Six Steps to Dealing with a DDoS Attack

Sharon Holland

This month we are sharing a blog from our security partner Oracle Dyn that takes a look at dealing with DDoS attacks.

If a DDoS attack hasn’t happened to your organization yet, odds are one will eventually. So it’s crucial to familiarize yourself with DDoS attack mitigation best practices.

Verizon’s 2018 Data Breach Investigations Report placed DDoS attacks at the top of its Incidents by Pattern list, and thanks to the rise in Internet of Things devices, the number of attacks has increased a staggering 91%.

The following steps will help you with DDoS attack mitigation.

1. Don’t Panic

Your site is down. Your support team is inundated with calls, your organization is losing revenue, and everyone is looking to you for a solution … now. The most important thing you can do is remain calm and maintain control of the situation.

2. Have a Communication Plan

Transparency is key. Over-communicate. If your site is down, redirect customers to a status page that tells users the outage is temporary and that your team is working to restore service. Host that status page on separate infrastructure (different hosting and, ideally, a different DNS provider) so it does not go down with the site it describes. Have the message prepared in advance and, where possible, automated in response to customer inquiries to reduce the load on the support team.

3. Identify the Attack

There are a number of ways that a website can be taken offline or have its performance negatively affected. For example, something that may look like a DDoS attack may actually be a bot crawling your site and severely reducing availability, in which case the solution would be different. In order to find the right solution, you have to first find the actual problem.

Check your log data for these tell-tale signs:

  • A single IP address, or a small set of addresses, making a high volume of requests in a short window of time (on its own this points to a single-source DoS or an aggressive crawler rather than a distributed attack)
  • Massive spikes in total traffic spread thinly across many source addresses, often sharing the same User-Agent, request path or geography, so that no single address looks unusual
  • Requests for the same expensive resource (search, login, large downloads) repeated far beyond normal rates

You can also check availability and response time from outside your own network with free external monitoring tools such as site24x7 or WebSitePulse; an HTTP check from several locations tells you whether the site is unreachable for everyone or only from where you are sitting.

Some DDoS attacks are short and sharp and only take a site offline for minutes; others are low and slow and can run for months. That is why it pays to baseline your normal traffic patterns ahead of time, review logs regularly, and set up alerts that flag deviations from that baseline.

4. Clear Your Logs

During an attack, your systems try to log every malicious request. At attack volumes, logging itself consumes disk, I/O and CPU, and a log volume filling up or a log shipper backing up can cascade into other components failing one after another, depending on how they are connected. Once you have identified the type of attack and the logs are no longer capturing useful data, reduce the burden: lower verbosity or sample the attack traffic, rotate and offload what has already been written, or turn off access logging for the flooded endpoint. Do not simply delete the logs. Keep a representative sample of the attack (source addresses, user agents, request paths, timing) on separate storage; you will need it for the mitigation step, for your provider, and for any later investigation.

5. Mitigate Suspicious Traffic

Once you have determined which botnet(s), bot behaviours and (sometimes) IP addresses are responsible for the attack, you can act. It is tempting to block everything that looks suspicious in the heat of the moment, but permanently blacklisting every IP address that trips an alert will also block legitimate traffic on false positives, and a single address may front many users behind a NAT or carrier-grade NAT. Prefer temporary blocks with an expiry, rate limits, or null-routing (dropping) the questionable traffic, and watch what happens next. Traffic that immediately retries from the same address is often a real user or a well-behaved client; attack traffic tends to move to new source addresses once a block takes effect. Revisit each block before it expires rather than letting it become permanent.

In this screenshot from Oracle Dyn Web Application Security, 99% of the traffic is blocked and confirmed as attack traffic. Only 1% of the traffic is legitimate:

[Screenshot: Oracle Dyn Web Application Security dashboard]
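To make steps 3 and 5 concrete, here is an added example that is not code from the original post or from Oracle Dyn's product. It runs two indicators over constructed access-log lines in the combined format nginx and Apache write: a per-IP request rate, which catches a single aggressive source, and an aggregate rate against a normal baseline, which catches a flood spread so thinly over many addresses that no per-IP threshold fires (the common User-Agent during the spike is then a cheap grouping key). Offenders go into a blocklist whose entries expire and which counts how often a blocked source comes back, instead of a permanent blacklist. The log regex, the thresholds, the addresses, and the User-Agent strings are all assumptions made for the example.

```python
# Added example, not code from the original post or from Oracle Dyn's product.
# Two DDoS indicators over constructed access-log lines, then blocks that expire.
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by nginx/Apache. The regex is an assumption
# about your log layout, not a vendor-supplied parser.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), req, status, ua, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    return d


def analyze(lines, window=timedelta(seconds=10), per_ip_limit=30,
            baseline_rps=2.0, spike_factor=10.0):
    """Sliding-window indicators. noisy_ips: single sources above per_ip_limit
    per window (a crawler or single-source DoS, not by itself distributed).
    spike: aggregate rate above spike_factor x baseline, which catches a flood
    spread over many addresses. top_ua: most common User-Agent in the spike."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    per_ip, recent, noisy, spike_ua = defaultdict(deque), deque(), set(), Counter()
    for e in events:
        t, q = e["ts"], per_ip[e["ip"]]
        q.append(t)
        while t - q[0] > window:            # drop timestamps outside the window
            q.popleft()
        if len(q) > per_ip_limit:
            noisy.add(e["ip"])
        recent.append(e)
        while t - recent[0]["ts"] > window:
            recent.popleft()
        if len(recent) / window.total_seconds() > baseline_rps * spike_factor:
            spike_ua[e["ua"]] += 1
    top_ua = spike_ua.most_common(1)[0][0] if spike_ua else None
    return noisy, bool(spike_ua), top_ua


class TemporaryBlocklist:
    """Blocks with an expiry plus a retry count, so decisions get revisited."""
    def __init__(self, ttl=timedelta(minutes=10)):
        self.ttl, self._until, self.retries = ttl, {}, Counter()

    def block(self, ip, now):
        self._until[ip] = now + self.ttl

    def is_blocked(self, ip, now):
        until = self._until.get(ip)
        if until is None:
            return False
        if now >= until:                    # expired: let it through again
            del self._until[ip]
            return False
        self.retries[ip] += 1               # a blocked source came back
        return True


def make_sample_log():
    """Constructed lines: ~1 req/s background from 5 clients, one crawler doing
    40 requests in 8 s, then 400 requests in 4 s from 200 addresses, one UA."""
    t0 = datetime(2018, 12, 20, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, t, ua, path="/"):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [line(f"198.51.100.{s % 5 + 1}", t0 + timedelta(seconds=s),
                  "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0") for s in range(60)]
    lines += [line("203.0.113.9", t0 + timedelta(seconds=20, milliseconds=200 * i),
                   "ExampleBot/1.0", f"/page/{i}") for i in range(40)]
    lines += [line(f"192.0.2.{i % 200 + 1}", t0 + timedelta(seconds=40, milliseconds=10 * i),
                   FLOOD_UA) for i in range(400)]
    return lines, t0


def demo():
    """Identify offenders, block them temporarily, and show the block expiring."""
    lines, t0 = make_sample_log()
    noisy, spike, top_ua = analyze(lines)
    bl = TemporaryBlocklist()
    for ip in noisy:
        bl.block(ip, t0)
    still_blocked = all(bl.is_blocked(ip, t0 + timedelta(minutes=1)) for ip in noisy)
    expired = not any(bl.is_blocked(ip, t0 + timedelta(minutes=11)) for ip in noisy)
    return noisy, spike, top_ua, still_blocked, expired, dict(bl.retries)


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` reports the crawler as the only noisy address, a confirmed aggregate spike whose dominant User-Agent is the flood's, and a block that holds at one minute and has lapsed at eleven. The flood's 200 addresses never appear in the per-IP list, which is the point: a single-IP threshold alone would have missed the distributed attack, and a block-and-forget blacklist would have held the crawler forever.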

6. Know and Use Your Resources

You should know your DDoS solution inside and out – not just the dashboards and reports you see on a daily basis, but also the tools that are offered during an attack. Some DDoS vendors also provide additional support from a team of experts who are trained specifically to deal with these types of attacks.

It’s not always enough just to have a DDoS attack mitigation service in place. Understanding the quality of your DDoS protection is key, because not all solutions provide the same calibre of mitigation. Ask your provider for data showing how their product performs, such as how stable their traffic redirects are under load, how quickly mitigation engages once traffic is handed off to them, and what got through during past attacks. Rehearse the hand-off before you need it.

Think your sites may not have the protection they need? Contact activereach or call us on 0845 625 9025 and we can help you.

This blog was first published on the Oracle Dyn blog on 20th December 2018 by Rebecca Carter.