How does URL redirection affect DDoS attacks

ddosredirect

We're moving our company website to a new domain and a new hosting provider as part of a re-branding project. We intend to create completely new content for the new website, remove all content from the old one, and only leave a generic URL redirect in the old domain, which directs to the main page on the new website.

While it is not a reason for the domain change, we had a lot of DDoS attacks on our old domain. I'd like to know if we can do something with URL redirect to reduce the amount of attacks on the old domain that get directed to the new domain?

A 301 redirect is the best option SEO-wise, but does it just relay any attacks to the new domain?

What about meta refresh? Or just a static anchor link to the new website? Are there other options?

Best Answer

On balance, I would probably go either with a 301, or replace the previous site with a single page providing a link to the new location.

Although I understand your concern about migrating the DDOS attacks along with legitimate traffic, I think it may be a false concern:

you do need to provide a means for legitimate users to find your new site, and that being the case, a sufficiently motivated attacker could too
you are putting up another public website, so even absent concerns about what was happening to the previous site, there is no particular reason I can think of to assume that site would not come under attack, potentially for the same, or similar, reasons to why your first domain was attacked. It is entirely possible your first domain was under attack for something as simple as 'it exists'.

Ultimately, I am not sure there is much you can do to avoid being attacked again.

However, that doesn't mean there isn't something you could do:

rate limit all requests to the old domain, if possible to something as close to 0 as possible (in theory, legitimate users make 1 request, get 1 redirect, and are no longer seen).
only redirect your landing page to your new site via 301. Keep other URLs (in particular, any URLs you know to be specifically targetted) without the redirect (you can always have a generic 'we moved' page), and gather any IPs that hit it - then consider blocking those IPs on both your new and old domains/servers.
similarly, consider using other methods (e.g. an IDS, a WAF) in front of your old domain's server to more specifically identify attackers, and block those where you can.
where you do have a redirect, consider checking user agents. It will be imperfect, but might be of some use in restricting who receives the redirect in the first place.
do all you can to ensure your new domain is more resilient than the old one, and use the attack data from your old domain to gauge what level of protection might be necessary.

Although I couldn't find anything specific to answer your question about the role of 301s in 'migrating' a DDoS, I strongly suspect the answer is 'it depends'.

Notably, it would depend on:

what kind of DDoS you are under - unless it is a layer 7 DDoS, a 301 isn't really relevant.
how sophisticated attacker tools are, and (possibly) how they are configured. I can easily imagine a 301 being used to redirect attackers to a less-visible server/site, so there may be reasons why scripts would ignore them - this is purely speculation on my part, though.

Related Solutions

Is it possible to do a 301 redirect AND redirect to the requested resource

RuslanY's Blog has a great post that describes how to do this with the IIS rewriter.

I will quote his Tip #3 :-

Very often you may have one IIS web site that uses several different host names. The most common example is when a site can be accessed via http://www.yoursitename.com and via http://yoursitename.com. Or, perhaps, you have recently changed you domain name from oldsitename.com to newsitename.com and you want your visitors to use new domain name when bookmarking links to your site. A very simple redirect rule will take care of that: view plaincopy to clipboardprint?

<rule name="Canonical Host Name" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTP_HOST}" negate="true" pattern="^ruslany\.net$" />
    </conditions>
    <action type="Redirect" url="http://ruslany.net/{R:1}" 
            redirectType="Permanent" />
</rule>

To see an example of how that works try browsing to http://www.ruslany.net/2008/10/aspnet-postbacks-and-url-rewriting/. You will see in the browser’s address bar that “www” is removed from the domain name.

Apache 301 redirect all but one file

The Redirect directives don't really have the flexibility to do this. Try using mod_rewrite:

RewriteEngine on
# Equivalent to your first RedirectMatch
RewriteRule ^contactinfo\.html$ http://www.newdomain.com/contact.php [R=301,L]
# Avoids taking any action on this page.
RewriteRule ^filetonotredirect\.html$ - [L]
# Equivalent to your second RedirectMatch
RewriteRule ^.*\.html$ http://www.newdomain.com/index.php [R=301,L]

Best Answer

Related Solutions

Is it possible to do a 301 redirect AND redirect to the requested resource

Apache 301 redirect all but one file

Related Topic