Luke Probasco, Product Marketing Manager. Reading estimate: 4 minutes
DDoS Attacks, Pantheon and You
Since the first documented DoS-style attack in 2000, DDoS attacks continue to flourish. In fact, during the Tokyo 2020 Summer Olympics, the Federal Bureau of Investigation (FBI) issued a notification warning entities to be on alert for DDoS attacks. More recently, the FBI warned of hacktivism activity, specifically leveraging DDoS attacks, in an attempt to disrupt the 2022 US elections.
Further, pro-Russian hacktivist groups are using DDoS attacks to target critical infrastructure companies with limited success by providing the tools and guidance to anyone willing to conduct attacks on behalf of their cause, the FBI said in the alert.
A DoS attack is a Denial of Service attack, where the attacker attempts to degrade or disable a service by overwhelming the resources of their target. On the web, this generally means overwhelming the capacity of web servers to serve content. Imagine somebody hitting “reload” in their browser a few thousand times a second. One of the sneaky things about DoS/DDoS attacks is that, from the outside, they can look just like organic human traffic (maybe an aggressive ad campaign or a high-traffic news story).
A DDoS attack is a Distributed Denial of Service attack, which is just a fancy way of saying that the attacker is using many different servers (or malware-infected computers) to generate the load. DDoS attacks are harder to orchestrate and also harder to mitigate.
DDoS attacks are a low effort and accessible way for hackers to try to take down your site. While the concept of a DDoS attack is nothing new, how businesses fight them today is very different than it was several years ago. Fortunately, organizations are actually in a better position than ever to prevent these attacks with tools like Advanced Global CDN (AGCDN) and a web application firewall (WAF).
Because DDoS attacks are just as prevalent today as they were decades ago, we have received many questions ranging from “How can Pantheon protect my site from an attack?” to “What happens if my sites get attacked?”
How does Pantheon mitigate this type of attack?
DoS/DDoS attacks can target different resources, and typically target one of three layers: the application, the server or the network.
The application is generally the weakest layer since it requires the most computational resources. If your application code is so slow that you can only serve a few requests per second, then it would be trivial to overwhelm it; even your bona fide users might do that!
The good news is that optimizing your website for high traffic levels (proper caching, efficient queries, adequate resources, etc.) is a good practice in general, and a step in the right direction for minimizing the possibility of application-level DoS attacks. The Pantheon platform is able, with just a little work on your side, to squeeze every last drop of performance out of your application code.
Typically, the first line of defense for DoS attack mitigation involves deploying a web application firewall (WAF) to ignore network activity matching the attacker’s pattern, often blocklisting the IP addresses of the attackers. It is impossible to predict these firewall rules in advance: an IP address might generate legitimate traffic one day and be part of a DDoS the next.
Thus, the crux of mitigating server-level attacks is being able to identify the attacker's pattern, and deploying new firewall rules ASAP. At Pantheon, our strategy is to use smart monitoring to help identify issues as well as platform-wide configuration management to deploy new firewall rules. Instead of a sea of heterogeneous, semi-isolated servers, every server in the Pantheon infrastructure is part of a cohesive system that can be managed and updated quickly.
Even with performant applications and firewall rules in place, a truly massive or clever DDoS will overload network resources. Network cards and cables will reach their physical limit for pushing bits as attack packets squeeze out legitimate requests. Large and organized DDoS attacks can generate upwards of 50GB/s in network traffic.
Under those circumstances, the only option is to work with the upstream network provider to mitigate the issue, typically in the network hardware itself. We maintain a close relationship with our upstream providers and work with them when we detect network-level issues.
How has Pantheon dealt with DoS/DDoS attacks in the past?
Any non-trivial attack will trigger alerts and notify our operations team. They will identify the issue and develop a solution.
For example, during one recent attack, the PHP worker processes for a particular site were substantially over capacity, generating a disproportionate number of 503 response codes.
It was pretty clear something out-of-the-ordinary was going on, and the ops team was able to identify the pattern of the attack and deploy a filter to block the malicious traffic.
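As an added illustration of the kind of pattern the ops team looked for (this is example code written for this article, not Pantheon's own tooling), the following Python scans constructed combined-format access-log lines for source addresses whose request volume and share of 503 responses both stand out. The log lines, thresholds and function names are assumptions; the two-threshold check is there so a normal visitor who got one 503 during the overload is not flagged.

```python
"""Flag source IPs whose request volume and 503 share look like an
application-layer DoS in a constructed access log (added example)."""
import re
from collections import defaultdict

# Constructed sample, Apache/Nginx combined-log style (not real traffic).
# 203.0.113.9 hammers one expensive search URL and gets 503s every time;
# the other addresses behave like ordinary visitors.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /search?q=x HTTP/1.1" 503 0'
     for s in range(0, 40, 5)] +
    ['198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET / HTTP/1.1" 200 5120',
     '198.51.100.4 - - [10/Oct/2023:13:55:12 +0000] "GET /about HTTP/1.1" 200 2048',
     '192.0.2.77 - - [10/Oct/2023:13:55:20 +0000] "GET /news HTTP/1.1" 503 0',
     '192.0.2.77 - - [10/Oct/2023:13:55:21 +0000] "GET /news HTTP/1.1" 200 4096']
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')


def parse_log(text):
    """Return (ip, method, path, status) tuples; lines that don't match are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return out


def flag_sources(records, min_requests=5, min_503_share=0.5):
    """Flag IPs with at least min_requests hits of which >= min_503_share were 503s.

    Both thresholds must hold: a single 503 seen by 192.0.2.77 is not enough
    on its own, so an ordinary user who reloaded once is not blocklisted.
    """
    stats = defaultdict(lambda: {"total": 0, "e503": 0})
    for ip, _method, _path, status in records:
        stats[ip]["total"] += 1
        if status == 503:
            stats[ip]["e503"] += 1
    flagged = {}
    for ip, s in stats.items():
        share = s["e503"] / s["total"]
        if s["total"] >= min_requests and share >= min_503_share:
            flagged[ip] = {"total": s["total"], "share_503": round(share, 2)}
    return flagged


if __name__ == "__main__":
    print(flag_sources(parse_log(SAMPLE_LOG)))  # {'203.0.113.9': {'total': 8, 'share_503': 1.0}}
```

The flagged addresses are what a firewall or WAF rule would then be built from; the thresholds should be tuned per site, since a busy legitimate source on an already overloaded site can also accumulate 503s.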
This customer happened to be on a basic hosting plan, but that did not change the way we were monitoring or our response time. At some level, we have to align the costs a customer generates with the revenue they produce, but from an operations perspective, a usable network is part of our platform guarantee, whether you are our biggest client or our smallest.
How Pantheon Can Help
Your content delivery network, or CDN, has an immense impact on the speed, responsiveness and availability of your digital footprint. Pantheon has partnered with Fastly to leverage their network, which delivers sub-second page loads. Pantheon provides a CDN to all customers.
For those who need control beyond Pantheon’s CDN, we offer Advanced Global CDN with WAF. With location-based blocking, redirection and IP blocklisting, the solution can be tuned per CMS, with geolocation and IP blocking configured for each site. See how businesses across all industries, like Los Angeles Tourism, Wheaton College, and O2E Brands, are improving the security of their sites with Advanced Global CDN.