Watch your back, and back-end servers. According to Cloudflare, ransom distributed denial-of-service (DDoS) attacks saw a 60 percent year-over-year increase in 2023.
Knowing this, companies can — and should — take technical precautions, like using DDoS protection services and adopting clear business plans in anticipation of attacks.
What Is a Distributed Denial-of-Service (DDoS) Attack?
Here’s how to stop a DDoS attack, plus everything to know about them to help you prepare.
How to Identify a DDoS Attack
When a DDoS attack occurs, its effects on traffic can indicate when an attack is under way and what type it is. For a user trying to navigate to a website under attack, the page may never load: it can hang for a long time, then simply time out because of the crowding of requests.
Look out for IP addresses sending multiple connection requests over a short time, abnormal spikes in site traffic, unusually slow site performance and significant site outages. You can also use DDoS detection software to automatically scan traffic and alert you to any suspicious activity.
How to Stop a DDoS Attack
- Locate and block DDoS traffic
- Reroute DDoS traffic
- Use additional firewalls and defense software
- Stop the services under attack
1. Locate and Block DDoS Traffic
After identifying abnormal user traffic, consult system log files to find where the DDoS traffic originates.
Then, block attacker traffic using tactics like IP address filtering, which can block service access from individual IP addresses, or geo-blocking, which can block access from entire geographical regions. IP filtering is most effective for blocking known, specific traffic sources, while geo-blocking is most effective for blocking all traffic from a country when the specific sources are unknown.
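One way to carry out the log review and blocking decision described above, as an added example rather than code from the article or any vendor. It assumes an access log in common log format written in time order; the thresholds, function names and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def noisy_sources(lines, window_s=10, max_requests=20):
    """Peak requests per source IP in any window_s-second window, over-limit IPs only."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ip = str(ip_address(m.group(1)))
            ts = datetime.strptime(m.group(2), TS_FMT)
        except (AttributeError, ValueError):
            continue  # malformed line: skip it rather than abort the review
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()  # drop requests that fell out of the sliding window
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}

def block_candidates(offenders, min_hosts=3):
    """One /24 (IPv4) or /64 (IPv6) rule when min_hosts offenders share it, else host rules."""
    by_net = defaultdict(list)
    for ip in map(ip_address, offenders):
        prefix = 24 if ip.version == 4 else 64
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    rules = []
    for net, ips in by_net.items():
        if len(ips) >= min_hosts:
            rules.append(str(net))
        else:
            rules.extend(f"{ip}/{ip.max_prefixlen}" for ip in ips)
    return sorted(rules)

def sample_log():
    """Constructed 30-second log; every address is from a documentation range."""
    fmt = '{} - - [12/Mar/2024:10:00:{:02d} +0000] "GET {} HTTP/1.1" 200 512'
    lines = []
    for s in range(30):
        for src in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "192.0.2.44"):
            lines += [fmt.format(src, s, "/search?q=x")] * 3  # 3 requests/second each
        if s % 5 == 0:
            lines.append(fmt.format("203.0.113.5", s, "/"))  # ordinary visitor
    return lines
```

The returned CIDR strings can be fed to whatever firewall or filtering layer is in use; collapsing to a network prefix only when several hosts in it misbehave limits how many legitimate neighbours a rule catches.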
2. Reroute DDoS Traffic
If blocking traffic isn’t an option, you can reroute legitimate traffic to a new IP address and change the Domain Name System (DNS) records, so the target moves out of the attackers’ sight. Internet service providers can also be contacted to help reroute DDoS traffic. Though a temporary solution, migrating traffic may stop small-scale DDoS attacks and can buy time for other defense measures.
3. Use Additional Firewalls and Defense Software
Apply additional firewalls and DDoS protection services where possible. Some applications, like the Google Cloud Platform, come with firewall rules built in that can be configured any time. Web application firewall plugins can also be installed immediately as an extra measure, like the Wordfence plugin for WordPress sites.
4. Stop the Services Under Attack
In extreme cases, you can completely shut down the services being attacked to prevent immediate damage. While this will stop attacker traffic, it also stops all legitimate user traffic. Stopping services can cost businesses potential customers and revenue, making it a last-resort measure for stopping DDoS attacks.
How to Prevent a DDoS Attack
To avoid becoming a victim of a DDoS attack, companies can take these preventative steps.
- Scale up connection servers
- Protect important endpoints
- Build websites in pieces
SCALE UP CONNECTION SERVERS
In the Pluralsight course “Ethical Hacking: Denial of Service,” instructor Troy Hunt explains that DDoS does its damage by taking up all the network connections or bandwidth the company should be spending on legitimate users. Quickly scaling up servers to handle more connections and bandwidth can mitigate the issue — but can also be expensive. Companies that host their sites on cloud providers usually have easy access to this option.
PROTECT IMPORTANT ENDPOINTS
Hunt explains in his course that another strategy is for companies to place endpoints that perform resource-intensive functions behind some kind of protection, making it difficult for bots to get to them. For instance, companies can prevent bots from quickly tying up server resources by placing endpoints with intensive database queries or large file downloads behind login pages. The ubiquitous CAPTCHA test, with its wavy words or images for users to decipher, is another way of protecting resource-hungry endpoints from bots.
BUILD WEBSITES IN PIECES
The way companies architect their websites is also important, Hunt says. Coding a website as interconnected components, instead of an interdependent monolith, would allow other sections of a site to remain functional even if one section is affected by a DDoS attack.
DDoS Attack Recovery
DDoS can damage a company’s reputation, negatively impact revenue and require substantial spending to recover from the attack. Hunt explains in his Pluralsight course that legitimate users and customers aren’t able to access the targeted site, which prevents the business from operating normally and cuts off purchases and ad revenue from the site.
DDoS attacks cannot directly steal information from a target, but attackers have been known to use DDoS to distract companies from concurrent cyberattacks — while the organization is busy trying to manage the DDoS, attackers go after their true objectives. And DDoS attacks that go on for an extended period of time can be used to extort their targets, similar to ransomware attacks.
If a company has suffered from a DDoS attack, or if it’s not yet encountered one, there are a few measures it can take to be prepared for the future.
CREATE A RESPONSE PLAN
Hunt explains in his course that the best way to respond to a DDoS attack is to already have a plan in place when it occurs. It’s a good idea to prepare a company statement that would be released to the public and a subsequent clean-up process in the event of an attack.
As an immediate response, attempt to challenge or block the flow of traffic from the DDoS source or sources. Once traffic is filtered safely, attempt to identify the offending machines and stop their access to the site. Some of these responses can be more easily carried out with the help of a DDoS protection service, as explained later.
ESTIMATE COST OF ATTACKS
Companies should also think about the costs associated with a DDoS attack on their particular sites and use that estimate to determine what they’re willing to pay to resolve an attack.
Trying to make a cost-benefit calculation in the middle of a crisis isn’t a good idea, Hunt says, especially if the attack is costing the company revenue every minute.
USE DDOS PROTECTION SERVICES
It can be difficult for individual companies to handle attacks involving multiple types of DDoS, especially because some varieties are more challenging to detect than others. Cloudflare CTO John Graham-Cumming told Built In the hardest types for companies to detect are application layer attacks, where DDoS attacks can look like regular requests, aside from the volume.
This is where DDoS protection as a service comes in for support.
Cloudflare is one of the largest of these DDoS protection services. It uses some of the same techniques that individual companies use to protect against DDoS, but as stated on the company’s blog, its biggest weapon is a large network of servers around the world that intercept web traffic on behalf of customers.
Even when a DDoS attack is directed at a customer, Cloudflare is able to absorb the onslaught of data by spreading it across Cloudflare’s network and splitting the work across many servers. At each server, Cloudflare checks for each type of DDoS attack and filters requests accordingly. Some of this analysis is helped along by machine learning, Graham-Cumming said.
Graham-Cumming recommended that customers using DDoS protection services set up filtering on their traffic — so their servers only accept traffic coming from the service’s IP address — to further mitigate any risks.
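The origin-side filtering Graham-Cumming recommends, sketched as an added example (not code from Cloudflare or the article). The address ranges are placeholder documentation prefixes standing in for the list a protection service publishes, and the example goes one step further than the text by assuming the service passes the visitor's address in an X-Forwarded-For header, which is trusted only when the connection itself comes from the service.

```python
from ipaddress import ip_address, ip_network

# Placeholder ranges (documentation prefixes). In production, load the list
# your protection service publishes and refresh it when it changes.
SERVICE_RANGES = [ip_network(n) for n in
                  ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48")]

def normalize(addr):
    """Parse an address; unwrap ::ffff:a.b.c.d as reported by dual-stack sockets."""
    ip = ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip

def from_service(peer):
    """True only if the TCP peer is inside one of the service's ranges."""
    try:
        ip = normalize(peer)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in SERVICE_RANGES)

def handle(peer, headers):
    """Return (status, client_ip). Direct-to-origin traffic is refused, so a
    forwarded-address header sent by anyone but the service is never read."""
    if not from_service(peer):
        return 403, None
    # With one trusted proxy in front, the right-most entry is the address
    # that proxy saw; anything to its left is client-supplied.
    last = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
    try:
        return 200, str(normalize(last))
    except ValueError:
        return 200, str(normalize(peer))  # header missing or unparsable
```

The same allowlist belongs in the network firewall in front of the origin as well, so that traffic bypassing the service is dropped before it consumes a server connection.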
With business-side strategies prepared in advance and technical protective measures in place, companies won’t be caught off guard and can survive a DDoS attack.
How Does a DDoS Attack Work?
The core of a DDoS attack is denial of service, which was first seen in the 1990s, when most people with computers browsed the internet using a dial-up connection, explains Tom Scott on Computerphile. Dial-up is slow: it tops out at 56,000 bits per second, less than 1 percent the speed of modern broadband connections. As stated in a blog post by SolarWinds, those speeds make watching videos in real time impossible, and even loading a single page on a modern website would take more than a minute on average.
In the Computerphile video, Scott explains that attackers who had access to faster internet speeds, such as the broadband available to business and university computers, would select a target and send a flood of data at it, leaving the target unable to make additional connections. The most important factor in a successful attack was having a faster internet connection than the target, so the target would run out of bandwidth for handling other requests.
Scott says that, although this type of cyberattack doesn’t steal any information or permanently harm systems, it poses a problem for websites, which are prevented from serving their users due to the attackers crowding out all the legitimate requests.
These days, Scott points out, this type of denial-of-service flood attack is less popular, because it’s hard to have one computer with enough bandwidth to take down a website on its own. But attackers are pretty creative, and there are flavors of denial of service that get around that issue.
Types of DDoS Attacks
- Slowloris Attack
- Application Layer Attack
- SYN Flood Attack
- Amplification Attack
Graham-Cumming says these days it’s common for attacks to use multiple types of DDoS in a single attack: “It’s just an attempt to overwhelm the network, so they’ll try to send as many different things as possible,” he said.
The attacks tend to fall into four categories.
1. SLOWLORIS ATTACK
Instead of sending as much data as possible through the attacker’s computer, a Slowloris attack extends the length of time of each request indefinitely by taking advantage of how web servers and clients communicate.
This method ties up connections to the server and eventually monopolizes all traffic to the targeted server. For attackers, the advantage of Slowloris attacks is that they don’t take a lot of bandwidth, but the attack is only effective on servers that have difficulty handling a large number of concurrent connections.
2. APPLICATION LAYER ATTACK
An application layer attack works like denial-of-service flood attacks, just on a larger scale, according to Cloudflare’s website. Bots send a torrent of traffic at a target, crowding out other users trying to access the target server.
Attackers typically direct the traffic at time-intensive endpoints on the target — think requests that require large database queries or generate big files. These types of endpoints don’t require a lot of resources on the part of the attacker to hit, but they are bandwidth-intensive for the target to respond to. That means the target may quickly burn through its resources.
3. SYN FLOOD ATTACK
This type of DDoS attack targets the way that internet protocols — the rules that facilitate how computers communicate over the internet — are supposed to work.
An example outlined by Cloudflare is the SYN flood attack, which targets the transmission control protocol (TCP). In a normal TCP transaction, the client and the server establish a connection by exchanging a standardized series of messages known as a “handshake” to communicate acknowledgements. This handshake tells both sides that a connection is successfully established.
Similarly to a Slowloris attack, a SYN flood attack sends only the first part of the three-part handshake to the target server. The server then responds with the second, but the attacker does not send the final acknowledgement, leaving the server waiting and unable to use that connection to respond to additional requests for a while. Having a botnet do this multiplies the effect on the target.
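On the server, handshakes that are still waiting for the final acknowledgement show up as sockets in the SYN-RECV state. The following added example (not from the article or Cloudflare) counts them per listening port from `ss -tan` style output; the sample text, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

def sample_ss():
    """Constructed `ss -tan` style output; documentation addresses only."""
    rows = ["State     Recv-Q Send-Q Local Address:Port  Peer Address:Port",
            "LISTEN    0      128    0.0.0.0:443         0.0.0.0:*",
            "ESTAB     0      0      192.0.2.10:443      203.0.113.5:51514",
            "ESTAB     0      0      192.0.2.10:22       203.0.113.9:40022"]
    for i in range(40):  # 40 half-open handshakes, each from a different source
        rows.append(f"SYN-RECV  0      0      192.0.2.10:443      "
                    f"198.51.100.{i + 1}:{40000 + i}")
    return "\n".join(rows)

def half_open_by_port(ss_text):
    """Per local port: SYN-RECV count, ESTAB count, distinct SYN-RECV peers."""
    stats = defaultdict(lambda: {"syn_recv": 0, "estab": 0, "peers": set()})
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN and other states are not counted
        port = f[3].rsplit(":", 1)[1]   # rsplit keeps bracketed IPv6 intact
        peer = f[4].rsplit(":", 1)[0]
        s = stats[port]
        if f[0] == "SYN-RECV":
            s["syn_recv"] += 1
            s["peers"].add(peer)
        else:
            s["estab"] += 1
    return stats

def syn_flood_suspects(ss_text, min_half_open=25, ratio=5.0):
    """Ports whose half-open sockets are numerous and dwarf established ones.
    Returns {port: (half_open, established, distinct_peers)}."""
    out = {}
    for port, s in half_open_by_port(ss_text).items():
        if (s["syn_recv"] >= min_half_open
                and s["syn_recv"] >= ratio * max(s["estab"], 1)):
            out[port] = (s["syn_recv"], s["estab"], len(s["peers"]))
    return out
```

A distinct-peer count close to the half-open count means each source appears only once, so per-address blocking will not relieve the backlog on its own.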
4. AMPLIFICATION ATTACK
Amplification attacks take advantage of a variety of internet protocols to multiply the size of each request sent from an attacker, Cloudflare notes. For instance, the DNS amplification attack uses the DNS protocol, which computers normally use to look up the IP address that corresponds to a given website URL, a step that makes navigating the internet possible. Clients normally send a request containing the website URL they want to look up to a DNS server, and get back a response with the corresponding IP address.
Cloudflare explains that the attacker carries out DNS amplification by “spoofing” where the request came from — making the DNS server think the request was sent from the target rather than the attacker. The request will usually ask the DNS server for a large amount of data, which the DNS server then sends along to the target. The amplification effect comes from the comparatively small bandwidth it takes for the attacker to send the request, relative to the bandwidth required for the target to receive the response, and from the attacker’s ability to send requests to multiple DNS servers. As with all distributed attacks, this is multiplied by the number of bots in the botnet carrying out the attack.