When our monitoring systems detect an incoming DDoS attack (Distributed Denial of Service) of multiple Gbit/sec, we will be forced to automatically 'nullroute' your address. This will not happen with a DoS attack (Denial of Service), because in that case we simply block / nullroute the traffic of the attacker. Attacks of up to several Gbit/sec will be filtered so that the traffic does not reach the VPS.
Filtering does have limits, and when they are reached we are forced to nullroute the IP address the attack is directed at. With a nullroute, the IP address is routed to a non-existent target/route, which causes the data packets for that IP to be dropped, as they can no longer find a destination.
This means that while your IP address is nullrouted, it will not be reachable from the outside. This is of course very unfortunate for 'legitimate' visitors, because they cannot visit the websites and services on that IP address.
What can you do yourself to prevent or mitigate the impact of a DDoS attack?
- Run (popular) websites from behind a solution such as 'Cloudflare'. This will mask the actual IP address of the website through the nameservers of Cloudflare which makes it harder to attack your server. It does not offer a 100% guarantee, because a smart attacker can find the IP address through other means. You should always place the subdomains behind Cloudflare as well, otherwise a 'dig' on a subdomain will still return the IP address of the VPS.
Please note: when hiding your websites behind Cloudflare, it is recommended to also start using a new VPS if you have already been the victim of a DDoS attack, as otherwise your website's IP address will still be known by the attacking party.
- Don't run your websites on the same IP address as the server itself. If you run all services on the default VPS IP and that address is nullrouted, you can't reach the server through IPv4, only through an IPv6 connection.
- For applications / services that have a higher chance of being targeted by malicious attackers, for example Minecraft servers, IRC servers and TeamSpeak servers, it's best practice to run those services on a separate IPv4 address.
- Don't run too many websites on one IP address. While this is technically not a problem, every additional website on the IP address increases the possibility of a DDoS attack. Spreading websites over several addresses is also best practice because it limits the (blacklisting) impact when, for example, a website on the server is hacked and abused for sending spam.
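
To check the Cloudflare advice above for your own domain, the following added example (not part of the original article) reports every hostname that still resolves to the VPS's own address, which is what a 'dig' on an unprotected subdomain would show. The hostnames, addresses (documentation ranges) and function names are constructed for illustration; pass your own hostnames and VPS addresses, and leave out the `resolve` argument to query live DNS.

```python
import ipaddress
import socket


def system_resolve(hostname):
    """Return the A/AAAA addresses the local resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []  # NXDOMAIN or no address records: nothing is exposed
    return sorted({info[4][0] for info in infos})


def find_origin_leaks(hostnames, origin_networks, resolve=system_resolve):
    """Map each hostname to the resolved addresses inside the VPS's own ranges."""
    # Accept single addresses ("192.0.2.10") as well as prefixes ("2001:db8:1::/64").
    origins = [ipaddress.ip_network(n, strict=False) for n in origin_networks]
    leaks = {}
    for host in hostnames:
        exposed = []
        for text in resolve(host):
            # Parsing normalises IPv6 spelling, so expanded and compressed forms match.
            addr = ipaddress.ip_address(text.split("%")[0])  # drop any zone id
            if any(addr.version == net.version and addr in net for net in origins):
                exposed.append(str(addr))
        if exposed:
            leaks[host] = exposed
    return leaks


# Constructed sample data: 203.0.113.x stands in for the proxy's addresses,
# 192.0.2.10 and 2001:db8:1::/64 for the VPS itself.
CONSTRUCTED_DNS = {
    "example.com": ["203.0.113.5"],
    "www.example.com": ["203.0.113.5", "203.0.113.6"],
    "mail.example.com": ["192.0.2.10"],
    "ftp.example.com": ["203.0.113.5", "2001:0db8:0001:0000:0000:0000:0000:0010"],
}


def constructed_resolve(hostname):
    """Offline stand-in for system_resolve, backed by the sample table."""
    return CONSTRUCTED_DNS.get(hostname, [])


if __name__ == "__main__":
    names = list(CONSTRUCTED_DNS) + ["old.example.com"]
    origin = ["192.0.2.10", "2001:db8:1::/64"]
    for host, addrs in find_origin_leaks(names, origin, constructed_resolve).items():
        print(f"{host} still exposes the VPS address: {', '.join(addrs)}")
```

Any hostname this reports should be moved behind the proxy or onto a separate IP address.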