How to protect against a DDoS attack
DDoS attacks are on the up - here's how to fight back
The distributed denial of service (DDoS) attack has become one of the most popular, and most effective, methods cyber criminals use to disrupt the activities of a target business.
The technique, which can be utilised by everyone from so-called 'script kiddies' to professional hackers, involves bombarding a target website or server with traffic from many sources at once (typically a botnet of compromised machines) until it buckles under the strain.
Every time a computer visits a website, it requests access to that site's content. A DDoS attack exploits this by sending more requests, or simply more packets, than the server, its firewall or its internet link can cope with at any given time. The result is either long delays for legitimate users requesting content, or a server that stops responding altogether.
Given how little skill the attack requires and how hard it is to stop once it is under way, DDoS remains an effective and popular tool for taking websites down.
According to a report by NexusGuard, for example, DDoS attacks increased by 542% in the first quarter of 2020 compared to the previous quarter, as attackers took advantage of the COVID-19 pandemic to target organisations whose staff had suddenly become dependent on remote services.
The largest DDoS attack recorded up to that point also occurred during the coronavirus crisis. The attack, which was absorbed by Amazon Web Services (AWS), peaked at 2.3 Tbits/sec, 44% larger than anything the company had recorded previously. This dwarfs earlier record-breaking attacks, such as the 1.35 Tbits/sec attack on GitHub in February 2018 and the attack on the DNS provider Dyn in October 2016. The latter took down some of the world's most popular sites, including Netflix, Spotify and Amazon, because their domain names could no longer be resolved.
It's not just the big-name players on the internet who are at risk from DDoS attacks, either. According to research from Kaspersky Lab, 27% of businesses caught up in such an incident think they were collateral damage, rather than being the intended target. This reiterates the need for all organisations to know how to protect themselves from a DDoS attack.
Short of fully over-provisioning, simple things such as keeping spare bandwidth headroom can absorb traffic spikes, including the opening stages of a DDoS attack, and give you time to both recognise the attack and react to it.
It's also worth putting in place other basic safeguards that can gain you a few precious minutes: rate limiting at your border router or firewall, filters that drop obviously spoofed or malformed packets, and lower drop thresholds for ICMP, SYN and UDP floods. None of these will stop a large volumetric attack on its own, but all of them buy time to find help.
DDoS response planning
The first thing every organisation should do when suspecting a DDoS attack is confirm that it actually is one. From the outside, an outage looks much the same whether the cause is a flood, a DNS error or an upstream routing problem; once you've ruled the latter two out, your DDoS response plan can kick in.
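The confirmation step above in working form, as an added example that is not part of the original article: a small POSIX shell script whose flood_sources() counts requests per source per second in a web server access log (a constructed sample is embedded so it runs offline), and whose live_triage() runs the checks that separate a flood from a DNS or routing failure. The hostname, the threshold and the log path are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not code from the article. flood_sources() reads a combined-format
# access log on stdin; live_triage() is guarded so that missing tools are skipped.

# Constructed sample log: 10 requests, 7 of them from one source inside the same
# second; the other three are ordinary browsing from two other clients.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2020:14:02:01 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.33 - - [10/Mar/2020:14:02:02 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2020:14:02:03 +0000] "GET /contact HTTP/1.1" 200 900
203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2020:14:02:01 +0000] "GET / HTTP/1.1" 200 512'

# Requests per (source, second), read from stdin. Prints "count ip timestamp" for
# every pair at or above the threshold, busiest first. A source hammering the same
# URL many times a second is a flood; a DNS or routing outage shows the opposite
# picture, a log that simply goes quiet.
flood_sources() {
  threshold="$1"
  awk -v t="$threshold" '
    { split($4, ts, ":")                          # $4 is [dd/Mon/yyyy:HH:MM:SS
      sec = substr(ts[1], 2) ":" ts[2] ":" ts[3] ":" ts[4]
      n[$1 " " sec]++ }
    END { for (k in n) if (n[k] >= t) printf "%d %s\n", n[k], k }
  ' | sort -rn
}

# Live checks: does our name still resolve, how many half-open connections are we
# holding, and is the path to us losing packets before it reaches us? Each check is
# skipped when its tool is not installed. The hostname is an assumption.
live_triage() {
  host="${1:-www.example.com}"
  if command -v dig >/dev/null 2>&1; then
    echo "== DNS: does $host still resolve? (empty answer = DNS problem, not DDoS) =="
    dig +short "$host" || true
  fi
  if command -v ss >/dev/null 2>&1; then
    echo "== half-open (SYN_RECV) connections: $(ss -Htan state syn-recv | wc -l) =="
    echo "== established connections:         $(ss -Htan state established | wc -l) =="
  fi
  if command -v mtr >/dev/null 2>&1; then
    echo "== path to $host (loss at an upstream hop = routing problem, not DDoS) =="
    mtr -rwc 5 "$host" || true
  fi
}

# Usage:  sh triage.sh                                -> analyse the embedded sample
#         ACCESS_LOG=/var/log/nginx/access.log sh triage.sh   -> analyse a real log
#         sh triage.sh live www.example.com           -> run the live checks
if [ "${1:-}" = "live" ]; then
  live_triage "${2:-}"
elif [ -n "${ACCESS_LOG:-}" ]; then
  flood_sources "${THRESHOLD:-50}" < "$ACCESS_LOG"
else
  printf '%s\n' "$SAMPLE_LOG" | flood_sources "${THRESHOLD:-5}"
fi
```

On the sample, the script reports 203.0.113.7 as the only source exceeding five requests in a second. The practical reading is: a rising SYN_RECV count together with a handful of sources dominating the log is a flood; a resolution failure or loss at an upstream hop while the log stays flat is the DNS or routing problem the text tells you to rule out first.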
What should be in that response plan? Contact the relevant members of your incident response team, including the leads of the application and operations teams, as both are likely to be affected.
Then contact your ISP, but don't be surprised if it black-holes your traffic. A DDoS attack costs the ISP money, so null-routing packets before they reach your servers is often its default option, even though that takes you offline just as surely as the attack itself. It may offer to divert your traffic through a third-party scrubbing network instead; these filter out attack packets and only allow clean traffic to reach you.
Be warned, this emergency arrangement is likely to cost far more than having contracted a scrubbing provider or content delivery network (CDN) in advance, on a subscription basis, to monitor traffic patterns and scrub attack traffic.
Ensure the limited network resources available to you are prioritised, and make this a financially driven exercise, as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is exactly the kind of thing that should be in it, so that these decisions aren't being taken on the fly and under time pressure. There's no point giving every client equal access to high-value applications: allowlist your most trusted partners and your remote employees connecting over VPN so that they get priority.
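Both the basic safeguards described earlier (rate limiting, dropping spoofed or malformed packets, low drop thresholds for ICMP, SYN and UDP floods) and the prioritisation of trusted partners and VPN users described here fit into a single nftables ruleset. The script below is an added example, not configuration from the article or from any vendor; the interface name, the trusted ranges, the service ports and every numeric threshold are assumptions to adapt to your own network.

```shell
#!/bin/sh
# Added example, not code from the article: an nftables ruleset plus a few sysctls
# for a Linux border host. Everything marked "assumed" must be adapted.

WAN_IF="${WAN_IF:-eth0}"                                  # assumed public interface
TRUSTED="${TRUSTED:-198.51.100.0/24, 203.0.113.10}"       # constructed partner range + VPN concentrator
SERVICE_PORTS="${SERVICE_PORTS:-80, 443}"                 # assumed public services
SYN_RATE="${SYN_RATE:-500/second}"                        # assumed new-connection ceiling

# Emit the ruleset as text so it can be reviewed or diffed before it is loaded.
build_ruleset() {
  cat <<EOF
table inet ddos_guard
flush table inet ddos_guard
table inet ddos_guard {
  set trusted {
    type ipv4_addr
    flags interval
    elements = { $TRUSTED }
  }

  chain input {
    type filter hook input priority filter; policy accept;

    # 1. Priority: trusted partners and the VPN concentrator bypass every
    #    limit below, so high-value users keep working while low-value
    #    traffic is shed.
    iifname "$WAN_IF" ip saddr @trusted accept

    # 2. Cheap filters: private or bogon sources arriving on the WAN side are
    #    spoofed, impossible TCP flag combinations are malformed, and
    #    conntrack-invalid packets belong to no real flow.
    iifname "$WAN_IF" ip saddr { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 } drop
    tcp flags & (fin|syn) == (fin|syn) drop
    tcp flags & (syn|rst) == (syn|rst) drop
    ct state invalid drop
    ct state established,related accept

    # 3. Lower drop thresholds for SYN, UDP and ICMP floods. Only packets
    #    over the rate are dropped, so normal traffic is untouched. The UDP
    #    rule assumes this host offers no UDP service of its own; replies to
    #    its own queries were already accepted as established above.
    tcp flags & (syn|ack) == syn tcp dport { $SERVICE_PORTS } limit rate over $SYN_RATE burst 1000 packets drop
    meta l4proto udp limit rate over 200/second drop
    icmp type echo-request limit rate over 10/second drop
    icmpv6 type echo-request limit rate over 10/second drop
  }
}
EOF
}

# Kernel-side SYN flood defences to pair with the ruleset (sysctl.conf syntax):
# SYN cookies keep the backlog from filling, fewer SYN-ACK retries expire
# half-open entries sooner, and strict reverse-path filtering drops more spoofs.
sysctl_hardening() {
  cat <<EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
EOF
}

# Load the ruleset atomically (nft -f - reads it from stdin) and set the sysctls.
apply_ruleset() {
  if [ "$(id -u)" -ne 0 ] || ! command -v nft >/dev/null 2>&1; then
    echo "apply_ruleset: needs root and the nft binary; nothing applied" >&2
    return 1
  fi
  build_ruleset | nft -f -
  sysctl_hardening | tr -d ' ' | xargs -n1 sysctl -w
}

# Usage:  sh ddos-guard.sh          -> print the ruleset for review
#         sudo sh ddos-guard.sh apply -> load it and set the sysctls
if [ "${1:-}" = "apply" ]; then apply_ruleset; else build_ruleset; fi
```

Rule order is the point: the trusted accept comes before every drop and limit, so the partners and VPN users you decided on in the plan are never caught by the thresholds, while everything else is subject to them. None of this helps once your uplink itself is saturated; that traffic has to be absorbed upstream by the ISP or a scrubbing provider.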
Multi-vector DDoS protection
Multi-vector attacks, such as a DDoS used to hide a data exfiltration attempt, are notoriously difficult to defend against. It's all too easy to say that you must prioritise protecting the data, but the smokescreen DDoS is still a very real attack on your business and has to be handled at the same time.
Whatever the motivation, all DDoS attacks should be met with layered defences: a CDN or scrubbing service to absorb volumetric attacks, with web application firewalls and gateway appliances handling the application-layer and protocol attacks that get through. Bear in mind that an on-premise appliance cannot help once your internet link itself is saturated; that traffic has to be dealt with upstream. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
For businesses particularly exposed to DDoS attacks, such as enterprises and larger organisations, investing in a mitigation service, or at the very least assessing the available options, is worth the time.
Cloudflare runs perhaps the best-known such service, providing DDoS protection for a number of high-profile organisations including WikiLeaks, and has helped mitigate several high-profile attacks; the WireX botnet and the Spamhaus attack of 2013 are the best examples.
There are many alternatives in the field of DDoS protection, and many network and application delivery optimisation firms also offer DDoS mitigation. The WireX botnet, for example, was taken down through a collaboration between a number of companies, including Cloudflare but also RiskIQ, Flashpoint, Team Cymru and Google.
Other companies in this camp include Akamai, NETSCOUT Arbor, F5 Networks, Imperva and Verisign, alongside a number of options that perhaps don't have the profile of that group, including Neustar, DOSarrest and ThousandEyes.
A handful of these providers also offer what is known as emergency coverage, which can be purchased while a DDoS attack is already in progress to protect the business and its services from the worst of the wave. Others require a longer-term contract before they will arrange mitigation.
Organisations already using other products from these companies may want to add DDoS protection to the overall package. Those using a different network optimisation provider should check what DDoS protection it offers and what it would cost. ISPs may also offer some form of DDoS mitigation, especially emergency cover, but it may not be as comprehensive as the options from specialist companies.