What to Do Before, During and After a DDoS Attack

DDoS. If the sight of that acronym doesn’t make you nervous, it should.

It stands for Distributed Denial of Service, and it’s a popular weapon used by hackers to take down websites large and small. How popular are we talking? Well, last year, 124,000 DDoS attacks were perpetrated each week.

This matters to you because you’ve spent a great deal of time optimizing your website’s content, user experience, website loading speed and performance. A DDoS attack takes all this hard work and, within a few moments, brings it to a screeching halt.

There are many kinds of DDoS attacks. But their common thread is that they deny service to anybody wanting to view the attacked website. One DDoS example is when a server receives so many requests to view the site that it becomes overloaded and shuts down. No server means no website – which can be devastating for any business.

While DDoS attacks commonly last for an hour or even a couple days, it’s not unprecedented for an attack to last a month or more. Because DDoS attacks are so noticeable and obvious, it’s a temptation that’s hard for hackers to resist.

DDoS attacks are common, and they’ve been around for a while. But the good news is that there are measures you can take to protect your site from falling prey. There are also some best practices to consider during and even after a DDoS attack. Here are a few such measures.

Preparation Before a DDoS Attack

Don’t wait for an attack to happen before taking action. As with anything else in life, failing to plan is planning to fail. Protect your site by doing the following:
Use a CDN – The very first measure you should employ to protect your website from DDoS attacks is to deploy a security enriched CDN.

When there’s only one server housing your website, that server is vulnerable. But a CDN is a whole network of servers that are spread all over the world. All of these scattered servers store cached versions of your website, meaning your website is technically stored in many locations simultaneously.

A CDN acts as a secured proxy that conceals your origin server’s IP and constantly filters the traffic coming in to it. The network of servers block harmful DDoS traffic that seeks to take down your site, while allowing authentic traffic – your website’s visitors – to reach your website without skipping a beat.

Consider Bandwidth Overprovision – It’s wise to make sure your server is equipped with more bandwidth than it will ever need in “real life.” When it can manage a sudden spike in traffic, it buys you time to detect a DDoS attack so you can take action before your site shuts down.

Establish Web Traffic Thresholds – Chances are, your web team already keeps track of the number of visitors your website receives every hour (and maybe even every minute.) This means you already know how much traffic your website receives in normal circumstances and during special events like new product launches or PR activities.

Some based on this general information, your web team should be able to establish traffic thresholds so they can be alerted to unusually high numbers. When an unexplained or unplanned traffic surge starts happening, it’s time to call a web-security company or CDN provider.

Use Whitelists and Blacklists (Smartly) – It’s certainly good DDoS planning to use whitelists and blacklists to control who accesses your network. Just be careful not overreact. I.e., don’t permanently blacklist every IP address that causes an alert, because false positives do happen.

To blacklist effectively, temporarily cut off dubious traffic and then observe the results. When some of the traffic attempts to reconnect a few moments later, it’s probably from legitimate users. Malicious traffic often switches IP addresses.

Practice for a DDoS Incident – Coordinate with your web team to plan DDoS drills. Simulate an attack to determine the preparedness of your organization. This can be done during a time of “scheduled maintenance” so your customers aren’t caught off guard or inconvenienced by the simulated DDoS attack.

You could let your service desk know when you’ll run these simulated drills, or you might decide to keep them unaware as well. Either way, these tests are a good way to prepare your organization.

Actions to Take During a DDoS Attack

If you’re noticing sudden surges in traffic that can’t be explained, or worse – your site is down – here are some things to do in response.

Notify Your Web Hosting Provider – They might have seen the DDoS already, but you should contact them regardless. They may be able to stop the malicious traffic. Also, ask the company to provide you with a new IP address.

Automate Client Communications – In the midst of a DDoS attack, you can bet with near certainty that your company’s service desk is going to be barraged by communications. Emails, phone calls and social media complaints invariably accompany major service disruptions. To manage this heavy influx, you’ll want to automate your communications.

In situations like these, it’s wise to set up a status page that shows whether your website is running or not. You should also consider creating DDoS communications that are sent automatically to customers who contact you. The communications should tell your customers that your service is down for the moment, and that your team is working hard to restore the site as fast as possible. Also, link them to the status page mentioned above.

Clear Your Logs Immediately – During an attack, your servers, unified threat management devices, and firewalls are straining to log every single DDoS request. All these platforms can quickly fail under the sheer volume of the malicious activity. When one fails, it can cause a domino effect across all linked systems. Before this happens, dump your logs as soon as you know you’re under a DDoS attack – especially if the logs are no longer providing you with any meaningful information.

What to Do After the DDoS Attack

Be Transparent with Your Customers – Write a document that serves as an “incident report” to your customers. They deserve to be kept in the loop. The report you create should openly and honestly explain everything that happened, and the steps your company took to respond. It should also spell out how you’ll be more prepared to prevent further DDoS attacks.

At first, this incident report should be written in layman’s terms that anybody can understand. Then, you can get into the more technical details later in the report for those customers who might want such depth.

Ask Some Important Post-Event Questions – When the smoke of the DDoS attack clears, the next step is to find some answers.
Do you know who likely carried out the attack? Perhaps it was done by hacktivists who want to make a statement, or maybe it was just a case of cyber vandalism. In some cases, DDoS attacks are carried out by competitors, or even personal rivals of the business’ founder.

Also, it’s important to answer the how question. How did the hackers hit your site? What kind of DDoS attack was this? The more you can find out, the easier it will be to prevent future attacks.

The Time is Now!
Your business doesn’t have to be a “sitting duck,” vulnerably waiting to be hit by a DDoS attack. A bit of foresight and planning can prevent a bad situation from becoming catastrophic.

In case your website does happen to fall prey to hackers, even with all your preparation, it’s important to remember: If you panic over the situation, your thinking and decision-making skills will not be as clear as usual.

If you find yourself in the middle of a DDoS battlefield, take a step back. Breathe deeply and gain some perspective. It’s not a life-or-death situation, nor is it a permanent one. Unexpected problems are just the cost of doing business. And this is no different.

Preparing for an attack beforehand will lessen the blow should hackers strike. Making smart decisions and working with your hosting company during an attack will resolve the situation as quickly as possible. And being honest and transparent afterward will help you regain trust.

How ready are you for a possible DDoS incident? The time to prepare is now.

Leave a Reply