Distributed Denial of Service (DDoS) attacks can be prevented through implementation of security best practices and advanced preparation:
- Harden against attacks: Patch, update, and change settings to harden resources against attacks.
- Deploy Anti-DDoS Architecture: Design resources so that they will be difficult to find or attack effectively, or if an attack succeeds it will not take down the entire organization.
- Deploy Anti-DDoS Tools: Enable features and add tools to protect against or mitigate the effects of DDoS attacks.
- Design a DDoS Response Playbook: Prepare for how a security or operations team will respond to a DDoS attack and take additional measures for defense.
- Deploy DDoS Monitoring: Watch for signs of an attack and document attacks for future improvements.
DDoS attacks are security threats that seek to cripple a corporate resource such as applications, web sites, servers, and routers, which can quickly lead to steep losses for victims. However, DDoS attackers sometimes even target the specific computers (or routers) of unwary people – often to harass video gamers, for example.
Some organizations may not be able to prepare defenses against DDoS attacks using internal teams, whether because of urgency or because of resource constraints. For outsourced help with DDoS monitoring and defense, also see Top 8 DDoS Vendors.
1. Hardening Against DDoS Attacks
The standard security best practices for generic and layered cybersecurity defense can provide reasonable protection against DDoS attacks. Yet some specific measures, such as vulnerability patching and IT hardening, can provide even better protection.
Patch & Update All Resources
All resources should be patched and fully updated. For effective DDoS defense, priority for patching and updates should be placed on devices between the most valuable resources and the internet such as firewalls, gateways, websites, and applications.
IT teams also need to perform vulnerability scans and address any discovered issues such as missing updates, patches, or mitigations. Some vulnerabilities will arise from overlooked patches or rolled-back patching because of conflicts with other systems. Other vulnerabilities may be discovered in fully updated devices that are simply misconfigured.
Another common problem is the discovery of weak or deprecated protocol configurations, such as Transport Layer Security (TLS) versions 1.0 and 1.1, that remain enabled. Vulnerability scans ensure that the organization can locate weaknesses promptly and, ideally, fix them before an attacker notices the opportunity.
Applications and websites can be hardened using application security tools or penetration tests to probe for vulnerabilities or coding oversights. Specific attention should be given to attacks that might enable various types of DDoS attacks.
For example, a website might embed PDF files for clients to download, but a botnet could execute an HTTP GET attack that sends a large number of requests to download the file and overwhelms the server. The website code might be changed to challenge users with a CAPTCHA or other features that force more sophisticated interaction or verify that the request comes from a human.
Harden IT Infrastructure
Servers, gateways, firewalls, routers, and other IT infrastructure can be hardened against attack by changing settings, adjusting configurations, eliminating unnecessary features, and installing optional features that provide additional network security.
Hardening includes, but is not limited to:
- Block unused ports on servers and firewalls
- Limit some protocols to devices on the internal network
- Set or lower rate-limit thresholds so that packets are dropped when the remote host fails to complete the exchange or sends repetitive requests, such as:
  - Transmission Control Protocol (TCP) packets: synchronization (SYN), synchronization-acknowledgement (SYN-ACK), or acknowledgement (ACK)
  - Internet Control Message Protocol (ICMP) or ping requests
  - User Datagram Protocol (UDP) packets
- Enable time-outs for half-open connections
- Detect and drop spoofed, improperly formatted, or malformed packets
For example, many corporations do not need to use peer-to-peer (P2P) applications, so they should block all traffic on ports 4662 and 4672 for all corporate devices. For larger organizations that use P2P to distribute operating system (OS) updates, whitelists should be used so that P2P traffic can only come from authorized locations.
As another example, DNS servers can be specifically targeted by attackers and are vulnerable to various types of attacks. If the organization does not host an externally facing DNS service, inbound UDP access to port 53 (DNS) should be blocked. For more information, see How to Prevent DNS Attacks.
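The rate-limit and half-open time-out items in the hardening list above, worked through as an added example (not code from the original article): a per-source table of half-open TCP handshakes that expires stale entries and drops further SYNs from a source that holds too many. The thresholds, the RFC 5737 test addresses and the packet stream are all constructed for the illustration.

```python
# Half-open (SYN) connection guard: an added illustration of the rate-limit and
# time-out items in the hardening list above, not code from the original article.
from collections import defaultdict

class SynGuard:
    """Per-source table of half-open handshakes (SYN seen, ACK not yet seen).
    Entries older than `timeout` seconds expire; once a source holds `max_half_open`
    of them its further SYNs are dropped. Thresholds are constructed sample values."""

    def __init__(self, max_half_open=10, timeout=5.0):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.half_open = defaultdict(dict)  # src_ip -> {(sport, dport): syn_time}
        self.dropped = defaultdict(int)     # src_ip -> number of dropped SYNs

    def _expire(self, now):
        for ip in list(self.half_open):
            table = self.half_open[ip]
            for key in [k for k, t in table.items() if now - t > self.timeout]:
                del table[key]
            if not table:
                del self.half_open[ip]

    def on_packet(self, pkt):
        """pkt has ts, src, sport, dport, flags. Returns 'accept' or 'drop'."""
        self._expire(pkt["ts"])
        key = (pkt["sport"], pkt["dport"])
        if pkt["flags"] == "SYN":
            table = self.half_open[pkt["src"]]
            if len(table) >= self.max_half_open:
                self.dropped[pkt["src"]] += 1
                return "drop"
            table[key] = pkt["ts"]
        elif pkt["flags"] == "ACK" and key in self.half_open.get(pkt["src"], {}):
            del self.half_open[pkt["src"]][key]  # handshake completed
        return "accept"

def simulate():
    """Replay a constructed stream: one well-behaved client and one SYN flooder."""
    guard = SynGuard(max_half_open=10, timeout=5.0)
    packets = []
    for i in range(20):  # legitimate client completes every handshake
        base = {"src": "198.51.100.7", "sport": 40000 + i, "dport": 443}
        packets.append({**base, "ts": i * 0.1, "flags": "SYN"})
        packets.append({**base, "ts": i * 0.1 + 0.01, "flags": "ACK"})
    for i in range(30):  # flooder sends 30 SYNs and never answers the SYN-ACK
        packets.append({"src": "203.0.113.9", "sport": 50000 + i, "dport": 443,
                        "ts": 1.0 + i * 0.01, "flags": "SYN"})
    # one more SYN from the flooder after its stale entries have timed out
    packets.append({"src": "203.0.113.9", "sport": 60000, "dport": 443,
                    "ts": 20.0, "flags": "SYN"})
    packets.sort(key=lambda p: p["ts"])
    late = [guard.on_packet(p) for p in packets][-1]
    return {"legit_dropped": guard.dropped["198.51.100.7"],
            "flood_dropped": guard.dropped["203.0.113.9"],
            "late_syn_after_timeout": late,
            "flood_half_open_now": len(guard.half_open.get("203.0.113.9", {}))}
```

The legitimate client is never throttled, the flooder loses 20 of its 30 SYNs, and once its stale entries time out it is allowed to connect again rather than being blacklisted forever.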
2. Deploy Anti-DDoS Architecture
In addition to hardening, the IT architecture can also be designed for more resiliency and security against DDoS attacks. IT teams that overprovision infrastructure, obscure potential DDoS targets, and isolate vulnerable devices can limit the effectiveness of DDoS attacks and strengthen overall resilience.
When designing and building out systems, estimate bandwidth and other needs and then design for 200–500% of the baseline needs. While this can become expensive and does not directly stop DDoS attacks, the additional resources buy time to react to an attack.
Redundant devices or backup devices will generally be required for a resilient architecture and can be used to restore systems quickly after a DDoS attack. However, these resources should not be simply launched automatically because that may expose them to the ongoing DDoS attack.
Small businesses should consider separating firewalls from routers so one device does not carry the full load. More sophisticated IT teams can consider moving resources to the cloud or using load balancing to distribute traffic across multiple data centers because they have the skills and resources to manage the increased configuration and security needs.
If redundant data centers reside in different countries, or at least in different regions of the same country, they connect to different networks and avoid the bottlenecks or single points of failure that are vulnerable to DDoS. Of course, the weak point may then become the load balancer, so that system will need to be hardened against DDoS attacks.
Obscure the Target
Obscurity alone cannot protect any system, but it can make attacks more difficult for attackers. Security teams must ensure that no one publishes IP addresses or internal network architecture maps that might provide hackers with a target.
Attackers often use the ICMP or ping protocol to locate targets. Servers configured to drop ICMP packets will fail to send a reply and appear to be unavailable or offline.
Another way to obscure resources is to put them behind other security. For example: companies can use Virtual Private Network (VPN) vendors or secure web gateways (SWGs) to place their internal systems behind a larger provider’s security architecture.
An organization that anticipates or has already suffered DDoS attacks might consider a content distribution network (CDN) or Anycast network that distributes resources to different locations and IP addresses. With a distributed network, DDoS attacks will be less effective and typically cannot adapt to the distribution of resources.
While a single user’s PC can technically be targeted by a DDoS attack, most attackers will want to cause more damage and select targets of greater impact such as web servers, key applications, or DNS servers. IT can protect these likely targets through isolation using fundamental technology such as network segmentation, access control lists (aka whitelisting), or segregated hosting.
Any separation prevents a successful DDoS from impacting other key resources. For example, by moving a webserver to third-party hosting, successful DDoS attacks on the web server will not cripple email, VoIP (voice over Internet Protocol), and other services like DNS and Active Directory that are needed by the corporation to function or to respond to the DDoS attack.
3. Deploy Anti-DDoS Tools
In addition to hardening and design, organizations can obtain tools or enable features that specifically protect against DDoS attacks. In this section we will discuss enabling features and implementing additional tools.
However, security teams have several different options when it comes to implementing anti-DDoS tools in the context of the IT architecture. See also Three Fundamental DDoS Defense Strategies: Pros & Cons below for a more thorough overview.
Enable Anti-DDoS Features
DDoS-specific features on installed infrastructure such as servers can be enabled to defend against DDoS attacks. For example, the mod_reqtimeout module, available since Apache HTTP Server 2.2.15, may be enabled to protect against application-layer attacks such as the Slowloris attack.
Routers and gateways also may have advanced features that can be enabled to defend against DDoS or DoS attacks. Often these will be off by default, but administrators can navigate to the features and enable them as needed.
A Response Rate Limiter (RRL) can be added to or adjusted on servers, routers, and firewalls to provide granular control to defend against various DDoS attacks. For example:
- After a certain number of identical requests from the same IP in a row without response, the website can block that IP address to avoid attacks such as HTTP GET or HTTP POST attacks.
- After a certain number of TCP requests without any response, further requests will be dropped to avoid attacks such as SYN Flood attacks that send many SYN (TCP protocol synchronization) packets and ignore server responses.
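The per-IP rule in the list above and the PDF-download flood described under hardening, combined in one added example (not code from the original article): a sliding-window counter per source that first challenges a client repeating the same request and then blocks it outright when it exceeds the window limit. Thresholds, the log format and the test addresses are constructed assumptions.

```python
# Application-layer request limiter: an added example covering the PDF-download
# flood described under hardening and the per-IP rule in the rate-limiter list
# above. Not code from the original article; thresholds and log lines are constructed.
from collections import defaultdict, deque

class RequestLimiter:
    """Sliding-window request counter per source IP plus a run counter for
    identical requests. Verdicts: 'challenge' (serve a CAPTCHA first) once a source
    repeats one request `max_identical_run` times in a row; 'block' for `block_for`
    seconds once it exceeds `max_per_window` requests within `window` seconds."""

    def __init__(self, window=10.0, max_per_window=50, max_identical_run=20,
                 block_for=300.0):
        self.window, self.max_per_window = window, max_per_window
        self.max_identical_run, self.block_for = max_identical_run, block_for
        self.hits = defaultdict(deque)  # ip -> request timestamps inside the window
        self.runs = {}                  # ip -> (last request line, run length)
        self.blocked_until = {}         # ip -> time at which the block expires

    def check(self, ts, ip, request):
        if self.blocked_until.get(ip, 0.0) > ts:
            return "block"
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        prev, run = self.runs.get(ip, (None, 0))
        run = run + 1 if request == prev else 1
        self.runs[ip] = (request, run)
        if len(q) > self.max_per_window:
            self.blocked_until[ip] = ts + self.block_for
            return "block"
        return "challenge" if run >= self.max_identical_run else "allow"

def replay(lines, limiter=None):
    """Feed log lines of the form 'epoch_ts src_ip METHOD /path'; tally verdicts per IP."""
    limiter = limiter or RequestLimiter()
    tally = defaultdict(lambda: {"allow": 0, "challenge": 0, "block": 0})
    for line in lines:
        ts, ip, method, path = line.split()
        tally[ip][limiter.check(float(ts), ip, f"{method} {path}")] += 1
    return dict(tally)

def sample_log():
    """One visitor browsing five pages over ten seconds, and one bot fetching the
    same PDF 100 times within two seconds (constructed, RFC 5737 test addresses)."""
    pages = ["/", "/about", "/products", "/contact", "/brochure.pdf"]
    lines = [f"{1700000000 + 2 * i} 198.51.100.7 GET {p}" for i, p in enumerate(pages)]
    lines += [f"{1700000000 + 0.02 * i:.2f} 203.0.113.9 GET /brochure.pdf"
              for i in range(100)]
    return sorted(lines, key=lambda line: float(line.split()[0]))
```

The visitor is always allowed; the bot gets 19 plain responses, is challenged from its 20th identical request, and is blocked from its 51st request in the window onward.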
As a caution, hardening for security should not go so far as to destroy the functionality of the useful protocols. As noted above, incoming ICMP packets from outside the network may be blocked to prevent several types of DDoS attacks and to obscure the server’s availability.
However, ICMP plays a critical role in troubleshooting network and connectivity issues. Instead of blocking or dropping the packets from all sources, ICMP can be limited to allow-listed IP addresses internal to the organization, which preserves the functionality while still blocking external DDoS attacks.
Additional DDoS Protection: Firewalls, Appliances & Services
Can firewalls stop DDoS attacks? Some can, but for others they need help.
Firewalls traditionally formed the initial defense against external attacks, and modern firewalls can stop many of the older and simple DDoS attacks such as IP Null attacks or ACK Fragmentation Floods. However, firewalls cannot stop attacks that appear to be normal traffic (HTTP GET, HTTP POST, etc.) and also can simply be overwhelmed with volumetric attacks.
Read more about the Types of DDoS Attacks.
Extra protection should be applied to protect exposed or critical resources such as application servers exposed to the internet or DNS servers and services. Various vendors offer software that adds anti-DDoS features to firewalls or hardware to specifically guard against DDoS attacks.
Many of these solutions are available from established and trusted firewall appliance vendors including Check Point, Cisco, Fortinet, NetScout, and Radware. These anti-DDoS appliances install in front of firewalls and block DDoS attacks before they can take effect and can use traffic behavioral baselining to block abnormal traffic or traffic with known attack signatures.
However, local appliances only defend local networks and, as fixed-size appliances, can also be limited in their capacity. Many organizations instead engage cloud-based DDoS solution providers such as Akamai, Cloudflare, and Amazon Web Services to provide enterprise-wide solutions.
Read more about DDoS solutions.
4. Design a DDoS Response Playbook
After establishing a hardened and updated IT infrastructure protected with anti-DDoS architecture and tools, the IT and security teams need to create a DDoS playbook. A formal document can assist responding teams should a DDoS attack occur.
The response plan may include:
- Contact information:
  - DDoS response team members
  - Applicable vendor contact information:
    - Internet service providers (ISPs)
    - Hosting service
    - Incident response
    - DDoS vendors
  - Corporate executives
  - Legal counsel
- IT information, such as IP addresses, failover devices, network maps, etc.
- Steps to take in the event of a DDoS attack
- Decision trees for escalation
The plan should be practiced at least annually and checked to ensure all contact information, IP addresses, and processes remain current in the playbook. Some elements of the playbook may even be automated by some anti-DDoS tools, so basic security measures may be implemented to blunt the danger of the DDoS attack faster than people can react.
Also read How to Create an Incident Response Plan
5. Deploy DDoS Monitoring
With hardened infrastructure and an effective playbook in hand, the IT and security teams can then use network monitoring tools, security monitoring tools, or vendors to watch for signs of a DDoS attack in progress. This monitoring establishes ‘normal’ traffic baselines so that abnormal traffic patterns generate alerts. The earlier a team can detect an event in progress, the faster the attack can be resolved.
Different resources will be monitored by different tools. For example, network monitoring tools such as Datadog, Munin, and Zabbix can monitor networked resources, but may be less effective at monitoring applications.
Teams should select a tool appropriate for the resource and set up alerts for typical indicators of DDoS attacks such as sudden bandwidth demand increases, anomalous traffic increases, or unusual traffic sources. Alerts can be routed to security information and event management (SIEM) tools, security operations centers (SOCs), managed detection and response (MDR) services, or even DDoS security specialists.
While automated responses can create fast reaction times and automatically stop DDoS attacks, they should be used carefully. False positives might lead to operation disruptions, so some alerts will still need to be evaluated by the security team.
Monitoring also provides thorough documentation of events for future analysis. Even if the preventative measures fail to stop a specific attack, effective monitoring will provide the records to develop effective defense against that type of attack in the future.
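The baseline-and-alert idea described in this section, as an added example (not the article's code or any monitoring vendor's product): a rolling baseline of per-minute request counts raises an alert on a sudden increase and reports how many of that minute's sources were never seen before, which is the "unusual traffic sources" indicator. The sample minutes, thresholds and addresses are constructed, and the last minute deliberately shows the false-negative caveat that follows from letting an attack minute into the baseline.

```python
# Baseline-and-alert logic for the DDoS indicators named above (sudden traffic
# increases and unusual sources): an added example, not the article's code or any
# monitoring vendor's product. The per-minute samples are constructed.
import statistics

def detect_anomalies(samples, history=12, k=3.0, min_sigma=5.0):
    """samples: ordered per-minute dicts {"minute", "requests", "sources": [ip, ...]}.

    Each minute is compared with a rolling baseline from the preceding `history`
    minutes: alert when requests exceed mean + k * sigma (sigma floored at
    `min_sigma` so a very quiet baseline does not alert on noise) and report what
    share of this minute's sources never appeared in the baseline period."""
    alerts = []
    for i in range(history, len(samples)):
        past = samples[i - history:i]
        counts = [p["requests"] for p in past]
        mean = statistics.mean(counts)
        sigma = max(statistics.pstdev(counts), min_sigma)
        known = {ip for p in past for ip in p["sources"]}
        now = samples[i]
        srcs = set(now["sources"])
        new_share = len(srcs - known) / len(srcs) if srcs else 0.0
        if now["requests"] > mean + k * sigma:
            alerts.append({"minute": now["minute"], "requests": now["requests"],
                           "baseline": round(mean, 1),
                           "new_source_share": round(new_share, 2)})
    return alerts

def sample_minutes():
    """Twelve quiet minutes from three office addresses, one flood minute from 200
    addresses never seen before, then a normal minute again (constructed data)."""
    office = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    quiet = [100, 104, 98, 103, 97, 101, 99, 102, 100, 105, 96, 100]
    samples = [{"minute": m, "requests": r, "sources": office}
               for m, r in enumerate(quiet)]
    samples.append({"minute": 12, "requests": 2400,
                    "sources": [f"203.0.113.{n}" for n in range(1, 201)]})
    # Caveat shown on purpose: the flood minute now sits inside the rolling
    # baseline, so minute 13 is judged against an inflated mean and sigma. A
    # sustained attack would poison the baseline unless alerted minutes are
    # excluded from it, which is why alerts still need human review.
    samples.append({"minute": 13, "requests": 102, "sources": office})
    return samples
```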
Three Fundamental DDoS Defense Strategies: Pros & Cons
When implementing DDoS defense, the strategies can be performed manually by IT teams, purchased as on-premises hardware or software, or implemented with cloud-based or off-premises tools and services. While some of these technologies can overlap or reinforce each other, many organizations do not have the resources to apply multiple solutions and must choose a single solution that fits their needs. Each of these options has significant pros and cons.
DIY DDoS Defense Pros And Cons
Do-it-yourself defense can certainly be deployed successfully against DDoS attacks. These defenses often consist of manually deployed settings on open source software, firewalls, and servers.
- Pros of DIY defense:
  - Inexpensive on a cash flow and capital expense basis
  - Usually compatible with many technologies
- Cons of DIY defense:
  - Time consuming to execute and deploy
  - Potentially requires expertise beyond the capabilities of a small IT team
  - Complex to execute, integrate, and secure
  - Difficult to scale
  - Limited filtering capabilities
  - Tend to be reactive; humans move a bit slowly
  - Typically defends against the last DDoS attack, not the next one
  - Often remain constrained by local infrastructure bandwidth
  - Very vulnerable to modern large-scale attacks that reach 10 Gbps
For example, consider IP blacklisting. DIY solutions add IP addresses to blacklists or deny lists manually. This is quick and easy, but it often lags behind constantly moving and evolving attacks. When facing botnets of thousands of endpoints, IP blacklisting can quickly become overwhelming.
On-Premises Defense Tools/Services Pros And Cons
Organizations can buy appliances and software specifically to defend against DDoS attacks. These tools can be deployed in front of the resources to be protected (firewalls, servers, etc.) or installed on the resources themselves.
- Pros of on-premises tools:
  - Can perform significant filtering; often have malware scanning and deep packet inspection to improve detection, filtering, and security
  - IT has full control over local installations
  - Offer more support and ease of use than DIY solutions
- Cons of on-premises tools:
  - Typically deployed between the ISP and the organization and therefore subject to limited bandwidth
  - Even cloud deployments of virtual appliances or DDoS protection software can consume bandwidth allowances or force the deployment of additional, and possibly quite expensive, resources
  - More expensive for capital expenses and cash flow; often large up-front expenses and significant labor to deploy and configure
  - Limited scalability due to hardware and local network bandwidth issues
  - Malware signatures and IP blacklists will need to be updated regularly
  - Lag can be introduced by overloaded IT teams that have higher priorities than updating the anti-DDoS security lists
  - Moderately difficult to use and integrate; needs to be manually deployed, and appliances also require shipping time and physical implementation time that can further delay deployment
  - Often can only protect the local network or specific resources (website, application)
One example is IP Blacklisting: An appliance or local firewall application may come pre-loaded with blacklisted IP addresses for well-known malicious botnets based upon the vendor’s experience. This blacklist will be much more comprehensive than a DIY list but will be part of a more expensive solution and will need regular updates.
Cloud-Based Defense Tools/Services Pros And Cons
Cloud-based DDoS protection tools provide more overarching security for the organization as a whole.
- Pros of cloud-based DDoS protection:
  - Cloud-based DDoS tools protect more than a single local network or resource
  - Some ISPs offer inexpensive DDoS protection as a service; it typically offers more limited coverage than DDoS specialists, but it will still block the traffic before it can consume the local network’s bandwidth
  - Often less expensive than local appliances or software in the short term because they are offered as on-demand or SaaS solutions
  - Rapidly implemented and integrated
  - Managed SaaS DDoS protection does not require internal tech time to maintain
  - Often deploy malware scanning and deep packet inspection to prevent a variety of attacks
  - Virtually unlimited scaling with significant filtering; very easy to use and configure
  - Typically offers better protection against internet-based attacks
- Cons of cloud-based DDoS protection:
  - Offers little protection against attacks from within a network
  - Subscription costs for SaaS products can still be expensive
  - Offers less control and customization than local appliances or DIY customization
Using the IP blacklisting example, SaaS DDoS tools generally are offered pre-loaded with blacklisted IP addresses for well-known malicious botnets based upon the vendor’s experience. This blacklist will be much more comprehensive than a DIY list and will be continuously updated by the SaaS provider.
Bottom Line: DDoS Prevention
DDoS attackers seek to prevent access to a resource for legitimate users. Depending upon the resource affected, denied access could be merely annoying or it could cause an entire enterprise to be disabled.
The Rand Group surveyed enterprises and reported that a single hour of downtime costs more than $100,000 for 98% of respondents. Over one-third of surveyed enterprises estimated downtime costs that exceed $1 million.
Effective DDoS prevention can avoid the worst possible scenarios and keep the business running even as components may be disrupted. When a DDoS attack succeeds, effective planning allows for quick recovery and limited damages. Large and small organizations will benefit from investing time and resources into protecting against DDoS attacks and IT infrastructure resiliency.