What is a DDoS attack?
A DDoS attack is a cyber attack that uses compromised computers and IoT devices to send a wave of traffic at a network. The high volume of traffic congests the network and stops legitimate devices from being able to communicate with one another. Once the network becomes too congested, users can’t access the internet.
DDoS attacks are estimated to cost between $20,000-$40,000 per hour. Taking a preemptive approach to beating DDoS attacks is essential for staying online. Before we look at how to stop a DDoS attack, we first need to outline what a DDoS attack is.
The terrifying thing about DDoS attacks is that they can happen to anyone. Even multinational organizations with dedicated cybersecurity professionals aren’t immune from being attacked.
There are countless examples of large vendors being derailed by an opportunistic attacker:
- On 28th February 2018, GitHub was hit by a gigantic DDoS attack that peaked at 1.35 Tbps
- On 30th September 2017, a DDoS attack put the UK National Lottery offline
- On 21st October 2016, Dyn was attacked by a Mirai botnet that sent traffic over port 53
- On 31st December 2015, BBC sites including BBC iPlayer were disrupted by a 602 Gbps DDoS attack
If you are here for the tools and haven’t got time to read the whole post, here is our summary list of the best tools to stop DDoS attacks:
- SolarWinds Security Event Manager (FREE TRIAL) Host-based intrusion prevention system that will shut down access to sources detected to be performing a DDoS attack. Runs on Windows Server.
- Sucuri Website Application Firewall (LEARN MORE) An edge service that protects your web servers by standing in front of them and filtering out malicious activity from general traffic.
- Paessler PRTG Network Monitor (FREE TRIAL) An all-in-one network, server, and application monitor that includes traffic analyzers that alert when excessive traffic volumes arise. Runs on Windows Server.
How does a DDoS attack work?
To put a network offline the attacker needs a group of devices to launch the attack from. To do this, the attacker sets out to infect a large number of computers with malicious software. The infected computers form a botnet: a network of devices under the control of the attacker, which the attacker can use to flood a target network with traffic.
If enough traffic is sent to the network, it is put out of action. Verisign’s DDoS Trends Report found that the average peak DDoS attack size is 11.2 Gbps. Given the damage that a successful attack can cause, it is important for enterprises to be able to protect themselves against these attacks.
Why Do People Launch DDoS Attacks?
Unfortunately, there are many reasons why individuals and groups carry out DDoS attacks. Some attackers are motivated by putting competitors out of action, whereas others are motivated by political reasons. A handful are just looking to cause trouble for the sake of it.
It isn’t uncommon for individuals to pay cybercriminals to launch a botnet on their behalf. While there are many reasons for DDoS attacks, the end result is the same: service disruption and downtime.
Ultimately, understanding why attackers launch attacks isn’t as important as knowing how to stop an attack. Well-defined cybersecurity procedures will give you a chance to defend yourself no matter who is trying to attack you, and could help you to stay up if the time comes.
Types of DDoS Attacks
Defending against DDoS attacks starts by developing awareness of the types of DDoS attacks you can encounter. Generally, DDoS attacks can be divided into three main types: volume-based attacks, protocol attacks and application-layer attacks. Each of these attacks works in a different way:
Volume-Based Attacks
Volume-based attacks are a type of DDoS attack that relies on sheer volume to disrupt a service. These types of attacks include packet flood attacks like UDP floods and ICMP floods. In a UDP flood attack, the attacker sends UDP packets to random ports on a computer or network. The host looks for an application listening on each port, finds nothing, and spends its resources responding. The end result is a congested network.
Protocol Attacks
Protocol attacks are DDoS attacks that abuse network protocols to monopolise server resources. Common protocol attacks are Ping of Death, SYN floods and smurf attacks. In the case of a SYN flood, the attacker sends spoofed SYN messages to initiate TCP handshakes with a machine and never completes or closes the connections, so the server is left holding half-open connections.
Application-Layer Attacks
Application-layer attacks target the top layer of the OSI model in an attempt to consume server and network resources. Application-layer attacks are popular because the attacker only needs a small amount of bandwidth to have a large effect. Slow-rate and low-and-slow attacks are common types of application-layer attacks that businesses encounter. A low-and-slow attack uses a small, slow stream of traffic to tie up application or server resources.
DDoS Attack Prevention Strategy
Once you know what a DDoS attack is, you can start to design a strategy to prevent future attacks. An effective DDoS prevention strategy has several core components:
- A log analysis tool
- A website application firewall
- A NetFlow analyzer
- In-house DDoS experts
DDoS Prevention Tool #1: Detecting Attacks with Log Management Tools
Defending against DDoS attacks before they take place is all about visibility. Having transparency over your log data shows you what is happening in your local environment. SolarWinds Security Event Manager delivers a real-time log management solution that shows log data in real-time so you can see unusual activity on your network.
The tool also has alerts with automated responses to cut off DDoS attacks once they’ve been launched. To make sure that you aren’t vulnerable to known bad actors, SolarWinds Security Event Manager scans lists of known malicious devices and can automatically create an alert or block the IP outright.
Automatic responses are effective at reducing your exposure to attackers by decreasing your response time. The lower your response time is, the better able you are to minimize the damage of an attack.
If a DDoS attack does get through your defences you can use root cause analysis to see where the attack originated. Root cause analysis helps you to tweak your security procedures to make sure that future attacks don’t affect your service.
DDoS Protection Tool #2: Protecting a Website from a DDoS Attack with a WAF
A Web Application Firewall (WAF) should be at the heart of your DDoS defense strategy. A web application firewall filters and monitors HTTP traffic to find malicious activity. Once bad traffic is recognised the firewall can block it and blacklist the IPs of the machines involved.
Web application firewalls are essential for blocking the bad traffic from a DDoS attack that could potentially put your website offline. Sucuri’s WAF is an industry standard web application firewall that comes with a website antivirus. The tool has been designed specifically to defend against DDoS attacks on layers 3, 4, and 7 of a network.
To defend against attackers Sucuri enables you to configure custom rulesets to filter out suspicious traffic and block botnets from trying to consume your bandwidth. As an added bonus, Sucuri can also block malware, zero-day attacks and brute force hacks.
DDoS Protection Tool #3: Using a NetFlow Analyzer to Capture Suspicious Traffic
The biggest risk to your network is the volume of traffic that is sent by an attacker. The amount of traffic that a botnet can muster determines the severity of the attack. NetFlow analyzers are excellent at picking up traffic spikes that indicate an attack.
NetFlow analyzers like Paessler PRTG Network Monitor can show you fluctuations in network traffic and show you when you’re under attack. The NetFlow V5, NetFlow V9, and IPFIX Sensors can show you if malicious traffic is being sent your way. There are graphs of your live traffic data where you can look out for unusual traffic peaks.
You can even configure alert thresholds so that you are sent a notification if traffic reaches a certain level. Having transparency over network traffic helps you leap into a response as soon as an attack hits your network.
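The two checks described above, a volume alert threshold on flow data and a classification of the UDP-flood and SYN-flood patterns from the attack-types section, as an added example that is not code from the article or from any of the products it names. The flow records are constructed sample data in a NetFlow-v5-like shape, and the thresholds (`baseline_bps`, `syn_pps`, `udp_port_spread`) are illustrative assumptions a real deployment would tune to its own baseline.

```python
from collections import defaultdict

# Constructed sample flow records, not a real capture:
# (second, src_ip, dst_ip, proto, dst_port, tcp_flags, packets, bytes)
FLOWS = [
    (0, "192.0.2.10",   "203.0.113.5", "tcp", 443,   "SA", 40,   52000),
    (0, "192.0.2.11",   "203.0.113.5", "tcp", 443,   "SA", 30,   41000),
    (1, "192.0.2.10",   "203.0.113.5", "tcp", 443,   "SA", 35,   47000),
    (2, "198.51.100.7", "203.0.113.5", "tcp", 80,    "S",  8000, 480000),  # SYN-only burst
    (2, "198.51.100.7", "203.0.113.5", "tcp", 443,   "S",  7000, 420000),
    (2, "198.51.100.8", "203.0.113.5", "udp", 5351,  "",   3000, 900000),  # UDP to random ports
    (2, "198.51.100.8", "203.0.113.5", "udp", 18823, "",   3000, 900000),
    (2, "198.51.100.8", "203.0.113.5", "udp", 40001, "",   3000, 900000),
    (2, "198.51.100.8", "203.0.113.5", "udp", 61234, "",   3000, 900000),
    (3, "192.0.2.11",   "203.0.113.5", "tcp", 443,   "SA", 28,   39000),
]

def bytes_per_second(flows):
    """Total bytes per one-second bucket: the series a NetFlow analyzer graphs."""
    buckets = defaultdict(int)
    for sec, *_rest, nbytes in flows:
        buckets[sec] += nbytes
    return dict(buckets)

def volume_alerts(flows, baseline_bps, factor=5.0):
    """Seconds whose byte volume exceeds factor x the normal baseline (alert threshold)."""
    return sorted(sec for sec, b in bytes_per_second(flows).items() if b > baseline_bps * factor)

def classify_sources(flows, syn_pps=1000, udp_port_spread=3):
    """Label each source address by the flood pattern its flows match."""
    syn_pkts = defaultdict(int)   # SYN-only TCP packets per source (half-open handshakes)
    udp_ports = defaultdict(set)  # distinct UDP destination ports per source
    for _sec, src, _dst, proto, dport, flags, pkts, _nbytes in flows:
        if proto == "tcp" and flags == "S":
            syn_pkts[src] += pkts
        elif proto == "udp":
            udp_ports[src].add(dport)
    labels = {}
    for src in {f[1] for f in flows}:
        if syn_pkts[src] >= syn_pps:
            labels[src] = "syn_flood"
        elif len(udp_ports[src]) >= udp_port_spread:
            labels[src] = "udp_flood"
        else:
            labels[src] = "normal"
    return labels

def sources_to_block(flows):
    """Addresses an automated response would hand to the firewall blocklist."""
    return sorted(src for src, label in classify_sources(flows).items() if label != "normal")
```

The labelled sources are the input to the automated block rule the log management section describes; with spoofed SYN sources the block list will name forged addresses, so treat it as a signal for upstream filtering rather than a complete fix.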
Hiring In-House DDoS Experts or a Managed Application Security Vendor
If you have the budget to afford it, hiring in-house cybersecurity experts to combat DDoS attacks can also be extremely beneficial. Experienced cybersecurity professionals will be familiar with the types of attacks that cybercriminals use and be able to identify where your organization is vulnerable. Knowledgeable cybersecurity professionals are particularly useful for dealing with the trickier layer 7 attacks that attackers are increasingly resorting to.
However, if you cannot afford in-house staff you can get good results by investing in a managed security provider who provides ongoing traffic monitoring and penetration testing.
Working with a managed security provider will still give the benefit of expert guidance but without some of the overhead that comes with hiring a full-time employee. A managed security provider is an excellent option for accessing additional expertise while staying cost-efficient.
Other Best Practices for Dealing with DDoS Attacks
There are a number of best practices that you can incorporate to work alongside your defense measures. These are as follows:
- Overprovision server bandwidth
- Use a Content Distribution Network (CDN)
- Secure your network
- Train your employees
Overprovision server bandwidth
Overprovisioning is the practice of purchasing more server bandwidth than you need for day-to-day operations. Having a higher bandwidth capacity gives you more resistance against an attack. The reason is that the attacker needs to send a higher volume of traffic to disrupt your service. Overprovisioning can help counter some lower volume attacks.
Use a CDN
DDoS attacks work by targeting your hosting server, but if you spread your data across several global servers, there’s no single point of failure. Having no single point of failure means that you can’t be put offline by one server failure because you’ll still have other servers available to work with. A CDN is an excellent method for staying resilient against attacks.
Secure your network
Making sure that your network is secure from attackers is essential for avoiding an attack. To keep your network secure, you should not only be scanning your network infrastructure, but also using an intrusion detection system alongside your log management solution to look for vulnerabilities.
Train your employees
Educating employees on the dangers of cyberattacks and how to secure network devices is paramount to preventing damage to your network. Your employees will be the people on the ground when an attack happens. Training them how to spot malware or suspicious activity and how to respond in an attack will minimize the potential damage of an attack.
Tips for Responding to a DDoS Attack
Even with the best strategy in the world, you can’t prevent every DDoS attack from slipping through the net. It is vital to have a plan for how to respond once you know an attack is happening. How you respond once an attack goes live will determine how much damage is done and how long you are offline for. Here are some tips for responding to a DDoS attack:
Know the Signs of an Attack
The first thing you need for a prompt response to an attack is to educate yourself and your employees on the signs of an attack. Are devices unable to access the internet? Is there a ton of unusual traffic on the network? Being able to spot the tell-tale signs of an attack will speed up your responses. Employees can’t spring into action to address an attack if they don’t recognise an attack has taken place!
A bandwidth monitoring tool can be instrumental in looking out for large amounts of traffic on your network. Once the flood starts, you have only a small window of time to act before your server is overwhelmed.
Diagnose the origin of the attack
In order to respond effectively, you need to know where the attack is coming from and what type of attack it is. Restoring operation to your network quickly is impossible if you don’t know where the attack is coming from. In the event that you can’t tell the origin, you will be forced to take a hit and wait for the attack to pass.
Analyse the attack post event
Once the attack has passed it is time to evaluate what happened. Identify whether there were any vulnerabilities or inadequacies in your response process. Could your bandwidth monitoring tool have better visibility? Could your team’s communication be better or your response time faster? Identifying these areas for improvement is a great way to make sure that you’re prepared if you ever encounter another DDoS attack.
The Key to a Successful Defense: Prevention and Fast Responses
Prevention and fast responses are the core elements of a DDoS defense strategy. Tools like log management solutions, website firewalls or network analyzers will help you catch attacks early, but they aren’t enough on their own to stop attacks from affecting your bottom line.
A large degree of your resistance to an attack will depend on how quickly your team responds under pressure. Building an employee culture that emphasizes cybersecurity and recognises how to fight a DDoS attack will reduce the damage if an attacker slips through the net.