Cyber Security

DDoS Defence: Using Server Backups

TL;DR

Server backups aren’t a direct DDoS defence, but they’re vital for recovery after an attack. They let you restore services quickly if your servers are overwhelmed or compromised. This guide explains how to use them as part of a wider DDoS protection strategy.

Using Server Backups for DDoS Recovery

  1. Understand the Limitations
    • Backups won’t stop a Distributed Denial-of-Service (DDoS) attack in progress. They are a recovery tool, not prevention.
    • A large DDoS attack can still overwhelm your backup systems if they’re on the same network.
  2. Regular Backup Schedule
    • Implement frequent backups – daily is common, hourly for critical data.
    • Consider different types of backups: full (everything), incremental (changes since the last backup of any type), and differential (changes since the last full backup). Incremental backups are faster to take but slower to restore, because the full backup and every incremental taken since it must be replayed in order.
  3. Offsite Backups
    • Store backups in a separate location from your servers – cloud storage, another data centre. This protects against physical damage or network issues affecting both servers and backups.
    • Ensure backup security: encryption (both in transit and at rest) and access controls are essential.
  4. Backup Verification
    • Regularly test your backups! Restore them to a separate environment to confirm they work correctly. A broken backup is useless when you need it most.
    • Automate the verification process if possible.
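The following script is an added example, not code from the original article, showing Steps 2 and 4 together: a full backup followed by an incremental one with GNU tar, a SHA-256 manifest recorded at backup time, and an automated restore test that extracts the chain into a separate directory and compares every file against the manifest (the same restore-to-a-separate-environment check that the restoration process later in this guide relies on). All paths and the sample data are hypothetical and constructed inline so the script runs offline; it assumes GNU tar and coreutils.

```shell
#!/bin/sh
# Added example, not from the original article: full and incremental backups
# with GNU tar, a SHA-256 manifest taken at backup time, and an automated
# restore test into a separate directory. All paths are hypothetical.
set -eu

BACKUP_ROOT="${BACKUP_ROOT:-/tmp/ddos-backup-demo}"  # hypothetical demo root
SOURCE_DIR="$BACKUP_ROOT/source"                     # the data being protected
ARCHIVE_DIR="$BACKUP_ROOT/archives"                  # where the archives land
SNAPSHOT="$ARCHIVE_DIR/snapshot.snar"                # tar's incremental state file

# Checksum every file under a directory, as relative paths in a stable order,
# so two trees can be compared regardless of when they were listed.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum )
}

# Full backup: remove the snapshot file so tar records every file again.
full_backup() {
    mkdir -p "$ARCHIVE_DIR"
    rm -f "$SNAPSHOT"
    tar --create --gzip --listed-incremental="$SNAPSHOT" \
        --file "$ARCHIVE_DIR/full.tar.gz" -C "$SOURCE_DIR" .
    make_manifest "$SOURCE_DIR" > "$ARCHIVE_DIR/full.sha256"
}

# Incremental backup: tar consults the snapshot and stores only what changed
# since the previous run (full or incremental), which keeps the archive small.
incremental_backup() {
    tar --create --gzip --listed-incremental="$SNAPSHOT" \
        --file "$ARCHIVE_DIR/incr.tar.gz" -C "$SOURCE_DIR" .
    make_manifest "$SOURCE_DIR" > "$ARCHIVE_DIR/latest.sha256"
}

# Verification: extract the chain into a fresh directory (never onto the live
# system), then check every restored file against the manifest. A non-zero
# exit here means the backup would not have saved you.
verify_backups() {
    restore_dir="$BACKUP_ROOT/restore-test"
    rm -rf "$restore_dir"
    mkdir -p "$restore_dir"
    # --listed-incremental=/dev/null makes tar replay the archives as an
    # incremental chain rather than as two independent archives.
    tar --extract --gzip --listed-incremental=/dev/null \
        --file "$ARCHIVE_DIR/full.tar.gz" -C "$restore_dir"
    tar --extract --gzip --listed-incremental=/dev/null \
        --file "$ARCHIVE_DIR/incr.tar.gz" -C "$restore_dir"
    ( cd "$restore_dir" && sha256sum --check --quiet "$ARCHIVE_DIR/latest.sha256" )
}

# Constructed sample data so the script runs offline: a full backup, a change
# afterwards, then an incremental backup and the restore test.
demo() {
    rm -rf "$BACKUP_ROOT"
    mkdir -p "$SOURCE_DIR/www"
    printf 'index v1\n' > "$SOURCE_DIR/www/index.html"
    printf 'listen 80\n' > "$SOURCE_DIR/app.conf"
    full_backup
    sleep 1   # filesystem timestamps are coarse; make the change clearly newer
    printf 'index v2\n' > "$SOURCE_DIR/www/index.html"
    incremental_backup
    verify_backups
    echo "restore test passed"
}

demo
```

Run it from cron on the backup host and alert on a non-zero exit; the incremental archive should contain only the changed file, and the restore directory must end up byte-identical to the source at the time of the last backup.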
  5. DDoS Attack Response Plan
    • Develop a plan outlining steps to take during an attack, including:
      • Identifying the attack type (e.g., volumetric, application-layer).
      • Contacting your hosting provider or cyber security incident response team.
      • Activating DDoS mitigation services (see Step 6).
      • Initiating backup restoration if servers are compromised or unrecoverable.
  6. DDoS Mitigation Services
    • Backups work best when combined with proactive DDoS protection:
      • Cloud-based mitigation services: Companies like Cloudflare, Akamai, and AWS Shield filter malicious traffic before it reaches your servers.
      • On-premise appliances: Hardware solutions that detect and block attacks at your network edge.
      • Rate limiting: Limit the number of requests from a single IP address to prevent flooding. Example using iptables on Linux (the hashlimit match keeps a separate counter per source address; a plain limit match would impose one global rate on all clients, so a flood from one source would starve everyone else):
        # Accept new HTTP connections from any one source at up to 100 per minute, allowing a burst of 200
        sudo iptables -A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-upto 100/minute --hashlimit-burst 200 -j ACCEPT
        # Drop further new connections on port 80 from a source that has exceeded its rate (--syn leaves established connections untouched)
        sudo iptables -A INPUT -p tcp --dport 80 --syn -j DROP
  7. Restoration Process
    • If an attack compromises your servers, follow these steps:
      1. Isolate the affected servers from the network.
      2. Restore from a clean backup to a separate environment.
      3. Verify the restored system is secure and functional.
      4. Re-image compromised systems if necessary.
      5. Bring the restored system online, potentially with DDoS mitigation enabled.
  8. Post-Attack Analysis
    • After an attack, analyse logs to understand what happened and improve your defences.
    • Review your backup strategy: are backups frequent enough? Are they stored securely offsite?
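As an added example for the post-attack log review (not part of the original article), the script below summarises a web server access log in the common combined format: requests per source address, sources exceeding a per-minute threshold, and the most requested paths, which is the quickest way to tell a flood concentrated on one endpoint (application-layer) from broad traffic volume. The log lines are constructed sample data using RFC 5737 documentation addresses; the function names and the threshold of 5 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: summarise an access log after
# an attack to see which sources and paths dominated.
set -eu

# Constructed sample lines in Apache/nginx combined log format. The addresses
# are documentation ranges (RFC 5737), not real clients.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [10/Mar/2024:14:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:00:03 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:00:04 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2024:14:00:05 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:14:00:10 +0000] "GET / HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:00:12 +0000] "GET /static/app.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:14:01:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Requests per source address, busiest first ($1 is the client address).
top_sources() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Requests per source per minute; prints only sources at or above the
# threshold given as $1. $4 is "[day/Mon/year:HH:MM:SS", so splitting on ":"
# gives the hour and minute.
flag_sources() {
    awk -v t="$1" '
        { split($4, ts, ":"); key = $1 " " ts[2] ":" ts[3]; c[key]++ }
        END { for (k in c) if (c[k] >= t) print c[k], k }' | sort -rn
}

# Most requested paths ($7 is the request path), to spot a flood aimed at
# one endpoint such as a login form.
top_paths() {
    awk '{ c[$7]++ } END { for (p in c) print c[p], p }' | sort -rn
}

# Helpers that return single values, useful for alerting scripts.
busiest_source() { sample_log | top_sources | head -n 1 | awk '{ print $2 }'; }
flagged_count()  { sample_log | flag_sources "$1" | wc -l | tr -d ' '; }

echo "== requests per source ==";            sample_log | top_sources
echo "== sources at or above 5/minute ==";   sample_log | flag_sources 5
echo "== most requested paths ==";           sample_log | top_paths
```

Replace `sample_log` with `cat /var/log/nginx/access.log` (or your server's equivalent) to run it on real data; the per-minute view is what you would compare against the rate limit configured in Step 6.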