Can you survive a web avalanche?

If your business gets linked to from a major website, or referred to by a popular Twitter feed, you may find you suddenly have more traffic than you can handle meaning visitors will suffer a slow experience or no response at all. So what precautions can you take to protect your site from a sudden flood of visitors?

Design for efficiency

The number of visitors you can serve is a direct function of how much bandwidth each visit consumes, so a good starting point is to try to minimise the amount of data from your end. Shrink down images, and use services such as YouTube and SoundCloud to embed media files on your page, rather than trying to serve them yourself.

Think about the load on your web server too, especially if your pages are dynamically generated: for example, WordPress pages are assembled on the fly using PHP and MySQL. When a thousand people are trying to connect at once, you may wish you'd chosen a static approach.

James Kretchmar, EMEA CTO at Akamai, recommends that companies shouldn't wait until the avalanche hits to think about such issues."Keep track of how much load you expect," he told us. "Make sure you've provisioned enough capacity, and monitor how much bandwidth and CPU you're using."

All the same, he acknowledges the difficulty of properly preparing for the unknown. "The trouble is that you don't know when it will come, or how much it will be." If you're hosting your web server whether on-site or in a data centre it raises questions about provisioning resources. "You're spending a lot of money for hardware and services that most of the year will go unused just for those occasions when you have very high load," Kretchmar noted.

The benefits of a virtual web server

A common way to respond to the challenge is to host your website on a virtual server. With this approach, it will be possible to arrange a dynamic, temporary upgrade from your provider to cope with a short-term surge.

Don't assume this will happen as a matter of course, however. "It's important to be aware of the provider's policy if your traffic exceeds your capacity," warned John Graham-Cumming at CloudFlare. "Sometimes, people get a nasty surprise their business ends up on TV, they receive a surge of interest, and then the hosting company decides there's too much traffic. If you're paying for cheap hosting, don't be surprised if they switch you off."

"You can test capacity for yourself. With tools such as ApacheBench, you can hit a website very hard and see what happens. But first, go to the actual host and talk to them about what happens if you suddenly get a flood of traffic."

Content-distribution networks

The most robust solution for unpredictable traffic is to sign up with a content-distribution network (CDN). At its simplest, the service caches the content of your site and re-hosts it from a global network of servers, using local DNS to direct incoming traffic to the nearest mirror. It's a scalable approach that can cope with extreme variations in traffic.

"If your site is linked to from a popular site, it can suddenly have a thousand times its normal traffic," pointed out Kretchmar. "The difference between the peak traffic and normal is so huge that any technology you might put in a box in a data centre is going to have trouble keeping up. You really need to be on a distributed platform that can get the traffic far away from your data centre and close to the end user."

It doesn't necessarily have to be a full-time commitment, either: "In the US," noted Graham-Cumming, "a lot of businesses come to us if they're going to appear on Shark Tank the US equivalent of Dragons' Den or if they're going to be mentioned on one of the daily news shows."

There are other benefits to using a CDN: a global network of servers means faster response times for those visiting your site from abroad, and it means the provider can apply other optimisations as needed.

"At CloudFlare, we call ourselves an edge network'," explained Graham-Cumming, "because it's our servers that your customers hit before getting through to your site. That allows us to do all sorts of things to your traffic to make it faster and better. For example, we can minify' your site that is, reformat it for mobile clients. We can apply a firewall to deflect an attack. Plus, we have tools that can help with efficiency: there's a service called Polish that can reduce the size of images and a tool called Railgun that can cache dynamic content."

DDoS attacks

"People think distributed- denial-of-service (DDoS) attacks are something that only big businesses need to worry about but it can happen to anyone," warned Graham-Cumming. "The tools are so easy to come by that we receive calls from people every day saying, help, I'm under attack'. We've heard of two rival spas in the US that were DDoSing each other to undermine each other's business."

"Another big reason it happens is extortion: the bad guys say, pay us this amount of money, maybe in bitcoins, or we'll take your site offline,'" added Graham-Cumming. Of course, if your site goes offline at a crucial time say, you're a florist on Valentine's Day then your business will be in trouble."

Akamai's Kretchmar agrees that DDoS attacks are a growing problem: "In 2010, the largest ever DDoS attack we'd seen was 68Gbits/sec," he revealed. "Last year it was 360Gbits/sec. Our projection for 2014 is a further 50% increase."

Even a hosted site has little chance of standing up to this sort of bombardment, so what can you do? "DDoS attacks are growing, ever- changing and sophisticated, so there is no fool-proof plan," said James Segil, CMO of Verizon Digital Media Services and former CEO of EdgeCast.

Your best bet is a so-called "DDoS- scrubbing service" that inspects packets and ditches suspicious ones before they reach your web server. By its nature, this is a job that's done in the cloud: "A massively distributed platform such as Akamai's can detect which is the malicious traffic and block it," explained Kretchmar. "It can absorb huge numbers of packets per second, and keep them away from the origin data centre."

Graham-Cumming agrees: "At CloudFlare, we're big enough to absorb the traffic, but if you wait until the attack is underway to pick up the phone, it will take time for us to change the DNS settings and start sending those packets onto our network. The best way to prepare for a DDoS attack is to already be with a service such as ours."

This article first appeared on sister site

Darien Graham-Smith

Darien began his IT career in the 1990s as a systems engineer, later becoming an IT project manager. His formative experiences included upgrading a major multinational from token-ring networking to Ethernet, and migrating a travelling sales force from Windows 3.1 to Windows 95.

He subsequently spent some years acting as a one-man IT department for a small publishing company, before moving into journalism himself. He is now a regular contributor to IT Pro, specialising in networking and security, and serves as associate editor of PC Pro magazine with particular responsibility for business reviews and features.

You can email Darien at, or follow him on Twitter at @dariengs.