What to do if you are experiencing a DDoS attack?


In today’s interconnected world, the Internet is essential to our personal and professional lives. It enables communication, access to information, and the functioning of businesses worldwide. However, with this reliance on the digital realm comes the risk of cyberattacks. One particularly disruptive cyberattack is a Distributed Denial of Service (DDoS) attack. These attacks can cripple websites, online services, and networks, causing downtime and financial losses.

If you’ve ever wondered what to do if you suspect you are experiencing a DDoS attack, this article is for you. We’ll guide you through the steps to take when faced with this menacing threat, from confirming the attack to deploying mitigations and protecting your network.

Confirmation of a DDoS Attack

DDoS attacks vary in duration and severity, but they all share common indicators that can help you confirm an attack is in progress. Here are some telltale signs:

  • Network Latency or Slow Performance: Unusually slow network performance when accessing websites or opening files could be a sign of a DDoS attack.
  • Sluggish Application Performance: Applications running on your network may become sluggish or unresponsive during an attack.
  • High Processor and Memory Utilization: Increased utilization of your server’s resources, such as CPU and memory, can signify a DDoS attack.
  • Abnormally High Network Traffic: Watch for a sudden surge in network traffic, especially if it’s unrelated to your regular traffic patterns.
  • Website Unavailability: If your website becomes unavailable or inaccessible to users, it may be under a DDoS attack.

If you suspect a DDoS attack based on these indicators, it’s crucial to act swiftly.

Contact the Appropriate Professionals

Once you’ve identified the signs of a DDoS attack, the next step is to contact the right technical professionals for assistance. Here’s what you should do:

  • Contact Your Internet Service Provider (ISP): Reach out to your ISP to check if there’s an outage on their end or if they are the target of the attack, making you an indirect victim. They can advise you on the best course of action.
  • Collaborate with Service Providers: Communicate your findings to service providers and work closely with them to better understand the attack. Their expertise can be invaluable in mitigating the threat.

Understanding the Nature of the Attack

Understanding the nature of the DDoS attack is crucial to effectively combat it. Here are steps to gain insights into the attack:

  • Identify Attack Patterns: Determine the range of IP addresses used in the attack and look for specific attacks against particular services or servers.
  • Correlate Data: Correlate server CPU and memory utilization with network traffic logs and application availability to pinpoint the attack’s impact.
  • Packet Captures (PCAPs): If possible, directly capture packets of the DDoS activity or collaborate with security/network providers to obtain PCAPs. Analyzing these can help verify if your firewall is blocking malicious traffic and allowing legitimate traffic.
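As an added example (not part of the article), the following Python summarises firewall log lines to answer the three questions above: which sources, which service, and how fast. The log format, field names and sample events are constructed for this example and do not correspond to any particular vendor.

```python
"""Summarise firewall logs to spot a DDoS pattern: who, which service, how fast."""
import re
from collections import Counter, defaultdict

# Constructed line format for this example:
# "<ISO timestamp> <ACCEPT|DENY> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) src=(?P<src>\S+) "
    r"dst=\S+ dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def attack_summary(text, rate_threshold=50):
    """Top sources, top (proto, port) targets, and any source that produced
    at least rate_threshold events within a single second."""
    per_src, per_target = Counter(), Counter()
    per_src_second = defaultdict(Counter)  # src -> second bucket -> events
    for ev in parse_lines(text):
        per_src[ev["src"]] += 1
        per_target[(ev["proto"], int(ev["dport"]))] += 1
        per_src_second[ev["src"]][ev["ts"][:19]] += 1  # bucket by whole second
    bursting = {src: max(buckets.values())
                for src, buckets in per_src_second.items()
                if max(buckets.values()) >= rate_threshold}
    return {"top_sources": per_src.most_common(3),
            "top_targets": per_target.most_common(3),
            "bursting": bursting}


def build_sample_log():
    """Constructed sample: one source floods UDP/53 within one second while two
    ordinary clients use HTTPS; one malformed line exercises the skip path."""
    flood = ["2024-05-01T10:00:00Z DENY src=203.0.113.10 dst=198.51.100.5 dport=53 proto=udp"] * 60
    normal = [
        "2024-05-01T10:00:00Z ACCEPT src=203.0.113.20 dst=198.51.100.5 dport=443 proto=tcp",
        "2024-05-01T10:00:01Z ACCEPT src=203.0.113.20 dst=198.51.100.5 dport=443 proto=tcp",
        "2024-05-01T10:00:02Z ACCEPT src=203.0.113.21 dst=198.51.100.5 dport=443 proto=tcp",
        "2024-05-01T10:00:03Z ACCEPT src=203.0.113.20 dst=198.51.100.5 dport=443 proto=tcp",
        "2024-05-01T10:00:03Z ACCEPT src=203.0.113.21 dst=198.51.100.5 dport=443 proto=tcp",
        "garbage line that should be ignored",
    ]
    return "\n".join(flood + normal)


if __name__ == "__main__":
    print(attack_summary(build_sample_log()))
```

The bursting set is what you would hand to your ISP; the per-target counts tell you which service the attack is aimed at, which is what the PCAP analysis should then confirm.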

Deploy Mitigations

Once you clearly understand the attack, it’s time to deploy mitigations. Work closely with your service providers to block the DDoS attacks. Consider these steps:

  • Provide Attacking IP Addresses to ISP: Share the attacking IP addresses with your ISP; they can implement restrictions to prevent further malicious traffic.
  • Firewall Logging: Enable firewall logging to track accepted and denied traffic, helping you identify the attack’s source.
  • Network Time Protocol (NTP) Filtering: To prevent your organization from becoming a reflector in a DDoS attack against others, disable the monlist command in NTP or ensure requests come from valid source addresses.
  • TCP Keepalive and Maximum Connection Configurations: Configure strict TCP Keepalive and maximum connection settings on all perimeter devices to enhance security.
  • Firewall Configuration: Configure firewalls to block inbound traffic from reserved, loopback, private, unassigned DHCP, TEST-NET, multicast, and experimental IP address ranges.

Remember to monitor network traffic after implementing firewall blocks to ensure legitimate traffic isn’t blocked.
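As an added example (not part of the article), the Python below uses the standard ipaddress module to check observed source addresses against the ranges the firewall configuration step lists, so a candidate rule set can be reviewed before it is enforced. The labels, the sample addresses and the filter_sources helper are this example's own; the list covers IPv4 only.

```python
"""Classify inbound source addresses against ranges a perimeter firewall should drop."""
import ipaddress

# Address space that should never be the source of traffic arriving from the Internet.
# 169.254.0.0/16 is the range a host self-assigns when DHCP fails ("unassigned DHCP").
BOGONS = [
    ("reserved: this network", "0.0.0.0/8"),
    ("private (RFC 1918)", "10.0.0.0/8"),
    ("loopback", "127.0.0.0/8"),
    ("link-local / unassigned DHCP", "169.254.0.0/16"),
    ("private (RFC 1918)", "172.16.0.0/12"),
    ("TEST-NET-1", "192.0.2.0/24"),
    ("private (RFC 1918)", "192.168.0.0/16"),
    ("TEST-NET-2", "198.51.100.0/24"),
    ("TEST-NET-3", "203.0.113.0/24"),
    ("multicast", "224.0.0.0/4"),
    ("experimental / reserved", "240.0.0.0/4"),
]
NETWORKS = [(label, ipaddress.ip_network(cidr)) for label, cidr in BOGONS]


def classify(addr):
    """Return the block reason for addr, or None for an ordinary routable address.
    Raises ValueError when addr is not an IP address at all."""
    ip = ipaddress.ip_address(addr)
    for label, net in NETWORKS:
        if ip in net:  # membership is False across address families, so IPv6 falls through
            return label
    return None


def filter_sources(addrs):
    """Split observed sources into (allowed, blocked); blocked maps address -> reason.
    Unparseable strings are reported as blocked rather than silently passed."""
    allowed, blocked = [], {}
    for a in addrs:
        try:
            reason = classify(a)
        except ValueError:
            reason = "unparseable"
        if reason is None:
            allowed.append(a)
        else:
            blocked[a] = reason
    return allowed, blocked


# Constructed sample of sources seen at the edge, including boundary cases:
# 172.32.0.1 is just outside 172.16.0.0/12 and 198.50.0.1 just outside TEST-NET-2.
SAMPLE_SOURCES = ["127.0.0.1", "10.1.2.3", "169.254.10.1", "192.0.2.7",
                  "239.1.1.1", "250.0.0.1", "172.32.0.1", "198.50.0.1", "not-an-ip"]

if __name__ == "__main__":
    ok, dropped = filter_sources(SAMPLE_SOURCES)
    print("allowed:", ok)
    print("blocked:", dropped)
```

Running the real source list from your logs through filter_sources before pushing the rules shows which legitimate clients, if any, the blocks would catch.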

Monitor Other Network Assets

During a DDoS attack, you must not lose sight of other network hosts, assets, or services. Attackers may use DDoS as a distraction to conduct secondary attacks. Continue monitoring attacked assets and be vigilant during recovery for any anomalies or signs of compromise.

A DDoS attack can disrupt your online presence and cause significant damage. However, by following these steps, you can effectively respond to and mitigate the impact of such an attack. Always remember that timely communication with your ISP and collaboration with service providers is key to defending against DDoS attacks and ensuring your network’s and online services’ resilience.