How to stop a DDoS attack

Of all the ways a hacker can disrupt a business, a DDoS attack is arguably the most annoying. DDoS stands for distributed denial of service, and it has become very popular with cybercriminals looking to infiltrate, or merely disrupt, businesses.

What's more, attacks can be launched by anyone, from novice hackers to seasoned pros, and carried out remotely. The tools are easily deployed and widely available. It's a case of simply bombarding a targeted website with artificial traffic until it crashes. When a computer visits a website, it requests access to the content of the site; a DDoS attack exploits this by sending more requests than the server can cope with at once. The attack clogs up the system, causing long delays or even the complete failure of the server.

DDoS attacks are on the rise

The sad fact of life for many organisations is that DDoS attacks are increasing. In the first half of 2020, DDoS attacks increased by a whopping 542%, according to NexusGuard.

The largest DDoS attack recorded so far took place in 2017: Google revealed that its infrastructure absorbed a 2.5Tbps distributed denial of service (DDoS) attack that year, the largest ever recorded in terms of sheer volume. This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier.

In 2018, Amazon Web Services (AWS) reportedly blocked an attack that measured 2.3Tbits/sec. This, it said, was 44% larger than anything it had dealt with before.

But it's not just the big-name players on the internet who are at risk from DDoS attacks. According to Kaspersky Lab, 27% of businesses caught up in such an incident think they were collateral damage rather than the intended target. This reiterates the need for all organisations to know how to protect themselves from a DDoS attack.

In the UK, it has been calculated that DDoS attacks could cost the country almost £1 billion per year, according to Netscout's Worldwide Infrastructure Security Report.

While the cloud has been a boon to many, it has also been sadly useful to criminals. According to research by Link11's Security Operation Center (LSOC), the public cloud was used in a quarter of DDoS attacks in a year.

DDoS safeguarding

Rather than over-provisioning, simple things such as bandwidth buffering can absorb traffic spikes, including those associated with DDoS attacks, and give you time to both recognise the attack and react to it.

It's also probably worth putting in place other basic safeguards that can gain you a few precious minutes: rate-limiting your router, adding filters to drop obviously spoofed or malformed packets, and setting lower drop thresholds for ICMP, SYN, and UDP floods. All of these will buy you time to find help.

Familiarise yourself with your website's inbound traffic characteristics, too. The more you know about what looks normal, the easier it becomes to identify anomalous traffic and take action; in particular, you should be able to tell the difference between a sudden surge of genuine visitors and the start of a DDoS attack.
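As an added example (not code from the original article), the following Python script builds a baseline of what normal inbound web traffic looks like from access-log lines, then classifies a later window as normal, a flash crowd of genuine visitors, or a likely flood. It separates the two kinds of surge by shape rather than volume alone: a real crowd spreads across many sources with a normal error rate, while a flood concentrates on few sources or arrives as malformed requests. The simplified log format, the log lines and every threshold constant are constructed assumptions for this example.

```python
"""Baseline-and-anomaly check for inbound web traffic (added example).

Learns the normal request volume per window from known-good log windows,
then classifies a new window as 'normal', 'flash_crowd' or 'ddos'.
"""
from collections import Counter
import re
import statistics

# Assumed simplified log format for this example: <ip> "<METHOD> <path>" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Illustrative thresholds (assumptions; tune them against your own baseline).
SOURCE_SHARE_LIMIT = 0.20   # one source carrying more than 20% of a window
ERROR_RATE_LIMIT = 0.30     # more than 30% of requests answered with 4xx/5xx
MALFORMED_LIMIT = 0.10      # more than 10% of lines that are not parseable requests


def parse_window(lines):
    """Return (parsed requests, count of malformed lines) for one window."""
    reqs, malformed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reqs.append((m["ip"], m["path"], int(m["status"])))
        else:
            malformed += 1
    return reqs, malformed


def window_features(lines):
    """Volume and shape features of one window of log lines."""
    reqs, malformed = parse_window(lines)
    n = len(reqs)
    volume = n + malformed
    by_ip = Counter(ip for ip, _, _ in reqs)
    errors = sum(1 for _, _, status in reqs if status >= 400)
    return {
        "volume": volume,
        "sources": len(by_ip),
        "top_source_share": (by_ip.most_common(1)[0][1] / n) if n else 0.0,
        "error_rate": (errors / n) if n else 0.0,
        "malformed_share": (malformed / volume) if volume else 0.0,
    }


def build_baseline(windows):
    """Mean and spread of the per-window volume across known-good windows."""
    volumes = [window_features(w)["volume"] for w in windows]
    return {"mean": statistics.mean(volumes), "stdev": statistics.pstdev(volumes)}


def classify(baseline, lines, sigma=3.0):
    """'normal', 'flash_crowd' or 'ddos' for one window of log lines."""
    f = window_features(lines)
    ceiling = baseline["mean"] + sigma * baseline["stdev"]
    if f["volume"] <= ceiling:
        return "normal"
    flood_signs = (
        f["top_source_share"] > SOURCE_SHARE_LIMIT
        or f["error_rate"] > ERROR_RATE_LIMIT
        or f["malformed_share"] > MALFORMED_LIMIT
    )
    return "ddos" if flood_signs else "flash_crowd"


def make_lines(ips, paths, status=200):
    """Constructed log lines: one GET per ip, cycling through the given paths."""
    return [f'{ip} "GET {paths[i % len(paths)]}" {status}' for i, ip in enumerate(ips)]


# Constructed sample windows (documentation address ranges, not real traffic).
NORMAL_WINDOWS = [
    make_lines([f"10.0.0.{i}" for i in range(1, 9)], ["/", "/about", "/pricing"]),
    make_lines([f"10.0.0.{i}" for i in range(1, 11)], ["/", "/docs", "/login"]),
    make_lines([f"10.0.0.{i}" for i in range(1, 13)], ["/", "/blog", "/contact"]),
]
# A product launch: six times the usual volume, but spread over 60 distinct visitors.
FLASH_CROWD = make_lines([f"198.51.100.{i}" for i in range(1, 61)], ["/", "/launch", "/blog/release"])
# A flood: the same volume, but one source hammering "/" plus ten unparseable junk lines.
FLOOD = make_lines(["203.0.113.7"] * 50, ["/"]) + [f"203.0.113.{i} <<malformed>>" for i in range(8, 18)]

if __name__ == "__main__":
    baseline = build_baseline(NORMAL_WINDOWS)
    for name, window in (("normal", NORMAL_WINDOWS[1]), ("launch", FLASH_CROWD), ("flood", FLOOD)):
        print(f"{name:>7}: {classify(baseline, window)}  {window_features(window)}")
```

The baseline here is only a volume ceiling; in practice you would also record the normal source count, error rate and path mix so the shape thresholds can be derived from your own traffic rather than fixed constants.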

DDoS response planning

The first thing every organisation should do when suspecting a DDoS attack is to confirm it is actually happening. Once you've ruled out DNS errors or upstream routing problems, your DDoS response plan can kick in.

What should be in that response plan? Contact relevant members of your incident response team, including leads from applications and operations teams, as both are likely to be impacted.

Then contact your ISP, but don't be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.

Be warned: this is likely to be a more expensive emergency option than contracting such a content distribution network (CDN) in advance to monitor traffic patterns and scrub attack traffic on a subscription basis.

DDoS prioritisation

Ensure the limited network resources available to you are prioritised, and make this a financially driven exercise, as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?

This is the kind of thing that should be in it, so that these decisions aren't being taken on the fly and under time pressure. There's no point allowing everyone equal access to high-value applications: whitelist your most trusted partners and remote employees using VPN to ensure they get priority.
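As an added example (not the article's own code), here is a small Python admission filter that implements the prioritisation described above: allowlisted partner and VPN ranges are always served, the remaining capacity goes to high-value applications first, and low-value traffic is shed first when the per-window budget runs out. A per-source cap also stops a single untrusted address from consuming the whole budget just by targeting a high-value path. The trusted ranges, the path-to-priority map, the budget and the request data are all constructed assumptions.

```python
"""Priority-based admission under a fixed capacity budget (added example).

Each request is (source_ip, path). Trusted sources (partner ranges, the VPN
pool) get priority 0; everything else is ranked by the business value of
the path it asks for.
"""
import ipaddress
from collections import Counter

# Assumed allowlist: a partner's egress block and the corporate VPN pool.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.8.0.0/16")]
# Assumed business value by path prefix; lower number = served first.
PATH_PRIORITY = {"/checkout": 1, "/api/orders": 1, "/login": 2, "/blog": 4, "/static": 5}
DEFAULT_PRIORITY = 3


def priority_of(ip, path):
    """0 for allowlisted sources, otherwise the value class of the path."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in TRUSTED_NETS):
        return 0
    for prefix, prio in PATH_PRIORITY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return prio
    return DEFAULT_PRIORITY


def admit(requests, budget, per_source_cap=5):
    """Admit up to `budget` requests from one window.

    Lower priority numbers are served first; within a class, arrival order
    is kept. Untrusted sources are capped at `per_source_cap` admissions.
    Returns (admitted, shed), each in arrival order.
    """
    prios = [priority_of(ip, path) for ip, path in requests]
    ranked = sorted(range(len(requests)), key=lambda i: (prios[i], i))
    admitted_idx, per_source = set(), Counter()
    for i in ranked:
        if len(admitted_idx) >= budget:
            break
        ip, _ = requests[i]
        if prios[i] != 0 and per_source[ip] >= per_source_cap:
            continue  # an untrusted source has already had its share of this window
        per_source[ip] += 1
        admitted_idx.add(i)
    admitted = [requests[i] for i in sorted(admitted_idx)]
    shed = [requests[i] for i in range(len(requests)) if i not in admitted_idx]
    return admitted, shed


def shed_by_class(shed):
    """How much was sacrificed from each priority class (useful for the post-incident report)."""
    return Counter(priority_of(ip, path) for ip, path in shed)


# Constructed one-window sample: genuine customers, VPN staff, a partner,
# and two flood sources (documentation address ranges, not real traffic).
WINDOW = (
    [(f"198.51.100.{i}", "/checkout") for i in range(1, 5)]     # 4 customers paying
    + [("203.0.113.7", "/checkout")] * 20                         # flood aimed at a high-value path
    + [(f"10.8.1.{i}", "/blog") for i in range(1, 4)]             # 3 remote staff over VPN
    + [("192.0.2.10", "/api/orders")] * 2                          # partner integration
    + [(f"198.51.100.{i}", "/blog") for i in range(20, 23)]       # 3 casual readers
    + [("203.0.113.8", "/static/big.js")] * 10                     # flood aimed at a low-value path
)

if __name__ == "__main__":
    admitted, shed = admit(WINDOW, budget=15)
    print(f"admitted {len(admitted)}, shed {len(shed)}; shed by class: {dict(shed_by_class(shed))}")
```

With a budget of 15 for this window, all five trusted requests and all four genuine checkouts get through, the flood source on the checkout path is held to its five-request cap, one casual reader is served and the rest of the low-value and flood traffic is shed. The point of keeping the allowlist and the priority map in the response plan is exactly that these numbers are agreed before the incident, not invented during it.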

Multi-vector DDoS protection

Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It's all too easy to say that you must prioritise data protection, but the smokescreen DDoS remains a very real attack on your business.

The motivation behind a DDoS is irrelevant: all of them should be dealt with using layered DDoS defences. These should include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.

DDoS mitigation services

For businesses particularly susceptible to DDoS attacks, such as enterprises and larger organisations, investing in mitigation services, or at the very least assessing the available options, may be worth your time.

Cloudflare runs perhaps the best known of these services, providing DDoS protection for several high-profile organisations including WikiLeaks, and has worked to mitigate many high-profile attacks; the WireX botnet and the Spamhaus attack of 2013 are the best examples.

There are many alternatives in the field of DDoS protection services, and many network and application delivery optimisation firms also offer mitigation against DDoS attacks. The WireX botnet, for example, was taken down as a result of a collaboration between several companies, including Cloudflare, but also RiskIQ, Flashpoint, Team Cymru, and Google.

Other companies that fall into this camp include Akamai, NETSCOUT Arbor, F5 Networks, Imperva, and Verisign, alongside many other options that perhaps don't have the profile of the aforementioned group, including Neustar, DOSarrest, and ThousandEyes.

A handful of these providers also offer emergency coverage, as it’s known, which can be purchased when a DDoS attack is already in progress, to protect the business and its services against the worst elements of the wave. Others, meanwhile, require a longer-term contract when arranging mitigation for such attacks.

Businesses or organisations already using other products from these companies may also want to look at adding DDoS protection to the overall package. Those using another network optimisation company, besides the ones listed, should examine what DDoS protection options are on offer and how much they would cost. ISPs may also offer some form of DDoS mitigation, especially as emergency cover, but this may or may not be as comprehensive as the options provided by specialist companies.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.