Blog , 25 Jan 2022

How to Stop a DDoS Attack

Larry Ellis,

Content Creator

DDoS attacks are becoming more frequent

Statistics show around 50 million DDoS (distributed denial of service) attacks occur every year and are growing. Attacks are becoming more complex and often strike different parts of networks simultaneously.  

Today, botnets are pervasive, giving cybercriminals a massive advantage to conduct massive attacks. Thus, cybercriminals challenge society, financial systems, commerce, companies, devices, users, and more.

When DDoS attacks can launch over 1 Tbps at your servers, preventing an attack is almost impossible. Therefore, it is critical to understand how to stop a DDoS attack as it begins to affect your operations.

Types of attacks

First, let’s look at the types of DDoS attack types to understand what is likely to occur.

The 3 Types of DDoS Attacks

1. Application Layer Attack

An Application Layer Attack is a type of DDoS attack that works like a DoS flood attack on a larger scale. Bots send a large amount of traffic to their target, crowding out other users trying to access the target webserver.

Attackers typically direct traffic at time-intensive endpoints, like requests that require large database queries or generate big files. This type of attack uses light requests for the attacker but is bandwidth-intensive, so the target’s resources and network are quickly overwhelmed.

The difference between a DoS attack and a DDoS attack is that the former is meant to disrupt regular traffic while the latter is used to target a network with a flood of Internet traffic.

The Definitive Guide to DDoS Attacks

2. Protocol Attack

A Protocol Attack is a type of DDoS attack which targets how internet protocols facilitate computers’ communications over the internet and aim to exhaust server or firewall resources.

Protocol attacks are designed to eat up the processing capacity of network infrastructure resources like servers, firewalls, and load balancers by targeting Network Layer 3 and Layer 4 with malicious connection requests.

Attackers might send only the first three-part handshakes to the target server. The server responds with the second part, but the attacker does not send the final acknowledgment. This leaves the server being attacked, waiting, and unable to use the connection to respond to other requests for a while. A botnet will multiply queries to the target, overwhelming the target’s servers.

3. Amplification Attack

An Amplification Attack is a type of DDoS attack that uses various internet protocols to multiply the size of each request sent to overwhelm a network’s bandwidth.

These volumetric attacks create congestion by consuming all available bandwidth between the target and the Internet. Since amplification is used, large amounts of data are sent to a target by amplification or another means of creating massive traffic, such as requests from a botnet.

An example is the domain name system (DNS) amplification attack that uses the DNS protocol, which computers use to look up the IP address corresponding to a given website URL. This step makes navigating the internet possible. Clients usually send a request containing the website URL they want to look up to a DNS server and get back a response with the corresponding IP address.  Amplification cripples bandwidth by magnifying the flow of traffic. 

If you are an internet or hosting provider, also see these two articles:

Fighting DDoS Attacks as a Service Provider & How To Tell If Your Customer’s Server Is Being Used In a Botnet Attack

How to stop a DDoS attack

8 Steps to Stop a DDoS Attack

1. Designate a DDoS lead ahead of any attacks

Nominate a DDoS cyber security lead responsible for acting if your company comes under attack. While we know that you wish to prevent DDoS attacks, no known method prevents DDoS attacks.  You can only react quickly to mitigate their impacts.

2. Install a web application firewall (WAF) for DDoS protection

A WAF helps mitigate a layer 5 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.

Based on a series of rules used to identify layer 7 DDoS attacks, the WAF filters are mitigated. Many WAFs can also implement custom rules quickly in response to an attack.

3. Identify the attack early

Familiarize yourself with your typical inbound traffic profile. If you know what normal traffic looks like, it is easy to see when it changes. DDoS attacks usually start with large spikes in traffic. 

The sooner you can establish that problems with your website are due to a DDoS attack, the sooner you can stop the attack.  But, be sure your spike is not a sudden surge of legitimate visitors vs. the start of a DDoS attack.

4. Over provision bandwidth

Always over-provision website bandwidth between 100 and 500 percent more than normal. Over provision far more than you think you will ever need so that you can accommodate sudden and unexpected surges in traffic due to a marketing campaign or a mention in the media.

While over-provisioning isn’t DDoS attack prevention and does not stop DDoS attacks in progress, it will likely give you a few more minutes to react before your resources are overwhelmed.

5. Defend at your network’s perimeter

Act to partially mitigate the effect of an attack within the first few minutes by:

  • Rate-limiting your router, will help prevent your webserver from becoming overwhelmed
  • Adding filters, so your router can drop packets from obvious sources of attack
  • Timing out half-open connections more aggressively
  • Dropping malformed and spoofed packets
  • Setting lower drop thresholds for SYN, ICMP, and UDP floods.

These steps are effective; however, most DDoS attacks are too large to stop most DDoS attacks. But, these will give you more time as the attack increases in intensity.

6. Call your internet provider or hosting provider

The next step is to call your ISP (or hosting provider if you do not host your Web server), tell them you are under attack and ask for help.

Keep emergency contacts for your ISP or hosting provider readily available so that you can make a call to the right contact quickly. Depending on the strength of the attack, the ISP or hosting provider may have already detected it.

You stand a better chance of withstanding a DDoS attack if your web server is located in a data center managed by your provider, as it will likely have ample bandwidth and high-capacity routers and staff with attack experience. Additionally, the DDoS traffic attacking your web server will not impact your corporate network, email, and VoIP (voice) services with your web server at your hosting provider.

If a DDoS attack is significant, an internet provider or hosting provider will likely first drop or “null route” traffic to your website. After which, they will begin cleaning traffic and forward the regular user traffic to your web applications, dropping all the attack traffic and eventually stopping DDoS.

7. Call A DDoS Mitigation service

Your best chance of staying online for large attacks is to use a DDoS mitigation service. These services use various technologies to help keep your website online. Know ahead of any attack if your internet provider or hosting provider has a pre-existing partner to handle large attacks or if you need to contact a DDoS mitigation service directly.  

It’s not essential how cloud DDoS protection works. However, what’s important is if organizations need DDoS mitigation, the provider will divert their traffic to their service using BGP, so it will only take a few minutes before the service starts forwarding cleaned traffic, dropping the DDoS traffic, to its intended destination.  While this filtering incurs latency, access is still available for regular users.

Subscribing to a DDoS mitigation service is like insurance and critical in your DDoS attack prevention plan.  It may cost a few hundred dollars a month, but if you wait until you need the service, expect to pay much more out of pocket and wait longer before it starts to work and your business recovers.

8. Create A DDoS Playbook

A key component of DDoS attack prevention is to prepare ahead. A DDoS Playbook will help your organization react quickly and effectively to stop an ongoing DDoS attack.

The playbook should detail every step of the planned response to an attack and include:

  • The actions above
  • Contact names and telephone numbers of everyone who may need to help fulfill the playbook’s plan.
  • DDoS mitigation services can help by running a simulated DDoS attack, enabling you to develop and refine a rapid corporate procedure for reacting to an actual attack.
  • The planned response to communicate the problem to customers. Since episodes can last 24 hours and sometimes longer, it is essential to have a communications plan to ensure that the cost to your business is minimized while you remain under attack.
  • Finally, it may be a good idea to prepare a company statement that would be released to the public in the event of an attack. 

With a playbook in place, business strategies designed in advance, and technical protective measures in place, your company won’t be caught off guard and can survive a DDoS attack.

Every business needs to be concerned about DDoS Attacks

DDoS can damage a company’s reputation, negatively impact revenue, and require substantial expenses to remedy the attack. 

Suppose users of your service or customers can’t access your website. In that case, this will prevent your business from operating normally and cause users to go elsewhere or customers to stop purchasing your products.

While DDoS attacks do not directly steal information from a target, attackers often use DDoS to distract targets from other ongoing cyberattacks on the target. At the same time, the target organization is busy trying to manage the DDoS attack, attackers pursue their true objective. For example, DDoS attacks that go on for an extended period are also used to extort target organizations, similar to ransomware attacks.

Share
Linkedin Icon Twitter Icon Facebook Icon E-mal Icon
Two computer monitors showing AbuseHQ

Free Trial

Let's protect your mail servers and customers from spam, phishing, and other email-related threats with Abusix Mail Intelligence!

Free Trial

Products & Tools

Type

Topic

Get in touch

Talk to us

Do you want to remove your IP/domain from one of our blocklists?
Please use our lookup-service and follow the instructions there in order to get that resolved.