There are three basic categories of web hosting you can choose from:
Shared hosting providers are companies that sell web hosting on servers that host other customers' websites and often provide you with control panel software, such as cPanel. When using a shared hosting provider, you will need to install and configure your website yourself, but the shared hosting provider will run the web servers for you. These include companies like Dreamhost and Bluehost.
Finally, self-hosted servers are servers you run for yourself. This category includes Virtual Private Servers (VPS) and physical servers that are in data centers. Self-hosted servers are often the best solution for organizations with very specific website needs, however they also require systems administrators and web developers. Protecting self-hosted servers from DDOS attacks is a subject that falls outside of the scope of this guide.
Each category of web hosting has advantages and drawbacks.
- Easy--no in-house technological expertise needed.
- It's free!
- Large companies that provide hosted services generally have stable and secure servers that are capable of absorbing DDoS attacks.
- Updates, security, and DDoS defense are the platform provider's responsibility (although you still need to protect your site by having a strong password).
- Hosted services often have content policies which may not work for your website.
- You have little control over which themes and plugins you can use.
- If your website needs more complicated types of content than blog posts and pages, hosted services might not work for you.
Required level of technical expertise for set up: Low. If you can use Facebook, you can use a hosted service.
How to handle DDOS: You have no control over any of it, but your service provider should help.
Examples: Blogger, Wordpress.com, Maktoob, LiveJournal, Tumblr, Posterous
Shared Hosting Providers
- After installing your CMS, you can install any themes or plugins you want, including automatic backup and security plugins, or custom plugins just for your site.
- The shared hosting provider is responsible for server updates.
- It costs money (~$10/month).
- You are responsible for keeping your CMS and plugins up-to-date yourself. Out-of-date plugins can result in your site getting hacked.
- Because you are sharing a server with other websites, their security problems could potentially compromise your website.
Required level of technical expertise for set up: Medium. You will need to know how to navigate your host's control panel, use FTP/SFTP/SSH software, and install and configure a CMS.
How to handle DDOS:
- Make sure your CMS uses caching. If you are using Wordpress, EFF recommends the WP Super Cache plugin. Drupal has caching built-in. This will be for handling large amounts of traffic.
- If you're getting DDoSed, hopefully your shared hosting provider will help you keep your website up.
Examples: Dreamhost, Go Daddy, Yahoo, Host Gator, Bluehost, Just Host, iPage, FatCow
- You can set up your website exactly the way you want it.
- If you have the technical expertise, you can use a dedicated caching proxy like Varnish or Squid.
- If have the technical expertise, you can set up a load balancer that distributes your web traffic across several web servers to handle all of it. This is how big websites like Facebook, Google, and Amazon manage to stay up even they're flooded with massive amounts of traffic.
- Requires professional systems administrators and developers to maintain.
- More expensive than shared hosting.
Required level of technical expertise for set up: High. You will need a professional system admin, and someone who knows how to install and configure a CMS.
Examples: Amazon EC2, Slicehost, data center
Choosing a web host:
|Base Cost of hosting ($/mo)||DDoS Protection Services||Website Suspension during Attacks||Prohibits DDoS-attracting Activity||Content Restrictions Rating||TOS links|
|iPage||$2.95||Inform of DDoS Y||Y||Y||Green||www.ipage.com/legal/|
|Host Gator||$3.96||Inform of DDoS Y||Y||N||Yellow||www.hostgator.com/tos/tos.php|
|GoDaddy||$4.24||Inform of DDoS Y||N||N||Red||www.godaddy.com/agreements/showdoc.aspx?pageid=TOU&ci=20801&app_hdr=0|
|Hostmonster||$4.95||Inform of DDoS||Y||N||Yellow||www.hostmonster.com/cgi/info/terms.html|
|GreenGeeks||$4.95||Inform of DDoS, mitigation tech||Y||N||Yellow||www.greengeeks.com/legal/tos.php|
|inmotion Hosting||$5.95||Does not offer services||Unknown||Y||Red||www.inmotionhosting.com/policies.html|
|Bluehost||$6.95||Inform of DDoS in large cases, mitigation of most cases||Y||N||Yellow||www.bluehost.com/cgi/info/terms.html|
|Dreamhost||$8.95||Does not offer services||Y||N||Green||dreamhost.com/acceptable-use-policy/|
|Virtual Road||Varies||Inform of DDoS, custom mitigation tech packages||N||N||Green||http://virtualroad.org/get-to-know-us/our-mission|
|AWS||$0 first year, pay per hr after||N||N||Green||aws.amazon.com/aup/|
|Rackspace||Pay per mb||Does not offer services||Y||Y||Red||www.rackspace.com/information/legal/websiteterms/|
* These are large webhosts that are unlikely to inform users of DDoS attack but whose infrastructure leaves them well-equipped to weather most such attacks.