This is the absolute cheapest and best solution I've been able to find (I've been around the block; you can read my history at the bottom). Since I deployed this solution 3-4 months ago, we haven't gone down due to DDoS yet! Prior to this, we would go down a few times a week after the skiddies worked around our DDoS proxy to get our server URL, and at times DAILY.
If the attacks are large enough, they will likely knock any site offline; I'm talking about 100 Gbps+, at which point almost any solution, including a hardware firewall, would let your site go down. But for everyone here, this solution should be bullet-proof unless you've really attracted some skiddies with a lot of money to pay the people who own massive botnets.
I apologize for the lack of technical details; I hire people to do the work for me, but anyone with technical know-how can easily explain it to you, or you can hire them to do it for you. To disclose further, I've put my affiliate links below. If this helps you, please use my links to help me out. I'm in no way affiliated with either company, other than them providing affiliate links to their customers.
What you need:
- A great DDoS proxy - a lot of people use Cloudflare; I don't recommend them. We had them for a while, and our users would constantly complain about the errors and slow loading times from them. We are using DDoS Defend. They are cheaper, have fewer errors (none so far), and our users love the loading times. I highly recommend these guys.
- A separate VPS to set up as an email server (these guys are also very nice and helpful). The reason I give you these guys is that you can include some DDoS protection on your email IP, so if the attacker hits your email server, you at least have some protection and hopefully will be able to continue to send out emails.
- Scrub the originating headers so your web server's IP address does not show up in the email headers (again, I don't know the technical details of how to do it). This is how the attackers can get your web server's IP if you are sending out emails from your server behind the proxy without a separate server. Double-check to make sure that emails being sent out only show the VPS's IP and not your web server's.
- For those already using proxies for protection, this is the only place your IP will be leaked, which is why you need a separate server for it. When you've bought this and made the proper changes, make sure you change your web server's IP. I'd ask for a different range and see if they will swap it out for you. They may do this for free if you let them know you are protecting their network from DDoS this way.
- Obviously, in your software, you will need to route all your outgoing emails through this server.
- THERE IS ONLY ONE PROBLEM with this solution. Your emails will likely go to spam until you can warm up the IP address and have all your users mark you as NOT SPAM. We've put up notices for our users and the new users to check their spam folders when they join.
- While this is an inconvenience to your users, having the site down for 24 hours a few times a week is a bigger inconvenience to everyone.
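The "double check" step above can be automated. This is an added example, not code from the post: it parses the trace headers of a message received at an external mailbox and reports any protected origin address that still shows up. The addresses, hostnames and sample message are constructed placeholders from the documentation ranges.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Trace headers that commonly carry the submitting host's address.
HEADERS_TO_CHECK = ("Received", "X-Originating-IP", "X-Sender-IP")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ips(value):
    """Return the syntactically valid IPv4 addresses found in a header value."""
    found = []
    for cand in IPV4_RE.findall(value):
        try:
            found.append(str(ip_address(cand)))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def find_leaked_origin_ips(raw_message, protected_ips):
    """Return [(header_name, ip), ...] for every protected IP that appears in
    the trace headers. An empty list means the relay hid the origin server."""
    msg = message_from_string(raw_message)
    protected = {str(ip_address(p)) for p in protected_ips}
    leaks = []
    for name in HEADERS_TO_CHECK:
        for value in msg.get_all(name, []):
            unfolded = " ".join(value.split())  # join folded continuation lines
            for ip in extract_ips(unfolded):
                if ip in protected:
                    leaks.append((name, ip))
    return leaks


# Constructed sample: the web server (203.0.113.10, a placeholder) submitted the
# mail to the relay VPS (198.51.100.5). The second Received line is the leak
# the post warns about: the relay recorded the web server's address.
SAMPLE_LEAKY = """Received: from relay.example (relay.example [198.51.100.5])
\tby mx.recipient.example with ESMTPS; Mon, 01 Jan 2024 00:00:00 +0000
Received: from webhost.internal (unknown [203.0.113.10])
\tby relay.example (Postfix) with ESMTPA; Mon, 01 Jan 2024 00:00:00 +0000
From: noreply@example
To: user@recipient.example
Subject: Welcome

Thanks for signing up.
"""

if __name__ == "__main__":
    print(find_leaked_origin_ips(SAMPLE_LEAKY, ["203.0.113.10"]))
```

Run it against the raw source of a test message sent to a mailbox you control, since each hop adds its own Received line and only the copy that arrived externally shows what recipients can see. Any hit means the relay still needs its header handling fixed before the web server's IP is changed.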
One thing to note about DDoS Defend before I explain some of my history with these companies. These guys have been very honest, upfront, and very helpful through all this. I don't see them exaggerating attacks on your site to get you to go with a higher package. Quick ticket replies too. Some of the nicest people you'll meet on the internet. They care about their customers, which is hard to say about any of the companies I've dealt with in the past.
I've used the following DDoS "solutions":
- ServerOrigin - Worst of the worst (imo), which is why they probably merged with BlackLotus. Since the merger, I wouldn't touch either of them with a 10-foot pole. Terrible experiences with them that I won't go into since they are no longer around, but at the time I used them, they were considered one of the "top dogs". If SO's owner works with BL now... oh boy. I'll leave it at that.
- BlackLotus - These guys have great claims, but when it came down to it for us, their service slowed our site down tremendously, and the site would go down to DDoS often (no stats now; it has been years, so maybe they are better). A friend and I have both experienced them reporting these large attacks and then saying you need to upgrade your service. Funnily, they claim that when attacks are being mitigated, attackers increase their attacks (the opposite of what we've currently documented in our logs). Even funnier, when we moved away from them and still filtered out the attacks, it was far less than previously claimed (maybe a few-time fluke?). It's been years since I used them; who knows if their services are better, or even whether the integrity of their company is better.
- SharkTech - Didn't mitigate much for us. We had a lot of technical difficulties with them (*cough* they deleted our hard drives "on accident" - they did the same to a friend within days of mine *cough*). Not much more to say about them... they didn't work/filter DDoS for us, and I question their tech guys' abilities.
- CloudFlare - Best out of all my "failures". They DID work for us. They slowed us down some at peak times. They had a lot of errors that they claimed were our server's errors, when our server wasn't reporting any errors; I would mess with my hosts file to connect directly to my site when I couldn't do it through Cloudflare, to make sure my site was up (and it was), and they still claimed it was our server's problem, etc. We haven't had any of those errors/issues with DDoS Defend. In different areas of the world, they would get far more errors and slow loading speeds at times. I just think their servers are oversaturated. I like the idea that the system learns and helps everyone else, which is great due to their sheer size; i.e., someone attacks my site, they filter it, and now those rules apply to everyone else on the entire network. It just didn't work out as well as DDoS Defend has for us.