DDoS Protection for Small Businesses: What You Need to Know

DDoS attacks are not just for large companies. Small business websites are increasingly frequent targets. Here is how to protect yourself without an enterprise budget.

Ioana Dragomir

Marketing team · 11 February 2026

What Is a DDoS Attack

A Distributed Denial of Service attack is one of the oldest and most persistent threats on the internet, yet it remains devastatingly effective. In simple terms, a DDoS attack floods your website or server with so much traffic that legitimate visitors can no longer reach it. The traffic comes from hundreds or thousands of compromised devices, collectively called a botnet, spread across the globe, which makes it nearly impossible to block by filtering a single IP address or region.

The scale of modern DDoS attacks has grown exponentially. In 2019, a large attack might peak at 500 Gbps. By 2025, attacks exceeding 3 Tbps have been recorded, and botnets built from compromised IoT devices like cameras, routers, and smart thermostats can generate staggering volumes of junk traffic. For a small business running on a single cloud server, even a modest 10 Gbps attack is enough to take the entire site offline for hours.

The financial impact goes beyond lost sales during downtime. Research from Kaspersky estimates that the average cost of a DDoS attack for a small business exceeds $120,000 when factoring in lost revenue, recovery expenses, reputational damage, and customer churn. For e-commerce businesses or service providers who rely on their website for lead generation, even thirty minutes of downtime during peak hours can erode months of marketing investment.

Why Small Businesses Are Targets

There is a persistent misconception that DDoS attacks only target large corporations and government agencies. The reality is the opposite. According to a 2025 report from Cloudflare, over 45% of DDoS attacks targeted businesses with fewer than 250 employees. Small businesses are attractive targets precisely because they tend to have weaker defenses, smaller IT budgets, and less redundancy in their infrastructure.

Attackers target small businesses for several reasons. Competitors in cutthroat industries have been known to hire DDoS-for-hire services, available on the dark web for as little as $30 per hour, to knock a rival offline during a critical sales period. Extortionists send ransom demands threatening an attack unless a cryptocurrency payment is made. And sometimes small businesses are simply collateral damage in attacks aimed at the shared hosting provider they happen to use.

At GRADAX, we have seen this firsthand with our clients. A regional law firm had their website taken offline for six hours during a high-profile case when opposing interests launched a sustained volumetric attack. A local restaurant group lost an entire weekend of online orders during a 48-hour attack that their previous web hosting provider was completely unequipped to handle. These are not hypothetical scenarios; they are increasingly common realities.

Types of DDoS Attacks

Understanding the different categories of DDoS attacks is essential for choosing the right protection. Volumetric attacks are the most common type, accounting for roughly 65% of all incidents. These attacks aim to saturate your bandwidth by flooding your network with massive amounts of data. UDP floods, DNS amplification, and ICMP floods fall into this category. The goal is simple brute force: overwhelm your connection with more traffic than it can handle.

Protocol attacks exploit weaknesses in network protocol implementations to consume server resources. SYN floods are the classic example: the attacker sends a barrage of TCP connection requests but never completes the handshake, leaving your server with thousands of half-open connections that exhaust its connection table. Smurf attacks and ping-of-death variants also fall here. These attacks do not require massive bandwidth; they work by exhausting finite server resources like CPU cycles, memory, or connection slots.

Application-layer attacks are the most sophisticated and hardest to detect. Rather than flooding raw traffic, these attacks mimic legitimate user behavior, sending valid HTTP requests to resource-intensive pages like search results, login forms, or API endpoints. A Slowloris attack, for example, opens connections and sends HTTP headers at an agonizingly slow rate, tying up server threads indefinitely. Because each individual request looks normal, traditional rate limiting often fails to catch them until the server is already overwhelmed.

How DDoS Protection Works

Modern DDoS protection operates on the principle of absorbing and filtering attack traffic before it ever reaches your origin server. The most effective solutions use a global network of scrubbing centers that sit between the internet and your server. When traffic arrives, it passes through these centers where sophisticated algorithms distinguish legitimate visitors from attack traffic. Clean traffic is forwarded to your server while malicious packets are dropped at the edge.

The filtering process uses multiple detection methods working in concert. Signature-based detection matches traffic patterns against known attack signatures, catching well-documented attack types almost instantly. Behavioral analysis monitors traffic baselines and flags anomalies — a sudden tenfold increase in requests from a single autonomous system number, for instance. Rate limiting caps the number of requests from any single source within a time window. And challenge-based verification presents JavaScript challenges or CAPTCHAs to suspicious traffic, which bots typically cannot solve.
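The behavioral check described above, a tenfold jump from a single autonomous system over its own baseline, can be sketched as follows. This is an added example, not GRADAX's or any provider's code; the ASN-tagged event format, the median baseline and the `min_requests` floor are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: one (minute, source ASN) pair per request, as an edge
# log already enriched with ASN data might provide. AS64500-AS64502 are
# reserved documentation ASNs.
def build_sample():
    events = []
    for minute in range(6):
        events += [(minute, 64500)] * 40   # steady traffic from a large ISP
        events += [(minute, 64501)] * 5    # small network, normally quiet
    events += [(5, 64501)] * 75            # minute 5: AS64501 jumps to 80 requests
    events += [(5, 64502)] * 3             # new but low-volume source
    return events

def flag_anomalies(events, current_minute, factor=10, min_requests=50):
    """Return {asn: (current, baseline)} for every ASN whose request count in
    current_minute is at least `factor` times its median over earlier minutes."""
    per_minute = defaultdict(Counter)
    for minute, asn in events:
        per_minute[minute][asn] += 1
    history = [per_minute[m] for m in sorted(per_minute) if m < current_minute]
    flagged = {}
    for asn, current in per_minute[current_minute].items():
        baseline = median(c[asn] for c in history) if history else 0
        # Floor the baseline at 1 so a never-seen ASN is compared against
        # something, and require min_requests so tiny sources stay quiet.
        if current >= min_requests and current >= factor * max(baseline, 1):
            flagged[asn] = (current, baseline)
    return flagged

if __name__ == "__main__":
    print(flag_anomalies(build_sample(), current_minute=5))
```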

For businesses using our website security services, we implement protection at multiple layers simultaneously. Network-level filtering handles volumetric and protocol attacks before they consume bandwidth. Application-level inspection catches layer-7 attacks that mimic legitimate traffic. And origin shielding ensures that even if an attacker discovers your server's real IP address, direct connections are blocked unless they pass through the protection layer first.

Choosing a DDoS Protection Provider

Not all DDoS protection is created equal, and choosing the wrong provider can give you a false sense of security. The first factor to evaluate is network capacity. Your provider's network must be significantly larger than the largest attack they would need to absorb. A provider with 1 Tbps of scrubbing capacity might seem impressive until you realize that multi-terabit attacks are now routine. We recommend providers with at least 10 Tbps of global scrubbing capacity.

Latency overhead is the second critical factor. Some protection services add 50 to 100 milliseconds of latency to every request because traffic must travel to a distant scrubbing center and back. For performance-sensitive applications, this is unacceptable. The best providers maintain scrubbing centers in dozens of global locations, ensuring that traffic is filtered at the nearest edge node with minimal latency impact, typically under 5 milliseconds during normal operation.

Finally, evaluate the provider's time-to-mitigation guarantee. Some providers promise mitigation within seconds through always-on protection that continuously filters traffic. Others offer on-demand protection that only activates when an attack is detected, which can leave your site exposed for several minutes during the detection and rerouting phase. For any business where downtime is unacceptable, always-on protection is worth the premium. Ask providers for their SLA commitments in writing and verify their track record with independent references.

Cloudflare and CDN-Based Protection

Content Delivery Networks have evolved far beyond simple caching. Modern CDNs like Cloudflare, AWS Shield, and Akamai offer integrated DDoS protection as a core feature, making enterprise-grade defense accessible to businesses of every size. Cloudflare's free tier, for example, includes unlimited unmetered DDoS mitigation, a remarkable offering that has democratized basic protection for millions of websites.

CDN-based protection works by distributing your content across a global network of edge servers. When an attack targets your domain, the traffic is absorbed across the entire network rather than concentrating on a single origin server. Cloudflare's network exceeds 300 Tbps of capacity, meaning even the largest recorded attacks represent a fraction of their available bandwidth. Because legitimate traffic is also served from edge caches, your users experience faster load times and your origin server handles less load overall.

We configure CDN-based protection for many of our clients at GRADAX, integrating it with our cloud server infrastructure for defense in depth. The CDN handles volumetric attacks at the edge while our origin-level protections catch any traffic that slips through. This layered approach has proven highly effective: across all clients using our recommended configuration, we have maintained 100% availability during every attack event in the past eighteen months. For businesses ready to implement this setup, contact our team for a tailored assessment.

Building a DDoS Response Plan

Even with strong protection in place, every business needs a documented DDoS response plan. The middle of an attack is the worst time to figure out who to call, what to check, and how to communicate with customers. A good response plan covers four phases: preparation, detection, response, and recovery. Each phase should have clear owners, specific actions, and escalation criteria.

In the preparation phase, document your normal traffic baselines, list all critical IP addresses and domains, and establish communication channels with your hosting provider and DDoS protection vendor. During detection, define what constitutes an attack versus a legitimate traffic spike; a viral social media post can look remarkably similar to a DDoS attack in your analytics. The response phase should include steps for activating additional protection layers, switching to a maintenance page if necessary, and communicating status updates to customers through social media or email.

The recovery phase is often overlooked but equally important. After an attack subsides, verify that all services are functioning correctly, review logs to understand the attack vector, and update your protection rules based on what you learned. Document the timeline and impact for insurance purposes and to inform future planning. We recommend running a tabletop exercise of your DDoS response plan at least twice a year, simulating different attack scenarios and verifying that every team member knows their role.

Prevention Best Practices

Beyond dedicated DDoS protection services, several best practices can dramatically reduce your attack surface and improve your resilience. First, never expose your origin server's IP address publicly. Use a reverse proxy or CDN for all traffic, and configure your server's firewall to accept connections only from your protection provider's IP ranges. If an attacker can bypass your protection layer by connecting directly to your origin, all that expensive mitigation infrastructure becomes worthless.
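A way to verify the origin lockdown described here, and the origin shielding mentioned earlier, is to audit the origin's own access log for peers outside the provider's ranges. This is an added example, not code from the article or any provider; the ranges are documentation prefixes standing in for a provider's published list, and the log format is constructed.

```python
import ipaddress

# Constructed stand-ins for the protection provider's published ranges
# (documentation prefixes, not real provider ranges).
EDGE_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Constructed origin access-log lines: "<peer address> <method> <path> <status>".
# The peer is the TCP source the origin saw, not a forwarded-for header.
SAMPLE_LOG = """\
192.0.2.14 GET / 200
198.51.100.77 GET /search?q=a 200
198.51.100.200 GET / 200
203.0.113.9 POST /login 200
2001:db8:100::5 GET /api/items 200
2001:db8:200::5 GET / 200
not-an-ip GET / 400
"""

def from_edge(addr, networks):
    # Membership is simply False when address and network versions differ.
    return any(addr in net for net in networks)

def find_direct_hits(log_text, cidrs=EDGE_RANGES):
    """Return (line_no, peer) for every request that reached the origin from
    outside the edge ranges; unparseable peers are reported as well."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        peer = line.split()[0]
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            hits.append((line_no, peer))   # malformed entry: surface it
            continue
        if not from_edge(addr, networks):
            hits.append((line_no, peer))   # firewall let a direct connection in
    return hits

if __name__ == "__main__":
    for line_no, peer in find_direct_hits(SAMPLE_LOG):
        print(f"line {line_no}: direct-to-origin peer {peer}")
```

Any hit means the firewall allowlist is incomplete or not enforced on that listener.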

Second, implement rate limiting at the application level for resource-intensive endpoints. Login pages, search functions, and API endpoints should cap requests per IP to reasonable levels, perhaps 10 login attempts per minute or 60 API calls per minute. This will not stop a distributed attack entirely, but it limits the damage any single bot can inflict and buys your infrastructure time to detect and respond. Combine this with geographic filtering if your business only serves specific regions; there is no reason to accept traffic from countries where you have no customers.
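The per-IP limits above can be implemented as a sliding-window limiter, sketched here as an added example that is not code from the article. The path prefixes `/login` and `/api/`, the class name and the `simulate` helper are assumptions; the limits are the article's 10 and 60 per minute.

```python
import time
from collections import defaultdict, deque

# Limits from the text: 10 login attempts and 60 API calls per minute per IP.
# Keys are assumed path prefixes; values are (max requests, window seconds).
LIMITS = {"/login": (10, 60.0), "/api/": (60, 60.0)}

class SlidingWindowLimiter:
    def __init__(self, limits=LIMITS, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.hits = defaultdict(deque)   # (ip, prefix) -> times of allowed requests

    def allow(self, ip, path):
        """Return True if the request may proceed, False if it should get HTTP 429."""
        for prefix, (max_requests, window) in self.limits.items():
            if path.startswith(prefix):
                break
        else:
            return True                  # endpoint is not rate limited
        now = self.clock()
        q = self.hits[(ip, prefix)]
        while q and now - q[0] >= window:
            q.popleft()                  # forget hits that left the window
        if len(q) >= max_requests:
            return False
        q.append(now)
        return True

def simulate(requests, limiter):
    """Replay (timestamp, ip, path) tuples; return how many were allowed."""
    allowed = 0
    for ts, ip, path in requests:
        limiter.clock = lambda ts=ts: ts   # drive the limiter with replayed time
        allowed += limiter.allow(ip, path)
    return allowed

if __name__ == "__main__":
    # Constructed traffic: one bot sending 100 login attempts in 10 seconds,
    # then 200 sources each staying exactly at the per-IP limit.
    one_bot = [(i * 0.1, "203.0.113.7", "/login") for i in range(100)]
    botnet = [(float(n), f"198.51.100.{h}", "/login")
              for n in range(10) for h in range(200)]
    print(simulate(one_bot, SlidingWindowLimiter()))   # single source is capped
    print(simulate(botnet, SlidingWindowLimiter()))    # distributed load passes
```

The `hits` table grows with every new source address, so a deployment needs eviction or a bounded shared store to keep the limiter itself from being exhausted.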

Third, maintain infrastructure redundancy and have a failover plan. Run your application across multiple cloud servers in different availability zones so that an attack on one node does not take down your entire operation. Keep DNS TTLs low so you can quickly redirect traffic to backup infrastructure if needed. And ensure your database and file storage can handle a rapid failover without data loss. These measures improve not only your DDoS resilience but your overall website security posture and business continuity capabilities. If you are unsure where your vulnerabilities lie, reach out to us for a complimentary infrastructure assessment.
