Your eCommerce site has just gone down and the network is grinding to a halt. Your company is about to experience a DDoS attack that will end up costing it millions in lost sales and productivity.
That’s unless you have taken steps to mitigate the risk of a DDoS attack, and have a plan in place that you can swing into action as soon as the first signs of an attack appear.
What sort of plan? Read on for our top ten tips and best practices to protect your network from DDoS, so you can hold onto those millions.
What is a DDoS attack?
A DDoS — or distributed denial of service — attack is a very basic form of cyberattack, but its effects can be devastating. Essentially it involves organizing for a large amount of data traffic from numerous sources to converge on your computer systems, preventing legitimate traffic (such as customers seeking to make a purchase) from reaching you.
Based on the most recent data available, DDoS attacks have continued to scale to massive volumes. In 2022, Cloudflare reported mitigating a 2.5Tbps DDoS attack launched by a Mirai botnet variant, which targeted the Minecraft server, Wynncraft. This is the largest attack they’ve seen from the bitrate perspective, exceeding the previous record of Amazon’s 2.3Tbps attack in 2020.
In the same year, Google Cloud also reported blocking a massive Layer 7 DDoS attack that peaked at 46 million requests per second, marking it as the largest Layer 7 DDoS reported to date, at least 76% larger than the previously reported record.
The fact that the attack is distributed, meaning that it comes from many different sources, such as zombie computers which are part of a botnet, makes it very difficult for cybersecurity systems to trace and stop it. And because some attacks use amplification techniques, the attacker can use a relatively small volume of traffic to attack your systems with a far greater volume.
What is DDoS attack mitigation?
DDoS attack mitigation refers to the process of protecting a network or server from a DDoS attack. This involves detecting the attack, distinguishing it from normal traffic, and responding to it in a way that minimizes its impact. DDoS mitigation strategies can include a variety of techniques, such as rate limiting, IP blocking, and traffic rerouting.
Types of DDoS attacks
At the highest level, there are three forms of DDoS attack. These are:
- Volumetric attacks: These rely on the sheer volume of traffic hitting your network to bring it to a standstill.
- Protocol attacks: These use malicious connection requests and similar techniques that use up all the resources on your firewalls, load balancers, and servers.
- Application-level attacks: These use techniques such as opening large numbers of connections and initiating requests which use up all available disk space or memory on your web servers.
A DNS amplification attack is one form of volumetric attack. It involves querying DNS servers using a spoofed source IP address: your IP address. Since the DNS servers’ reply contains much more data than the original request, the attack is “amplified,” and this amplified traffic is sent to your network to overwhelm it.
A SYN flood is a very simple form of protocol attack. It works by sending SYN requests to your web server, but after sending out its SYN-ACK response the three-way handshake is never completed with an ACK. That means the server experiences a rapidly increasing number of half-open connections until it is overwhelmed and (probably) crashes. SYN flood attacks are the most common form of DDoS attack, according to Comparitech.
There are many other types of DDoS attacks, with names such as Ping of Death, Smurf Attack, Slowloris, and Fraggle Attack. Each one is a different means to the same end — to bring your systems to a standstill so that legitimate traffic is unable to interact with your network.
Best practices for DDoS mitigation
Here are ten best practices to implement when developing your DDoS mitigation strategy.
1. Have a plan
One of the most important measures you should have in place to mitigate a DDoS attack is a response plan or playbook that you can consult as soon as the attack is detected. This should include contact details for your ISP, hosting provider, or DDoS mitigation service so that you can quickly increase your bandwidth or other resources, divert your traffic, and take any other response measures.
One of the most effective ways of dealing with a large DDoS attack is to divert your traffic (using DNS or even BGP changes) to one of the huge cloud-based DDoS mitigation services — such as those operated by Akamai, Cloudflare, and AWS — which can “scrub” enormous volumes of DDoS traffic so that malicious traffic is dumped while legitimate traffic is allowed through to your network.
2. Understand your traffic
After setting up your emergency plan, the first step in DDoS mitigation is understanding your normal traffic patterns. This includes knowing the volume, sources, and destinations of your traffic. By understanding what is normal, you can more easily identify when a DDoS attack is occurring.
3. Design a resilient architecture
Ensure that your IT infrastructure doesn’t have a single point of failure that DDoS attacks can exploit. In practice this means ensuring that you have geographical and service provider diversity: locating servers in different data centers in different geographical areas, and ensuring those data centers are on different networks and have diverse paths.
This may seem unnecessarily complex or costly, but an added benefit of this approach is that it is also best practice for business continuity and disaster recovery purposes.
4. Implement redundancy
Redundancy is a key component of any DDoS mitigation strategy. This includes having multiple servers, data centers, and ISPs to ensure that if one is taken down by a DDoS attack, others can continue to operate.
5. Use rate limiting
Rate limiting can help prevent your servers from becoming overwhelmed during a DDoS attack. By limiting the number of requests a server will accept from a single IP address in a given amount of time, you can help prevent your servers from becoming overwhelmed.
6. Make sure you have plenty of bandwidth
DDoS attacks can scale to huge volumes of data so it is best to have plenty of bandwidth. However, the Cloudflare Report and the Google Cloud Layer 7 DDoS attack referenced earlier underscore the fact that trying to beat all DDoS attacks with bandwidth alone is impractical.
But ensuring you have plenty of bandwidth to your network is still a good cybersecurity measure because it can gain you extra time from the point when you detect a DDoS attack to the point where your systems would become unavailable, and you can use that time to mitigate the attack.
Having plenty of bandwidth available — either permanently or as burst capacity — is a good idea to help you deal with spikes in traffic or periods of very high demand for your services.
7. Take advantage of all other available technical measures
Ensure that you have configured your network hardware to take advantage of any anti-DDoS cybersecurity features that they come with. For example, many commercially available network firewalls, web application firewalls, and load balancers can defend against protocol attacks and application-layer attacks (such as Slowloris). Most also have settings that allow you to start closing out TCP connections once they reach a certain threshold, which can be an effective way of protecting against SYN flood attacks.
If you find yourself under attack, there are many countermeasures you can take to buy yourself more time, depending on the type of attack you are experiencing. These include rate limiting your router to prevent your web server from getting overwhelmed, adding filters to make your firewall drop packets from known attack sources, timing out half-open connections more aggressively, and setting lower SYN, ICMP, and UDP flood drop thresholds.
You should also consider deploying an anti-DDoS cybersecurity appliance that sits in front of your main firewall to try to detect and block some DDoS attacks before they begin to impact your operations. Even if an anti-DDoS appliance is unable to prevent an attack from succeeding, it may be able to spot some of the tell-tale signs that an attack is developing, allowing you to take early action to counter it.
8. Employ DDoS Protection Services
There are many DDoS protection services available that can help mitigate the effects of a DDoS attack. These services can detect and respond to DDoS attacks, often before they impact your network. See more about these below.
9. Know how to spot an attack
The earlier you can detect a DDoS attack the better. Typical warning signs include network slowdowns, intermittent website and intranet problems, and poor network performance.
Based on Best Practice #2 above, you should have a good understanding of your regular traffic. You should also be aware of any business activities which might change the incoming traffic profile.
That’s because many DDoS attacks start as sharp spikes in traffic, so you need to be able to tell the difference between a sudden surge of legitimate visitors (perhaps due to a promotion or some other business activities) and the start of a DDoS attack.
10. Regularly test your DDoS mitigation strategy
Regular testing of your DDoS mitigation strategy is essential. This can help you identify any weaknesses in your strategy and make necessary adjustments. Here’s how you can approach it:
Simulate DDoS attacks
One of the most effective ways to test your DDoS mitigation strategy is to simulate a DDoS attack on your own network. This can be done using various tools and techniques that generate high volumes of traffic to your network, mimicking the conditions of a real DDoS attack. This allows you to assess how your network would respond under such conditions and identify any potential vulnerabilities.
Review and update your plan
After conducting a simulated attack, it’s crucial to review the results and update your DDoS mitigation strategy accordingly. This could involve adjusting your rate limiting settings, updating your IP blocklists, or implementing new traffic rerouting strategies. It’s also a good time to ensure that your team is well-versed in the plan and knows what to do in the event of an actual attack.
Involve your DDoS mitigation service provider
If you’re using a DDoS mitigation service, involve them in your testing process. They can provide valuable insights and recommendations based on their expertise and experience with DDoS attacks. They may also be able to assist with the simulation of DDoS attacks, providing a more realistic testing environment.
Keep up with continuous monitoring
Regular testing should be complemented by continuous monitoring of your network traffic. This can help you detect any unusual activity that could indicate a DDoS attack. Early detection is key to minimizing the impact of an attack.
3 top DDoS attack mitigation services
There are numerous DDoS attack mitigation services available, each offering a unique set of features and capabilities. Here are three top services, each providing robust protection against DDoS attacks.
Cloudflare offers robust DDoS protection services that are designed to protect anything connected to the internet. Here are some key features and offerings, including three types of DDoS protection services:
- Web Services (L7) website DDoS protection: This service is unmetered and free in all Cloudflare website application service plans. It offers unlimited and unmetered DDoS attack mitigation and protection for websites (HTTP/HTTPS). The setup is easy from the Cloudflare dashboard or API.
- Spectrum (L4) application DDoS protection: This is a reverse proxy, pay-as-you-go service for all TCP/UDP applications (gaming, VOIP, etc.). It allows any TCP/UDP traffic to be proxied through Cloudflare Spectrum and offers integrated performance benefits. It also provides the ability to load balance Layer 4 traffic across multiple servers.
- Magic Transit (L3) network DDoS protection: This service is for on-premise, cloud, and hybrid networks. It combines DDoS protection, traffic acceleration, and more. It has over 197Tbps of network capacity and can mitigate most attacks in under 3 seconds. It integrates via BGP routing and GRE encapsulation and supports all IP services (TCP, UDP, IPSec, VoIP, custom protocols).
- Enterprise-only features: Enterprise customers get access to 24/7/365 support via chat, email, and phone; a 100% uptime guarantee with 25x reimbursement SLA; and predictable flat-rate pricing for usage-based products; as well as advanced cache controls, bot management, access to raw logs, firewall analytics, role-based access, and network prioritization.
Akamai is a global leader in Content Delivery Network (CDN) services, cloud security, and distributed network solutions. Their DDoS protection solutions are part of their broader security portfolio, designed to defend against both small-scale and large-scale DDoS attacks.
- Prolexic Routed: This service provides always-on DDoS protection for critical IP subnets, helping to absorb the full force of DDoS attacks at the network edge before they reach the application infrastructure. It can defend against all types of DDoS attacks and is backed by a robust SLA.
- Prolexic Connect: This is an on-demand DDoS protection service that can be activated when an attack is detected. It provides the flexibility to only route traffic through Akamai’s scrubbing centers during an attack, reducing the impact on normal operations.
- Kona Site Defender: This is a web application firewall and DDoS protection service that defends against application-layer DDoS attacks. It can be combined with Prolexic services for comprehensive DDoS protection.
- Akamai Intelligent Platform: Akamai’s platform is one of the world’s largest distributed computing platforms. It uses this platform to distribute content and applications, accelerating delivery and improving performance, but it also leverages this platform for security. The platform’s scale and distribution help to absorb and mitigate DDoS attacks.
- Security Operations Center: Akamai’s 24/7 Security Operations Center (SOC) monitors and mitigates attacks in real-time. The SOC is staffed by security experts who can provide immediate assistance during an attack.
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. AWS Shield provides automatic DDoS protection for all AWS customers at no additional cost with AWS Shield Standard. For higher levels of protection against larger and more sophisticated attacks, AWS Shield Advanced is available. Here are some key features and capabilities:
- DDoS cost protection: AWS Shield Advanced provides financial protection by covering extra data transfer costs that can be incurred during a DDoS attack.
- 24/7 DDoS Response Team (DRT) access: AWS Shield Advanced customers have access to the AWS DRT around the clock. The DRT has extensive experience in managing large-scale DDoS attacks and can assist in creating incident response plans, mitigating attacks, and answering technical questions.
- Advanced threat intelligence: AWS Shield Advanced customers receive detailed threat intelligence reports during and after attacks. These reports contain information about the attacker’s methods and strategies, which can be used to further improve defenses.
- Web application firewall integration: AWS Shield works seamlessly with AWS Web Application Firewall (WAF), providing comprehensive protection against DDoS and other complex attacks on web applications.
- Cost-effective scaling: AWS Shield and the broader AWS infrastructure are designed to scale automatically in response to traffic demands, including during a DDoS attack. This can help to ensure application availability without incurring unnecessary costs.
- Protection for non-AWS resources: With AWS Shield Advanced, you can also protect your non-AWS resources by deploying AWS Global Accelerator and associating it with Shield Advanced.
Bottom line: DDoS mitigation best practices in a changing threat landscape
In the face of ever-evolving cyberthreats, DDoS mitigation is not a one-time fix but a continuous journey. It demands constant vigilance, regular adjustments, and a proactive approach to stay ahead of potential attacks.
By following these ten best practices, you can significantly reduce the risk and impact of these attacks.
But remember, the key to effective DDoS mitigation is not just preparation and quick response, but also the ongoing commitment to adapt and evolve your strategies in line with the changing threat landscape. Cybersecurity professionals must remain vigilant and proactive, ensuring networks are not just protected today, but are ready to face the challenges of tomorrow.
Partner with one of the best DDoS protection services to rest assured your network is safe from these attacks.