
Overwhelmed by garbage — that’s basically what happens when your company is targeted by a distributed denial of service (DDoS) attack. Although there are different types of DDoS attacks, they all aim to flood the attack target(s) — which could be a website, network or service — with large amounts of malicious traffic, to the point where normal access becomes impossible.
Think of the attack target as a city alleyway, in which people place their collected garbage and recyclables, and the legitimate requests for access to it as the city garbage trucks that normally conduct pickup. The DDoS attack is then like someone strewing lots of additional garbage and obstacles throughout that alleyway, preventing those trucks from completing their circuits.
So how can you stop a DDoS attack and prevent the substantial financial and reputational damage it can cause? The stakes for doing so are high.
According to Netscout, there was a 15% year-over-year increase in observed DDoS attacks in 2020, for an estimated 9 million incidents for the year. Moreover, each one can cost its target between five and seven figures in lost business revenue, per reports from Corero and Kaspersky Lab.
To mitigate DDoS threats, including volumetric, protocol-based and application layer attacks, we must first understand how these different DDoS attacks work on a technical level.
Let’s look at the three primary DDoS categories along with tips for reliably preventing a DDoS attack.
The three main types of DDoS attack — and how to mitigate each one
Before we dive all the way in, we should note that all types of DDoS attack leverage botnets, which are collections of computing devices under the attacker’s direct control. For example, a DDoS attacker might infect numerous PC and Internet of Things devices with malware and then remotely instruct them to send web traffic to a target.
Quick primer: How can you know if you’re under attack?
On the recipient’s end, the activities of a DDoS botnet usually manifest themselves in several ways:
- A website or service suddenly becomes unreachable.
- A large share of its traffic originates from the same IP address or from a tight IP address range.
- Web traffic comes from users with similar geographical locations and device types.
If some or all of these signs are apparent, you’re likely facing a DDoS attack. The type and complexity of the attack will in turn determine the appropriate mitigation steps.
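The "same IP / tight IP range" signs above can be checked mechanically against a web server's access log. The Python below is an added example, not code from the post or from any Telesystem tooling; the log lines, the log regex and the thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not from the post.
# Three hosts in one /24 hammer the front page while two other visitors browse normally.
SAMPLE_LOG = (
    ['198.51.100.7 - - [10/Mar/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120'] * 60
    + ['198.51.100.8 - - [10/Mar/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120'] * 25
    + ['198.51.100.9 - - [10/Mar/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120'] * 10
    + ['203.0.113.45 - - [10/Mar/2021:12:00:03 +0000] "GET /about HTTP/1.1" 200 2048'] * 3
    + ['192.0.2.200 - - [10/Mar/2021:12:00:04 +0000] "GET /contact HTTP/1.1" 200 1024'] * 2
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+')


def client_prefix(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so a tight range becomes visible."""
    addr = ipaddress.ip_address(ip)
    bits = 64 if addr.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def parse_sources(lines):
    """Return the client IP from every well-formed line; malformed lines are skipped."""
    return [m.group(1) for m in map(LOG_RE.match, lines) if m]


def concentration(lines):
    """Share of requests sent by the single busiest IP and by the busiest prefix."""
    ips = parse_sources(lines)
    total = len(ips)
    if total == 0:
        return {"total": 0, "top_ip": None, "top_ip_share": 0.0,
                "top_net": None, "top_net_share": 0.0}
    top_ip, ip_count = Counter(ips).most_common(1)[0]
    top_net, net_count = Counter(map(client_prefix, ips)).most_common(1)[0]
    return {"total": total, "top_ip": top_ip, "top_ip_share": ip_count / total,
            "top_net": top_net, "top_net_share": net_count / total}


def flood_indicators(lines, ip_threshold=0.4, net_threshold=0.7):
    """Apply the 'same IP / tight IP range' signs; the thresholds are illustrative."""
    c = concentration(lines)
    reasons = []
    if c["top_ip_share"] >= ip_threshold:
        reasons.append(f"{c['top_ip']} sent {c['top_ip_share']:.0%} of requests")
    if c["top_net_share"] >= net_threshold:
        reasons.append(f"{c['top_net']} sent {c['top_net_share']:.0%} of requests")
    return reasons
```

Concentration is a hint, not proof: a large NAT gateway or a proxying CDN also puts many legitimate requests behind one address, so tune the thresholds against your own traffic baseline.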
Volumetric attacks
This is one of the older types of DDoS attack, and it is designed to overwhelm the target with junk traffic. Typically, a large number of botnet devices send many small requests to unsecured infrastructure such as Domain Name System (DNS) servers, with the source address spoofed to the victim's IP address. The responses to all of these requests are therefore delivered to the victim, who isn't expecting them. Eventually, the victim's entire network bandwidth becomes saturated.
Another way to understand volumetric DDoS threats: Imagine someone orders a bunch of products online but sends them to your home address, creating a huge and neverending pileup. The overall process converts something small into something larger (and unwanted), greatly inconveniencing the victim.
DNS amplification, Network Time Protocol (NTP) amplification and memcached DDoS attacks all fit into this category. In each case, the target has no control over the infrastructure being exploited, while attackers send User Datagram Protocol (UDP) packets to exposed DNS, NTP and/or memcached servers. UDP packets are handshake-less, meaning data gets sent without the sender and recipient agreeing upon the transfers beforehand.
How to stop a volumetric DDoS attack
Most of the steps for stopping a volumetric DDoS attack are up to internet service providers (ISPs) or external makers of DDoS mitigation solutions, rather than the targeted website or organization. Some mitigation strategies include:
- Blackholing victim-bound traffic: The ISP prevents DDoS web traffic from reaching its target. This has the unfortunate side effect of making the site temporarily unavailable.
- Updating NTP servers: This closes known vulnerabilities that enable NTP amplification DDoS attacks.
- Implementing ingress filtering: ISPs can take this step to verify the source of internet traffic and filter out spoofed requests.
- Disabling UDP: Depending on the memcached server and mitigation tools in place (e.g., firewalls), UDP might not be needed.
- Using a firewall and other built-in protections on a high-capacity network: A provider like Telesystem can offer integrated DDoS mitigation for services that pass through our network.
Protocol attacks
DDoS protocol attacks are designed to consume all of the resources of Layer 3 and Layer 4 infrastructure such as servers, firewalls and load balancers. Basically, these components receive so many junk inquiries that they become unable to respond to legitimate requests.
SYN floods are one of the most common types of protocol attacks. They exploit the normal three-way handshake that the Transmission Control Protocol (TCP) uses to establish connections between client and server. In normal circumstances, the client sends a SYN (synchronize) message to the server, which returns SYN-ACK (synchronize-acknowledge), setting up the client to send back ACK to complete the connection.
But in a SYN flood, the final ACK never arrives. Accordingly, the request is left half-open. At scale, large amounts of such requests can render the server incapable of handling legitimate requests. It’s similar to a stock room filling up with requested inventory that never gets released.
How to stop a protocol DDoS attack
Stopping protocol attacks like SYN floods may involve multiple concurrent techniques, including:
- Allowing the operating system of the attack target to accommodate a larger number of half-open requests in its backlog.
- Using SYN cookies to drop SYN requests from the backlog and then reconstruct them only if the final ACK arrives.
- Placing a DDoS mitigation network between the attack target (in this case a server) and the source of the SYN flood to handle all handshaking before any web traffic reaches the victim.
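To show why SYN cookies let a server drop half-open entries from its backlog, here is an added Python model of the mechanism (not code from the post or from any operating system): the SYN-ACK's initial sequence number is a keyed hash of the connection 4-tuple and a coarse timestamp plus an encoded MSS, so the server stores nothing until a valid final ACK brings the cookie back. The bit layout, the MSS table and the 64-second counter are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Per-process server secret (constructed for this example; a real kernel rotates its own).
SECRET = os.urandom(32)
# Four MSS values the 2-bit field can encode; the table is illustrative, not Linux's.
MSS_TABLE = (536, 1220, 1440, 1460)


def _tag(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed MAC over the 4-tuple and the time counter, truncated to 25 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x01FFFFFF


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Initial sequence number for the SYN-ACK: 5-bit time counter | 2-bit MSS index | 25-bit MAC.
    Nothing is stored for the half-open connection, so the backlog cannot fill up."""
    counter = (now // 64) & 0x1F                      # 64-second steps, wraps every ~34 min
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):               # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    tag = _tag(src_ip, src_port, dst_ip, dst_port, counter)
    return (counter << 27) | (mss_idx << 25) | tag


def check_cookie(ack_num, src_ip, src_port, dst_ip, dst_port, now):
    """On the final ACK, rebuild the connection from the cookie alone.
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    cookie = (ack_num - 1) & 0xFFFFFFFF               # the client ACKs our ISN + 1
    counter, mss_idx, tag = cookie >> 27, (cookie >> 25) & 0x3, cookie & 0x01FFFFFF
    current = (now // 64) & 0x1F
    if (current - counter) % 32 > 1:                  # accept the current and previous step only
        return None
    expected = _tag(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(tag.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

On Linux the kernel's own implementation is switched on with the net.ipv4.tcp_syncookies sysctl and the backlog size from the first bullet is net.ipv4.tcp_max_syn_backlog; the kernel's cookie layout differs from this model.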
Application layer attacks
Application layer DDoS attacks involve Layer 7, the highest layer of the Open Systems Interconnection Model, where users actually interact with webpages. This type of attack exploits the imbalance between the costs of generating a request on the client side (cheap) and responding to it on the server side (expensive).
An HTTP flood is a type of application layer attack in which a botnet overwhelms the server with requests to load and render a page, straining its resources so that it can no longer serve legitimate requests. Imagine hitting the refresh button on thousands of Chromebooks trying to reach the same site, over and over again.
How to stop application layer DDoS attacks
Application layer attacks can be particularly tricky to deal with because you have to be able to precisely separate legitimate requests from junk traffic. Unlike in volumetric or protocol attacks, botnet traffic in an application layer attack is much likelier to seem “normal.” Some of the common approaches to mitigation include:
- Configuring CAPTCHAs and computational challenges to limit the flow of requests to a server.
- Setting up a web application firewall (WAF) to limit traffic based on specified rules and function as a reverse proxy between the client and the server. WAFs can filter, monitor and block HTTP requests, stemming the efficacy of HTTP floods.
- Diffusing the traffic to another network or blackholing it.
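Because a request is cheap to send but expensive to answer, a WAF rule that merely counts requests per client undercharges an HTTP flood aimed at heavy pages. The Python token bucket below is an added example (not code from the post or from any WAF product) that charges each request by its server-side cost and falls back to a challenge before blocking; the cost table, rates and sample traffic are constructed.

```python
from collections import defaultdict

# Constructed cost table: roughly what each path costs the server relative to a cached hit.
# A search or report render is far more expensive than the request that triggers it.
PATH_COST = {"/": 1.0, "/static/app.js": 0.2, "/search": 10.0, "/report": 25.0}
DEFAULT_COST = 2.0


class CostBudget:
    """One token bucket per client, charged by server-side cost instead of request count.
    The budget refills at `rate` tokens per second up to `capacity`."""

    def __init__(self, rate=5.0, capacity=50.0, challenge_below=0.2):
        self.rate = rate
        self.capacity = capacity
        self.challenge_below = challenge_below * capacity
        self.buckets = {}  # client -> (tokens, time of last update)

    def decide(self, client, path, now):
        """Return 'allow', 'challenge' (serve a CAPTCHA/proof-of-work first) or 'block'."""
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        cost = PATH_COST.get(path, DEFAULT_COST)
        if tokens < cost:
            self.buckets[client] = (tokens, now)      # keep refilling, but serve nothing
            return "block"
        tokens -= cost
        self.buckets[client] = (tokens, now)
        return "challenge" if tokens < self.challenge_below else "allow"


def replay(limiter, requests):
    """Feed (client, path, timestamp) tuples through the limiter; return decision counts."""
    counts = defaultdict(int)
    for client, path, t in requests:
        counts[limiter.decide(client, path, t)] += 1
    return dict(counts)


# Constructed traffic: one bot client hammering /search ten times a second,
# and one visitor loading the front page once a second.
BOT_BURST = [("198.51.100.7", "/search", i * 0.1) for i in range(20)]
NORMAL_USER = [("203.0.113.45", "/", float(i)) for i in range(5)]
```

In a real deployment "block" maps to an HTTP 429 or a WAF deny rule, and the client key should be whatever identifies the caller behind your proxy layer (the forwarded address or a session), not the proxy's own address.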
DDoS attacks may also be multi-vector, meaning they combine multiple attack types into one campaign. These attacks are especially difficult, but not impossible to deal with.
Overall, you will need the help of an external service provider to ensure the best possible DDoS protection. Telesystem offers a combination of a network core with in-line DDoS mitigation, plus an appliance for stopping malicious traffic in real time before it takes its target(s) offline.
Telesystem DDoS mitigation for services passing through our network core is included at no additional charge to the customer. Connect with the Telesystem team today, to learn more about our methodology on how to stop a DDoS attack and keep your business-critical services and sites up and running, even under pressure.