The distributed denial of service attack (better known as a DDos attack) is one of the most common and pervasive cyberattack methods known. These kinds of attacks happen all the time and can be very difficult to handle. However, there are numerous steps that you can take to protect yourself and your network. While prevention is the best medicine, prevention is not always possible. Here are some things that you should do when you find that you are being targeted with a DDos attack.
What Is A DDos Attack?
These attacks are very simple. They involve a large group of users (or perhaps a botnet) flooding a particular website or server at a specific time. Whenever you attempt to open a web page, a “connection request” is sent. This is normal, but any given server can only handle so many requests at once. When too many are sent at one time, the server or site has no choice but to shut down. The phenomenon is similar to the way a computer freezes up when you try to perform too many tasks at once.
1. Identify The Problem As Quickly As Possible
When you start to see a big spike in network traffic for no apparent reason, that’s a big red flag warning of DDos attack. Once you have noticed this spike, you can start acting to limit its effects. By looking at the IP addresses connected to the new requests, you can possibly find a common source. If nothing else, you can start blocking those addresses which have made repeated and frequent connection requests. This should be done at the network router level rather than the device or application level.
2. Trace The Source
If you don’t have some kind of network monitoring plan in place, that was your first mistake. You always need to keep an eye on your network activity. Even if you don’t catch the suspicious traffic initially, you can gather valuable information that will help you to deal with the consequences of an attack.
At a fundamental level, the internet is just a massive amount of information being exchanged between a massive number of machines. This information is chopped into small files called “packets.” The connection requests that we mentioned earlier represent one type of packet. In most cases, that packet will contain information that tells you from whence it came. Specifically, it will give you the IP address (i.e., location) of the machine that made the request. Packet capture software is, thus, highly essential for tracing the source of an attack.
3. Use Rate Limiting
The majority of DDos attacks are carried out using botnets. These are networks of hijacked machines that are working together for a single purpose. These are sometimes directed by an AI program, but not usually. More often, there is a particular person or persons hijacking machines and systematically adding them to the botnet. Unless that person has been very thorough in spoofing many different IP addresses, your packet capture software should show that many requests are coming from the same (or a closely similar) IP address.
Using this principle, people have made quite a few pieces of software that can identify and temporarily block IP addresses that show suspicious activity. Basically, if a particular IP (or range of IPs) is making frequent and repeated connection requests, that probably isn’t normal, organic traffic. Most botnets can be detected and stopped in this way. Likewise, networks can be configured to start dropping connection requests when a certain traffic threshold is reached, and this is the best way to go. Unfortunately, rate limiting is less effective against crowd-sourced attacks.
4. Have Your IT People Check On The Seedy Places
If you are dealing with a true crowd-sourced threat (such as a “hacktivist” group), the key is to find out where the attack has been coordinated. There are many message boards and chat sites where hackers (both amateurs and experts) gather. Your IT people should be able to find these, and should perform simple keyword searches. Make sure that they check both the surface web and the so-called “dark net.” Any time these sort of people are mentioning your company, it’s probably not a good thing. However, true crowd-based attacks require a means of mass communication, which is a glaring security hole. Once you know what they have done, you will know much better how to counter those actions.
5. Use A DDos Protection/Mitigation Service
DDos protection services use their own resources to augment your own. Thus, it becomes much harder for a group of users (or even a large botnet) to overwhelm the system. They also employ something that might be called a smart firewall. Unlike most firewalls, which simply block certain sources on request, a DDos protection will analyze the traffic and take action when suspicious activity is detected. Cloudflare is probably the best-known example of DDos protection software, but there are many others.
6. Take Your Important Data Offline
Sometimes DDos attacks are used as cover for larger attacks. In most cases, when someone does a DDos, they are simply trying to knock a particular website offline for as long as possible. These attacks, while annoying, don’t tend to create lasting damage. However, it is possible for people to use DDos attacks as a “foot in the door” technique, following up with some form of data theft.
So, how does it work? Well, this kind of thing is just a simple diversion technique. When a DDos attack is seen to be occurring, most (if not all) IT resources will be redirected towards dealing with that attack. Thus, they are likely to miss an attack from a different vector. It’s no different than feigning left so that you can attack the right, like so many great generals of the past. For this reason, sensitive data should be removed from the internet and/or compartmentalized immediately.
Thankfully, most DDos attacks are not that serious. The only real losses come from the network downtime incurred, but these are not permanent. The keys are vigilance, proper filtration of connection requests, and quick action. You must identify and cut off the source of the attack while placing your most important data out of reach. With that done, it’s a simple matter of blocking the relevant addresses and reporting them to the proper authorities.
If you would like to learn more about this (and other IT subjects), you can call PCH Technologies at (856) 754-7500. We provide all kinds of local managed IT services, and ours are considered to be the best IT services in New Jersey.