Don’t stop here! Important next steps

Don’t wait until you have been attacked! All of the services listed below will work quickly to help you recover during or after an attack, but you can protect yourself now, before any attack happens! This can reduce costs by lowering your bandwidth usage and keeping you online during an attack. Once you’ve been hit, it can take up to three days for the internet to ‘find’ you at your new, protected address – so in almost every case, it’s much better to be prepared and get started now.

1. Secure Hosting Providers require you to move your website completely to their servers – you’re changing hosting providers. Many of them can help you through this. The benefits of this include the hosted solution often providing many other protection features in addition to DDoS mitigation; the downside can be cost (depending on what you currently pay) and control – you need to be able to trust your domain host, as they have a lot of control over your website.

Pros:

  • Provides one central service for most, if not all, your website needs
  • Provides protection services for DDoS, hacking and spam attacks
  • Often includes many secondary services and consulting, and even limited legal defense in some cases
  • Full support teams are often on staff to help

Cons:

  • You must host your website with the service
  • You must trust the service to manage your site and defend your rights
  • These services are often much more expensive (but you don’t have to pay other hosting / DNS services anymore!)

2. DDoS Mitigation services let you continue hosting your site wherever it is, and just change how others on the internet find and access it – this is generally much easier to set up. These services have servers around the world that, essentially, get out in front of your website and absorb or ignore malicious traffic. They ‘mirror’ and serve constantly-updated copies of your site. These services are easy to set up and you maintain complete control of your website and hosting setup. One challenge with proxied services is that very complex websites can sometimes experience problems with non-admin user logins and complex interactive/javascript area. Please discuss these with your webmaster and the proxy service as most can be resolved.

Pros:

  • Lower cost (often with a free level)
  • Quick and easy to set up
  • You don’t have to change your existing website host
  • You can change or quit the service at any time

Cons:

  • Fewer support options
  • Focused primarily on just mitigating DDoS attacks – does not necessarily include help with malware or spammers.
  • SSL (encrypted) traffic will be briefly decrypted and re-encrypted by the proxy server to pass it from their proxy to your server.

3. Choose a specific provider – for any service, you must be comfortable with the provider. This relates to trust, but also understanding their business model: Is it fee-for-service? If there’s a free version, does it receive less support than a paid alternative? Is it funded by governments? It is best to cover as much detail up front as possible to avoid surprises down the road.

 

For all services ask yourself the following questions:

  • How is the company/organization structured and sustained? What types of vetting or reporting are they required to do, if any?
  • Consider what country/countries they have a legal presence in and which they would be required to comply with law enforcement and other legal requests
  • What logs are created, and for how long are they available?
  • Are there restrictions regarding the type of content the service will host/proxy, and could they have an impact on your site?
  • Are there restrictions on the countries where they can provide service?
  • Do they accept a form of payment you can use? Can you afford their service?
  • Secure communications – you should be able to log in securely and communicate with the service provider privately.
  • Is there an option for two-factor authentication, to improve the security of administrator access? This or related secure access policies can help reduce the threat of other forms of attacks against your website.
  • What type of ongoing support will you have access to? Is there an additional cost for support, and/or will you receive sufficient support if you are using a ‘free’ tier?
  • Can you ‘test-drive’ your website before you move over via a staging site?

Questions for secure hosting services

  • Do they offer full support in moving your site over to their service?
  • Are the services equal to or better than your current host, at least for the tools/services you use? Top things to check are:
    • Management dashboards like cPanel
    • Email accounts (how many, quotas, access via SMTP, IMAP)
    • Databases (how many, types, access)
    • Remote access via SFTP/SSH
    • Support for the programming language (PHP, Perl, Ruby, cgi-bin access…) or CMS (Drupal, Joomla, WordPress…) that your site uses

Questions for DDoS Mitigation services:

  • If you use SSL (also known as HTTPS or secure web traffic), ask how they manage SSL. In some configurations, it may be easiest to share your private SSL key. If you do so, you need to have a high level of trust in the service provider, as they can ‘impersonate’ your site (indeed, this is what you are asking them to do by providing a proxy!)
  • Ask about how administration /editorial logins and pages are managed
  • Talk about any interactive parts of your website (users who log in, comment, admin/editorial needs, complex interactive pages/javascript/animations) – different proxy services manage these differently; you will need to test these before switching completely.

Specific Mitigation Services

Specific services are listed here with extensive notes. Please note that the list provided is not a complete listing of services; there are many more. However, these services all represent good starting points, as they have been used by other members in the independent media / human rights / free speech communities. For immediate coverage, here are options: