How to Prevent a DDoS Attack
What is a DDoS Attack?
A distributed denial of service attack or DDoS is a common type of cyber attack where a malicious actor floods a web server, service or network with traffic to disrupt its normal operations.
DDoS attacks are carried out by overwhelming the targeted web server or network with messages, connection requests or fake packets. When the targeted server tries to accommodate all of these requests, it exceeds its bandwidth limit and slows down, crashes or becomes unavailable. A common analogy is a traffic highway: as you approach an intersection, if many more cars join in, the result is a traffic jam that stops everyone in their tracks, including the cars behind you.
If the targeted server is a critical system for your business, the attack can bring down the entire network infrastructure and bring your business operations to a halt. Moreover, during the server downtime, other types of attacks such as ransomware and extortion can also be launched, all of which result in massive economic consequences for businesses.
Usually the traffic comes from a group of compromised, malware-infected systems and devices called a botnet. As more devices, especially IoT devices, are connected to the internet, this type of cybersecurity threat has become easier to launch.
History of DDoS Attacks
Cyber-attacks are not a new phenomenon. The first DoS attack took place in 1974 and was the work of a curious 13-year-old boy in Illinois. He forced 31 University of Illinois computer terminals to shut down simultaneously by using a vulnerability in what was then the new “ext” command. In the 1990s, Internet Relay Chat was targeted through simple bandwidth DoS attacks and chat floods. But the first major DDoS, or distributed denial of service, attack came in 1999, when a hacker used a tool called “Trinoo” to disable the University of Minnesota’s computer network for 2 days. Other attacks followed, setting the groundwork for the larger, more widespread cyber-attacks we see today.
What Happens in a DDoS Attack
With all the damage that DDoS attacks can cause to your web property and business, it’s surprising how simple their premise really is. Web, DNS and application servers, routers, web application firewalls and internet bandwidth handle huge numbers of connections every day. A DDoS attack occurs when a series of compromised systems send hundreds or thousands more connections than the servers can handle. This can easily happen through the use of a botnet, a linked network of hijacked systems. Some DDoS attacks serve as a disguise while the attackers target the systems that control the sites and servers, leaving them open to infection by malware, often in the form of a Trojan. The infected system then becomes part of the botnet that attacked it in the first place. Attackers may target different parts of a company’s network at the same time, or they may use these DDoS events to cover up other crimes, such as theft or fraud.
Types of DDoS Attacks
DDoS attacks can vary based on the attack vectors used and the way in which they are used. Some of the common types of DDoS attacks are:
Volumetric Attacks
Volumetric attacks are aimed at a machine’s network connection in order to overwhelm its bandwidth. This is the most common type of DDoS attack; it works by saturating capacity with large volumes of bogus data requests. While the machine is busy checking these malicious requests, legitimate traffic cannot get through.
User Datagram Protocol (UDP) floods and Internet Control Message Protocol (ICMP) floods are two common forms of volumetric attack. In UDP attacks, attackers exploit the UDP format, whose fast transmission skips integrity checks, to generate amplification and reflection attacks. In ICMP floods, attackers direct bogus error requests at the target’s network nodes, which become overwhelmed and unable to respond to genuine requests.
Protocol Attacks
A protocol attack works by consuming server resources. It targets the parts of the network responsible for verifying connections by sending slow pings, malformed pings and partial packets. These end up overloading the memory buffer in the target computer and crashing the system. Since protocol attacks can also compromise web application firewalls (WAF), DDoS threats of this type cannot be stopped by firewalls.
The SYN flood attack is one of the most common types of protocol attack. It works by initiating a TCP/IP connection without completing it. The client sends a SYN (synchronize) packet, after which the server sends an ACK (acknowledge) back to the client. The client is then supposed to respond with another ACK packet but never does, leaving the server waiting on a half-open connection and tying up its resources.
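To make the build-up of half-open connections concrete, here is an added example (not code from the original article) that parses a constructed snapshot in the format of `ss -tan` output and raises alerts when SYN-RECV connections, in total or per peer, exceed assumed thresholds; the sample lines and thresholds are constructed.

```python
# Added example (not from the original article): flag a possible SYN flood from
# a snapshot of TCP socket states in the format printed by `ss -tan`.
# The snapshot below is constructed for illustration; thresholds are assumptions.
from collections import Counter

# Constructed `ss -tan`-style lines: State, Recv-Q, Send-Q, Local, Peer.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:443        198.51.100.7:51022
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40002
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:40003
SYN-RECV   0      0      10.0.0.5:443        203.0.113.11:40004
SYN-RECV   0      0      10.0.0.5:443        203.0.113.12:40005
ESTAB      0      0      10.0.0.5:443        198.51.100.8:51023
LISTEN     0      128    0.0.0.0:443         0.0.0.0:*
"""

def parse_half_open(ss_output: str):
    """Return (total half-open connections, Counter of half-open connections per peer IP)."""
    per_peer = Counter()
    for line in ss_output.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue                                # only half-open sockets count
        peer_ip = fields[4].rsplit(":", 1)[0]       # strip the port from the peer address
        per_peer[peer_ip] += 1
    return sum(per_peer.values()), per_peer

def syn_flood_alert(ss_output: str, max_half_open: int = 4, max_per_peer: int = 2):
    """Return a list of alert strings; an empty list means nothing suspicious.
    Both thresholds are assumptions to tune against your own server's normal backlog."""
    total, per_peer = parse_half_open(ss_output)
    alerts = []
    if total > max_half_open:
        alerts.append(f"{total} half-open connections exceed threshold {max_half_open}")
    for ip, n in per_peer.items():
        if n > max_per_peer:
            alerts.append(f"{ip} holds {n} half-open connections (limit {max_per_peer})")
    return alerts

if __name__ == "__main__":
    for alert in syn_flood_alert(SAMPLE_SS_OUTPUT):
        print("ALERT:", alert)
```

On Linux the kernel-level mitigation for this condition is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer SYNs without reserving backlog state for each half-open connection.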
Application Layer Attacks
These attacks focus on layer 7, the topmost layer in the Open Systems Interconnection (OSI) model. They target mainly web traffic and can be launched over HTTP, HTTPS, DNS or SMTP. They work by exploiting vulnerabilities in the application that prevent it from delivering content to users.
One reason application layer attacks are difficult to thwart is that they use far fewer resources, sometimes even just a single machine. This makes the traffic look like nothing more than a higher volume of legitimate requests and deceives the server.
It is also possible for hackers to combine these approaches to launch a multi-pronged attack on a target.
9 Ways to Prevent DDoS Attacks
Automation technology can partially help to prevent cyber-attacks, but protecting your website to the fullest extent also requires human intelligence and monitoring. Traditional web architectures aren’t sufficient on their own. A multi-layered cloud security architecture developed and monitored by experienced, committed engineers offers the best protection. Understanding how DDoS attacks work, and being familiar with the normal behavior of your network, are crucial steps in preventing the intrusions, interruptions and downtime caused by cyber-attacks. Here are some tips to help prevent a DDoS attack:
1. Implement sound network monitoring practices
The first step to mitigating DDoS threats is knowing when you are about to be hit by one. This means implementing technology that lets you monitor your network visually and in real time. Know how much bandwidth your site uses on average so that you can spot anomalies.
DDoS attacks offer visual clues, and if you are intimately familiar with your network’s normal behavior, you will be able to catch these attacks more easily in real time.
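One way to turn the "know your average bandwidth" advice into an automated check, as an added example that is not part of the original article: compare each minute's inbound traffic against a rolling baseline of recent normal minutes and flag surges. The per-minute figures are constructed, and the window, sigma and ratio parameters are assumptions to tune against your own network.

```python
# Added example (not from the original article): compare each minute's inbound
# traffic against a rolling baseline of recent normal minutes and flag surges.
# The per-minute Mbps figures are constructed; window, sigma and min_ratio are
# assumptions to tune against your own network's measured average.
import statistics

# Constructed average inbound Mbps per minute, e.g. from a router interface
# counter; the last three minutes show a sudden volumetric surge.
SAMPLE_MBPS = [410, 425, 398, 440, 415, 402, 433, 419, 1880, 2610, 2950]

def detect_surges(samples, window=6, sigma=3.0, min_ratio=2.0):
    """Return the indexes of samples that exceed mean + sigma*stdev of the
    preceding `window` clean samples AND exceed min_ratio times that mean.
    A flagged sample is kept out of the baseline, so an ongoing attack cannot
    raise its own threshold and hide the minutes that follow."""
    baseline, flagged = [], []
    for i, value in enumerate(samples):
        if len(baseline) >= window:
            mean = statistics.mean(baseline)
            stdev = statistics.pstdev(baseline) or 1.0   # guard a perfectly flat baseline
            if value > mean + sigma * stdev and value > min_ratio * mean:
                flagged.append(i)
                continue                                  # suspicious: not part of "normal"
        baseline.append(value)
        baseline = baseline[-window:]                     # keep only the most recent window
    return flagged

def baseline_mbps(samples, window=6):
    """Average of the last `window` clean samples: the 'normal' figure to know."""
    surges = set(detect_surges(samples, window))
    clean = [v for i, v in enumerate(samples) if i not in surges]
    return statistics.mean(clean[-window:])
```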
2. Practice basic security hygiene
There are some simple steps every business can take to ensure a basic level of security against DDoS threats. These include best practices such as using complex passwords, mandating password resets every couple of months and avoiding storing or writing down passwords in notes. These might sound trivial, but it is alarming how many businesses are compromised by neglecting basic security hygiene.
3. Set up basic traffic thresholds
You can partially mitigate DDoS attacks with a few other technical security measures. These include setting traffic thresholds and limits, such as rate limiting on your router and filtering packets from suspicious sources. Setting lower SYN, ICMP and UDP flood drop thresholds, IP blacklisting, geo-blocking and signature identification are other techniques you can adopt as a first level of mitigation. These are simple steps that can buy you time, but DDoS attacks are constantly evolving in sophistication, and you will need other strategies in place to fully thwart them.
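The rate limiting, IP blacklisting and geo-blocking mentioned above, shown together as an added example that is not code from the original article: a sliding-window per-source rate limiter that temporarily blocklists offenders, plus a country blocklist, run over constructed request events. The thresholds, block duration and the IP-to-country table are assumptions; a real deployment would use a GeoIP database and enforce the decision at the router, firewall or edge proxy.

```python
# Added example (not from the original article): sliding-window per-source rate
# limiting with automatic temporary blocklisting plus a country blocklist, run over
# constructed request events. Thresholds, block duration and the IP-to-country table
# are assumptions; real deployments use a GeoIP database and enforce at the edge.
from collections import defaultdict, deque

COUNTRY_OF = {"203.0.113.10": "ZZ", "198.51.100.7": "AA", "192.0.2.9": "BB"}  # constructed

class SourceRateLimiter:
    def __init__(self, max_requests=5, window_s=10, block_s=60, blocked_countries=()):
        self.max_requests = max_requests      # requests allowed per source per window
        self.window_s = window_s
        self.block_s = block_s                # how long an offender stays blocklisted
        self.blocked_countries = set(blocked_countries)
        self.history = defaultdict(deque)     # ip -> request timestamps inside the window
        self.blocked_until = {}               # ip -> time at which its block expires

    def decide(self, ts, ip):
        """Classify one request: 'allow', 'geo-block', 'blocklisted' or 'rate-limited'."""
        if COUNTRY_OF.get(ip) in self.blocked_countries:
            return "geo-block"
        if self.blocked_until.get(ip, 0) > ts:
            return "blocklisted"
        q = self.history[ip]
        while q and ts - q[0] >= self.window_s:      # expire timestamps outside the window
            q.popleft()
        q.append(ts)
        if len(q) > self.max_requests:
            self.blocked_until[ip] = ts + self.block_s   # automatic temporary blocklist
            q.clear()
            return "rate-limited"
        return "allow"

# Constructed events (unix_time, source_ip): one source bursts 8 requests in 8 seconds,
# then returns after its block has expired.
SAMPLE_EVENTS = [(100 + i, "203.0.113.10") for i in range(8)] + [
    (101, "198.51.100.7"), (102, "192.0.2.9"), (200, "203.0.113.10")]

def run(events, limiter=None):
    """Return [(ts, ip, decision)] for each event, processed in the order given."""
    limiter = limiter or SourceRateLimiter(blocked_countries={"BB"})
    return [(ts, ip, limiter.decide(ts, ip)) for ts, ip in events]
```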
4. Keep your security infrastructure up to date
Your network is only as strong as its weakest link. That is why it is important to be aware of legacy and outdated systems in your infrastructure, as these can often become entry points for attacks once they are compromised.
Keep your data center and systems updated, and patch your web application firewalls and other network security programs. Additionally, it is a good idea to work with your ISP or hosting provider and your security and data center vendors to implement other advanced protection capabilities.
5. Be ready with a DDoS response battle plan
When a DDoS attack hits, it will be too late to start thinking about the response. You need to have a response plan prepared in advance so that the impact can be minimized. A response plan should ideally include:
- Checklist of tools – a list of all the tools that will be deployed, including advanced threat detection, assessment and filtering software and hardware.
- Response team – a team of personnel with clearly defined roles and responsibilities to carry out once the attack is detected.
- Escalation protocols – clearly defined rules on whom to notify, escalate to and involve in the event of an attack.
- Communication plan – a strategy for contacting internal and external stakeholders, including your ISP, vendors and customers, and for communicating the news in real time.
6. Ensure sufficient server capacity
Since volumetric DDoS attacks work by overwhelming network bandwidth, one way to counter them is to overprovision bandwidth. By ensuring that your server capacity can handle heavy traffic spikes, you can be ready for the sudden and unexpected surges in traffic that DDoS attacks cause. Note that this may not stop a DDoS attack completely, but it will give you a few extra minutes to prepare other defenses before your resources are exhausted.
7. Explore cloud-based DDoS protection solutions
It is also wise to explore cloud-based DDoS protection solutions as part of your DDoS mitigation strategy. The cloud provides more bandwidth and resources than private networks. Cloud data centers can absorb malicious traffic, disperse it across other locations and prevent it from reaching the intended targets.
8. Use a Content Delivery Network (CDN)
One effective modern way to deal with DDoS attacks is to use a content delivery network (CDN). Since DDoS attacks work by overloading a hosting server, a CDN helps by sharing the load across a number of geographically distributed servers that are closer to users. This way, if one server goes down, others remain operational. CDNs can also provide certificate management, including automatic certificate generation and renewal.
9. Get professional DDoS mitigation support
Don’t hesitate to call in a professional. DNS providers and companies like CDNetworks can help protect your web property by rerouting visitors as needed, monitoring performance for you and distributing traffic across a number of servers should an attack take place.
Steps to Take if You’re Attacked
While early detection is key to preventing devastating outcomes, there are steps you can take if you are the target of a DDoS attack. The first step is to ensure you have a cloud-based DDoS mitigation system in place that can handle attacks. Additional steps include:
- Setting up new IP addresses for your systems
- Ensuring DNS records are set for maximum security
- Blocking countries recognized as DDoS attack hubs
- Having a dedicated server exclusively for email
- Recording connections to your servers
CDNetworks offers security solutions that protect not only your business or organization, but also your company’s and your clients’ intellectual property stored on your systems and servers. A proactive approach can prevent the damaging effects of DDoS attacks. For more information on our products, please fill in the form to contact us.