If you do fall victim to a DDoS attack, you are not alone. High-profile victims of DDoS attacks in 2018 include organizations as diverse as Google, Amazon, PlayStation, Pinterest, and GitHub – which was on the receiving end of the highest volume DDoS attack ever witnessed.

A basic denial of service (DoS) attack involves bombarding an IP address with large amounts of traffic. If the IP address points to a Web server, then it (or routers upstream of it) may be overwhelmed. Legitimate traffic heading for the Web server will be unable to contact it, and the site becomes unavailable. Service is denied.

A distributed denial of service attack (DDoS) is a special type of denial of service attack. The principle is the same, but the malicious traffic is generated from multiple sources — although orchestrated from one central point. The fact that the traffic sources are distributed — often throughout the world — makes a DDoS attack much harder to block than one originating from a single IP address.

DDoS attacks becoming more frequent

DDoS attacks are becoming increasingly commonplace, according to research published by Corero Network Security at the end of 2017. Its DDoS Trends and Analysis report found that the number of attacks increased by 35% between Q2 2017 and Q3 2017.

One reason for their increased prevalence is the increasing number of insecure Internet of Things (IoT) devices that are being infected and recruited into botnets such as Reaper.

The volume of data launched at DDoS attack victims has also gone up significantly, largely thanks to amplification attacks such as the memcached amplification attack technique. Earlier this year, cybercriminals launched some 15,000 memcached attacks, including an attack on GitHub that maxed out at an astonishing 1.35 Tbps.

Preventing a DDoS attack when malicious actors can launch over 1 Tbps at your servers is almost impossible, and that means that it is more than important than ever to understand how to stop a DDoS attack after it has started to affect your operations. Here are six tips for stopping a DDoS attack.

How to stop a DDoS attack

1. Identify the DDoS attack early

If you run your own servers, then you need to be able to identify when you are under attack. That’s because the sooner you can establish that problems with your website are due to a DDoS attack, the sooner you can stop the DDoS attack.

To be in a position to do this, it’s a good idea to familiarize yourself with your typical inbound traffic profile; the more you know about what your normal traffic looks like, the easier it is to spot when its profile changes. Most DDoS attacks start as sharp spikes in traffic, and it’s helpful to be able to tell the difference between a sudden surge of legitimate visitors and the start of a DDoS attack.

It’s also a good idea to nominate a DDoS leader in your company who is responsible for acting should you come under attack.

2. Overprovision bandwidth

It generally makes sense to have more bandwidth available to your Web server than you ever think you are likely to need. That way, you can accommodate sudden and unexpected surges in traffic that could be a result of an advertising campaign, a special offer or even a mention of your company in the media.

Even if you overprovision by 100 percent — or 500 percent — that likely won’t stop a DDoS attack. But it may give you a few extra minutes to act before your resources are overwhelmed completely.

3. Defend at the network perimeter (if you run your own web server)

There are a few technical measures that can be taken to partially mitigate the effect of an attack — especially in the first minutes — and some of these are quite simple. For example, you can:

• rate limit your router to prevent your Web server from being overwhelmed
• add filters to tell your router to drop packets from obvious sources of attack
• timeout half-open connections more aggressively
• drop spoofed or malformed packages
• set lower SYN, ICMP, and UDP flood drop thresholds

But the truth is that while these steps have been effective in the past, DDoS attacks are now usually too large for these measures to be able to stop a DDoS attack completely. Again, the most you can hope for is that they will buy you a little time as a DDoS attack ramps up.

4. Call your ISP or hosting provider

The next step is to call your ISP (or hosting provider if you do not host your own Web server), tell them you are under attack, and ask for help. Keep emergency contacts for your ISP or hosting provider readily available so you can do this quickly. Depending on the strength of the attack, the ISP or hoster may already have detected it – or they may themselves start to be overwhelmed by the attack.

You stand a better chance of withstanding a DDoS attack if your Web server is located in a hosting center than if you run it yourself. That’s because its data center will likely have far higher bandwidth links and higher capacity routers than your company has, and its staff will probably have more experience dealing with attacks. Having your Web server located with a hoster will also keep DDoS traffic aimed at your Web server off your corporate LAN so at least that part of your business – including email and possibly voice over IP (VoIP) services – should operate normally during an attack.

If a DDoS attack is large enough, the first thing a hosting company or ISP is likely to do is “null route” your traffic – which results in packets destined for your Web server being dropped before they arrive.

“It can be very costly for a hosting company to allow a DDoS onto their network because it consumes a lot of bandwidth and can affect other customers, so the first thing we might do is black hole you for a while,” said Liam Enticknap, a network operations engineer at PEER 1 hosting.

Tim Pat Dufficy, managing director of ISP and hosting company ServerSpace, agreed. “The first thing we do when we see a customer under attack is log onto our routers and stop the traffic getting onto our network,” he says. “That takes about two minutes to propagate globally using BGP (border gateway protocol) and then traffic falls off.”

If that was the end of the story, the DDoS attack would still be successful. To get the website back online, your ISP or hosting company may divert traffic to a “scrubber,” where the malicious packets can be removed before the legitimate ones are be sent on to your Web server.

“We use our experience, and various tools, to understand how the traffic to your site has changed from what it was receiving before and to identify malicious packets,” said Enticknap. He says PEER 1 has the capacity to take in, scrub and send on very high levels of traffic, but with levels of traffic comparable to those experienced by Github, even this scrubbing effort would likely be overwhelmed.

5. Call a DDoS mitigation specialist

For very large attacks, it’s likely that your best chance of staying online is to use a specialist DDoS mitigation company. These organizations have large-scale infrastructure and use a variety of technologies, including data scrubbing, to help keep your website online. You may need to contact a DDoS mitigation company directly, or your hosting company or service provider may have a partnership agreement with one to handle large attacks.

“If a customer needs DDoS mitigation, then we divert their traffic to (DDoS mitigation company) Black Lotus,” said Dufficy. “We do this using BGP, so it only takes a few minutes.”

Black Lotus’s scrubbing center can handle very high levels of traffic, and sends on the cleaned traffic to its intended destination. This results in higher latency for website users, but the alternative is that they wouldn’t be able to access the site at all.

DDoS mitigation services are not free, so it’s up to you whether you want to pay to stay online or take the hit and wait for the DDoS attack to subside before continuing to do business. Subscribing to a DDoS mitigation service on an ongoing basis may cost a few hundred dollars a month. If you wait until you need one, however, expect to pay much more for the service and wait longer before it starts to work.

6. Create a DDoS playbook

The best way to ensure that your organization reacts as quickly and effectively as possible to stop a DDoS attack is to create a playbook that documents in detail every step of a pre-planned response when an attack is detected.

This should include the actions detailed above, with contact names and telephone numbers of all those who may need to be brought into action as part of the playbook’s plan. DDoS mitigation companies can help with this by running a simulated DDoS attack, enabling you to develop and refine a rapid corporate procedure for reacting to a real attack.

An important part of your planned response to a DDoS attack that should not be overlooked is how you communicate the problem to customers. DDoS attacks can last as long as 24 hours, and good communication can ensure that the cost to your business is minimized while you remain under attack.

Equally frustrating, and potentially dangerous to business, revenues and corporate reputation, is when such denial or inability to access the corporate website is not just due to heavy traffic (like during Black Friday), but when this “denial of service” is caused by malicious actors or hacktivists.

We describe DDoS attacks below and discuss hardware and cloud solutions that could potentially help address and mitigate the effects of DDoS attacks before they can do real harm to a company or frustrate its customers.

DDOS Attack. What is this??!

In general, a DDoS attack is a type of cyber attack that uses large numbers of computers and huge volumes of traffic to overwhelm a server or network, slowing it or rendering it completely unresponsive.

DDoS attacks generally require that the attacker control thousands, tens of thousands or hundreds of thousands of computers – usually owned by normal, unsuspecting consumers all over the world – and create their own network out of these “zombie computers.”

That large network of computers is then used to focus traffic, such as a simple request to view a web page or something more malicious, on a single target or group of targets. The targeted servers or networks, not designed to handle simultaneous requests from such large numbers of systems, often get bogged down or stop responding completely.

The amount of traffic generated by these attacks is immense.

Though there are multiple variants of DDoS attacks, the four “main” variants are as follows:

Flooding or Volumetric Attack

A flooding attack sends a large amount of traffic to a victim network to congest the network with traffic. With enough traffic (which today, is much easier through the use of botnets and other DDoS attack tools), the traffic crashes the victim network so legitimate users cannot access their accounts or make purchases online.

Amplification Attack

A different DDoS attack which “manipulates publicly-accessible domain name systems, making them flood a target with large quantities of UDP (user datagram protocol) packets.

Using various amplification techniques, perpetrators can “inflate” the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.” Often the attacking packets are spoofed (or faked) in order to hide the origin of the attack, or to defeat potential firewall defenses.

Resource Depletion Attack

Similar to an amplification attack, a resource depletion attack floods the victim server with bogus information packets to seize up the server, so it cannot respond to legitimate requests for information.

Diversion or Ransom Attack

Lastly, in this attack vector, the attacker commences a DDoS act against victim server to distract the security team and incident responders while the attacker uses different methods to penetrate the network. One popular variant of this attack is to flood the victim’s servers constantly until they pay a ransom (normally in untraceable bitcoin).

A second variant of this attack is to divert the incident response team with a large-scale DDoS attack while implanting malware or Trojans on the network designed to steal data, information or PII, or exploit a known vulnerability.

How to Prevent DDOS Attack

Defending against a concentrated and sustained DDoS attack can be akin to defending against a 4 on 1 “fast break” in a full court game of basketball – there are too many attackers and not enough of you. Your defenses are completely overwhelmed, and the attackers are headed to the basket for an easy score.

Though it’s not always possible to defend against a large, organized DDoS attack without some impact to the targeted network, there are strategies that can help mitigate the effects of even the most vicious DDoS attacks:

1. Recognize the signs of a DDoS attack: the first and best defense against a DDoS attack is the ability to recognize it early. Unfortunately, not all DDoS attacks are easy to distinguish from normal spikes in network or web traffic, or a sudden slowdown in network performance. Invest in the right technology, expertise and training to help you tell the difference, or use an anti-DDoS service as discussed below.
2. Incident response planning: Be ready with a great incident response program and include in it a DDoS mitigation plan.
3. Contact your ISP provider: If your company is feeling the effects of a DDoS attack, it is likely affecting your ISP provider, as well. Call your ISP provider to see if they can detect DDoS attacks and re-route your traffic in the event of an attack rather than have you call for support. When choosing an ISP, inquire whether any DDoS protective services are available, and consider whether you might want to engage a backup ISP in the event of an attack to keep your business running.
4. Have your threat intel handy: Half the battle in today’s environment is knowing what to look for. What are the potential indicators of compromise that an attack is underway? What threat vectors are most popular? And how are your peers responding to those attacks? Join your local ISAC, use the threat intel service provider or network with your peers to understand the source of threats and attacks.
5. Other Mitigation Defenses and Tools: There are two tools that companies should consider in addition to standard signature-based firewalls and routers (to reject known bad traffic) when thinking about mitigation strategies: (1) Load balancers to balance traffic across multiple servers within a defined network with the goal of creating additional network availability, and (2) a cloud-based anti-DDoS solution to filter or divert malicious DDoS traffic.

Today, with the large-scale commoditization and distribution of sophisticated cyber-attack tools, more and more people have access to sophisticated malware that facilitates DDoS attacks. Given this massive increase, today’s organizations need to be prepared to defend against DDoS attacks or risk outages and other damage.

Consider our advice to help prevent attackers from shutting down your network with a flood of unwanted traffic. Have an incident response plan in place and talk about DDoS countermeasures in advance with your ISP and a security vendor that specializes in mitigating these types of attacks.

Finally, as with any challenge, practice, practice, practice your incident response plan. Your corporate reputation, customers and investors are worth the effort.