To provide an all-around security solution for our customers, we have conditionally separated our security efforts and tools into two major Fleets!
Every website, whether static or dynamic, uses a web server to deliver content to its visitors. The web server is therefore a critical hub for the distribution of malware and the main door through which exploits enter and leave the whole web hosting environment. For these reasons, we strongly believe that keeping the "door" closed for exploits and open for legitimate users is probably one of the most significant challenges a web hosting company can face.
Thanks to the advancements in the Security field, we are able to provide a vast amount of security improvements, so we can mitigate a large percentage of the attacks that try to penetrate our Web Servers.
Whenever a client website is accessed, the connection passes through our Web Servers. Every connection consists of at least two mandatory components: the IP address of the computer initiating the Request and the Request Body. This allows the Web Server to prepare an answer for the request and to send that answer to the IP address that requested it.
Pretty simple, isn't it? Yes, but what happens if too many requests are sent from a single IP address, as in a DoS attack scenario? The Web Server gets flooded with millions of requests, and it tries to answer each of them, which dramatically increases the hardware resources consumed. To resolve this case, we utilize a security feature called "Connection Limit". It limits the number of requests per second from a single IP address to a reasonable amount, thus reducing the risk of a DoS attack to virtually none.
We established that each website visit is associated with an actual connection to our Web Servers, and thanks to the request of that connection, the Web Server can produce web content and return it to the IP address that requested it.
However, not only the number of connections can be abused but also the request's parameters, such as the Request URL Length, Request Header Length, and the Request Body Length. These can cause a severe overload of the server when they are abusively large. To prevent that scenario, we limit these to values that correspond to regular website visits instead of malicious requests.
Furthermore, we also deny access to hidden files and the web listing of parent directories. In fact, all directory listings are disabled by default.
There are millions of ways to exploit a vulnerability in a regular Web Server. However, as we mentioned, by limiting the number of connections and the length of their requests, we ensure that no attacks related to these will be allowed. But what if the request has a fitting length and there is only one request?
For the security of every request, we went even further and implemented a Web Application Firewall (WAF) solution that inspects every request that passes these limits for known attacks such as XSS or SQL injection. If such an attack is detected, the request is terminated, and an appropriate message is sent as an answer to the IP address that sent it. If that behavior repeats a few times, the IP address is then banned!
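The checks described so far (connection limit, request size limits, hidden-file denial, and a ban after repeated WAF detections) can be sketched as one admission gate. This is an added example, not our Web Servers' actual code; the class name, the threshold values, the `.well-known` exception and the `waf_hit` flag (the verdict of a separate WAF engine) are all assumptions.

```python
import time
from collections import defaultdict, deque
from urllib.parse import unquote, urlsplit

# Assumed thresholds for illustration; the text does not state the real values.
MAX_REQ_PER_SEC = 20
MAX_URL_LEN, MAX_HEADER_LEN, MAX_BODY_LEN = 2048, 8192, 1_048_576
WAF_STRIKES_BEFORE_BAN = 3


class RequestGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.recent = defaultdict(deque)   # ip -> timestamps within the last second
        self.strikes = defaultdict(int)    # ip -> number of WAF detections so far
        self.banned = set()

    def admit(self, ip, url, headers, body=b"", waf_hit=False):
        """Return (allowed, reason); waf_hit comes from a separate WAF engine."""
        if ip in self.banned:
            return False, "banned"
        # 1. Connection limit: sliding one-second window per source IP.
        now = self.clock()
        window = self.recent[ip]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= MAX_REQ_PER_SEC:
            return False, "rate_limited"
        window.append(now)
        # 2. Size limits on the URL, the headers and the body.
        if len(url) > MAX_URL_LEN:
            return False, "url_too_long"
        header_len = sum(len(k) + len(v) for k, v in headers.items())
        if header_len > MAX_HEADER_LEN:
            return False, "headers_too_large"
        if len(body) > MAX_BODY_LEN:
            return False, "body_too_large"
        # 3. Hidden files: decode %2E first, then reject dot-prefixed segments.
        segments = unquote(urlsplit(url).path).split("/")
        if any(s.startswith(".") and s != ".well-known" for s in segments):
            return False, "hidden_file"
        # 4. WAF verdict: reject, and ban the IP once detections repeat.
        if waf_hit:
            self.strikes[ip] += 1
            if self.strikes[ip] >= WAF_STRIKES_BEFORE_BAN:
                self.banned.add(ip)
            return False, "waf_blocked"
        return True, "ok"
```

The rate check runs before the size and path checks, so rejected requests still count against the sender's per-second budget.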
The requests sent to our Web Servers are not always for dynamic resources (such as PHP scripts). Sometimes they target static files instead (CSS, JS, HTML, PNG, JPG, etc.). However, these static files should not always be accessible, or at least our customers do not always want them to be accessible. For that reason, our web server will serve a static file as an answer to a web request only if:
A Distributed Denial of Service attack, or DDoS, is a type of attack that abuses the allowed number of concurrent connections per IP address while amplifying the attack by increasing the number of IP addresses taking part in it. In other words, thousands of IP addresses are sending hundreds of requests to a Web Server. That alone is devastating for unprotected servers, since this attack completely prevents the web server from answering legitimate requests, thus making client websites completely inaccessible. To prevent this, we have implemented Web Server-side DDoS protection that consists of: