How to Mitigate, Block & Fix DDOS (Denial of Service) Attacks | DDOS attack protection & prevention

17 Steps For DDOS Protection, Prevention & Mitigation. Learn how to block and fix DDOS attacks by botnets.

6
54775

In case you are looking to learn a perfect DDOS mitigation solution how to block and fix Zombie DDOS attacks, here’s the bad news. None of these DDOS protection techniques seemed to work during the recent Mirai botnet DDOS attacks thru IOT devices

There is really no magic anti-DDOS pill to fix DDOS attacks. However,these 17 steps to block and fix DDOS attacks are the minimal steps you need to take for DDOS protection. Consider implementing these DDOS mitigation strategies to protect your website from denial of service attacks.

1Step 1 : Just Get More Bandwidth to mitigate DDOS attacks


You know how a simple “flood” DDOS attack works. Attackers just flood your website with requests and your website gets swamped. Bandwidth costs have come down and if you represent a large organization, you will have a big wallet. Just sign up for bandwidth or expandable bandwidth whenever you need it so that you can handle medium size attacks.

That doesnt mean that companies like Facebook and Whatsapp will never have to fix denial of service attacks. Recently, Twitter was taken down by an attack that didnt even target it. But, having bandwidth redundancy is a good way to mitigate ,block and fix DDOS attacks at the initial stage.

2Step 2 : Use a CDN for DDOS protection


Using a CDN, or a Content Delivery Network to service requests in a distributed way,is a good option for DDOS prevention. But for CDNs to be effective in DDOS prevention, the CDNs need to have high capacity and be fundamentally robust. Also, CDNs need to be able to withstand DDOS attacks at individual CDN servers.

3Step 3 : Use DDOS Mitigation Appliances


A DDOS mitigation appliance uses a hardware server to help mitigate and DDOS prevention.
Key features of a DDOS mitigation appliance:


  • Watch incoming requests to the server

  • Detect potential harmful denial of service requests
  • Scrub, block and fix DDOS attack threats
  • Security for threats to Layers 3 to 7
  • Provide a GUI for IT Security experts to constantly watch potential DDOS threats. This alert mechanism enables the security experts to take appropriate action when needed

A DDOS mitigation appliance is good at blocking limited DDOS threats, but it has several limitations.

  • Firstly, if the DDOS attack is very severe,say above 1GBPS, the appliance is usually unable to fix the DDOS attack. As a result, even legitimate user requests are not fulfilled

  • You need an army of IT web Security experts to maintain the appliance and monitor potential DDOS alerts. IT web security experts are typically very expensive, and the service costs will be typically than the cost of the DDOS mitigation appliance
  • As a result, a DDOS mitigation appliance is just not enough to prevent or fix DDOS attacks

4Step 4 : Use Cloud Based Services to Block and fix DDOS attacks


akamai ddos prevention
Radware : Block DDOS attacks

A cloud based DDOS protection service is quite often what is needed to block DDOS attacks.
Key features of a cloud based DDOS protection service:

  • Distributed service using multiple servers located all around the world. High distributed bandwidth ensures that even an enormous DDOS flood attack can be mitigated and controlled.
  • Multiple scrubbing centers location around the world for DDOS protection
  • Security centers manned 24/7 to constantly monitor global DDOS threats across the network.
  • Immediate detection and response to DDOS attacks

Akamai, Cloudfare, Radware and Encapsula are some of the companies offering cloud based DDOS protection services.

5Step 5 : Use A Hybrid DDOS Mitigation Approach to block and fix DDOS attacks


A hybrid DDOS mitigation approach uses a combination of a DDOS mitigation appliance and a cloud based DDOS protection tool. This is a good idea, since you can rely on DDOS mitigation appliance to block minor denial of service attacks, and switch to a cloud based service when the DDOS attack is severe.

The key advantage of a hybrid DDOS mitigation strategy is that you do not become entirely dependent on the cloud services. Retaining a degree of knowledge on battling DDOS threats within the organization is quite important. Also, the alerts generated by DDOS mitigation appliance can also be used for traffic analysis, especially using data intelligence.

6Step 6 : Protect your DNS by moving DNS resolution to the cloud

DNS servers are particularly vulnerable to DDOS amplification and spoofing attacks. The recent Mirai botnet DDOS attacks targeted the DYN DNS servers. Creating DNS server redundancy is a good way to protect DNS servers from “amplification” attacks.

You can even use a “cloud” DNS service.Google Cloud DNS is a popular service.This will ensure that name resolution is done by thousands of distributed servers. This prevents website outage if a single server goes down.

7Step 7 : Proper Configuration of network devices to Block Spoofing DDOS attacks : Ingress Filtering and Egress Filtering


“Amplification” of “spoofing” attacks are alternatives to flood attacks.A couple of ways to mitigate such DDOS attacks are :

  • Ingress filtering: Ingress filtering is a good way to mitigate spoofing DDOS attacks. Ingress filtering implies authentication of the IP addresses of the incoming network requests and rejecting requests with a fake IP address. This blocks amplified spoofing DDOS attacks.
  • Egress Filtering : Egress filtering implies having restrictions on the flow of network packets from one network to the other. Typically, this is implemented using a firewall that restricts flow of data using a set of policies. This implies limiting protocols and also port accesses. This can result in denial of service protection

8Step 8 : Proper patch management of all servers for DDOS protection

Amazingly, most DDOS protection techniques are of no use, due to bad auditing of servers in the corporate environment. Hackers typically exploit bugs that are fixed by patches only later. Many corporate IT environment fail to update their servers to the latest patches. This can happen either thru plain laziness or perhaps a budget cut (IT folks are usually the first to go!)

A proper audit approach to servers to ensure installation of latest patches can mitigate several denial of service attacks. This involves scanning the servers in the IT environment and ensuring patch updation. In summary, patching of all software is a simple anti-DDOS measure.

9Step 9 : Use Caching Servers so that static cached data is served to genuine visitors

The fundamental function of a web server is to service genuine users. If a majority of web requests can be serviced by cached data, then the potential traffic to the server can be limited. This is of great value to fix a DDOS attack. While you struggle to block an impending DDOS attack, it would be perfect if genuine users are not even aware of the threat.

10Step 10 : Analyze traffic patterns in a manual and automated manner

All right, you have installed a DDOS mitigation appliance. You also have a cloud based DDOS protection service. However, that doesnt mean that you stop analyzing traffic patterns.


Blocking and fixing DDOS attacks needs to go beyond looking for typically signatures of common DDOS attacks. Many organizations are using data intelligence tools to analyze traffic patterns “on the fly”. Study of the traffic patterns, combined with your knowledge of your web application can help you identify anomalies faster and reduce false positives.

11Step 11 : How to Fix DDOS attacks : Use a DDOS protecting hosting provider


Another way to protect your web server is to use a DDOS protected hosting provider.These hosting providers typically use a mix of the steps mentioned in the article to block DDOS attacks.


These web hosts typically sign up with a CDN to service user requests using distributed servers, a cloud based service for multiple redundant DNS servers and a DDOS mitigation appliance to detect, prevent and block DDOS attacks.

12Step 12 : Authorization & Authentication System For All Network Operations

Your anti-DDOS measures are of no use if you allow open access to multiple ports. An authorization system that allows specific network operations and restricts several operations is important. An ACL (access control list) is often used to restrict access. This will prevent easy access to the network for potential DDOS botnet attacks. An authentication system will allow access to parts of the system only to specific IPs/ or a set of IPs. All these anti-DDOS systems serve as an extension of “ingress” and “egress” filtering that we learnt in Step 7.

13Step 13 : Use Network Based Firewalls for basic DDOS protection


Firewalls were often touted as a basic element in the prevention of DDOS attacks. There is no doubt that there is a merit in restricting network access to specific ports, protocols and applications.
However, Firewalls have inherent flaws in handling DDOS attacks.

  • Firewalls need to definitely provide access to ports such as 80 for normal http access. DDOS attacks often take place using these standard ports.
  • Firewalls are unable to block and protect the website from “spoofing” DDOS attacks. This is because firewalls are unable to distinguish between legitimate and fake network requests at a specific port. Besides, since firewalls are stateful devices, their state tables often become a target of “flood” DDOS attacks.
  • Intrusion detection systems (IDS) are often touted as a wonderful mechanism to block and fix DDOS attacks.intrusion detectionBut these intrusion detection systems fail miserably in mitigation of DDOS attacks. This is because :
    • An IDS may be good at intrusion detection but may generate many “false positives”

    • Intrusion detection systems are very processing intensive, and can be submerged in a flood of DDOS attack traffic

    As a result, an IDS is essential for warding off application layer attacks but not good enough for DDOS attack prevention.

14Step 14 : Use Sinkholes to research and fix a dangerous DDOS attack

A sinkhole simply implies a redirection of potentially bad DDOS traffic to an alternate server. Essentially, a sinkhole is used when a target website is almost completely compromised by a DDOS attack. The key purpose of a sinkhole :

  • Study the DDOS attack, to prevent it recurring at other servers
  • Isolate the DDOS traffic so that the attack doesn’t spread to alternate servers. During the recent Mirai botnet DDOS attack, researchers employed sinkholes to learn more about the nature and source of the botnet attacks.

The key problem with sinkholes is that it is not a DDOS mitigation tool per se, since sinkholes stop all traffic to a website. Once you start using sinkholes, it means that you have accepted defeat in protecting a web server from a DDOS attack. Sinkholes are not a simple anti-DDOS fix, they just help in fixing the DDOS attack thru research.

15Step 15 : Use Blackhole Filtering For a Strategic Retreat

During a war, a strategic retreat typically implies destroying all resources that may be useful to the enemy. When a deadly DDOS attack occurs on a specific server, a blackhole filtering mechanism can be applied to dump all such traffic. This prevents the attack from spreading to other connected servers.
Blackhole filtering techniques can be :

  • Source based Blackhole Filtering : A source based blackhole filter stops all incoming traffic based on the source of the traffic. If there is a list of potentially attacking sources of botnet traffic, source based blackhole filtering can be used. This is typically unlikely, but is possible when enough research has been done

  • Destination based Blackhole Filtering : A destination based blackhole filter is more commonly used. If there is no hope of preventing a DDOS attack on a particular server, a destination based blackhole filter is applied. You will not mitigate or fix this particular DDOS attack. But,this implies that you have raised a white flag to the attacking botnets and want to limit the damage. You will of course live to fight another day after finding the source of the DDOS attack and fixing all vulnerabilities

16Step 16 : Maintaining proper network level ACLs to block DDOS attacks

Maintaining Access Control Lists at the network level serves to strictly control access to specific ports and protocols. This may not work great at fixing DDOS attacks on port 80, but will prevent unnecessary ports from being open. For example, telnet ports can remain closed and this will protect you for some DDOS attacks

17Step 17 : Human collaboration during an DDOS attack to fix a DDOS attack


You can learn how to fix a DDOS attack through collaboration. Human collaboration among multiple ISPs and IT Security specialists is important during a massive DDOS attack. If a particular IT Security expert has found a way to block a DDOS attack, it will be great to share that information in real time.

If you are aware of more techniques for mitigation and protection from DDOS attacks, please Write To Us

6 COMMENTS

  1. Guess the easiest way for me to fix DDOS attacks is to shift to a better hosting provider. How do I go about choosing a hosting provider who can protect my website from DDOS attacks?

    • Albert, thats easier said than done. No hosting provider is really safe from a concentrated DDOS attack, such as the DDOS attack we saw on Dyn. However, if you have had any down time due to a DDOS attack, its best to change your hosting provider.

    • Julie

      Thanks for the nice comments. Even if one does everything on the list, it may be difficult to prevent DDOS attacks, but it is surely a good start.

Leave a Reply to Steve Lyle Cancel reply

Please enter your comment!
Please enter your name here