If your website disappears off the Internet and orders dry up on what is usually your busiest day of the year, you may have become the victim of a distributed denial of service (DDoS) attack.
You aren't alone. High profile victims of DDoS attacks in 2015 included organizations as diverse as cloud hosting company Linode, games company Valve, Microsoft's Xbox Live network, the BBC, Rutgers University and even the Internet's DNS root servers.
A basic denial of service attack involves bombarding an IP address with large amounts of traffic. If the IP address points to a Web server, then it (or routers upstream of it) may be overwhelmed. Legitimate traffic heading for the Web server will be unable to contact it, and the site becomes unavailable. Service is denied.
A distributed denial of service attack is a special type of denial of service attack. The principle is the same, but the malicious traffic is generated from multiple sources -- although orchestrated from one central point. The fact that the traffic sources are distributed -- often throughout the world -- makes a DDoS attack much harder to block than one originating from a single IP address.
DDoS Attacks More Frequent
DDoS attacks are becoming increasingly commonplace, according to research published by Akamai at the end of 2015. It reported a 180 percent increase in the total number of DDoS attacks compared to the same period a year earlier.
Despite this increase in frequency, the average DDoS attack duration has actually gone down 16 percent, from 22 hours to 19 hours, and the average peak DDoS attack bandwidth has decreased by 66 percent. This is likely due to the way some attackers mount attacks using "booter-stresser" tools, which only allow attacks lasting 20 to 60 minutes. This has brought down the mean (average) DDoS attack time.
The online gaming sector is currently the most susceptible to attack, accounting for 50 percent of all DDoS attacks, according to Akamai's research. Software and technology companies suffered about 25 percent of all DDoS attacks, with Internet and telecoms companies suffering just 5 percent of DDoS attacks, down from 13 percent the previous quarter.
"The barrier to entry of DDoS attacks in terms of cost has largely gone," says Tim Pat Dufficy, managing director of ServerSpace, a hosting company and Internet service provider (ISP). "That means anyone can launch an attack: organized crime, a group of blackmailers, or just a disgruntled ex-employee or a competitor. And anyone can be the victim. One of our customers is a very small company that does training for people in the construction business, yet they came under attack for two weeks."
It used to be technically difficult to launch a DDoS attack, but now it's possible to rent a botnet of tens or even hundreds of thousands of infected or "zombie" machines relatively cheaply and use these zombies to launch an attack. And as the Internet develops, home or office computers that have become zombies can make use of increasingly high bandwidth Internet connections.
There are also pre-packaged or Web-based DDoS toolkits like Low Orbit Ion Cannon and RussKill that anyone with a minimal amount of know-how can use.
So how can you stop a DDoS attack?
Identify a DDoS Attack Early
If you run your own servers, then you need to be able to identify when you are under attack. That's because the sooner you can establish that problems with your website are due to a DDoS attack, the sooner you can start to do something about it.
To be in a position to do this, it's a good idea to familiarize yourself with your typical inbound traffic profile; the more you know about what your normal traffic looks like, the easier it is to spot when its profile changes. Most DDoS attacks start as sharp spikes in traffic, and it's helpful to be able to tell the difference between a sudden surge of legitimate visitors and the start of a DDoS attack.
It's also a good idea to nominate a DDoS leader in your company who is responsible for acting should you come under attack.
It generally makes sense to have more bandwidth available to your Web server than you ever think you are likely to need. That way, you can accommodate sudden and unexpected surges in traffic that could be a result of an advertising campaign, a special offer or even a mention of your company in the media.
Even if you overprovision by 100 percent -- or 500 percent -- that likely won't stop a DDoS attack. But it may give you a few extra minutes to act before your resources are overwhelmed.
Defend at Network Perimeter (if You Run Your Own Web Server)
There are a few technical measures that can be taken to partially mitigate the effect of an attack -- especially in the first minutes -- and some of these are quite simple. For example, you can:
- rate limit your router to prevent your Web server being overwhelmed
- add filters to tell your router to drop packets from obvious sources of attack
- timeout half-open connections more aggressively
- drop spoofed or malformed packages
- set lower SYN, ICMP, and UDP flood drop thresholds
But the truth is that while these steps have been effective in the past, DDoS attacks are now usually too large for these measures to have any significant effect. Again, the most you can hope for is that they will buy you a little time as a DDoS attack ramps up.
Call Your ISP or Hosting Provider
The next step is to call your ISP (or hosting provider if you do not host your own Web server), tell them you are under attack and ask for help. Keep emergency contacts for your ISP or hosting provider readily available, so you can do this quickly. Depending on the strength of the attack, the ISP or hoster may already have detected it, or they may themselves start to be overwhelmed by the attack.
You stand a better chance of withstanding a DDoS attack if your Web server is located in a hosting center than if you run it yourself. That's because its data center will likely have far higher bandwidth links and higher capacity routers than your company has itself, and its staff will probably have more experience dealing with attacks. Having your Web server located with a hoster will also keep DDoS traffic aimed at your Web server off your corporate LAN, so at least that part of your business -- including email and possibly voice over IP services -- should operate normally during an attack.
If a DDoS attack is large enough, the first thing a hosting company or ISP is likely to do is "null route" your traffic -- which results in packets destined for your Web server being dropped before they arrive.
"It can be very costly for a hosting company to allow a DDoS on to their network because it consumes a lot of bandwidth and can affect other customers, so the first thing we might do is black hole you for a while," says Liam Enticknap, a network operations engineer at PEER 1 hosting.
Tim Pat Dufficy, managing director of ISP and hosting company ServerSpace, agrees. "The first thing we do when we see a customer under attack is log on to our routers and stop the traffic getting on to our network," he says. "That takes about two minutes to propagate globally using BGP (border gateway protocol) and then traffic falls off."
If that was the end of the story, then the DDoS attack would be successful. To get the website back online, your ISP or hosting company may divert traffic to a "scrubber" where the malicious packets can be removed before the legitimate ones are be sent on to your Web server. "We use our experience, and various tools, to understand how the traffic to your site has changed from what it was receiving before and to identify malicious packets," explains Enticknap.
He says PEER 1 has the capacity to take in, scrub and send on very high levels of traffic -- as much as 20Gbps. But with levels of traffic comparable to those experienced by Spamhaus, even this scrubbing effort would likely be overwhelmed.
Do have a DDoS plan in place with your ISP or hoster so that it can begin mitigation or divert your traffic to a mitigation specialist with the minimum delay.
Call a DDoS Specialist
For very large attacks, it's likely that your best chance of staying online is to use a specialist DDoS mitigation company. These organizations have large scale infrastructure and use a variety of technologies, including data scrubbing, to help keep your website online. You may need to contact a DDoS mitigation company directly, or your hosting company or service provider may have a partnership agreement with one to handle large attacks.
"If a customer needs DDoS mitigation then we divert their traffic to (DDoS mitigation company) Black Lotus," says Dufficy. "We do this using BGP, so it only takes a few minutes."
Black Lotus's scrubbing center can handle very high levels of traffic indeed, and sends on the cleaned traffic to its intended destination. This does result in higher latency for website users, but the alternative is that they can't access the site at all.
DDoS mitigation services are not free, so it's up to you whether you want to pay to stay online or take the hit and wait for the DDoS attack to subside before continuing to do business. Subscribing to a DDoS mitigation service on an ongoing basis may cost a few hundred dollars a month. If you wait until you need one, however, expect to pay much more for the service and wait longer before it starts to work.
DDoS mitigation specialists include:
- Arbor Networks
- Black Lotus
- F5 Networks
Create a DDoS Playbook
The best way to ensure that your organization reacts as quickly and effectively as possible to a DDoS attack is to create a playbook which documents in detail every step of a pre-planned response when a attack is detected.
This should include the actions detailed above, with contact names and telephone numbers of all those who may need to be brought in to action as part of the playbook's plan. DDoS mitigation companies can help with this by running a simulated DDoS attack, enabling you to develop and refine a rapid corporate procedure for reacting to a real attack.
An important part of your planned response to a DDoS attack that should not be overlooked is how you will communicate the problem to customers. DDoS attacks can last as long as 24 hours, and good communication can ensure that the cost to your business is minimized while you remain under attack.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.
This article was originally published on April 30, 2013, and updated on Jan. 25, 2016.