How to Stop a DDoS Attack & Prevent Future DDoS Attacks

DDoS attacks are a growing threat for websites. But do you know how to mitigate them in their tracks? We’ll cover some essential fundamentals on stopping a DDoS attack and preventing them from happening in the future.

Specifically, as a webmaster, keeping your site online during large traffic spikes is what you strive for. We simply want to make sure the traffic spikes are legitimate and harmless.

What is a DDoS Attack?

We have created a helpful guide that details what DDoS attacks are, the many types of variants, and the motivations behind them.

Here are a few things to understand about DDoS attacks that highlight their impact;

It costs at little as $150 for criminals / attackers to buy a week-long DDoS attack on the black market.
A small DDoS attack could cost as little as $10 for the attacker.
More than 2,000 DDoS attacks occur worldwide every single day.
The cost of a DDoS attack for the victim can spike to thousands or millions, plus there are some unmeasurable costs—like time, and bandwidth charges.

Types of DDoS Attacks

There are a number of different types of DDoS attacks. These threats prevent legitimate users from accessing your website by sending bogus requests or more traffic to the server than it can handle.

Here are a few of the most common types of DDoS attacks.

Volume-Based DDoS Attacks

The goal of a volume-based DDoS attack is to overload the website’s bandwidth or cause CPU or IOPS usage issues. If the attacker overloads your resources, the attack has been successful.

Some examples of volume-based DDoS attacks include:

UDP floods
ICMP floods
Ping floods

Protocol-Based DDoS Attacks

The goal of a protocol-based DDoS attack is to exploit weaknesses in Layer 3 and Layer 4 protocol stacks to consume server or networking hardware resources, resulting in service disruption. If the attacker sends more bandwidth than your network ports can handle or more packets than your server can handle, the attack has been successful.

Some examples of protocol-based DDoS attacks include:

Ping of death
SYN flood

Application Layer DDoS Attacks

The goal of an application layer attack is to target CPU, memory, or resources that focus on the web application layer, including hitting the web server, running PHP scripts, or contacting the database to load just a single web page.

Some examples of application layer DDoS attacks include:

Attacks targeting the DNS server
Layer 7 HTTP flood cache bypass
Layer 7 HTTP flood attack

So let’s position yourself against these threats. The cost for being unprepared to mitigate a DDoS attack can affect loss of traffic for an indeterminable amount of time; but also that time can lead to loss of reputation and sales. These can have the greatest impact on your business.

How to Prevent a DDoS Attack

Here are some main checklist items to hit on how to prevent DDoS attacks from impacting your business.

Activate a WAF

A Web Application Firewall (WAF) is a layer of protection that sits between a website and the traffic it receives. We dive deeper into the topic in this article about what is a WAF.

There are several WAF solutions that will offer automated mitigation of DDoS threats, but one of the best ways to define which WAF works the best for your application is to analyze how effective the protection is—whether it’s within the budget or if your team can properly configure it.

Activate Country Blocking

Country-based blocking is typically effective at minimizing risks. It can also help in complying with some organizational policies whose intention is indeed to “block hackers”. Here are a couple of things to note:

Regional origin is irrelevant to computers; a website firewall can only see IP addresses. Inferring geography from IP addresses relies on big tables that are never completely up to date.
Working around these blocking systems is trivial for attackers. It suffices to use some form of anonymous proxy or proxying from outside of the blocked country list, and this happens “naturally” when using Tor, which is a free and open-source software for enabling anonymous communication.

It’s not to say that country blocking won’t help prevent DDoS threats; but be sure to understand the implication behind blocking out the entire world except your country. It may not be as black and white a solution as others may lead you to believe. Country blocking is a way to enhance an actual protection against DDoS attacks, such as a website firewall.

Nowadays, most botnets are made of thousands of hacked websites, compromised CCTVs, infected computers, and other internet of things devices. The attacks are distributed all over the world. Having said that, country blocking can prevent thousands of mindless bots from spamming the connection logs. Definitely a plus!

Monitor the Website Traffic

It is important to monitor the website traffic for peaks that can allude to DDoS attacks.

There are DDoS attacks made of huge amounts of traffic. These are called volumetric attacks. Most of the time, they are network-based (layer 3 and layer 4 attacks), but not all DDoS attacks are volumetric. We demonstrated during a free webinar how a live DDoS attack from a single machine targets the website’s search engine to take it down. The traffic can be low as 1 request per second as long as targeting a vulnerable endpoint.

It would be great if your website got millions of new visitors in one hour, but wouldn’t it be suspicious?

A dramatic increase in traffic is a red flag for DDoS attacks. We highly recommend you have monitoring tools in place and always check your logs. Have alerts set up in the event you exceed a threshold specific to the number of requests / visitors targeting your site.

Some other indications to consider:

The time of day these visits occur. Would your business see a spike at 2:00am local time?
Where these visits come from. Would you expect traffic from Indonesia if you’re a local bakery in Canada?
The time of year these visits occur. Ensure that you also adjust for expected legitimate surges. If you sell fireworks, then expect a surge in traffic leading up to New Year’s Eve and account for this within your monitoring tools.

Note: Googlebot makes repeated requests to your website, which can seem like suspicious behavior on the surface. Googlebot and other search engine crawlers are vital to having a website rank correctly in searches. After all, we all want to rank high! We have a post that helps highlight the difference between Googlebot legitimate crawling a website and a DDoS attack.

What to Do During a DDoS Attack?

It seems obvious—block them! However, there are few main checklist items that apply to any company when looking to prevent a DDOS attack, or respond during one. These items include:

Systems checklist. Develop a full list of assets you should implement to ensure proper DDoS identification and prevention. Using filtering tools will also ensure that components of hardware/software are properly configured.
Form a response plan. Define responsibilities for key team members to ensure an organized reaction to the attack happens; a 24/7 window of response.
Define alternate methods or solution. Make sure your team members know exactly whom to contact in case the attack exceeds your capabilities.
You should also develop communication workflows with your customer base to ensure they are aware of any potential degradation of performance as a result of the attack.

If you’re interested in knowing more about our solution’s capabilities against DDoS threats, two of our Firewall engineers showcase the effectiveness of our WAF against DDoS threats in a short video we created. We launched an attack on a site that is on a server with limited resources— both behind our Firewall and not.