{"id":3155,"date":"2022-06-27T06:32:00","date_gmt":"2022-06-27T06:32:00","guid":{"rendered":"https:\/\/www.hostinger.com\/blog\/?p=3155"},"modified":"2022-07-30T08:10:34","modified_gmt":"2022-07-30T08:10:34","slug":"how-hostinger-deals-with-ddos-attacks","status":"publish","type":"post","link":"https:\/\/www.hostinger.com\/blog\/how-hostinger-deals-with-ddos-attacks","title":{"rendered":"How Hostinger Deals With DDoS Attacks"},"content":{"rendered":"<h2 class=\"wp-block-heading\" id=\"h-how-to-recognize-a-distributed-denial-of-service-ddos-attack\"><strong>How to Recognize a Distributed Denial-of-Service (DDoS) Attack<\/strong>&nbsp;<\/h2><p>To avoid an attack, you need to know what&rsquo;s coming your way. When you spot an attempt to disrupt the regular operation of a targeted server, service, or network by overburdening it with unwanted traffic, you&rsquo;re dealing with a distributed denial-of-service (DDoS) attack.<\/p><p>A <a href=\"https:\/\/support.hostinger.com\/en\/articles\/5634639-what-is-a-ddos-attack-and-how-to-prevent-it\" target=\"_blank\" rel=\"noopener\">DDoS attack<\/a> attempts to deny access to a targeted server by generating a large amount of malicious internet traffic which overwhelms the target&rsquo;s available resources. We implement traffic filtering solutions to prevent such attacks and guarantee maximum uptime. <\/p><p>We&rsquo;re constantly improving our services and renewing our systems to stay ahead of the game. Today, we&rsquo;ll detail how we combat DDoS attacks and explain our Wanguard traffic filter setup and overall infrastructure.<\/p><h2 class=\"wp-block-heading\" id=\"h-what-does-an-attack-look-like\"><strong>What Does an Attack Look Like?<\/strong><\/h2><p>Here&rsquo;s a real-life example of a DDoS attack. 
Picture 400 Mbps of UDP traffic heading to a VPS with an available bandwidth of 100 Mbps.&nbsp;<\/p><p><em>Simple Jekyll website load time results:<\/em><br><em>Before the attack: 0.08 seconds<\/em><br><em>During an attack: 23.35 seconds (1st attempt), 30.86 seconds (2nd attempt)<\/em><\/p><p>DDoS attacks are often hard to mitigate because they usually involve whole or multiple botnets targeting you. A botnet consists of many infected systems, so fighting it on your own will, most of the time, prove useless.<\/p><h2 class=\"wp-block-heading\" id=\"h-how-we-deal-with-ddos-attacks\"><strong>How We Deal With DDoS Attacks<\/strong><\/h2><p>We have two DDoS mitigation solutions for dealing with incoming attacks in our infrastructure &ndash; <strong>remotely triggered black hole <\/strong>(RTBH) and <strong>traffic filtering<\/strong>.<\/p><p><strong>RTBH filtering<\/strong> offers a way to eliminate unwanted traffic quickly before it enters our infrastructure. While this method effectively protects our infrastructure as a service provider, it prevents all traffic from hitting us &ndash; not something our clients prefer. Eventually, their websites and VPSs become completely unreachable. As a result, the attackers achieve their goals.<\/p><p><strong>Traffic filtering<\/strong> is the next-level DDoS protection for our services. It only stops the malicious traffic instead of dropping all of it. Malicious traffic is identified by examining the packets flowing through our infrastructure. 
The following traffic elements are inspected for specific patterns:&nbsp;<\/p><ul class=\"wp-block-list\"><li>packet payload<\/li><li>source port<\/li><li>source IP<\/li><li>destination port<\/li><li>country<\/li><li>and more<\/li><\/ul><p>This filtering process is done on our infrastructure before the traffic reaches our services, so our clients have nothing to worry about.<\/p><h2 class=\"wp-block-heading\" id=\"h-traffic-filtering\"><strong>Traffic Filtering<\/strong><\/h2><h3 class=\"wp-block-heading\"><strong>Setup<\/strong><\/h3><p>We have implemented <strong>out-of-line filtering <\/strong>for our setup. Since we rarely experience powerful DDoS attacks, <strong>in-line filtering<\/strong> would be impractical and not cost-effective &ndash; we have the <strong>RTBH method <\/strong>to combat them instead.&nbsp;<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/filtering-setup-topology.png\"><img decoding=\"async\" width=\"1071\" height=\"372\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/filtering-setup-topology.png\/public\" alt=\"Simplified filtering setup topology.\" class=\"wp-image-3352\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/filtering-setup-topology.png\/w=1071,fit=scale-down 1071w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/filtering-setup-topology.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/filtering-setup-topology.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/filtering-setup-topology.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 1071px) 100vw, 1071px\" \/><\/a><figcaption>Simplified filtering 
setup topology<\/figcaption><\/figure><\/div><p>Our setup involves filter instances connected to <strong>spine switches<\/strong> through which diverted traffic flows. We use sFlows, which are sent from spine instances to the filter instance, to investigate and divert traffic if needed. Clean traffic is forwarded to leaf switches, while malicious traffic is dropped at the filter instance. It&rsquo;s important to note that the <strong>traffic diversion<\/strong> and <strong>filtering processes<\/strong> are <strong>fully automated<\/strong>.&nbsp;<\/p><p>If any destination host experiences a traffic spike above our set thresholds, we advertise that IP address to the spines using <strong>ExaBGP. <\/strong>When the traffic arrives at a filter instance, we examine the incoming packets to identify the attack pattern. Once complete, new rules are added to the firewall, preventing malicious traffic from reaching its destination.<\/p><h3 class=\"wp-block-heading\"><strong>Hardware<\/strong><\/h3><p>The main elements that the filter server depends on are the CPU and NIC. 
After some testing and research, we decided to go with the following:<\/p><p><em>CPU: Intel(R) Xeon(R) Silver 4215R @ 3.2 GHz<\/em><br><em>NIC: Intel XL710 (40G)<\/em><\/p><p>During a DDoS attack with <strong>~1.5 Mpps<\/strong> and <strong>8 Gbps<\/strong> of traffic, the CPU usage looks like this:<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\"><img decoding=\"async\" width=\"1838\" height=\"660\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\/public\" alt=\"A graph of CPU usage of 8 Gbps of traffic, with the maximum usage of 24.2%.\" class=\"wp-image-3359\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\/w=1838,fit=scale-down 1838w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/cpu-usage.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1838px) 100vw, 1838px\" \/><\/a><\/figure><\/div><h3 class=\"wp-block-heading\"><strong>Automation<\/strong><\/h3><p>It would be tough to manage multiple filter instances across all data centers manually. As a result, the whole solution is fully automated, from attack detection to threshold settings. Currently, we use Chef and Ansible for our infrastructure as code (IaC). 
Changing thresholds or other settings for all instances at once is as easy as changing a few lines of the code.<\/p><h3 class=\"wp-block-heading\"><strong>Configuration<\/strong><\/h3><p>Here&rsquo;s a sneak peek at our configuration:<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/hostinger-machine.png\"><img decoding=\"async\" width=\"573\" height=\"163\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/hostinger-machine.png\/public\" alt=\"Hostinger code configuration for hostinger-machine\" class=\"wp-image-3360\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/hostinger-machine.png\/w=573,fit=scale-down 573w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/hostinger-machine.png\/w=300,fit=scale-down 300w\" sizes=\"(max-width: 573px) 100vw, 573px\" \/><\/a><\/figure><\/div><p>Our instance must be able to route packets between interfaces, so forwarding is enabled for both IPv4 and IPv6. Since we don&rsquo;t have any routes via interfaces used for traffic diversion, we must disable reverse path filtering or set it to &ldquo;loose mode&rdquo; &ndash; as we have done &ndash; so the packets coming via those interfaces don&rsquo;t get dropped.<\/p><p>We have increased the maximum number of packets in one NAPI poll cycle (net.core.netdev_budget) to 1000. 
As we prefer throughput over latency in this case, we&rsquo;ve set our ring buffers to the maximum.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/ethtool.png\"><img decoding=\"async\" width=\"397\" height=\"225\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/ethtool.png\/public\" alt=\"Hostinger ring parameters configuration with the ring buffers set to 4096.\" class=\"wp-image-3351\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/ethtool.png\/w=397,fit=scale-down 397w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/ethtool.png\/w=300,fit=scale-down 300w\" sizes=\"(max-width: 397px) 100vw, 397px\" \/><\/a><\/figure><\/div><p>We&rsquo;ve been running this solution for six months and can see that these small changes are enough to handle any attacks of the anticipated scales. We didn&rsquo;t go deeper into tuning the system as the default values are reasonable and don&rsquo;t cause any problems.<\/p><p>Next, we have actions. An <strong>action<\/strong> is triggered when an attack is detected or finished. 
We use it to divert traffic (route announcement via ExaBGP), inform our monitoring team about the attack (a Slack message from the instance), and more.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/action.png\"><img decoding=\"async\" width=\"733\" height=\"222\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/action.png\/public\" alt=\"Code configuration for actions when an attack is detected or finished.\" class=\"wp-image-3353\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/action.png\/w=733,fit=scale-down 733w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/action.png\/w=300,fit=scale-down 300w\" sizes=\"(max-width: 733px) 100vw, 733px\" \/><\/a><\/figure><\/div><p><strong>Thresholds <\/strong>are also managed as code, providing numerous options for detecting an attack. For example, if we detect 100K UDP packets per second aimed at a single target, we start the filtering process. 
It can also be TCP traffic, HTTP\/HTTPS requests, and so on.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/thresholds.png\"><img decoding=\"async\" width=\"407\" height=\"222\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/thresholds.png\/public\" alt=\"Hostinger configuration for the threshold to detect an attack.\" class=\"wp-image-3347\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/thresholds.png\/w=407,fit=scale-down 407w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/thresholds.png\/w=300,fit=scale-down 300w\" sizes=\"(max-width: 407px) 100vw, 407px\" \/><\/a><\/figure><\/div><p>The prefixes that should be under protection are also added automatically from Chef data bags.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/prefixes.png\"><img decoding=\"async\" width=\"475\" height=\"81\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/prefixes.png\/public\" alt=\"Hostinger code configuration for prefixes that should be under protection.\" class=\"wp-image-3350\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/prefixes.png\/w=475,fit=scale-down 475w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/prefixes.png\/w=300,fit=scale-down 300w\" sizes=\"(max-width: 475px) 100vw, 475px\" \/><\/a><\/figure><\/div><h3 class=\"wp-block-heading\"><strong>Results<\/strong><\/h3><p>What does the handling of a DDoS attack look like on Grafana? 
Let&rsquo;s look at a recent attack with <strong>8 Gbps <\/strong>and <strong>1 Mpps <\/strong>of traffic below.<\/p><p>Here&rsquo;s the traffic <strong>incoming <\/strong>to the filter instance:<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\"><img decoding=\"async\" width=\"1835\" height=\"670\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\/public\" alt=\"A graph that shows an attack with 8 Gbps and 1 Mpps of traffic coming into the filter instance.\" class=\"wp-image-3358\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\/w=1835,fit=scale-down 1835w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-traffic.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1835px) 100vw, 1835px\" \/><\/a><\/figure><\/div><p>And here&rsquo;s the traffic <strong>outgoing <\/strong>to the end device:<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\"><img decoding=\"async\" width=\"1836\" height=\"641\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\/public\" alt=\"A graph that shows no traffic going to the end 
device.\" class=\"wp-image-3355\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\/w=1836,fit=scale-down 1836w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-traffic.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1836px) 100vw, 1836px\" \/><\/a><\/figure><\/div><p><strong>Incoming<\/strong> packets per second:<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\"><img decoding=\"async\" width=\"1844\" height=\"670\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\/public\" alt=\"A graph that shows incoming packets per second.\" class=\"wp-image-3349\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\/w=1844,fit=scale-down 1844w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\/w=768,fit=scale-down 768w, 
https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/incoming-packet.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1844px) 100vw, 1844px\" \/><\/a><\/figure><\/div><p><strong>Outgoing<\/strong> packets per second:<\/p><figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\"><img decoding=\"async\" width=\"1838\" height=\"639\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\/public\" alt=\"A graph that shows outgoing packets per second.\" class=\"wp-image-3354\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\/w=1838,fit=scale-down 1838w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/outgoing-packet.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1838px) 100vw, 1838px\" \/><\/a><\/figure><p>As you can see, there is a short burst of traffic going from the filtering instance to the end device. It is the gap caused by the attack pattern identification process. It&rsquo;s a short amount of time, usually between <strong>1 and 10 seconds<\/strong>, but it&rsquo;s something to be aware of. As seen on the graph, once the attack pattern is identified, you&rsquo;re safe!<\/p><p>What about the speed of attack detection? 
This part depends on <strong>sFlows,<\/strong> and, as we know, it&rsquo;s not as fast as port mirroring. That said, it&rsquo;s easy to set up, flexible, and costs less. Once an attack starts, the time to divert the traffic to the filter instance takes between <strong>20 and 50 seconds<\/strong>.<\/p><p>This is how the whole process looks from the target instance:<\/p><p><strong>Traffic<\/strong><\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\"><img decoding=\"async\" width=\"1828\" height=\"753\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/public\" alt=\"A graph that shows a short traffic spike during an attack detection.\" class=\"wp-image-3357\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=1828,fit=scale-down 1828w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1828px) 100vw, 1828px\" \/><\/a><\/figure><\/div><p><strong>Packets per second<\/strong><\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\"><img decoding=\"async\" width=\"1828\" height=\"753\" 
src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/public\" alt=\"A graph that shows a short packet spike during an attack detection.\" class=\"wp-image-3357\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=1828,fit=scale-down 1828w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/traffic.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1828px) 100vw, 1828px\" \/><\/a><\/figure><\/div><p>There&rsquo;s a short spike and we&rsquo;re back to business as usual. Depending on the service you&rsquo;re running, you may not even notice it.<\/p><p>At Hostinger, we like to know what is happening in our infrastructure, so let&rsquo;s investigate this case a little bit further:<\/p><p><strong>Attack source<\/strong>. We noticed an increase in IPv4 traffic from a few countries, with India and Taiwan contributing the most. There is a high possibility that those IPs were spoofed, so this information may be inaccurate. 
We have the list of source addresses and ASNs but won&rsquo;t publish it here for the same reason (spoofing).<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/blog\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\"><img decoding=\"async\" width=\"1838\" height=\"622\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\/public\" alt=\"A graph that shows UDP traffic during an attack.\" class=\"wp-image-3348\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\/w=1838,fit=scale-down 1838w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-source.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1838px) 100vw, 1838px\" \/><\/a><\/figure><\/div><p><strong>Attack protocol<\/strong>. 
This attack was mainly based on UDP as we didn&rsquo;t see any unusual increases on the TCP graph.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1825\" height=\"741\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-protocol.png\/public\" alt=\"A graph that shows IPv4 traffic by country.\" class=\"wp-image-3356\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-protocol.png\/w=1825,fit=scale-down 1825w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-protocol.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-protocol.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-protocol.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-protocol.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1825px) 100vw, 1825px\" \/><\/figure><\/div><p><strong>Attack type. <\/strong>It generated a large amount of traffic to random UDP ports. 
A few of them are seen on the graph below:<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1837\" height=\"756\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-type.png\/public\" alt=\"A graph that shows packets by UDP ports.\" class=\"wp-image-3361\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-type.png\/w=1837,fit=scale-down 1837w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-type.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-type.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-type.png\/w=768,fit=scale-down 768w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/4\/2022\/06\/attack-type.png\/w=1536,fit=scale-down 1536w\" sizes=\"(max-width: 1837px) 100vw, 1837px\" \/><\/figure><\/div><h2 class=\"wp-block-heading\" id=\"h-summary\"><strong>Summary<\/strong><\/h2><p>RTBH, as DDoS protection, is effective but eventually causes downtime. After implementing the traffic filtering solution in our infrastructure, we only drop malicious traffic instead of all of it. We&rsquo;ve noticed that RTBH usage has decreased by <strong>90&ndash;95%<\/strong>, resulting in a better uptime for our services and clients.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to Recognize a Distributed Denial-of-Service (DDoS) Attack&nbsp;<\/p>\n<p>To avoid an attack, you need to know what\u2019s coming your way. 
When you spot an attempt to disrupt the regula\u2026<\/p>\n","protected":false},"author":368,"featured_media":3567,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[171,82],"tags":[2400,2401,264,2307],"hashtags":[],"class_list":["post-3155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-engineering","tag-ddos","tag-ddos-attack","tag-hostinger","tag-technology"],"hreflangs":[],"_links":{"self":[{"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/posts\/3155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/users\/368"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/comments?post=3155"}],"version-history":[{"count":9,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/posts\/3155\/revisions"}],"predecessor-version":[{"id":3572,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/posts\/3155\/revisions\/3572"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/media\/3567"}],"wp:attachment":[{"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/media?parent=3155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/categories?post=3155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/tags?post=3155"},{"taxonomy":"hashtags","embeddable":true,"href":"https:\/\/www.hostinger.com\/blog\/wp-json\/wp\/v2\/hashtags?post=3155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}