How to stop a DDoS attack? (Updated 2018)


After having an overview of what is a DDoS attack, and its many consequences, the natural question to ask is: How to stop a DDoS attack?

There are many methods to mitigate the impact of a DDoS attack to the point of almost being harmless. However, before we start giving you our recommended solutions, it’s best that you know the different varieties of DDoS attacks. Only then can you decide on the most suitable method for each case.

The types of DDoS attacks

Broadly divided, DDoS consists of two main types: bandwidth depletion and resource depletion. There are many subtypes, but within the context of this article we will very quickly go over the 10 most notable types.


1. Direct flood attack (UDP flood and ping flood):

  • Goal: Overwhelm the target network with traffic from different sources to block legitimate access from real users.
  • Method: Flood target with UDP and ICMP packets.
  • Prevention: increasing bandwidth, using load balancers, reflecting the attack, using IP spoofing prevention mechanisms, or rerouting traffic to a DDoS protection service provider.

2. Reflection attack:

  • Goal: Consume the victim’s resources by spoofing the packets’ source IP so that they appear to come from the victim.
  • Method: Send packets carrying the spoofed (victim) source IP to many machines, which then send their replies to that address.
  • Prevention: anti-spoofing techniques.

3. Smurf and Fraggle attack:

  • Goal: exploit the router’s broadcast address to make the network inoperable.
  • Method: send spoofed ICMP traffic to the target router’s broadcast address (Smurf) or send spoofed UDP traffic to the target router’s broadcast IP address (Fraggle).
  • Prevention: Configure your router to ensure no one can exploit its IP broadcasting facility.

4. (TCP) SYN Flood Attack:

  • Goal: Exhaust the server’s resource and prevent it from taking any new connection requests.
  • Method: Abuse the TCP three-way handshake: send SYN requests to the server, which replies with SYN-ACK packets, but never send the final ACK, so that server resources stay tied up waiting for ACK messages that never arrive.
  • Prevention: filtering, increasing the backlog, reducing the SYN-RECEIVED timer, SYN caching, firewalls…
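Backlog tuning and SYN caching, listed above, still keep some state per half-open connection; SYN cookies avoid that by encoding the handshake state in the server’s initial sequence number, so a flood of SYNs costs the server nothing but a hash per packet. The following simplified SYN-cookie scheme is an added example, not code from the article or CyStack: HMAC-SHA256 stands in for the kernel’s keyed hash, and the secret, the 64-second time slot and the 4-entry MSS table are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real implementation rotates it regularly.
SECRET = b"demo-secret-not-for-production"
# Only a few MSS values fit in 3 bits, as in real SYN cookies.
MSS_TABLE = [536, 1220, 1440, 1460]

def _mac(src_ip, dst_ip, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", src_ip, dst_ip, sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src_ip, dst_ip, sport, dport, client_mss, now):
    """Server side: derive the SYN-ACK ISN so no backlog entry is needed."""
    counter = int(now) // 64                    # 64-second time slot
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):           # largest table entry <= client MSS
        if m <= client_mss:
            mss_idx = i
    # ISN layout: [5 bits counter][3 bits MSS index][24 bits MAC]
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _mac(src_ip, dst_ip, sport, dport, counter)

def check_syn_cookie(src_ip, dst_ip, sport, dport, ack_num, now):
    """Server side, on the final ACK: rebuild the cookie and compare.
    Returns the negotiated MSS if valid, else None (stale or forged ACK)."""
    isn = (ack_num - 1) & 0xFFFFFFFF             # the ACK acknowledges ISN+1
    counter_bits, mss_idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    now_counter = int(now) // 64
    for c in (now_counter, now_counter - 1):     # accept current and previous slot
        if (c & 0x1F) == counter_bits and _mac(src_ip, dst_ip, sport, dport, c) == mac:
            return MSS_TABLE[mss_idx]
    return None
```

Because no state is stored, a forged or stale ACK is simply discarded after one hash computation, which is what makes the scheme resistant to SYN floods.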

5. (HTTP) Flood (Web Spidering):

  • Goal: exhaust the server’s resources
  • Method: use a web spider to crawl the website
  • Prevention: allow only trusted bots such as Google’s

6. PUSH and ACK attack:

  • Goal: exhaust the server’s resources
  • Method: similar to a SYN Flood attack, but send TCP packets with the PUSH and ACK bits set to one. When the number of TCP packets with PUSH and ACK set exceeds the capacity of the target’s buffer, the machine crashes.
  • Prevention: similar to a SYN Flood attack

7. Land attack:

  • Goal: Crash the system
  • Method: An IP packet is crafted whose source address and source port are the same as the destination address and destination port, making the target reply to its own packets.

8. DNS amplification attacks:

  • Goal: Overwhelm the target with responses from open DNS resolvers
  • Method: use the victim’s spoofed IP address to send DNS queries to many DNS resolvers. The resolvers send their responses, which can be 50 times larger than the requests, to the victim’s IP.
  • Prevention: anti-spoofing techniques, load balancers, or redirection of the attack traffic to other servers.

9. Layer 7 attacks:

  • Goal: target specific functions of a web application.
  • Method: For example, a web server that opens a new thread for each connection request loses capacity with every new connection; at some point the server can no longer accept new connections, denying service to new visitors who want to view its pages.
  • Prevention: increasing capacity, cloud computing solutions, optimizing the web server’s performance and using a front-end proxy.

10. Multi-vector attacks:

This attack simply combines many types of DDoS attacks at the same time to make it more difficult to mitigate the consequences.

How to stop a DDoS attack?

It is clear that there are many types of DDoS attacks. What might not be so clear is that you can equip yourself with just as many ways to mitigate the consequences.

  1. If you can identify the IPs of the computers in the attack, you can put an ACL (access control list) in your firewall to block those IPs, or even block IPs from a particular country if needed.
  2. Monitor your traffic: this way you can spot the small probing DDoS attacks that attackers use to estimate your network’s strength before the real attack.
  3. Buy more bandwidth, deploy more servers and use good load balancing solutions.
  4. Optimize your web server to handle more visitors.
  5. Enable anti-IP-spoofing features in your firewall.
  6. Hire a third-party DDoS protection service to protect your site, or hire a DDoS expert.
  7. Block ICMP on your router.
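As an added illustration of items 1 and 2 above (monitoring traffic and building an ACL from identified sources), not code from the article or CyStack: this script classifies constructed packet summaries into per-source SYN and UDP floods, flags a spoofed SYN flood that has no single dominant source, and emits iptables drop rules only for the hosts an ACL can actually stop. The log format and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed packet summaries, not captured traffic:
# "epoch_seconds source_ip dest_port proto tcp_flags" (flags "-" for UDP).
SAMPLE_LOG = (
    ["1700000000 198.51.100.7 443 TCP S",
     "1700000000 198.51.100.7 443 TCP A",
     "1700000001 198.51.100.7 443 TCP PA"]
    # one host sending 300 SYNs and never completing the handshake
    + [f"17000000{i % 10:02d} 203.0.113.9 443 TCP S" for i in range(300)]
    # one host sending 4000 UDP packets to port 53 within 10 seconds
    + [f"17000000{i % 10:02d} 203.0.113.10 53 UDP -" for i in range(4000)]
)

def parse(lines):
    for line in lines:
        ts, src, dport, proto, flags = line.split()
        yield int(ts), src, int(dport), proto, flags

def analyse(records, syn_threshold=100, udp_pps_threshold=200):
    """Return {source_ip: reason}; key '*' means a flood with no dominant source."""
    syn, ack, udp = defaultdict(int), defaultdict(int), defaultdict(int)
    first = last = None
    for ts, src, _dport, proto, flags in records:
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
        if proto == "TCP" and flags == "S":
            syn[src] += 1
        elif proto == "TCP" and "A" in flags:
            ack[src] += 1
        elif proto == "UDP":
            udp[src] += 1
    window = (last - first + 1) if first is not None else 1   # seconds observed
    suspects = {}
    for src, n in syn.items():
        # many SYNs but almost no ACKs from the same host: half-open connections pile up
        if n >= syn_threshold and ack[src] < n * 0.1:
            suspects[src] = "syn_flood"
    for src, n in udp.items():
        if n / window >= udp_pps_threshold:
            suspects[src] = "udp_flood"
    # a spoofed SYN flood spreads across many sources, so also check the aggregate
    total_syn, total_ack = sum(syn.values()), sum(ack.values())
    if total_syn >= syn_threshold and total_ack < total_syn * 0.1 and "syn_flood" not in suspects.values():
        suspects["*"] = "syn_flood"
    return suspects

def firewall_rules(suspects):
    """Per-host verdicts become drop rules; '*' needs SYN cookies or upstream filtering instead."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(suspects) if ip != "*"]
```

The aggregate check matters because an ACL built from source addresses does nothing against a flood whose sources are spoofed; that case is where the SYN-handling and anti-spoofing measures above, or an upstream protection service, have to take over.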

Many of the aforementioned solutions involve the use of a firewall service to set up a protective layer and filter out the unwanted traffic of a DDoS attack. Our recommendation for a quick and reliable firewall solution comes from CyStack Platform with the Protecting feature: for $20 a month, you can secure yourself against DDoS attacks and benefit from the other advantages of having a firewall for your website, such as hacking prevention and safety from security exploits.
