It’s one thing to understand what a ‘DDoS attack’ is. But it’s another thing to know what to do to stop them. This article will serve as a guide to how you can stop these malicious attacks.
What does it mean?
DDoS (Distributed Denial of Service) attacks are widely regarded as being one of the primary concerns relating to Internet security. This brand of digital assault is a variant of a DoS (Denial of Service) attack that utilizes a very large number of attacking computers to overwhelm the target with fraudulent traffic. In order to acquire the necessary scale needed to carry out this attack, they are quite often performed by ‘botnets’ that are able to homogenize millions of infected machines to unintentionally participate in the attack, despite the fact that they are not the intended target of the attack itself.
Even though DDoS attacks are essentially a branch of DoS attacks – which are assaults whose primary goal is to shut down a machine or network so that it becomes inaccessible to its intended users – they are comparatively more popular; or rather, more infamous. This is due largely in part to the features that both set them apart from DoS attacks and also make them stronger.
According to Cyberpedia, these are the reasons why DDoS attacks are more “preferable”:
- The attacking party can execute an attack of disruptive scale as a result of the large network of infected computers—effectively a zombie army—under their command
- The (often worldwide) distribution of attacking systems makes it very difficult to detect where the actual attacking party is located
- It is difficult for the target server to recognize the traffic as illegitimate and reject it an entry because of the seemingly random distribution of attacking systems
- DDoS attacks are much more difficult to shut down than other DoS attacks due to the number of machines that must be shut down, as opposed to just one
For more details about these attacks, read one of our previous articles, “What is a DDoS Attack?”
The growing problem
It should be noted that if you find yourself falling victim to this kind of attack, don’t worry. You are not the only one. In fact, there have been a handful of attacks made on high-profile companies in 2018, some of which include the likes of Google, Amazon, Pinterest, PlayStation, and GitHub. The latter was actually on the receiving end of the most brutal, highest volume DDoS attack that has ever been witnessed.
These malicious attacks are gradually becoming commonplace if the research that was published in late 2017 by Corero Network is anything to go by. Its DDoS Trends and Analysis report discovered that the total number of attacks had increased by 35% between Q2 2017 and Q3 2017. One of the primary reasons as to why their prevalence is increasing is the growing number of insecure ‘Internet of Things’ (IoT) devices that are being infected and inducted into botnets, such as Reaper.
In addition, the volume of data that is launched at victims of a DDoS attack has been going up at an alarming rate, which is largely due to ‘amplification’ attacks, like the Memcached amplification attack technique. This technique was discovered thanks to several security companies detecting an array of massive UDP (User Datagram Protocol) amplification attacks that were taking advantage of vulnerabilities in Memcached servers to speed up dynamic web applications by caching data and objects in RAM (Random Access Memory). In early 2018, cybercriminals initiated around 15,000 Memcached attacks, including the aforementioned attack on GitHub that maxed out to an astounding total of 1.35 Tbps.
These amplification attacks are part of the reason why preventing DDoS attacks is such a challenge. They involve sending out small packets of data to servers around the world that have been compromised or badly configured, which then respond by sending packets that are much larger to the server that is under attack. A notable example of this is a DNS (Domain Name System) amplification attack, in which a 60-byte DNS request may lead to a 4,000-byte response being sent to the victim; an amplification factor that equals out to roughly 70 times the original size of the packet.
Going back to the main topic of DDoS attacks, preventing them while actors with malicious intentions launch over 1 Tbps at your servers is – as previously stated – a difficult feat. This means that it is incredibly important now more than ever to understand what needs to be done in order to stop a DDoS attack after it has begun to affect your operations.
How to thwart them
From here, we can now start to talk about some helpful tips that can aid you in averting these attacks.
1) Identify the DDoS attack early on
If you are someone who runs their own server(s), then you will need to be able to identify that you’re under attack. This is due to the fact that the sooner you establish that the problems with your website are because of a DDoS attack, the sooner you can put a stop to the attack.
In order to properly do this, it would be a wise move on your part to familiarize yourself with your common inbound traffic profile. Basically, the more you know about what your normal traffic looks like, the easier it will be to notice when its profile changes. A majority of DDoS attacks will start as sharp spikes in traffic, and it’s beneficial to have the ability to tell the difference between an unexpected surge of legitimate visitors and the commencement of a DDoS attack.
Moreover, it is also a good idea to nominate a DDoS leader in your company, who will be solely responsible for acting if there were to ever be a time when you are under attack.
2) Overprovision bandwidth
In a general sense, it makes sense to have much more bandwidth available to your web server than you may initially think you will need. That way, you are able to handle any sudden and unforeseen surges in traffic that could be the outcome of an advertising campaign, a special offer, or even a brief mention of your company in the media.
If you overprovision by 100% or 500%, that in all likelihood won’t stop a DDoS attack. However, it may grant you a few extra minutes to take action before your resources are completely overwhelmed.
3) Defend at the perimeter of the network
It should first be mentioned that this only applies to people who run their own web server.
Anyway, there are a good amount of technical measures that can be taken as a way to at least partially relieve the overall effect of an attack, especially within the first few minutes. Some of these methods are actually quite simple. Examples of these include:
- Rate limit your router so that you can prevent your web server from being overwhelmed
- Include filters in order to command your router to drop packets from obvious origins of the attack
- Timeout any connections that are half-open in a more aggressive manner
- Drop any spoofed or distorted packages
- Set much lower SYN (short for “synchronize”), ICMP (Internet Control Message Protocol), and UDP flood top thresholds
Admittedly, while these steps have proven themselves to be effective in the past, the fact is DDoS attacks are now typically too large for these measures to be able to completely put a stop to a DDoS attack. Once again, the most you can hope for in this case is that they will buy you enough time to prepare yourself while a DDoS attack ramps itself up for initiation.
4) Contact your ISP or hosting provider
The next (logical) step is to get in contact with your ISP (or hosting provider if you are someone who does not host your own web server), tell them that you are under attack, and promptly ask for assistance. Be sure to keep emergency contacts for your ISP or hosting provider readily available so that you can call them quickly. Depending on the overall strength of the attack, your ISP or hoster may have already discovered it, or they might have started to become overwhelmed by the assault.
You would honestly stand a much better chance of enduring a DDoS attack if your web server is located in a hosting center than if you had run it all by yourself. This is mainly because its staff will most likely have more experience dealing with these attacks. By having your web server be located with a hoster, it will also keep DDoS traffic aimed at your web server off of your corporate LAN (Local Area Network), so if nothing else, that particular part of your business – which includes email and possibly voice over IP (VoIP) services – should be able to function normally in the midst of an attack.
Should the DDoS attack be at a large enough capacity, then the very first thing that an ISP or hosting company is likely to do is ‘null route’ your traffic. This will result in packets that were intended for your web server being dropped just before they arrive.
Liam Enticknap, a network operations engineer at PEER 1 hosting, says that, “It can be very costly for a hosting company to allow a DDoS on to their network because it consumes a lot of bandwidth and can affect other customers, so the first thing we might do is black hole you for a while.”
Someone who agrees with Enticknap is Tim Pat Dufficy, the managing director of ISP and hosting company ServerSpace. According to him, “The first thing we do when we see a customer under attack is log on to our routers and stop the traffic getting on to our network. That takes about two minutes to propagate globally using BGP (border gateway protocol) and then traffic falls off.”
If that was entirely the case, then the DDoS attack would still potentially be successful. In order to properly get the website back online, your ISP or hosting company may redirect the traffic to a ‘scrubber’, which is where the malicious packets can be removed before the authentic ones are to be sent to your web server.
Enticknap further explains, “We use our experience, and various tools, to understand how the traffic to your site has changed from what it was receiving before and to identify malicious packets.” Moreover, he says that PEER 1 contains the capacity needed to take in, scrub, and send out to very high levels of traffic, but with levels of traffic that are comparable to those that were experienced by GitHub, even this specific scrubbing effort would in all likelihood be overwhelmed.
5) Contact a DDoS mitigation specialist
For the situations involving very large attacks, it is pretty likely that your best chance at remaining online is to seek out the assistance of a specialist DDoS mitigation company. These organizations possess a large-scale infrastructure and utilize a variety of technologies – which includes data scrubbing – to aid in keeping your website online. You will probably need to contact a DDoS mitigation company directly or your hosting company/service provider might have a partnership agreement with one to deal with these larger attacks.
Dufficy chimes in on this, stating that what his company does when a client needs DDoS mitigation is they divert the traffic to Black Lotus. They carry this out by using BGP (Border Gateway Protocol) and he claims that it takes no longer than a few minutes.
The scrubbing center that is used by Black Lotus is able to handle very high levels of traffic and it sends the scrubbed traffic to its intended destination. This process results in much higher latency for users of the website, but the alternative is that they would be unable to access the site at all.
It should be noted that – like other services of this kind – DDoS mitigation services are not free, so it’s ultimately up to you as to whether you want to pay to remain online or take the hit and wait for the DDoS attack to die down before continuing on with your business. Subscribing to a DDoS mitigation service on a continuous basis may cost you a few hundred dollars per month. If you decide to wait until you are in need of one, you should expect to pay more for the service and wait a while longer before it begins to work.
Here are some of the many DDoS mitigation specialists for you to look into:
- Akamai DDoS mitigation
- Radware DDoS Protection
- Cloudflare DDoS Protection
- NetScout Arbor
- F5 DDoS Protection
6) Construct a DDoS playbook
The best and most reliable way to make sure that your organization reacts as quickly and efficiently as possible to put a stop to a DDoS attack is to create a playbook that keeps detailed records of every step of a pre-planned response whenever an attack is detected. This should include the actions that have already been explained, with contact names and telephone numbers belonging to all of those who might need to be brought into action as part of the plan of the playbook.
DDoS mitigation companies can often help with this by way of running a simulated DDoS attack, thus allowing you to develop and perfect a rapid corporate procedure for responding to a real attack.
The most important part of your planned reaction to a DDoS attack that should not go unnoticed is how you communicate the issue to customers. The duration of a DDoS attack can typically last as long as 24 hours, so solid communication can ensure that the cost to your business is downplayed while you are still under attack.
Overall, it would be a wise decision to familiarize yourself with methods used to stop DDoS attacks as much as possible. Hopefully, this guide provided you with some useful insight.