How to Prepare for a Distributed Denial-of-Service (DDoS) Attack

When it comes to distributed denial-of-service attacks (DDoS attacks), the old adage about an ounce of prevention being worth a pound of cure holds true. As we’ve previously discussed, DDoS attacks are growing in size, scale, and frequency, so it is best to be prepared.

Plan Now

DDoS are more frequent than ever before. A survey in September found that frequency of DDoS attacks increased by 40% in 2018, and that organizations who faced an attack had a one in five chance of being hit again within 24 hours. In 2018, DDoS attacks increased in size by 500%. Blame the proliferation of low-security Internet of Things devices. The average cost of a successful DDoS attack to businesses? $2.5 million.

These sobering stats ought to hammer home the fact that your business or organization needs to come up with a comprehensive DDoS mitigation plan now if you haven’t already. When it comes to DDoS attacks, it’s not a question of if, it’s a question of when.

Work with Partners

Onsite protections like load balancers and firewalls are important, but the scale and sophistication of DDoS attacks are such that it’s important to work with companies that offer DDoS mitigation. If you have a 20 Gbps connection and you’re hit with a 100 Gbps attack, you’re overwhelmed. That kind of attack must be fought upstream at the network provider level.

Many content delivery networks (CDNs) offer DDoS mitigation services. Though better known for improving availability and performance of content by using a network or a combination of data centres and proxy servers, CDNs can provide perimeter defences and absorb HTTP/HTTPS DDoS attacks.

Another important factor to consider is rapid deployment. A DDoS attack can knock a service offline in minutes, so it’s important to have a plan and partner who can begin mitigation efforts as soon as possible.

When planning DDoS mitigation, it pays to include your network provider, cloud provider, or even a specialized IT security company.

Detection and Monitoring

The first step to good DDoS mitigation is detection. Whatever measures you put in place, they will have to accurately determine when you’re being hit with a DDoS attack and identify the methods being used, but also remain inactive when you aren’t being attacked. Defending against legitimate traffic can be as bad as not defending against malicious traffic.

Plan for Multiple Types of DDoS Attacks

In our last post we discussed three broad methods of DDoS attack and provided examples of each. However, there are dozens of methods of launching a DDoS attack, so your plan will have to take this into account.

For example, an HTTP flood can be countered by identifying malicious IP addresses and blocking them. Remember, this type of attack is analogous to an avalanche of phone calls on a pizza place’s phone line. The restaurant would start to keep a blacklist, cutting down on their malicious calls. Of course, the analogy breaks down when it comes to scale. An HTTP flood might involve tens of thousands of malicious IP addresses, all of which will have to be identified and blocked.

Or consider DNS amplification. One mitigation effort might be to construct a firewall that recognizes the pattern of an incoming DNS attack and just drops that traffic. Or you could host your architecture on multiple servers. That way, if one goes down, others are available. Recalling our past article, this is the attack analogous to requesting mass amounts of information from a supplier and getting them to call the pizza place, thus overloading the restaurant’s capacity. Attacked this way, the pizza place could train employees to drop calls that look a certain way. Or they could get multiple phone lines, so one tied-up line doesn’t stop the whole operation

In the case of a SYN flood, mitigation efforts might include reducing the SYN-RECEIVED timer (i.e., shortening the handshake), using SYN cookies (i.e., generating a secret number included in the SYN-ACK packet that verifies an ACK is received), or using SYNPROXY (i.e., putting proxies in each connection while generating SYN cookies). A SYN flood is analogous to a pizza place getting orders for pickup and making the pizzas, but then never completing the transaction, thus filling up with product. These solutions might be similar to the pizza place taking a credit card number before making the order.

The point here is that DDoS attacks can be complex and that mitigation efforts will be even more complex. It’s important to plan for that kind of complexity, but it’s also important to have a team or solution provider in place that can respond to new methods of attack as they happen.

Expect a Double Tap

Security researchers say that one in five targets will be hit with another DDoS attack within twenty-four hours of the first. Why? It makes sense to strike when damage from the first attack is still being scrutinized.

Beware of Secondary Attacks

Sometimes a DDoS attack is just a distraction. By launching a low-level DDoS attack, cybercriminals may be trying to occupy an organization’s IT staff while they do something more nefarious, like inject malware.

Start Now

It’s important to come up with a plan, shore up perimeter defences, and employ DDoS mitigation services right away. DDoS attacks are becoming stronger and more inexpensive, making them a primary tool for cybercriminals.

To learn more about protecting your business from DDoS attacks, click here.