In the past year, Distributed Denial of Service (DDoS) attacks have overwhelmed some of the largest websites, forcing Reddit, Twitter, and Netflix offline.
DDoS attacks, which swamp a target with far more traffic than it can handle, slow websites to a crawl and force crucial services offline. Half of DDoS attacks last between 6 and 24 hours, costing victims an estimated $40,000 per hour, according to data from DDoS prevention firm Incapsula.
The number of DDoS attacks is increasing by 125 percent year-on-year with a 35 percent jump in attack duration, according to a 2016 report from content delivery network company, Akamai.
DDoS attacks target businesses of every size, as well as individuals like live streamers. As cyber criminals keep developing more destructive DDoS techniques, every business and individual that depends on the internet must learn how to reduce the risk. Here are twenty ways to prepare for, absorb and recover from a DDoS attack.
1. Ensure you have extra bandwidth
Overprovisioning your bandwidth provides extra time to identify and deal with a DDoS attack. Extra bandwidth also allows your server to accommodate unexpected spikes in traffic, cushioning you against an intense attack.
Overprovisioning alone will not stop a large DDoS attack, but it could buy you critical time before your resources are completely overwhelmed.
This technique works against volumetric attacks, and many organisations simply scale bandwidth to soak up large volumes of traffic. If the attacker cannot muster enough traffic to exhaust the capacity you have provisioned, a volumetric attack fails. However, renting botnet capacity is cheap compared with buying the equivalent bandwidth, and attack sizes keep growing, so outpacing attackers this way is mainly an option for large enterprises willing to pay for it.
2. Make your architecture as resilient as possible
To withstand an attack, it’s crucial to make your architecture as resilient as possible. It’s not just crucial for DDoS attacks, it’s highly beneficial for any kind of business continuity in response to a general outage or disaster.
Priorities for architecture should be geographic and provider diversity. By spreading your resources across multiple data centres, you ensure that if one site is knocked offline you have a backup. Popular cloud providers, like Microsoft Azure or Amazon Web Services (AWS), let you host services in geographically separate regions. Bear in mind that redundancy only helps if traffic can actually be steered away from the site under attack: anycast spreads a flood aimed at one address across many sites, and DNS failover moves users to an address the attacker is not yet targeting. A standby site nobody can reach is no backup at all.
3. Create a DDoS action plan
Your business must start planning to defend against DDoS attacks before you are hit; it is much harder to respond once an attack is under way. While DDoS attacks cannot be prevented, steps can be taken to make it harder for an attacker to knock you offline.
DDoS attacks can strike at any time, so don't wait for one to bring your business to its knees. Put a system in place that helps you survive an attack and mitigate the damage if one does occur.
A DDoS action plan might include automated alerts when traffic rises beyond normal levels (you should do this as best practice anyway!), documented IT infrastructure with a network topology diagram and asset inventory, and a contact list covering your ISP, hosting provider and any mitigation vendor, with an agreed escalation path.
For more information on creating your own plan, take a look at this DDoS incident response cheat sheet from GIAC security expert Lenny Zeltser.
4. Improve the security of your Internet of Things (IoT) devices
DDoS attacks are on the rise and attackers now leverage massive worldwide botnets composed of Internet of Things (IoT) devices. The Internet of Things, the worldwide network of connected devices like fridges, cameras and DVRs, is heralded as the next industrial revolution, but it is also the best thing to happen to DDoS attackers.
Why? IoT devices typically ship with little security, and hackers can enlist armies of them to launch traffic at victims of their choosing. The Mirai botnet behind the Dyn attack mentioned above did exactly this, logging into devices with a short list of factory default usernames and passwords.
To reduce the attack power of DDoS attacks, consumers and businesses must improve the security of their devices. One quick and effective step is to change the factory-set default password, which attackers guess trivially from published lists. Pick a strong, unique password, apply firmware updates, and disable remote administration (Telnet, SSH, web panels) on the internet-facing side unless you genuinely need it.
This also reduces the risk of these devices being used against you, as one university learned when it was attacked by its own internet-connected vending machines.
5. Monitor traffic levels
DDoS attacks cause huge traffic spikes, but an attack can hide inside genuine traffic. To disguise it, smart cyber criminals launch DDoS attacks when websites and services are usually busy, such as Christmas or Black Friday.
The best way to detect a DDoS attack is to watch for abnormal traffic to your website: not just raw volume, but requests per second per source address, the share of traffic hitting one expensive URL, error rates and connection counts, each compared against a baseline for that time of day and week. Stay alert, monitor continuously, and set thresholds that trigger automated alerts when they are exceeded.
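As an added illustration (not code from the original article), the following Python script shows the kind of automated check that sections 3 and 5 describe. It parses web-server access-log lines in the common combined format, buckets them per minute, and raises an alert when the request volume exceeds a multiple of the baseline for that time, when one source address accounts for most of the traffic, or when one URL path does. The log lines, addresses and the baseline of 40 requests per minute are constructed sample data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.replace(second=0),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def analyse(lines, baseline_rpm, spike_factor=3.0, top_share=0.5, min_total=50):
    """Return {minute_iso: [alert, ...]} for the minutes present in `lines`.

    baseline_rpm is the expected requests/minute for this time of day, taken
    from historical data. Three cheap signals are checked per minute:
      * total volume far above the baseline,
      * one source address responsible for most requests,
      * one URL path (typically an expensive one) dominating.
    The share checks are skipped for minutes with fewer than min_total
    requests, so a quiet period with a single visitor does not page anyone.
    """
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["minute"]].append(rec)

    report = {}
    for minute in sorted(per_minute):
        recs = per_minute[minute]
        total = len(recs)
        alerts = []
        if total > spike_factor * baseline_rpm:
            alerts.append(f"volume {total} rpm exceeds {spike_factor:g}x baseline of {baseline_rpm}")
        if total >= min_total:
            ip, n = Counter(r["ip"] for r in recs).most_common(1)[0]
            if n / total > top_share:
                alerts.append(f"source {ip} sent {n} of {total} requests")
            path, n = Counter(r["path"] for r in recs).most_common(1)[0]
            if n / total > top_share:
                alerts.append(f"path {path} received {n} of {total} requests")
        report[minute.isoformat()] = alerts
    return report


def make_sample():
    """Constructed log lines: one quiet minute, then one flooded minute."""
    t0 = datetime(2016, 10, 21, 10, 0, tzinfo=timezone.utc)

    def line(ip, t, path):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    # 10:00 - 40 requests from 20 addresses across 5 pages (assumed normal).
    for i in range(40):
        lines.append(line(f"10.0.{i % 20}.5", t0 + timedelta(seconds=i), f"/page{i % 5}"))
    # 10:01 - the same background traffic plus 200 hits on /search from one address.
    t1 = t0 + timedelta(minutes=1)
    for i in range(100):
        lines.append(line(f"10.0.{i % 20}.5", t1 + timedelta(seconds=i % 60), f"/page{i % 5}"))
    for i in range(200):
        lines.append(line("203.0.113.7", t1 + timedelta(seconds=i % 60), "/search?q=zzzz"))
    lines.append("not a log line at all")  # junk is skipped, not fatal
    return lines


if __name__ == "__main__":
    for minute, alerts in analyse(make_sample(), baseline_rpm=40).items():
        print(minute, "OK" if not alerts else "; ".join(alerts))
```

In practice you would feed this the tail of the live log once a minute and wire the alert list into whatever pages your on-call staff; the thresholds (three times baseline, one source or path over half the traffic) are starting points to tune against your own history, and a single source dominating the log is also exactly the case where a corporate proxy or carrier NAT can fool you, which is why the alert should lead to a human look rather than an automatic ban.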
6. Use a Content Delivery Network (CDN)
One of the best defences against a DDoS attack is a content delivery network (CDN). A CDN places a large, globally distributed edge network in front of your origin servers: it serves cached content itself, absorbs attack traffic across many points of presence, and, with the DDoS protection most CDNs sell alongside, filters malicious requests before they reach you. For this to work your origin's real IP address must stay hidden, otherwise attackers simply bypass the CDN and hit the origin directly.
CDN DDoS protection is not always cheap; a typical monthly plan for enterprise-grade mitigation can edge into five figures, although pricing varies widely between providers. The value proposition may be hard to swallow for small businesses but is well worth it for large enterprises that cannot risk being knocked offline.
Organisations can invest in security forever and there is no end to the money that could be spent. Some organisations will not be able to afford a CDN; luckily, it is not the only option.
7. Practice for attacks
Practice makes perfect and by simulating DDoS attacks on your network you can gauge how well your service withstands an attack as well as the effectiveness of your action plan.
These faux-attacks can be performed as part of a penetration test, a controlled attack carried out by a skilled ethical hacker. Such simulations find hidden security flaws and show how well the business withstands DDoS traffic. Regardless, you should be conducting regular penetration tests to make sure you are as secure as you think you are.
Run a DDoS simulation during planned maintenance to spare your end users the inconvenience, get written authorisation from your hosting provider and ISP first, and if you have a CDN or mitigation provider warn them that it is a test; otherwise their automated defences and abuse desk will treat it as a real attack.
8. Buy a dedicated server
Purchasing a dedicated server gives you more bandwidth and greater control over security. Unlike co-location, where you supply and manage your own hardware, a dedicated server's hardware and infrastructure are managed by the provider. Dedicated servers can also be bought with automatic DDoS mitigation, and you will receive support from your provider during an attack.
9. Educate your customers to be cyber secure
DDoS malware is hidden on innumerable computers across the globe. Cyber security is a global problem and it is every business's responsibility to improve security awareness.
Customer education is an important part of DDoS protection. DDoS attacks would be significantly weaker if fewer users unknowingly ran bot malware on their computers and devices.
Proactively guard your customers by encouraging them to follow security best practices for their devices: keep software and firmware patched, and change the default passwords on home routers and connected gadgets.
10. Train your staff in incident handling and recovery
Knowledge is power and you will need it to withstand and recover from a DDoS attack. Whoever is responsible for your IT infrastructure should understand proper incident handling procedure, so that in the event of a DDoS attack they can respond effectively and limit the damage of any follow-on attacks.
If your business is serious about resisting and recovering from DDoS attacks, consider training a member of your team towards one of the many security certifications available.
The Global Information Assurance Certification (GIAC) offer a number of qualifications designed to boost practical cyber security knowledge. One example, GIAC’s GCIH certification, provides the incident handling knowledge needed to respond to DDoS attacks.
11. Use secured Virtual Private Server (VPS) hosting
Virtual Private Server (VPS) hosting offers more power than shared hosting but less than dedicated hosting.
With a secured VPS, your website has its own partitioned space, unique IP address and operating system, isolating it from attacks on other tenants of the same physical host. Note that this isolation is at the operating-system level: a volumetric flood aimed at a neighbour can still saturate the host's shared network uplink. Some providers also offer specialist DDoS-protected VPS hosting.
12. Hardware upgrades
A lot of network hardware can mitigate certain types of DDoS attack. For example, many commercially available firewalls and load balancers protect against layer 4 (protocol) attacks and application-layer attacks. Be aware that a stateful firewall is itself a target: its connection table can be exhausted by a flood, so it should sit behind, not instead of, upstream volumetric mitigation.
Hardware and operating-system settings also help against SYN floods, in which the attacker sends a stream of TCP SYN packets (usually with spoofed sources) so that the server fills its queue of half-open connections and stops accepting real ones. Most modern equipment and kernels support SYN cookies, which let the server keep accepting connections without storing state for each half-open one, along with tunable backlog sizes and shorter timeouts for half-open connections.
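As an added example, not taken from the article, here is a small Python audit of the Linux kernel settings that govern SYN-flood handling. It parses `sysctl -a`-style output and compares four tunables against illustrative thresholds. The two configurations are constructed, one with stock-style weak values and one hardened, and the thresholds are assumed starting points to adjust for your own workload rather than vendor recommendations.

```python
# Thresholds are illustrative starting points (assumed), not vendor recommendations.
CHECKS = {
    "net.ipv4.tcp_syncookies": (
        lambda v: v == 1, 1,
        "SYN cookies keep accepting connections when the SYN backlog is full"),
    "net.ipv4.tcp_max_syn_backlog": (
        lambda v: v >= 4096, 4096,
        "a larger half-open queue before cookies have to kick in"),
    "net.ipv4.tcp_synack_retries": (
        lambda v: v <= 2, 2,
        "fewer SYN-ACK retransmits so half-open entries from spoofed sources expire sooner"),
    "net.core.somaxconn": (
        lambda v: v >= 1024, 1024,
        "an accept queue large enough that a burst of completed handshakes is not dropped"),
}


def parse_sysctl(text):
    """Turn `sysctl -a`-style 'key = value' lines into {key: int}.
    Comments and non-numeric tunables are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip())
        except ValueError:
            continue
    return settings


def audit(settings):
    """Return (key, current, recommended, reason) for every failing or missing check."""
    findings = []
    for key, (ok, want, why) in CHECKS.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, None, want, "tunable not present in the dump"))
        elif not ok(have):
            findings.append((key, have, want, why))
    return findings


def remediation(findings):
    """Lines you could drop into a file under /etc/sysctl.d/ to fix the findings."""
    return [f"{key} = {want}" for key, _, want, _ in findings]


WEAK = """\
# constructed sample: a host running with old stock defaults
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.core.somaxconn = 128
net.ipv4.ip_forward = 0
kernel.hostname = www1
"""

HARDENED = """\
# constructed sample: the same host after applying the remediation lines
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.core.somaxconn = 1024
"""

if __name__ == "__main__":
    findings = audit(parse_sysctl(WEAK))
    for key, have, want, why in findings:
        print(f"{key}: {have} (want {want}): {why}")
    print("\n".join(remediation(findings)))
```

Run it against `sysctl -a` output captured from a real host rather than the constructed strings. SYN cookies drop some TCP options on connections accepted while the backlog is full, which is an acceptable trade during a flood, and raising the backlog only delays the point at which cookies take over; neither setting helps once the flood is large enough to fill your link, which is the case for upstream mitigation.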
13. Update everything, regularly
If you use open source platforms like WordPress, install updates as soon as they are available. Updates fix vital security flaws, and failing to update leaves you exposed to known vulnerabilities and means you miss any new DDoS-related protections the update ships with.
14. System hardening
Hardening is the process of securing a system by reducing its attack surface, which grows with every extra function a system performs.
Configure both your operating systems and your applications to be more resilient to application-layer DDoS attacks: disable unused services, cap connection timeouts and request sizes, and keep expensive operations (search, login, report generation) behind rate limits or caching. For an introduction to system hardening, take a look at this popular Stack Exchange post.
15. Drop packets from obvious sources of attack
Ongoing DDoS attacks, typically lasting 6 to 24 hours, can create havoc. You need to stop the malicious traffic as early as possible: instruct your router or firewall to drop packets from the addresses that are obvious sources of the attack, as close to your network edge as you can.
Experts also recommend rate limiting on your router to add another layer of protection. However, given the size of modern DDoS attacks, any filtering you do on your own equipment only works if the attack has not already saturated your upstream link, so this is another 'buying time' strategy if you are hit.
16. Call your ISP or hosting provider
If you’re under attack, call your ISP or hosting provider and ask for help. You should keep emergency contacts for these hosting services readily available.
Depending on the strength of the attack, the ISP or hoster may already be affected by it. If the attack is large enough, your ISP may 'null route' (blackhole) the targeted address, dropping all traffic to it before it reaches your web server; this protects the rest of their network but completes the attacker's job for that address. The better outcome is 'scrubbing', where the ISP or a mitigation partner diverts your traffic through filtering equipment and forwards only the clean remainder to you.
It’s important to let your ISP or hosting provider know quickly in the event of a DDoS attack, they’ll likely have techniques and procedures which will enable you to get back online faster.
17. Block spoofed IP addresses
Spoofing is the forging of a packet's source address so that traffic appears to come from somewhere it did not, often used during an attack to disguise the true source.
During a DDoS attack, IP spoofing is used to mask the location of botnet devices and to stage what is known as a reflected attack: the attacker sends small requests to open services such as DNS or NTP servers with the victim's address forged as the source, and the (often much larger) replies are delivered to the victim.
Spoofed packets are best stopped where they enter the network: ISPs and hosting providers apply ingress filtering (BCP 38), dropping any packet whose source address could not legitimately originate behind the interface it arrived on. As a target you cannot tell a spoofed source from a real one, and reflected traffic carries the reflector's genuine address, so inbound filtering has to rely on traffic analysis, including deep packet inspection (DPI) of payloads rather than just source addresses. DPI at attack volumes is expensive and resource intensive, so you will likely need to outsource it to a third-party mitigation provider.
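To make the ingress-filtering idea concrete, here is an added Python example (not from the article) of the per-interface source-address checks a provider edge applies under BCP 38. The interface names, the customer and provider prefixes (documentation ranges standing in for real public addresses) and the sample packets are all constructed.

```python
import ipaddress
from dataclasses import dataclass

# Address space that should never appear as a source on an internet-facing link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str  # "lan" = customer-facing port, "wan" = upstream port (assumed names)
    src: str
    dst: str


class IngressFilter:
    """Source-address validation as a provider edge applies it (BCP 38 / RFC 2827 style)."""

    def __init__(self, customer_prefixes, our_prefixes):
        # Prefixes delegated to the customer behind the "lan" port.
        self.customer = [ipaddress.ip_network(p) for p in customer_prefixes]
        # Every prefix we announce; none of it should arrive as a source from outside.
        self.ours = [ipaddress.ip_network(p) for p in our_prefixes]

    @staticmethod
    def _in(addr, networks):
        return any(addr in n for n in networks)

    def verdict(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        if pkt.iface == "lan":
            # Packets leaving a customer port must carry one of that customer's own
            # addresses; anything else is a forged source (a bot reflecting or hiding).
            if self._in(src, self.customer):
                return "accept"
            return "drop: source outside customer prefixes (BCP 38)"
        if pkt.iface == "wan":
            if self._in(src, BOGONS):
                return "drop: bogon source"
            if self._in(src, self.ours):
                return "drop: our own prefix arriving from outside"
            # Any other public source is accepted: from here we cannot tell a forged
            # address from a real one, which is why filtering upstream matters.
            return "accept"
        return "drop: unknown interface"

    def run(self, packets):
        return [self.verdict(p) for p in packets]


# Constructed scenario: documentation ranges stand in for real public prefixes.
EDGE = IngressFilter(customer_prefixes=["203.0.113.0/24"],
                     our_prefixes=["203.0.113.0/24", "198.51.100.0/24"])

SAMPLE = [
    Packet("lan", "203.0.113.10", "8.8.8.8"),       # customer's own address: fine
    Packet("lan", "192.0.2.5", "9.9.9.9"),          # forged victim address sent to a resolver
    Packet("wan", "10.1.2.3", "203.0.113.10"),      # private source from the internet
    Packet("wan", "198.51.100.7", "203.0.113.10"),  # our own prefix coming from outside
    Packet("wan", "192.0.2.5", "203.0.113.10"),     # looks legitimate; may or may not be spoofed
]

if __name__ == "__main__":
    for pkt, v in zip(SAMPLE, EDGE.run(SAMPLE)):
        print(f"{pkt.iface:3} {pkt.src:>14} -> {pkt.dst:<14} {v}")
```

The second sample packet is the one that matters for reflection: a bot on the customer's network sending a DNS query with the victim's address as source. Dropped at the customer port it never reaches the resolver, so no amplified reply is generated. The last packet shows the limit of the technique: on the inbound side a spoofed source is indistinguishable from a genuine one, so this filter protects other people from your network, and you depend on other networks doing the same.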
18. Blacklist and Whitelist
Use blacklists and whitelists to control who can reach your network and APIs. However, be careful: it is important not to automatically and permanently blacklist IP addresses that trigger network alerts. Your safeguards could be overreacting (a corporate proxy or a mobile carrier's NAT can put thousands of users behind one address), and this is an effective way to infuriate your customers.
To gauge whether traffic is real or malicious, block it temporarily and see how it responds. Legitimate users will usually retry after a few minutes, whereas attack traffic tends to keep hammering at full rate or switch to fresh IP addresses. Prefer rate limits and short blocks that expire over permanent bans.
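Tying sections 15 and 18 together, the following added Python example (not from the article) implements a per-source token-bucket rate limiter with a temporary block that expires, and runs it over a constructed trace of one bursty legitimate client and one flooding source. The rates, burst size, strike count and cooldown are assumed values to tune for your own traffic.

```python
from collections import Counter, defaultdict


class SourceLimiter:
    """Per-source token bucket with a temporary block that expires.

    rate          - sustained requests per second allowed per source
    burst         - requests a source may make at once before being limited
    strikes       - consecutive limited requests before a source is blocked
    block_seconds - how long the block lasts; afterwards the source is forgiven
    """

    def __init__(self, rate, burst, strikes, block_seconds):
        self.rate, self.burst = rate, burst
        self.strikes, self.block_seconds = strikes, block_seconds
        self.buckets = {}                   # ip -> (tokens, last_seen)
        self.strike_count = defaultdict(int)
        self.blocked_until = {}

    def check(self, ip, now):
        """Return 'allow', 'limit' (over rate, client should back off) or 'block'."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "block"
            # Cooldown over: forget the block rather than keeping a permanent blacklist.
            del self.blocked_until[ip]
            self.strike_count[ip] = 0

        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            self.strike_count[ip] = 0       # any accepted request clears strikes
            return "allow"

        self.buckets[ip] = (tokens, now)
        self.strike_count[ip] += 1
        if self.strike_count[ip] >= self.strikes:
            self.blocked_until[ip] = now + self.block_seconds
            return "block"
        return "limit"


def simulate():
    """Constructed trace: a bursty but legitimate client and a flooding source.
    Returns {ip: Counter of verdicts}."""
    lim = SourceLimiter(rate=5.0, burst=20, strikes=50, block_seconds=300)
    seen = defaultdict(Counter)

    legit, flood = "198.51.100.10", "203.0.113.7"
    # Legitimate client: a page load fetching 30 assets 20 ms apart, then one
    # more request ten seconds later.
    for i in range(30):
        seen[legit][lim.check(legit, i * 0.02)] += 1
    seen[legit][lim.check(legit, 10.0)] += 1
    # Flooding source: 1000 requests 1 ms apart from t=5 s, a retry while still
    # in cooldown (t=100 s) and another after the cooldown expired (t=400 s).
    for i in range(1000):
        seen[flood][lim.check(flood, 5.0 + i * 0.001)] += 1
    seen[flood][lim.check(flood, 100.0)] += 1
    seen[flood][lim.check(flood, 400.0)] += 1
    return seen


if __name__ == "__main__":
    for ip, counts in simulate().items():
        print(ip, dict(counts))
```

The legitimate client trips the limit for a handful of requests during its burst (which a browser tolerates as a 429 and retries) but is never blocked, and its strikes are wiped as soon as a request is accepted again. The flooder is blocked within its first hundred requests, stays blocked for the cooldown, and is then quietly forgiven, which keeps the list of blocked addresses small and self-cleaning instead of growing into a permanent blacklist that outlives the attack.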
19. Automate customer communication
If a DDoS attack strikes, there’s no use trying to cover it up. Your customers will know and your service desk or customer service will get buried with emails, phone calls and social media messages.
To respond to any DDoS-inflicted outage, create a status page that automatically shows whether your service is online, and host it somewhere separate from the infrastructure under attack so that it stays reachable. Consider preparing template communications, like automated emails, that you can send to users who contact you.
20. Create an incident report
Businesses that suffer a DDoS attack must quickly re-establish credibility. Do this by drafting an incident report that explains what happened, why, and how you responded. Then discuss how your business will reduce the impact of future attacks.
Publicly discuss your approach; if you contracted a CDN after your attack, let your customers know. Educating them will help re-establish your authority and should go some way to allaying future fears. Be sure to open the report with non-technical language and include a technical section for CIOs if needed.
For a great example, take a look at Dyn. When what was then one of the largest DDoS attacks on record hit Dyn in October 2016, knocking Reddit, Twitter and Netflix offline, the DNS provider responded by releasing an in-depth incident report.
For a more technical view of how to protect against DDoS attacks, take a look at this DDoS research paper composed by a SANS GIAC member.