DDoS attack survival guide for businesses


As a business owner, cyber security should be one of your top priorities – cyber attacks can lead to loss of intellectual property, confidential customer data, and revenue. This guide will explain how to survive a DDoS attack, and what you can do to mitigate the risk of it happening again.


Chapter 1

What is a DDoS attack?

DDoS stands for distributed denial of service.

A DDoS attack is an attempt to disrupt a server, service, website or network by overwhelming it with requests, to the point where regular traffic can’t get through. This usually leaves customers unable to access services or buy products.

Different types of DDoS attack target different layers of a network connection:

Application layer attack

This targets vulnerabilities in the application part of a network connection, where web pages are generated on the server and delivered to the user. Users then cannot access the content they want to view.

Protocol attack

This targets vulnerabilities in internet communications protocols, disrupting the service for the user. Internet protocols are the ways in which data is sent from one device to another on the internet. Many protocols are in use across the world, which means updating them to remove the targeted vulnerabilities can be a slow process. Cyber attackers will often investigate the updated protocols for new weaknesses to exploit.

Volumetric attack

This uses a large amount of malicious traffic to consume all the available bandwidth within your network, or all the available bandwidth between your network and the general internet. Either way, your network becomes overwhelmed and unable to service legitimate requests. Volumetric attacks can be carried out alone, or used as a cover for additional DDoS attacks which may be more difficult to spot.


How does a DDoS attack happen?

Cyber criminals carry out DDoS attacks by infecting digital devices like computers with malware and then controlling them remotely. An individual device is known as a bot; a group of bots is known as a botnet. During the attack, each bot sends requests to your server or network, overwhelming it and preventing legitimate users from getting through.

Why do DDoS attacks occur?

There are multiple reasons a DDoS attack might be carried out. Let’s take a look at the most common ones.

01. Financial gain

Some threat actors may hold your network hostage, requesting a large sum of money in exchange for returning it to normal.

02. Competition

Despite the fact that DDoS attacks are illegal, less scrupulous competitors in your field may target your network so that any lost traffic is more likely to head their way instead, resulting in you losing both money and customers.

03. Malice or disagreement

For some threat actors, DDoS attacks are a way of expressing disapproval. Cyber attackers may disagree with your stance on a specific topic, or you may be the target of a person seeking revenge (a former employee, for example).

04. Political gain

DDoS attacks can happen between governments or political parties.

05. Distraction

Some attackers may carry out a DDoS attack as a cover for other malicious cyber activity. While you’re busy tackling the DDoS attack, they’re launching an even more harmful attack on your network.

06. Amusement

Sometimes attackers are simply entertaining themselves, or breaching your cyber security to test their skills.

Why is a DDoS attack dangerous for businesses?

At the start of 2023, the UK had 66.11 million internet users (97.8% of the total population). Over 80% of the UK’s population shop online, a number that’s expected to reach 90% by 2025. And over 90% of UK consumers said they avoided buying from companies whose reviews averaged out at less than four stars. What’s clear from these figures is that an online presence and an impeccable reputation are essentials for any business.

However, with this digital dependence comes a higher risk of cyber attacks being effective. Your reputation and bottom line will inevitably be affected if you can’t use the applications you need to manage your daily operations, or your customers can’t access your products or services.

The most recent Cyber Security Breaches Survey shows that 32% of businesses reported a cyber attack in the last year, with the figure rising to 59% for medium sized businesses and 69% for large businesses. Despite this:

  • Only 29% of businesses had undertaken cyber security risk assessments
  • Only 30% used cyber security monitoring tools
  • Only 37% were insured against cyber security risks

A relaxed approach to cyber security makes your business vulnerable to cyber attacks. It’s important to have a crisis plan in place for when the worst happens. But in terms of prevention, the single most important thing you can do is ensure that your people are trained to be vigilant and report suspicious activity. Reporting is key – for example, many people will delete a suspect email without alerting their IT security teams.


Chapter 2

What to do in the event of a DDoS attack

Your first step is to identify that your website is experiencing a DDoS attack and not a legitimate increase in traffic. For example, if you’ve just introduced a new product or service, a traffic increase is normal, and cutting off genuine customers will affect the bottom line. But if you notice unexpected activity, it’s time to err on the side of caution.

How to identify a DDoS attack

It can be difficult to identify a DDoS attack because:

  • The signs are very similar to legitimate issues you might experience, such as slow page loading times.
  • Threat actors are developing more sophisticated and complex methods.
  • Businesses welcome increases in web traffic, so may not be suspicious at first.

The more sophisticated the attack, the more difficult it will be to differentiate from legitimate traffic.

However, you can make use of web analytics tools (such as Google Analytics and Ahrefs) to monitor traffic. This is a good habit to get into anyway, as these tools enable you to track visitor behaviour and identify patterns so you can improve the user experience. Being familiar with what’s normal for your site can help you spot anything unusual.

Indicators of a DDoS attack:

  • A lot of traffic from one IP address (a unique set of numbers identifying a device on a network).
  • A lot of traffic from one IP range (a set of consecutive IP addresses).
  • A large, unexplained increase in requests on a page.
  • A large, unexplained increase in traffic from users who appear to have the same type of device, are in the same location, or are using the same web browser.
  • Strange patterns in traffic behaviour, such as a spike in traffic at set intervals.
  • A network can no longer connect to the internet.
  • You can no longer access your website.
  • The server is slow or unresponsive.

Pay close attention to the length of time a spike in traffic causes disruptions. Issues caused by legitimate traffic spikes can normally be solved relatively quickly, while traffic spikes caused by a DDoS attack can take hours or days to solve.
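The indicators above can be checked mechanically against your own web server access logs. The script below is an added example, not part of the original guide: it parses combined-format (nginx/Apache style) log lines and applies four of the listed heuristics at once: a single address sending far more than a real visitor would, a single /24 range dominating the log, a per-minute request count many times your normal baseline, and one browser or device type accounting for most of the traffic. The thresholds (`baseline_rpm`, `per_ip_limit`, `per_net_limit`, `dominant_share`) are assumptions to be tuned to what is normal for your site, and the sample log is constructed inline using the RFC 5737 documentation address ranges rather than real traffic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Combined log format as written by nginx/Apache. Assumption: your server logs in this shape.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyse(lines, baseline_rpm=20, spike_factor=5, per_ip_limit=50,
            per_net_limit=150, dominant_share=0.7):
    """Apply the guide's traffic indicators to a batch of log lines.

    All thresholds are illustrative assumptions; set them from your own traffic baseline.
    """
    records = [r for r in map(parse_line, lines) if r]
    per_ip = Counter(r["ip"] for r in records)
    per_net = Counter(str(ip_network(f"{r['ip']}/24", strict=False)) for r in records)
    per_minute = Counter(r["ts"].replace(second=0, microsecond=0) for r in records)
    per_ua = Counter(r["ua"] for r in records)
    per_path = Counter(r["path"] for r in records)
    total = len(records)

    findings = {
        # one IP address sending far more than any real visitor would
        "hot_ips": [ip for ip, n in per_ip.items() if n > per_ip_limit],
        # one range of consecutive addresses dominating the log
        "hot_ranges": [net for net, n in per_net.items() if n > per_net_limit],
        # minutes whose request count is a multiple of the normal baseline
        "spike_minutes": sorted(m.isoformat() for m, n in per_minute.items()
                                if n > baseline_rpm * spike_factor),
        # a single user agent (same browser or device type) behind most of the traffic
        "dominant_ua": None,
        # the page receiving the most requests, to spot a per-page flood
        "top_path": per_path.most_common(1)[0] if per_path else None,
        "total": total,
    }
    if total:
        ua, n = per_ua.most_common(1)[0]
        if n / total > dominant_share:
            findings["dominant_ua"] = (ua, round(n / total, 2))
    return findings


def constructed_sample():
    """Build a small constructed log: ten quiet minutes, then a one-minute flood.

    Addresses are from the RFC 5737 documentation ranges; nothing here is real traffic.
    """
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    lines = []

    def line(ip, t, path, ua):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 '
                f'"-" "{ua}"')

    # normal traffic: 10 requests per minute from varied addresses and browsers
    uas = ["Mozilla/5.0 (Windows NT 10.0) Firefox/120.0",
           "Mozilla/5.0 (Macintosh) Safari/605.1.15",
           "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"]
    for minute in range(10):
        for i in range(10):
            t = base + timedelta(minutes=minute, seconds=i * 6)
            lines.append(line(f"192.0.2.{(minute * 10 + i) % 250 + 1}", t,
                              f"/page{i % 3}", uas[i % 3]))
    # minute 10: 250 requests for /checkout from one /24, one scripted user agent,
    # with a single address responsible for about half of them
    t0 = base + timedelta(minutes=10)
    for i in range(250):
        ip = "203.0.113.9" if i < 120 else f"203.0.113.{i % 200 + 1}"
        lines.append(line(ip, t0 + timedelta(milliseconds=i * 200),
                          "/checkout", "python-requests/2.31"))
    return lines


if __name__ == "__main__":
    for key, value in analyse(constructed_sample()).items():
        print(f"{key}: {value}")
```

Run this over a real log window (for example the last hour) on a schedule and alert when any finding is non-empty; the useful part is the comparison against your own baseline, which is why the guide recommends getting familiar with normal traffic before an attack happens.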


How to respond to a DDoS attack

Let your stakeholders know what’s happening

Keep it simple — explain what’s happening, when it started, and what you’re going to do to minimise its impact. Send regular updates as the attack and your response progress, so that everyone stays informed and can provide help if possible.

Let your security provider know what’s happening

They’ll be able to help you take on the attack.

Put your defences into action

You have the best chance of mitigating the impact of a DDoS attack if you use a combination of responses. Cyber attackers will often adapt their methods to get around your defences, so the more multifaceted they are, the better your chances of keeping them at bay:


Anycast network diffusion

An Anycast network is a way of rerouting incoming requests. In the event of a DDoS attack, it can be used to divert the malicious traffic across multiple servers, reducing the attack’s impact. The servers are less likely to be overwhelmed, meaning your network and website are both more likely to stay online.

Firewall

A Web Application Firewall (WAF) is placed between the internet and your business’s servers to protect them during a DDoS attack. Filters allow legitimate traffic through but keep malicious traffic out. These filters can be updated with new rules as the patterns of the DDoS attack are identified.

Rate limiting

Rate limiting will restrict the number of requests your server will accept within a specified time period. It’s not normally enough to prevent a DDoS attack on its own, but can be an effective blocker when used in conjunction with other mitigation methods.
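To make concrete what "restrict the number of requests within a specified time period" means, here is an added example (not from the original guide) of a per-client token-bucket rate limiter in Python, together with a simulation of a legitimate visitor and a flooding client sharing the same server. The `rate` and `burst` values are assumptions; the client key would normally be the source IP address (the real client address, not the proxy's, if you sit behind a load balancer or CDN).

```python
import time
from collections import defaultdict


class TokenBucket:
    """Allow `rate` requests per second sustained, with up to `burst` accepted at once."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self.tokens = self.burst
        self.last = clock()

    def allow(self):
        now = self.clock()
        # refill in proportion to elapsed time, but never beyond the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """One bucket per client key (assumed here to be the client IP address)."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst, clock))

    def check(self, client_key):
        return self.buckets[client_key].allow()


class FakeClock:
    """Deterministic clock so the simulation runs the same way every time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(rate=5, burst=10, flood_per_tick=2, seconds=3):
    """Drive the limiter with a constructed workload: a visitor at 2 req/s and a flood.

    Ticks are 10 ms; the flood client sends `flood_per_tick` requests every tick.
    Returns per-client (allowed, rejected) counts.
    """
    clock = FakeClock()
    limiter = RateLimiter(rate, burst, clock)
    counts = {"legit": [0, 0], "flood": [0, 0]}  # RFC 5737 addresses below are constructed
    for step in range(seconds * 100):
        clock.advance(0.01)
        if step % 50 == 0:  # the legitimate visitor clicks every half second
            counts["legit"][0 if limiter.check("192.0.2.10") else 1] += 1
        for _ in range(flood_per_tick):
            counts["flood"][0 if limiter.check("203.0.113.7") else 1] += 1
    return {k: tuple(v) for k, v in counts.items()}


if __name__ == "__main__":
    for client, (allowed, rejected) in simulate().items():
        print(f"{client}: allowed={allowed} rejected={rejected}")
```

The simulation shows both the strength and the limit the guide mentions: the flooding address is capped at roughly `burst + rate * seconds` requests while the ordinary visitor is never blocked, but a distributed attack spreads its requests over thousands of keys that each stay under the limit, which is why rate limiting is combined with the other mitigations rather than relied on alone.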

Black hole routing

Once it’s established that a DDoS attack is underway, your network administrator or internet service provider can set up a ‘black hole route’ (sometimes called a ‘null route’). All traffic to your website or network – both legitimate and otherwise – is directed into the black hole and dropped, meaning neither genuine customers nor cyber criminals are able to reach your website and network.

This is a relatively simple mitigation method, but it’s not an ideal solution. The attackers achieve their goal of making your website or network inaccessible, and you lose out on legitimate visitors.

Risk assessment

Unlike other mitigation methods, a risk assessment takes place before you suspect a DDoS attack, and involves analysing your security to identify weak spots. Once you know what these are you can strengthen them. A risk assessment can’t guarantee that a DDoS attack won’t happen, but it can limit the damage should one occur (and better security is always beneficial).


Chapter 3

Recovering and preventing further DDoS attacks

You’ll feel relieved when a DDoS attack is over, but don’t rest just yet. The recovery process is the ideal time to assess the damage and reflect on how you can prepare for – or prevent – further attacks:

Analyse the DDoS attack

Get as much information from your security provider as you can. Find out:

  • if the attackers targeted your entire network, or specific servers, services or applications;
  • what kind of DDoS attack it was;
  • if there are any noticeable patterns in the way you were attacked;
  • the highest amount of traffic during the attack;
  • the highest number of requests during the attack; and
  • how long the attack lasted.

As well as providing you with information about the DDoS attack, your security provider should also be able to show you:

  • how long it took them to identify the attack;
  • how long it took them to let you know about the attack;
  • how long it took them to divert the malicious traffic;
  • how much of the malicious traffic was blocked, versus how much initially got through;
  • how long it took them to stop the attack completely; and
  • whether their service was available for the entire duration of the attack.

By assessing your provider’s response, you can make a decision as to whether or not you need to upgrade your security.


Take stock of any damage caused

Assess the damage so you can understand the true cost of the DDoS attack. It’s also useful to have this information when discussing security measures with your stakeholders; you’ll be in a better position to make an informed decision about how much to invest in prevention methods.

As well as finding how much monetary and reputational damage was caused, you’ll need to know how much of the attack was successful and how much of it was prevented, how your services were affected, and whether the user experience (UX) of your website or network was affected.

Identify the vulnerabilities

Perhaps the most important question to ask yourself is: why? Why were the attackers able to target your network or website? Why were they able to get through your defences? Investigating this will help you identify the vulnerabilities so you can focus on removing them.

Update your protection where needed

Once your analysis is complete, you can make an informed decision about what to do next. It may well be that your security needs to be upgraded. If that’s the case, here are some key things to look out for:

  • Is the provider qualified and certified?
  • Is it up to date on current cyber security threats? Does it have access to the relevant intelligence?
  • Does it have the capacity to offer a quality service to your business?
  • Is it open about how much its services cost and how your money is used?
  • Does it have a plan in place for different cyber attack scenarios, including DDoS attacks?

To keep its protection methods secure, the provider may not always be able to go into great detail. That said, a reputable cyber security company will still be able to answer these questions and clearly explain what its services will do for your business.

Dealing with DDoS attacks can be frustrating. But by following the steps in this guide, you can minimise the effects and keep on top of your business’s cyber security protection measures.
