Tutorials

How to protect against a DDoS attack

DDoS attacks are increasing - here's how to fight back

The distributed denial of service attack (DDoS) has become one of the most popular, and most effective, methods deployed by criminals to disrupt the activities of a target business.

The technique, which can be utilised by everyone from so-called 'script kiddies' and amateur coders to professional hackers, involves bombarding a target website or server with artificial traffic to the point that it buckles under the strain.

Every time a computer visits a website, it requests access to that site's content. A DDoS attack exploits this by sending more requests than a server can cope with at any given time. This can result in either long delays for other users requesting content, or a server completely failing.

Given the relatively crude nature of the attack and the fact that it's incredibly difficult to prevent or stop once discovered, DDoS continues to be an effective tool for taking down websites.

Advertisement
Advertisement - Article continues below

A criminal doesn't need to do much of the heavy lifting either, as there are a number of DDoS-for-hire groups operating on the dark web. These services have spent time spreading malware to devices across the world, which can then be mobilised as a visitor to a particular website or used to issue a server request.

While these types of attacks were normally done in isolation, and often in an attempt to tarnish the reputation of or cause financial damage to a particular company, they are often used today as a smokescreen to divert attention away from a far more serious hack.

The largest-ever DDoS attack on record was launched against GitHub in February 2018, although it only managed to knock the code repository offline for 10 minutes. Far greater disruption was caused during a smaller attack on the Dyn DNS server in 2016, which took down some of the world's most popular sites, including Netflix, Spotify and Amazon.

Both of these examples are also demonstrative of the way criminals are using new technologies and exploits to carry out DDoS attacks the Dyn attack is thought to have used an IoT-powered botnet, while the GitHub attack made use of poor authentication on memcached servers.

What's more, it's not just the big-name players on the internet who are at risk from DDoS attacks everyone is. According to March 2018 research from Kaspersky Lab, 27% of businesses caught up in such an incident think they were collateral damage, rather than being the intended target. This reiterates the need for all organisations to know how to protect themselves from a DDoS attack.

Back to basics

Rather than over-provisioning, simple things such as bandwidth buffering can allow for traffic spikes including those associated with DDoS attack and give you time to both recognise the attack and react to it.

It's also probably worth putting into place other basic safeguards that can gain you a few precious minutes: rate-limiting your router, adding filters to drop obvious spoofed or malformed packets and setting lower drop thresholds for ICMP, SYN and UDP floods. All these will buy you time to try and find help.

DDoS response planning

The first thing every organisation should do when suspecting a DDoS attack is confirm it actually happened. Once you've discounted DNS errors or upstream routing problems, then your DDoS response plan can kick in.

What should be in that response plan? Contact relevant members of your incident response team, including leads from applications and operations teams, as both are likely to be impacted.

Then contact your ISP, but don't be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.

Advertisement
Advertisement - Article continues below

Be warned, this is likely to be a more expensive emergency option than had you contracted such a content distribution network (CDN) to monitor traffic patterns and scrub attack traffic on a subscription basis.

Prioritise, sacrifice and survive

Ensure the limited network resources available to you are prioritised - make this is a financially driven exercise as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?

This is the kind of thing that should be in it, then these decisions aren't being taken on the fly and under time pressure. There's no point allowing equal access to high-value applications, whitelist your most trusted partners and remote employees using VPN to ensure they get priority.

Multi-vector attacks

Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It's all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.

The motivation behind a DDoS is irrelevant, they should all be dealt with using layered DDoS defences. These should include the use of a CDN to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.

DDoS mitigation services

It's worth considering investing in DDoS mitigation services if you're particularly likely to be a target of a DDoS attack (for example, if you're a large organisation) or at least knowing about what's out there, just in case.

One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.

Cloudflare isn't the only game in town, though and many network and application delivery optimisation firms offer DDoS mitigation services.

Other well-known brands include Akamai, F5 Networks, Imperva, NETSCOUT Arbor and Verisign. Less well-known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.

Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.

Advertisement
Advertisement - Article continues below

If you're already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it's worth seeing if it offers DDoS protection and how much it would cost. As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it's worth seeing quite how comprehensive this would be beforehand, as well as the processes involved and how much it will cost.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019
Visit/email-clients/19598/hotmail-outlookcom-upgrades-your-questions-answered
Software

Hotmail.co.uk migration to Outlook.com: Qs answered

11 Nov 2019
Visit/careers/28219/it-manager-job-description-what-does-an-it-manager-do
Careers & training

IT manager job description: What does an IT manager do?

28 Oct 2019
Visit/business-strategy/31780/the-it-pro-panel
Business strategy

The IT Pro Panel

28 Oct 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019