HarmLessSolutions

#293485 25-Jan-2022 16:44

Hi all,

 

Our website has spent the last 24 hours or so being bombarded with attempts to gain access to our admin area. We migrated it over to MyHost about a month back from a local webhosting service that was being discontinued. We have been impressed with MyHost's efforts over the past day in restricting access in an attempt to protect our website's integrity.

 

The advice we are receiving is to enlist the services of Cloudflare to act as a proxy server in order to take advantage of their superior levels of security regarding DDoS attack. Our web developer is suggesting Cloudflare's free plan as sufficient to protect us from the current situation.

 

I have also had ongoing email contact from Cloudflare over the course of today trying to ascertain their NZ GST status which they are being very evasive about. I realise the free plan will attract no GST but if we need to upgrade through their service levels I would prefer to know what I'm letting myself in for and their attitude in answering queries regarding NZ GST doesn't exactly fill me with confidence.

 

What experience/feedback do others have with using Cloudflare? Good, bad or indifferent.





danfaulknor
  #2856181 25-Jan-2022 16:54

We put all of our hosting customers on Cloudflare, it's fantastic.

 

Invoices we get from them have no GST because we have provided them with our GST registration number









HarmLessSolutions

  #2856183 25-Jan-2022 17:02

danfaulknor:

 

We put all of our hosting customers on Cloudflare, it's fantastic.

 

Invoices we get from them have no GST because we have provided them with our GST registration number

 

Thanks for your reply Dan. That would seem to indicate that Cloudflare is in fact registered for NZ GST. From my dealings with them today their billing department don't seem to know.

 

Also what level of plan are you putting your customers on? Ours is a modestly sized e-commerce website so some of their monthly USD billing rates are pretty daunting.







freitasm
  #2856184 25-Jan-2022 17:02

You want Cloudflare. 






 




michaelmurfy
  #2856189 25-Jan-2022 17:26

Daunting, in what way? It’s rather simple pricing.

You likely want to be in at least their Pro plan. It also sounds like you’re running a bigger website on shared hosting; if this works then great, but if you’re dealing with credit cards then you have PCI Compliance to deal with on top of this.

Cloudflare is flat rate. I recommend contacting Dan above for help as Cloudflare also has a whole lot of rules you’ll need to configure.






HarmLessSolutions

  #2856193 25-Jan-2022 17:37

michaelmurfy: Daunting, in what way? It’s rather simple pricing.

You likely want to be in at least their Pro plan. It also sounds like you’re running a bigger website on shared hosting; if this works then great, but if you’re dealing with credit cards then you have PCI Compliance to deal with on top of this.

Cloudflare is flat rate. I recommend contacting Dan above for help as Cloudflare also has a whole lot of rules you’ll need to configure.

Daunting as in pricey, as I was initially considering needing to go to the Business plan, which is priced in US$, and Cloudflare refuse to confirm if NZ GST is a factor.

 

We don't bother with credit card due to prohibitive compliancy requirements. PayPal integration does all we need in this regard and is widely trusted by customers.

 

Our web designer is currently working on putting us on Cloudflare (free plan) with MyHost's input.

 

 







freitasm
  #2856195 25-Jan-2022 17:45

If you register your GST then the invoice comes with no tax added. It is in US$, your credit card will convert based on the rate of the day.

 

The Business Plan is US$ 200/month plus anything in addition you might have but prices are really not that bad - add load balancing, Argo if you are using those, otherwise don't worry.

 

Business is only really indicated if you want more firewall rules (or complex ones involving regex), for example if you have a very granular set of rules. Also if you need PCI DSS compliance.





freitasm
  #2856208 25-Jan-2022 17:47

HarmLessSolutions:

 

Our web designer is currently working on putting us on Cloudflare (free plan) with MyHost's input.

 

 

A web designer or a web admin? Very different roles.

 

You will have to consider also if your hosting can create firewall rules to only allow access to your IP addresses from Cloudflare's published ranges ("IP Ranges | Cloudflare"). You will have to restore visitors' IPs as well, or look for X-Forwarded-For, as per "Restoring original visitor IPs – Cloudflare Help Center".






 

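The origin-side checks freitasm (above) and timmmay (later in the thread) describe, as an added example that is not code from the thread or from Cloudflare: accept a connection only when the TCP peer is inside the proxy's published ranges, and only then trust the forwarded client address. The ranges below are RFC 5737/3849 documentation space standing in for Cloudflare's real lists (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, which must be refreshed periodically); CF-Connecting-IP is used rather than X-Forwarded-For because the latter can contain entries the client itself supplied.

```python
import ipaddress

# Stand-in proxy ranges (RFC 5737 / RFC 3849 documentation space), NOT
# Cloudflare's real ranges: load the published ips-v4 / ips-v6 lists here.
SAMPLE_PROXY_RANGES = [ipaddress.ip_network(n) for n in
                       ("198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def is_from_proxy(peer_ip, ranges=SAMPLE_PROXY_RANGES):
    """True when the TCP peer address belongs to one of the proxy ranges.

    This is the same test the edge firewall should apply: any other peer
    has bypassed the proxy and is talking to the origin directly."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def client_ip(peer_ip, headers, ranges=SAMPLE_PROXY_RANGES):
    """Return the address to log and rate-limit on for one request.

    The forwarded-IP header is only meaningful when the peer is the proxy;
    from any other peer it is attacker-controlled, so the peer itself is
    treated as the client."""
    if not is_from_proxy(peer_ip, ranges):
        return peer_ip
    hdrs = {k.lower(): v for k, v in headers.items()}
    # CF-Connecting-IP is the single value the proxy sets for this purpose.
    # X-Forwarded-For is deliberately not parsed here: a client can send its
    # own entries in that header, so using it needs care this example skips.
    value = hdrs.get("cf-connecting-ip", "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return peer_ip  # missing or malformed header: fall back to the peer


if __name__ == "__main__":
    # Constructed requests: one arriving via the proxy, one hitting the
    # origin directly with a forged header.
    print(client_ip("198.51.100.7", {"CF-Connecting-IP": "192.0.2.44"}))
    print(client_ip("192.0.2.9", {"CF-Connecting-IP": "10.0.0.1"}))
```

The same `is_from_proxy` decision belongs in the network-edge firewall, as timmmay notes, so that direct-to-origin traffic never reaches the host at all.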

HarmLessSolutions

  #2856210 25-Jan-2022 17:55

freitasm:

 

HarmLessSolutions:

 

Our web designer is currently working on putting us on Cloudflare (free plan) with MyHost's input.

 

 

A web designer or a web admin? Very different roles.

 

You will have to consider also if your hosting can create firewall rules to only allow access to your IP addresses from Cloudflare's published ranges ("IP Ranges | Cloudflare"). You will have to restore visitors' IPs as well, or look for X-Forwarded-For, as per "Restoring original visitor IPs – Cloudflare Help Center".

 

Our web designer also does the more complex admin that I can't master, so essentially one = the other. I do day to day admin: product loading, stock management, invoice processing, dispatch. Typical home based e-commerce operation I guess.

 

Thanks for your other advice. I'll pass it on as required.







NPCtom
  #2856885 26-Jan-2022 20:09

Cloudflare is great! I deploy all of my websites onto their service. The caching they provide on their free tier plan is incredible in my opinion.

 

I think the Free tier plan would work well for your requirements, as you say you are using PayPal as your payment gateway. You can also configure custom firewall rules (like rate limiting a login page against an attack). There is also a cool "bot fight mode" included, which I assume serves a captcha to any user that looks suspicious. But I would pay the $20/USD for the Pro plan, just to be on the safe side.

 

In your specific case I would also lock down all traffic at your origin to only allow HTTPS ingress from CloudFlare IPs. Kill :80/HTTP if you can on your server. If you can’t, consider getting a VPS. Shared hosting works well if it's balanced and managed properly.






timmmay
  #2856886 26-Jan-2022 20:24

CloudFlare free plan is likely sufficient, I use it for all my websites and for customer websites for my small business.

 

You need to ensure only traffic from CloudFlare and perhaps any private IPs you have can reach the server directly, i.e. a firewall blocks non-whitelisted IPs at the network edge rather than on your server with iptables or similar, as if it reaches your server in any way it won't help the DDOS attack. You would be best with a new IP address but it's not critical. Make sure your DNS is hosted by CloudFlare; there have been attacks in NZ not long ago where DNS servers were targeted, so the websites themselves were fine but no-one could get to them because DNS was inaccessible.

 

If you're under DDOS attack you can worry about details like GST later - if they're registered you pay it, if not you don't, simple.


wpcharged
  #2857284 27-Jan-2022 18:39

What you're after is more brute force protection than DDoS, as the goal of the attacker is to gain access to the site via login attempts rather than to overwhelm the server's resources, typically to take the website offline, so don't worry about whitelisting Cloudflare IPs etc. as suggested above to get full DDoS protection with Cloudflare.

Unfortunately if the website is on a low cost shared hosting plan it will simply be getting rate limited and throttled by the host, due to these consecutive login attempts. These plans share server resources with hundreds of other sites and even small increases in traffic can result in the website going offline. You could check the logs/awstats in cPanel for requests that are returning 5** error responses to see if and how much traffic is getting rate limited on your plan, and even the 'resource usage' if the host has that option. That should give you an idea if upgrading hosting plans is worth it to help to ensure the site stays online with increases in traffic.

 

Now to Cloudflare: it looks like you have this set up already; this should help to decrease the amount of spam and malicious bot traffic hitting the site. To further lock down the login page a rule could be added under Rules > Page Rules in Cloudflare: add the URL that's being attacked, then set the security level to "I'm under attack".

Forgot to add, the free plan will suffice for this. Although there are some large images on the site that could be optimized with higher CF plans automatically, it's probably more efficient to optimize the few images on the website itself.


 
 
 

NPCtom
  #2857308 27-Jan-2022 18:42

wpcharged:

 

Now to Cloudflare: it looks like you have this set up already; this should help to decrease the amount of spam and malicious bot traffic hitting the site. To further lock down the login page a rule could be added under Rules > Page Rules in Cloudflare: add the URL that's being attacked, then set the security level to "I'm under attack".

 

 

+1 for this. Specific page rules come free with Cloudflare and they're really great. I tend to lockdown both wp-login.php and xmlrpc.php if I'm using WordPress.


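The two checks wpcharged and NPCtom describe above, as an added example rather than anything posted in the thread: a scan of combined-format access-log lines that flags source IPs bursting POSTs at wp-login.php or xmlrpc.php, and the share of 5xx responses that hints the host is throttling. The log lines are constructed sample data using RFC 5737 documentation addresses; the 60-second window and threshold of 10 are assumptions to tune against real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def _line(ip, sec, method, path, status):
    # One constructed combined-format log line (sample data, not a real host).
    return (f'{ip} - - [25/Jan/2022:16:40:{sec:02d} +1300] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


# Constructed sample: 12 login POSTs from one documentation-space address in
# 33 seconds, a few answered 503 by a throttling host, plus a normal visitor.
SAMPLE_LOG = ([_line("192.0.2.10", s * 3, "POST", "/wp-login.php",
                     503 if s % 4 == 0 else 200) for s in range(12)]
              + [_line("192.0.2.77", 5, "GET", "/", 200),
                 _line("192.0.2.77", 9, "GET", "/shop?cat=1", 200)])


def parse(line):
    """Return (ip, timestamp, method, path, status), or None for odd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def login_bursts(lines, window=timedelta(seconds=60), threshold=10):
    """Peak number of login POSTs per source IP inside any sliding window,
    keeping only the IPs at or above the threshold."""
    attempts = defaultdict(list)
    for ip, when, method, path, _ in filter(None, map(parse, lines)):
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip].append(when)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def server_error_share(lines):
    """Fraction of requests answered 5xx: the throttling sign to look for."""
    recs = list(filter(None, map(parse, lines)))
    return sum(500 <= r[4] < 600 for r in recs) / len(recs) if recs else 0.0
```

The flagged addresses are what a Cloudflare rate-limiting or page rule on those paths would have absorbed before they reached the origin; a rising 5xx share on the same log is the host's throttling that wpcharged suggests checking.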




timmmay
  #2857314 27-Jan-2022 18:50

wpcharged:

 

What you're after is more brute force protection than DDoS, as the goal of the attacker is to gain access to the site via login attempts rather than to overwhelm the server's resources, typically to take the website offline, so don't worry about whitelisting Cloudflare IPs etc. as suggested above to get full DDoS protection with Cloudflare.

 

Whitelisting only CDN IPs might not solve this exact problem, but is a good move for general DDOS resilience. There's not much point having a CDN in front of your server if anyone can reach it by IP, particularly if the IP used to be public.

 

Smaller ISPs might have trouble shedding DDOS loads at the network edge if the IP is addressed directly, the whole ISP could become overwhelmed. Larger providers like AWS / Azure / Google can cope with larger attacks more easily.


wpcharged
  #2857374 27-Jan-2022 19:21

timmmay:

 

Whitelisting only CDN IPs might not solve this exact problem, but is a good move for general DDOS resilience. There's not much point having a CDN in front of your server if anyone can reach it by IP, particularly if the IP used to be public.

 

Smaller ISPs might have trouble shedding DDOS loads at the network edge if the IP is addressed directly, the whole ISP could become overwhelmed. Larger providers like AWS / Azure / Google can cope with larger attacks more easily.

 



Yes, if DDoS protection is needed, agreed that is best practice. It will be overkill for this case though, due to it being on a shared host and the unlikelihood of it being targeted for that type of attack.









