How to stop a DDoS attack
DDoS attacks are on the up - here's how to fight back
Of all the ways a hacker can disrupt a business, a DDoS attack is arguably the most annoying. In August, students at Myerscough College in Lancashire were unable to access their exam results and staff had to resort to working offline following a DDoS attack.
DDoS stands for distributed denial of service, and the technique has become very popular with cyber criminals looking to disrupt a business, or to keep its defenders busy while something else happens. Google reportedly blocked a 2.5Tbps DDoS attack in 2017, just to give you an example of how big they can be.
What's more, virtually anyone can launch one, from novice hackers to seasoned pros: the tools are widely available and easily deployed. The idea is simple. When a computer visits a website, it sends requests for the site's content and the server spends resources answering each one. A DDoS attack abuses this by having many machines, typically a botnet of compromised devices, send far more requests than the server can cope with at once. The flood clogs up the system, causing long delays for genuine visitors or the complete failure of the server.
Once it has started it is incredibly difficult to stop, making DDoS one of the most effective forms of attack. In the first half of 2020, DDoS attacks increased by a whopping 542%, according to a report from NexusGuard.
One of the largest DDoS attacks ever recorded hit Amazon Web Services (AWS) in February 2020: it reportedly blocked an attack that peaked at 2.3Tbits/sec, which it said was 44% larger than anything it had dealt with before.
It's not just the big-name players on the internet who are at risk from DDoS attacks, either. According to research from Kaspersky Lab, 27% of businesses caught up in such an incident think they were collateral damage, rather than being the intended target. This reiterates the need for all organisations to know how to protect themselves from a DDoS attack.
Even short of full over-provisioning, simple things such as keeping bandwidth headroom (a buffer above your normal peak) can absorb traffic spikes, including those at the start of a DDoS attack, and give you time to both recognise the attack and react to it.
It's also worth putting in place other basic safeguards that can gain you a few precious minutes: rate-limiting at your router or edge firewall, adding filters to drop obviously spoofed or malformed packets, and setting lower drop thresholds for ICMP, SYN and UDP floods. None of these will stop a large attack on its own, but all of them buy time to find help.
DDoS response planning
The first thing every organisation should do when it suspects a DDoS attack is confirm that one is actually happening. Slow or unreachable services have other causes; once you've ruled out DNS errors or upstream routing problems, your DDoS response plan can kick in.
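As an added example (not from the original article), here is a small shell triage that implements the "confirm it" step for the most common volumetric case, a SYN flood. It reads `ss -tan`-style socket output and reports how many connections are half-open (SYN-RECV) versus established, and which sources are responsible. The socket table below is constructed for the example, not a real capture, and the verdict thresholds are assumed placeholders to be tuned against your own baseline.

```shell
#!/bin/sh
# Added triage example (not from the original article). Checks whether a
# server's TCP socket table looks like a SYN flood: many half-open (SYN-RECV)
# sockets from a handful of sources, dwarfing established connections.

# Constructed sample of `ss -tan` output (not a real capture); 203.0.113.10
# is the web server, 198.51.100.x are the attacking sources.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
SYN-RECV  0      0      203.0.113.10:443    198.51.100.7:51000
SYN-RECV  0      0      203.0.113.10:443    198.51.100.7:51001
SYN-RECV  0      0      203.0.113.10:443    198.51.100.7:51002
SYN-RECV  0      0      203.0.113.10:443    198.51.100.9:60210
SYN-RECV  0      0      203.0.113.10:443    198.51.100.9:60211
SYN-RECV  0      0      203.0.113.10:443    198.51.100.23:4402
ESTAB     0      0      203.0.113.10:443    192.0.2.55:40001
ESTAB     0      0      203.0.113.10:443    192.0.2.56:40002
LISTEN    0      511    0.0.0.0:443         0.0.0.0:*'

# Number of sockets in the given TCP state (column 1); header line skipped.
count_state() {
    awk -v s="$1" 'NR > 1 && $1 == s { n++ } END { print n + 0 }'
}

# Share of half-open sockets among SYN-RECV + ESTAB, as a whole percentage.
half_open_pct() {
    awk 'BEGIN { h = 0; e = 0 }
         NR > 1 && $1 == "SYN-RECV" { h++ }
         NR > 1 && $1 == "ESTAB"    { e++ }
         END { t = h + e; print (t ? int(100 * h / t) : 0) }'
}

# Sources with the most half-open connections, "count ip" per line, busiest
# first. The source port is stripped so one host's many ports aggregate.
top_syn_peers() {
    awk 'NR > 1 && $1 == "SYN-RECV" { sub(/:[^:]*$/, "", $5); c[$5]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "${1:-5}"
}

# Verdict: SYN-FLOOD when at least $2 half-open sockets exist (default 5)
# and they make up at least $1 percent (default 50) of SYN-RECV + ESTAB.
# Both thresholds are assumed placeholders; tune them to your own baseline.
syn_flood_verdict() {
    awk -v pct="${1:-50}" -v min="${2:-5}" '
        BEGIN { h = 0; e = 0 }
        NR > 1 && $1 == "SYN-RECV" { h++ }
        NR > 1 && $1 == "ESTAB"    { e++ }
        END {
            t = h + e
            share = (t ? 100 * h / t : 0)
            v = (h >= min && share >= pct) ? "SYN-FLOOD" : "NORMAL"
            print v
        }'
}

# One-screen report over a socket table passed as a string.
report() {
    data=$1
    printf 'half-open=%s established=%s half-open-share=%s%% verdict=%s\n' \
        "$(printf '%s\n' "$data" | count_state SYN-RECV)" \
        "$(printf '%s\n' "$data" | count_state ESTAB)" \
        "$(printf '%s\n' "$data" | half_open_pct)" \
        "$(printf '%s\n' "$data" | syn_flood_verdict)"
    printf '%s\n' "$data" | top_syn_peers 3
}

# Stand-alone run on the constructed sample. On a real host use:
#   report "$(ss -tan)"
report "$SAMPLE_SS"
```

Two caveats when reading the output on a live host. Once the listen backlog fills and SYN cookies kick in, the kernel stops queueing SYN-RECV entries, so a quiet socket table does not rule out a flood; check the counters with `nstat -az | grep -i syncookies` as well. And if both the half-open count and the packet rate are unremarkable while users still cannot reach you, the problem is more likely DNS or an upstream routing fault than a DDoS, which is exactly the distinction the response plan needs you to make first.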
What should be in that response plan? Contact relevant members of your incident response team, including leads from applications and operations teams, as both are likely to be impacted.
Then contact your ISP, but don't be surprised if it black-holes your traffic. A DDoS attack costs it money, so null routing packets before they arrive at your servers is often the default option. It may offer to divert your traffic through a third-party scrubber network instead; these filter attack packets and only allow clean traffic to reach you.
Be warned, this is likely to be a far more expensive emergency option than contracting a scrubbing provider or content delivery network (CDN) in advance, on a subscription basis, to monitor traffic patterns and scrub attack traffic.
Ensure the limited network resources available to you are prioritised; make this a financially driven exercise, as it helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is exactly the kind of thing that should be in it, so these decisions aren't being taken on the fly and under time pressure. There's no point allowing everyone equal access to high-value applications: whitelist your most trusted partners and remote employees connecting over VPN so they get priority.
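The basic safeguards from the start of the piece (spoofed and malformed packet filters, lower drop thresholds for ICMP, SYN and UDP floods) and the prioritisation step above belong in the same place: the edge packet filter. The following is an added example, not from the original article or any vendor, of how both look as an nftables ruleset on a Linux edge host. The interface name, the trusted partner and VPN ranges, the low-value ports and every rate figure are assumed placeholders; the rates in particular must be tuned against your own baseline traffic before use.

```shell
#!/bin/sh
# Added example, not from the original article: an nftables ruleset covering
# the basic safeguards (spoofed/malformed packet filters, ICMP/SYN/UDP
# thresholds) and the prioritisation step (trusted partners and VPN users
# exempt from the limits, low-value services sacrificed). Interface name,
# address ranges, ports and every rate figure are assumed placeholders.

WAN_IF="${WAN_IF:-eth0}"                            # assumed external interface
TRUSTED="${TRUSTED:-192.0.2.0/24, 198.51.100.40}"   # assumed partner range + VPN egress
LOW_VALUE_PORTS="${LOW_VALUE_PORTS:-21, 8080}"      # assumed services worth sacrificing

# Emit the ruleset. Rules are evaluated top to bottom and the first match
# wins, so trusted sources are accepted before any limiter can drop them.
render_ddos_ruleset() {
cat <<EOF
table inet ddos_edge {
    set trusted_v4 {
        type ipv4_addr
        flags interval
        elements = { ${TRUSTED} }
    }
    set syn_meter {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65535
    }
    chain input {
        type filter hook input priority 0; policy accept;

        iif lo accept
        ct state established,related accept
        ct state invalid counter drop

        # Obvious spoofing: private/bogon sources arriving on the WAN side.
        iifname "${WAN_IF}" ip saddr { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16 } counter drop

        # Malformed flag combinations that legitimate stacks never send.
        tcp flags & (fin|syn) == (fin|syn) counter drop
        tcp flags & (syn|rst) == (syn|rst) counter drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

        # High-value sources bypass everything below.
        ip saddr @trusted_v4 accept

        # Sacrifice low-value services so the limits protect what matters.
        tcp dport { ${LOW_VALUE_PORTS} } counter drop

        # Per-source SYN limit, then global floors for SYN, ICMP and UDP.
        tcp flags & (syn|ack) == syn add @syn_meter { ip saddr limit rate over 30/second burst 20 packets } counter drop
        tcp flags & (syn|ack) == syn limit rate over 2000/second burst 200 packets counter drop
        meta l4proto { icmp, ipv6-icmp } limit rate over 50/second counter drop
        meta l4proto udp limit rate over 5000/second burst 500 packets counter drop
    }
}
EOF
}

# Load the ruleset. DRY_RUN=1 (the default) only prints it for review.
apply_ddos_ruleset() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        render_ddos_ruleset
        return 0
    fi
    render_ddos_ruleset | nft -c -f - || return 1   # parse/semantic check only
    render_ddos_ruleset | nft -f -
    # SYN cookies keep the listen queue usable once the backlog fills.
    sysctl -w net.ipv4.tcp_syncookies=1 net.ipv4.tcp_max_syn_backlog=4096 >/dev/null
}

apply_ddos_ruleset
```

Run it as-is to review the generated rules; set `DRY_RUN=0` and run as root to load them. The ordering is the point: established traffic and the trusted set are accepted before the limiters, so partners and VPN users keep working while the global SYN, ICMP and UDP floors throttle everyone else, and the per-source meter catches a small number of very noisy sources without tripping the global limits for legitimate visitors. The `counter` on each drop rule is what lets you see, with `nft list table inet ddos_edge`, which vector the attack is actually using.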
Multi-vector DDoS protection
Multi-vector attacks, such as when a DDoS attack is used to hide a data exfiltration attempt, are notoriously difficult to defend against. It's all too easy to say that you must prioritise the data protection, but the smokescreen DDoS remains a very real attack on your business.
The motivation behind a DDoS is irrelevant; all of them should be dealt with using layered DDoS defences. These should include the use of a CDN or scrubbing service to deal with volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
For businesses particularly susceptible to DDoS attacks, for example enterprises and larger organisations, investing in mitigation services, or at the very least assessing the available options, may be worth your time.
Cloudflare offers perhaps the best-known such service, providing DDoS protection for a number of high-profile organisations including WikiLeaks, as well as having helped mitigate a number of high-profile attacks; the WireX botnet and the 2013 Spamhaus attack are the best-known examples.
There are many alternatives in the field of DDoS protection services, and many network and application delivery optimisation firms also offer mitigation against DDoS attacks. The WireX botnet, for example, was taken down as a result of a collaboration between a number of companies, including Cloudflare, but also RiskIQ, Flashpoint, Team Cymru, and Google.
Other companies that fall into this camp include Akamai, NETSCOUT Arbor, F5 Networks, Imperva, and Verisign. This is alongside a number of other options that perhaps don't have the profile of the aforementioned group, including Neustar, DOSarrest and ThousandEyes.
A handful of these providers also offer what is known as emergency coverage, which can be purchased when a DDoS attack is already in progress, in order to protect the business and its services against the worst of the wave. Others require a longer-term contract when arranging mitigation for such attacks.
Businesses or organisations already using other products from these companies may also want to look at adding DDoS protection to the overall package. Those using another network optimisation company, besides those listed, should examine what DDoS protection options are on offer and what they would cost. ISPs may also offer some form of DDoS mitigation, especially as emergency cover, but this may not be as comprehensive as the options provided by specialist companies.