DDoS attack – How Would You Respond?

Thursday, 9:31am

For Elliot Wicks, IT Manager at top UK wig retailer Hairy Mary, it’s just another Thursday. The sun is shining outside the office in central Manchester, the smell of coffee wafts through the air, life is good.

All of a sudden, hundreds of error messages start popping up on Elliot's screen. Something is wrong with the website, and it looks like it is about to crash. The system is being hit with a DNS reflection attack, flooding the servers with tens of thousands of requests every second.

Because the business is predominantly online, the attack is blocking legitimate user traffic, such as customers looking to buy a new wig. The website can usually handle around 1,000 requests per second, but this is on a whole new level. In the last 2 minutes the requests have climbed into the hundreds of thousands, hitting 200,000 per second by the time Elliot starts notifying his security team.

After a few minutes, the flow seems to slow down, and the staff are able to get the website up and running again. The security team have notified their DDoS mitigation provider, so everyone is ready if there’s another attack today.

After 37 minutes it happens again. Another wave of requests has come in, crashing the website for a second time. The mitigation system starts rerouting the traffic to scrub it for attacker sessions, eventually allowing the website to get back online.

Thursday, 11:48am

After a break, another attack hits the servers. This attack seems to be much stronger, and Elliot is seriously worried about the customer-facing areas of their system. This time it’s a TCP attack, hitting hard with over 300,000 SYN requests per second.

Despite the mitigation system trying to reroute the attack, the malicious traffic prevails and is able to hit the system, shutting the website off from the rest of the customers. It is another 25 minutes before the system fully recovers and legitimate traffic can access the site again.

Thursday, 1:03pm

Finally, the attack is over. Elliot and the security team are relieved and continue with their usual work.

The next day, the team receive a report on how they did and what they can learn. But how can that be?

The attack was fake! It was a test for the members of the security team, their system and their external DDoS mitigation provider. It allowed Hairy Mary's staff to practise their procedure for handling an attack.

What Hairy Mary learnt from the attack

From the attack, Hairy Mary learnt some good and bad things about their systems:

  • Their mitigation system was able to detect different types of attack
  • The significant amount of downtime experienced means they wouldn't be able to deal with a larger-scale attack
  • Their mitigation system takes too long to reroute the traffic
  • This was only a simple, network-layer attack. For a more complex attack, such as an application-layer attack, it is not known how the system would respond
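The post-test report boils down to a few numbers per wave: when the rate crossed the attack threshold, how high it peaked and how long it stayed there (the time the mitigation took to take effect). The script below is an added example, not activereach's tooling, that derives those numbers from a per-second request-rate series; the timeline, the 10x-baseline threshold and the tolerated-downtime figure are constructed assumptions built around the rates in the scenario.

```python
from dataclasses import dataclass

BASELINE_RPS = 1_000   # normal load the site handles (figure from the scenario)
ATTACK_FACTOR = 10     # assumed: a rate above 10x baseline counts as attack traffic

@dataclass
class Wave:
    kind: str
    start: int   # first second above threshold
    end: int     # last second above threshold
    peak: int

    @property
    def duration(self) -> int:
        return self.end - self.start + 1

def find_waves(samples, baseline=BASELINE_RPS, factor=ATTACK_FACTOR):
    """samples: iterable of (second, kind, rate) in time order.
    Groups consecutive over-threshold samples into Wave objects."""
    threshold = baseline * factor
    waves, cur = [], None
    for sec, kind, rate in samples:
        if rate > threshold:
            if cur is None:
                cur = Wave(kind, sec, sec, rate)
            else:
                cur.end, cur.peak = sec, max(cur.peak, rate)
        elif cur is not None:   # rate dropped back: the wave has been mitigated
            waves.append(cur)
            cur = None
    if cur is not None:
        waves.append(cur)
    return waves

def scorecard(samples, tolerated_seconds):
    """Per-wave time-to-mitigate, plus pass/fail against the outage the business
    says it can tolerate (tolerated_seconds is an assumed input)."""
    waves = find_waves(samples)
    return {"waves": len(waves),
            "worst_seconds": max((w.duration for w in waves), default=0),
            "total_seconds": sum(w.duration for w in waves),
            "passed": all(w.duration <= tolerated_seconds for w in waves)}

def constructed_timeline():
    """Constructed series (not real data): (seconds, kind, rate) segments mirroring
    the scenario: two DNS-reflection waves, then a 300k/s SYN wave lasting 25 min."""
    segments = [(60, "dns", 1_000), (120, "dns", 200_000), (60, "dns", 1_000),
                (300, "dns", 150_000), (60, "dns", 900),
                (1_500, "syn", 300_000), (60, "syn", 1_000)]
    samples, sec = [], 0
    for length, kind, rate in segments:
        for _ in range(length):
            samples.append((sec, kind, rate))
            sec += 1
    return samples
```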

Why is DDoS mitigation testing so important?

So why should you test your DDoS mitigation? Well, if what Hairy Mary learnt from the test isn’t enough, below is a list of other important reasons why you should test your systems:

  • First and foremost, there are huge consequences to leaving your systems unprotected or your mitigation untested. You could end up being subject to:
      ◦ Loss of service availability (downtime) for a period of time
      ◦ Another attack in concert with the DDoS attack hitting your system, which could penetrate your network and/or steal data
      ◦ Loss of revenue through reputation damage and loss of sales during any downtime
  • Mitigation systems can be a substantial investment, and testing is a way to make sure you're getting what you pay for.
  • Staff members are continually changing, as is the threat landscape. It is crucial to ensure your staff are following the correct procedure and that they (and your mitigation) can keep up with the evolving threats.

A DDoS test can help you to discover what a DDoS attack looks like on your network and what your system can handle, so that in the future you can react quickly, minimize damage and efficiently spend money on the right mitigation for you.

activereach DDoS Testing

activereach is a leading provider of the DDoS testing service. We provide a pre-test consultation to establish what is needed, progress updates throughout the test, and a post-attack analysis to help you understand what the results mean.

We would recommend that any business conduct a DDoS test; DDoS attacks are on the rise and it's more important than ever that you are prepared.

If you would like to find out more about DDoS testing from activereach, please see our page on DDoS testing or give us a call on 0845 625 9025.