How to Stop DDoS Attacks

A distributed denial of service (DDoS) attack begins by exploiting a vulnerability in the victim organization’s system security, where attackers repeatedly check the system to ensure the attack achieves maximum damage. It spreads via malware, shutting down the entire system and making the website inoperable.

There can be all kinds of reasons behind DDoS attacks, ranging from cybercrime to hacktivism to even bad luck. And while you may have taken the necessary precautions, the risks are ever-present. Eventually, someone out there will try and take you down, which is why you need to be prepared with an action plan.

This Nira guide will detail a step-by-step rundown to help you stop DDoS attacks to protect your system security and minimize any damage.

1. Identify the DDoS Attack

There can be tons of reasons why your website is performing negatively or has been taken offline. Your job is to identify when you’re under a DDoS attack—fast. The sooner you can establish your website problems, the sooner you can work on responding to the attack.

And no, you can’t just assume it’s a DDoS attack. For instance, a bot crawling your website can also severely reduce availability. If that’s the case, you’ll need a different solution.

To identify the DDoS attack early, you’ll have to familiarize yourself with your typical inbound traffic profile. Once you know what your normal traffic looks like, it’ll be easier to understand when the traffic profile changes and your website is in danger.

Check your log data for the following two signs of a DDoS attack:

  1. Massive spikes in traffic
  2. A high volume of requests from a single IP address in a short span of time

Alternatively, you can ping your website through an external source with free online tools like WebSitePlus to check availability and response time.

DDoS attacks have different time spans. They can happen quickly, where they take a site offline temporarily. Or they can negatively impact website performance over months. That’s why you should check logs periodically, set up alerts to flag anomalies, and be aware of your normal traffic patterns.

We also recommend nominating a DDoS leader in your company for handling these attacks.

2. Overprovision Bandwidth

Having more bandwidth available to your web server allows you to accommodate sudden and unexpected traffic surges that can lead to your website going down. (This kind of traffic surge doesn’t have to come from a DDoS attack, incidentally–it can also come from a special offer you put up or even a mention of your company on social media, for example.)

Admittedly, overprovisioning bandwidth—be it by 100% or 500%—won’t stop a DDoS attack. But it‘ll give you some precious time to plan and respond before your resources are overwhelmed. And being extra-prepared for a traffic surge is never a bad idea.

3. Defend Your Network Perimeter and Mitigate Suspicious Traffic

You can take a few measures to partially mitigate the effects of a DDoS attack, including:

  • Setting lower SYN, ICMP, and UDP flood drop thresholds
  • Dropping malformed or spoofed packages
  • Rate limiting your router
  • Adding filters to indicate your router to drop packets from obvious attacks sources
  • Giving timeouts to half-open connections

It can be tempting to block anything that looks even remotely suspicious, but permanently blacklisting every IP address that causes an alert can also result in blocking legitimate traffic (also known as false positives).

Instead, consider dropping questionable traffic or redirecting them to null routes, where source behavior can be observed properly. If the traffic tries to reconnect immediately, it’s likely from legitimate users. Malicious traffic will try switching IP addresses once it realizes it’s been discovered.

4. Contact Your ISP

Next, get in touch with your ISP—or hosting provider if you don’t host your own web server—and inform them about the attack and ask for help. It’s possible that the ISP or hosting company may have detected the attack already or in the worst-case scenario, may themselves start to be overwhelmed by it.

If your web server is located in a hosting center, they will likely have higher bandwidth and higher capacity routers than you, which enables them to respond to DDoS attacks faster. Let’s not forget they will also have experts who have experience in handling cyberattacks efficiently. The odds are just better this way.

If the DDoS attack is large enough, it’s likely your hosting company or ISP will “null route” your traffic, dropping packets meant for your web server before they arrive. This is done to stop the attack from overwhelming the ISP or hosting company’s servers, and in turn, affecting other customers.

While this may sound like the end to the ordeal, it isn’t. You still have to get the website back online.

To do this, your ISP or hosting company will divert traffic to a “scrubber.“ This is where all malicious packages will be removed, and legitimate ones sent on to your web server. That said, this technique isn’t effective for very large DDoS attacks.

5. Get in Touch With an Experienced Specialist

As mentioned, for very large DDoS attacks, you need to bring out the big guns.

Your best bet is to enlist the services of a DDoS mitigation company. They have a large-scale infrastructure, plus advanced technologies and tools and data scrubbing facilities that will help you get your website back quickly. But before you contact a DDoS mitigation company directly, speak to the support staff at your hosting company or ISP. Most of the time, they already have a partnership agreement with one to handle large-scale cyberattacks on their customers’ websites.

Keep in mind that DDoS mitigation services aren’t free. Subscribing to these services can involve a few hundred dollars a month. You decide whether you want to pay extra to get online or wait for the DDoS attack to subside and take a hit.

6. Don’t Panic

We probably should’ve started our tutorial with this step, but you must remain calm and think carefully.

When under a DDoS attack, everything will be going haywire—your support team will be inundated with calls, your company will be losing revenue, and your data’s security will be in danger. Everybody will be looking to you for directions, so make sure you don’t panic and maintain control of the situation.

Think fast, and you’ll be able to get your server working in no time.

Common Problems When Stopping DDoS Attacks

In this section, we will review a few of the main stumbling blocks you should be prepared for when stopping DDoS attacks. Let’s take a quick look.

Missing Early Warning Signs

Quickly identifying the signs of a DDoS attack means you can take timely action and mitigate the damage—or minimize it. However, getting to this stage takes knowledge and experience.

There is a common misconception that all DDoS attacks come with high traffic, which, in turn, makes eliminating warning signs easier. That unfortunately isn’t the case.

The common signs of a DDoS attack are slow website performance, poor connectivity, website crashes, and high demand for a single bench or endpoint. Sudden spikes in traffic from users with a common profile and suspicion traffic sourcing from a single or a small group of IP addresses can also be treated as red flags.

A low-volume DDoS attack with a short time span often goes undetected and is termed a random event. However, these attacks are generally a test or diversion for a more dangerous breach (think ransomware). As such, you should work on detecting a low-volume attack just like how you would prioritize a large-scale DDoS attack.

Not Having the Right Action Plan

You know you’re experiencing a DDoS attack. But what do you do next?

DDoS attacks are steadily growing over the years, accounting for over 55% of the overall annual cybercrime costs per organization. Given this rising magnitude, you need to have a solid DDoS attack plan, but deciding how to play it out can be challenging. More so if you’re new to the game.

Fortunately, you can implement a few best practices to curb the negative effects of a DDoS attack:

  • Invest in the appropriate technology, including cloud-based web servers, to prevent overwhelming your web servers and handle the overflow.
  • Carefully assess ongoing DDoS risks. It’s better to be overcautious rather than negligent when it comes to cybersecurity.
  • Provide your staff with adequate training to recognize the signs of a DDoS attack
  • Timely implement online outage mitigation and response strategies

Speaking of assessing ongoing DDoS risks…

Understanding Potential Damages

Understanding and assessing potential damages helps you determine how much you should spend on protecting your properties. Knowing this will help you prioritize your data and endpoints and minimize damage.

Some damages are direct, while others are indirect. Below, we’ve compiled a list of potential damages from a DDoS attack:

  • Loss of revenue, where you end up making a loss for the total time your website or application is down. For example, if your website generates $500,000 a day, you’ll end up losing over $20,000 for every hour of downtime.
  • Damage to reputation, where any loss of availability caused by a cyberattack will impact your company’s brand and reputation. According to Radware’s 2018 Application and Network Security Report, over 43% of companies experienced reputation loss as a result of falling victim to a cyberattack.
  • Loss of customers, which can be either direct (a customer chooses to abandon you as a result of a cyberattack) or indirect (potential customers who cannot open your website, causing you to lose business).
  • SLA obligations make it mandatory for certain applications and services bound by service commitments to refund customers, grant service credit, or even face lawsuits. A potential downtime caused by DDoS attacks can lead to a breach of SLA.
  • Productivity loss for organizations that heavily rely on online services, including email, CRM or databases, scheduling services, and so on. This results in loss of availability, which, in turn, results in loss of productivity and hinders workflow.

We hope this article helped you understand how to stop DDoS attacks effectively. Admittedly, things will be slightly trickier in the beginning, but once you get the hang of things, you’ll be able to identify and mitigate DDoS risks faster and more effectively.

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
CIO of 6sense

Incredible companies use Nira