10 steps to mitigate a DDoS attack in real-time

Get your contingency plan in place before you suffer a DDoS attack, says Gary Newe, suggesting that you prioritise revenue generators and work through the plan calmly and systematically.

10 steps to mitigate a DDoS attack in real-time
10 steps to mitigate a DDoS attack in real-time

The threat posed by DDoS attacks is ever-growing and is something that continues to be a topic which interests and concerns businesses in equal measure.

As the lines between the professional and social use of technology fade, it is even more important for us to recognise the significance of this type of attack, its probability and the damage it can do.

The reduced number of bots now available means that hactivists and other cyber criminals are finding new ways in which to amplify their attacks and, as a result, DDoS attacks are becoming a more popular vector.

To the uninitiated, the nature of a DDoS attack can be a scary, stressful ordeal. It's not surprising either; slow network performance or website downtime can be costly for businesses such banks, which are typically targeted with attacks like this. However, try not to panic. Follow these steps to maximise success in fighting an attack:

1.     Verify that there is an attack – Rule out common causes of an outage, such as DNS misconfiguration, upstream routing issues and human error.

2.     Contact your team leads – Gather the operations and applications team leads needed to verify which areas are being attacked and to officially confirm the attack. Make sure everyone agrees on which areas are affected.

3.     Triage your applications – Make triage decisions to keep your high-value apps alive. When you're under an intense DDoS attack and you have limited resources, focus on protecting revenue generators.

4.     Protect remote users – Keep your business running: Whitelist the IP addresses of trusted remote users that require access and mainlist this list. Populate the list throughout the network and with service providers as needed.

5.      Classify the attack – What type of attack is it: Volumetric? Slow and low? Your service provider will tell you if the attack is solely volumetric and may already have taken remediation steps.

6.      Evaluate source address mitigation options – For advanced attack vectors your service provider can't mitigate/ determine the number of sources. Block small lists of attacking IP addresses at your firewall. Block larger attacks with geolocation.

7.      Mitigate application layer attacks – Identify the malicious traffic and whether it's generated by a known attack tool. Specific application-layer attacks can be mitigated on a case-by-case basis with distinct countermeasures, which may be provided by your existing solutions.

8.     Leverage your security perimeter – Still experiencing issues? You could be confronting an asymmetric layer 7 DDoS flood. Focus on your application-level defences: login walls, human detection, or Real Browser Enforcement.

9.      Constrain Resources – If previous steps fail, simply constraining resources, like rate and connection limit is a last resort – it can turn away both good and bad traffic. Instead, you may want to disable or blackhole an application.

10.  Manage public relations – If the attack becomes public, prepare a statement and notify internal staff. If industry policies allow it, be forthright and admit you're being attacked. If not, cite technical challenges and advise staff to direct all inquiries to the PR manager.

With the growth of the internet and the fast-developing digital era that we're entering, the DDoS threat has never been greater. As the threats increase, and as more sophisticated attacks take place, it's important to increase awareness and understanding and put necessary steps, like these, in place to protect against them.

Contributed by Gary Newe, senior systems engineering manager, UK, Ireland and South Africa, F5 Networks