Protecting yourself from DDoS attacks

By Microsoft Security

Distributed denial-of-service (DDoS) attacks represent a significant threat for enterprise businesses. They start when an individual device (bot) or network of devices (botnet) is infected with malware. From there, the bot or botnet will flood websites or services with high volumes of traffic in an attack that can last anywhere from hours to days.

In recent years, we’ve even seen politically motivated attackers, also known as “hacktivists,” use DDoS attacks to extort site owners for financial, competitive advantage, or political reasons. We saw this in February 2022 when anti-Ukraine hacktivist attackers launched what has been described as the largest DDoS attack in history against Ukrainian banking and government websites as a prelude to Russia’s invasion.

And while it’s impossible to avoid being a target of a DDoS attack entirely, proactive planning and preparation can help you more effectively defend against an attack. You just need to understand how they work.

What are DDoS attacks?

A DDoS attack starts by flooding a site or server with errant traffic to disrupt service or knock it offline. Thanks to the cybercrime as a service business model, these attacks can be ordered from a DDoS subscription service for as little as $500. There are new DDoS attack vectors emerging every day as cybercriminals leverage more advanced techniques, such as AI-based attacks, to disrupt everyday operations.

In general, DDoS attacks fall under three primary categories, with various cyberattacks within each. The categories are as follows:

1. Volumetric attacks: Primarily focused on bandwidth, volumetric attacks are designed to overwhelm the network layer with traffic. One common example is domain name server (DNS) amplification attack, which uses open DNS servers to flood a target with DNS response traffic.
2. Protocol attacks: This attack targets resources by exploiting weaknesses in the layer 3 and layer 4 protocol stack. One example of a protocol attack is synchronization packet flood (SYN), which consumes all available server resources—thus making a server unavailable.
3. Resource layer attacks: As the final category of DDoS, resource layer attacks are designed to disrupt data transmission between hosts by targeting web application packets. This can be seen in SQL injection attacks, which insert malicious code into strings that are later passed to an instance of SQL Server for parsing and execution.

It’s important to realize that threat actors can use multiple attack types, including ones from different categories, against a network. Luckily, there are strategies that you can implement to strengthen your protection.

How to help protect against and respond to DDoS attacks

Any website or server downtime can result in lost sales and customers, high recovery costs, or damage to your reputation. The impact is even more significant for smaller organizations as it can be harder for them to recover after an attack. Here are six tips when it comes to dealing with DDoS attacks:

1. Evaluate your risks and vulnerabilities: Start by identifying the applications within your organization that are exposed to the public internet. Also, be sure to note the normal behavior of your application so you can respond quickly if it begins behaving differently than expected.
2. Make sure you’re protected: DDoS attacks tend to spike during peak business seasons, such as the holidays. That’s why we recommend choosing a DDoS protection service with advanced mitigation capabilities that can handle attacks at any scale. Look for service features such as traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.
3. Create a DDoS response strategy: Having a response strategy is critical to help you identify, mitigate, and quickly recover from DDoS attacks. Your DDoS rapid response team should understand how to identify, mitigate, and monitor an attack and be able to coordinate with internal stakeholders and customers.
4. Identify potential weaknesses: We recommend running attack simulations to test how your services will respond to an attack. During testing, validate that your services or applications continue to function as expected and there’s no disruption to the user experience. Identify gaps from both a technology and process standpoint and incorporate them in the DDoS response strategy. We recommend that you perform such tests in staging environments or during non-peak hours to minimize the impact on the production environment.
5. Reach out for help during an attack: If you think you are experiencing an attack, reach out to the appropriate technical professionals, such as an established DDoS response team, for help with attack investigation during an attack, as well as post-attack analysis.
6. Learn and adapt after an attack: While you’ll likely want to move on as quickly as possible if you’ve experienced an attack, it’s important to continue to monitor your resources and conduct a retrospective analysis. Make sure you consider whether there was any disruption to the service or user experience due to a lack of scalable architecture. We also recommend evaluating which applications or services suffered the most and how effective your DDoS response strategy was. Finally, identify where there is room for improvement.

Of course, DDoS attacks are just the tip of the iceberg when it comes to emerging cyber threats. For more information on ongoing cybersecurity developments and best practices, check out Microsoft Security Insider.