A distributed denial of service (DDoS) attack is a cyberattack in which malicious actors flood a target system or network with more traffic than it can handle, overwhelming it and making it unavailable to legitimate users.
When under siege from a DDoS attack, systems grind to a halt and often become entirely unresponsive. Defenders must move quickly to block the attack, which may require outside assistance or even temporarily shutting down the resource; determine the type of DDoS attack using logs, alerts, and other resources; and finally, recover from the attack by making changes to the security architecture and investing in tools to prevent future attacks.
Stage I: Containment
Once under a DDoS attack, resources perform sluggishly, and even the changes needed to protect them can be difficult to execute. An attack cannot be fully stopped without first identifying it, yet identification is not possible if the flood of malicious traffic has made the systems inaccessible.
The attack must be stopped — even temporarily — to recover internal resources such as the CPU capacity and memory. Organizations that send logs to other resources (segregated storage, SIEM solutions, etc.) may be able to work on blocking the attack while determining the type of DDoS attack simultaneously.
Initial DDoS Response Tactics
Simple DDoS attacks can often be blocked using skilled internal resources. Yet, keep in mind that even basic DDoS attacks may need to be blocked upstream with the help of the host internet service provider (ISP), or else the blocked DDoS attack traffic can still threaten connection bandwidths and ISP infrastructure.
The initial DDoS response options you can choose from include calling your service provider (like internet and web hosting), contacting cybersecurity experts, making changes to your network to block the attack and strengthen DDoS protection, shutting down your services to make changes before going back online, and/or implementing new technologies for better protection.
Contact Your Service Providers
In some situations, simply contacting your internet or web hosting provider and notifying them of the situation can be all you need to stop a DDoS attack in its tracks. They may already be aware of it and working on blocking the traffic. Service providers can confirm that an attack is taking place and implement changes to stop the malicious traffic from reaching your network. Some of these include:
- Increase bandwidth: Increasing the bandwidth can help you withstand a DDoS attack or mitigate it altogether, but may not be cost-effective.
- Change IP addresses/ranges: Changing your IP address and DNS information can stop the attack temporarily until the attacker targets the new IP address. In addition, several internal systems would need to be changed to reflect the new IP address.
Although contacting your service providers is helpful, it may not be enough. Typical internet bot DDoS attack sizes can reach 100 to 500 Gbps, with some larger scale attacks reaching over 100 million requests per second. Even the largest enterprises will struggle to block attacks of this scale without professional assistance.
Hire Cybersecurity Experts
Utilizing a combination of skilled professionals and high-end tools and services is one of the most effective ways to defend against DDoS attacks as well as protect yourself from attacks in the future. These can include:
- Cybersecurity professionals: Security consultants, managed detection and response (MDR) experts, and other professionals should be contacted to help stop the attack, improve systems against future attacks, and recommend other incident response tools and services.
- Cloud services: Cloud-based DDoS protection services often provide the most comprehensive option to block DDoS attacks, so organizations will often migrate some or all of their infrastructure to a cloud provider like AWS, Microsoft Azure, or Google Cloud.
Be sure to update your access control lists to allow the connection between the services and the system being protected and block other connections so nothing bypasses the DDoS service. However, also keep in mind that even cloud providers cannot prevent DDoS attacks originating within the organization’s network.
Although professional tools and services are worth the investment, they are expensive compared with any in-house solution and may not be an expense the company is ready to take on. In addition, finding a qualified professional while you’re actively being attacked may prove to be difficult and stressful.
On the plus side, security experts usually keep records of botnets and attack vectors, allowing them to act swiftly and even stop attacks before they’re activated.
Filter Targeted IP Addresses & Locations
Reviewing log files will often reveal valuable information regarding your network, including IP addresses and locations generating most of the DDoS traffic. You can then use this information to enable quick and inexpensive defenses on your network. Some options include:
- IP filtering: IP filtering will allow you to block specific IP addresses.
- Geo-blocking: Geo-blocking will allow you to block connections from a geographic location.
These can provide the much needed time for teams to develop and deploy other strategies, but are rarely a permanent solution since attackers can spoof their IP addresses or utilize botnets from unblocked regions, leading to a game of security whack-a-mole where defenders are constantly trying to keep up with attackers.
Also, any legitimate traffic from a blocked area won’t be able to access your resources, which can lead to financial losses and reputational damage in that region. Lastly, it’s usually recommended for these filters to also be applied at the ISP level to avoid being consumed with traffic that is being blocked.
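Added example, not code from the original article: a Python script that performs the log review described above over a constructed sample of web-server access-log lines, counts requests per source IP, reports top talkers above a threshold, summarizes traffic by region using a constructed prefix-to-region table, and prints candidate iptables DROP rules for a human to review rather than applying them. The sample log, the prefix table and the threshold are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed prefix-to-region table using documentation ranges (assumption, not a GeoIP database).
REGION_BY_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "region-A",
    ipaddress.ip_network("203.0.113.0/24"): "region-B",
}


def build_sample_log():
    """Constructed sample traffic: two noisy sources and a few normal clients."""
    sources = [("198.51.100.7", 300), ("198.51.100.23", 120),
               ("203.0.113.5", 8), ("192.0.2.44", 3)]
    lines = []
    for ip, count in sources:
        for i in range(count):
            lines.append(f'{ip} - - [10/Jun/2024:12:00:{i % 60:02d} +0000] '
                         f'"GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


def parse_line(line):
    """Return (ip, request line) for a well-formed line, or None for junk that must not be counted."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(3)


def top_talkers(lines, threshold):
    """Source IPs with at least `threshold` requests, busiest first."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def region_breakdown(lines):
    """Requests per region; sources outside the prefix table are reported as 'unknown'."""
    per_region = Counter()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        addr = ipaddress.ip_address(parsed[0])
        region = next((r for net, r in REGION_BY_PREFIX.items() if addr in net), "unknown")
        per_region[region] += 1
    return per_region


def block_rules(ips):
    """Candidate firewall rules for review; nothing in this script executes them."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    log = build_sample_log()
    talkers = top_talkers(log, threshold=50)
    print("top talkers:", talkers)
    print("by region:", dict(region_breakdown(log)))
    for rule in block_rules(ip for ip, _ in talkers):
        print(rule)
```

Sources above the threshold are candidates, not proof: spoofed addresses and shared NAT gateways mean the counts should be compared with the normal baseline before a rule is applied.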
Enable or Strengthen DDoS Protection Options
Organizations should check their existing resources (server software, router firmware, etc.) for DDoS protection options that may not yet be activated. Check your networking devices for the following security options:
- DDoS protection on routers: Enabling this helps protect your network against DDoS by monitoring the number of traffic packets entering your network.
- Rate limiting: Rate limiting is a security feature that limits the number of requests that can be made in a specific timeframe.
Since these features are already built into several network devices, it should be relatively easy and inexpensive to set up and get running on your network BEFORE an attack. They may not be effective during an attack, and you may not be able to deploy these features until after.
Shut Down Services
Sometimes shutting down the system under attack provides the best option. The service or resource can be isolated and hardened against further attack before it’s brought back online. Some examples are:
- Stop specific requests: If you notice you are being bombarded with a specific network request (e.g., SYN flooding), you can rate-limit the incoming connection requests.
- Block downloads: If a specific service is trying to download very large files, a defense might be to disable downloads temporarily without affecting the rest of the website.
This is a quick, inexpensive, and effective way to stop DDoS attacks on your service, but the downtime can also be disruptive and costly to the organization, especially in the event of a full system shutdown.
Implement New Technology
This step requires the most planning and configuration and ideally should be implemented early on and not after an attack where decisions can be rushed and considerations can be overlooked. Some tools to consider include:
- Firewalls: A firewall is a tool that monitors network traffic and enforces security policies to block suspicious network activity or malicious attacks.
- Secure web gateways: This tool is similar to a firewall but primarily focuses on blocking suspicious web traffic.
- DDoS protection appliance: A DDoS protection appliance is a dedicated device designed to analyze network traffic to detect and stop DDoS attacks.
The downside to these tools is that they can be expensive and time-consuming to deploy and require a significant amount of resources for upkeep. In addition, they don’t protect against external attacks and may not scale quickly to protect against larger attacks.
Any organization under attack should explore all options and implement what they believe will offer the greatest chance of success based upon their immediate circumstances.
Non-Technical DDoS Responses
Even as the incident response team may be scrambling to cope with the DDoS attack, the organization must still deal with other stakeholders. After the attack, follow the non-technical responses below:
- Notify executives and stakeholders: All executives and stakeholders need to be notified and constantly updated in accordance with the organization’s incident response plan.
- Establish internal communications: Inform employees about the availability of internal resources or alternative methods to accomplish their duties.
- Coordinate public relations: Contact customers about system status in accordance with the incident response plan.
- Contact your insurance provider: Cybersecurity insurance companies, regulators (Securities and Exchange Commission, etc.), and law enforcement must be notified.
Management should embed non-technical assistance into an incident response team to coordinate, manage, and execute written, verbal, and phone communication with stakeholders. Executives may even want to embed someone on the team with the authority to authorize expenses or to coordinate the rapid authorization of purchases needed to recover from the DDoS attack.
Internal vs. External Attacks
The initial DDoS techniques mentioned above apply to all attacks. However, depending on the type of DDoS attack and the architecture affected, some techniques will be more useful than others. You will need to know the difference between protecting internal networks and external resources like video game systems from DDoS attacks.
Stop Internal & External Router, Server & Website DDoS Attacks
Internet-exposed assets such as utilities, applications, and websites will often be targeted by DDoS attackers because they are the easiest to affect. Servers hosting or supporting these resources will often suffer CPU, memory, and bandwidth overload.
These attacks will be very different from internal DDoS attacks on servers and routers, which target the internal networking protocols and resources. Still, once an attack begins, the steps to protect each of these different resources will be quite similar.
1. Block the Initial Attack
Examine the log files and begin to block the IP addresses associated with the attack (internal or external), geofencing to block specific regions, or, for internal attacks, even power down compromised local devices generating traffic.
However, there may be circumstances that don’t permit shutting down the devices generating the DDoS traffic. For example, if an attacker turns a hospital’s respirator machines into a botnet, the hospital cannot simply turn off the respirators without severely affecting patient health.
Additionally, many attackers will be sophisticated enough to switch tactics and sources once they realize the attack has been blocked. Still, while blocking may only be effective temporarily, it will help to buy time for more effective protection to be implemented.
2. Side-Step the Attack
If blocking proves ineffective, try changing the server IP address, router IP address, or website URL to move the server out of the path of the DDoS attack. As with blocking the attack, this may only be a temporary reprieve, but it can buy time to implement other tactics that take more time to execute.
3. Stop the Service
If blocking or side-stepping the attack does not work, the organization may need to stop the service under attack (such as a PDF download, shopping cart, internal router, etc.).
Stopping a website, application, or internal network in part or entirely will be so disruptive that this step should not be taken lightly. It should only be pursued if steps 1 and 2 cannot provide enough time to pursue other steps below.
4. Enable Additional Protections
While part of the incident response team attempts to stop the existing attack, other members should be working on enabling other protection against DDoS attacks in these ways:
- Call the ISP: The ISP can help with setting up external DDoS protection services for websites, applications, and publicly exposed devices under attack (firewalls, servers, routers, etc.).
- Evaluate firewall protections: Installing WAF services or adjusting your current WAF settings and policies can bolster your network defenses to block the attacks, or you can reroute your internal traffic through next-generation firewalls (NGFWs).
- Adjust rate limits: Configuring rate-limiting on your network devices can change request thresholds for existing firewalls, servers, and other related resources to limit the amount of traffic coming into your network.
- Add tools: Adding or upgrading protection for networks and websites, network security products, network intrusion detection systems (IDS) and intrusion prevention systems (IPS), and cloud firewall solutions like FWaaS can protect you from future attacks.
- Get help: Hiring an incident response or managed IT security service (MSSP) vendor can help locate and remove the malware driving the DDoS attack.
However, be aware that additional protections can affect existing architecture or performance. For example, load balancers may be bypassed by DDoS tools, or the packet inspection of DDoS protection appliances may introduce lag time for traffic.
Also keep in mind that a forensic or security investigation will become part of the recovery process, especially for any attack that might trigger cybersecurity insurance claims. The initial infection, access points, malware, and changes to systems introduced by attackers will need to be located and removed to prevent future DDoS attacks or other types of attacks (ransomware, data theft, etc.).
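Added example, not code from the original article: a Python sliding-window rate limiter that combines step 1 (block the source) with the rate-limit adjustment in step 4 on a per-source basis, escalating a source that keeps exceeding the limit to a temporary block, and runs it over a constructed request stream with one normal client and one flooding source. The limits, timings and addresses are assumptions.

```python
from collections import defaultdict, deque


class SourceRateLimiter:
    """Per-source sliding-window limiter with escalation to a temporary block.

    A source may make at most `max_requests` in any `window_s` seconds; each
    request over the limit is a strike, and `strikes_to_block` strikes earn a
    `block_s`-second block during which nothing from that source is admitted.
    """

    def __init__(self, max_requests, window_s, strikes_to_block=3, block_s=60.0):
        self.max_requests = max_requests
        self.window_s = window_s
        self.strikes_to_block = strikes_to_block
        self.block_s = block_s
        self._hits = defaultdict(deque)      # source -> timestamps inside the window
        self._strikes = defaultdict(int)
        self._blocked_until = {}

    def check(self, source, now):
        """Return 'allow', 'throttle' (reject this request) or 'block' (source quarantined)."""
        until = self._blocked_until.get(source)
        if until is not None:
            if now < until:
                return "block"
            del self._blocked_until[source]   # block expired: the source starts clean
            self._strikes[source] = 0
        hits = self._hits[source]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                    # drop timestamps that left the window
        if len(hits) >= self.max_requests:
            self._strikes[source] += 1
            if self._strikes[source] >= self.strikes_to_block:
                self._blocked_until[source] = now + self.block_s
                hits.clear()
                return "block"
            return "throttle"
        hits.append(now)
        return "allow"


def build_request_stream():
    """Constructed traffic: one client at 1 req/s for 30 s and one source at 50 req/s for 10 s."""
    legit = [(float(t), "203.0.113.5") for t in range(30)]
    flood = [(i * 0.02, "198.51.100.7") for i in range(500)]
    return sorted(legit + flood, key=lambda e: e[0])


def simulate(stream=None, max_requests=20, window_s=10.0):
    """Run the limiter over the stream and return per-source decision counts."""
    limiter = SourceRateLimiter(max_requests, window_s)
    outcome = defaultdict(lambda: {"allow": 0, "throttle": 0, "block": 0})
    for now, source in (stream or build_request_stream()):
        outcome[source][limiter.check(source, now)] += 1
    return dict(outcome)


if __name__ == "__main__":
    for source, counts in simulate().items():
        print(source, counts)
```

With a 20-requests-per-10-seconds limit the normal client is never touched, while the flooding source gets 20 requests through, two rejections, and is then quarantined for the rest of the stream.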
Stop External Router or Video Game System DDoS Attacks
Smaller businesses, game servers, and streamers often connect their routers directly to the internet and attackers can find their IP addresses to target them. With no IT professional supporting the environment, attacks on these exposed systems can result in complete shutdown of internet access. Some ways to stop these attacks are changing your IP address, enabling defensive features in your equipment, and adding extra layers of security.
1. Reset the IP Address
The fastest method to dodge a DDoS attack is to reset the IP address. There are several ways to accomplish this:
- Fastest method — Unplug: Unplug the router, game system, and sometimes also the modem. Getting a new IP address can take as little as 5 minutes or as long as 24 hours, depending upon the ISP.
- Best method — ISP Contact: Contact the internet service provider (ISP); some ISPs limit changes in IP address and need to be contacted directly, but ISPs can also implement additional security or offer additional services to block DDoS attacks.
- Admin console IP Reset: Log into the router console as an admin via a web browser and change the IP address; check the router’s manual for instructions.
- Command Prompt IP Address Reset: Release and renew the IP address using command-line tools like ipconfig (Windows, macOS) or ip (Linux); macOS users can also open the advanced network settings, select TCP/IP, and choose “Renew DHCP Lease.”
Of course, this technique renders the internet or network unavailable until the router is restarted, and attackers can still search for the new IP address to attack the router.
2. Activate DDoS Defense Options
You can also explore defensive options in the equipment you use. Some defense options are:
- Router protection: Check your router administration consoles and manuals for additional DDoS protection options that can be enabled or strengthened. These can be activated quickly, but may affect performance.
- Upgrade equipment: Older routers or consumer-grade routers may lack features to protect against modern DDoS attacks and other common network threats. Consider upgrading to devices with more security features or capacity.
- Enable privacy mode: Some game consoles have privacy and online safety options available in the menus that can be used to minimize public information. For example, Xbox has a ‘private mode’ feature, available under More Options > Xbox Settings > Privacy and Online Safety.
3. Add Layers of Protection
To block future attacks against routers, consider adding additional layers of protection:
- Add appliances: Add network protection devices like firewalls, secure web gateways, and DDoS protection between the router and the internet.
- Upgrade or add professional-grade devices: Consider purchasing newer routers and next-generation firewalls that provide more security.
- Cloud-based protection: Add cloud solutions such as FWaaS or DDoS protection service from a vendor such as Cloudflare or Sucuri.
- VPN network service: Use a Virtual Private Network (VPN) to obscure IP addresses; however, it can add latency (ping) because of the extra network hops. Gamers and streamers can look for VPN services with low-latency connections and secure IP addresses.
The best choice will depend on the budget and technical capabilities of the organization or person as well as how quickly the solution needs to be put into place.
Stage II: Analysis
Some attacks become obvious because everything grinds to a halt, but often there will be a period in which the resource “acts strange” as it struggles with the early stages of a DDoS attack. In either case, the attack cannot be completely stopped unless it’s recognized, the logs are reviewed to characterize the type of DDoS attack, and, where possible, the attack is traced to its source.
Recognize the Signs of DDoS Attack
The first signs of a DDoS attack will be delays. Applications will be slow to proceed, websites will be slow to load, servers will be slow to respond to requests, etc.
Users behind an internet connection under attack may find themselves cut off from the internet or unable to use local resources. Network operations centers, firewall monitoring tools, cloud usage tools, and other monitoring solutions may catch spikes in network or internet traffic.
Deep into the attack, resources will simply become unavailable — even to run diagnostic tools or to access log files and other reports. Teams should respond as quickly as possible or ensure resources prioritize sending logs out for analysis.
Examine & Analyze Logs, Alerts & Records
Ideally, the first indicators of trouble will come in the form of logs and alerts from monitoring tools and software checking for bandwidth, application performance, memory, or CPU issues. Alerts can help a response team jump into action and prevent the DDoS attack before it takes down resources.
TIP: Document everything. These records from the DDoS attack hold valuable information for several teams and stakeholders, including the following:
- Incident Response teams: Digital Forensics and Incident Response teams will use the logs to assist them in their analysis of the attack to better understand what happened and how to prevent future attacks.
- Cybersecurity Insurance: Most cybersecurity insurance companies will require a copy of the logs with the reports when reviewing a claim to calculate damages.
Without alerts, an organization may have to rely upon customer or internal complaints, which may be delayed due to the congested resource (application, server, etc.), or until the entire network is crippled by the DDoS attack.
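Added example, not from the original article: a Python spike detector of the kind a monitoring tool would run over per-minute request counts, using a trailing median/MAD baseline so that the first elevated minutes do not inflate the baseline and the alert fires early in the ramp. The request-count series, window length and sensitivity constants are constructed assumptions.

```python
import statistics

# Constructed per-minute request counts for one web server (not real monitoring data):
# 30 minutes of normal traffic followed by a flood ramping up.
NORMAL_MINUTE = [980, 1010, 995, 1020, 1005, 990, 1000, 1015, 985, 1008]
REQUESTS_PER_MINUTE = NORMAL_MINUTE * 3 + [1400, 2200, 5000, 12000, 30000]


def robust_threshold(baseline, k=6.0, min_rise=1.25):
    """Alert threshold derived from a trailing baseline window.

    Median and MAD (scaled to a standard-deviation equivalent) keep a few
    already-elevated minutes in the window from dragging the baseline up; the
    relative floor stops a very quiet baseline with a tiny MAD from paging on noise.
    """
    med = statistics.median(baseline)
    mad = statistics.median(abs(x - med) for x in baseline) * 1.4826
    return max(med + k * mad, med * min_rise)


def detect_spikes(series, window=10, k=6.0, min_rise=1.25):
    """Return (index, value, threshold) for every point that exceeds its trailing baseline."""
    alerts = []
    for i in range(window, len(series)):
        threshold = robust_threshold(series[i - window:i], k, min_rise)
        if series[i] > threshold:
            alerts.append((i, series[i], threshold))
    return alerts


def first_alert_minute(series, **kw):
    """Minute index at which the on-call team would first be paged, or None if never."""
    alerts = detect_spikes(series, **kw)
    return alerts[0][0] if alerts else None


if __name__ == "__main__":
    for idx, value, thr in detect_spikes(REQUESTS_PER_MINUTE):
        print(f"minute {idx}: {value} requests (threshold {thr:.1f})")
```

On the sample series the detector pages at minute 30, when traffic is only 40% above normal, rather than waiting for the resource to become unresponsive.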
Attack Characterization
Attack characterization helps to separate attack traffic from legitimate traffic and to determine the type of attack. For example, attacks using protocols to disable infrastructure will require a different response than an application-level attack targeting a specific function in an application.
With so many different types of DDoS attacks, it can be difficult to determine exactly which one may be deployed. However, the response team will analyze the logs to find information regarding the attack and potential defenses.
A digital forensic investigation may be required for DDoS attacks to determine how the malware entered the network and launched the DDoS. Investigators will collect the evidence and ensure attackers and malware have been removed from the network.
Attack Traceback
DDoS attack traceback seeks to identify the source of the DDoS attack. For example, if the attack can be traced back to a range of IP addresses, the attack can be blocked through IP Blocking. However, tracing can be extremely challenging and may not lead back to the actual attacker.
Stage III: Recovery
Organizations that can quickly eliminate a DDoS attack may suffer no more than inconvenience. Organizations that are not so fortunate will need to assess the damage, make any needed adjustments required from the DDoS remediation, determine what immediate steps to take for preventing recurrence of that DDoS attack, and consider other preventative measures.
DDoS Attack Damage
Damage from DDoS attacks varies from organization to organization and will depend upon the resources affected. A recent survey from Corero estimates that DDoS attacks can cost organizations hundreds of thousands of dollars per hour and up to $1 Million for larger organizations, averaging a little over $6,000 a minute. However, none of these reports account for other costs or the loss of business and reputation.
After a DDoS attack, organizations will need to document their costs and damages for insurance and to create an estimate to budget for tools and services to prevent future DDoS attacks.
DDoS Remediation Adjustments
In the scramble to stop the attack, organizations may make changes to the architecture or software that inadvertently cause other issues. Part of the recovery process requires examining the infrastructure to detect and fix those broken components or links. For example, moving a website behind a DDoS filtering service provider may only move the main domain; sub-domains may need to be migrated manually.
Similarly, integration with other third-party tools may require additional configuration. For example, a publishing website could discover that their web content management system no longer correctly connects to the published content protected by the DDoS provider and that changes may be required to reconnect to it.
For DDoS attacks launched within the network, individual computer systems may need to be sanitized to remove malware or an attacker’s ability to access the device for future attacks. Sometimes this may also trigger data and system recovery needs.
DDoS Attack Lessons Learned
Generate a lessons-learned report that explains everything that happened and clearly explains how to protect against similar attacks. Mitigation should be enacted immediately, but if that is not practical, the mitigation should be planned and proposed for budgeting as soon as possible.
The costs to remediate the DDoS attack and any business losses from the downtime will provide a rough target for comparison with the mitigation budget.
If the attack was significant in size or impact, report the incident to law enforcement or industry organizations such as CERT. Reporting attacks can build profiles of major attackers and help in taking down major botnets like 911 S5 and Raptor Train.
Navigating the 3 Stages
Incident response teams often find themselves executing these stages simultaneously. Additionally, as attackers observe the defender’s actions, they will often change tactics and require the defending team to iterate between these stages and the steps within them.
Of course, the specifics of each stage will be highly customized and will depend on many factors, starting with the type of DDoS attack, the resource under attack (router, website, app, server, etc.), and the DDoS protections or mitigations already in place.
Additionally, the IT architecture, the resources of the defender, and the dedication of the attacker will also play significant roles in how the stages and techniques must be navigated.
Fortunately, ISPs and vendors can provide professional DDoS protection services for those in need. However, several tasks they perform are similar to what we covered, with the difference being potentially more experience and more sophisticated tools.
The OSI Model & DDoS Attacks
All communication on a network is sent as network packets. As each computer or firewall receives the packet, the device will check for the contents and handle the packet according to the instructions in the header. DDoS attacks abuse these packets and attempt to exploit potential weaknesses to overload systems. The different layers of the OSI model can be used to determine the type of DDoS attack:
| # | Layer Name | Traffic Type | DDoS Attack Types |
|---|---|---|---|
| 1 | Physical | Bits crossing hardware | No attacks at this level |
| 2 | Data link | Frames for addressing | No attacks at this level |
| 3 | Network | Packets for delivery | UDP reflection attacks, Ping of Death, etc. |
| 4 | Transport | Segments for reliable communication | ACK floods, SYN floods, etc. |
| 5 | Session | Data for inter-host communication | Telnet exploits (should be obsolete) |
| 6 | Presentation | Data representation and encryption | SSL abuse |
| 7 | Application | Data for application use | DNS query floods, HTTP floods |
However, knowing which layer is under attack does very little to help block or stop the attack. At their essence, all attacks generally fall into two categories:
- Infrastructure layer attacks (layers 3 and 4): These DDoS attacks affect firewalls, servers, and routers with volumetric or malformed packet attacks. ISPs and hosting partners can typically help with these attacks if they are external.
- Application layer attacks (layers 6 and 7): These attacks target websites and applications by overloading them with information requests. They can be stopped by web application firewalls but may require additional features like adding captchas to block automated requests.
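Added example, not code from the original article: Python that applies the layer table and the two-category split above to constructed per-packet flow summaries, counting which attack signature dominates a capture window before naming a layer, a category and the response path the article associates with that category (this also serves the attack characterization step in Stage II). The signature rules, the reflector port list, the thresholds and the sample packets are assumptions chosen for the demonstration.

```python
from collections import Counter, defaultdict

# Signatures taken from the article's OSI table, with the category that decides the response.
SIGNATURES = {
    "udp_reflection": ("3", "infrastructure"),
    "syn_flood": ("4", "infrastructure"),
    "dns_query_flood": ("7", "application"),
    "http_flood": ("7", "application"),
}
REFLECTOR_PORTS = {53, 123, 1900, 11211}   # typical amplification source ports (assumption)
RESPONSE = {
    "infrastructure": "volumetric/malformed packets: engage the ISP or hosting partner for upstream filtering",
    "application": "request overload: WAF rules, rate limiting, captchas for automated clients",
}


def build_sample_packets():
    """Constructed per-packet summaries: a SYN flood mixed with ordinary web and DNS traffic."""
    pkts = []
    for i in range(400):   # 400 bare SYNs from 200 different sources, never completing a handshake
        pkts.append(dict(proto="tcp", src=f"198.51.100.{1 + i % 200}", sport=40000 + i,
                         dport=443, flags="S", size=60, path=None))
    for i in range(30):    # ordinary web requests from a handful of clients
        pkts.append(dict(proto="tcp", src=f"203.0.113.{1 + i % 5}", sport=50000 + i,
                         dport=443, flags="PA", size=800, path="/"))
    for i in range(20):    # ordinary DNS lookups
        pkts.append(dict(proto="udp", src=f"203.0.113.{1 + i % 4}", sport=50000 + i,
                         dport=53, flags=None, size=64, path=None))
    return pkts


def classify_packet(p):
    """Map one packet summary to a candidate signature, or None if it matches nothing."""
    if p["proto"] == "tcp" and p["flags"] == "S":           # SYN without ACK
        return "syn_flood"
    if p["proto"] == "udp" and p["sport"] in REFLECTOR_PORTS and p["size"] >= 1000:
        return "udp_reflection"                              # large replies from amplifiers
    if p["proto"] == "udp" and p["dport"] == 53:
        return "dns_query_flood"
    if p["proto"] == "tcp" and p["dport"] in (80, 443) and p["path"]:
        return "http_flood"
    return None


def characterize(packets, min_packets=100, min_share=0.5):
    """Name the dominant signature in a capture window, or return None when nothing dominates.

    A single SYN or HTTP request is normal traffic; only a signature that accounts
    for both an absolute volume and a large share of the window is reported.
    """
    counts = Counter()
    sources = defaultdict(set)
    for p in packets:
        sig = classify_packet(p)
        if sig:
            counts[sig] += 1
            sources[sig].add(p["src"])
    if not counts:
        return None
    sig, n = counts.most_common(1)[0]
    share = n / len(packets)
    if n < min_packets or share < min_share:
        return None
    layer, category = SIGNATURES[sig]
    return {"signature": sig, "layer": layer, "category": category, "packets": n,
            "share": round(share, 3), "sources": len(sources[sig]), "response": RESPONSE[category]}


if __name__ == "__main__":
    print(characterize(build_sample_packets()))
```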
After executing the three critical stages to stop a DDoS attack, an organization will find itself in a better position. However, recovery alone cannot prevent future DDoS attacks because it only addresses the last attack. The best way to stop a DDoS attack will always be for organizations to be proactive and add defensive measures before they’re attacked.
5 Steps to Prevent Future DDoS Attacks
IT and security teams can deploy many options in preparation for a DDoS attack that will help to control and manage the future impact when one occurs. Some of these include:
- Harden against attacks: Update, patch, and change settings to protect resources against attacks.
- Deploy anti-DDoS architecture: Configure resources and implement policies that protect resources from potential attacks and minimize the impact of a successful attack.
- Use anti-DDoS tools: Enable features and add tools to detect and protect against or mitigate the effects of DDoS attacks.
- Design a DDoS Response Playbook: Create a plan for how security, operations, and management teams will respond to a DDoS attack.
- Install DDoS Monitoring: Install monitoring to watch and alert staff of signs of an attack.
An organization also should consider the possible motivations of the attackers. Some DDoS attacks may be used as a distraction or cover-up for other attacks such as espionage, ransomware, or business email compromise. Any DDoS playbook should also include activating
Top 3 Anti-DDoS Vendors
While DDoS is a significant threat, anti-DDoS measures should not be so optimized that they compromise other operational and security priorities. The best web application firewall options that will help mitigate DDoS attacks include AppTrana, Cloudflare, and F5.
AppTrana
AppTrana is a fully managed web application firewall (WAF) powered by AI that includes web application scanning for visibility into application-layer vulnerabilities, instant and managed risk-based protection through its WAF, managed DDoS and bot mitigation services, and several other features. All of this is backed by a 24×7 managed security expert service that provides custom rules and policy updates with a zero-false-positive guarantee.
AppTrana offers a 14-day free trial of their WAF, and pricing starts at $99 a month for their Advanced tier. Customers can request a demo and get pricing for their premium and enterprise offerings.
Cloudflare
Cloudflare is a web infrastructure and cybersecurity company specializing in protecting websites and organizations from cyberattacks. The Cloudflare WAF uses threat intelligence and machine learning to defend against cyber threats.
Cloudflare does offer a free plan. However, its functionality is very limited compared to its other plans, which start at $20 a month for the Pro license and increase to $200 a month for the Business license (when paid annually).
F5
F5’s award-winning WAF offers features ranging from behavioral analytics and machine learning to in-browser data encryption, all used to inspect and block malicious activity. Its SaaS-delivered WAF is quick to set up and deploy, and easy to manage.
Pricing is not available on the F5 website. However, customers can contact F5 for a trial or demo, or they can use F5’s Distributed Cloud pay-as-you-go service, available on the AWS Marketplace.
When choosing vendors for anti-DDoS tools or services, it is important to work with DDoS specialists. However, these vendors, like any other IT measures, should fit into the overall IT and security strategies that provide fundamental defense against DDoS attacks on websites (web application firewalls, etc.), applications (application security, etc.), or networks (firewalls, etc.).
Types of DDoS Protection Solutions
When considering tools for protection, the solutions often break down into three classifications: Do-it-yourself (DIY), on-premises appliances, and off-premises tools. Each style has inherent pros and cons:
- DIY tools: These are typically created from open-source tools, which means they are usually free or have a lower cost than commercial tools. The drawback is that they tend to require expertise to integrate and have limited filtering capabilities and scalability.
- On-premises appliances: On-prem tools can be installed locally, have good filtering capabilities, and are simpler to use and integrate. However, these tools can be expensive, have limited scalability, and are only compatible with specific infrastructure.
- Off-premises protection: These are cloud-hosted tools, often referred to as Software-as-a-Service, or SaaS. Cloud-based tools are usually easy to use and integrate, and they offer good scalability and compatibility. The one downside to cloud-based protection is cost.
Ultimately, the tradeoffs revolve around price, speed, and control. DIY tools will always cost the least and offer full control but won’t respond quickly or scale easily to handle large attacks. Scaling represents capacity but also directly affects speed since a device that is over its capacity lengthens the time for recovery.
On-premises appliances can enable more speed and full control but will cost more and have limited scale. Cloud-hosted tools will always react faster and can deploy nearly unlimited scale, but will cost more and also lie outside of the direct control of the organization.
Bottom Line: Prepare Now or Suffer Later
With the increasing sophistication and capabilities of attackers, defenders must be on alert. Not only will stopping DDoS attacks become more difficult, but attackers will also continue to increase the speed at which they exploit windows of opportunity. Organizations should prepare now for future DDoS attacks and take advantage of the capable tools and services available to help them.