DDoS attacks seek to make network resources such as applications, websites, servers, and routers unavailable to their users, which can lead to heavy losses for victims. Their impact can be blunted through security best practices and advance preparation: hardening your networks, overprovisioning your resources, deploying purpose-built protections, planning your response ahead of time, and actively monitoring your network.
1. Protect Against DDoS Attacks
Standard, layered cybersecurity best practices provide reasonable protection against DDoS attacks, but specific measures such as vulnerability patching and IT hardening provide better protection.
Patch & Update Resources
All resources should be patched and fully updated. For effective DDoS defense, priority for patching and updates should go to the systems that sit between the most valuable resources and the internet, such as firewalls, gateways, web servers, and internet-facing applications. IT teams should also perform the following actions:
- Perform vulnerability scans: Routinely use vulnerability scanning tools to discover any issues such as missing updates, patches, or misconfigurations. Vulnerabilities can arise from overlooked patches and outdated software.
- Implement patch management: Create a process to regularly prioritize, test, and deploy updates and patches to your devices and applications to ensure they are kept up to date with no errors or conflicts.
Harden Applications
Applications and websites can be hardened with network changes, application security tools, and penetration tests that probe for vulnerabilities, misconfigurations, or coding oversights. Pay specific attention to weaknesses that could be used to enable or amplify a DDoS attack, such as expensive unauthenticated requests (site search, report generation, large downloads) that let a handful of requests consume a disproportionate share of server resources.
For example, adding CAPTCHAs to verify human interaction on your website can defend against attackers using bots to send a large number of requests that overwhelm and crash a server. Note that this helps only against application-layer (HTTP) floods; it does nothing against volumetric or protocol floods that never reach the application.
Lock Down IT Infrastructure
Servers, gateways, firewalls, routers, and other IT infrastructure can be hardened against attack by changing settings, adjusting configurations, eliminating unnecessary features, and installing optional features that provide additional network security.
Hardening includes, but is not limited to:
- Block network ports: Block unused ports on servers and firewalls, and expose only the services that must be reachable from the internet.
- Restrict access: Limit management and internal-only protocols (SSH, RDP, SNMP, database listeners, and the like) to devices on the internal network or behind a VPN.
- Enable rate limiting: Set or lower per-source rate limits so that a host that sends repetitive requests, or that never completes the exchanges it starts, has its excess packets dropped.
- Block half-open connections: Enable short time-outs for half-open TCP connections (SYN received, handshake never completed) and cap the number allowed per source so a SYN flood cannot exhaust the connection table; SYN cookies (net.ipv4.tcp_syncookies on Linux) remove the per-connection state altogether.
- Set firewall rules: Configure the firewall to detect and drop spoofed packets (for example, packets arriving from the internet with private or reserved source addresses) and improperly formatted or malformed packets (such as TCP segments with no flags set or with contradictory flag combinations).
For example, DNS servers are a favorite target and are vulnerable to several types of attack, and an open recursive resolver can additionally be abused as a reflector to amplify attacks against other victims. If the organization does not run a public DNS server, block inbound UDP and TCP access to port 53 from the internet; if it does, restrict recursion to internal clients and serve only authoritative zones externally.
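The hardening rules above (closed ports, per-source rate limits, half-open time-outs, and dropping spoofed or malformed packets) are normally expressed as firewall or kernel settings. The following Python simulation is an added illustration, not code from the original article or from any vendor product: it applies the same logic to a constructed packet stream so the effect of each rule on a SYN flood, a spoofed source, a null/SYN+FIN scan, and a stray DNS query can be seen. The bogon list, the allowed-port set, the thresholds, and the sample packets are all assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Source ranges that must never arrive from the internet: a packet claiming one is
# spoofed (constructed, not exhaustive). The documentation ranges 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 stand in for public hosts below.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443)}   # assumption: only the web service is exposed


class IngressFilter:
    """Checks run in order: spoofed source, malformed TCP flags, closed port,
    per-source token-bucket rate limit, half-open connection cap with time-out."""

    def __init__(self, rate=4.0, burst=10, half_open_limit=3, half_open_timeout=3.0):
        self.rate, self.burst = rate, burst              # tokens/s refilled, bucket size
        self.half_open_limit = half_open_limit
        self.half_open_timeout = half_open_timeout
        self._buckets = {}                               # src -> [tokens, last_seen_ts]
        self._half_open = defaultdict(dict)              # src -> {(sport, dport): syn_ts}
        self.counts = defaultdict(int)                   # verdict -> packet count

    @staticmethod
    def spoofed(pkt):
        src = ipaddress.ip_address(pkt["src"])
        return any(src in net for net in BOGON_NETS)

    @staticmethod
    def malformed(pkt):
        """TCP flag sets no real stack emits: no flags (null), SYN+FIN, SYN+RST."""
        if pkt["proto"] != "tcp":
            return False
        flags = pkt["flags"]
        return not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags

    def rate_limited(self, src, ts):
        tokens, last = self._buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        allowed = tokens >= 1
        self._buckets[src] = [tokens - 1 if allowed else tokens, ts]
        return not allowed

    def expire_half_open(self, ts):
        for conns in self._half_open.values():
            for key in [k for k, t0 in conns.items() if ts - t0 > self.half_open_timeout]:
                del conns[key]
                self.counts["half_open_expired"] += 1

    def process(self, pkt):
        ts, src = pkt["ts"], pkt["src"]
        self.expire_half_open(ts)
        if self.spoofed(pkt):
            return self._verdict("drop:spoofed")
        if self.malformed(pkt):
            return self._verdict("drop:malformed")
        if (pkt["proto"], pkt["dport"]) not in ALLOWED_SERVICES:
            return self._verdict("drop:port_blocked")
        if self.rate_limited(src, ts):
            return self._verdict("drop:rate_limited")
        if pkt["proto"] == "tcp":
            conns, key = self._half_open[src], (pkt["sport"], pkt["dport"])
            if pkt["flags"] == {"SYN"}:
                if len(conns) >= self.half_open_limit:
                    return self._verdict("drop:half_open_limit")
                conns[key] = ts                          # handshake started
            elif "ACK" in pkt["flags"]:
                conns.pop(key, None)                     # handshake completed
        return self._verdict("accept")

    def _verdict(self, reason):
        self.counts[reason] += 1
        return reason


def pkt(ts, src, proto, sport, dport, *flags):
    """Simplified header: TCP packets carry a set of flag names, UDP carries None."""
    return {"ts": ts, "src": src, "proto": proto, "sport": sport, "dport": dport,
            "flags": set(flags) if proto == "tcp" else None}


# Constructed traffic: a normal client, a spoofed private source, a null/SYN+FIN
# scanner, a DNS query to a host that serves no DNS, a 30-packet SYN flood from one
# source, and a slow client whose half-open entries time out before its last retry.
SAMPLE_PACKETS = (
    [pkt(0.0, "203.0.113.5", "tcp", 40000, 443, "SYN"),
     pkt(0.1, "203.0.113.5", "tcp", 40000, 443, "ACK"),
     pkt(0.2, "203.0.113.5", "tcp", 40000, 443, "ACK", "PSH"),
     pkt(0.3, "10.1.2.3", "tcp", 1234, 443, "SYN"),
     pkt(0.4, "198.51.100.9", "tcp", 5555, 443),
     pkt(0.5, "198.51.100.9", "tcp", 5556, 443, "SYN", "FIN"),
     pkt(0.6, "198.51.100.10", "udp", 53000, 53)]
    + [pkt(1.0 + i / 16, "192.0.2.7", "tcp", 50000 + i, 443, "SYN") for i in range(30)]
    + [pkt(t, "198.51.100.20", "tcp", 60000 + i, 443, "SYN")
       for i, t in enumerate((5.0, 5.125, 5.25, 9.0))]
)


def run(packets=SAMPLE_PACKETS, **kw):
    """Feed packets in time order and return the verdict counts."""
    f = IngressFilter(**kw)
    for p in sorted(packets, key=lambda p: p["ts"]):
        f.process(p)
    return dict(f.counts)
```

Running `run()` on the sample shows the SYN flood being cut off twice over: the first three SYNs are accepted, the next ones hit the half-open cap, and once the token bucket is drained most of the remainder are dropped by the rate limit before the half-open check even runs. The rate check deliberately sits before the half-open check so that every packet from a noisy source costs a token, accepted or not.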
Read our article for more information on how to prevent DNS attacks, including general best practices to follow and tips for specific DNS servers and types.
2. Deploy Anti-DDoS Architecture
In addition to hardening, the IT architecture can also be designed for more resiliency and security against DDoS attacks. IT teams that overprovision infrastructure, back up their systems, create redundancy, obscure potential DDoS targets, and isolate vulnerable devices can limit the effectiveness of DDoS attacks and strengthen overall resilience.
- Overprovision your infrastructure: When building out your network and equipment, estimate your bandwidth and then design for 200–500% of the baseline needs. While this can be expensive, the additional resources buy time to react to a DDoS attack.
- Back up critical components: Redundant or standby devices are required for a resilient architecture and can be used to restore service quickly after a DDoS attack. Keep their data and configuration current, and only bring them online after the attack has been stopped so they are not simply consumed by the same flood.
- Add redundancy: Consider redundancy options like separating firewalls from routers, moving resources to the cloud, and distributing traffic across multiple data centers to avoid bottlenecks or single points of failure vulnerable to DDoS.
- Obscure the target: Obscurity makes attacks more difficult. Protect internal networks by dropping or rate-limiting unsolicited ICMP echo (ping) requests from the internet, and add layers such as Virtual Private Networks (VPNs) or secure web gateways (SWGs) so the real IP addresses of internal resources are not exposed.
- Isolate resources: Content delivery networks (CDNs) and Anycast networks serve content from many locations and IP addresses, so attack traffic is spread across many points of presence instead of concentrating on one origin, which makes DDoS attacks less effective. Network segmentation and access control lists (ACLs) further isolate critical resources from less trusted ones.
3. Install Anti-DDoS Tools
In addition to hardening and design, organizations can obtain tools, download and install patches, or enable features that specifically protect against DDoS attacks based on their needs and budget. Some of these include:
- Anti-DDoS features: Check with the device or software vendor for DDoS-specific features or patches for appliances and servers, such as the mod_reqtimeout module introduced in Apache 2.2.15, which limits how long a client may take to send the request headers and body and so defends against slow-request attacks like Slowloris.
- Routers and gateways: Routers and gateways often have advanced features that mitigate DoS attacks (SYN flood protection and per-interface rate limits, for example). Network administrators or security teams can find these features in the device's admin console and enable them as needed.
- Rate limiting: Rate limiters can be configured on network devices to stop various DDoS attacks, for example by dropping excess identical requests from the same IP address or repeated TCP connection attempts that never complete. DNS servers offer a specialized form, Response Rate Limiting (RRL), which caps the number of identical responses sent per second to a given client network and so keeps the server from being used as a reflector in amplification attacks (in BIND, the rate-limit block in named.conf).
As a caution, hardening should not go so far as to break the useful protocols. For example, make sure updates and patches do not conflict with other systems on the network, and instead of blocking ICMP from all sources, limit it to allow-listed IP addresses internal to the organization so that troubleshooting tools keep working while external ICMP floods are blocked. Dropping all ICMP also breaks path MTU discovery, so ICMP "fragmentation needed" messages should be allowed through in any case.
Additional DDoS Protection: Firewalls, Appliances & Services
While some firewalls can stop a DDoS attack alone, others need help. Firewalls traditionally form the first line of defense against external attacks, and modern firewalls can stop many of the older and simpler DDoS attacks, such as IP Null attacks or ACK fragmentation floods, because those packets are recognizably malformed. However, a firewall cannot distinguish an application-layer flood from legitimate traffic when the individual requests are well-formed (HTTP GET, HTTP POST, etc.), and a stateful firewall can itself be overwhelmed by a volumetric attack that saturates the upstream link or exhausts its connection-state table.
Extra protection should be applied to exposed or critical resources such as internet-facing application servers and DNS servers and services. Various vendors offer software that adds anti-DDoS features to firewalls, or dedicated hardware that specifically guards against DDoS attacks.
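The application-layer floods that a firewall cannot tell apart from normal traffic can still be spotted in the web server's own logs. The following Python script is an added example, not code from the original article or from any vendor: it parses constructed combined-format access-log lines and applies two checks, a per-source request-rate threshold that catches a single noisy client, and a uniformity check that catches a distributed flood in which every bot stays under the per-IP threshold but all bots request the same path with the same User-Agent. The log format, the thresholds, and the sample traffic are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(lines, window_s=10, per_ip_max=20, uniform_min=50, uniform_share=0.9, min_ips=10):
    """Return (noisy_ips, uniform_fingerprints).

    noisy_ips: sources sending more than per_ip_max requests in one window.
    uniform_fingerprints: (path, user-agent) pairs that make up at least
    uniform_share of a window's requests and come from at least min_ips distinct
    sources: the signature of a distributed flood in which every bot stays
    under the per-IP threshold. Thresholds are assumptions to tune per site."""
    windows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            windows[int(rec["ts"].timestamp()) // window_s].append(rec)
    noisy, uniform = set(), set()
    for recs in windows.values():
        per_ip = Counter(r["ip"] for r in recs)
        noisy.update(ip for ip, n in per_ip.items() if n > per_ip_max)
        sources = defaultdict(set)                   # (path, ua) -> distinct source IPs
        hits = Counter()
        for r in recs:
            sources[(r["path"], r["ua"])].add(r["ip"])
            hits[(r["path"], r["ua"])] += 1
        for fp, n in hits.items():
            if n >= uniform_min and n / len(recs) >= uniform_share and len(sources[fp]) >= min_ips:
                uniform.add(fp)
    return noisy, uniform


BASE = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed start time


def log_line(ip, offset_s, path, ua, status=200):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_log():
    """Constructed access log: window 1 holds 15 browsing clients plus one host
    hammering the search endpoint; window 2 holds 10 browsing clients plus a
    60-host botnet, each bot requesting one expensive report only twice."""
    browsers = ["Mozilla/5.0 (Windows NT 10.0) Firefox/124.0",
                "Mozilla/5.0 (Macintosh) Safari/17.4", "Mozilla/5.0 (X11; Linux) Chrome/123.0"]
    pages = ["/", "/about", "/products/42", "/blog/post-7", "/contact"]
    lines = [log_line(f"203.0.113.{i + 1}", j * 4, pages[(i + j) % 5], browsers[i % 3])
             for i in range(15) for j in range(2)]
    lines += [log_line("198.51.100.7", j % 10, f"/search?q={j}", "python-requests/2.31")
              for j in range(40)]
    lines += [log_line(f"203.0.113.{i + 1}", 12 + i % 5, pages[i % 5], browsers[i % 3])
              for i in range(10)]
    lines += [log_line(f"192.0.2.{i + 1}", 10 + (i + j) % 10, "/api/report?range=all",
                       "Mozilla/5.0 (compatible; bot)") for i in range(60) for j in range(2)]
    return lines
```

On the sample, `analyze(sample_log())` flags 198.51.100.7 as a noisy source even though it varies its query string, and flags the `/api/report?range=all` plus bot User-Agent fingerprint although no individual bot exceeds two requests. Either finding is a candidate for a deny-list entry or a rate-limit rule at the load balancer; the uniformity check is the one that manual IP deny-listing cannot reproduce at scale.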
See our list of the best DDoS solutions and see how they compare to other vendors, strengths, weaknesses, and the cost to implement them in your organization.
4. Design a DDoS Response Playbook
After establishing a hardened and updated IT infrastructure protected with anti-DDoS architecture and tools, the IT and security teams need to create a DDoS playbook. A formal document can assist responding teams should a DDoS attack occur.
The response plan may include:
- Who to call: Contact information for the response team members, applicable vendors like internet service and hosting providers, professional incident response and security vendors, executives, and legal counsel.
- Infrastructure information: Network details such as IP addresses, failover devices, network maps, etc.
- Action plan: Steps to take in the event of a DDoS attack, such as how to confirm the attack, engage the ISP or mitigation provider, and fail over to redundant resources.
Practice the response plan at least once a year, and routinely check that all contact information in the playbook is still accurate. Anti-DDoS tools can automate some elements of the playbook, such as activating upstream scrubbing or tightening rate limits, so that countermeasures engage faster than people can react.
Read our guide on how to create an incident response plan and get our free template.
5. Deploy DDoS Monitoring
With hardened infrastructure and an effective playbook in hand, the IT teams and security teams can then use different monitoring tools to watch for signs of a DDoS attack in progress. Here are some tools you can use for monitoring your assets:
- Network monitoring: Network monitoring tools are hardware or software applications that track the behavior, traffic, and health of endpoints, firewalls, routers, switches, and servers.
- Security monitoring: Security monitoring tools collect and analyze network and device information to detect suspicious behavior and trigger alerts to IT and security teams.
These monitoring tools will establish ‘normal’ traffic baselines so that abnormal traffic patterns generate alerts. The earlier a team can detect an event in progress, the faster the attack can be resolved.
Teams should select a tool appropriate for the resource and set up alerts for typical indicators of a DDoS attack such as sudden increases in bandwidth demand, anomalous traffic growth, or unusual traffic sources. Alerts can be routed to security information and event management (SIEM) tools, security operations centers (SOCs), managed detection and response (MDR) services, or DDoS mitigation specialists.
While automated responses deliver fast reaction times and can stop DDoS attacks without human intervention, they should be used carefully. A false positive, such as a legitimate traffic surge after a product launch, could cause the automation to block real customers, so alerts still need to be evaluated by the security team.
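As an added example that is not part of the original article, the following Python detector implements the baseline-and-deviation approach described above on constructed per-minute telemetry. It learns the normal bytes-per-minute and distinct-source counts, raises an alert when a minute exceeds the baseline by more than k standard deviations, keeps anomalous minutes out of the baseline so an attack cannot teach the detector that floods are normal, and only recommends automatic mitigation after two consecutive anomalous minutes, which is the false-positive safeguard the previous paragraph calls for. The thresholds, window sizes, and telemetry values are assumptions.

```python
import statistics
from collections import deque


class DdosDetector:
    """Per-minute traffic baseline with k-sigma alerting. Anomalous minutes are
    not fed back into the baseline, and automatic mitigation is only
    recommended after `confirm` consecutive anomalous minutes."""

    def __init__(self, baseline_minutes=30, warmup=10, k_sigma=3.0, confirm=2):
        self.bytes_hist = deque(maxlen=baseline_minutes)
        self.src_hist = deque(maxlen=baseline_minutes)
        self.warmup, self.k, self.confirm = warmup, k_sigma, confirm
        self.streak = 0

    @staticmethod
    def zscore(value, history):
        mean = statistics.fmean(history)
        # Floor the deviation at 5% of the mean so a very flat baseline cannot
        # turn ordinary jitter into a three-sigma event.
        dev = max(statistics.pstdev(history), 0.05 * mean)
        return (value - mean) / dev

    def observe(self, minute, total_bytes, unique_sources):
        if len(self.bytes_hist) < self.warmup:        # still learning "normal"
            self.bytes_hist.append(total_bytes)
            self.src_hist.append(unique_sources)
            return {"minute": minute, "alert": False, "mitigate": False, "reason": "warmup"}
        bz = self.zscore(total_bytes, self.bytes_hist)
        sz = self.zscore(unique_sources, self.src_hist)
        reasons = [name for name, z in (("bandwidth", bz), ("sources", sz)) if z > self.k]
        if reasons:
            self.streak += 1
        else:
            self.streak = 0
            self.bytes_hist.append(total_bytes)       # only normal minutes update the baseline
            self.src_hist.append(unique_sources)
        return {"minute": minute, "bytes_z": round(bz, 1), "sources_z": round(sz, 1),
                "alert": bool(reasons), "reason": "+".join(reasons) or "normal",
                "mitigate": self.streak >= self.confirm}


def sample_minutes():
    """Constructed telemetry (minute, bytes, distinct sources): 30 quiet minutes
    with deterministic jitter, one benign bandwidth spike such as an off-site
    backup (bytes up, sources normal), a quiet minute, then an eight-minute
    flood from thousands of sources."""
    rows = [(m, 50_000_000 + ((m * 10) % 11 - 5) * 1_000_000, 200 + ((m * 10) % 21 - 10))
            for m in range(30)]
    rows += [(30, 200_000_000, 205), (31, 51_000_000, 198)]
    rows += [(m, 600_000_000, 5000 + m) for m in range(32, 40)]
    return rows


def run_detector(rows=None, **kw):
    det = DdosDetector(**kw)
    return [det.observe(*row) for row in (rows or sample_minutes())]
```

On the sample, minute 30 produces a bandwidth-only alert that a human should look at but no mitigation recommendation, while the flood starting at minute 32 trips both metrics and is confirmed for automatic mitigation from minute 33 onward. Watching distinct sources as well as bytes is what separates a flood from a single large legitimate transfer.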
Three Fundamental DDoS Defense Strategies: Pros & Cons
When implementing DDoS defense, the strategies can be performed manually by IT teams, purchased through on-premise hardware or software, or implemented by cloud-based or off-premise tools and services. While some of these technologies can overlap or reinforce each other, many organizations don’t have the resources to apply multiple solutions and must choose a single solution that fits their needs. Each of these options has significant pros and cons.
DIY DDoS Defense Pros & Cons
Do-it-yourself defense can certainly be deployed successfully against DDoS attacks. These defenses often consist of manually deployed settings on open source software, firewalls, and servers.
| Pros | Cons |
|---|---|
| Inexpensive from a cash flow and capital expense basis | Time consuming to execute and deploy |
| Usually compatible with many technologies | Complex to implement, integrate, secure, and scale |
| Usually created from open source tools | Vulnerable to large-scale DDoS attacks |
For example, manually adding IP addresses to deny lists is easy, but it lags behind constantly changing attack sources; against a botnet of thousands of endpoints, manual IP deny-listing quickly becomes overwhelming.
On-Premises Defense Tools/Services Pros & Cons
Organizations can buy appliances and software specifically to defend against DDoS attacks. These tools can be deployed in front of the resources to be protected (firewalls, servers, etc.) or installed on the resources themselves.
| Pros | Cons |
|---|---|
| Can perform significant filtering, malware scanning, and deep packet inspection to improve detection and security | Sits on the organization's side of the ISP link, so it is limited by that link's bandwidth, cannot stop a volumetric attack that has already saturated it, and protects only the local network |
| IT has full control over local installations | More expensive, with significant labor to deploy and configure |
| Offers more support and ease of use than DIY solutions | Limited scalability; malware signatures and IP deny lists need regular updates |
Using the previous example, an appliance or local firewall application may come pre-loaded with a list of well-known botnet IP addresses based on the vendor's experience. This deny list will be much more comprehensive than a DIY list, but it is part of a more expensive solution and will need regular updates.
Cloud-Based Defense Tools/Services Pros & Cons
Cloud-based DDoS protection tools provide broader protection for the organization as a whole. Cloud-hosted tools are often sold as Software-as-a-Service (SaaS). Where it is feasible, a cloud-based service is the best option of the three because it absorbs attack traffic before it reaches the organization's own links.
| Pros | Cons |
|---|---|
| Protects multiple local networks or resources and offers better protection against internet-based attacks | Offers little protection against attacks from within a network |
| Often less expensive than local appliances or software in the short term because they are offered as on-demand or SaaS solutions | Subscription costs for SaaS products can still be expensive |
| Rapidly implemented and integrated, easily maintained and scalable | Cloud tools usually offer less control and customization than local appliances or DIY solutions |
Using the IP deny-listing example, SaaS DDoS tools generally are pre-loaded with IP addresses for well-known malicious botnets that are much more comprehensive than a DIY list and will be continuously updated by the SaaS provider.
Bottom Line: DDoS Prevention Tools Are a Must-Have
DDoS attackers seek to deny legitimate users access to a resource. Depending on the resource affected, that could be merely annoying or it could disable an entire enterprise. When a DDoS attack succeeds, effective planning allows for quick recovery and limited damage. Organizations large and small will benefit from investing time and resources in DDoS protection and IT infrastructure resiliency.
For a better understanding of DDoS attacks and the different characteristics, check out our complete guide on the types of DDoS attacks.