Why Small Businesses Are Targets
There is a persistent myth that DDoS attacks only target large enterprises and financial institutions. The reality is that small businesses are increasingly targeted precisely because they lack the infrastructure and security teams that larger organizations maintain. A gaming server hosting 200 players, an e-commerce site running on a single VPS, a SaaS startup on shared hosting - these are all targets that attackers can take down with relatively small attacks that would barely register on enterprise infrastructure.
The motivations vary. Competitors use DDoS attacks to disrupt rivals during peak business hours. Extortionists send ransom demands threatening to take sites offline. Disgruntled users or ex-employees attack out of spite. And sometimes attacks are entirely opportunistic - automated tools scan for vulnerable targets and attack them to add to botnets or simply for the attacker's amusement.
According to industry data, over 40% of DDoS attacks in 2024 targeted organizations with fewer than 100 employees. The average attack duration was 45 minutes, and the average cost of downtime for a small business was estimated at $8,000 per hour in lost revenue and recovery expenses.
A Layered Protection Strategy
Effective DDoS protection does not require buying a single expensive solution. Instead, it works best as a series of layers, each adding resilience at a different point in your infrastructure stack.
Layer 1: Host-Level Hardening
These are free or nearly free steps that every server should implement regardless of budget:
- Enable SYN cookies: Prevents SYN flood attacks from exhausting your connection table. One sysctl setting: net.ipv4.tcp_syncookies = 1
- Tune connection tracking limits: Increase nf_conntrack_max to handle more concurrent connections before the tracking table fills up.
- Rate-limit new connections with iptables: Limit inbound connections per source IP to prevent any single attacker from monopolizing your resources. See our iptables SYN flood guide for specific rules.
- Disable unused services: Every open port is an attack surface. If you do not use UDP services, drop all inbound UDP except DNS responses.
- Keep software updated: Many application-layer DDoS techniques exploit known vulnerabilities in web servers, CMS platforms, and API frameworks.
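    # Essential sysctl hardening for DDoS resilience
    # Answer with SYN cookies when the SYN backlog overflows
    net.ipv4.tcp_syncookies = 1
    # Allow more half-open connections to queue
    net.ipv4.tcp_max_syn_backlog = 65535
    # Raise the cap on each listening socket's accept queue
    net.core.somaxconn = 65535
    # Allow reuse of TIME_WAIT sockets for new outgoing connections
    net.ipv4.tcp_tw_reuse = 1
    # Maximum tracked connections (needs the nf_conntrack module loaded)
    net.netfilter.nf_conntrack_max = 524288
    # Strict reverse-path filtering: drop packets whose source fails the route check
    net.ipv4.conf.all.rp_filter = 1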
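To confirm that a host actually runs with these values, the following added example (not from the original article or from Flowtriq) compares sysctl -a output against the baseline above. The min/eq comparison modes, the function names and the sample input are assumptions of this example.

```shell
#!/bin/sh
# Baseline from the sysctl block above, one row per key: key mode expected.
# "min" = live value must be at least this; "eq" = must match exactly
# (the min/eq split is an assumption of this example).
BASELINE='net.ipv4.tcp_syncookies eq 1
net.ipv4.tcp_max_syn_backlog min 65535
net.core.somaxconn min 65535
net.ipv4.tcp_tw_reuse eq 1
net.netfilter.nf_conntrack_max min 524288
net.ipv4.conf.all.rp_filter eq 1'

# audit_sysctl: reads "key = value" lines (sysctl -a format) on stdin, prints
# OK / LOW / DIFF / MISSING per baseline key, returns 1 if any key is not OK.
audit_sysctl() {
    BASELINE="$BASELINE" awk '
        {   # index the live settings by key, trimming blanks around "="
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            cur[k] = v
        }
        END {
            rows = split(ENVIRON["BASELINE"], row, "\n")
            for (i = 1; i <= rows; i++) {
                split(row[i], f, " "); key = f[1]; mode = f[2]; want = f[3]
                if (!(key in cur))                                 st = "MISSING"
                else if (mode == "min" && cur[key] + 0 < want + 0) st = "LOW"
                else if (mode == "eq" && cur[key] != want)         st = "DIFF"
                else                                               st = "OK"
                if (st != "OK") bad = 1
                printf "%-7s %s (want %s %s, have %s)\n", st, key, mode, want,
                       (key in cur) ? cur[key] : "unset"
            }
            exit bad + 0
        }'
}

# Constructed sample (not a real host): nf_conntrack is not loaded, so its
# key is absent from the output, and rp_filter is in loose mode (2).
sample_sysctl() {
    cat <<'EOF'
net.core.somaxconn = 4096
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
EOF
}
sample_sysctl | audit_sysctl || echo "baseline not met"
```

On a live host, run it as: sysctl -a 2>/dev/null | audit_sysctl. A MISSING result for nf_conntrack_max means the conntrack module is not loaded, so that line of the hardening file has not taken effect.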
Layer 2: DNS and CDN Protection
Moving your DNS to a provider with built-in DDoS protection (like Cloudflare, AWS Route 53, or Google Cloud DNS) protects against DNS-targeted attacks. For web traffic, placing a CDN or reverse proxy in front of your origin server absorbs volumetric attacks at the edge before they reach your infrastructure.
Cloudflare's free plan includes basic DDoS protection and is a reasonable first step for small businesses. However, free-tier protection has limitations - it primarily handles volumetric attacks and may not protect non-HTTP services like game servers, VoIP, or custom TCP applications.
Layer 3: DDoS Detection and Alerting
Protection without detection is incomplete. You need to know when an attack is happening, what type it is, and whether your protection layers are handling it. This is where purpose-built detection tools come in.
Flowtriq was designed with small teams in mind. At $9.99/mo per node, it provides the same per-second detection and attack classification that enterprises rely on. You get instant alerts via Slack, Discord, PagerDuty, or email so you can respond immediately, even with a team of one.
The most dangerous DDoS attack is the one you do not know about. Many small businesses have experienced attacks that degraded their service for hours without anyone realizing the cause. Detection turns invisible outages into actionable incidents.
Layer 4: ISP and Hosting Provider Capabilities
Your hosting provider and ISP are your first line of defense for large volumetric attacks. Before an attack happens, understand what your provider offers:
- Does your provider offer any DDoS mitigation? Many VPS providers include basic null-routing or traffic scrubbing.
- What is the process for requesting emergency mitigation during an attack? Do you need to open a support ticket, or is there a hotline?
- Does your provider support BGP blackhole communities? This allows you to signal specific IP prefixes for blackholing during an attack.
- What are the bandwidth overage policies? Some providers charge for DDoS traffic, while others exclude it from billing.
Budget-Friendly Protection Stack
Here is a practical protection stack for a small business spending under $50/month:
- Cloudflare free tier ($0/mo) - CDN caching and basic DDoS protection for HTTP/HTTPS traffic.
- Host-level hardening ($0/mo) - sysctl tuning, iptables rules, SYN cookies. See our guides for specific configurations.
- Flowtriq detection ($9.99/mo per node) - Per-second DDoS detection, attack classification, PCAP forensics, and multi-channel alerts.
- DNS hardening ($0/mo with Cloudflare) - Move DNS to a provider with anycast infrastructure and built-in DDoS protection.
Total cost: under $15/mo for a single server. This gives you edge protection for web traffic, host-level resilience, second-by-second detection, and automatic alerts. For most small businesses, this stack provides meaningful protection against the majority of attacks they will face.
Annual pricing: Flowtriq's annual plan is $7.99/mo per node (20% savings). For a small business monitoring 3 servers, that is $23.97/mo for comprehensive DDoS detection across your entire infrastructure.
Creating an Incident Response Plan
Even with good protection, attacks will occasionally succeed. Having a documented plan ensures your team responds effectively rather than scrambling during a crisis. Your plan should cover:
- Who gets notified and how (set up Flowtriq alert channels for this)
- First-response firewall rules to apply during different attack types
- Contact information for your hosting provider's emergency support
- Criteria for escalating to your ISP or a mitigation provider
- Communication templates for notifying customers about service disruptions
For a detailed incident response framework, see our DDoS incident response playbook.
Getting Started
Start with the free steps: harden your server configuration, set up proper firewall rules, and move DNS behind a provider with DDoS protection. Then add detection with Flowtriq to ensure you know about attacks the moment they start. A free 7-day trial gives you time to see how detection works for your specific traffic patterns.