The procedures covered in this article require the Expert WEDOS.protection subscription plan, or higher. For more information, see the article Protection – Subscription Plan.
DDoS Diagnostics
DDoS attacks are a common type of cyber attack that tries to overwhelm a website or application with a high volume of requests. These requests typically originate in various regions, but may also come from a single IP address, range or provider. Some may share a common UserAgent, which can be used to filter them effectively.
The first step to respond adequately to an ongoing DDoS attack is to find out who the attackers are and block them, without restricting the legitimate traffic to your site. The best tool for traffic analysis is the Grafana interface, which you can set up according to the Protection – Grafana manual.
When you suspect your website or application to be under attack, follow these steps:
- Log into your Grafana interface.
- In the Request host filter on the top left, select the domain which is under attack. If needed, also change the Time range on the top right to 5 minutes.
- Search the logs for suspicious behavior.
- Determine the best blocking method according to the advice below.
In an emergency, you can use GeoIP to quickly block all access from other countries or continents and give yourself time to analyze traffic and set up more effective filters.
There is no one correct way to perform the log analysis, but some general advice is to check:
- Anomalies. The Anomalies table lists requests with error codes. These include blocked requests (456), which the system is already actively blocking. You don’t need to take action against them.
- Requests from countries. If large numbers of requests from unusual countries appear on this list, use GeoIP to block those countries until the attack subsides.
- TOP10 Client IPs. While not common for DDoS attacks, you may find abnormally large numbers of requests from a handful of IPs. You can block these using Filters.
- TOP10 UserAgents and ASN Report. In some circumstances, attackers may share a UserAgent, or ASN. You can easily filter these.

If you are unable to pinpoint and filter out the attack source, block the attack using WAF.
Once DDoS attacks fail to bring a system down, they typically withdraw within several minutes. Keep monitoring the situation and when you detect no more malicious traffic, try switching the emergency measures off again.
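The checks above, applied offline to exported request records, as an added example that is not WEDOS code: it ignores requests already blocked (456), compares the attack window with a baseline of normal traffic, and maps each value that suddenly dominates to the blocking method this article names. The record field names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter

def _reqs(n, net, hosts, country, asn, ua, status=200):
    """Build n constructed request records (documentation IP/ASN ranges only)."""
    return [{"ip": f"{net}.{i % hosts}", "country": country, "asn": asn,
             "ua": ua, "status": status} for i in range(n)]

# Constructed data: normal traffic, then a 5-minute window during an attack.
BASELINE = _reqs(100, "198.51.100", 40, "CZ", 64500, "Mozilla/5.0")
WINDOW = (_reqs(60, "198.51.100", 40, "CZ", 64500, "Mozilla/5.0")
          + _reqs(240, "203.0.113", 200, "XX", 64511, "bot-kit/1.0")
          + _reqs(500, "192.0.2", 1, "YY", 64499, "curl/8.0", status=456))

# Record field -> blocking method named in the article.
METHODS = {"ip": "Filters (IP)", "ua": "Filters (UserAgent)",
           "asn": "Filters (ASN)", "country": "GeoIP"}

def triage(window, baseline, min_share=0.2, growth=3.0, top=10):
    """Return [(method, value, share)] for values that newly dominate traffic."""
    # 456 = already blocked by the protection; no action needed on those.
    live = [r for r in window if r["status"] != 456]
    base = [r for r in baseline if r["status"] != 456]
    if not live:
        return []
    findings = []
    for field, method in METHODS.items():
        now = Counter(r[field] for r in live)
        before = Counter(r[field] for r in base)
        for value, n in now.most_common(top):
            share = n / len(live)
            base_share = before[value] / max(len(base), 1)
            # Flag only values that are both large and abnormal versus baseline,
            # so the site's usual home country or browser is not blocked.
            if share >= min_share and share >= growth * base_share:
                findings.append((method, value, share))
    # Nothing stands out: the article's fallback is a stricter WAF.
    return findings or [("WAF (raise paranoia level)", None, 0.0)]

if __name__ == "__main__":
    for method, value, share in triage(WINDOW, BASELINE):
        print(f"{method}: {value} ({share:.0%} of unblocked requests)")
```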
Emergency Blocking
If the automatic filters are taking too long to prevent a DDoS (or another similar) attack on your website or application, we recommend setting up:
- GeoIP works best to quickly isolate traffic from your country or continent, or block traffic from attacking regions.
- Filters block specific IPs, ASNs or UserAgents.
- Web Application Firewall (WAF) is able to filter traffic based on stricter rules with a higher paranoia level.
GeoIP Blocking
To set up GeoIP, follow these steps:
- Log into WEDOS.global admin panel.
- Select the domain under attack.
- In the left menu, select GeoIP.
- Enable Custom GeoIP.
- Set up GeoIP according to your requirements (see below) and save.
You will typically use GeoIP blocking to:
- Only make the website or application available to users in a specific area by following these steps:
  - In the Settings for Access section, select the Allow Access behavior and save.
  - Select the target available region(s) in the GeoIP Map. Traffic from unselected (blue) regions will be blocked.
  - In the List of selected regions, click the Save Selected Regions button.
- Block traffic from countries with a high amount or ratio of unblocked problematic requests by following these steps:
  - In the Settings for Access section, select the Block Access behavior and save.
  - Select the target available region(s) in the GeoIP Map. Traffic from unselected (blue) regions will be allowed.
  - In the List of selected regions, click the Save Selected Regions button.

For more information on GeoIP, see the article Protection – Filters, GeoIP, WAF.
Traffic Filtering
The available traffic filters are:
- IP. Blocks all requests from a specified IP address or range.
- ASN. Blocks all requests from a certain ASN (Autonomous System Number, typically identifying an Internet service provider).
- URL. Blocks all traffic to a certain URL, regardless of source. Use this if the attack is targeting a specific resource.
- UserAgent. Blocks traffic based on UserAgent strings.
To set up IP, ASN, URL or UserAgent filters, follow these steps:
- Log into WEDOS.global admin panel.
- Select the domain under attack.
- In the left menu, select Filters.
- Enable any Custom Filter you want to use.
- Add problematic IPs, ASNs and UserAgents.

For more information on Filters, see the article Protection – Filters, GeoIP, WAF.
WAF Filtering
If there is no clear indicator about the source or target of the malicious traffic, we advise you to increase the WAF paranoia level for the duration of the attack.
To change the WAF Paranoia Level, follow these steps:
- Log into WEDOS.global admin panel.
- Select the domain under attack.
- In the left menu, select WAF.
- Enable Custom WAF.
- In the Paranoia Level section, select Level 2.

For more information on the Web Application Firewall, see the article Protection – Filters, GeoIP, WAF.
FAQ
Why are the options in this article not available to me?
The options are only available to users with the Expert subscription plan or above. For more information, see the article Protection – Subscription Plan.
How long does a DDoS attack typically last?
This type of attack is typically rather expensive, so if it fails to take the target down within the first few minutes, the attackers often break it off and leave.
