How to prevent DDoS attacks

What is a DDoS attack?

DDoS attacks involve malicious actors creating a botnet — a network of infected computers and endpoints — and using a command-and-control server to direct web traffic or requests toward a specific targeted server or network.

Most DDoS attacks are volumetric, designed to generate more traffic or requests than a system, server or network can handle. DDoS attacks often occur at the infrastructure layer or application layer of the Open Systems Interconnection model, but such attacks can also target the transport layer, session layer or network layer. Examples of DDoS attacks include packet or request flooding, packet fragmentation and amplification attacks.

The goal of a DDoS attack is to make the targeted network, website or other resource unavailable to legitimate users. This results in customer loss, a negative reputational effect and high remediation costs to the target organization.

11 strategies to prevent a DDoS attack

There’s no one-size-fits-all solution to prevent DDoS attacks. Rather, organizations should implement some or all of the following strategies to reduce the chances of a successful attack.

1. Create a response plan

Build a DDoS response plan using the same methodology as an incident response, disaster recovery or business continuity plan. The document should outline specific steps for preventing and mitigating a DDoS attack. Key plan components include the following:

• A checklist of actionable steps for the security team and other stakeholders to follow.
• Contact information of DDoS response team members.
• The location of where data backups are secured from external attack.
• Escalation and/or triaging procedures.
• An attack communication plan.

2. Monitor for abnormal or suspicious traffic

Continuously observe network traffic using an intrusion detection system, firewalls and log monitoring tools. Monitor for early signs of a DDoS attack, such as anomalous spikes in web traffic, unusual traffic patterns, multiple connection requests from the same IP addresses and numerous requests directed toward a particular endpoint or system.

3. Keep up with patch management

Install the latest software patches and upgrades. Proper patch management makes it more difficult for attackers to exploit vulnerabilities.

4. Reduce the attack surface

Attack surface reduction enables organizations to strengthen prevention measures elsewhere. Close or limit external access to seldom-used ports and applications so malicious hackers have fewer target opportunities. Use load balancers and access control lists to prevent unauthorized external traffic from reaching and affecting specific ports and apps.

5. Scale up network bandwidth and server capacity

Implement a network control or policy that automatically scales up bandwidth or capacity to prevent a DDoS attack from taking down an entire server or network. While this is not a method every organization can afford, it provides security and networking teams time to stop a DDoS attack from affecting end users.

6. Use cloud infrastructure

Cloud infrastructure is also vulnerable to DDoS attacks, but it can help organizations prevent DDoS attacks by providing response scalability capabilities and service distribution. Using cloud services closer to the attack origins enables organizations to stop the attack more quickly and keep services functioning.

7. Use a scrubbing center

Scrubbing involves routing all traffic to a particular IP address to a high-bandwidth data center. The data center examines the traffic, removes malicious content and forwards only legitimate traffic to its intended destination. Organizations can continuously scrub traffic or use the service only during an active DDoS attack.

8. Implement rate limiting

Rate limiting restricts how many requests a web server accepts during a specific time frame. This helps prevent DDoS attacks by dropping excess or anomalous traffic. Rate limiting also helps protect against API abuse.

9. Use a content delivery network

A CDN is a group of globally distributed servers that caches content and helps protect websites by filtering and blocking malicious traffic. CDNs distribute website traffic across multiple servers to help prevent a main website server from becoming overwhelmed and crashing.

10. Deploy a web application firewall

A WAF is a firewall that analyzes HTTP traffic at the application layer. WAFs are network-, host- or cloud-based. Using a WAF enables organizations to do the following:

• Create sophisticated permutations and rules to inspect data packets at a granular level.
• Filter and block malicious network traffic destined for web applications.
• Develop a security model to monitor “good” and “bad” internet traffic across geographic regions.

11. Hire a DDoS mitigation provider

Organizations with limited budgets can outsource DDoS prevention and mitigation to a third party. Vendors, such as Cloudflare and Akamai, provide enterprise-grade prevention techniques to protect DNS, applications, APIs, web infrastructure and websites from extended downtime in the wake of a DDoS attack.

Ravi Das is a technical engineering writer for an IT services provider. He is also a cybersecurity consultant at his private practice, ML Tech, Inc., and has the Certified in Cybersecurity (CC) certification from ISC2.