN you get site copies in 150+ locations. Attack on Germany? Traffic automatically goes through USA, Japan, Brazil.

Different CDN protection levels:

  • Free CDN services: Protection up to 100 Gbps, ideal for small business
  • Professional CDN platforms: Protection up to 1-10 Tbps, suitable for mid-sized business
  • Enterprise CDN solutions: Unlimited protection with 99.99% uptime guarantee

Many hosting providers offer integration with popular CDN services or have their own content delivery networks, allowing clients to get basic protection "out of the box".

Read more about CDN in our article: "How CDN Works and Does Your Website Need It?"

☁️ Level 3: Cloud-Based Protection

What it does: Diverts your traffic through scrubbing centers with far more capacity than your uplink, filters it there, and on elastic platforms adds compute behind it during the attack.

How modern cloud solutions work:

  1. Attack detection (usually 30-60 seconds)
  2. Automatic traffic redirection through scrubbing center
  3. Resource scaling (additional servers connect automatically)
  4. Malicious traffic filtering at network level
  5. Clean traffic returns to your site

Example from practice: An e-commerce project was attacked during a sale. The automated protection system:

  • Detected abnormal traffic in less than a minute
  • Started mitigation procedure
  • Site continued operating without interruption
  • Attack lasted 4 hours with peak load up to 85 Gbps

💡 Why this matters:

"Small sites think: 'They won't attack me, I'm small.' Wrong. 65% of DDoS attacks target small and medium businesses — protection is weaker there, and demanding ransom is easier."

Practical Protection Methods: Step-by-Step Guide

Theory is good. But here's what you can do right now for protection:

🔧 Method 1: Firewall Configuration (20 minutes)

Goal: Limit number of requests from one IP.

For Apache (.htaccess; note that Apache has no built-in per-IP request limiter):

# mod_ratelimit throttles bandwidth per connection in KB/s (400 here); it does
# NOT limit requests per IP. Per-IP request limiting on Apache needs
# mod_evasive or mod_qos, or a reverse proxy / CDN in front of the server.
<IfModule mod_ratelimit.c>
  SetOutputFilter RATE_LIMIT
  SetEnv rate-limit 400
</IfModule>

# Block requests with an empty User-Agent. Do not match generic words such as
# "bot|crawler|spider": that also blocks Googlebot and Bingbot and hurts SEO.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^.*$ - [F,L]

For Nginx (nginx.conf):

# Rate-limiting zone: one counter per client IP, 30 requests per minute.
# limit_req_zone must sit in the http {} block; limit_req goes in server/location.
limit_req_zone $binary_remote_addr zone=ddos:10m rate=30r/m;

server {
  # Behind a CDN or reverse proxy $binary_remote_addr is the proxy's address:
  # configure ngx_http_realip_module (set_real_ip_from / real_ip_header) first,
  # otherwise every visitor shares one bucket and you rate-limit yourself.
  location / {
    limit_req zone=ddos burst=5;   # up to 5 excess requests are queued, more are rejected
    limit_req_status 429;          # answer 429 instead of the default 503
  }
}

For iptables (Linux firewall):

# SYN flood: rate-limit SYNs per source address with hashlimit. A plain
# "-m limit" is one global counter, so under attack it would throttle
# legitimate users as hard as the attacker. Also enable SYN cookies.
sysctl -w net.ipv4.tcp_syncookies=1
iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip \
  --hashlimit-above 20/second --hashlimit-burst 50 -j DROP

# Port 80: drop sources opening more than 25 new connections per minute.
# This counts TCP connections, not HTTP requests (keep-alive reuses one).
iptables -A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-name http --hashlimit-mode srcip \
  --hashlimit-above 25/minute --hashlimit-burst 100 -j DROP

⚠️ Important: test rules in a staging environment first. An incorrect configuration can block real users, and no host firewall helps once your uplink itself is saturated.

🔀 Method 2: Load Balancing

Goal: If one server goes down, the others pick up the load.

Simple option (DNS Round Robin):

  1. 2+ servers in different datacenters
  2. DNS returns the IP addresses in rotating order
  3. Traffic spreads across them, but DNS does not notice a dead server: clients keep receiving its address until you pull the record and its TTL expires, so keep TTLs short

Advanced option (Application Load Balancer):

We recommend using HAProxy:

# Basic HAProxy configuration: one frontend, three origin servers
defaults
  mode http
  timeout connect 5s      # HAProxy warns at startup if these timeouts are missing
  timeout client  30s
  timeout server  30s

frontend http_front
  bind *:80
  default_backend http_back

backend http_back
  balance roundrobin
  server server1 10.0.0.1:80 check   # "check" removes a server that stops answering
  server server2 10.0.0.2:80 check
  server server3 10.0.0.3:80 check

Result: if the attack takes server1 down, the health checks pull it out and server2 and server3 keep serving. The balancer's own uplink is still a single point: load balancing spreads application load, it does not absorb a volumetric flood.

📊 Method 3: Auto-scaling (for Cloud)

Goal: Automatically add servers during attack.

How auto-scaling works in cloud platforms:

  1. Basic setup
    • Minimum servers: 2
    • Maximum servers: 20
  2. Trigger configuration:
    • If CPU >70% for 5 minutes → +2 servers
    • If traffic >10,000 req/sec → +5 servers
  3. Result:
    • Normal day: 2 servers ($100/month)
    • Under attack: automatically 12 servers ($600/month, but only during attack)

💡 Important to know:

"Don't wait for an attack to configure auto-scaling. Many cloud providers offer pay-as-you-go models where you only pay for actually used resources during traffic peaks, not for maximum capacity 24/7."

Defense Strategy: Attack Preparation

Best defense is being prepared. Here's a 3-level action plan:

📋 Level 1: Response Plan (create now)

Your DDoS Response Playbook should include:

Phase 1: Detection (0-5 minutes)

  1. Alert arrives on pager/phone
  2. Check logs: is it an attack or real traffic?
  3. Identify attack type (volumetric/protocol/application)

Phase 2: Isolation (5-15 minutes)

  1. Activate CDN (if not already activated)
  2. Redirect traffic through scrubbing center
  3. Block top 100 attacking IPs
  4. Enable "Under Attack Mode" (in CDN)
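Step 3 above ("block the top attacking IPs"), as an added shell example that is not code from the original article: it turns the "count ip" list produced by the awk one-liner from the detection section into ipset commands with an expiry, and checks every address against an allowlist first so you never block your own monitoring, office NAT or CDN addresses. The counts, addresses and allowlist are constructed; the set name ddos_block, the 3600-second TTL and the threshold are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not code from the original article): build a temporary ipset
# blocklist from a "count ip" list. Prints the commands (dry run); pipe the
# output to sh as root to apply them.

SET_NAME=ddos_block
BLOCK_TTL=3600   # seconds; a wrongly blocked NAT or proxy recovers on its own later

# Constructed input, in the shape produced by
#   awk '{print $1}' access.log | sort | uniq -c | sort -rn
sample_counts() {
  printf '%s\n' '   1200 203.0.113.7' '    800 198.51.100.2' '    300 10.0.0.5' '      3 192.0.2.9'
}

# Constructed allowlist: exact addresses, or dotted prefixes ending in "."
# (a plain string-prefix check, not CIDR matching; keep entries unambiguous).
write_allowlist() { printf '198.51.100.2\n10.0.0.\n' > "$1"; }

# $1 = allowlist file, $2 = address. Exit 0 if some entry is a prefix of $2.
allowlisted() {
  awk -v ip="$2" '$1 != "" && index(ip, $1) == 1 { f = 1 } END { exit !f }' "$1"
}

# Reads "count ip" lines on stdin; $1 = request threshold, $2 = allowlist file.
# Emits: create the set (idempotent), hook it into INPUT once, add offenders.
block_commands() {
  threshold=$1; allow=$2
  echo "ipset -exist create $SET_NAME hash:ip timeout $BLOCK_TTL"
  echo "iptables -C INPUT -m set --match-set $SET_NAME src -j DROP 2>/dev/null || iptables -I INPUT -m set --match-set $SET_NAME src -j DROP"
  awk -v t="$threshold" '$1 > t { print $2 }' | while read -r ip; do
    if allowlisted "$allow" "$ip"; then
      echo "# skipped $ip: allowlisted"
    else
      echo "ipset -exist add $SET_NAME $ip timeout $BLOCK_TTL"
    fi
  done
}

ALLOW=$(mktemp)
write_allowlist "$ALLOW"
sample_counts | block_commands 100 "$ALLOW"
rm -f "$ALLOW"
```

In a real incident the input is the live log: awk '{print $1}' access.log | sort | uniq -c | sort -rn | block_commands 500 /etc/ddos/allowlist | sh. The timeout matters: blocklists built in a hurry always catch a few innocents, and an entry that expires by itself is one less thing to clean up in the post-mortem.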

Phase 3: Neutralization (15-60 minutes)

  1. Analyze attack patterns
  2. Create custom firewall rules
  3. Scale resources if needed
  4. Monitor until attack fully stops

Phase 4: Post-Mortem (after attack)

  1. Log analysis: where's the attack from, what methods
  2. Update protection based on findings
  3. Document incident
  4. Notify customers (if there were outages)

💾 Level 2: Backup Strategy

Critically important: a backup won't stop a DDoS, but it will save you if the attack was cover for an intrusion that corrupted or encrypted your data.

Minimum scheme:

  • Daily backups: database
  • Weekly backups: site files
  • Offline copy: in another datacenter (not on same server!)
  • Testing: try restoring from backup once a month

What to look for in a hosting provider:

  • Incremental backups (more efficient than full)
  • Flexible frequency and retention period settings
  • Backups on geographically distributed servers
  • Fast recovery (depends on data volume)
  • Process automation without manual intervention

👥 Level 3: Team Training

Conduct DDoS drills every 3 months:

  1. Attack simulation
    • Use testing tools (Apache Bench, wrk)
    • Simulate 2x normal load
    • Check if alerts work
  2. Response practice
    • Team goes through Response Playbook
    • Someone plays "attacker" role, others defend
    • Time it: how long does neutralization take?
  3. Procedure updates
    • What worked? What failed?
    • Update documentation
    • Add new rules to playbook

💡 Real case from practice:

"One company ignored recommendations about regular drills. When an attack came at 2 AM — couldn't reach anyone for 40 minutes. Site was down, losses growing. After that they implemented on-call rotations and training. Next attack? Neutralized in 8 minutes."

Common Mistakes: What NOT to Do

These mistakes cost businesses millions. Don't repeat them:

❌ Mistake #1: "They won't attack me, I'm small"

Reality: Roughly 65% of DDoS attacks hit small and medium businesses, precisely because their protection is weaker.

Consequence: No monitoring → attack lasts hours before detection → maximum losses.

Solution: Basic monitoring costs $0. Set up alerts at least for CPU and traffic.

❌ Mistake #2: Outdated Software

Statistics: 42% of successful DDoS attacks exploit vulnerabilities in outdated software.

Example: Apache httpd 2.4.29 is affected by CVE-2018-1333, a mod_http2 flaw where specially crafted HTTP/2 requests keep worker threads busy for 60 seconds longer than necessary, so a trickle of traffic exhausts the server. The fix shipped in 2.4.34 in July 2018, yet about 15% of servers still run this version.

Solution:

  • Automatic security patch updates
  • Monthly software version checks
  • Subscribe to security mailing lists

❌ Mistake #3: Lack of Testing

Situation: "We have firewall and CDN, we're protected!"

Problem: Nobody checked if it works. During real attack it turns out:

  • CDN not configured properly
  • Firewall rules block half the traffic (including real customers)
  • Backup doesn't work or is corrupted

Solution: Stress testing quarterly. Simulate attack and check all systems.

❌ Mistake #4: Single Protection Instead of Multi-layered

Example: "We use CDN, we're not afraid of anything."

Reality: CDN protects from volumetric attacks great. But if hacker finds your origin IP (real server) and attacks directly, bypassing CDN — you're defenseless.

What happened: E-commerce site with CDN protection. However, hackers found origin IP through old DNS record. Attacked server directly. CDN didn't help. Losses: $200,000.

Solution: Multi-layered protection:

  1. CDN — first line
  2. Firewall on server — second line
  3. Rate limiting in application — third line
  4. Hide the origin IP: point only the CDN at it, let the origin accept HTTP(S) only from the CDN's published IP ranges, and purge old DNS records (mail, staging, dev subdomains) that still name the real address

Real Cases 2025: What Happened and Lessons Learned

Three real attack stories in 2025 — what went wrong, what worked, and what conclusions you can draw for your business.

📊 Case #1: Record Attack — 7.3 Tbps (May 2025)

Victim: Hosting provider (protected by Cloudflare)

Attack scale:

  • Volume: 7.3 terabits per second, about 37.4 TB delivered in total
  • Duration: roughly 45 seconds
  • Sources: over 122,000 source IP addresses across 161 countries, almost entirely UDP flood

What saved them:

  1. Fully automated detection and mitigation, with no human in the loop
  2. The flood absorbed across Cloudflare's global anycast network instead of at the victim's uplink
  3. Zero downtime for the provider's clients

Lesson: Protecting from hyper-volumetric attacks requires planetary-scale infrastructure. Doing it alone is impossible.

🏦 Case #2: Bank Under Attack — 12 Hours Downtime (February 2025)

Victim: Major US bank

Attack:

  • Type: Multi-vector (volumetric + application)
  • Volume: >1 Tbps peak load
  • Organizer: Hacker group DieNet
  • Methods: SYN flood + HTTP flood + DNS amplification

Consequences:

  • 12 hours online banking unavailability
  • Millions of customers couldn't use services
  • Losses: >$50 million (direct + reputational)
  • Regulatory investigations

Why protection failed:

  1. Outdated on-premise DDoS protection system (purchased in 2018)
  2. Capacity: only 100 Gbps (attack was 10x larger)
  3. No scaling plan during attack
  4. Security team responded in 40 minutes (instead of 5)

Lesson: Enterprise business without cloud-based protection = huge risk. On-premise solutions from 2018 can't handle 2025 attacks.

🛒 Case #3: E-commerce During Black Friday — Successful Defense

Company: European electronics online store

Situation:

  • Black Friday — peak sales of the year
  • Expected revenue: $300,000 for the weekend
  • Probable competitive attack

Attack parameters:

  • Time: Friday, 00:15 (sale start)
  • Type: Application-layer (mimicking real shoppers)
  • Volume: 2.3 million requests/minute
  • Botnet: 18,000 residential IPs (hard to filter)

Defense timeline:

  1. 0:15:28 — Automated system detected abnormal traffic
  2. 0:16:00 — Protection mode activated
  3. 0:17:30 — Behavioral analysis separated bots from real shoppers
  4. 0:22:00 — Custom firewall rules created
  5. 0:30:00 — Attack fully neutralized

Result:

  • Downtime: 0 seconds (shoppers didn't notice issues)
  • Blocked: 840 GB of malicious traffic
  • Sales: $312,000 for the weekend (4% over plan)
  • Reputational damage: zero

Owner comment:

"We learned about the attack only the next day from the monitoring report. The site worked flawlessly, not a single customer complained. This completely saved our Black Friday."

Lesson: Properly configured automation + behavioral analysis can protect even from complex application-layer attacks without losing legitimate traffic.

Conclusion: DDoS is Reality, But You Can Protect Yourself

DDoS attacks in 2025 — it's not "if" but "when". 358% growth per year shows: the threat is real and growing.

Key conclusions:

  1. Multi-layered protection is the only working approach
    • CDN + Firewall + Rate limiting + Monitoring
    • One tool won't protect from all attack types
  2. Preparation is more important than power
    • Response plan reduces losses by 80%
    • Regular drills reveal weak points
  3. Automation = speed = minimal losses
    • Manual response for 40 minutes? Site already crashed.
    • Automation responds in 30 seconds
  4. Small business = same target as big business
    • 65% of attacks target small business
    • Protection available on any budget

What to do right now:

Next 30 minutes:

  • Check if you have CDN (if not — consider connecting)
  • Configure basic firewall (code examples above)
  • Set up alerts for traffic and CPU

Today:

  • Create Response Playbook (template above)
  • Check backup (can you restore?)
  • Update all software to latest versions

This week:

  • Conduct stress test (load simulation)
  • Train team on basic response
  • Consider professional protection (if budget allows)

Modern hosting providers offer various protection levels at infrastructure level — from basic firewall to full anti-DDoS solutions. When choosing hosting, pay attention to:

  • Abnormal traffic detection speed (ideally up to 1 minute)
  • Mitigation process automation
  • Resource scaling capability under load
  • Incident notification system
  • Transparency in attack reporting

Remember: DDoS protection isn't a one-time setup, but a continuous process of monitoring, updating, and adapting to new threats.

🚀 Powerful Servers and CDN for Your Project

Hostiserver offers reliable solutions for hosting websites and applications. We guarantee high performance, security, and global content acceleration.

Hostiserver Server Benefits:

  • High performance and reliability
  • Customized solutions for you
  • Daily backups
  • Servers in certified data centers
  • 99.9% uptime SLA

Hostiserver CDN Benefits:

  • Global coverage
  • Loading speed up to 10x faster
  • Full site caching
  • Instant cache invalidation
  • High level of security

Frequently Asked Questions About DDoS Attacks

How quickly can a DDoS attack be detected?

With automated monitoring: 30-60 seconds. Systems like Grafana + Prometheus detect traffic anomalies almost instantly.

Without monitoring: From several minutes to hours, depending on how quickly you notice the site isn't working. Often customers call first.

How much does DDoS protection cost for small business?

Basic protection (DIY): $0-20/month

  • Free CDN services: $0 (protect up to 100 Gbps)
  • Basic firewall: included in hosting
  • Monitoring: free tools

Professional protection: $50-500/month

  • Paid CDN solutions: $20-100/month
  • Cloud platforms: from $0 (pay per traffic)
  • Protected hosting with anti-DDoS: from $49/month

Enterprise: $1,000-10,000/month

  • Enterprise CDN: from $200/month
  • Premium DDoS protection: $2,000-10,000/month

Compare: Protection $50/month vs recovery after attack $50,000. Decision is obvious.

Can small sites be attacked? Or is it only for large companies?

YES, small sites are attacked even more often!

2025 statistics:

  • 65% of DDoS attacks target small and medium business
  • Reason #1: Weaker protection = easier to attack
  • Reason #2: Ransom demanded is smaller, but owners pay faster

Typical small business victims:

  • Local e-commerce stores
  • SaaS startups
  • Online services (booking, delivery)
  • Media sites and blogs

Myth: "I'm too small to be attacked"
Reality: Automated botnets attack ALL sites indiscriminately, not selecting by size.

What to do if I'm being attacked right now?

Emergency action plan (5 minutes):

Step 1 (30 seconds): Activate attack protection mode

  • If using a CDN: enable "Under Attack Mode" or its equivalent
  • Every visitor gets a JavaScript challenge page (some providers escalate to a CAPTCHA); real browsers pass it in a few seconds
  • Stops most simple bots that cannot run the challenge; expect some friction for legitimate API clients, so switch it off once the attack ends

Step 2 (2 minutes): Identify the source

  • Check access logs: which IPs are attacking?
  • Which URL is most requested?
  • What request type (GET/POST)?

Step 3 (2 minutes): Block attackers

  • In the CDN panel: create a firewall rule to block the suspicious IPs or ASNs
  • Or on Apache 2.4 in .htaccess: inside <RequireAll>, put "Require all granted" followed by "Require not ip IP.ADDRESS" (the old "deny from" syntax is Apache 2.2 and only works with mod_access_compat loaded)

Step 4: Contact hosting provider

  • They can filter traffic at datacenter level
  • If you have protected hosting — technical support usually responds in 2-10 minutes
  • The faster you notify — the faster they neutralize the attack

DON'T DO:

  • ❌ Don't shut down server (attack won't stop, and you'll lose access)
  • ❌ Don't just change the IP address: if the new one leaks through DNS, mail headers or an exposed service, the attacker follows it within minutes; a new origin address only helps as part of moving behind a CDN or scrubbing service with the new address kept private
  • ❌ Don't pay ransom (doesn't guarantee attack will stop)
How often should DDoS protection be tested?

Recommended schedule:

Quarterly (every 3 months):

  • Site stress test (load simulation)
  • Backup check (can you restore)
  • Team drill (response practice)
  • Response Playbook update

Monthly:

  • Alert check (are they working)
  • Log review for suspicious activity
  • Software and firewall rules updates

After infrastructure changes:

  • New server → stress test
  • CDN update → configuration check
  • New application → vulnerability analysis

Reality: 78% of companies have NEVER tested their DDoS protection. Then they wonder why nothing works during an attack.

Can a DDoS attack damage data or steal information?

Direct answer: DDoS itself doesn't steal data.

DDoS = Denial of Service. Goal — make site unavailable, not steal.

BUT! Important nuance:

40% of DDoS attacks are diversionary tactics. While your team handles DDoS defense, other hackers:

  • Look for vulnerabilities in your code
  • Attempt SQL injection
  • Steal data from database
  • Install backdoors

Real 2024 case: European clinic received DDoS attack. While IT department fought the attack, hackers stole 50,000 patient medical records through another vulnerability. GDPR fine: $2.5 million.

Protection:

  • Monitor ALL activity during DDoS, not just traffic
  • Check database logs for suspicious queries
  • Use WAF (Web Application Firewall)
  • Restrict access to critical systems during attack
