DDoS Protection for Donegal Businesses: How Cloudflare Stops Attacks

DDoS attacks can take your booking system offline for hours, costing thousands. Cloudflare's free plan stops these attacks automatically before they reach your server.

When a Donegal hotel's website went offline at 11am on a Saturday morning in August, the timing could not have been worse. Bank holiday weekend, the peak of the summer season, and every table in the restaurant and every room in the hotel was available to book online. Forty-five minutes of downtime cost an estimated €4,500 in direct lost bookings — the guests who hit an error page and booked somewhere else. The cause was a DDoS attack: someone had flooded the hotel's web server with fake traffic until it collapsed under the load. The hotel's hosting provider took the server offline entirely to protect other customers. The hotel had no DDoS protection, no CDN, and no fallback. The attack itself cost nothing for the attacker to launch. The defence would have cost nothing either — Cloudflare's free plan would have absorbed it automatically.

A Distributed Denial of Service attack is when an attacker sends massive volumes of fake traffic to your web server, overwhelming its capacity to handle legitimate requests. Your server effectively locks up under the artificial load, and real customers get errors or timeouts. For businesses that depend on online bookings, reservations, or e-commerce, the downtime translates directly to lost revenue and, in competitive markets, to customers who do not come back.

WHAT: Who Actually Attacks Small Business Websites in Ireland

The assumption that DDoS attacks are reserved for large banks or government websites is wrong and has cost Irish SMEs significant money. Small businesses are targeted for several reasons. They typically have less protection, making them easier targets. Competitors or disgruntled former employees occasionally use DDoS tools — which are available cheaply on criminal marketplaces — to disrupt a rival's business during peak periods. Criminal groups targeting hospitality businesses use DDoS attacks as a distraction or as leverage: take the booking system down and demand payment to stop. And automated DDoS tools will target any server with a web presence, without any specific targeting decision by a human operator.

NCSC Ireland has noted an increase in DDoS incidents affecting Irish organisations of all sizes, with small and medium businesses increasingly represented in reported incidents.[^1] An Garda Síochána's National Cyber Crime Bureau receives reports of extortion-linked DDoS attacks against Irish hospitality businesses every season.[^2]

DDoS attacks come in three main forms. Volumetric attacks flood your server with raw traffic — packets or bytes — until it runs out of capacity. Protocol attacks exploit weaknesses in network protocols to consume server resources with a much smaller traffic volume. Application attacks target your web application directly, sending requests to computationally expensive endpoints until the server runs out of capacity to process them. Booking forms and availability search functions are common targets for application-layer DDoS against hospitality sites.
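To show what an application-layer flood against a booking or availability endpoint looks like from the server's side, here is an added detection sketch (not from the original article) that scans web access logs for clients hammering expensive endpoints. The endpoint paths, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed paths of the computationally expensive endpoints on a hospitality site.
EXPENSIVE_PREFIXES = ("/booking", "/availability")

# Common Log Format: ip - - [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+')

def parse(line):
    """Return (ip, timestamp, path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path")

def flag_floods(lines, window_seconds=10, threshold=20):
    """Return {ip: peak request count} for clients that exceed `threshold`
    requests to expensive endpoints inside any sliding window.
    Lines are assumed to be in chronological order, as in a normal access log."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[2].startswith(EXPENSIVE_PREFIXES):
            continue              # skip malformed lines and cheap pages
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample: one client flooding the search, one normal guest."""
    fmt = '{ip} - - [03/Aug/2024:11:00:{s:02d} +0100] "GET {path} HTTP/1.1" 200 512'
    flood = [fmt.format(ip="203.0.113.50", s=i // 5, path="/availability?nights=2")
             for i in range(60)]  # 5 requests per second for 12 seconds
    guest = [fmt.format(ip="198.51.100.7", s=s, path=p)
             for s, p in ((1, "/"), (9, "/availability?nights=2"), (40, "/booking"))]
    return flood + guest

if __name__ == "__main__":
    print(flag_floods(constructed_log()))
```

A per-address counter like this only catches floods from a small number of sources; traffic spread across many addresses needs the network-level filtering described in the next section.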

WHAT NOW: How Cloudflare Stops DDoS Attacks

Cloudflare operates a global network with data centres in over 200 cities worldwide. When you route your domain through Cloudflare, all traffic to your website passes through this network first. That positioning gives Cloudflare three capabilities that are unavailable to a standard web hosting provider.

The first is scale. Cloudflare's network can absorb traffic volumes that would destroy any individual web server. When a DDoS attack hits, the malicious traffic is distributed across Cloudflare's global infrastructure and absorbed before it reaches your origin server. Your server continues to operate normally. Legitimate visitors continue to access your site. The attack fails because it cannot reach anything that can be overwhelmed.

The second is real-time analysis. Cloudflare analyses every request passing through its network, comparing it against known attack signatures, behavioural patterns, and threat intelligence gathered from across its entire customer base. An attack pattern identified on one customer's site is immediately applied to the protection of all other customers. This shared intelligence means that new attack techniques are identified and blocked faster than any individual security tool could manage.

The third is automatic mitigation. On Cloudflare's free plan, DDoS protection is always-on and requires no configuration. There is no threshold to set, no policy to write, and no action required when an attack begins. Cloudflare detects and mitigates automatically. For businesses without dedicated IT staff, this automatic protection model is essential — there is no human intervention required during an attack.

The Data Protection Commission expects businesses that handle personal data online — which includes any hotel or restaurant accepting bookings — to implement appropriate technical measures to ensure availability and integrity of their systems.[^3] DDoS protection directly addresses the availability requirement.

WHY IT MATTERS: Quantifying the Cost of Downtime

The financial impact of website downtime for a Donegal hotel or restaurant is straightforward to estimate. If a hotel generates €2,000 per day in online bookings and its site is offline for four hours during peak booking time, the direct revenue loss is approximately €330 to €500. If the attack happens on a Friday or Saturday evening, or during a bank holiday weekend, the losses are higher and the reputational damage compounds the financial impact.

Beyond direct booking losses, there is the impact on customer trust. A guest who visits your site and finds it unavailable will go elsewhere immediately. Whether they return is uncertain. For small Donegal properties competing with larger chains that have enterprise-level infrastructure, a reputation for website reliability matters.

The cost of Cloudflare's protection: zero on the free plan, €20 per month on the Pro plan. The cost of an hour of DDoS-driven downtime: typically between €100 and €1,000 for a small hospitality business, depending on the time and season. The return on investment of basic DDoS protection is immediate.

A DDoS attack costs the attacker almost nothing. The free tools available to stop it cost your business nothing either. The businesses that absorb the losses are the ones that simply never set it up.

WHAT NEXT: Three Actions to Take This Week

  1. Sign up for Cloudflare's free plan at cloudflare.com and add your domain. The sign-up process is straightforward. You will be asked to add your domain, after which Cloudflare scans your existing DNS records and imports them. The only technical step is updating your domain's nameservers to point to Cloudflare — your domain registrar's control panel handles this.

  2. Once your domain is on Cloudflare, navigate to the Security settings and confirm that DDoS protection is set to "High" rather than the default. Check that the WAF is enabled. Verify that SSL is set to "Full (Strict)" if your hosting server has a valid certificate, or "Flexible" if it does not.

  3. Test your site's availability using a free uptime monitoring service. Tools like UptimeRobot send you an alert the moment your site becomes unavailable, giving you immediate visibility into any future incident. This is your warning system for any downtime — DDoS-related or otherwise.
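A check worth running after step 1, given as an added example that is not part of the original article: Cloudflare can only absorb traffic for DNS records that resolve to its network, so any hostname that still resolves to your hosting server's own address is unprotected. The address ranges below are a snapshot of Cloudflare's published IPv4 ranges (assumption: refresh them from Cloudflare's published list before relying on the result), and the hostnames and addresses in the sample are constructed.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 ranges (assumed current; refresh before use).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare_ip(addr):
    """True if the IPv4 address falls inside one of the ranges above."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)

def unproxied_hosts(records):
    """records: {hostname: [IPv4 strings]}. Return the hostnames with at least
    one address outside Cloudflare, i.e. records that bypass its protection."""
    return sorted(host for host, addrs in records.items()
                  if any(not is_cloudflare_ip(a) for a in addrs))

def resolve(hostnames):
    """Live lookup for your own domain (needs network access)."""
    out = {}
    for host in hostnames:
        try:
            infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
            out[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[host] = []        # hostname does not resolve
    return out

# Constructed sample: the main site is proxied, the booking subdomain was
# imported as a DNS-only record and still points at the hosting server.
CONSTRUCTED_RECORDS = {
    "hotel.example": ["104.21.5.10", "172.67.130.4"],
    "www.hotel.example": ["104.21.5.10"],
    "booking.hotel.example": ["192.0.2.44"],
}

if __name__ == "__main__":
    print(unproxied_hosts(CONSTRUCTED_RECORDS))
```

To check a real domain, pass `resolve([...])` with your own hostnames to `unproxied_hosts` and switch any web hostname it reports to proxied in the Cloudflare DNS settings.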

[^1]: NCSC Ireland. Advice for Organisations. https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána. Cyber Crime. https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission. Guidance for Organisations. https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.