2020 was the year of the DDoS attack. Distributed Denial of Service (DDoS) attacks spiked over the last year, driven by the pandemic and the fact that so many people were locked down, working from home, and using online services to get through the pandemic.
According to a report from NETSCOUT, more than 10 million DDoS attacks were launched last year, targeting many of the remote and essential services people were using to make it through the lockdown. Healthcare, remote learning, e-commerce, and streaming services were all hit hard by DDoS attacks, which often interrupted business operations or caused some businesses to fall victim to extortion by the criminal behind the attack.
Despite the rise in DDoS attacks, they’re not inevitable. Read on for best practices on how to prevent DDoS attacks.
What is a distributed denial of service (DDoS) attack?
A distributed denial-of-service (DDoS) attack is an attempt to disrupt the traffic of a targeted server, service, or network by overwhelming it with a flood of Internet traffic. By sending too many requests for information to a server, site, or network, a DDoS can effectively shut down a server — leaving it vulnerable and disrupting the normal business operations of an organization.
How does a DDoS attack work?
A DDoS attack begins by building a network of compromised machines. Attackers infect IoT devices with malware, creating botnets that can be remotely directed to carry out an attack. The bots in a botnet overload a network by sending a flood of disruptive requests to the IP address of the target, which can eventually result in a denial of service.
What are the common types of DDoS attacks?
When looking across the scope of DDoS attacks, the most common types of attacks include:
- Volumetric DDoS attacks
- Protocol DDoS attacks
- Application DDoS attacks
Volumetric DDoS Attack
The most common type of DDoS attack, volumetric attacks flood a machine’s or a network’s bandwidth with false data requests on every available port. This overwhelms the network, leaving it unable to accept its regular traffic. There are subcategories of volumetric attacks as well. The most common type of volumetric attack is a UDP (User Datagram Protocol) flood, which is often used to send forged UDP packets with false source addresses — like the IP address of the victim — to servers for UDP-based applications, generating a flood of reply traffic aimed at the victim. Rachel Kratch of Carnegie Mellon’s Software Engineering Institute likens it to calling every pizza place in town and ordering several pizzas to be delivered to someone you don’t like. ICMP (Internet Control Message Protocol) floods, on the other hand, send false error requests to a target, tying it up so that it can’t respond to normal ones.
Protocol DDoS Attack
Protocol DDoS attacks target the protocols used in transferring data to crash a system. One of the most common is a SYN flood, which attacks the process of making a TCP/IP connection by sending a flood of SYN packets asking the victim to synchronize but never sending the acknowledgment that would complete the connection, tying up the system while it waits for connections that never finish. SYN floods are like telling a knock-knock joke that never ends: knock knock, who’s there, knock knock, who’s there, knock knock…
Application DDoS Attack
Similar to protocol attacks, application attacks target weaknesses in an application. These attacks focus primarily on direct web traffic and can be hard to catch, because a machine may think it’s dealing with nothing more than a particularly high level of Internet traffic.
Why is it important to prevent DDoS attacks?
It is essential to put measures in place to prevent your network from becoming overloaded or unusable for periods of time, especially in times when you need it most.
While implementing a strong mitigation strategy against DDoS attacks can be time-consuming, having that strategy in place means you can have stronger peace of mind. More importantly, mitigation and catching early warning signs are ways to improve the strength of your organization’s cybersecurity posture.
10 ways to prevent a DDoS attack
While DDoS attacks come in many shapes and sizes, there are measures you can take to protect your organization from these threats. There is no one solution to preventing DDoS attacks, but using the following tips in conjunction can lessen the potential for one:
- Know your network’s traffic
- Create a Denial of Service Response Plan
- Make your network resilient
- Practice good cyber hygiene
- Scale up your bandwidth
- Take advantage of anti-DDoS hardware and software
- Move to the cloud
- Know the symptoms of a DDoS attack
- Outsource your DDoS protection
- Continuously monitor for unusual activity
Let’s take a closer look at the best practices your organization can take to prevent DDoS attacks.
1. Know your network’s traffic
Every organization’s infrastructure has typical Internet traffic patterns — know yours. When you understand your organization’s normal traffic pattern, you’ll have a baseline. That way, when unusual activity occurs, you can identify the symptoms of a DDoS attack.
2. Create a Denial of Service Response Plan
Do you know what will happen when and if a DDoS attack happens? How will your organization respond? By defining a plan in advance, you’ll be able to respond quickly and efficiently when your network is targeted.
This can take some planning; the more complex your infrastructure, the more detailed your DDoS response plan will be. Regardless of your company’s size, however, your plan should include the following:
- A systems checklist
- A trained response team
- Well-defined notification and escalation procedures
- A list of internal and external contacts that should be informed about the attack
- A communication plan for all other stakeholders, like customers or vendors
3. Make your network resilient
Your infrastructure should be as resilient as possible against DDoS attacks. That means more than firewalls, because some DDoS attacks target firewalls themselves. Instead, make sure you’re not keeping all your eggs in the same basket — put data centers on different networks, make sure that not all your data centers are in the same physical location, put servers in different data centers, and be sure that there aren’t places where traffic bottlenecks in your network.
4. Practice good cyber hygiene
It goes without saying that your users should be engaging in best security practices, including changing passwords, secure authentication practices, knowing to avoid phishing attacks, and so on. The less user error your organization demonstrates, the safer you’ll be, even if there’s an attack.
5. Scale up your bandwidth
If a DDoS attack is creating a traffic jam in your network, one way to make that traffic jam less severe is to widen the highway. By adding more bandwidth, your organization will be able to absorb a larger volume of traffic. This solution won’t stop all DDoS attacks, however. The size of volumetric DDoS attacks is increasing; in 2018, for example, a DDoS attack topped 1 Tbps in size for the first time. That was a record… until a few days later, when a 1.7 Tbps attack occurred.
6. Take advantage of anti-DDoS hardware and software
DDoS attacks have been around for a while, and some kinds of attacks are very common. There are plenty of products that are prepared to repel or mitigate certain protocol and application attacks, for example. It is also important to harden IT infrastructure by adjusting settings, removing unused ports, and enabling timeouts for half-open (partly open) connections.
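As an added example (not code from the original post), the check a defender can run for the SYN flood described under protocol attacks: given socket lines in the shape of `ss -tan` output (constructed here, not captured from a real host), it counts half-open (SYN-RECV) sockets against established ones on a service port and how many distinct sources the half-open ones come from. A high half-open ratio spread across many sources is the signature of a SYN flood rather than one slow client. The thresholds and the port are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan`
# (State Recv-Q Send-Q Local:Port Peer:Port); not real data.
# Three healthy connections and 30 half-open ones from 30 different sources.
SAMPLE_SS = ["State    Recv-Q Send-Q Local Address:Port Peer Address:Port"]
SAMPLE_SS += [f"ESTAB    0      0      10.0.0.5:443      10.0.1.{i}:5{i}000"
              for i in range(1, 4)]
SAMPLE_SS += [f"SYN-RECV 0      0      10.0.0.5:443      198.51.100.{i}:4{i}00"
              for i in range(1, 31)]


def parse_sockets(lines):
    """Yield (state, local_port, peer_ip) per socket line, skipping the header."""
    for line in lines[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        yield state, local.rsplit(":", 1)[1], peer.rsplit(":", 1)[0]


def half_open_report(lines, local_port="443", min_half_open=20, min_ratio=0.8):
    """Summarise half-open vs established sockets on one local port.

    A flood is suspected when there are at least min_half_open SYN-RECV
    sockets, they make up at least min_ratio of all connections, and they
    come from many distinct peers (a single stuck client would not).
    """
    states = Counter()
    syn_sources = set()
    for state, port, peer in parse_sockets(lines):
        if port != local_port:
            continue
        states[state] += 1
        if state == "SYN-RECV":
            syn_sources.add(peer)
    half_open, estab = states["SYN-RECV"], states["ESTAB"]
    total = half_open + estab
    ratio = half_open / total if total else 0.0
    suspected = (half_open >= min_half_open and ratio >= min_ratio
                 and len(syn_sources) >= min_half_open // 2)
    return {"half_open": half_open, "established": estab,
            "ratio": round(ratio, 2), "distinct_syn_sources": len(syn_sources),
            "syn_flood_suspected": suspected}


if __name__ == "__main__":
    print(half_open_report(SAMPLE_SS))
```

On Linux, the matching hardening for the "timeouts for half-open connections" point above is enabling SYN cookies (`net.ipv4.tcp_syncookies`) and lowering `net.ipv4.tcp_synack_retries`, so the backlog is not held hostage by handshakes that never complete.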
7. Move to the cloud
While this won’t eliminate DDoS attacks, moving to the cloud can mitigate them. The cloud has more bandwidth than on-premises resources, for example, and the nature of the cloud means many servers are not located in the same place.
8. Know the symptoms of an attack
Your network slows down inexplicably. The website shuts down. All of a sudden, you’re getting a lot of spam. Other common signs or symptoms of a DDoS attack include:
- Slow performance
- High demand from a single page or endpoint
- Outages or crashes
- Poor connectivity
- Any other signs of unusual traffic originating from a single IP address
9. Outsource your DDoS protection
Some companies offer DDoS-as-a-Service. Some of these companies specialize in scaling resources to respond to an attack, others bolster defenses, and still others mitigate the damage of an ongoing attack.
10. Continuously monitor for unusual activity
Once you know your typical activity and the signs of an attack, continuously monitor your network for odd traffic. By monitoring traffic in real time, your organization will be able to spot a DDoS attack when it starts and, from there, take action to mitigate it.
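As an added example (not the post's own code), the baseline-and-alert logic that items 1, 8 and 10 describe, run over constructed web-server-style request records: it learns a requests-per-minute baseline from a known-quiet window, flags minutes whose volume exceeds the baseline by a chosen number of standard deviations, and reports whether a single source IP or a single endpoint dominates the flagged minute, which are the symptoms listed above. The record format, the sigma threshold and the dominance share are assumptions.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample, one record per request: "<minute> <client_ip> <path>".
# Minutes 0-4 are quiet (20 requests each from spread-out sources);
# minute 5 adds 400 requests from one source to one endpoint. Not real data.
QUIET = [f"{m} 10.0.{i % 3}.{i} /page{i % 4}" for m in range(5) for i in range(20)]
BURST = ["5 203.0.113.7 /login"] * 400 + [f"5 10.0.1.{i} /page{i % 4}" for i in range(20)]
SAMPLE_LOG = QUIET + BURST


def parse(lines):
    """Group requests per minute: {minute: [(ip, path), ...]}."""
    per_min = defaultdict(list)
    for line in lines:
        minute, ip, path = line.split()
        per_min[int(minute)].append((ip, path))
    return per_min


def baseline(per_min, quiet_minutes):
    """Mean and population stddev of requests per minute over a known-quiet window."""
    counts = [len(per_min.get(m, [])) for m in quiet_minutes]
    return statistics.mean(counts), statistics.pstdev(counts)


def detect(per_min, mean, std, sigma=3.0, share=0.5):
    """Alert on minutes above mean + sigma*std; name a dominant IP/path if any."""
    alerts = []
    for minute in sorted(per_min):
        reqs = per_min[minute]
        # floor the stddev at 1 so a perfectly flat baseline still has a sane threshold
        if len(reqs) <= mean + sigma * max(std, 1.0):
            continue
        top_ip, ip_n = Counter(ip for ip, _ in reqs).most_common(1)[0]
        top_path, path_n = Counter(p for _, p in reqs).most_common(1)[0]
        alerts.append({
            "minute": minute, "requests": len(reqs),
            "dominant_ip": top_ip if ip_n / len(reqs) >= share else None,
            "dominant_path": top_path if path_n / len(reqs) >= share else None,
        })
    return alerts


def run(lines=SAMPLE_LOG, quiet_minutes=range(5)):
    per_min = parse(lines)
    mean, std = baseline(per_min, quiet_minutes)
    return detect(per_min, mean, std)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```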
How can SecurityScorecard help prevent DDoS Attacks?
Bad actors will always go after the most vulnerable part of an organization, system, or network. To help monitor your internet traffic, consider a solution that monitors your networks continuously, giving you an outside-in view of your company’s security. Our easy-to-read security ratings, based on an A-F scale, enable you to provide your leadership with the necessary documentation to prove governance over your vendor risk management program.
DDoS Attacks FAQ
While there is no way to completely prevent a DDoS attack, having in place a DDoS strategy that uses intrusion prevention and threat management, implementing mitigation strategies, and monitoring continuously can make it harder for malicious actors to carry out a DDoS attack.
There is no single best method for preventing a DDoS attack. Instead, it is vital to use a mix of prevention strategies like those discussed above, which can help reduce the potential for a DDoS attack and help mitigate the attack if it does occur.
Yes, malicious actors can use all three types of DDoS attacks (volumetric, protocol, and application) in order to overload a specific target.
Slow performance, high demand from a single endpoint, outages or crashes, poor connectivity, and any other signs of unusual traffic originating from a single IP address can indicate a DDoS attack is in progress.
The answer varies based on organization and industry. But at a minimum, the plan should be reviewed at least annually to ensure that the information is still up to date and applicable to any DDoS attack scenario.
While a firewall may block some traffic, in most cases firewalls will need extra support from other tools like the ones mentioned above in order to stop a DDoS attack.
A DDoS botnet is a collection of bots, or in this case IoT devices, that have been affected by malware. A bad actor will use these bots to send traffic to servers, attempting to overload them and carry out a DDoS attack.
DDoS resistance means an organization increases its bandwidth in order to handle the intense traffic spikes that come with DDoS attacks. While this won’t prevent an attack, it can help prevent downtime when used in conjunction with other tactics.