DDoS Attack Prevention and Response Tactics

Developing an effective response to distributed denial-of-service (DDoS) attacks requires taking specific steps for prevention, detection, verification, containment, eradication and recovery. This piece explains how the DDoS threat is evolving and provides a step-by-step playbook to ensure your organization is protected against DDoS attacks. 

DDoS Attack Trends 

A DDoS attack is an attempt by attackers to keep users from accessing a networked system, service, website, application or other resource by flooding the target with packets/requests and slowing down or completely halting its operation. SYN attacks remain the most popular attack vector used by DDoS attackers, but RST, UDP and DNS amplification attacks are also common. 

Types of DDoS Attacks

DDoS attacks come in three forms: 

• Network volumetric DDoS: This is the most common DDoS attack. This attack floods the network target and consumes all available network bandwidth. 
  
• Protocol DDoS: This attack works by filling up firewall and router connection tables so that networking tools can’t handle the number of packets being sent to them. 
  
• Application DDoS: This attack is intended to consume web, DNS or other kinds of application server resources. Forcing the application to deal with a flood of illegitimate requests prevents legitimate requests from getting through. 
  

DDoS Attack Prevention

DDoS prevention starts with preparing measures to ensure effective and efficient response to incidents. To recap the recommendations outlined in IANS’ DDoS Protection Checklist, ensure you: 

• Enable DDoS protection on network hardware: Ensure routers, load balancers and firewalls have specific protection policies enabled and are configured for high availability and redundancy. 
• Enable DDoS protection on network intrusion detection/prevention systems (IDS/IPS): Enable rules that protect against DDoS and block rules for unapproved protocols often used in these attacks, such as NTP and ICMP. 
• Enable DDoS protection on web application firewalls (WAFs): Enable anomaly detection and any client classification rules that detect or block known malicious or redirected traffic. 
• Update incident response plans with your ISPs: Ensure protections are in place with your ISPs and build a playbook for detection and response that includes contact numbers, service-level agreements (SLAs) and escalation paths. 
• Deploy DDoS protection tools/appliances: These tools can offer solutions for packet scrubbing, DNS redirection, DNSSEC, geographic blocking, web application firewall (WAF)/ filtering, caching and flow monitoring. For cloud environments, consider evaluating/implementing cloud DDoS protection such as AWS Shield or Akamai. 
  

In addition to the aforementioned DDoS prevention steps, create an incident response plan that: 

• Defines the resources, tools and procedures required to minimize the risk and costs of a DDoS incident. 
• Includes critical topics such as risk assessment, roles and responsibilities, mitigation strategies, monitoring, attack recovery and communications planning.
  

During the planning phase, you should also make sure you understand where single-points-of-failure are located and how you could mitigate threats to them. For high-impact assets, consider employing multiple ISPs. 

DDoS Attack Detection and Verification 

A DDoS attack is a complex challenge for a business to face, because often, it’s difficult to determine whether a spike in traffic is legitimate or an attack, especially if the proper tools aren’t in place. 

Detection can be automatic or manual. Manual detection usually occurs when people or customers complain about slow performance or inability to access resources, but there are also network monitoring tools from Cisco and SolarWinds that can automatically detect and alert that an attack is under way. Obviously, automatic detection is better because it occurs faster than a manual process ever could. 

If you suspect an attack is in process, you can also: 

• Try a ping request: If a TTL (time to live) count on a ping request times out, this may indicate a problem. The most obvious symptom of a DDoS attack is a site or service suddenly becoming slow or unavailable. 
• Review the logs: If accessible, log tools may show large spikes in traffic. A single or range of IP addresses might make up a very high number of requests, which could indicate an attack. 
• Review system errors: Look for problematic system responses. An example would be a web server that responds with a 503 error. 
• User or customer complaints: User reports of slowness is still the No. 1 way many people find out about an attack. 
  

Any of these signs may be indicative of an attack in progress. Once confirmed, it’s time to invoke the incident response plan. The immediate goal is always to mitigate business impact and get systems available again as soon as possible. 

DDoS Attack Containment, Eradication and Recovery   

Once an attack has been identified, it must be stopped or mitigated. If enough effort has been put into the planning phase, you should have good strategies in place with business systems prioritized. Some strategies for containment, eradication and recovery are more expensive than others, so be sure to factor in business criticality and impact. Key areas to consider include: 

• Leverage business continuity: Identify alternative courses for business or network operations. For example, you may choose to coordinate with your business continuity group to fail over to another site. Having more than one ISP is critical. 
• Set up alternative networks: Using a separate management network allows for greater security and possibly the ability to recover because it is a type of out-of-band access that may survive a failure in the production network. Using out-of-band networks or dial-up modems that provide dial-up access to key systems that may not be reachable on the network in the event of an outage can help you respond to and manage an incident. Make sure these devices or management networks are protected and have strong access control. 
• Deploy intelligent routing: Many DDoS mitigation solutions such as Cloudflare or Akamai use intelligent routing to break traffic into manageable chunks, preventing denial-of-service. 
• Set up allow-list network access: Create a list of priority IPs and services that must be allowed through and block everything else. 
• Coordinate with your ISP: Don’t fail to take the very basic step of coordinating with your ISP. It is often better positioned to respond to and mitigate an attack. 
• Try data scrubbing: With this method, the traffic destined for a particular IP address range is redirected to a data center, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination. Although most scrubbing service providers offer strong DDoS mitigation capabilities, enterprises should evaluate the provider’s infrastructure capacity and service levels to ensure it will be sufficient. A good rule of thumb is to look for mitigation networks with at least two or three times the capacity of the largest attacks you’ve seen against your network. 
• Buy enough network bandwidth: The most basic way to make an organization resilient to DDoS attacks is to have ample network bandwidth for very high loads right from the beginning. However, this is not always the most efficient way of dealing with these attacks, because it requires purchasing more bandwidth than you would need on average. 
  

DDoS Attack Mitigation 

Usually, no single strategy alone will fully mitigate a DDoS attack. It’s important to take a multi-strategy approach based on your business risk. And the more strategies you use, the more important it is to test them to ensure they will work as expected when a real attack occurs. 

Tabletop and other simulated exercises can help test both tools and processes, and verify they perform as expected. It’s also critical to learn from these activities and adjust the plans, as necessary. 

Defending Against DDoS Attacks 

DDoS attacks remain an ongoing threat for many companies, but with the right preparation and incident response processes, the business impact of these attacks can be mitigated. To ensure you have the best defenses in place, make sure you: 

• Plan in advance: The more that can be done in the planning phase, the more smoothly the other phases will go. Make sure you understand the potential business impact of a DDoS attack and plan your security controls accordingly. 
• Use multiple DDoS mitigation strategies: Strategies including traffic allow-listing and alternate ISPs can be used together to create a comprehensive DDoS response strategy. 
• Fit your strategies to your specific risk profile and business: This helps avoid going overboard on spending. 
  

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.