30-Second Summary:

  • A DDoS or distributed denial of service attack can cause costly and damaging downtime for websites.
  • There are a wide variety of types of DDoS attacks, and they keep growing in size and complexity.
  • Even the world’s largest companies and websites have suffered DDoS attacks, including Amazon Web Services and Google.
  • It’s possible to stop many DDoS attacks before they start with preventive measures such as web application firewalls and VPNs.
  • Early detection of a DDoS attack and intervention is key to limiting the harm an attack can do.
  • Recovering from a DDoS attack requires honest analysis and assessment, as well as a plan to defend better next time.


A DDoS or distributed denial of service attack can be devastating to any business with a web presence because it effectively removes the website that is the target of the attack from the internet. For website-driven companies, it’s essential to take a multi-pronged approach to prevent, intervene in, and recover from a distributed denial-of-service attack. In this article, we’ll cover how to do just that.

What is a DDoS Attack?

So what exactly is a DDoS attack? In a basic DDoS attack, cybercriminals bombard an IP address with fake traffic, flooding the server that the IP address points to, and any routers upstream of it, with so much traffic that legitimate requests are denied service.

How does a DDoS attack work? Cybercriminals exploit vulnerabilities in hundreds or thousands of computers and other connected devices (such as IoT devices) via malware. That network of infected devices and computers forms a botnet that is then remotely controlled to carry out the DDoS attacks.

A distributed denial of service attack can last from hours to days to weeks, depending on the cyberattacker’s intentions and the attack’s effectiveness. Some of the most common types of DDoS attacks include:

  1. Protocol Attacks. These include SYN floods, Smurf DDoS, fragmented packet attacks, etc.
  2. Volumetric DDoS Attacks. These include ICMP floods, UDP flood attacks, reflection amplification attacks, etc.
  3. Application-Layer Attacks. These include HTTP floods, Slowloris attacks, etc. 

How to Prevent DDoS Attacks

Some of the world’s largest corporations have been the victims of well-orchestrated and prolonged DDoS attacks. Google has been hit, and Amazon Web Services fought off a DDoS attack for an undisclosed customer that sent requests at 2.3 Tbps for three days. No website, then, is off-limits, and without a doubt, an ounce of prevention is worth a pound of cure. Here are some ways to prevent a DDoS attack so that legitimate users can always find their way to your business’s website.

Use a Firewall to Prevent DDoS Attacks

Some firewalls can provide protection from DDoS attacks; however, many firewalls can themselves act as entry points for a complex DDoS attack. For a firewall that can actually thwart and limit a complex DDoS attack, use a web application firewall (WAF) to protect your site.

How does a WAF work? Regardless of what form a WAF takes (appliance, software, or WAF-as-a-service), the general principle of protection is the same. A web application firewall stands between the internet and your website or other web apps, and it monitors, filters, and blocks any malicious or bot-driven traffic that’s trying to reach your site.

Use a VPN to Prevent DDoS Attacks

To understand how a VPN can prevent a DDoS attack, it’s important to first understand what a VPN is. 

A VPN, or virtual private network, creates a private network across a public or shared network. The primary purpose of a VPN is to hide your identity and activity while you use the internet. With a VPN, everything from your IP address to your online activity and browsing history becomes private, inaccessible to anyone outside your VPN.

In general, then, using a VPN is a great way to prevent DDoS attacks, since a VPN will hide your IP address. Without an accurate IP address, it’s impossible for a DDoS attack to properly locate the network your site is on. That being said, if the company providing your VPN doesn’t itself have robust protection against DDoS attacks and other cyber threats, your site could still become vulnerable at some point. To learn more about VPN services and read VPN reviews, check out our VPN resources page.

Of course, even the best defenses are sometimes breached. Here’s what to do if prevention fails. First up? You need to be able to tell when you’re under attack.

How to Detect DDoS Attacks When They Hit

One key to intervening in and stopping a DDoS attack once it’s underway is to properly detect that it’s happening at all. The first and most obvious symptom of a DDoS attack is a noticeable jump in resource utilization on the targeted server. By frequently monitoring your traffic profile, you’ll be able to identify any traffic jumps or other anomalies. Other symptoms of a distributed denial of service attack are slowed performance, crashes, large amounts of traffic coming from users with similar profiles or geolocations, and spikes in traffic coming from a single or small group of IP addresses.
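As an added example (not from the article), a short Python script that checks access-log lines for the last two symptoms above: request spikes from a single IP and several sources sharing the same client profile (here, the User-Agent string). The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspects(lines, per_ip_limit=5, window=10):
    """Flag IPs that exceed per_ip_limit requests inside any window-second bucket,
    and User-Agents shared by more than one flagged IP (clients with similar profiles)."""
    hits = defaultdict(int)        # (ip, bucket) -> requests seen in that bucket
    uas = defaultdict(set)         # ip -> User-Agent strings it sent
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # unparsable lines are skipped, not counted
        # ts looks like 10/Oct/2023:13:55:36 +0000; bucket on seconds since midnight
        hh, mm, ss = rec["ts"].split()[0].split(":")[1:4]
        bucket = (int(hh) * 3600 + int(mm) * 60 + int(ss)) // window
        hits[(rec["ip"], bucket)] += 1
        uas[rec["ip"]].add(rec["ua"])
    flagged = sorted({ip for (ip, _), n in hits.items() if n > per_ip_limit})
    ua_count = defaultdict(int)
    for ip in flagged:
        for ua in uas[ip]:
            ua_count[ua] += 1
    shared = sorted(ua for ua, n in ua_count.items() if n > 1)
    return {"flagged_ips": flagged, "shared_user_agents": shared}

def _line(ip, sec, ua):
    # Constructed combined-format line; all requests fall in 13:55:3x on one date.
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET / HTTP/1.1" '
            f'200 512 "-" "{ua}"')

BOT_UA = "python-requests/2.31"
SAMPLE_LOG = (
    [_line("203.0.113.7", 30 + i % 3, BOT_UA) for i in range(8)]    # burst from one IP
    + [_line("198.51.100.9", 31 + i % 4, BOT_UA) for i in range(7)] # second source, same profile
    + [_line("192.0.2.44", 35, "Mozilla/5.0 (X11; Linux x86_64)")]  # ordinary visitor
    + ["garbage line that does not parse"]
)
```

Calling find_suspects(SAMPLE_LOG) flags both bursty sources and reports the User-Agent they share, while the single ordinary visitor is left alone.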

How to Intervene to Stop a DDoS Attack

Once you’ve identified that a DDoS attack on your site or web app is underway, you can intervene to stop it or limit its harm in the following ways.

If You Run Your Own Server, Mitigate the Attack

If you run your own server, you have a handful of very helpful options that will mitigate a DDoS attack that’s underway:

  • Rate limit your router to keep your server from being overwhelmed with traffic
  • Drop quick retransmissions
  • Add filters so that your router can detect and drop data packets that are:
    • spoofed
    • malformed
    • coming from unknown or suspicious sources
  • Lower your UDP, ICMP, and SYN flood drop thresholds
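The router rules above, modelled in Python as an added example (not from the article or any router product): a sliding-window per-source threshold for SYN, UDP and ICMP, a bogon check that drops spoofed private or reserved sources, and a malformed-packet check. The packet trace, limits and addresses are constructed.

```python
import ipaddress
from collections import defaultdict, deque

DEFAULT_LIMITS = {"SYN": 3, "UDP": 5, "ICMP": 2}   # packets per source per window (constructed)
KNOWN_KINDS = {"SYN", "ACK", "DATA", "UDP", "ICMP"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_bogon(addr):
    # Sources that can never legitimately arrive on an internet-facing link.
    return (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or any(addr in net for net in RFC1918))

class IngressFilter:
    def __init__(self, limits=DEFAULT_LIMITS, window=1.0):
        self.limits, self.window = dict(limits), window
        self.seen = defaultdict(deque)   # (src, kind) -> arrival times inside the window
        self.drops = defaultdict(int)    # reason -> packets dropped for that reason

    def _drop(self, reason):
        self.drops[reason] += 1
        return "drop:" + reason
    def check(self, src, kind, length, now):
        """Return 'accept' or 'drop:<reason>' for one packet arriving at time now."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return self._drop("malformed")       # unparsable source field
        if kind not in KNOWN_KINDS or length < 20:
            return self._drop("malformed")       # unknown type or shorter than a header
        if is_bogon(addr):
            return self._drop("spoofed")         # private/reserved source on a WAN link
        if kind in self.limits:                  # sliding-window threshold per source
            q = self.seen[(src, kind)]
            while q and now - q[0] >= self.window:
                q.popleft()
            q.append(now)
            if len(q) > self.limits[kind]:
                return self._drop(kind.lower() + "_flood")
        return "accept"

def replay(packets):
    # Run a trace through a fresh filter; return (per-packet verdicts, drop counts).
    f = IngressFilter()
    return [f.check(*p) for p in packets], dict(f.drops)

# Constructed trace: (src, kind, length, arrival time); documentation ranges stand in for public IPs.
TRACE = (
    [("203.0.113.9", "SYN", 60, 0.1 * i) for i in range(6)]            # SYN flood
    + [("10.0.0.5", "UDP", 80, 0.2), ("198.51.100.2", "DATA", 8, 0.3), ("not-an-ip", "SYN", 60, 0.4)]
    + [("192.0.2.7", "SYN", 60, 0.5), ("192.0.2.7", "SYN", 60, 2.0)]    # ordinary client
)
```

replay(TRACE) accepts the first three SYNs from the flooding source and drops the rest, drops the private-source and malformed packets, and lets the slow ordinary client through.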

Contact Your Internet Service Provider

If you don’t run your own server, then as soon as you detect a DDoS attack, it’s important to reach out immediately to your ISP. Your ISP has tools to mitigate harm and protect you from DDoS attacks, including rate limiting, firewalls, DNS, and blocking all traffic. Their efforts may be enough, but in many cases, relying on just your ISP to get you through a DDoS attack unscathed is a recipe for disaster. Prevention and protection up front are the best way to handle your site’s cybersecurity.

Recovering from a DDoS Attack

The first thing to do once you find yourself on the other side of a DDoS attack is to recover from it. But how?

Analyze and Assess the Damage

Whether the information comes from application and system logs or from your security provider, it’s essential that you analyze and assess what occurred and how. Important questions to ask are:

  • What type of DDoS attack was it? How did it work?
  • What assets were targeted?
  • What assets were compromised?
  • What was the peak amount of requests — and data — used in the attack?
  • What did the attack impact? Did it affect only the network layer, or did it affect the application layer as well?
  • How successful was the attack?
  • What were the damages? (Lost revenue, bad PR, downtime, etc.)
  • Where were the weak points that were targeted?

Reconsider and Redesign Your Response Plan

Once you’ve analyzed and assessed what went wrong and why, it’s important to draw up a response plan that will address weaknesses in web servers, network infrastructure, etc. going forward so that the next time your site is targeted, you’re better prepared.

Invest in Dedicated DDoS Protection Software and Services

If you own your own server, invest in some good DDoS protection. There are many solutions available with protection plans that range from hobbyist to enterprise and can include everything from web application firewalls and bot mitigation to DDoS mitigation services and more. 

Regardless of what you choose, the key to recovering from a DDoS attack is to put in place a protection service or other type of defense that makes it less likely that you’ll suffer one again. It’s important to find a solution that not only prevents most attacks but is also able to arrest malicious web traffic in real time, keeping your servers safe and your website accessible to users.