Cyber Risks: DDoS Attacks

In a DDoS attack, a cybercriminal overwhelms your Internet-facing resources with so many demands that they slow to a crawl or stop responding entirely. Defending against DDoS attacks often requires expert help, and we can connect you with the experts you need to prepare for and manage the attack.

The stages of an attack

Reconnaissance

Sophisticated attacks may start with social engineering in order to get information about an organization’s website set-up and resources, the size of the IT team, the capacity to pay a ransom, and other sensitive information.

Exploratory attacks

But in a typical attack, one cybercriminal starts with a limited DDoS attack against a web target. Then they engage in further larger attacks until they identify the attack size needed to make the target completely inaccessible. That cybercriminal may then continue or, more often, sell the details on the dark web for another cybercriminal to exploit later.

An organization may believe the attack was all over, while in fact another cybercriminal could purchase the attack details and launch it at any time. In some cases, it may be months or years before the attack occurs.

You should interpret consecutive and progressive DDOS attacks as a warning sign. Even if no significant DDoS attack happens or it happens for a short time, you should be prepared for worse.

The main attack

Attacks are typically motivated by money (for ransom) or simply the desire to harm (for political, activist, or competitive reasons), and may be timed to occur before a major event (such as Black Friday). Typically, the cybercriminal uses a network of compromised systems to generate the traffic involved in the attack. Social engineering may continue during such an attack, with cybercriminals posing as service providers who can assist with containment and recovery relating to the attack.

Broadly speaking, DDoS attacks are an attempt to bring down a system or a resource, by flooding it with excessive demands intended to consume the available bandwidth or exhaust an application server.

Possible phased attack

Sophisticated attacks may occur in stages intended to overwhelm the organization’s IT team. The cybercriminal may target the organization’s website, and then other website components such as login pages or contact forms, in order to disrupt the website. The attack may also serve as cover for other activity separate from the DDoS attack, such as targeting backups, stealing data, or launching ransomware.

Demand

The cybercriminal demands a ransom in order to stop the attack and allow the organization to recover. In attacks motivated by political or terrorist goals, however, disruption may be the sole goal, with no ransom demand.

How to protect against DDoS attacks

Understand and document your critical assets

Protection starts with an understanding of your Internet-facing systems and determining what needs to be protected.

Get help with network design and tuning

Many resources are available to help prevent DDoS attacks but they need to be set up properly and tested under stress. Load balancers spread network traffic to reduce overloads. Web application firewalls (WAFs) can restrict the types of traffic that go to application servers, while input validation can reject web requests that are intended to cause delays. Major cloud providers and expert vendors also offer specialized networks or infrastructure designed specifically to mitigate DDoS.

Understand and test the security functionality of your systems and software

Work with your Internet service provider (ISP) to understand what protections against DDoS they provide as part of your service. Consider a cloud security assessment to test for vulnerabilities in your cloud services.

Cloud-based DDoS mitigation service

Consider providers like Cloudflare or Akamai that offer DDoS protection for both network-layer and application-layer attacks. Reducing and controlling these attacks is much more efficient if that fallback infrastructure is set up ahead of time. We can help by making introductions with the right vendors before an incident occurs.

How to respond to a DDoS attack

When facing a DDoS attack, swift and strategic action is crucial. We encourage everyone to get in touch with our teams right away. If you are already working with our teams, you'll have an incident response plan that should be activated. This ensures all relevant team members are notified promptly and that all necessary steps are taken.

If you're going solo, implement traffic filtering mechanisms to mitigate the attack, such as deploying firewalls or using specialized DDoS mitigation services. Keep communication channels open with your internet service provider (ISP) to collaborate on filtering malicious traffic. Monitor the situation closely to adapt your defenses as the attack evolves. Finally, document all actions taken for post-incident analysis and future prevention strategies. Swift, coordinated response and adaptive defense mechanisms are key to minimizing the impact of a DDoS attack.

We can't stress the need for speed enough. If you're already a client, don't hesitate to contact us. If you're not, let's discuss IR planning and playbook development to make sure you have the steps outlined, and get you on an IR retainer to speed our ability to respond on your behalf.