What Exactly Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack floods your website or server with so much traffic that legitimate visitors can no longer get through. Think of it as thousands of people trying to squeeze through a single door at the same time. Nobody gets in.
The "distributed" part is what makes these attacks particularly nasty. The traffic comes from hundreds or thousands of different sources, typically compromised computers and IoT devices that form what security researchers call a botnet. Because the traffic comes from so many places, you cannot simply block one IP address and solve the problem.
DDoS attacks have been around since the late 1990s, but they have grown dramatically in both frequency and scale. In 2024, several attacks exceeded 1 Tbps (terabits per second). For reference, that is roughly equivalent to streaming 200,000 HD videos simultaneously, all aimed at a single target.
The Three Main Types of DDoS Attacks
Not all DDoS attacks work the same way. Understanding the differences matters because each type requires a different defense strategy.
1. Volumetric Attacks
Volumetric attacks are the brute-force approach. The attacker simply sends an enormous amount of data to saturate your bandwidth. Common techniques include:
- UDP floods - The attacker sends massive amounts of UDP packets to random ports on the target server. The server has to check each packet, realize no application is listening on that port, and send back an ICMP "destination unreachable" reply. Multiply that by millions of packets per second and the server drowns.
- DNS amplification - The attacker sends small DNS queries with a spoofed source IP (your IP) to open DNS resolvers. The resolvers send their much larger responses to your server. A 60-byte query can generate a 4,000-byte response, giving the attacker roughly a 70x amplification factor.
- NTP amplification - Similar to DNS amplification but using Network Time Protocol servers. The `monlist` command in older ntpd versions returns up to 600 recently seen client addresses in reply to a tiny request, giving amplification factors of 500x or more.
- Memcached reflection - Exploiting misconfigured Memcached servers exposed to the internet over UDP. Because a request of a few dozen bytes can retrieve a stored value of up to 1 MB, this technique achieved amplification factors above 50,000x in some cases, making it one of the most powerful volumetric attack vectors ever discovered.
Volumetric attacks are measured in bits per second (bps). A single server typically sits behind a 1 Gbps or 10 Gbps uplink, so an attack larger than that fills the pipe before a single packet reaches your machine; nothing you configure on the server helps, only your hosting provider's upstream capacity and filtering can absorb it.
2. Protocol Attacks
Protocol attacks exploit weaknesses in network protocols (layers 3 and 4 of the OSI model) to consume server resources or the resources of intermediate equipment like firewalls and load balancers.
- SYN floods - The attacker sends a rapid succession of TCP SYN requests without completing the three-way handshake. Each half-open connection consumes resources on the server. The connection table fills up and the server can no longer accept new connections, including legitimate ones.
- Ping of Death - Sending malformed or oversized ICMP packets that crash the target system. Mostly a historical curiosity now, but variants still appear.
- Smurf attacks - Sending ICMP echo requests to a network's broadcast address with the source IP spoofed as the victim's address, so every device on that network sends its reply to the victim. Routers have dropped directed broadcasts by default for many years, so this too is largely historical.
- Fragmented packet attacks - Sending streams of IP fragments that never form a complete datagram. The target holds the partial datagrams in its reassembly buffers until they time out, consuming memory and CPU.
Protocol attacks are measured in packets per second (pps). Even relatively modest packet rates can bring down servers and networking equipment if the packets exploit protocol weaknesses effectively.
3. Application Layer Attacks
These are the most sophisticated and often the hardest to detect because they look like normal traffic. The attacker targets specific features of your web application.
- HTTP floods - Sending what appear to be legitimate HTTP GET or POST requests at high volume. A GET flood might repeatedly request your heaviest page (say, a search results page with complex database queries). A POST flood might submit forms repeatedly.
- Slowloris - Opening many connections to your web server and keeping them open as long as possible by sending partial HTTP request headers a few bytes at a time. The server waits for each request to complete, and eventually all available connections are tied up. Servers that dedicate a thread or process to every connection (classic Apache prefork) are the usual victims; event-driven servers such as Nginx fare better but still need header timeouts and per-client connection limits.
- R-U-Dead-Yet (RUDY) - Similar to Slowloris but targeting HTTP POST bodies. The attacker submits a form with a very large Content-Length value, then sends the body one byte at a time.
- WordPress XML-RPC attacks - Abusing the pingback method of the WordPress XML-RPC interface. The attacker asks thousands of WordPress sites to "verify" a pingback against the target URL, and each of them dutifully fetches the target, turning them into a reflection network. This is particularly relevant because WordPress powers a large percentage of websites.
Application layer attacks are measured in requests per second (rps). A well-crafted application layer attack can take down a server with just a few thousand requests per second if each request triggers expensive operations.
How a DDoS Attack Actually Unfolds
Here is what typically happens when a business gets hit:
- Reconnaissance - The attacker identifies your server's IP address, hosting provider, and potentially your traffic patterns. They might probe your site for resource-heavy pages.
- Botnet activation - The attacker commands their botnet (rented or built from compromised devices) to begin sending traffic to your server. Botnets are available for rent on dark web marketplaces for as little as $10-50 per hour.
- Traffic ramp-up - The attack often starts slowly and increases over minutes or hours. Some attackers will test with short bursts first to gauge the target's defenses.
- Service degradation - Your website starts loading slowly. Database connections time out. TLS handshakes fail. Error rates spike.
- Complete outage - If the attack overwhelms your defenses, the site goes completely offline. Users see connection timeouts or error pages.
- Collateral damage - If you are on shared hosting, other sites on the same server may also go down. Your hosting provider might null-route your IP to protect their other customers, which means your site stays down even after the attack stops.
The Business Impact of DDoS Attacks
The cost of a DDoS attack goes well beyond the immediate downtime.
Direct Financial Losses
| Business Type | Estimated Cost per Hour of Downtime |
|---|---|
| Small e-commerce | $1,000 - $10,000 |
| Medium e-commerce | $10,000 - $100,000 |
| Large enterprise | $100,000 - $1,000,000+ |
| Financial services | $1,000,000+ |
These numbers come from industry reports by Gartner and Ponemon Institute. They include lost sales, lost advertising revenue, and SLA penalties.
Reputation Damage
Customers who cannot reach your site do not wait around. They go to a competitor. Studies consistently show that users who experience an outage are significantly less likely to return. For a business trying to build trust, especially in sectors like finance or healthcare, a visible outage undermines credibility.
SEO Impact
Extended downtime affects search rankings. Google's crawlers will eventually notice that your site is unreachable and may temporarily drop your pages from search results. If the attack causes intermittent availability over several days, the impact on your organic traffic can last weeks.
DDoS as a Smokescreen
One of the more concerning trends is using DDoS attacks as a distraction. While the security team scrambles to restore service, the actual attack is happening elsewhere: data exfiltration, malware installation, or account compromise. Several major data breaches in recent years used DDoS as the initial diversion.
Protection Strategy: Cloudflare and CDN-Based Defense
The single most effective step most businesses can take is putting their website behind a CDN with built-in DDoS protection. We have written in detail about CDN benefits, but here is the DDoS-specific angle.
How Cloudflare Protection Works
Cloudflare (and similar services like AWS Shield or Akamai) operates a massive global network. When you route your traffic through Cloudflare, several things happen:
- Your real server IP is hidden behind Cloudflare's network, so attackers cannot target your origin directly, unless they already know the IP from before you set up Cloudflare or find it elsewhere (DNS history, mail headers, a subdomain that bypasses the CDN). For the same reason, firewall the origin so it accepts web traffic only from Cloudflare's published address ranges; a CDN in front of an origin that still answers the whole internet protects nothing once the IP leaks.
- Traffic is distributed across Cloudflare's global network of data centers. A volumetric attack that would overwhelm a single server gets absorbed across hundreds of locations.
- Malicious traffic is filtered at the edge, close to its source, before it ever reaches your server.
- Legitimate traffic passes through normally with minimal latency added.
Cloudflare's free tier includes unmetered DDoS protection. For businesses with higher risk profiles, their Pro ($20/month) and Business ($200/month) plans add the managed WAF rulesets and more advanced rate limiting.
Anycast Networks Explained
Anycast is the routing technique that makes CDN-based DDoS protection possible. In a normal (unicast) setup, your server has one IP address in one location. With anycast, the same IP address is announced from multiple locations around the world.
When an attacker sends traffic to your IP address, each packet is routed to the anycast point of presence closest to its own source. Instead of concentrating the attack on one location, the traffic gets distributed across the entire network: a 100 Gbps attack becomes manageable when it is split across 200+ data centers. The caveat is that the split follows the attack sources, not the defender's wishes. A botnet concentrated in one region lands mostly on the handful of nearby sites, which is why providers also filter at every site rather than relying on dilution alone.
Rate Limiting: Your Second Line of Defense
Rate limiting restricts how many requests a single IP address (or other identifier) can make within a given time window. It is particularly effective against application layer attacks.
Implementing Rate Limiting
Here is a practical approach:
- Identify your normal traffic patterns - Before setting limits, you need to know what normal looks like. Monitor your traffic for a few weeks. How many page views does a typical session involve? How quickly do users navigate between pages?
- Set limits per endpoint - Different pages need different limits. Your homepage might legitimately get 100 requests per minute from a single IP (think: a corporate proxy). Your login page should not get more than 10 attempts per minute from one IP.
- Use progressive responses - Do not immediately block. First, serve a CAPTCHA. Then temporarily block for 5 minutes. Then block for an hour. This reduces false positives.
- Rate limit by more than IP - Sophisticated attackers rotate IP addresses. Consider rate limiting by session token, user agent patterns, or behavioral fingerprints.
Example: Nginx Rate Limiting Configuration
A basic but effective Nginx rate limiting setup:
```nginx
# Zones must be declared in the http {} block; 10m of shared memory tracks roughly 160,000 IPs.
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

# Behind a CDN, $binary_remote_addr is the edge node's IP, not the visitor's. Restore the
# client address from the CDN's header, trusting it only from the CDN's published ranges.
set_real_ip_from 173.245.48.0/20;   # one of Cloudflare's published ranges; add all of them
real_ip_header CF-Connecting-IP;

server {
    location / {
        limit_req zone=general burst=20 nodelay;   # serve up to 20 excess requests immediately
    }
    location /api/login {
        limit_req zone=login burst=5;              # queue up to 5 excess requests, reject the rest
        limit_req_status 429;                      # Too Many Requests instead of the default 503
    }
}
```
This allows 10 requests per second for general pages with a burst allowance of 20, and 1 request per second for the login endpoint with a burst of 5. Two things trip people up. First, `limit_req_zone` belongs in the `http` block, not inside `server`. Second, if the server sits behind Cloudflare or another CDN, `$binary_remote_addr` is the CDN edge's address, so without the `real_ip` directives above you would be rate limiting Cloudflare itself and throttling every visitor who arrives through the same edge. Trust the client IP header only from the CDN's published ranges, because anyone who reaches the origin directly can set `CF-Connecting-IP` to whatever they like.
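The progressive responses and the non-IP keys from the steps above are what a static Nginx configuration cannot express on its own. The following Python sketch is an added example, not code from the original article or from any product. It assumes requests arrive as dictionaries with `peer`, `headers`, `path` and `ts` fields, uses `X-Session` as a hypothetical session header, and stands in the documentation range 203.0.113.0/24 for the CDN's published IP list.

```python
"""Progressive, per-endpoint rate limiter keyed on session token or true client IP.

Added example, not from the original article. The request dict shape, the X-Session
header and the CDN_RANGES list are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed stand-in for the CDN's published ranges (real deployments load the live list).
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Per-endpoint limits as (max requests, window in seconds); unlisted paths use "default".
LIMITS = {"/api/login": (10, 60), "default": (100, 60)}

# Escalation ladder applied per client: first excess is challenged, later ones are blocked.
ESCALATION = [("challenge", 0), ("block", 300), ("block", 3600)]


def client_key(req):
    """Identifier to count against: session token if present, otherwise the client IP.

    Behind a CDN the TCP peer is the edge node and the visitor's address arrives in a
    header (Cloudflare uses CF-Connecting-IP). That header is trusted only when the peer
    is inside the CDN's ranges; a host hitting the origin directly could otherwise mint
    a fresh identity per request simply by rotating the header value.
    """
    session = req["headers"].get("X-Session")  # hypothetical session cookie/header
    if session:
        return "sess:" + session
    peer = ipaddress.ip_address(req["peer"])
    forwarded = req["headers"].get("CF-Connecting-IP")
    if forwarded and any(peer in net for net in CDN_RANGES):
        return "ip:" + forwarded
    return "ip:" + str(peer)


class ProgressiveLimiter:
    def __init__(self, limits=LIMITS, escalation=ESCALATION):
        self.limits = limits
        self.escalation = escalation
        self.hits = defaultdict(deque)   # (key, path) -> request timestamps inside the window
        self.strikes = defaultdict(int)  # key -> number of times a limit was exceeded
        self.blocked_until = {}          # key -> timestamp when the current block expires

    def check(self, req):
        """Return 'allow', 'challenge' or 'block' for one request."""
        key, now = client_key(req), req["ts"]
        if self.blocked_until.get(key, 0) > now:
            return "block"
        limit, window = self.limits.get(req["path"], self.limits["default"])
        recent = self.hits[(key, req["path"])]
        while recent and recent[0] <= now - window:  # slide the window forward
            recent.popleft()
        recent.append(now)
        if len(recent) <= limit:
            return "allow"
        # Limit exceeded: climb one rung per violation, staying on the top rung afterwards.
        rung = min(self.strikes[key], len(self.escalation) - 1)
        self.strikes[key] += 1
        action, penalty = self.escalation[rung]
        if penalty:
            self.blocked_until[key] = now + penalty
        recent.clear()  # the verdict resets the window for this key
        return action


def simulate_login_flood(peer="198.51.100.7", count=25):
    """Constructed scenario: `count` login POSTs, one per second, from a single host that
    rotates the CF-Connecting-IP header on every request. Returns the list of verdicts."""
    limiter = ProgressiveLimiter()
    verdicts = []
    for i in range(count):
        req = {"peer": peer, "path": "/api/login", "ts": float(i),
               "headers": {"CF-Connecting-IP": f"192.0.2.{i}"}}
        verdicts.append(limiter.check(req))
    return verdicts


if __name__ == "__main__":
    # Direct to the origin: the spoofed header is ignored, so all requests share one key.
    print(simulate_login_flood())
    # Through the CDN edge: every header value is a distinct client and nothing is limited,
    # which is exactly why keying on more than the IP matters against rotating sources.
    print(simulate_login_flood(peer="203.0.113.5"))
```

Run directly against the origin, the flood gets ten allowed attempts, one challenge, ten more attempts and then a five-minute block. Run through a trusted CDN address with the same rotating header, every request looks like a new visitor and nothing is limited, which is the case the session-token key (or a behavioural fingerprint) exists for.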
Web Application Firewalls (WAF)
A WAF inspects incoming HTTP traffic and blocks requests that match known attack patterns. Unlike rate limiting, which cares about volume, a WAF examines the content of each request.
What a WAF Can Block
- SQL injection attempts in URL parameters and form fields
- Cross-site scripting (XSS) payloads
- Known bad bot signatures
- Requests from Tor exit nodes or known proxy services (optional)
- Requests with suspicious headers or malformed HTTP
- Traffic from countries where you have no customers (geographic restrictions)
For application layer DDoS attacks specifically, a WAF can detect patterns like identical requests from rotating IPs, abnormal request rates to specific endpoints, and requests with characteristics of known DDoS tools.
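Detection of that kind is easy to prototype from the access log before you pay for it. The Python script below is an added example, not code from the original article or from any WAF vendor. It parses constructed Nginx combined-format log lines and raises two kinds of alert: a path whose per-second request count spikes, and an identical request signature (method, path, user agent) arriving from many distinct IPs. The log lines, the thresholds and the `/search` endpoint are all constructed for the illustration.

```python
"""Application-layer flood detection over Nginx access logs.

Added example, not from the original article. The log lines below are constructed and
the thresholds are illustrative; tune them against your own baseline traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None when the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status, ua = m.groups()
    return {
        "ip": ip,
        "ts": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": target.split("?", 1)[0],  # drop the query string so variants group together
        "status": int(status),
        "ua": ua,
    }


def peak_rps_per_path(entries):
    """Highest number of requests seen for each path within any single second."""
    per_second = Counter((e["path"], e["ts"]) for e in entries)
    peak = {}
    for (path, _), n in per_second.items():
        peak[path] = max(peak.get(path, 0), n)
    return peak


def rotating_ip_signatures(entries, min_ips=20):
    """Identical (method, path, user agent) tuples issued from at least min_ips distinct IPs.

    Humans behind different addresses rarely share an exact signature in large numbers;
    a botnet or a booter rotating through proxies does.
    """
    sources = defaultdict(set)
    for e in entries:
        sources[(e["method"], e["path"], e["ua"])].add(e["ip"])
    return {sig: len(ips) for sig, ips in sources.items() if len(ips) >= min_ips}


def alerts(lines, rps_threshold=20, min_ips=20):
    """Run both detectors over raw log lines and return human-readable alert strings."""
    entries = [e for e in map(parse_line, lines) if e]
    out = []
    for path, rps in sorted(peak_rps_per_path(entries).items()):
        if rps >= rps_threshold:
            out.append(f"rate spike: {path} peaked at {rps} requests in one second")
    for (method, path, ua), n in rotating_ip_signatures(entries, min_ips).items():
        out.append(f"rotating sources: {n} distinct IPs sent identical {method} {path} with UA {ua!r}")
    return out


def constructed_log():
    """Three ordinary visitors, one unparseable line, then a one-second burst on the search page."""
    fmt = '{ip} - - [10/Oct/2024:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 5123 "-" "{ua}"'
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/130.0"
    lines = [
        fmt.format(ip="192.0.2.10", sec=31, path="/", ua=browser),
        fmt.format(ip="192.0.2.10", sec=33, path="/products", ua=browser),
        fmt.format(ip="192.0.2.11", sec=31, path="/", ua=browser),
        fmt.format(ip="192.0.2.12", sec=35, path="/search?q=shoes", ua=browser),
        "garbage line that does not parse",
    ]
    # 60 hits on the expensive search page, same second, same tool UA, 60 different IPs.
    lines += [fmt.format(ip=f"198.51.100.{i}", sec=40, path="/search?q=cheap",
                         ua="python-requests/2.31") for i in range(60)]
    return lines


if __name__ == "__main__":
    for alert in alerts(constructed_log()):
        print(alert)
```

Feeding the live access log through the same two detectors (tail the file, keep a sliding window of the last minute) gives you a cheap alert source for the monitoring layer described later, and the thresholds you end up with are the same numbers you need when writing rate-limit and WAF rules.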
Managed vs. Custom Rules
Most WAF providers offer both managed rulesets (maintained by the provider) and custom rules (you write them). Start with managed rules and add custom ones as you learn your specific threat landscape.
Cloudflare's WAF, for example, includes rulesets maintained by Cloudflare's threat intelligence team that are automatically updated as new attack patterns emerge. You can then add custom rules like "block any POST request to /api/search whose body exceeds 1 KB" or "challenge any request to /admin from outside Switzerland."
Building a Multi-Layered Defense
No single measure stops all DDoS attacks. Effective protection requires layers:
Layer 1: Network Level
- Use a CDN/DDoS protection service (Cloudflare, AWS Shield, etc.)
- Keep your origin server IP hidden
- If possible, use anycast for your own infrastructure
- Ensure your hosting provider has upstream DDoS filtering
Layer 2: Server Level
- Configure your firewall to drop obviously malicious traffic (invalid TCP flag combinations, packets from bogon or spoofed source ranges, UDP to ports where nothing listens)
- Enable SYN cookies to handle SYN floods (on Linux, `net.ipv4.tcp_syncookies=1`; most distributions ship it enabled, but verify rather than assume)
- Tune kernel parameters for high connection loads, such as `net.core.somaxconn`, `net.ipv4.tcp_max_syn_backlog` and the open-file limit of the web server process
- Implement connection timeouts aggressively, in particular for reading request headers and bodies, which is what blunts Slowloris-style attacks
Layer 3: Application Level
- Deploy a WAF with both managed and custom rules
- Implement rate limiting per endpoint
- Cache aggressively to reduce backend load
- Use asynchronous processing for heavy operations
- Implement circuit breakers so that one slow service does not cascade
Layer 4: Monitoring and Response
- Set up alerts for traffic anomalies
- Have a DDoS response runbook ready
- Know your hosting provider's DDoS policies and contacts
- Practice your response plan at least once a year
Real Attack Examples
GitHub (2018) - 1.35 Tbps Memcached Attack
In February 2018, GitHub was hit with the largest DDoS attack recorded at that time: 1.35 Tbps using Memcached amplification. Traffic went from normal to 1.35 Tbps within minutes. GitHub rerouted its traffic to its DDoS mitigation provider (Akamai Prolexic), which absorbed the attack; the whole incident, from detection to full recovery, lasted roughly ten minutes. The attack used only about a thousand different autonomous systems, showing how amplification can turn modest resources into massive attacks.
Dyn DNS (2016) - The Mirai Botnet
The Mirai botnet, built from compromised IoT devices (cameras, DVRs, routers), attacked the Dyn DNS infrastructure and took down a significant portion of the internet on the US East Coast. Sites like Twitter, Reddit, Netflix, and CNN became unreachable. The attack demonstrated the danger of unsecured IoT devices and the vulnerability of centralized DNS infrastructure.
Small Business Attacks - The Unreported Majority
For every headline-grabbing attack on a major company, thousands of small and medium businesses get hit without any media coverage. A common pattern: a competitor or disgruntled individual rents a DDoS-for-hire service (called a "booter" or "stresser") for $20-50 and takes down a small business site for hours. The business loses revenue, scrambles to respond, and often has no idea what happened or how to prevent it next time.
We have worked with businesses in Lugano and across Switzerland that experienced exactly this scenario. In most cases, putting the site behind Cloudflare and implementing basic rate limiting was enough to prevent repeat attacks.
The Cost of Downtime vs. the Cost of Protection
Here is the math that should guide your decision:
| Protection Level | Monthly Cost | What You Get |
|---|---|---|
| Cloudflare Free | $0 | Unmetered DDoS protection, shared SSL, CDN caching |
| Cloudflare Pro | $20 | Managed WAF rules, enhanced DDoS, image optimization |
| Cloudflare Business | $200 | Custom WAF rules, 100% uptime SLA, priority support |
| AWS Shield Standard | $0 (with AWS) | Layer 3/4 DDoS protection |
| AWS Shield Advanced | $3,000 (1-year commitment) | Layer 7 protection via AWS WAF, DDoS cost protection, 24/7 access to the AWS DDoS Response Team |
Compare those costs to even one hour of downtime for your business. For most companies, the investment in protection is trivially small compared to the potential losses.
Practical Steps You Can Take Right Now
- Set up Cloudflare (or a similar service). Even the free tier is dramatically better than no protection. You can do this in under an hour.
- Hide your origin IP. After setting up Cloudflare, make sure your actual server IP is not exposed in DNS history, email headers, or subdomains that bypass the CDN, and restrict the origin's firewall to Cloudflare's address ranges so a leaked IP cannot be hit directly.
- Enable rate limiting on your most sensitive endpoints (login, search, API).
- Set up monitoring. At minimum, use uptime monitoring (like UptimeRobot or Pingdom) so you know immediately when your site goes down.
- Create a response plan. Who gets called? What are the steps? Write it down before you need it.
- Test your resilience. Use legitimate load testing tools (not actual DDoS tools) to understand your site's capacity limits.
- Review your hosting provider's DDoS policy. Some providers will null-route your IP at the first sign of attack. Others offer mitigation. Know which one you are on.
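A quick way to verify the second step, that no DNS record bypasses the CDN, is to audit a zone export. The Python script below is an added example, not code from the original article or a Cloudflare tool. It parses a constructed BIND-style zone fragment, flags A/AAAA records that point at the origin or at any address outside the CDN's ranges, and flags an MX host that shares the origin address, since outbound mail from that host leaks the IP in every Received: header. The zone text, the origin address 198.51.100.20 and the CDN range 203.0.113.0/24 are all constructed placeholders.

```python
"""Audit a DNS zone export for records that expose the origin behind a CDN.

Added example, not from the original article. ZONE, ORIGIN and CDN_RANGES are
constructed placeholders; substitute a real zone export and the CDN's published ranges.
"""
import ipaddress

CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed stand-in for the CDN list
ORIGIN = ipaddress.ip_address("198.51.100.20")         # the server the CDN is meant to hide

# Constructed BIND-style zone: www is proxied, but dev and mail still point at the origin.
ZONE = """\
example.com.         300 IN A     203.0.113.10
www.example.com.     300 IN A     203.0.113.10
dev.example.com.     300 IN A     198.51.100.20
mail.example.com.    300 IN A     198.51.100.20
example.com.         300 IN MX    10 mail.example.com.
ftp.example.com.     300 IN CNAME www.example.com.
"""


def parse_zone(text):
    """Return (name, type, rdata list) for each 'name ttl IN type rdata...' line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines, comments and records written in other notations
        name, _ttl, _cls, rtype, *rdata = parts
        records.append((name.rstrip("."), rtype, rdata))
    return records


def origin_exposures(records, origin=ORIGIN, cdn_ranges=CDN_RANGES):
    """Return findings describing records that reveal or bypass the origin."""
    findings = []
    addr_of = {}
    for name, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata[0])
        addr_of[name] = addr
        if addr == origin:
            findings.append(f"{name}: {rtype} record points straight at the origin {addr}")
        elif not any(addr in net for net in cdn_ranges):
            findings.append(f"{name}: {rtype} record {addr} is outside the CDN ranges")
    # Mail served from the origin host leaks the address in every outbound Received: header.
    for name, rtype, rdata in records:
        if rtype == "MX":
            host = rdata[-1].rstrip(".")
            if addr_of.get(host) == origin:
                findings.append(f"{name}: MX host {host} is the origin; outbound mail will leak its IP")
    return findings


if __name__ == "__main__":
    for finding in origin_exposures(parse_zone(ZONE)):
        print(finding)
```

The second check is the one most often missed: a site can be perfectly proxied and still give its origin away every time the contact form sends an e-mail from the same box. Run the audit again after every DNS change, and remember that historical DNS data services keep the pre-CDN address forever, so a server that was ever exposed should get a new IP when it moves behind the CDN.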
When to Call the Professionals
If your business depends on web availability and you are handling sensitive data or significant transaction volumes, DIY protection has its limits. A professional security assessment can identify gaps in your defense that you might not see.
At Envestis, we help businesses in Lugano and across Switzerland build multi-layered DDoS protection strategies tailored to their specific risk profile and budget. Get in touch with our team if you want a clear picture of where your defenses stand and what needs to be done.
Want to know if your site is secure?
Request a free security audit. In 48 hours you get a complete report.