Your eCommerce site has just gone down and the network is grinding to a halt. Your company is about to experience a DDoS attack that will end up costing it millions in lost sales. That’s unless you have taken steps to mitigate the risk of a DDoS attack, and have a plan in place that you can swing into action as soon as the first signs of an attack appear.
What is a DDoS Attack?
A DDoS — or distributed denial of service — attack is a very basic form of cyberattack, but its effects can be devastating. Essentially it involves organizing for a large amount of data traffic from numerous sources to converge on your computer systems, preventing legitimate traffic (such as customers seeking to make a purchase) from reaching you. 73% of all attacks last under an hour, according to Cloudflare, while nearly 9% last more than 24 hours.
The fact that the attack is distributed, meaning that it comes from many different sources, such as zombie computers which are part of a botnet, makes it very difficult for cybersecurity systems to trace and stop it. And because some attacks use amplification techniques (more on that later), the attacker can use a relatively small volume of traffic to attack your systems with a far greater volume.
Types of DDoS Attacks
At the highest level, there are three forms of DDoS attack. These are:
- Volumetric attacks – these rely on the sheer volume of traffic hitting your network to bring it to a standstill
- Protocol attacks – these use malicious connection requests and similar techniques that use up all the resources on your firewalls, load balancers and servers
- Application-level attacks – these use techniques such as opening large numbers of connections and initiating requests which use up all available disk space or memory on your web servers.
A DNS amplification attack is one form of volumetric attack. This involves querying DNS servers using a spoofed source IP address – your IP address. Since the DNS servers’ reply contains much more data than the original request, the attack is “amplified”, and this amplified traffic is sent to your network to overwhelm it.
A SYN flood is a very simple form of protocol attack. It works by sending SYN requests to your web server, but after sending out its SYN-ACK response the three-way handshake is never completed with an ACK. That means that the server experiences a rapidly increasing number of half-open connections until it is overwhelmed and (probably) crashes. SYN flood attacks are the most common form or DDoS attack, according to Comparitech
There are many other types of DDoS attacks, with names such as Ping of Death, Smurf Attack, Slowloris, and Fraggle Attack. Each one is a different means to the same end — to bring your systems to a standstill so that legitimate traffic is unable to interact with your network.
5 Ways to Mitigate DDoS Attacks
Tens of thousands of DDoS attacks are recorded every day. Evidence from 2020 shows that the attacks are growing in size, frequency, and duration. So what can you do to mitigate the threat of a DDoS attack? Here are five measures that you should ensure you have in place:
Design a resilient architecture
One key cybersecurity strategy to pursue is to ensure that your IT infrastructure doesn’t have a single point of failure that DDoS attacks can exploit. In practice this means ensuring that you have geographical and service provider diversity: locating servers in different data centers in different geographical areas, and ensuring those data centers are on different networks and have diverse paths.
This may seem unnecessarily complex or costly, but an added benefit of this approach is that it is also best practice for business continuity and disaster recovery purposes.
Take advantage of all available technical measures
Ensure that you have configured your network hardware to take advantage of any anti-DDoS cybersecurity features that they come with. For example, many commercially available network firewalls, web application firewalls, and load balancers can defend against protocol attacks and application-layer attacks (such as Slowloris). Most also have settings that allow you to start closing out TCP connections once they reach a certain threshold, which can be an effective way of protecting against SYN flood attacks.
If you find yourself under attack, there are many countermeasures you can take to buy yourself some more time, depending on the type of attack you are experiencing. These include rate limiting your router to prevent your Web server from getting overwhelmed, adding filters to make your firewall drop packets from known attack sources, timing out half-open connections more aggressively, and setting lower SYN, ICMP, and UDP flood drop thresholds.
You should also consider deploying an anti-DDoS cybersecurity appliance that sits in front of your main firewall to try to detect and block some DDoS attacks before they begin to impact your operations. Even if an anti-DDoS appliance is unable to prevent an attack from succeeding, it may be able to spot some of the tell-tale signs that an attack is developing, allowing you to take early action to counter it.
Know how to spot an attack
An anti-DDoS appliance can help, and the earlier you can detect an attack the better. Typical warning signs include network slowdowns, intermittent website and intranet problems, and poor network performance.
It’s a good idea to familiarize yourself with your typical inbound traffic profile, because the more you know about what your normal traffic looks like, the easier it is to spot when its profile changes. You should also be aware of any business activities which might change the incoming traffic profile.
That’s because many DDoS attacks start as sharp spikes in traffic, so you need to be able to tell the difference between a sudden surge of legitimate visitors (perhaps due to a promotion or some other business activities) and the start of a DDoS attack.
Make sure you have plenty of bandwidth
DDoS attacks can scale to huge volumes of data: Amazon sustained a 2.3 Tbps DDoS attack last year, while GitHub experienced a 1.34 Tbps attack in 2018. That means that trying to beat all DDoS attacks with bandwidth alone is impractical.
But ensuring you have plenty of bandwidth to your network is still a good cybersecurity measure because it can gain you extra time from the point when you detect a DDoS attack to the point where your systems would become unavailable, and you can use that time to mitigate the attack.
Having plenty of bandwidth available — either permanently or as burst capacity — is a good idea anyway to help you deal with spikes in traffic or periods of very high demand for your services.
Have a plan
One of the most important measures you should have in place to mitigate a DDoS attack is a response plan or playbook that you can consult as soon as a DDoS attack is detected. This should include contact details for your ISP, hosting provider or DDoS mitigation service so that you can quickly increase your bandwidth or other resources, divert your traffic, or take any other response measures.
One of the most effective ways of dealing with a large DDoS attack is to divert your traffic (using DNS or even BGP changes) to one of the huge cloud-based DDOS mitigation services, such as those operated by Akamai, Cloudflare, AWS, and Neustar, which can “scrub” enormous volumes of DDoS traffic so that malicious traffic is dumped while legitimate traffic is allowed through to your network.
Read next: Best Practices for Securing Edge Networks