How to Stop a DDoS Attack in Its Tracks (Case Study)

By | April 11, 2019

In our last contextual analysis, we demonstrated to you how we tidied up a negative SEO assault on Kinsta. Today we are going to demonstrate to you a few stages and investigating we took to stop a DDoS assault on a little WordPress online business webpage. DDoS assaults can appear unexpectedly and littler destinations are typically much increasingly powerless, as they aren’t set up to arrangement with it when it occurs. Give us a chance to make this inquiry. On the off chance that your site was assaulted tomorrow, what might you do? On the off chance that you don’t have any thoughts, at that point maybe you should bookmark and read this article.

What is a DDoS Attack?

DDoS is short for disseminated forswearing of administration. The main role of a DDoS assault is to just overpower your web server and either cripple it or bring it down. One of the disappointing things with these kinds of assault is commonly the assailant doesn’t pick up anything and regularly nothing is hacked. The huge issue with DDoS assaults is with the mind-boggling load related with it. In all probability you will likewise observe your transmission capacity spike to an inconceivable sum, and this could cost you hundreds or even a huge number of dollars. On the off chance that you are on a less expensive or shared host, this can without much of a stretch outcome in a suspension of your record.

On October 21, 2016, the biggest DDoS assault (DNS related) in history happened, cutting down extensive organizations, for example, PayPal, Spotify, Twitter, Reddit, and eBay. Some even considered it the DNS Doomsday of the web. As the web keeps on developing it’s not astounding that DDoS assaults are on the ascent at a disturbing rate. Truth be told, as per information gave from easyDNS, DDoS assaults after some time are deteriorating. For a great deal of locales, it may very well involve time until you are hit.

Did you realize that 83% of WordPress locales are defenseless against programmer assaults?

WordPress destinations facilitated by Kinsta are consequently verified. We use firewalls, screen destinations uptime, and relieve any assaults day in and day out. In the event that your site is hacked, we’ll fix it for nothing!


DDoS assaults after some time

DDoS assaults after some time

As indicated by a report from @Link11GmbH, DDoS assault volume rose half in Q2 2018! 😨


Here at Kinsta, we’re commonly ready to battle off a bigger number of assaults than less expensive hosts, essentially in view of extra security safety measures we have set up. Yet, we additionally prescribe using organizations out there that have substantial frameworks and programming constructed explicitly to upset off DDoS assaults. We will dependably be supporters of giving the specialists a chance to do what they are best at. Cloudflare and Sucuri are two we suggest for WordPress clients or any kind of stage. Putting resources into fair DDoS assurance can spare you time, cash, and dissatisfaction not far off.

Ceasing a DDoS Attack on a Small EDD Site

For this situation examine, we had a little WordPress internet business website which was running Easy Digital Downloads. The site commonly just produced between 30-40 MB daily in data transfer capacity and a few hundred guests for every day. Back in June, it began utilizing a great deal of transmission capacity out of nowhere, without Google Analytics appearing extra traffic. The site right away went to between 15-19 GB of information exchange multi day! That is an expansion of 4650%. Not great. Also, it’s unquestionably not only a little increment in bot traffic. Fortunately, the proprietor had the capacity to rapidly recognize this in Kinsta’s Analytics.

High transmission capacity use on WordPress site

High transmission capacity use on WordPress site

Subsequent to seeing the expansion, it involved checking the server logs to research what was occurring. These kinds of things can without much of a stretch turn crazy. The previous 7 days demonstrated that the site’s/account/page had been mentioned multiple times and delivered a sum of 66 GB of traffic. That is from a site that ordinarily produces somewhat more than 1 GB of absolute information in a whole month. So in a split second we realized something was up.

Examining the main 10 customer IPS throughout the previous 7 days to the site immediately demonstrated some suspicious movement. A dominant part of them had more than 10,000 solicitations, and there were many. Keep in mind, this is a little site which just ought to get a few thousand solicitations all out every month.

Top 10 customer IPs

Top 10 customer IPs (shut out for security purposes)

You can generally depend on Google to furnish you with information. Entering in two or three the top IPs into inquiry, we could undoubtedly observe that the greater part of them were all intermediary addresses, which means somebody was in all likelihood needing to conceal their traffic.

Intermediary IP

Intermediary IP

Changing URLs

The absolute first thing we did was really change the/account/page URL to something else. This is dependably a decent first measure. Be that as it may, this just halted the assault for a brief timeframe, until they found the new URL. Keep in mind, since this is a web based business website, it must have an open record page. Clearly on a blog alone, changing the WordPress login URL and concealing it totally will stop a ton of these sorts of assaults, yet that wouldn’t work for this situation. We call it WordPress Security by haziness.

Hacking or Brute-Force Attempts?

Something else you can affirm in these circumstances is that is anything but a hacking endeavor, which for this situation it wasn’t. WP Security Audit Log is an extraordinary module to rapidly screen and check whether there are any invalid login endeavors on a page. You can likewise check your logs to check whether there are any POST activities occurring in a vast amount. This seemed, by all accounts, to be a great DDoS assault in which they basically send a cluster of traffic to one segment of the site to attempt and overpower it.

IP Blocking

In the event that you are running individually server, the subsequent stage would likely be to introduce an IP blocking or firewall module, for example, WordFence. Nonetheless, much the same as most other oversaw WordPress has, we don’t permit modules like that here at Kinsta. For several reasons. Above all else, they can hugy affect your execution, particularly the filtering abilities. Second, we use load balancers with Google Cloud Platform, which implies a ton of time their IP blocking usefulness wouldn’t function as expected.

In this way, we fabricated our own apparatus. You can now effectively square IP tends to physically utilizing the IP Deny instrument in the MyKinsta dashboard. Or then again you can generally contact our help group as we likewise support geoblocking.

IP Deny instrument

IP Deny instrument

In any case, contingent on the length and size of the assault, this could be an endless procedure of boycotting IPs, which by and large doesn’t take care of the issue quick enough. A ton of DDoS assaults when obstructed in one region, will basically spring up in another, or change IPs and intermediary addresses. So in this example, it bodes well to exploit a DDoS arrangement which could help mechanize the procedure with their effectively inherent standards assembled from years worth of information.

Moving the Site to Cloudflare Didn’t Help

A ton of times Cloudflare completes a not too bad employment of halting some essential bot traffic, yet with regards to the free arrangement, their DDoS insurance isn’t the best. Truth be told, we moved the site to Cloudflare and it brought about considerably progressively suspicious traffic hitting the site. Despite the fact that we think this was basically because of the assault expanding their endeavors. As observed underneath it was coming to the heart of the matter of very nearly 50,000 solicitations for each hour. Their CDN parcel works incredible, yet in the event that you need more, you will no doubt need to pay.

Cloudflare demands

Cloudflare demands

We at that point executed “Rate restricting” on the site. Rate constraining enables you to make rules based traffic coordinating a URL and afterward square/restrain it dependent on action. This can be empowered on the free arrangement, and expenses $0.05 per 10,000 solicitations. Be that as it may, at the rate we were seeing solicitations, it would have been around 36 million solicitations for every month, which would have cost $180 per month without anyone else’s input. So clearly, that was not an answer that was fixing the issue. What’s more, indeed, we tried a wide range of example rules.

IP rate restricting

IP rate restricting

Note: Rate Limiting is charged dependent on the quantity of good (not blocked) demands that coordinate your characterized standards over the entirety of your sites. Be that as it may, for this situation, it wasn’t working.

The subsequent stage, which we knew was at that point coming, was to investigate a real web application firewall. Numerous clients don’t understand this, yet Cloudflare’s free arrangement does exclude this. What’s more, this is nearly required to stop DDoS assaults these days. So the following alternative is move up to Cloudflare’s ace arrangement at $20/month. Notwithstanding, this is the place you should take some time and look at other outsider arrangements.

Free isn’t in every case better, regardless of whether it is for DDoS assurance or #WordPress facilitating. ?


Contrasting Cloudflare with Sucuri

As we would like to think, two of the best arrangements out there right now for web application firewalls that are anything but difficult to actualize for a webpage is Cloudflare and Sucuri. Note: We aren’t associated with both of these organizations. Nonetheless, on the off chance that you truly investigate these you will see that Sucuri is maybe a vastly improved value for your money. How about we investigate, they both have $20/month plans.


With Cloudflare’s Pro arrangement you just get Advanced DDoS Protection at Layers 3 and 4 (read increasingly about layer 3 and 4 DDoS assaults). This will help to consequently stop TCP SYN, UDP and ICMP assaults on their edge servers, so they never achieve your beginning server. To get layer 7 assurance you need to move up to the $200/month plan. Keep in mind, this is a little online business webpage, so $200/month would be very exorbitant, over their facilitating expenses.


With Sucuri’s $20/month plan, you get Advanced DDoS Protection at layers 3 and 4, alongside layer 7. This serves to naturally recognize abrupt changes in rush hour gridlock and ensures against POST floods and DNS-based assaults, so they never achieve your starting point server. So directly off the bat, you are likely going to see better DDoS alleviation with Sucuri. Furthermore, for this situation, we needed layer 7 for HTTP flood assaults.

A HTTP flood assault is a sort of Layer 7 application assault that uses the st

Leave a Reply

Your email address will not be published. Required fields are marked *