I last wrote on the topic of DDoS (Distributed Denial of Service) when I highlighted some lessons that small- and mid-sized businesses can learn from the recent WikiLeaks-inspired DDoS attacks. I stated my personal belief that such denial of service attacks are defensible, assuming there is advance preparation and a budget to draw on for the unavoidable bandwidth and mitigation costs.
While I won't be able to detail the various methods and technical setup, I will instead present an overview of the existing options available to SMBs on the DDoS front.
Design with Scalability in Mind
The rapid advancement of computing hardware means that a standard server can serve a lot more users today compared to just a few years ago. The sheer weight behind a DDoS, however, means that even the most well-tuned single-server setup is unlikely to stay in the running against a full-fledged network assault.
One tip to get started is to design your CMS around session data that is stored within a database for versatile load balancing; it also makes sense to separate database systems from front-end Web servers. While the above steps won't offer specific protection from DDoS, the right architecture does go a long way in restoring service when faced with one, while making it easy to scale your organization's website as it grows
SMBs with a larger budget and a desire to keep things in-house can consider a hardware load-balancer to help spread the load across a few Web servers. So while your SMB might be starting small today, it is important to architect your software and hardware infrastructure with scalability in mind.
Leverage the Cloud
SMBs that anticipate heavy traffic right from the get-go, or that have no desire to invest in capital equipment, can consider running their sites on a cloud-based platform. In spite of the fact that cloud platforms have been around for a few years now, cross platform compatibility is unfortunately relatively nascent (some would consider it to be non-existent). For this reason, I would advocate building only in the most established cloud platforms such as Amazon's Elastic Compute Cloud (EC2), as opposed to a new kid on the block.
There are varying degrees of leveraging the cloud of course, which can range from a complete cloud-hosted site, to one that only stores bandwidth-intensive files such as images or videos. Indeed, WikiLeaks initially moved its site to Amazon's EC2 platform in the face of the DDoS it faced. I have also read technical papers that describe solutions to divert traffic towards EC2 when excessive traffic is encountered.
Relying on a Content Delivery Network
There are a number of Content Delivery Networks (CDN) on the market today, with the largest being Akamai, as well as a myriad of other providers such as EdgeCast and Limelight Networks. Implementation options differ across CDN vendors, though the basic concept revolves around absorbing the brunt of both genuine and frivolous traffic requests from servers located at geographical locations near individual attackers (or legitimate users).
While many businesses engage the services of a CDN on a permanent basis to serve their users, the technology behind a typical CDN is also well-suited to defeating a DDoS. This is also why even the hardest hit websites can be brought back up, given the services of a CDN. Regardless of the vendor you eventually settle for, though, be warned that the cost on this front won't be cheap. As with cloud providers mentioned in the previous section, one way to lower the costs here would be to mirror only critical pages on a CDN.