DDoS attacks are increasing by 31% year after year.
Unlike other types of cyber attacks, DDoS attacks do not attempt to breach your security perimeter or steal data. They aim to make your website and servers unavailable. They can also serve as a smokescreen for other malicious activities.
DDoS attacks can be brief or repeated, with an impact on your website that can last for days, weeks, or even months. How can you avoid them? Before answering this question, let’s go back to the definition of this attack.
DDoS stands for Distributed Denial of Service. This attack seeks to disrupt a website or network by flooding it with traffic.
To better understand how this works, imagine yourself waiting for a call from a friend. Suddenly, thousands of numbers start calling you simultaneously for no reason. The chances of receiving your friend’s call drop considerably. Moreover, your phone line is completely saturated and unusable the whole time.
At the computer level, a DDoS attack floods a web server with so many page requests that it collapses under the demand, or a database with more queries than it can handle. The result is that the available Internet bandwidth, CPU and RAM capacity are exceeded. The impact can range from minor inconvenience due to service disruption to taking websites, applications or even entire companies offline.
Denial of service attacks use malware to create a botnet, which can be thought of as an army of “zombie” computers. This army is then sent across the network to attack a website or online service.
In many cases, the owner of a “zombie” PC is not aware of the malware infection. The owner is also a victim of the script that launches the DDoS attack.
There are several types of DDoS attacks classified into 3 main categories:
Volumetric cyber attacks
Volume-based DDoS attacks remain the most common. Hackers use a large number of computers and Internet connections (often spread around the world) to flood a website with traffic. The goal? To clog up the available bandwidth.
So legitimate traffic can’t get through, and the hackers manage to take the site down. An example of a volume-based attack is the User Datagram Protocol (UDP) flood. The hacker sends packets and protocols the network is not expecting, to destabilize it and bring it down.
Protocol attacks
Unlike volume-based attacks, protocol-based attacks aim to exhaust server resources rather than bandwidth. They specifically target the intermediaries that sit between the server and the website, such as firewalls and load balancers. Hackers overwhelm web pages and resources by making bogus protocol requests in order to consume all available resources.
An example of this type of attack is the Smurf DDoS, or bounce attack. The targeted network is tricked into answering the attack traffic itself, so it ends up flooding itself and its overhead increases.
L7 or application attacks
In general, L7 attacks require fewer resources than the previous two, yet are the most sophisticated. They target vulnerabilities within applications (hence the name) such as Apache, Windows and OpenBSD.
They bring down servers by making a large number of seemingly legitimate requests that mimic the behavior of user traffic. L7 attacks seek to disrupt specific functions or features of a website, such as online transactions. However, unlike other attacks, they can go undetected.
DDoS attacks are evolving every day. A new trend is “blended attacks”. Hackers launch a protocol attack to create a distraction and then an L7 attack. These types of threats are becoming more frequent, complex and sometimes difficult to combat.
How do you know if you’re under a DDoS attack?
A denial of service attack generates a lot of traffic to your site, which creates a tricky situation. How do you know if your site is doing well or if you are currently under attack by hackers?
Check the origin of your traffic to begin with. If you see a sudden increase in the number of visitors, look for the cause: a marketing campaign, the mention of your company on TV, a promotional emailing, the publication of a post on social networks (by your brand or an influencer), etc.
If no marketing action explains the sudden spike, wait a few minutes. If an outage is caused by a legitimate traffic spike, the site is usually back up and running after a short delay.
Finally, to fully answer the question of how to tell if you’re under a DDoS attack, know that there are several clues that should tip you off:
- The website is unavailable for several minutes, for no apparent reason.
- Access to the website takes a long time.
- The same IP address makes a lot of requests in a few seconds.
- Your server responds with a 503 error due to a service interruption.
- Ping requests report that the TTL (time to live) has been exceeded.
- You observe slowdown problems on your other internal tools, connected to the same network as your website.
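Two of the clues above, a single IP address making many requests within a few seconds and a rising share of 503 responses, can be checked directly in the web server’s access log. The script below is an added example, not code from the original article; it parses constructed sample lines in the common Apache/nginx “combined” log format, and the thresholds WINDOW_SECONDS, MAX_REQUESTS_PER_WINDOW and MAX_503_RATIO are assumed values to tune for your own traffic.

```python
"""Spot two signs of a DDoS attack in web server access logs.

Added example, not part of the original article. The log lines are
constructed samples; the three thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10           # "a lot of requests in a few seconds"
MAX_REQUESTS_PER_WINDOW = 50  # assumed: per-IP limit inside one window
MAX_503_RATIO = 0.2           # assumed: share of 503s that signals an outage


def parse_line(line):
    """Parse one access-log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FORMAT),
            "status": int(m["status"])}


def analyze(lines):
    """Return (noisy_ips, ratio_503).

    noisy_ips maps an IP to the peak number of requests it made inside any
    WINDOW_SECONDS sliding window, for IPs above MAX_REQUESTS_PER_WINDOW.
    ratio_503 is the fraction of all parsed requests answered with 503.
    """
    windows = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    total = errors = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["status"] == 503:
            errors += 1
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    noisy = {ip: n for ip, n in peak.items() if n > MAX_REQUESTS_PER_WINDOW}
    ratio = errors / total if total else 0.0
    return noisy, ratio


def sample_log():
    """Constructed sample: one source hammering /login (the last 20 hits get
    503s as the server buckles), plus three ordinary visitors."""
    base = ('{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] '
            '"GET {path} HTTP/1.1" {status} 512')
    lines = []
    for i in range(80):  # 80 hits from one IP spread over 8 seconds
        lines.append(base.format(ip="203.0.113.7", sec=i // 10, path="/login",
                                 status=503 if i >= 60 else 200))
    for i, ip in enumerate(["198.51.100.2", "198.51.100.3", "198.51.100.4"]):
        lines.append(base.format(ip=ip, sec=20 + i, path="/", status=200))
    return lines


if __name__ == "__main__":
    noisy, ratio = analyze(sample_log())
    for ip, n in noisy.items():
        print(f"{ip}: {n} requests inside {WINDOW_SECONDS}s")
    print(f"503 ratio: {ratio:.2%}", "(above threshold)" if ratio > MAX_503_RATIO else "")
```

Run it on your own log with `analyze(open("access.log"))`; a flagged IP or a 503 ratio above the threshold is a reason to apply the checks described in the rest of this article, not proof of an attack on its own, since a crawler or a misbehaving monitor can produce the same pattern.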
How to avoid a DDoS attack?
In cybersecurity, prevention is always better than cure. This is even more true in the case of DDoS attacks. You don’t want your site to be inaccessible for hours or days. You risk losing revenue…
So how do you counter a DDoS attack? Here are some best practices to adopt now:
Implement solutions to prevent DDoS attacks
Equip your network, applications and IT infrastructure with layered protection strategies. These can be prevention and management systems that combine firewalls, VPNs, anti-spam, content filtering and other security layers.
Their goal will be to monitor activity and identify traffic inconsistencies that are symptoms of DDoS attacks.
Using a Content Delivery Network (CDN)
A modern and effective way to deal with DDoS attacks is to use a content delivery network (CDN). Since DDoS attacks work by overloading a server, CDNs can help by sharing the load evenly across a number of servers, geographically distributed and closer to the users.
Thus, if one server goes down, others remain operational and take over.
Assessing your network vulnerability
With the help of your IT manager, identify weaknesses in your networks so you can shore up vulnerabilities and counter a DDoS attack before it happens.
To do this, you need to take an inventory of all devices on the network. This is an opportunity to identify those that are obsolete or unnecessary, in order to remove them. For those you keep, record their function, system information and any vulnerabilities associated with them. The corrective measures will then become obvious.
This audit of your network’s vulnerability must be carried out on a regular basis in order to anticipate all cybersecurity threats.
Moving to the cloud
There are several benefits to migrating your data to the cloud. Cloud providers offer high levels of cybersecurity, including firewalls and threat monitoring software. This can help protect your assets and network from DDoS attacks.
The cloud also has more bandwidth than most private networks, allowing it to withstand the pressure of DDoS attacks. In addition, providers offer network redundancy, keeping duplicate copies of your data, systems and equipment.
If your service is corrupted or unavailable due to a DDoS attack, you still have backed-up versions of your website, application and tools.
How to block a DDoS attack?
A DDoS attack can bring your website to a halt, reduce your search engine rankings and of course result in the loss of your data. Even with protective measures, there is no such thing as zero risk.
Here’s how to block a DDoS attack:
Expand your bandwidth
One of the quick ways to stop a DDoS attack is to expand your bandwidth as soon as you notice a sudden, unexplained increase in traffic volume to your site.
Most web hosts allow you to quickly expand your bandwidth and handle an additional traffic spike. This will buy you time to find the origin of the attack and counter it completely.
Protect your network perimeter
In the first few minutes after a DDoS attack, there are a few technical measures that will help you mitigate the effects. For example, you can:
- Rate-limit your router to prevent your web server from being overwhelmed.
- Add filters that tell your router to drop packets from obvious attack sources.
- Time out half-open connections more aggressively.
- Drop spoofed or malformed packets.
- Set lower thresholds for the SYN, ICMP and UDP flood rules that drop traffic.
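The measures in this list are normally expressed as router or firewall rules. To make the logic concrete, here is an added example, not code from the original article or from any router vendor, that models the same decisions in Python: per-source rate thresholds for SYN, ICMP and UDP traffic, a short timeout for half-open TCP connections, a drop for packets that carry an impossible flag combination, and a drop for packets whose source address belongs to a range that can never legitimately arrive from the Internet (a rough stand-in for “spoofed”). The packet records are constructed samples, and every threshold value is an assumption to tune for your own traffic.

```python
"""Edge-filter model: flood thresholds, half-open timeouts, spoof/malformed drops.

Added example, not from the original article. Packets are constructed
samples; SYN_PER_SEC, ICMP_PER_SEC, UDP_PER_SEC and HALF_OPEN_TIMEOUT are
assumed values.
"""
import ipaddress
from collections import defaultdict, deque

SYN_PER_SEC = 20          # lower per-source thresholds for SYN, ICMP, UDP
ICMP_PER_SEC = 10
UDP_PER_SEC = 50
HALF_OPEN_TIMEOUT = 3.0   # seconds before an unanswered SYN is discarded

# Source ranges that cannot legitimately appear on the Internet-facing side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


class EdgeFilter:
    def __init__(self):
        self.rates = defaultdict(deque)  # (src, kind) -> timestamps in last 1 s
        self.half_open = {}              # (src, dst, sport, dport) -> SYN time
        self.expired_half_open = 0

    def _over_rate(self, src, kind, ts, limit):
        """Sliding one-second window; True once the source exceeds `limit`."""
        q = self.rates[(src, kind)]
        q.append(ts)
        while ts - q[0] > 1.0:
            q.popleft()
        return len(q) > limit

    def _expire_half_open(self, now):
        """Forget SYNs that were never completed within HALF_OPEN_TIMEOUT."""
        stale = [k for k, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        self.expired_half_open += len(stale)

    def decide(self, pkt):
        """Return 'accept' or 'drop:<reason>' for one packet dict."""
        ts = pkt["ts"]
        self._expire_half_open(ts)
        if any(ipaddress.ip_address(pkt["src"]) in net for net in BOGONS):
            return "drop:spoofed-source"
        flags = pkt.get("flags", set())
        if pkt["proto"] == "tcp" and {"SYN", "FIN"} <= flags:
            return "drop:malformed-flags"   # SYN+FIN never occurs legitimately
        if pkt["proto"] == "icmp":
            return "drop:icmp-flood" if self._over_rate(pkt["src"], "icmp", ts, ICMP_PER_SEC) else "accept"
        if pkt["proto"] == "udp":
            return "drop:udp-flood" if self._over_rate(pkt["src"], "udp", ts, UDP_PER_SEC) else "accept"
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        if flags == {"SYN"}:
            if self._over_rate(pkt["src"], "syn", ts, SYN_PER_SEC):
                return "drop:syn-flood"
            self.half_open[key] = ts           # handshake started
            return "accept"
        if "ACK" in flags and key in self.half_open:
            del self.half_open[key]            # handshake completed
        return "accept"


def sample_traffic():
    """Constructed: a SYN flood from one source, a packet from a private range,
    a SYN+FIN packet, one completed handshake, one abandoned SYN, one ping."""
    dst = "198.51.100.10"
    pkts = [{"ts": i * 0.01, "src": "203.0.113.9", "dst": dst, "sport": 40000 + i,
             "dport": 80, "proto": "tcp", "flags": {"SYN"}} for i in range(30)]
    pkts += [
        {"ts": 0.5, "src": "10.1.2.3", "dst": dst, "sport": 1234, "dport": 80, "proto": "tcp", "flags": {"SYN"}},
        {"ts": 0.6, "src": "198.51.100.77", "dst": dst, "sport": 5555, "dport": 443, "proto": "tcp", "flags": {"SYN", "FIN"}},
        {"ts": 1.0, "src": "192.0.2.5", "dst": dst, "sport": 50000, "dport": 443, "proto": "tcp", "flags": {"SYN"}},
        {"ts": 1.1, "src": "192.0.2.5", "dst": dst, "sport": 50000, "dport": 443, "proto": "tcp", "flags": {"ACK"}},
        {"ts": 1.2, "src": "192.0.2.6", "dst": dst, "sport": 50001, "dport": 443, "proto": "tcp", "flags": {"SYN"}},
        {"ts": 6.0, "src": "192.0.2.7", "dst": dst, "proto": "icmp"},
    ]
    return pkts


def run(pkts):
    """Feed packets through one filter; return (decisions, filter)."""
    f = EdgeFilter()
    return [f.decide(p) for p in pkts], f


if __name__ == "__main__":
    decisions, f = run(sample_traffic())
    for p, d in zip(sample_traffic(), decisions):
        print(f"{p['ts']:5.2f} {p['src']:>15} {p['proto']:4} -> {d}")
    print("half-open entries expired:", f.expired_half_open)
```

The model accepts the first twenty SYNs per second from a source and drops the rest, which is why real equipment pairs such thresholds with SYN cookies: a flood that stays just under the threshold can still fill the half-open table until the timeout clears it. Spoofed traffic using ordinary public addresses is not caught by the bogon check; that needs the upstream provider’s ingress filtering, which is one more reason to contact your hosting provider as the next section describes.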
Contact your hosting provider
Depending on the strength of the DDoS attack, the hosting company may have already detected it or it may even be the target.
Its data center probably has more bandwidth and higher-capacity routers than your company’s. Its staff also has experience in dealing with cyber threats. So don’t hesitate to notify them as soon as the attack begins.
The hosting company can “route block” (null-route) your traffic to prevent packets from reaching your site.
Our tip to counter DDoS attacks
After a DDoS attack, analyze your logs to identify the targeted services, assess the damage and the patterns used. This will allow you to recognize your weak points to strengthen your protection. File a complaint with the police station and inform the CNIL if personal data has been stolen.
In order to counter and block DDoS attacks before they happen, call a cybersecurity expert!