How to Stop a DDoS attack - Includes Essential Tools

What is a DDoS attack?

A DDoS (distributed denial-of-service) attack is a cyber attack that uses compromised computers and IoT devices to send a wave of traffic at a network. The high volume of traffic congests the network and stops legitimate devices from communicating with one another. Once the network becomes too congested, users can’t access the internet.

DDoS attacks are estimated to cost between $20,000-$40,000 per hour. Taking a preemptive approach to beating DDoS attacks is essential for staying online. Before we look at how to stop a DDoS attack, we first need to outline what a DDoS attack is.

The terrifying thing about DDoS attacks is that they can happen to anyone. Even multinational organizations with dedicated cybersecurity professionals aren’t immune from being attacked.

There are countless examples of large vendors being derailed by an opportunistic attacker:

  • On 28th February 2018, GitHub was hit by a gigantic DDoS attack that peaked at 1.35 Tbps
  • On 30th September 2017, a DDoS attack put the UK National Lottery offline
  • On 21st October 2016, Dyn was attacked by a Mirai botnet that sent traffic over port 53
  • On 31st December 2015, BBC sites including BBC iPlayer were disrupted by a 602 Gbps DDoS attack

If you are here for the tools and haven’t got time to read the whole post, here is our summary list of the best tools to stop DDoS attacks:

  • SolarWinds Security Event Manager (FREE TRIAL) Host-based intrusion prevention system that will shut down access to sources detected to be performing a DDoS attack. Runs on Windows Server.
  • Sucuri Website Application Firewall (LEARN MORE) An edge service that protects your web servers by standing in front of them and filtering out malicious activity from general traffic.
  • Paessler PRTG Network Monitor An all-in-one network, server, and application monitor that includes traffic analyzers that alert when excessive traffic volumes arise. Runs on Windows Server.

How does a DDoS attack work?

To take a network offline, the attacker needs a group of devices to launch the attack from. To build that group, the attacker infects a large number of computers with malicious software. The network of infected computers forms a botnet: a set of devices under the attacker’s control that can be directed to flood a target network with traffic.

If enough traffic is sent to the network, it is put out of action. Verisign’s DDoS Trends Report found that the average peak DDoS attack size is 11.2 Gbps. Given the damage that a successful attack can cause, it is important for enterprises to be able to protect themselves against these attacks.

Why Do People Launch DDoS Attacks?

Unfortunately, there are many reasons why individuals and groups carry out DDoS attacks. Some attackers are motivated by putting competitors out of action whereas others are motivated by political reasons. A handful are just looking to cause trouble for the sake of it.

It isn’t uncommon for individuals to pay for cybercriminals to launch a botnet on their behalf. While there are many reasons for DDoS attacks the end result is the same; service disruption and downtime.

Ultimately, understanding why attackers launch attacks isn’t as important as knowing how to stop an attack. Well-defined cybersecurity procedures will give you a chance to defend yourself no matter who is trying to attack you, and could help you to stay up if the time comes.

Types of DDoS Attacks

Defending against DDoS attacks starts with awareness of the types of DDoS attack you can encounter. Generally, DDoS attacks fall into three main types: volume-based attacks, protocol attacks and application-layer attacks. Each works in a different way:

Volume Based Attacks

Volume-based attacks are DDoS attacks that rely on sheer traffic volume to disrupt a service. They include packet floods such as UDP floods and ICMP floods. In a UDP flood, the attacker sends UDP packets to random ports on a computer or network. The host checks each port for a listening application and finds none; the effort of handling every packet congests the network.

Protocol Attacks

Protocol attacks are DDoS attacks that abuse the way network protocols work in order to tie up server resources. Common protocol attacks are Ping of Death, SYN floods and smurf attacks. In a SYN flood, the attacker sends spoofed SYN messages to initiate TCP handshakes with a machine without ever completing them.

Application Layer Attacks

Application layer attacks target the top layer of the OSI model in an attempt to consume server and network resources. They are popular because the attacker needs only a small amount of bandwidth to have a large effect. Slow-rate and “low and slow” attacks are common application-layer attacks that businesses encounter. A low and slow attack uses a small, steady trickle of traffic to tie up application or server resources rather than overwhelming the link.
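The three patterns above (UDP packets sprayed across many ports, SYNs that are never acknowledged, and tiny payloads dribbled onto one connection over a long time) can each be recognised from a packet capture. The classifier below is an added example written for this article, not code from any product mentioned here; the thresholds, the `Packet` record and the sample capture are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    """Minimal per-packet summary, as a capture tool might export it (constructed)."""
    ts: float      # seconds since the start of the capture
    src: str       # source IP address
    proto: str     # "udp" or "tcp"
    dport: int     # destination port
    flags: str     # TCP flags such as "S", "A", "PA"; "" for UDP
    payload: int   # payload length in bytes


# Illustrative thresholds (assumptions, not values from any vendor).
UDP_FLOOD_MIN_PACKETS = 50     # many UDP packets ...
UDP_FLOOD_MIN_PORTS = 30       # ... to many different ports
SYN_FLOOD_MIN_SYNS = 50        # many SYNs ...
SYN_FLOOD_MAX_ACK_RATIO = 0.1  # ... almost never followed by an ACK
SLOW_MIN_PACKETS = 10          # a sustained trickle ...
SLOW_MIN_GAP_SECONDS = 5.0     # ... with long pauses between packets
SLOW_MAX_PAYLOAD = 20          # ... carrying only a few bytes each


def classify_sources(packets):
    """Return {source_ip: label} for every source matching one of the three patterns."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)

    verdicts = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)

        # Volume-based: a UDP flood sprays packets over random ports.
        udp = [p for p in pkts if p.proto == "udp"]
        if len(udp) >= UDP_FLOOD_MIN_PACKETS and len({p.dport for p in udp}) >= UDP_FLOOD_MIN_PORTS:
            verdicts[src] = "udp_flood"
            continue

        # Protocol: a SYN flood opens handshakes it never completes.
        syns = [p for p in pkts if p.proto == "tcp" and p.flags == "S"]
        acks = [p for p in pkts if p.proto == "tcp" and "A" in p.flags]
        if len(syns) >= SYN_FLOOD_MIN_SYNS and len(acks) / len(syns) <= SYN_FLOOD_MAX_ACK_RATIO:
            verdicts[src] = "syn_flood"
            continue

        # Application layer: low and slow sends tiny payloads with long gaps.
        data = [p for p in pkts if p.proto == "tcp" and p.payload > 0]
        if len(data) >= SLOW_MIN_PACKETS:
            gaps = [b.ts - a.ts for a, b in zip(data, data[1:])]
            if mean(gaps) >= SLOW_MIN_GAP_SECONDS and max(p.payload for p in data) <= SLOW_MAX_PAYLOAD:
                verdicts[src] = "low_and_slow"
    return verdicts


def sample_capture():
    """Constructed capture: one normal client plus one source per attack pattern."""
    pkts = [  # normal client: complete handshake, then an ordinary request
        Packet(0.00, "10.0.0.5", "tcp", 443, "S", 0),
        Packet(0.01, "10.0.0.5", "tcp", 443, "A", 0),
        Packet(0.02, "10.0.0.5", "tcp", 443, "PA", 512),
    ]
    # UDP flood: 200 packets to 200 different ports in a fifth of a second
    pkts += [Packet(i * 0.001, "198.51.100.7", "udp", 1024 + (i * 7919) % 60000, "", 64)
             for i in range(200)]
    # SYN flood: 120 SYNs, none of them ever acknowledged
    pkts += [Packet(i * 0.002, "203.0.113.9", "tcp", 80, "S", 0) for i in range(120)]
    # Low and slow: an 8-byte fragment every ten seconds for two minutes
    pkts += [Packet(i * 10.0, "192.0.2.44", "tcp", 80, "PA", 8) for i in range(12)]
    return pkts


if __name__ == "__main__":
    for src, label in classify_sources(sample_capture()).items():
        print(f"{src:15} {label}")
```

The normal client is not flagged because it completes its handshake and sends a full-sized payload; on real captures the thresholds need tuning per service, and the low-and-slow check in particular should be compared against the server’s own request timeout.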

DDoS Attack Prevention Strategy

Once you know what a DDoS attack is, you can start to design a strategy to prevent future attacks. An effective DDoS prevention strategy has several core components:

  • A log analysis tool
  • A web application firewall
  • A NetFlow analyzer
  • In-house DDoS experts

DDoS Prevention Tool #1: Detecting Attacks with Log Management Tools

SolarWinds Security Event Manager (FREE TRIAL)

Defending against DDoS attacks before they take place is all about visibility. Transparency over your log data shows you what is happening in your local environment. SolarWinds Security Event Manager is a real-time log management solution that presents log data as it arrives, so you can spot unusual activity on your network as it happens.


The tool also has alerts with automated responses to cut off DDoS attacks once they’ve been launched. To make sure that you aren’t vulnerable to known bad actors, SolarWinds Security Event Manager scans lists of known malicious devices and can automatically create an alert or block the IP outright.

Automatic responses are effective at reducing your exposure to attackers by decreasing your response time. The lower your response time is, the better able you are to minimize the damage of an attack.

If a DDoS attack does get through your defenses you can use root cause analysis to see where the attack originated. Root cause analysis helps you to tweak your security procedures to make sure that future attacks don’t affect your service. You can download the free trial here.
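The two behaviours described for a log manager in this section, matching sources against a list of known malicious addresses and raising an alert when one source exceeds a request threshold, can be replayed over web server logs. The script below is an added example, not SolarWinds code or a description of its internals; the log lines, the reputation list and the thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, deque
from datetime import datetime

# Apache/nginx "combined" style access log line: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed stand-in for a vendor reputation feed; documentation ranges, not real IoCs.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """Return (ip, timestamp, request) for a valid log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request


def is_known_bad(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def analyze(lines, window_seconds=10, max_requests=50):
    """Replay log lines (each source's lines in time order) and return the
    actions a log manager would take plus a root-cause summary by /24."""
    actions, blocked, alerted = [], set(), set()
    recent = {}               # ip -> deque of timestamps inside the sliding window
    per_network = Counter()   # requests per /24, for the post-event root-cause view
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _request = parsed
        per_network[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        if ip in blocked:
            continue
        if is_known_bad(ip):                       # automatic block: listed source
            blocked.add(ip)
            actions.append(("block", ip, "listed in malicious-source feed"))
            continue
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests and ip not in alerted:   # alert: unlisted flooder
            alerted.add(ip)
            actions.append(("alert", ip, f"{len(q)} requests in {window_seconds}s"))
    return {"actions": actions, "top_networks": per_network.most_common(3)}


def sample_log():
    """Constructed log: a normal visitor, a listed bad source, and an unlisted flooder."""
    line = '{ip} - - [21/Oct/2016:13:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [line.format(ip="203.0.113.10", sec=s, path="/") for s in (0, 3, 7)]
    lines += [line.format(ip="198.51.100.77", sec=s, path="/login") for s in range(5)]
    lines += [line.format(ip="192.0.2.200", sec=s // 10, path=f"/?q={s}") for s in range(80)]
    return lines


if __name__ == "__main__":
    result = analyze(sample_log())
    for action in result["actions"]:
        print(action)
    print("top networks:", result["top_networks"])
```

The `top_networks` summary counts every line, including those from sources that were blocked part-way through, so it answers the root-cause question of where the traffic actually came from rather than only what got through.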


DDoS Protection Tool #2: Protecting a Website from a DDoS Attack with a WAF

Sucuri Website Application Firewall (LEARN MORE)

A Web Application Firewall (WAF) should be at the heart of your DDoS defense strategy. A web application firewall filters and monitors HTTP traffic to find malicious activity. Once bad traffic is recognized the firewall can block it and blacklist the IPs of the machines involved.


Web application firewalls are essential for blocking the bad traffic from a DDoS attack that could otherwise put your website offline. Sucuri’s WAF is an industry-standard web application firewall that comes with a website antivirus. The tool has been designed specifically to defend against DDoS attacks on layers 3, 4, and 7 of the network.

To defend against attackers Sucuri enables you to configure custom rulesets to filter out suspicious traffic and block botnets from trying to consume your bandwidth. As an added bonus, Sucuri can also block malware, zero-day attacks and brute force hacks.
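The filtering a WAF performs in front of a web server, applying a custom ruleset to each request, rate-limiting each source and blocklisting sources that keep misbehaving, looks like the following when written out. This is an added example written for this article, not Sucuri’s code or ruleset; the rules, the rate parameters and the simulated traffic are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    src_ip: str
    method: str
    path: str
    headers: dict


class TokenBucket:
    """Per-source rate limiter. Time is integer milliseconds and tokens are
    integer millitokens, so the refill arithmetic is exact."""

    def __init__(self, burst, per_second, now_ms):
        self.capacity = burst * 1000
        self.rate = per_second     # tokens/second == millitokens/millisecond
        self.tokens = self.capacity
        self.last = now_ms

    def allow(self, now_ms):
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


# Custom ruleset (constructed): name -> predicate that is True when the request is dropped.
RULES = [
    ("missing-host", lambda r: "Host" not in r.headers),
    ("empty-user-agent", lambda r: not r.headers.get("User-Agent", "").strip()),
]


class Waf:
    def __init__(self, rules, per_second=5, burst=10, ban_after=20):
        self.rules = rules
        self.per_second, self.burst, self.ban_after = per_second, burst, ban_after
        self.buckets = {}          # src_ip -> TokenBucket
        self.blocklist = set()     # sources that are dropped outright
        self.strikes = Counter()   # rate-limit hits per source

    def handle(self, req, now_ms):
        """Return 'allow', the name of the rule that matched, 'rate-limited' or 'blocklisted'."""
        if req.src_ip in self.blocklist:
            return "blocklisted"
        for name, matches in self.rules:
            if matches(req):                 # rule hit: drop and remember the source
                self.blocklist.add(req.src_ip)
                return name
        bucket = self.buckets.get(req.src_ip)
        if bucket is None:
            bucket = self.buckets[req.src_ip] = TokenBucket(self.burst, self.per_second, now_ms)
        if bucket.allow(now_ms):
            return "allow"
        self.strikes[req.src_ip] += 1        # too fast: drop, and ban persistent offenders
        if self.strikes[req.src_ip] >= self.ban_after:
            self.blocklist.add(req.src_ip)
        return "rate-limited"


def simulate():
    """Constructed traffic: a normal visitor, a malformed client, and one flooding source."""
    waf = Waf(RULES)
    outcomes = Counter()
    ok = {"Host": "shop.example", "User-Agent": "Mozilla/5.0"}
    outcomes[waf.handle(Request("203.0.113.10", "GET", "/", ok), 0)] += 1
    for t in (5, 6):  # two requests without a Host header
        outcomes[waf.handle(Request("198.51.100.5", "GET", "/", {"User-Agent": "x"}), t)] += 1
    for i in range(40):  # 40 requests in 400 ms from one source
        outcomes[waf.handle(Request("192.0.2.77", "GET", "/search", ok), i * 10)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate())
```

With a burst of 10 and a refill of 5 requests per second, the flooding source gets its first ten requests through, then one more once the bucket has refilled, and is blocklisted after its twentieth rate-limit hit; the normal visitor is never affected because buckets are kept per source.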


DDoS protection Tool #3: Using a NetFlow Analyzer to Capture Suspicious Traffic

Paessler PRTG Network Monitor

The biggest risk to your network is the volume of traffic that an attacker can send. The amount of traffic a botnet can muster determines the severity of the attack. NetFlow analyzers are excellent at picking up the traffic spikes that indicate an attack.


NetFlow analyzers like Paessler PRTG Network Monitor can show you fluctuations in network traffic and show you when you’re under attack. The NetFlow V5, NetFlow V9, and IPFIX Sensors can show you if malicious traffic is being sent your way. There are graphs of your live traffic data where you can look out for unusual traffic peaks.

You can even configure alert thresholds so that you are sent a notification if traffic reaches a certain level. Having transparency over network traffic helps you leap into a response as soon as an attack hits your network.


Hiring In-House DDoS Experts or a Managed Application Security Vendor

If you have the budget for it, hiring in-house cybersecurity experts to combat DDoS attacks can also be extremely beneficial. Experienced cybersecurity professionals will be familiar with the types of attack that cybercriminals use and be able to identify where your organization is vulnerable. Knowledgeable cybersecurity professionals are particularly useful for dealing with the trickier layer 7 attacks that attackers are increasingly resorting to.

However, if you cannot afford in-house staff, you can get good results by investing in a managed security provider that offers ongoing traffic monitoring and penetration testing.

Working with a managed security provider still gives you the benefit of expert guidance, but without some of the overhead that comes with hiring a full-time employee. A managed security provider is an excellent option for accessing additional expertise while staying cost-efficient.

Other Best Practices for Dealing with DDoS Attacks

There are a number of best practices that you can incorporate to work alongside your defense measures. These are as follows:

  • Overprovision server bandwidth
  • Use a Content Distribution Network (CDN)
  • Secure your network

Overprovision server bandwidth

Overprovisioning is the practice of purchasing more server bandwidth than you need for day-to-day operations. Having a higher bandwidth capacity gives you more resistance against an attack. The reason is that the attacker needs to send a higher volume of traffic to disrupt your service. Overprovisioning can help counter some lower volume attacks.

Use a CDN

DDoS attacks work by targeting your hosting server but if you spread your data across several global servers, there’s no single point of failure. Having no single point of failure means that you can’t be put offline by one server failure because you’ll still have other servers available to work with. A CDN is an excellent method for staying resilient against attacks.

Secure your network

Making sure that your network is secure from attackers is essential for avoiding an attack. To keep your network secure, you should not only scan your network infrastructure for vulnerabilities but also run an intrusion detection system alongside your log management solution.

Train your Employees

Educating employees on the dangers of cyberattacks and how to secure network devices is paramount to preventing damage to your network. Your employees will be the people on the ground when an attack happens. Training them how to spot malware or suspicious activity and how to respond in an attack will minimize the potential damage of an attack.

Tips for Responding to a DDoS attack

Even with the best strategy in the world, you can’t prevent a DDoS attack from slipping through the net. It is vital to have a plan for how to respond once you know an attack is happening. How you respond once an attack goes live will determine how much damage is done and how long you are offline for. Here are some tips for responding to a DDoS attack:

  1. Know the Signs of an Attack

The first thing you need for a prompt response to an attack is to educate yourself and your employees on the signs of an attack. Are devices unable to access the internet? Is there a ton of unusual traffic on the network? Being able to spot the tell-tale signs of an attack will speed up your responses. Employees can’t spring into action to address an attack if they don’t recognize an attack has taken place!

A bandwidth monitoring tool can be instrumental in looking out for large amounts of traffic on your network. You have a small window of time before your server is overwhelmed to clear server logs to help stay online.

  2. Diagnose the origin of the attack

In order to respond effectively, you need to know where the attack is coming from and what type of attack it is. Restoring operations to your network quickly is impossible if you don’t know where the attack is coming from. In the event that you can’t tell the origin, you will be forced to take a hit and wait for the attack to pass.

  3. Analyze the attack post-event

Once the attack has passed it is time to evaluate what happened. Identify whether there were any vulnerabilities or inadequacies in your response process. Could your bandwidth monitoring tool have better visibility? Could your team’s communication be better or your response time faster? Identifying these areas for improvement is a great way to make sure that you’re prepared if you ever encounter another DDoS attack.

The Key to a Successful Defense: Prevention and Fast Responses

Prevention and fast responses are the core elements of a DDoS defense strategy. Tools like log management solutions, website firewalls or network analyzers will help you catch attacks early but they aren’t enough on their own to stop attacks from affecting your bottom line.

A large degree of your resistance to an attack will depend on how quickly your team responds under pressure. Building an employee culture that emphasizes cybersecurity and recognizes how to fight a DDoS attack will reduce the damage if an attacker slips through the net.