The internet is a lot like the Wild West: it operates on trust with very little oversight and no policing, so everyone has to look out for themselves. That makes it very easy for bad actors to anonymously disrupt a website if they want to. One of the most common and most difficult types of attack to respond to is a DDoS (Distributed Denial of Service). This type of attack isn't necessarily a security vulnerability, but it does cause a "Denial of Service" when so much traffic comes to your web server that it is no longer able to serve real visitors. The attack is "Distributed" because the traffic arrives from many different source addresses, so it looks like it is coming from random legitimate visitors (often with the help of IP address spoofing). This type of attack can come from a bored teenager or from a sophisticated criminal network with a "botnet" (thousands of hacked computers harnessed to carry out the attack at a much greater volume).
Prevention Options
Preventing a sophisticated DDoS attack outright is impossible. Because the internet is based on trust, there is no reliable way to determine which traffic is legitimate and which is fake. There are only a few options, and none of them are great.
Block Traffic
You can easily block all traffic that fits a pattern that looks suspicious, but in the process you will probably also block some legitimate traffic. For example, many DDoS attacks pretend to be search engine bots (from Google, Bing, and every other service out there). So if you block those IP addresses or bot names, you are also blocking Google's search indexing.
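One way to narrow the over-blocking described above, as an added example that is not part of the original post: instead of banning every request that merely calls itself a search engine bot, check whether the request's source address falls inside the engine's published crawler ranges, and treat only the mismatches as suspicious. The IP ranges and log lines below are constructed placeholders (the documentation/test networks), not a real engine's list; in practice you would load the vendor's published ranges.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for a search engine's published
# crawler ranges (TEST-NET-3 and the IPv6 documentation prefix, not real data).
KNOWN_CRAWLER_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",
    "2001:db8:1::/48",
)]

# User-agent tokens whose crawler claim we verify against the ranges above.
CLAIMED_BOT_TOKENS = ("Googlebot", "bingbot")

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return 'verified_bot', 'impostor_bot', 'other', or 'unparsed' for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    if not any(tok in m.group("ua") for tok in CLAIMED_BOT_TOKENS):
        return "other"            # does not claim to be a crawler; not our concern here
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return "unparsed"
    if any(addr in net for net in KNOWN_CRAWLER_RANGES):
        return "verified_bot"     # claims a crawler identity from a known range
    return "impostor_bot"         # claims a crawler identity from an unknown range

def impostor_sources(lines):
    """Map each source IP that impersonates a crawler to its request count."""
    counts = {}
    for line in lines:
        if classify(line) == "impostor_bot":
            ip = line.split(" ", 1)[0]
            counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /?q=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split(" ", 1)[0])
    print(impostor_sources(SAMPLE_LOG))
```

Blocking only the addresses returned by impostor_sources leaves the verified crawler untouched, which is the trade-off the section is weighing.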
Increase Server Power
Depending on the resources of the attacker, you can increase your server capacity so that it can absorb the extra traffic and still serve real visitors. The hope here is that your attacker will exhaust their resources before you exhaust yours. Huge companies like Google are less vulnerable to small recreational attackers, but even their services get overwhelmed sometimes. So if an attacker has the resources, they can take down even the biggest targets.
Finding the Balance
Our strategy is to try to find a balance. We want to make sure our servers can handle spikes in traffic, but at some point it becomes necessary to also block suspicious traffic. Unfortunately, that sometimes means temporarily blocking legitimate traffic, including search engine bots. But we'd rather have the majority of visitors able to access your site (even if search engines can't refresh their index) than have no one able to access it because the server is overwhelmed by the DDoS attack.
We monitor these attacks and have to continually and manually adjust our response. Often, though, the attackers keep sending small probes to our server, and as soon as they detect that we've removed our ban on their bots, they immediately start attacking again. So it's ultimately a waiting game: we have to wait until they move on to another target.
We wish there were a better way to respond, but unfortunately there is not. We can work to keep the server up and ensure that the servers remain secure. But if someone decides to attack your site, or the server your site is running on, there is only so much that the internet's protocols allow us to do.
—Trevor Tice
Owner