How to prepare for distributed denial-of-service (DDoS) attacks


Network security has gained critical importance over the past ten years due to the rise in new attack methods used against computer networks. Many of these attacks aim to compromise a computer network by flooding it with data, which frequently causes devices to shut down sluggishly or expose the network to fresh vulnerabilities.

Common names for these attacks include distributed denial-of-service attacks (DDoS). For the past 20 years, the method for creating this kind of attack has been developing. The primary security risk in the cloud is DDOS, which targets cloud services and infrastructure to prevent authorized users from accessing them. The attacker’s motivation could range from a simple intellectual challenge to simple amusement, or it could be done to help a rival.

A common outcome of the attack is the shutdown of a personal network or a business website. Extreme cases of these attacks have included holding a company’s website hostage until a ransom is paid or using them to render servers vulnerable to subsequent attacks. DDoS attacks have also been used to steal data in conjunction with other attacks.

A DDOS attack may take many different shapes and employ many tactics, but it is typically classified as either a semantic attack or a brute-force attack. Semantic DDOS attacks, also referred to as low-rate DDOS, take advantage of cloud service boundaries by generating malicious traffic at a low rate targeted at the user’s protocol or service. As this type of traffic is very similar to the typical traffic of an authorized user over the cloud, it is very challenging to trace or capture.

Attacks that affect the quality of the service offered to the legitimate user are included in the category of low-rate DDOS attacks. These attacks include shrew attacks, reduction of quality attacks, economic denial of sustainability attacks, and low-rate DDOS attacks against application servers. On the other hand, brute-force attacks, also called high-rate DDOS or flooding attacks, bombard the victim with numerous requests to overwhelm them. Flooding uses an application or network level to use all available bandwidth on a network or resource.

DoS vs. DDoS

Denial-of-service (DoS) attacks are a type of cyberattack that target a particular website or application to deplete its resources, rendering the target unreachable or inaccessible and preventing legitimate users from using the service. A distributed denial-of-service (DDoS) attack is a DoS attack in which multiple attacking machines overload a target system. From the viewpoint of the targeted entity, DDoS attackers frequently use a botnet—a collection of seized internet-connected devices—to carry out massive attacks that seem to originate from numerous attackers.

How to prepare for DDoS attacks

  • Understand your critical assets and services.

Determine the services you have made available to the general internet and their vulnerabilities. Set asset priorities based on availability requirements and mission criticality. By committing to good cyber hygiene, implement strategies to reduce the risk of an attack (e.g., server hardening and patching). Check to see if your web application firewall (WAF) is configured with a Deny state and is protecting your critical assets.

  • Understand how your users connect to your network.

Determine the ways your user base connects to your company’s network, either locally or remotely, using virtual private networks (VPNs). Determine any potential network chokepoints and any potential mitigations to help keep key personnel disruptions to a minimum.

  • Enroll in a DDoS protection service.

Although many internet service providers (ISPs) have DDoS defenses, a specialized DDoS protection service may have stronger defenses against more powerful or sophisticated DDoS attacks. Enroll in a DDoS protection service to safeguard your systems and services. This service can keep track of network traffic, confirm the existence of an attack, pinpoint the source, and alleviate the situation by diverting malicious traffic away from your network. After reviewing their most important assets and services, organizations should sign up for a DDoS protection service.

  • Understand service provider defenses.

Talk to your ISP and cloud service provider (CSP) to learn about their current DDoS protections. Examine service agreements to ascertain the defenses your service providers provide to reduce DDoS attacks and any risks presented by gaps or coverage limitations. Consult your service providers for advice on hosting web servers while utilizing their DDoS defenses.

  • Understand your dedicated edge network defenses.

Discuss specific managed services that protect against DDoS attacks with a managed service provider (MSP). MSPs that provide various “edge” technologies can help with edge defense customization. Edge defense services can minimize DDoS attack-related downtime. Edge defense, detection, and mitigation services significantly increase the likelihood that legitimate users will access your websites and web applications while lowering the likelihood that malicious traffic will reach its target.

  • Design and review (High-Availability/Load-Balancing/Colocation) designs.

Eliminate single points of failure, such as high-value assets (HVA) hosted on a single node, by reviewing system/network designs. Ensure HVAs can have load-balancing (LB) across multiple nodes and/or high availability (HA). Colocating HVA services is an effective method for maintaining business continuity. However, using upstream service provider defenses or DDoS protections in your local data center to thwart the attack is the best way to protect against DDoS.

  • Develop an organization DDoS response plan.

Your organization should follow the response plan as it helps you recognize, stop, and quickly recover from DDoS attacks. Your organization’s internal stakeholders, service providers, and network defenders should know their respective roles and responsibilities during a DDoS attack. At the very least, the plan should cover identifying a DDoS attack, verifying it, deploying mitigations, monitoring, and recovery. Please note that your organization’s disaster recovery plan should include a DDoS response strategy.

  • Develop an organization DDoS business continuity plan and consider how a DDoS attack will impact physical backups for your network.

Determine alternatives for your essential applications in the plan, particularly for communication. In particular, ensure the plan contains a means for leadership to quickly inform internal network defenses or outside service providers of decisions if a DDoS attack overwhelms your network. Analyze how your organization would continue to operate if a DDoS attack prevented hardware connections.

  • Conduct a DDoS tabletop exercise and/or regularly test your DDoS response plan.

The following benefits will occur if your company regularly exercises its DDoS response plan with all internal and external stakeholders, including service providers:

  • Ensure that every participant knows their responsibilities and roles during the DDoS attack.
  • Assist in spotting problems and gaps before an actual event.
  • Provide the urgency and cadence that stakeholders will require during a real event.
  • Increase trust in the strategy.

After each tabletop exercise or test, conduct an after-action review (AAR) and update the DDoS response plan in light of the lessons learned.

What to do if you are under an attack?

Step 1

Confirmation of a DDoS attack. DDoS attacks vary in length of time. One or more of the following could serve as DDoS incident indicators:

  • Network latency is an abnormally slow network response time when opening files or visiting websites.
  • Poor application response times.
  • High memory and processor usage.
  • Unusual amounts of network traffic.
  • The absence or impossibility of accessing websites.

You must contact the appropriate technical experts for assistance if your business is subjected to a DDoS attack.

Step 2

Get in touch with them to find out if your ISP’s network is experiencing issues or if their network is being attacked and you are an unintended victim. They might be able to advise you on the best course of action. Share the information and collaborate with service providers to better understand the attack.

Step 3

Understand the nature of the attack.

  • What is IP address ranges being used to spread the attack?
  • Keep an eye out for a specific attack against active services.
  • Relate network traffic logs, application availability, and server CPU/memory utilization.
  • Implement mitigations once you have a better understanding of the attack.
  • Directly capture the DDoS activity packets (PCAPs) or collaborate with security/network providers. Verify the firewall prevents malicious traffic while letting legitimate traffic through by analyzing PCAPs.

Step 4

Deploy mitigations. Keep collaborating with the service providers to block DDoS attacks. Response and recovery may be aided by additional mitigations like configuring the current environment differently and starting business continuity plans. Discuss mitigation strategies in detail while “testing and monitoring.” The roles of each stakeholder in the response and recovery processes should be clear to them.

Step 5

Monitor other network assets. Keep an eye on your network’s hosts, resources, and services while under attack. Threat actors have been seen using DDoS attacks to divert attention from their intended target and taking advantage of the opportunity to launch additional attacks on other network services. As you mitigate the situation and restore the attacked assets to operation, keep watching them. Keep an eye out for additional anomalies or signs of compromise during the recovery phase. Verify that the DDoS was not merely a diversion from other malicious activity in your network.