How to protect a website from DDoS without a CDN?

Question

I have basic knowledge in Bash and with that knowledge I rented a remote machine in a mostly-self-managed hosting platform (DigitalOcean) and raised a LEMP environment on which I have a website.

I protect my environment with SSHguard. I applied automatic WordPress updates from the CMS CLI. I've established automatic backups of my data.

I tried to ask different people much more experienced in security then I am how to protect from DDoS (after other hardening I did), and everyone suggest me of using a CDN.

Is there really no other way?

I don't want to use a CDN because it an entire system I no desire to utilize if I don't have to.

Do I have any "non-overkill" option left?

Measures to prevent against DDoS are primarily a matter of scale, how important it is to stay online, and what type of DDoS attack you're facing. If you're running a small site that doesn't get much attention, I'd recommend taking the optimistic approach and just hope it doesn't happen to you. Use some basic steps (like keeping backups) to protect your data in the event of an overload, but if you don't know where to start, you're probably going to waste a lot of time trying to figure out how to solve a problem that may never happen to you. That, in itself, can be more costly than an attack. — nbering, Apr 02 '18 at 04:31
I've edited to clarify I already took care of automatic upgrades, backups, and basic protection of the environment, and yet I feel I'm not protected from DDoS. — Arcticooling, Apr 02 '18 at 04:40
I propose to close this question as too broad. There are many question here which discuss several aspects of the problem, like How can a Software application defend against DoS or DDoS?, What techniques do advanced firewalls use to protect againt DoS/DDoS?, How do major sites prevent DDoS? and more. — Steffen Ullrich, Apr 02 '18 at 05:30
@user9303970 Do you expect you will be the victim of a particularly strong DDoS? — forest, Apr 02 '18 at 05:52
Possible duplicate of What techniques do advanced firewalls use to protect againt DoS/DDoS? — again, Apr 02 '18 at 09:25
@forest I don't expect that but it might happen and take me by surprise. — Arcticooling, Apr 02 '18 at 10:35
Unless you think you are particularly likely to be targeted, you probably don't have to worry. I've run moderately controversial websites before that get DDoS threats from time to time and the most I've ever seen was a poorly-executed attack that subsided very quickly, so you probably have little to worry about. Running a GRE tunnel on OVH helps a good bit for all but the biggest attacks. — forest, Apr 02 '18 at 10:42
@forest much thanks. You might want to construct an answer from these data. I'll gladly accept such answer (it's good to have a link or two for GRE tunnel and OVH for an article you see fit). — Arcticooling, Apr 02 '18 at 11:25

forest · Accepted Answer · 2018-04-23T05:12:19.020

While this won't protect from particularly heavy DoS attacks, you can use a VPS service that provides protection against such attacks as part of the regular package. OVH is one such company that provides attack mitigation to all their VPSes. You can either host your site on their servers directly, or run a GRE tunnel through it, giving you the DoS-resistance of the VPS while still allowing you to have the flexibility of running your site on whatever hardware you choose. There are also services that are resellers of OVH, such as one service I used to use which has served me well.

Note that OVH is based in France, so French law applies to any traffic going through it. One other note is that OVH tends to disable TLS handshakes under particularly severe DoS conditions, which can be problematic for sites that exclusively use TLS (e.g. sites that have HSTS). And of course, it is not the only managed VPS host which provides low-cost DoS protection. There are many like it.

_{I am not affiliated with either Internetz.me or OVH.}

How to protect a website from DDoS without a CDN?

1 Answers1