How to Stop DDoS Attacks in Three Stages

When under siege from a distributed denial of service (DDoS) attack, systems grind to a halt and often become entirely unresponsive. To stop the attack, defenders must move quickly and navigate three broad stages:

  1. Stage I: Block the DDoS Attack
  2. Stage II: Determine the Type of DDoS Attack
  3. Stage III: Recover from the DDoS Attack

Although the stages are numbered, incident response teams will often find that some of them need to be executed simultaneously. Additionally, as attackers observe the defender’s actions, they may change tactics, forcing the defending team to iterate between these stages and the steps within them.

Of course, the specifics of each stage will also be highly customized and will depend upon many factors starting with the type of DDoS attack, the resource under attack (router, website, app, server, etc.), and the DDoS protections or mitigations already in place. Additionally, the IT architecture, the resources of the defender, and the dedication of the attacker will also play significant roles in how the stages and techniques must be navigated.

Fortunately, Internet Service Providers (ISPs) and specialist vendors can provide professional DDoS Protection Services for immediate assistance for those in need. However, even these security professionals will perform the same tasks we cover here, only with more experience and potentially more sophisticated tools.

Stage I: Block the DDoS Attack

Once under a DDoS attack, resources perform sluggishly and even changes to protect them can be difficult to execute. Although an attack cannot be fully stopped without identifying it, identification cannot even be attempted when the systems are so locked up that they cannot be accessed.

The attack must be stopped — even temporarily — to recover internal resources such as the CPU capacity and memory. Organizations that send logs to other resources (segregated storage, SIEM solutions, etc.) may be able to work on Stage I: Block the DDoS Attack and Stage II: Determine the Type of DDoS Attack simultaneously.

Fundamental DDoS Response Tactics

Simple DDoS attacks can often be blocked using skilled internal resources. Yet, keep in mind that even basic DDoS attacks may need to be blocked upstream with the help of the host internet service provider (ISP) or else the blocked DDoS attack traffic can still threaten connection bandwidths and ISP infrastructure.

The number of potential tools, services, and techniques to block DDoS attacks exceeds the number of possible types of attack. However, they can generally be grouped into the following categories of tactics.

These tactics are presented in a rough order based on the likelihood of success and urgency, but should be taken as no more than a rule of thumb. Even if an organization decides to embrace the first category, Call a DDoS Expert, experts may not be able to act right away and the organization will need to attempt other actions in the meantime.

Similarly, the last category, Implement New Technology, trails the list because it often requires significant research. However, if an organization has already done that research, this category of action could certainly be taken right away.

Any organization under attack should scan the categories and implement what they believe will offer the greatest chance of success based upon their immediate circumstances. Each category will list pros and cons to help with the decision-making process.

Call a DDoS Expert

Typical internet bot DDoS attacks reach 10–11 GB per second, but record DDoS attacks have reached 46 million requests per second or 3.47 TB per second. Even large enterprises struggle to block attacks of this scale without professional assistance.

Smaller organizations can call their ISP, which might provide DDoS specialists or enable additional functions to block DDoS attacks. However, ISP options may be limited so some organizations turn to consultants, incident response tools or specialists, managed detection and response (MDR) experts, and other security professionals to stop the attack, improve systems against future DDoS attacks, and recommend other needed tools and services.

Cloud-based DDoS protection services often provide the most comprehensive option to block DDoS attacks, so organizations often engage or migrate their infrastructure behind the protection of Virtual Private Network (VPN) providers (such as NordVPN, Perimeter 81, and Surfshark) or DDoS Protection service providers (such as Akamai, Cloudflare, and Imperva). Be sure to whitelist the connection between the service and the system being protected and block other connections so nothing bypasses the DDoS service, but keep in mind that even cloud providers cannot prevent DDoS attacks originating within the organization’s network.

  • Pros of DDoS response services:
    • Extremely effective
    • Leverages the scale of cloud resources
    • DDoS specialists use expertise to move faster
    • DDoS experts can block a large range of DDoS attacks in progress and can eliminate paths for future DDoS attacks
    • DDoS professionals keep records of DDoS botnets and can block many before they activate
  • Cons:
    • If an expert is not already in place, the organization must locate and qualify an expert while under pressure
    • This method will cost more than in-house solutions (but may be worth the investment)

DDoS IP Address Filtering

A quick look at log files will often reveal a specific set of IP addresses generating most of the DDoS traffic. Blocking these attacking IP addresses can provide temporary relief and allow time to pursue other tactics.

  • Pros of DDoS IP address filtering:
    • Quick to execute, inexpensive
    • Can buy time for other tactics
  • Cons:
    • Generally a temporary solution at best
    • Attackers can spoof IP addresses
    • Attackers can easily shift to a different botnet. This leads to a game of whack-a-mole where the defenders are constantly trying to keep up with the attackers.
    • Should also be applied at the ISP level or else the ISP bandwidth will be consumed with traffic that is blocked at the resource (application firewall, internet gateway, local firewall, etc.)
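As an added example (not code from the original article), the log triage this section and the later Step 1 guidance for websites and internal attacks describe: count requests per client address in a combined-format access log, see how concentrated the traffic is (per address or per /24 segment), and render nftables commands for review. The log format, the RFC 5737 sample addresses, and the `inet filter` table and `input` chain named in the rules are assumptions.

```python
"""Triage an access log for DDoS source filtering: which addresses (or
network segments) send most of the traffic, and what to hand the firewall
and the ISP.

Added example, not code from the original article. Assumes the nginx/Apache
"combined" log format with the real client address in the first field (behind
a CDN or reverse proxy, the log format must write the forwarded client address
there instead, or every request looks like it comes from the proxy). Sample
lines are constructed (RFC 5737 documentation addresses).
"""
import ipaddress
from collections import Counter

_FMT = '%s - - [10/Oct/2022:13:55:%02d +0000] "GET %s HTTP/1.1" 200 5120 "-" "%s"'

# Constructed sample: two heavy hitters in one /24 hammering a large PDF,
# plus ten ordinary visitors.
SAMPLE_LOG = "\n".join(
    [_FMT % ("203.0.113.5", s, "/report.pdf", "curl/7.0") for s in range(40)]
    + [_FMT % ("203.0.113.9", s, "/report.pdf", "curl/7.0") for s in range(30)]
    + [_FMT % ("198.51.100.%d" % h, 10, "/", "Mozilla/5.0") for h in range(1, 11)]
)


def client_ip(line):
    """Client address of one log line, or None if the line is malformed
    (truncated lines are common when the server was crashing)."""
    try:
        return ipaddress.ip_address(line.split(" ", 1)[0])
    except ValueError:
        return None


def source_counts(log_text, prefix_len=None):
    """Requests per client address, or per network when prefix_len is given
    (e.g. 24 to spot an internal segment or a botnet's provider range)."""
    counts = Counter()
    for line in log_text.splitlines():
        ip = client_ip(line)
        if ip is None:
            continue
        key = ip if prefix_len is None else ipaddress.ip_network(
            f"{ip}/{prefix_len}", strict=False)
        counts[key] += 1
    return counts


def top_sources(log_text, top_n=5, prefix_len=None):
    """[(source, requests, share_of_all_requests)] sorted by requests."""
    counts = source_counts(log_text, prefix_len)
    total = sum(counts.values())
    if not total:
        return []
    return [(str(src), n, n / total) for src, n in counts.most_common(top_n)]


def sources_for_share(log_text, share=0.8, prefix_len=None):
    """Smallest set of top sources that together send `share` of requests.
    A handful means address filtering will buy time; hundreds means the
    attack is distributed and filtering becomes the article's whack-a-mole."""
    counts = source_counts(log_text, prefix_len)
    needed, covered, chosen = share * sum(counts.values()), 0, []
    for src, n in counts.most_common():
        chosen.append(str(src))
        covered += n
        if covered >= needed:
            break
    return chosen


def candidate_blocklist(log_text, min_share=0.10, prefix_len=None):
    """Sources that each account for at least min_share of all requests."""
    return [src for src, _n, s in top_sources(log_text, None, prefix_len)
            if s >= min_share]


def nft_commands(sources, table="inet filter", set_name="ddos_block"):
    """Render nftables commands for human review; nothing here runs them.
    Assumes table `inet filter` with an `input` chain already exists. The
    set takes both addresses and prefixes. Per the article's caveat, give
    the same list to the ISP: dropping here does not free the upstream link."""
    cmds = [
        f"nft add set {table} {set_name} '{{ type ipv4_addr; flags interval; }}'",
        f"nft add rule {table} input ip saddr @{set_name} drop",
    ]
    if sources:
        cmds.append(f"nft add element {table} {set_name} '{{ {', '.join(sources)} }}'")
    return cmds


if __name__ == "__main__":
    for src, n, share in top_sources(SAMPLE_LOG):
        print(f"{src:20} {n:5d} {share:6.1%}")
    print("80% of requests from:", sources_for_share(SAMPLE_LOG))
    print("by /24:", top_sources(SAMPLE_LOG, top_n=2, prefix_len=24))
    print("\n".join(nft_commands(candidate_blocklist(SAMPLE_LOG))))
```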

Migrate to a new IP Address

Instead of blocking attackers, defenders can move the resource out of the sights of the DDoS attackers and reroute legitimate traffic to a new IP address.

  • Pros of IP address migration:
    • Inexpensive, relatively quick
    • Can buy time for other tactics
  • Cons:
    • Generally a temporary solution because attackers will also find the new location
    • May require significant internal changes for other resources linked to the moved resource

Enable Unused or Strengthen Existing DDoS Protection Options

Organizations can check existing resources (server software, router firmware, etc.) for DDoS protection options that may not yet be activated. For example, enabling DDoS options on routers or adjusting request rate limits on a host.

  • Pros
    • Inexpensive and quick
  • Cons:
    • May not be effective against the current attack
    • Attackers can switch methods easily
    • May not be possible to execute until the DDoS attack subsides

Enable Geo-Blocking

Examination of logs during a DDoS attack may reveal huge traffic spikes from countries that do not usually visit the website. Geo-blocking can block large botnets operating from other countries.

  • Pros:
    • Inexpensive, quick
    • Can be effective and buy time for other tactics
  • Cons:
    • A temporary solution since botnets exist within all major countries
    • Blocks legitimate traffic from the blocked regions (and possibly employees traveling to or working from those areas)

Shutting Down Services

Although it concedes some victory to the DDoS attackers, sometimes shutting down the system under attack provides the best option. The service or resource can be isolated and hardened against further attack before it is brought back online.

If the specific type of attack is known, a specific service under attack may be shut down instead of an entire resource. For example, in an HTTP GET attack, the DDoS attack might be seeking to download very large PDF files so a defense might be to disable the link to PDF files or disable downloads temporarily without affecting the rest of the website.

  • Pros:
    • Inexpensive to execute, quick, effective
  • Cons:
    • Potentially disruptive, especially for full system shutdown
    • Although inexpensive to execute, associated business disruptions may be very costly to the organization

Implement New Technology

This response adds web application firewalls, secure web gateways, DDoS protection appliances or other technologies to protect assets. These tools can inspect and clean traffic before it can reach the resource.

  • Pros
    • Can be effective and likely protects against future attacks
  • Cons:
    • Can be expensive and time-consuming to deploy
    • May consume future resources for upkeep
    • May create delays for deployment because of solution research, shipping, and configuration
    • Does not eliminate issues for ISPs in between the internet and the inspecting tool
    • Inspecting tools cannot always scale quickly or handle the largest DDoS attacks

Non-Technical DDoS Responses

Even as the incident response team may be scrambling to cope with the DDoS attack, the organization must still deal with other stakeholders:

  • Executives need to be kept up to date
  • Employees may need to be notified about the availability of internal resources or alternative methods to accomplish work
  • Customers may need to be notified and informed about system status (often done using social media unaffected by the attack)
  • If the DDoS attack causes significant damages to the business, cybersecurity insurance companies, regulators (Security and Exchange Commission, etc.), and law enforcement may need to be notified

An organization’s management should be prepared to embed non-technical assistance into an incident response team to coordinate, manage, and execute written, verbal, and phone communication with stakeholders. The CFO may even want to embed someone on the team with the authority to authorize expenses or to coordinate the rapid authorization of purchases needed to recover from the DDoS attack.

Stop Specific DDoS Attacks

The fundamental DDoS techniques above apply to all attacks, but each type of DDoS attack and affected architecture might only benefit from a few of the tactics. Below, we’ll provide focused tactics for specific resources under attack — just keep in mind that specific architectures could require specialized techniques.

In many cases, the fastest way to eliminate the attack will be to call in an expert, especially cloud-based DDoS protection and response services. However, they may not work effectively for internal attacks on servers, routers, or internal applications and may also be expensive. Some organizations will not be able to authorize immediate use of more expensive resources and other approaches may need to be tried first.

Stop External Application, Server, And Website DDoS Attacks

Because they are intentionally exposed to the internet, applications and websites are often targeted by DDoS attackers as the easiest resources to affect. Servers hosting or supporting these resources will often be directly affected by the attack and will suffer CPU, memory, and bandwidth overload. Once an attack begins, the steps to protect each of these will be quite similar.

Step 1: Block the Initial Attack

Examine the log files and block the IP addresses or use geofencing to block traffic from countries producing the most traffic. While this may only be effective temporarily, it will help to buy time for more effective protection.

Step 2: Side-step the Attack

If blocking proves ineffective, try changing the server IP address or URL to move the server out of the path of the DDoS attack. As with blocking the attack, this may only be a temporary reprieve, but it can buy time to implement other tactics that take more time to execute.

Step 3: Stop the Service

If blocking or side-stepping the attack does not work, the organization may need to stop the service under attack (such as a PDF download, shopping cart, etc.).

Stopping a website or application in part or entirely will be so disruptive that this step should not be taken lightly. It should only be pursued if steps 1 and 2 cannot provide enough time to pursue other steps below.

Step 4: Enable Additional Protections

While part of the incident response team attempts to stop the existing attack, other members should be working on enabling other protection against DDoS attacks such as:

  • Call the ISP to get help or engage DDoS protection services
  • Add web application firewalls (WAF) or adjust WAF settings to block attacks
  • Apply stronger rate limits to firewalls, servers, and other resources protecting and servicing the website or application
  • Engage service providers or add tools such as:
    • DDoS protection appliances in front of existing firewall appliances
    • WordPress plugins (such as WordFence) to block DDoS traffic
    • Enterprise-level cloud firewalls (such as Google’s) or Firewall-as-a-Service (FWaaS) offerings
    • DDoS protection service from a vendor such as Cloudflare or Sucuri

However, be aware that additional protections often will affect existing architecture or performance. For example, load balancers may be bypassed by DDoS tools, or the packet inspection of DDoS protection appliances may introduce lag time for traffic.

Stop External Router DDoS Attacks

Router attacks will typically be suffered by individuals and small businesses that connect their router directly to the internet. Often, there is no IT professional regularly supporting the environment so DDoS attacks on routers can result in complete shutdown of internet access. For typical attacks, defenders will:

Step 1: Reset the IP Address

The fastest method to dodge a DDoS attack is to reset the IP address. There are several ways to accomplish this:

  • Fastest method: Unplug the router and sometimes also the modem. For internal routers, IP address reset can be quick, but for routers attached to the internet, it can take as little as 5 minutes or as long as 24 hours to be assigned a new IP address, depending upon the ISP.
  • Best method: Contact the ISP. Some ISPs limit changes in IP address and need to be contacted directly. ISPs can also implement additional security or offer additional services to block DDoS attacks.
  • Admin console: Log into the router as an admin via a web browser and change the IP address under Network Settings. Check the user manual for instructions for the specific router.
  • Command Prompt: Power users can release and renew the IP address with the ipconfig (Windows, macOS) or ip (Linux) command-line tools. Mac users can also use advanced system preferences to select TCP/IP and “Renew DHCP Lease.”

Of course, this renders the internet or network unavailable until the router is restarted, and attackers can still search for the new IP address to attack the router.

Step 2: Activate DDoS Defense Options on the Router

Check the manual or the admin console menus to see if there are additional DDoS protection options that can be enabled on the router. These can be activated quickly, but may affect performance.

Older routers or consumer-grade routers may lack features to protect against modern DDoS attacks and other common threats. Consider upgrading to more capable devices with more security features or capacity.

Step 3: Add Layers of Protection

To block future attacks against routers, IT teams can add additional layers of protection. For external attacks, firewalls, VPN Services, Secure Web Gateways (SWG), and DDoS protection appliances can be added between the router and the internet. The best choice will depend upon the budget and resources of the organization.

Stop Internal DDoS Attacks On A Server Or Router

Although bot-driven internet DDoS attacks often capture the headlines, attackers can also harness vulnerabilities or use malware to turn devices within the network into a botnet to attack internal resources. In these situations, cloud-based services will not be able to help because the traffic originates within the trusted network beyond where the cloud provider can offer much help.

Internal attacks can be directed at internal routers to cause business disruption or to serve as a distraction for other malicious activity such as ransomware or data theft. To counter these internal attacks, incident response teams may first need to stop the specific style of attack in order to regain access to the network.

Step 1: Block the Initial Attack

Examine the log files. If the traffic originates from specific devices or network segments, block those IP addresses or power down compromised devices. While this may only be effective temporarily, it will help to buy time for more effective protection.

However, there may be circumstances that do not permit shutting down the DDoS attackers. For example, if an attacker turns a hospital’s respirators into a botnet, the hospital cannot simply turn them off without severely affecting patient health.

Step 2: Side-step the Attack

If blocking proves ineffective, try changing the server or router IP address to move the resource out of the path of the DDoS attack. As with blocking the attack, this may only be a temporary reprieve, but it can buy time to implement other tactics that take more time to execute.

Step 3: Stop the Service

If blocking or side-stepping the attack does not work, the organization may need to stop the service under attack. However, stopping a website or application in part or entirely will be so disruptive that this step should not be taken lightly. It should only be pursued if steps 1 and 2 cannot provide enough time to pursue other steps below. In extreme cases, the network cables can be physically unplugged from the server or devices to disrupt the attack.

Step 4: Enable Additional Protections

While part of the incident response team attempts to stop the existing attack, other members should be working on enabling other protection against DDoS attacks such as:

Keep in mind that a forensic or security investigation will become part of the recovery process for internal attacks. The initial infection, access points, malware, and changes to systems introduced by attackers will need to be located and removed to prevent future DDoS attacks or worse.

See the Best Digital Forensics Tools & Software for 2022.

Stop Video Game System DDoS Attacks (PS4, PS5, XBox, Etc.)

Attackers need an IP address against which they can launch their DDoS attack. Official networks such as Steam or official game servers (for Xbox, Playstation, etc.) generally hide user IP addresses, but many third-party servers serving games such as Minecraft or Team Fortress 2 may leave IP addresses visible.

Although typically a consumer problem, the increased popularity of video games has created an industry of DDoS-susceptible businesses such as professional video game teams, internet cafes, and video game tournaments. Additionally, many companies do not monitor for video game platforms (Xbox, Playstation, etc.) or software (Blizzard, Steam, etc.) installed on local networks or systems.

Companies with public WiFi hotspots for customers will also be highly vulnerable. An attack against a locally-attached game system can cause spill-over effects on the network, router, and other IT systems in the environment.

Step 1: Reset the IP Address

As with a router attack, the fastest method will be to reset the system and the IP address.

  • Fastest method: Unplug the game system. If the game system is the only device on the local network, also unplug the router or modem connecting the game system to the internet. For internal routers, IP address reset can be quick, but for devices attached to the internet, it can take as little as 5 minutes or as long as 24 hours to be assigned a new IP address, depending upon the ISP.
  • Best method: Contact the ISP. Some ISPs limit changes in IP address and need to be contacted directly. ISPs can also implement additional security or offer additional services to block DDoS attacks.
  • Router IP Address Reset: Log into the router console as an admin via a web browser and change the IP address under Network Settings. Check the user manual for instructions for the specific router.
  • Command Prompt: Power users can release and renew the IP address with the ipconfig (Windows, macOS) or ip (Linux) command-line tools. Mac users can also use advanced system preferences to select TCP/IP and “Renew DHCP Lease.”

Of course, this renders the internet or network unavailable until the router is restarted, and attackers can still search for the new IP address to attack the router.

Step 2: Activate DDoS Defense Options

On the router, check the manual or the admin console menus to see if there are additional DDoS protection options that can be enabled on the router servicing the game console. These can be activated quickly, but may affect performance.

Some game consoles have privacy and online safety options available in the menus that can be used to minimize public information. In Xbox, this is called ‘private mode’ and is available under More Options>Xbox Settings>Privacy and Online Safety.

Step 3: Add Layers of Protection

  • Adding a VPN service is easy enough, but it can add latency (ping) because of the extra network hops. Look for VPN services that cater to gamers or advertise low-latency connections and secure IP addresses.
  • Upgrade to or add professional-grade routers or next-generation firewalls. To avoid ping increases from packet inspection, look for low-latency devices or devices that can be configured to exempt game-system traffic from inspection.

Professional gaming environments will also need to guard against insider threats, where a user might collect internal IP addresses in an internet cafe or tournament and leak that information to external attackers. Additional DDoS protection hardware and DDoS protection services can be used to block external threats, while microsegmentation, network monitoring, and managed detection and response (MDR) teams can be used to protect each gamer and monitor for malicious behavior.

Stage II: Determine the Type of DDoS Attack

Some attacks become obvious because everything grinds to a halt, but often there will be a period in which the resource “acts funny” as it struggles with the early stages of a DDoS attack. In either case, the attack cannot be completely stopped unless it is identified.

In best-case scenarios, security and incident response teams receive sufficient alerts from resources to provide advance warning to cut off the worst of the DDoS attack or to easily analyze the attack. In the worst-case scenarios, logs and alerts can only be generated after the resource crashes.

Signs Of DDoS Attack

The first signs of attack will be delays. Applications will be slow to proceed, websites will be slow to load, servers will be slow to respond to requests, etc.

Users behind an internet connection under attack may find themselves cut off from the internet or unable to use local resources. Network operations centers, firewall monitoring tools, cloud usage tools, and other monitoring solutions may catch spikes in network or internet traffic.

Deep into the attack, resources will simply become unavailable — even to run diagnostic tools or to access log files and other reports. Teams should respond as quickly as possible or ensure resources prioritize sending logs out for analysis.

Examine And Analyze Logs, Alerts, And Records

Log files and other records will keep track of the application performance, network bandwidth, CPU usage, memory usage, and other key factors related to the DDoS attack. Often, the DDoS attack will be a surge in unusual behavior such as sudden increases in web traffic, requests for specific documents, etc.

TIP: Document everything. These records from the DDoS attack will be valuable for calculating damages for cybersecurity insurance, for forensic analysis regarding the attacker, and for the post-mortem analysis of how to prevent similar attacks in the future.

Ideally, the first indicators of trouble will come from alerts set up on monitoring software checking for bandwidth, memory, or CPU issues. Alerts can help a response team jump into action and prevent the DDoS attack before it takes down resources.

Without alerts, an organization may have to rely upon customer or internal complaints which may be delayed because they may also travel through the congested resource (application, server, etc.) crippled by the DDoS attack.

Attack Characterization

Attack characterization helps to discriminate attack traffic from legitimate traffic and to profile the attack itself. Low-level attacks using protocols to disable infrastructure will require a different style of response than an application-level attack attempting to target a specific function in an application.

With so many different types of possible DDoS attacks, it can be difficult to determine exactly which one may be deployed. However, the response team will use their analysis of the logs to provide clues regarding the attack and potential defenses.
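An added example, not code from the original article, of the log analysis this stage describes: find the minute the request rate jumps, then profile the spike window by target path, user agent, and how many addresses carry the traffic, which separates the case where address filtering will help from the distributed case. The combined log format and the constructed sample lines are assumptions; the 10 percent single-address threshold is a rule of thumb chosen here, not a figure from the article.

```python
"""Characterize an HTTP-layer DDoS from an access log: when the request
rate jumped, what the surge targets, and how many addresses carry it.

Added example, not code from the original article. Assumes the nginx/Apache
"combined" log format. Sample lines are constructed (RFC 5737 addresses).
"""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"'
)


def _line(ip, hhmmss, path, ua):
    return (f'{ip} - - [10/Oct/2022:{hhmmss} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')


# Constructed sample: five quiet minutes of ordinary browsing, then two
# minutes in which 50 different addresses each fetch one large document.
SAMPLE_LINES = (
    [_line(f"198.51.100.{n}", f"13:5{m}:00", "/", "Mozilla/5.0")
     for m in range(5) for n in range(1, 5)]
    + [_line(f"203.0.113.{n}", f"13:5{m}:30", "/report.pdf", "python-requests/2.28")
       for m in (5, 6) for n in range(1, 51)]
)


def parse(line):
    """Fields needed for triage, or None for a malformed or truncated line
    (a crashing server often leaves the last lines cut off)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "minute": ts[:17], "method": method, "path": path,
            "status": int(status), "ua": ua}


def requests_per_minute(lines):
    """{minute: requests}, keyed dd/Mon/yyyy:HH:MM and ordered within a day."""
    counts = Counter(r["minute"] for r in map(parse, lines) if r)
    return dict(sorted(counts.items()))


def spike_minutes(per_minute, baseline_n=5, factor=5.0):
    """Minutes whose request count is at least `factor` times the median of
    the first `baseline_n` minutes. The median keeps one early spike from
    lifting the baseline; this assumes the log begins before the attack."""
    minutes = list(per_minute)
    baseline = statistics.median([per_minute[m] for m in minutes[:baseline_n]])
    threshold = factor * max(baseline, 1)
    return [m for m in minutes if per_minute[m] >= threshold]


def profile(lines, minutes, top=3):
    """Profile only the requests logged in the given minutes."""
    window = set(minutes)
    recs = [r for r in map(parse, lines) if r and r["minute"] in window]
    if not recs:
        return {"requests": 0, "distinct_ips": 0, "max_share_one_ip": 0.0,
                "top_paths": [], "top_agents": [], "error_share": 0.0}
    per_ip = Counter(r["ip"] for r in recs)
    return {
        "requests": len(recs),
        "distinct_ips": len(per_ip),
        "max_share_one_ip": max(per_ip.values()) / len(recs),
        "top_paths": Counter(r["path"] for r in recs).most_common(top),
        "top_agents": Counter(r["ua"] for r in recs).most_common(top),
        # 5xx responses climbing inside the window is the server giving out
        "error_share": sum(r["status"] >= 500 for r in recs) / len(recs),
    }


def characterize(lines, **spike_kwargs):
    """Find the spike, profile it, and state which Stage I tactic the
    numbers point at."""
    per_minute = requests_per_minute(lines)
    spike = spike_minutes(per_minute, **spike_kwargs)
    result = profile(lines, spike)
    result["spike_minutes"] = spike
    # Assumed rule of thumb, not a figure from the article: if no single
    # address carries 10% of the surge, blocking addresses is the whack-a-mole
    # case and per-path rate limits or upstream filtering fit better.
    result["filtering_viable"] = result["max_share_one_ip"] >= 0.10
    return result


if __name__ == "__main__":
    report = characterize(SAMPLE_LINES)
    for key in ("spike_minutes", "requests", "distinct_ips", "max_share_one_ip",
                "top_paths", "top_agents", "error_share", "filtering_viable"):
        print(f"{key:18} {report[key]}")
```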

Forensic investigation may be required for internal network DDoS attacks to determine how the attack entered the network, infected systems, and launched the DDoS attacks. Specialized forensic investigators will often be required to gather evidence and ensure more sophisticated attackers have been removed from the network.

Attack Traceback

DDoS attack traceback seeks to locate the true sources of an attack, even when source IP addresses are spoofed, during or after the attack. During the attack, if the traffic originates from a small number of IP addresses, the attack can be blocked through IP blocking; however, this will not be typical for a modern DDoS attack.

Stage III: Recover from the DDoS Attack

Organizations that can quickly eliminate a DDoS attack may suffer no more than inconvenience. Organizations that are not so fortunate will need to assess the damage, make any needed adjustments required from the DDoS remediation, determine what immediate steps to take for preventing recurrence of that DDoS attack, and consider other preventative measures.

DDoS Attack Damage

Damage from DDoS attacks will vary from organization to organization and will depend upon the resources affected. In customer surveys:

After a significant DDoS attack, organizations will need to document their costs and damages for two key purposes:

  • The damages may be covered by cybersecurity insurance
  • The damages create an estimate that can be used to budget for tools and services to prevent future DDoS attacks.

DDoS Remediation Adjustments

In the mad dash to block the DDoS attack, the organization may make architecture or software changes that break connections or cause other issues. Part of the recovery process requires examining the infrastructure to detect and fix those broken components or links.

For example, moving a website behind a DDoS filtering service provider such as Cloudflare typically moves only the main domain. Sub-domains may not migrate automatically and will require manual adjustments.

Similarly, integration with other third-party tools may require adjustments. For example, a publishing website could discover that their Drupal web content management system no longer correctly connects to the published content protected by the DDoS provider and that a separate Edit sub-domain may be required.

For DDoS attacks launched within the network, individual computer systems may need to be sanitized to remove malware or an attacker’s ability to access the device for future attacks. Sometimes this may also trigger data and system recovery needs.

DDoS Attack Lessons Learned

Generate a lessons-learned report that explains the DDoS attack and determines mitigations to protect against similar attacks. Mitigation should be enacted immediately, but if that is not practical, the mitigation should be planned and proposed for budgeting.

The costs to remediate the DDoS attack and any business losses from the downtime will provide a rough target for comparison with the mitigation budget.

If the attack was significant in size or impact, report the incident to law enforcement or industry organizations such as CERT. Reporting attacks can help law enforcement build profiles of major attackers and possibly take steps such as:

Prevent Future DDoS Attacks

After executing the three critical stages to stop a DDoS attack, an organization will find itself in a better position. However, recovery alone cannot prevent future DDoS attacks because it only addresses the last attack. The best way to stop a distributed denial of service (DDoS) attack will always be to be prepared for one in advance.

IT and security teams can deploy many options in preparation for a DDoS attack that will help to control and manage the future impact when a DDoS attack occurs. Vendors, tools, and planning can combine to create a robust and layered approach to limit risks associated with DDoS and lessen the damage from successful DDoS attacks.

When selecting vendors, it is important to work with DDoS specialists, but these vendors, like any other IT measures, should fit into the overall IT and security strategies. While a significant threat, anti-DDoS measures should not be so optimized that they compromise other priorities for operations and security.

An organization also cannot lose sight of the possible motivations of the attackers. Organizations need to understand that some DDoS attacks may be used as a distraction or cover-up for other attacks such as espionage, ransomware, or business email compromise. Any DDoS playbook should also include activating a more general incident response to check for other attacks and compromises.

The five key steps to prevent DDoS attacks include:

  1. Harden against attacks
  2. Deploy Anti-DDoS Architecture
  3. Deploy Anti-DDoS Tools
  4. Design a DDoS Response Playbook
  5. Deploy DDoS Monitoring

Further reading: How to Prevent DDoS Attacks: 5 Steps for DDoS Prevention

Bottom Line

With the increasing sophistication and capabilities of attackers, defenders must be on alert. Not only will stopping DDoS attacks become increasingly difficult, but attackers will continue to increase the speed at which they exploit windows of opportunity. Organizations should prepare now for future DDoS attacks and take advantage of the capable tools and services available to help them.

Chad Kime
Chad Kime combines his Electrical Engineering and MBA degrees to translate between technical language and common English. After managing over 200 foreign language eDiscovery projects, Chad values practicality over idealism. He has written on cybersecurity, risk, compliance, network security hardware, endpoint monitoring software, anime DVDs, industrial hard drive equipment, and legal forensic services.