How does protection against DDoS attacks work? Four ways to protect against DDoS attacks

The DDoS protection service is intended for users of the Dedicated Server and Hosted Server services, as well as for clients renting server racks.
This article describes in detail how the protection is provided.

DDoS attacks: quick reference

DDoS stands for Distributed Denial of Service. A DDoS attack disrupts the functioning of the attacked machine by sending requests to it from numerous hosts.

Typically, DDoS attacks are carried out through a botnet - a network of computers on which malware is installed (this is called zombification).

Some types of attacks can be carried out without a botnet (for example, UDP flood).

We will not dwell in more detail on the classification of DDoS attacks - an interested reader can easily find numerous materials on this topic on the Internet. Of much greater interest to us are existing DDoS protection techniques. We will look at them below.

DDoS protection methods

Methods of protection against DDoS attacks are divided into two large groups: prevention methods and response methods.

To prevent DDoS attacks, hardware methods for protecting the network perimeter are usually used - a firewall in combination with an intrusion detection system (IDS). However, they do not provide protection in the strict sense of the word.

It is quite possible to organize a DDoS attack within the framework of packets allowed by the firewall. When it comes to IDS, they typically work through signature and statistical analysis, comparing incoming packets to existing traffic patterns. If an attack is carried out by sending regular network packets that are not individually malicious, not all IDS will be able to detect it.

In addition, both firewalls and IDS are often session control devices, so they themselves can become the target of attack.

An effective means of minimizing downtime during DDoS attacks is multiple redundancy - organizing clusters of servers located in different data centers and connected to different communication channels. If one of the components of such a system fails, clients will be redirected to working servers. This method has only one drawback: building a distributed cluster with multiple redundancy is very expensive.

Reaction methods are used in a situation where an attack has already begun and needs to be stopped (or at least its consequences minimized).
If the target of the attack is a single machine, then you can simply change its IP address. The new address can then be given only to the most trusted external users. This solution can hardly be called ideal, but it is quite effective.

In some cases, filtering techniques help. By analyzing malicious traffic, you can detect a certain signature in it. Based on the analysis results, you can build a router ACL or firewall rules.
Additionally, most attack traffic often comes from a specific ISP or backbone router. In such a situation, a possible solution is to block the direction from which the questionable traffic is coming (it should, however, be taken into account that legitimate traffic in this case will also be blocked).

If none of the methods listed above helps and nothing else can be done, so-called blackholing is used - redirecting traffic to a non-existent interface (into a “black hole”). As a rule, this leads to the fact that the attacked server is inaccessible from the external network for some time. For this reason alone, blackholing can hardly be called a full-fledged method of protection: in fact, it only helps the organizers of the attack to quickly achieve their goal - to make the attacked resource inaccessible.

In recent years, integrated software and hardware solutions for DDoS protection have become widespread. Their advantage is that they can block malicious traffic without creating problems with the availability of the attacked service for legitimate users. The market offers hardware and software systems for DDoS protection from Cisco, Arbor Networks, F5, Juniper and others.

Our DDoS protection service is also implemented on the basis of a specialized software and hardware complex. It is provided jointly with our partners - the Servicepipe company.

DDoS protection system

The DDoS protection system used includes not one, but several hardware and software systems, including Arbor Pravail and F5. Traffic cleaning and analysis is carried out directly on the network using specialized software tools.

This system provides protection against the following types of attacks:

  • TCP flood;
  • SYN flood;
  • illegitimate combinations of TCP flags;
  • attacks on TCP sessions such as TCP Idle, Slow TCP and others;
  • attacks on HTTP sessions (Slowloris, Pyloris, etc.);
  • HTTP flood;
  • DNS flood;
  • DNS Cache Poisoning;
  • UDP flood;
  • ICMP flood;
  • IP, TCP and UDP fragment attacks;
  • attacks on VoIP and SIP.

If attacks are detected, the following countermeasures can be used:

  • Invalid Packet List - filtering of packets that do not comply with RFC;
  • creating black and white lists of IPv4 and IPv6 addresses;
  • GeoIP Filter Lists - filtering traffic by country (blocks traffic from countries where the largest number of DDoS attacks come from);
  • GeoIP Policing - traffic policing by country (monitoring incoming traffic and limiting traffic from countries where the largest number of DDoS attacks come from);
  • Flexible Zombie Detection - identifying zombies and creating profiles of legitimate traffic;
  • TCP SYN Authentication - countering TCP floods through client authentication;
  • DNS Authentication - countering DNS floods through client authentication;
  • DNS Scoping - validation of DNS queries using regular expressions;
  • DNS Malformed - checking DNS requests for compliance with RFC;
  • DNS Rate Limiting - limiting the number of DNS requests from one IP address (suitable only for resources with low traffic: in our country, providers very often use NAT. A quite typical case is when a “gray” /16 subnet accesses the Internet through one IP, and all DNS requests come from one address);
  • DNS NXDomain Rate Limiting - validation of DNS responses. This countermeasure is intended for attacks in which the cache of DNS servers is filled with invalid entries; it is aimed at tracking requests with a non-existent DNS name;
  • DNS Regular Expression - filtering DNS queries using regular expressions;
  • TCP Connection Reset - prevents TCP connections from taking too long;
  • Payload Regular Expression - filtering traffic by applying a regular expression to packet payloads;
  • HTTP Malformed - blocking HTTP traffic that does not comply with RFC;
  • HTTP Rate Limiting - limiting the number of HTTP requests from one IP address;
  • HTTP Scoping - validation of HTTP requests using regular expressions;
  • SSL Negotiation - blocking SSL traffic that does not comply with RFC;
  • AIF and HTTP/URL Regular Expression - applying AIF signatures to the traffic being examined;
  • SIP Malformed - blocking SIP traffic that does not comply with RFC;
  • SIP Request Limiting - limiting the number of SIP requests from one IP address.
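
The NAT caveat attached to DNS Rate Limiting above can be seen in a small simulation. The following Python is an added example, not code from the service or its vendors; the limiter class, the threshold of 20 queries per second and the constructed traffic (documentation-range addresses) are assumptions made for illustration. The same per-address counting underlies HTTP Rate Limiting and SIP Request Limiting.

```python
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Sliding-window limiter: at most `limit` queries per `window` seconds per source IP."""

    def __init__(self, limit, window=1.0):
        self.limit = limit
        self.window = window
        self._seen = defaultdict(deque)  # source IP -> timestamps of accepted queries

    def allow(self, src_ip, now):
        q = self._seen[src_ip]
        # Forget accepted queries that have left the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def build_constructed_traffic():
    """Constructed sample: (timestamp, source IP seen by the filter, who really sent it)."""
    events = []
    # One flooding host: 200 queries within a single second.
    for i in range(200):
        events.append((i / 200, "198.51.100.7", "flooder"))
    # 300 subscribers behind provider NAT, one query each in the same second.
    # The filter only sees the shared public address.
    for i in range(300):
        events.append((i / 300, "203.0.113.10", "nat_subscribers"))
    # One ordinary client with its own public address.
    for i in range(5):
        events.append((i / 5, "192.0.2.44", "direct_user"))
    return events


def replay(limiter, events):
    """Feed events to the limiter in time order; return {sender: [allowed, dropped]}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src, sender in sorted(events):
        stats[sender][0 if limiter.allow(src, ts) else 1] += 1
    return dict(stats)


if __name__ == "__main__":
    result = replay(PerSourceRateLimiter(limit=20), build_constructed_traffic())
    for sender, (allowed, dropped) in result.items():
        print(f"{sender:16s} allowed={allowed:3d} dropped={dropped:3d}")
```

The flooder and the NAT pool are indistinguishable to a per-address counter: both are cut to 20 queries, so 280 of the 300 legitimate subscribers lose their query.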

How it works

For clients ordering the DDoS protection service, we provide protected IP addresses (one address is included in the basic tariff, additional addresses can be ordered through the control panel). We also allocate a special lane for protected traffic. Traffic from the Internet goes to protected addresses through a network of our partners, where it undergoes a cleaning procedure.
All illegitimate traffic is dropped on the partner’s network. Clients receive only cleared traffic. Outgoing traffic then enters the Internet through the Selectel infrastructure.

The route of cleared traffic is shown in the following diagram:

Advantages

Among the advantages of our DDoS protection system, we should first highlight the following:

  • fast connection: complete setup of DDoS protection takes 1-2 business days;
  • affordable prices and transparent tariff scheme: only incoming cleared traffic is subject to payment;
  • no need for complex configuration on the client side: just configure the protected IP address as an alias or on a loopback interface.

The service is already available for ordering in the control panel (section “Network Services”).
When ordering, you will need to fill out a special questionnaire and indicate the following:

  • the main purpose of using the server;
  • the number of IP addresses that need to be protected;
  • desired DDoS protection measures.

Based on the information provided, we will build an optimal protection strategy, taking into account the specifics of each project.

For the most popular server use cases (web server, application server, DNS server), we have prepared special protection templates suitable for most clients.

“DDoS Protection” is a new service, and for its further development it is very important for us to receive feedback from customers. We will be grateful for any comments, suggestions and wishes. We will try to take into account the most interesting ideas in further work.

With DDoS attacks becoming more common, it's time to look at the basic ways to protect against and combat them.

DDoS is an attack method used to deny access to legitimate users of an online service. The attack could be on a bank or e-commerce site, SaaS application, or any other type of network service. Some attacks can even target VoIP infrastructures.

The attacker uses a non-trivial amount of computing resources, which he either built himself or, more often, obtained from vulnerable computers around the world, to send fake traffic to the site of choice for the attack.

For example, suppose a bank's website can serve 1,000 people at the same time, and an attacker sends 10,000 false requests per second. In this case, none of the real users will be able to access the site. There are many reasons for DDoS attacks: extortion, activism, competition between brands, and simple boredom.

DDoS attacks vary in complexity and size. An attacker can make a fake request look like random garbage on the Internet. A more laborious but more effective attack sends data that looks exactly like real web traffic. Additionally, if an attacker has enough computing resources at their disposal, they can send enough traffic to completely overwhelm the victim site's bandwidth.

The simplest types of attacks are considered to be Layer 3 and 4 DDoS attacks (IP and UDP/TCP in the OSI stack). The server receives so much “flood” that it simply cannot process real network traffic anymore, since the attack sends a lot of data through the network connection to the target. A more complex attack is a Layer 7 attack, which “imitates” real users and tries to use web applications, search for content on a site, or perform other complex actions (use the “Add to map” button or other resource functions).

There are four main types of protection against DDoS attacks:

Do DDoS protection yourself.

This is the simplest and least effective method. Typically, someone will write some Python scripts that try to filter out bad traffic, or the enterprise will try to use its existing firewall to block the traffic. Back in the early 2000s, when attacks were fairly simple, this could have worked. But today attacks are too strong, large and complex for this type of defense. The firewall will not withstand the load of even the simplest attack.

Specialized equipment.

It's similar to "Do It Yourself" in that the enterprise does all the work to stop the attack, but instead of relying on scripts or an existing firewall, they purchase and deploy specialized DDoS prevention appliances. This is specialized hardware that sits in the enterprise data center in front of regular servers and routers and is specifically designed to detect and filter malicious traffic. However, there are some fundamental problems with these devices:

They are expensive products that may not work until you are attacked. They can also be expensive to operate. These devices require qualified network and security engineers to operate because they do not have a magic “ ” button.

They must be continually updated by the task force to stay abreast of the latest threats. DDoS tactics change almost daily. Your team should be prepared to update these devices for the latest attack variants.

They can't handle volumetric attacks. It is unlikely that an enterprise will have enough bandwidth to handle the very large DDoS attacks occurring today. This hardware is of no use when the attack exceeds the network's capacity.

Internet Service Provider (ISP).

Some businesses use their ISP to provide DDoS mitigation. These providers have higher bandwidth than an enterprise, which can help with large volume attacks, but there are three key problems with these services:

Lack of core competency: ISPs are in the business of selling bandwidth and are not always investing the necessary capital and resources to stay ahead of the latest DDoS attacks. This can increase the costs of the services they need to provide, so they do it as cheaply as possible.

Single Provider Protection: Most enterprises today have multiple hosts across two or more network providers to remove a single provider point of failure. Having two or more providers is a best practice for increasing uptime. ISP DDoS mitigation solutions only protect their network links, not other links you have, so now you need DDoS mitigation services from different providers, doubling your costs.

Lack of Cloud protection. Similar to the above case, many web applications these days are split between enterprise-owned data centers and cloud services such as Amazon AWS, GoGrid, Rackspace, etc. Internet service providers cannot secure traffic from these cloud services.

Cloud server protection provider.

These service providers are experts in providing DDoS mitigation from the Cloud. This means that they have accumulated a huge amount of network capacity and bandwidth across multiple sites across the Internet. These resources can accept any type of network traffic, whether you use multiple providers, your own data center, or any number of cloud providers. They can scrub traffic for you and send only “clean” traffic to your data center.

Cloud server protection providers have the following advantages:

Expertise: These providers typically have networking and security engineers and researchers who keep track of the latest DDoS tactics to better protect their customers.

Larger Bandwidth: These providers have much more bandwidth than enterprises, so they can handle even the highest-volume attacks on their own.

Several types of DDoS attack mitigation equipment are extremely complex. There is a need for multiple layers of filtering to be able to keep up with the latest threats. Cloud providers must use a variety of technologies, both commercial (COTS) and their own proprietary methods to protect against attack.

Cloud server protection providers are the logical choice for businesses for their DDoS protection needs. It is the most cost-effective and scalable solution to keep up with rapid advances in DDoS attacker tools and techniques.

Hello, dear readers of the blog site. Who hasn't heard of CloudFlare? I heard and even studied in detail the possibilities of the service about five years ago, probably (when). But now I won’t say what exactly then stopped me from trying this service (I don’t remember). But that doesn't matter.

The important thing is that on the first working day after the New Year holidays, I still had to connect the site to CloudFlare and, moreover, in emergency mode (with tearing out my hair, drinking liters of coffee and banging my head on the table). This had to be done because access to the site was completely blocked (most likely through a DDoS attack - access via FTP was possible).

I'm a terrible server administrator and, by and large, I understand little about the intricacies and types of DDoS attacks (neither how they are organized, nor how to competently fight them off - except for the simplest IP blocking). When you don’t encounter this, then you don’t need it.

But it turns out that on the first working day after the New Year holidays, I was harassed, and neither I nor the hosting technical support could do anything about it. Hiring a freelancer to solve the problem was scary. Well, at least over the phone the guys from Infobox gave me the idea of connecting CloudFlare (as one of the options for solving the problem) and I grabbed this idea like a straw.

I didn’t really count on success (in the few hours it took to reset the old ones and register new NS addresses, I managed to learn a lot about the topic and even drew up a rough plan of action). But to my surprise, the bourgeois miracle service helped! Moreover, even on the free plan. The DDoS attack protection mode worked great. Honestly, I didn’t expect it. I was pleasantly surprised. Moreover, the site began to fly like on wings (although it was not a turtle before).

In general, this doesn’t happen, but it still happens...

What is DDoS and what is CloudFlare?

What is DDoS? Well, first of all, it’s an abbreviation for “distributed denial of service.” In Russian, this sounds like a distributed attack, the goal of which is to cause the attacked server (group of servers) to deny service to visitors to the site(s). The site will give an error to everyone who wants to enter it.

The word “distributed” means that a DDoS attack comes from many computers on the network at once. Very often, a so-called botnet is used for this purpose, i.e. a group of computers infected with viruses or otherwise taken under control. The owners of computers included in the botnet may not even realize that they are attacking someone (everything happens in the background).

Physically, this means a huge number of requests made to the server from different IP addresses. If there are only one or a few addresses, you can easily identify them from the logs or by opening the page http://xxx.xxx.xxx.xxx/server-status (where x must be replaced with the IP of your server if it is running Apache). After that, it is not a problem to temporarily block suspicious IPs, for example, through the .htaccess file by adding lines to it (replace the IPs with your own - you can add as many lines with Deny from as you like):

Order allow,deny
allow from all
Deny from 83.149.19.177
Deny from 87.228.80.49
Deny from 178.212.72.13

This helped me for a while. But there’s no way to fight off real DDoS - you simply won’t have time to detect duplicate IP addresses if they attack from dozens and/or hundreds of hosts. This is what happened to me. As a result, 7 hours of complete downtime!
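
The log-based blocking described above, and the point where it stops working, can be shown on sample data. The following Python is an added example, not code from the original post; the function names, the threshold of 100 requests and the constructed log lines (documentation-range addresses, made-up timestamps) are assumptions. It emits the same Apache 2.2-style directives the post uses.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log format: %h %l %u %t "%r" %>s %b ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def count_requests(lines):
    """Count requests per client address, skipping lines that do not parse."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            # Only literal IP addresses may end up in a Deny rule.
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue
        counts[ip] += 1
    return counts


def deny_candidates(counts, min_requests=100):
    """Addresses whose request count in the sampled log reaches the threshold."""
    return sorted(ip for ip, n in counts.items() if n >= min_requests)


def top_share(counts, n=3):
    """Fraction of all requests sent by the n busiest addresses."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0


def htaccess_block(ips):
    """Render the .htaccess fragment for the given addresses."""
    lines = ["Order allow,deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in ips]
    return "\n".join(lines)


def constructed_log(attack_ips, hits_each):
    """Constructed sample log: attack traffic plus 40 ordinary visitors, 3 hits each."""
    visitors = [f"192.0.2.{i}" for i in range(1, 41)]
    plan = [(ip, hits_each) for ip in attack_ips] + [(ip, 3) for ip in visitors]
    lines = []
    for ip, hits in plan:
        for n in range(hits):
            stamp = f"01/Jan/2000:10:{n // 60:02d}:{n % 60:02d} +0000"
            lines.append(f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512')
    return lines


# Case 1: three noisy sources. Case 2: 400 sources sending 4 requests each.
FEW_SOURCES = ["198.51.100.7", "198.51.100.8", "203.0.113.9"]
MANY_SOURCES = [f"198.51.100.{i}" for i in range(1, 201)] + \
               [f"203.0.113.{i}" for i in range(1, 201)]

if __name__ == "__main__":
    for name, ips, hits in (("few", FEW_SOURCES, 300), ("many", MANY_SOURCES, 4)):
        counts = count_requests(constructed_log(ips, hits))
        print(f"[{name}] {len(counts)} addresses, top-3 share {top_share(counts):.1%}")
        print(htaccess_block(deny_candidates(counts)))
```

In the second case each attacking address sends about as many requests as an ordinary visitor, so no address reaches the threshold and the generated block contains no Deny lines.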

For the first two hours I talked with the hosting technical support about “help” - “we can’t.” Then in five minutes I connected to the CloudFlare site, in another couple of minutes I changed the DNS records and waited for four hours for the connection to start (they must update on all key NS servers on the network). The site was fully operational only after about a day.

What is DDoS? This is a scary thing indeed. You feel completely powerless and hopeless. From the attackers’ side, this is a way to make money (through blackmail or fulfilling a competitor’s order). Constant protection from this evil is very expensive, but CloudFlare, even with a free plan, allows you to fight off a weak-to-medium DDoS attack.

This service has millions of connected sites (about five million), and the service developers always clearly track which IPs attacks usually come from at the moment. Such visitors can, for example, be shown a captcha (bots are unlikely to solve it), or the browser behind such a suspicious IP can be checked for “humanity”. And their servers themselves, distributed throughout the world, do a good job of thinning out the denial attack - these requests are simply distributed to different servers and greatly reduce the strength of the attack, reducing all the efforts of the “radishes” to nothing.

For more serious DDoS protection in CloudFlare you need to pay quite a bit ($200). But this is all for a very serious business, where DDoS is more powerful (more money is poured into it), but the owners also have a lot more money. The PRO tariff for $20 or even the free tariff, which has almost everything, will be enough for you and me (read about it below).

What is CloudFlare? This is an online service that dates back to 2009 (it is the same age as my blog). This is by no means hosting, although from the outside it may seem so. It's more of an add-on to the hosting (something like a caching reverse proxy). After connecting the site to this online service, its IP address changes and it seems that you have changed the hoster, but this is not the case.

You will still need hosting and you will work with the site in virtually the same way as you did before. There will be some nuances, but the essence will remain the same. CloudFlare is needed for protection (stable operation) and acceleration of the site.

More than five million sites around the world are already connected to it. This online service owns a distributed network of data centers (more than 120) around the world (one has appeared in Moscow since last year). The latter is especially pleasant, because it provides a much faster response when accessing sites from Russia (although our country is large and we need to build more centers).

So, CloudFlare owns a bunch of servers distributed all over the world. For what? So that the sites added to it load in visitors’ browsers as quickly as possible. All graphics, CSS and JavaScript code will be served from the data center that is closest to the given visitor to your site. Did the visitor come from Moscow? This means that the Moscow data center will start working. From USA? This means that graphics and other statics will be given to the visitor from the Cloud Flare node closest to him.

This alone can already increase the average loading speed of pages on your site. But this service has several more aces and jokers in its stash. Working with millions of sites and repelling attacks every second, the service has a database of addresses from which sites are now most often attacked. This alone can, even with a free plan, serve as the first echelon of protection against DDoS attacks (and you don’t need to spend a lot of resources and time on this).

In addition, the service allows you to enable the “Under Attack Mode”, when each access to the site is interrupted for 5 seconds to determine the type of browser from which the visit was made. It was this mode that saved me in the hopeless situation described above. Yes, in this case all bots and some legitimate users are cut off (at a glance, the traffic has become twenty percent less), but this is better than a complete server denial of access.

After the DDoS attack is over, you can disable this mode and select the appropriate vigilance level. If the attack is repeated, it can be easily turned on even from a mobile phone while sitting in the subway (the main thing is to react in time).

In general, even with the free plan, almost everything you need is already there. You can even compress CSS and JavaScript files on the fly (removing spaces from them) to increase loading speed by a drop. Believe it or not, with the free plan at CloudFlare you can even connect SSL to your site (switch to the encrypted data transfer protocol - https, which Google has been actively encouraging us to do lately). Moreover, the service provides its own free certificate.

Some kind of fantasy, isn't it? See for yourself the comparison table of tariff plans (including Free). Plague! If your hosting goes down (there are problems), then Cloud Flare will serve site pages from its cache during this period of time (and it works - I checked it by stopping the server, but there are nuances that you should read about below, otherwise it won’t work). Maybe I missed something from the free delights, but this is more than enough (for that reason).

By the way, this service does not have an affiliate program, but there are a lot of competitors on the RuNet with crazy price tags (for example, protection against DDoS attacks in qrator costs a lot). Therefore, when you read reviews about CloudFlare on forums or blogs, pay attention to the often very subtle work of these competitors (the capabilities of CloudFlare are underestimated, and their service or add-on is underestimated). Many are underway, but the service is definitely in the category of “this can’t happen, but it still exists.”

No, it also has disadvantages. Which? Well, often very significant:


What do you get from switching to the PRO tariff in CloudFlare?

As I said above, I bought PRO for $20 a month (it turned out to be one and a half times more expensive than hosting) and I was transferred (without my request - automatically) to a new IP, where there are only three neighbors and they are quite legitimate.

In addition, the paid tariff has the opportunity to:

  • Polish (the “Speed” tab from the top menu) - compress images on the fly before sending them to site visitors (you can configure the compression option - lossless or lossy, but more strongly).

  • Mirage - allows you to load images on mobile devices not immediately, but as the visitor scrolls the page. In addition, images are compressed to the actual required sizes and only then transferred to the user in the gadget. It seems like this greatly speeds up the site on mobile phones.

    For example, if you open my blog from a mobile phone, then when you quickly scroll the page you will see that instead of pictures, placeholders are inserted, which are replaced with real images only when they hit the viewing screen.

    And now he gives a significantly lower rating - he swears that some of the content on the first screen is not loaded on time. Who will understand him?

  • Page Rules - on a paid account it becomes possible to set more than three rules for pages (or rather, up to 20). Why are these rules needed? For example, they allow you to configure caching not only of static content, but also of HTML pages of the site. Well, there are other applications, but I only need it for the described purpose. Read below on how to set up full site caching (including page text, not just images, scripts and styles).
  • Web Application Firewall - on a paid account you can activate (on the “Firewall” tab from the top menu) a basic set of protection against various attacks such as cross-site scripting (XSS) and SQL injections. All such activity will be cut off (filtered) while still at CloudFlare (not reaching the real hosting). You can also add your own rules, but I’m not good at this, so I limited myself to the standard (time-tested and millions of sites) set.
  • It will also be possible to make your own design for pages with various errors using a paid account. For example, when you turn on the “Under Attack Mode”, all new visitors to the site will be shown a message that their browser is being checked for “humanity” (if you read Search, you might have seen such a message in their over the past year, after they connected Cloud Flare).

    This sign is in bourgeois language and some visitors may simply run away. But if you write something like “Guys, guys, guys! Do not leave! Literally 5 seconds and everything will be done!”, then the chance to retain the visitor will increase. I'm still too lazy to do this...

  • I pay the tariff through PayPal, which is very convenient. When setting up payments, I was asked, but the money was not withdrawn from the card, but directly from the wallet itself (I withdraw to it). It’s cool that every subsequent month the payment occurs without my participation - the money is automatically debited from the PayPal wallet on the day of payment, which is very convenient.

    It’s no wonder, because Paypal allows you to protest the payment within a month and a half, if anything happens.

How to connect your website to CloudFlare?

    Well, here, by the way, everything is quite simple if the connection wizard can pull out all the necessary settings for transferring your site (its IP, MX records). However, first things first.

    Go to Cloud Flare and register (like the apple of your eye, because this is the key to your site).

    I’ll say right away that there’s nothing special to be afraid of, because if the connection fails, you won’t have to wait a day for the DNS records to be rewritten again. Just click on the bubbles on the DNS settings page and your site will work directly (I had to do this with one of the minor projects, which for some reason stopped opening with CloudFlare - see the screenshot below). But in any case: all responsibility for your actions lies only with you, and I will be here, as if I had nothing to do with it.

    Immediately after registration, you can go to the page for adding a new site, where you just need to insert its domain name into the proposed line and click on the “Begin Scan” button:

    Here, as you can see, everything is OK - the service found all the main NS records (including mail), which is good. Caching was automatically turned on for future data transferred from this site (the clouds were colored). Go ahead.

    As I said above, even a free tariff plan is suitable for protection against DDoS (you can also get a free SSL certificate with it, if you wish). I described the differences between the PRO plan and the free plan above, so choose what you need (I don’t care). Go ahead.

    Now the main thing. You need to go to the panel of your domain name registrar () and change the NS records there to those suggested at this step by the CloudFlare wizard. For example, in WebMoney Domains this is done on this page:

    You just need to replace the entries in two lines with what Cloud Flare gave you and wait from 4 hours to 2 days until the whole thing is registered on all NS of the Internet. Let’s go further, and after a few hours after registering new NS servers, you can click on the “Recheck Nameservers” button:

    Please note that below are the default settings that will be applied to your site immediately after the final connection to CloudFlare (medium level of security and standard caching, which means that only static images, styles and scripts are cached).

    If the DNS connection has already been completed, then the status after clicking on the mentioned button will change:

    The “Quick Actions” button allows you to quickly switch to protection mode against DDoS and other types of attacks, which is called “Under Attack Mode”. When switching to Cloud Flare, I had to do exactly this. I had this “Under Attack Mode” turned on for about 12 hours until the attack stopped.

    During this time, access to the site is limited and all connections are checked to ensure they are legitimate. Any bots, including search engines, will not be able to get to the site. In general, it is not worth working in it longer than necessary (while the attack is underway). Read a little more about turning on and off the DDoS attack protection mode at the very end of this publication.

100% uptime for the site using CloudFlare

    By offline operation of a site, I mean a situation where, for some reason, your hosting goes down, and the site continues to be available to visitors. This, as they say, is an extreme case. But often hosting may simply not cope with high load (caused by traffic or the use of many plugins and poor engine optimization). In this case, caching HTML pages in CloudFlare will again help.

    By default, as I understand it, the service caches only static files: images, CSS and JS. All. In principle, this can greatly facilitate the work of hosting and speed up the loading of website pages in different parts of the world. But often this is not enough. And that's not even the main thing. In this mode, the “Always Online” function does not work, because Cloud Flare cannot work miracles and serves pages from its own cache, and if they are not there, it sends them to the hosting (which may be unavailable at the moment).

    In general, the task comes down to enabling caching of all web page content (markup code, including text content), and not just static content. This can be done on the “Page Rules” tab from the top menu (see explanations in the help). Why wasn't this included in the general caching settings? I think it’s because of the great variety of sites and engines they run on. Apparently, it is not possible to ensure stability in this way. You need to act more precisely, based on the structure and specifics of each specific website. IMHO.

    With the free plan you can create only three rules for pages, but with the PRO plan you can create 20. The essence of creating a rule is quite simple. For now, let’s skip what needs to be inserted into the field with a regular expression, and let’s see what we are offered when we click on “+ Add a Setting”:

    Here you can select the Cache Level setting, where in the list of additional settings that opens you can select the last option, “Cache everything”. This way, we will force CloudFlare to cache the entire web page, and not just the static files.

    It would also be advisable to set the time that the page will be stored in the CloudFlare cache and in the browser cache of site visitors (these are two different settings). It all depends on the degree of dynamism of your site as a whole and its individual pages in particular. I am quite happy with an interval of several days of cache storage in the cloud, and I choose different browser caches (depending on the type of pages).

    To set these settings, you will need to click on the “+ Add a Setting” button a couple more times and select:

  • Browser Cache TTL - sets the cache lifetime in the browsers of your website visitors. For example, if you select one day, then a visitor who visits the same page of your site twice during the day will receive it the second time not from the Internet, but from the cache of his own browser (without changes). But if more than a day passes, the page will be requested from the Internet (from CloudFlare). For the main page of this blog, I set the Browser Cache TTL to “a couple of hours”, and for the remaining pages - from a day to two. It is possible that a better setup exists.
  • Edge cache TTL - by contrast, this is the lifetime of the cache on servers in CloudFlare data centers (around the world). If you set the same day, then all visitors to your site will see this page (or a group of pages for which you set the Edge cache TTL equal to a day) without changes, even if this page has changed on the server (for example, comments have been added to it or you changed something in the text, changed the image, etc.).

    Let me make a reservation right away that the service has the ability to force a cache reset not only for the entire site (which is not particularly recommended), but also for individual pages, and even individual static files (images, style files and scripts) when you have made changes to them and you want them to be immediately available to your site visitors.

    This is done on the “Caching” tab (from the top menu) by clicking on the “Purge Individual Files” button (to reset the entire cache you will need to click on the arrow on this button and select the lower of the two items, “Purge Everything”). In the window that opens, you need to enter the URL of the page, or of several pages (one per line), or of individual files (full path to pictures, style file, etc.):

    I use this option quite often, for example, after changing pictures, adding a comment to an article, or when changing the site design (I reset the cache for the styles file). Files whose cache you recently reset appear below - you can simply click on them to reset them again. Very convenient.

    But let's return to the rules settings for individual pages of the site - Page Rules. A little earlier, we clicked on the “Create Page Rule” button and learned how to enable full caching of the content of HTML pages, as well as limit the lifetime of the cache in visitors’ browsers and on CloudFlare servers. The result should be something like this:

    That is, we have set the caching rules we need. In the example, this is caching of all content with a cache lifespan in visitors’ browsers of 4 hours and a cache lifespan on the service servers of 2 days. The only thing left to do is to write in the first line of this pop-up window a formula by which the service will understand for which pages of your site these rules should be applied. You can read how to do this by clicking on the “Help” button at the bottom of the rules settings window.

    In my opinion, there are two ways to set rules:

  • On the Pro tariff, it is possible to register 20 rules for pages, which allows you to implement the first option: describe with formulas all types of site pages that should be cached. For my blog, this is the main page, pages with articles, pages of sections, as well as static pages like “About the blog”, etc. Naturally, we will not indicate the admin URLs here, because the cache there can interfere with work.
  • Only three rules are available in the free plan, and in some cases they may not be enough to implement the first method. The second method is to first allow caching of pages of the entire site, and then disable caching of the admin panel and login page. Three rules should be enough for this.

    How to set up full caching of site pages in CloudFlare

    Now let’s take a closer look at the practical implementation of both methods.

    Let's start with the first option of creating permissive caching rules for all (or most) pages of the site, which will need to be stored in the cache of CloudFlare servers in full (all HTML code with pictures, scripts and styles).

    If pages with articles on your site (like on my blog) end in .html, then one single rule for pages is enough to completely cache them:

    Website/*.html

    Replace my domain name with yours and everything should work. Quite simply - the * sign replaces everything that may appear between the domain name and the .html suffix.

    All that remains is to add a rule to completely cache the main page of the site:

    Website/

    Here, I think, everything is clear and without explanation. The only thing is that for the main page I chose less caching time in users’ browsers, because the content of this page changes more often than others, and it is important that it is displayed in a more or less up-to-date state.

    The caching time on the CloudFlare servers was left high, because when adding a new entry, I simply reset the cache for the main one using the method described just above. It’s very convenient, you just need to get used to doing it first.

    It’s great when all pages except the main one end in .html. For example, my categories and static pages (such as “About the blog”) do not have such an index. I didn’t have to worry too much about the categories, because I chose, as it turned out, a successful template, with the obligatory word (directory) “/category/”, so the rule for this type of page looks like this:

    Website/category/*

    Well, I had to play around with the static pages, but everything seemed to work out.

    As a result, the percentage of data sent from the CloudFlare cache was (according to the analytics built into this system) about 90%, which is very good (in fact, the load on my hosting server decreased by this amount):

    I hosted all my other small projects on a separate CloudFlare account (free). Since it was possible to create only three rules for pages on the free plan, I decided to go the opposite way - to allow full caching of the entire site, and then prohibit touching the admin pages.

    I’ll say right away that it didn’t work very well. Instead of 90% downloads from cache, in this case I got less than 50%. But nevertheless, I will give my solutions, maybe you can tell me where I went wrong. So, with the first rule I allowed everything to be cached:

    And the second (this site runs on WordPress) - for the admin pages I chose the bypass caching mode, i.e. these pages are not cached. Everything seems to be working and the speed of the blog has increased significantly, but in analytics, less than 40 percent of the traffic goes through CloudFlare (everything else comes from the hosting server). Why? It's not very clear to me. At the same time, there were no problems with working in the admin panel, which is already good.

    If you have a site on joomla, then you can bypass the admin panel in this way (probably):

    Domen.ru/admin*

    In general, see for yourself which option you choose.

    Problems suddenly arose on one of the sites connected to the free CloudFlare account (it stopped opening), so for now I simply disabled the “clouds” on the “DNS” tab from the top menu:

    After that it began to open again. I haven’t switched the NS records back to the old ones yet - maybe there will be a desire to figure out what’s what.

    What to do if a DDoS attack starts and how to repel it?

    If you connected to CloudFlare precisely because of an ongoing DDoS attack (or it started after connecting), then it will be possible to repel it or reduce its effect even on the free tariff of this service. To do this, just go to the “Overview” tab from the top menu and click on the “Quick Actions” button:

    Select “Under Attack Mode” from the drop-down list and this service will begin to actively counteract the DDoS attack.

    All users (or bots) will be delayed before contacting your hosting server by the CloudFlare service for 5 seconds, during which it will try to determine whether it is a real user (browser) or a bot.

    Real users will see this picture on their screen for 5 seconds (before opening your website page):

    It is clear that such an “incomprehensible” inscription will scare off some visitors - I observed a drop in attendance in the “Under Attack Mode” by about a quarter compared to normal operation. But it’s better to lose a quarter of visitors than 100%. Do you agree?

    In addition, on the PRO tariff (which I wrote about above), you can change the appearance of this inscription and reduce the bounce rate (for example, translate it into Russian and add a little creativity). In any case, the opportunity is wonderful.

    However, you should not leave the site in the “Under Attack Mode” longer than the time the attack is underway, because you will not only lose some visitors, but also all search engine bots will be cut off from the site, which over time will not have a great effect on traffic. Therefore, periodically disable the “Under Attack Mode” by simply clicking on the “Disable” button (on the “Overview” tab - see the screenshot above) and look at the result.

    If the site has again become unavailable (the DDoS continues), then turn “I'm Under Attack!” back on. Continue to check in this way, after two hours, whether the DDoS attack has ended, so as not to keep the site in this certainly useful but suboptimal “Under Attack” mode for too long.

    On a regular basis, I prefer to use the default mode "Medium". By the way, you can change the security mode without switching to “Under Attack Mode”. This can be done on the “Firewall” tab (from the top menu) by selecting the desired option from the drop-down menu of the button with the name of the current Security Level:

    Well, “I'm Under Attack!” can also be turned on from here.

    But in general

    So far, it seems like everything I wanted and have to say. Have a look at the “Speed” tab and see what you can use there. In general, excuse me for such a brief description of this absolutely remarkable service, but I’m tired of typing something and taking screenshots (apparently I’m not in shape today).

    In RuNet, I have not yet encountered such patronage, coupled with stunning usefulness. Therefore, I did not consider it burdensome to switch to the PRO tariff with a monthly fee of $20.

    In principle, it was possible not to do this, but it’s somehow calmer, or something...

    The fifth of 6 video lessons on the topic of site acceleration is dedicated to CloudFlare. In my opinion, it makes sense to watch them in full in order to perceive the optimization picture as a whole.

    Good luck to you! See you soon on the pages of the blog site


    I would like to talk with you about a topic that is relevant today, namely, about DDoS and methods of combating it. Ordinary administrators know what it is, but for most webmasters this abbreviation remains a mystery until they encounter this trouble from personal experience. So, DDoS is an abbreviation for Distributed Denial of Service, when thousands of infected computers send many requests to the server, which it subsequently cannot cope with. The purpose of a DDoS attack is to disrupt the normal operation of the server, and subsequently to “crash” the entire site or server.

    How to protect yourself from this? Unfortunately, there are still no universal protection measures against DDoS attacks. An integrated approach is needed here, which will include hardware, software and even organizational measures.

    Software and hardware systems from networking giant Cisco are the most effective, but you'll have to fork out a fair bit for them.

    To protect IIS servers, you can use a (software) solution from Microsoft, but knowing the generosity of this company, you can guess that they are also far from free.

    Currently, custom DDoS attacks have become a profitable and actively developing niche of online crime. By searching on Google, you can find dozens of proposals from “experts” to eliminate competitors’ websites.

    What are the basic principles for DDoS protection? First of all, there is no need to attract unnecessary attention to yourself (your website) from the radical public by publishing content that can offend the racial, national or religious feelings of any individuals.

    If you were “ordered”, or you did not listen to the previous advice, be on your guard - the hardware resources of the web server must have some performance reserve, and distributed and redundant systems must be built as efficiently as possible. Without understanding the principles of DDoS operation, it is simply impossible to build effective protection. DDoS attacks use a large number of computers infected with malicious code. These computers are united into botnets (“bot-nets” - networks of zombie machines), which, on the orders of an attacker, carry out DDoS attacks, and the owners of the computers often do not even suspect it.

    We, as a hosting company, face DDoS attacks on our clients' websites every day and have some experience in dealing with them. As mentioned above, there are simply no universal protective measures, but an attack can still be repelled. Let's assume that a certain site (let it be domain.ru) is under a DDoS attack. The logs show that a large number of GET requests go to the main page. In most of these cases, bots can be fooled by using a JavaScript redirect. For example:


    <script type="text/javascript">window.location = "http://domain.ru/index.php";</script>

    As a result, each attacking GET request sent directly to the root receives a file of only a few bytes, which is much better than when the bot comes into contact with a ~50-100kb page and at the same time pulls up ~5-10 SQL queries. Legitimate users who do not have JavaScript disabled in their browser are redirected to index.php.

    But there is one big BUT - search bots are also not equipped with js interpreters and, just like attack bots, will drown in js redirects. You can use UNIX utilities such as tcpdump or netstat to write a small script that will count the number of connections from a specific IP address and ban it.

    You can identify a bot, for example, by checking its host. A small example of a basic script for blocking IPs that create many connections to the server (this option was tested on CentOS 5.6):

    Entry in cron:

    */1 * * * * netstat -an | grep tcp | awk '{print $5}' | cut -d: -f1 | sort -n | uniq -c > /var/log/ip.list

    This command creates a list with the number of connections and the IP itself, example:

    10 209.232.223.117
    1 209.85.161.191
    2 212.113.39.162
    1 212.78.78.78
    61 213.142.213.19
    5 213.151.240.177
    1 210.169.67.225
    1 216.179.59.97

    The script itself, which can be run in screen or turned into a daemon:

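    #!/bin/bash
    # connection limit per IP address
    connects=150
    # The loop head, limit check, whitelist check and host lookup are reconstructed
    # from the variables used further down; each input line is "<count> <ip>"
    while read -r count ip
    do
        [ -n "$ip" ] || continue
        # act only on addresses that exceed the limit
        if [ "$count" -gt "$connects" ]
        then
            # skip addresses that are already in the white list
            if ! grep -qxF "$ip" /etc/white.list > /dev/null 2>&1
            then
                # look up the host name of the address
                hostname=$(host "$ip")
                # if the host name contains the word google (Google bots have this word)
                if echo "$hostname" | grep "google" > /dev/null 2>&1
                then
                    # then add it to the white list and record it in the log
                    echo "$ip" >> /etc/white.list
                    echo "$(date +%H:%M_%d-%m-%Y) $ip - ADDED TO WHITE LIST AS $hostname SEARCH BOT IP" >> /var/log/ddos_log
                else
                    # if not Google, block the address
                    route add "$ip" reject
                fi
            fi
        fi
    done < /var/log/ip.list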
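    The cron pipeline and blocking script above, reworked as an added example (not the article's own code): it counts only ESTABLISHED and SYN_RECV connections to one port, keeps IPv6 addresses whole instead of cutting them at the first colon, and honours a whitelist file. The function names, the limit of 2 and the netstat sample (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-IP connection counting for a netstat-based blocker.

# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51003      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:40000       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.200:50522       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::10:80         2001:db8::66:41000      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::66:41001      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::66:41002      SYN_RECV
EOF
}

# The article's cron pipeline, kept for comparison: it also counts LISTEN and
# TIME_WAIT lines and truncates every IPv6 peer to its first group ("2001").
naive_counts() {
    grep tcp | awk '{print $5}' | cut -d: -f1 | LC_ALL=C sort -n | uniq -c |
        awk '{print $1, $2}'
}

# count_connections PORT: reads netstat output on stdin and prints
# "<count> <ip>" for peers with live or half-open connections to PORT.
count_connections() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_RECV") {
            n = split($4, l, ":")          # local address ends in :port
            if (l[n] != port) next
            ip = $5
            sub(/:[0-9]+$/, "", ip)        # strip only the trailing :port
            sub(/^::ffff:/, "", ip)        # IPv4-mapped IPv6 -> plain IPv4
            c[ip]++
        }
        END { for (ip in c) print c[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# offenders LIMIT WHITELIST: reads "<count> <ip>" lines on stdin and prints
# the addresses above LIMIT that are not listed (one per line) in WHITELIST.
offenders() {
    limit=$1 whitelist=$2
    while read -r count ip; do
        [ -n "$ip" ] || continue
        [ "$count" -gt "$limit" ] || continue
        if [ -f "$whitelist" ] && grep -qxF -- "$ip" "$whitelist"; then
            continue
        fi
        printf '%s\n' "$ip"
    done
}

# Demo on the constructed sample: limit 2, with 203.0.113.5 whitelisted.
demo() {
    wl=$(mktemp)
    printf '%s\n' 203.0.113.5 > "$wl"
    sample_netstat | count_connections 80 | offenders 2 "$wl"
    rm -f "$wl"
}
demo
```

    The addresses printed by offenders are the ones that would be passed to route or a firewall rule. A PTR record is set by whoever controls the address, so a host name containing “google” should be confirmed with a forward lookup of that name before the address is whitelisted.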

    Let's also look at setting up Apache settings that will help avoid some of the problems caused by a DDoS attack.

    TimeOut – specify the smallest possible value for this directive (on a web server that is subject to a DDoS attack).

    KeepAliveTimeout directive – you also need to lower its value or turn it off completely.

    It is worth checking the values of the various timeout directives provided by other modules.

    The LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, LimitXMLRequestBody directives must be carefully configured to limit resource consumption caused by client requests.

    Make sure you use the AcceptFilter directive (on OSes that support it). By default, it is enabled in the Apache httpd configuration, but for it to work it may require a rebuild with new settings for the kernel of your OS (*nix, *bsd).

    Use the MaxClients directive to specify the maximum number of clients that can be simultaneously connected to the server - by decreasing the value of the directive you can reduce the load on the web server.
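    A check for the directives listed above, as an added example (not part of the original article): it scans an httpd.conf for each of them and reports values that are weak under load and directives left at the server default. The ceilings, the function names and the sample configuration are assumptions chosen for illustration; 0 meaning "no limit" for LimitRequestBody, LimitRequestFields and LimitXMLRequestBody is documented Apache behaviour.

```shell
#!/bin/sh
# Added example: audit the request-limiting directives named in the article.

# Constructed sample configuration (line numbers matter for the report).
sample_httpd_conf() {
cat <<'EOF'
# Constructed sample, Apache 2.2-style prefork settings
Timeout 300
KeepAlive On
KeepAliveTimeout 15
MaxClients 256
LimitRequestLine 8190
#LimitRequestBody 1048576
<Directory "/var/www/html">
    LimitRequestBody 0
</Directory>
EOF
}

# audit_httpd_conf: reads a configuration on stdin and prints one line per
# finding: "WEAK line N: ..." for a value above its ceiling or a limit that
# is switched off, "UNSET ..." for a directive that never appears.
audit_httpd_conf() {
    awk '
    BEGIN {
        # Hypothetical ceilings for a server under load; tune them per site.
        max["timeout"] = 60
        max["keepalivetimeout"] = 5
        max["maxclients"] = 150
        max["limitrequestbody"] = 10485760
        max["limitrequestfields"] = 100
        max["limitrequestfieldsize"] = 8190
        max["limitrequestline"] = 8190
        max["limitxmlrequestbody"] = 1000000
        # For these three directives, 0 switches the limit off entirely.
        nolimit["limitrequestbody"] = 1
        nolimit["limitrequestfields"] = 1
        nolimit["limitxmlrequestbody"] = 1
        n = split("Timeout KeepAliveTimeout MaxClients LimitRequestBody " \
                  "LimitRequestFields LimitRequestFieldSize LimitRequestLine " \
                  "LimitXMLRequestBody", names, " ")
    }
    /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
    {
        d = tolower($1)                  # directive names are case-insensitive
        if (!(d in max)) next
        seen[d] = 1
        v = $2 + 0
        if (v == 0 && (d in nolimit))
            printf "WEAK line %d: %s %s (0 disables the limit)\n", NR, $1, $2
        else if (v > max[d])
            printf "WEAK line %d: %s %s (above %d)\n", NR, $1, $2, max[d]
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(tolower(names[i]) in seen))
                printf "UNSET %s (server default applies)\n", names[i]
    }'
}

# Report for the constructed sample.
sample_httpd_conf | audit_httpd_conf
```

    On Apache 2.4 the MaxClients directive is named MaxRequestWorkers (the old name is still accepted), so add that name to the list when auditing a 2.4 configuration.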

    You can protect against DDoS at the software level. A free script, DDoS Deflate, will help you with this. With its help you can easily get rid of small-scale flooding and DDoS. The script uses the “netstat” command to detect DDoS and flooding, and then blocks the offenders’ IP addresses using the iptables or apf firewall. But you shouldn’t relax and assume that a weak DDoS cannot damage your server. Suppose, for example, that there are only 10-50 attacking zombie machines, but they all have high-bandwidth links, and you, as luck would have it, have gone on a business trip, or you have dozens (or even hundreds) of servers and physically do not have time to monitor them all. In this case, even a small number of machines can “flood” the channel or cause the Apache web server, MySQL, etc. to fail. It’s another matter when an administrator monitors the server around the clock and easily detects attacks. But this happens extremely rarely, so you need to connect an alerting system and automate the process of blocking the attacking zombie machines.

    P.S. The article was sent to me by a user. Please send questions about the article, recommendations for future articles and topics and questions of interest to him.

    Thank you for your attention!

    • Global network of traffic cleaning centers
    • Seamless integration without the need to purchase additional hardware
    • Protection against the most complex and large-scale attacks
      • How can a DDoS attack impact your organization?

        DDoS attack (Distributed-Denial-of-Service) is one of the most common types of cyber attacks. Its goal is to bring the victim enterprise's information system (for example, a website or database) to a state where legitimate users cannot access it.

        The financial and reputational losses of an organization that has suffered an attack of this type can be very large.

        Has your company done everything possible to provide effective protection against DDoS attacks?

      • Protecting your company's online operations

        Today, online transactions play an increasingly important role in an organization's daily interactions with its customers, suppliers and employees. Under these circumstances, no company can ignore the threat posed by DDoS attacks. Your company's online services, like its entire IT infrastructure, are too important to your business to be left without reliable protection.

        • Your clients are becoming more demanding
          They need constant access to products and services - which means that to ensure a high-quality customer experience, you must not allow any downtime in your online resources.
        • Your employees need stable access to key services
          Many employees are unable to perform their work tasks if any of the company's systems are taken down by a DDoS attack.
        • The attack could have far-reaching consequences
          Although an attack may be aimed at a specific element of a company's IT infrastructure, it can also affect other areas of your business. For example, an attack against a bank's internal systems could also bring down its ATM network.

      • Financial and reputational damage

        The direct financial costs of restoring systems after a DDoS attack can be quite high, and the damage caused to the company’s reputation will remain for a long time.

        Possible damage

        • Direct financial costs
          • Unfinished online sales transactions – during downtime
          • Unfulfilled bank transactions – and, as a result, possible fines
        • Damage to reputation
          • Negative publicity that discourages both existing and potential customers
          • Damage to the brand – reputation may take years to restore
      • Additional damage

        Whenever customers hear about any “security breach” (including a DDoS attack), they become worried that their confidential information, banking information and credit card numbers will be at risk. Even though these fears may be completely unfounded, the business still suffers losses as a result.

      • Scope of threats

        Unfortunately, in recent years, the costs of organizing DDoS attacks have decreased significantly, while the volume of such attacks has increased significantly.

        Therefore, businesses and government organizations need to be aware of possible threats and take proactive measures to protect against DDoS attacks.

      • Yesterday's protection will not protect you from today's threats

        The scale and complexity of DDoS attacks have increased. For companies this means the following.

        • Modern attacks are much more difficult to defend against
        • It is much more difficult to restore a business after such attacks

        Due to their scale, modern DDoS attacks very quickly paralyze the IT infrastructure of the victim company. During such an attack, requests are sent at a speed of 80–100 GB per second, thus clogging the corporate network bandwidth in a matter of seconds.

        All this means that DDoS attack prevention methods that were effective just a few years ago no longer provide adequate protection. Now companies can protect themselves from such attacks only by using special security services.

      • How DDoS attacks paralyze the work of companies

        Hackers have many ways to overload a target company's IT infrastructure to cause what is known as a "denial of service" attack. The most common types of attacks:

        • Volume attacks
          The goal of such attacks is to block a corporate Internet channel by creating a volume of traffic that significantly exceeds its capacity.
        • Attacks on applications and infrastructure
          In application attacks, attackers attempt to disable servers that host key applications, such as web servers that are critical to your company's online operations. Other infrastructure attacks may target your network equipment and/or server operating systems.
        • Hybrid attacks
          Cybercriminals can also launch sophisticated attacks that combine elements of volumetric attacks and attacks on applications and infrastructure. These attacks are especially dangerous and the most difficult to defend against.
      • Basics of DDoS Protection

        To ensure adequate business protection, you need a reliable DDoS attack prevention solution that allows you to:

        • detect a new attack as quickly as possible
          Goal: ensure business protection immediately after an attack begins.
        • eliminate the consequences of the attack as quickly as possible
          Goal: minimize any disruptions (or completely eliminate them) in business operations
      • Kaspersky Lab solution

        Kaspersky DDoS Protection is a fully integrated solution that includes everything you need to reliably protect your business from DDoS attacks:

        • Special sensor application* – for installation in your IT infrastructure
        • Access to a fault-tolerant distributed network of traffic cleaning centers
        • Advanced analytics on the latest DDoS attacks
        • Services of our Security Center
        • Extended support – including direct access to DDoS protection experts
        • Analysis and reports on the results of attacks that have taken place
        • All of these services are provided under a Service Agreement

        *The sensor application runs on a standard x86 server OS or on a virtual machine. If you need a server, one of Kaspersky Lab's partners will provide it.

      • How we protect your business

        Kaspersky DDoS Protection provides reliable protection for your business against DDoS attacks: from analyzing traffic 24x7, sending notifications about a possible attack, redirecting traffic, cleaning it and returning the “cleaned” traffic to your website, to reporting the results of the analysis of the past attack.
        Unlike systems from other manufacturers, the Kaspersky Lab solution counters DDoS attacks in two directions:

        • Special security infrastructure - a sensor application installed in your infrastructure and a distributed global traffic cleaning system owned by Kaspersky Lab
        • Kaspersky DDoS Intelligence – monitoring botnet activity for early detection of DDoS attacks
      • Sensor app

        Kaspersky Lab provides a special sensor application that is installed in your IT infrastructure and immediately begins collecting statistics and generating profiles of the use of the protected resource.

        This application monitors traffic, constantly accumulating statistics and behavioral analysis data, and continuously improves algorithms to detect even minor anomalies that may indicate the beginning of a DDoS attack.

        Because the sensor application runs on a standard x86 server or virtual machine, you do not need to purchase or maintain any additional hardware.

      • Cleaning centers

        In the event of a DDoS attack, we notify you of the incident and provide the option to redirect your traffic to Kaspersky Lab cleaning centers to ensure that only clean traffic is returned.

        Kaspersky Lab has created and maintains a distributed network of cleaning centers, which allows us to provide clients with an effective and fault-tolerant traffic cleaning system.

      • DDoS attack analysis

        Kaspersky Lab's antivirus experts use sophisticated DDoS threat monitoring techniques to ensure early detection of DDoS attacks.

        Manufacturers of traditional DDoS attack prevention systems do not have specialized departments dedicated to analyzing this type of threat, so they are not able to provide proactive protection for your company.

      • Automatic and on-demand protection

        Within KDP Connect or Connect+, DDoS attacks are repelled automatically. At the same time, experts immediately conduct a detailed study of the attack and make adjustments, taking into account the power of the DDoS attack, its type and complexity. KDP Control allows you to determine when to redirect traffic to cleaning centers to ward off a DDoS attack.

      • Selecting the optimal level of protection

        Kaspersky Lab offers three levels of solution that you can choose depending on your goals, resources and network infrastructure:

        • KDP Connect – traffic redirection by changing the DNS record in Always On mode (real-time protection), purified traffic is delivered through a proxy server, GRE tunnels or via a dedicated line.
        • KDP Connect + – traffic redirection using the BGP protocol in Always On mode (constant protection), delivery of cleared traffic is carried out through GRE tunnels or a dedicated line.
        • KDP Control – traffic redirection using the BGP protocol in On Demand mode (protection on demand), delivery of cleared traffic is carried out through GRE tunnels or a dedicated line
      • Advantages of the Kaspersky Lab solution

        Protection against the most complex DDoS attacks should not distract the specialists of your IT department and security service from solving important business problems.

        If you use Kaspersky DDoS Protection, Kaspersky Lab takes full responsibility for protecting your company from DDoS attacks.

      • Experts vs. Hackers

        Almost every DDoS attack is characterized by the following features:

        • Hackers research their target
          Attackers first assess vulnerabilities in the victim company's online services and then select the most effective tools to carry out a targeted attack.
        • Cybercriminals are adjusting their tactics
          Hackers monitor the progress of the attack and change tactics and tools used in real time to inflict maximum damage on the attacked organization.

        Since virtually every DDoS attack is managed by real people, Kaspersky Lab's DDoS defense experts also work in real time to ensure the most effective protection and minimize possible damage to your business.

      • Built-in safety device - pros and cons

        Some manufacturers offer hybrid protection that combines an integrated device and remote cleaning centers. At the same time, the company's traffic constantly passes through the built-in device, which provides a certain level of protection against small attacks, and it is proposed to redirect traffic to cleaning centers only in the event of larger-scale attacks. However, the vast majority of modern attacks are capable of clogging both the bandwidth of the built-in device and the Internet channel of the attacked organization within a few seconds. This makes the hybrid approach clearly outdated - it can result in downtime before traffic is routed to the cleanup center.

        Kaspersky DDoS Protection uses a sensor that constantly monitors your traffic without interrupting it. Once the sensor detects a potential attack, you can redirect all traffic to one of Kaspersky Lab's cleaning centers.

        The Kaspersky Lab solution does not imply the use of any built-in devices. As a result:

        • You decide whether to redirect traffic to the cleaning center
        • The number of false positives is reduced

      • Greater transparency – for a complete picture

        Although no one can prevent cybercriminals from attacking your business, Kaspersky Lab can provide a quick response to any DDoS attack, complete protection against it, and prompt elimination of the consequences. After the attack is completed, we will provide you with a detailed report, including the following data:

        • Detailed incident analysis
        • Attack duration
        • How Kaspersky DDoS Protection coped with the attack
      • Why Kaspersky Lab

        Kaspersky DDoS Protection combines three methods of protection against DDoS attacks:

        • Statistical analysis of your online traffic helps us create traffic profiles and detect any deviations from them
        • Behavioral analysis tracks the actions of your website visitors, making it possible to identify any anomalous activity
        • Expert analysis (Kaspersky DDoS Intelligence) raises the level of detection
      • All-round protection

        Some vendors provide protection against volumetric attacks, while others specialize in protection against application attacks. Kaspersky Lab effectively blocks and mitigates the consequences of all types of DDoS attacks, including:

        • Volumetric attacks
        • Application attacks
        • Infrastructure attacks on network equipment and server operating systems
        • Hybrid attacks

        Thus, no matter what attack method attackers use, Kaspersky DDoS Protection provides reliable protection for your business.

      • Unique expert knowledge (Kaspersky DDoS Intelligence)

        As modern DDoS attacks have become much more sophisticated, an analytical approach is necessary to protect against them. No other manufacturer of DDoS protection solutions has our IT security expertise or a dedicated team of specialists focused on analyzing such attacks.

        As one of the leading providers of anti-malware solutions, we can offer a unique combination of statistical analysis, behavioral analysis and expert DDoS attack analysis to provide comprehensive protection for your business.

      • Effective Threat Detection

        Some vendors may only provide general monitoring of the entire Internet channel, but Kaspersky Lab's solution can perform detailed analysis, effectively identifying even small deviations in your traffic and user behavior.

        We also use special methods that allow us to filter traffic as close as possible to the source of the attack.

      • An integrated approach to protection

        All components of the Kaspersky Lab solution for protection against DDoS attacks were developed by the company's own specialists. As a result:

        • We fully control the development cycle
        • We can respond more quickly to changes in the nature of DDoS attacks

        Our emergency response team for DDoS attacks works closely with the developers of Kaspersky Lab security solutions. This, in particular, makes it possible to quickly change software modules to ensure effective protection against new types of attacks on applications.