Your Essential Guide to DDoS Attacks and its Mitigation


In the recent years, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have emerged as significant threats to organizations worldwide. These attacks involve crippling an organization's systems, particularly customer-facing websites, by overwhelming them with vast amounts of malicious digital traffic.

Although typically carried out by low-tier threat actors, the impact of DDoS attacks on an institution's reputation and customer service can be considerable. The range of actors deploying DDoS attacks spans from script kiddies to advanced threat actors, who use DDoS as a smokescreen for other stages of their attacks.

DDoS attacks have become a prevalent internet cyberweapon, used by everyone from hacktivists and governments to disgruntled video game players. At the turn of the century, DDoS attacks evolved from simple forms of vandalism to strategic tools with specific objectives. They're now used for various purposes, such as blackmailing organizations for money or protesting against a country or organization based on ideological motives.

As per a report from Cloudflare, ransom DDoS attacks increased significantly between 2020 and 2021, and the DDoS activity in 2021 surpassed that of previous years. Short attacks are more common, but longer attacks lasting ten days or more have been reported.

Understanding the different types of DDoS attacks

There are four basic types of DDoS attacks:

  1. Flooding Attack: These attacks exceed the maximum bandwidth available by flooding the system with traffic, making it impossible to gain access to a system or service. A special form of a flooding attack is the DNS-amplification attack, which spoofs look-up requests to hide the source of the exploit and direct the response to the target. Mitigation: To counteract flooding attacks, a bandwidth management solution should be in place that can distinguish between legitimate and malicious traffic. Cloud-based DDoS protection services can help absorb the excessive traffic associated with these types of attacks. DNS servers should also be secured against unauthorized use to prevent DNS amplification attacks.
  2. Protocol Attack: These attacks send data packets that take advantage of weaknesses in communication protocols and other protocols used mainly by network devices such as routers and firewalls. Well-known examples of protocol-attacks are SYN floods, fragmented packet attacks, Ping of Death, and Smurf-attacks. Mitigation: Keeping systems updated and patched regularly can fix vulnerabilities targeted in protocol attacks. Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) can serve as effective tools against these types of attacks. SYN flood attacks can be mitigated using SYN cookies or similar techniques that verify the requester before a connection is fully established.
  3. Application-Layer Attack: These attacks, named after the OSI-layers’ Application Layer (layer 7), target a specific function of a layer 7 protocol like HTTP and misuse that function to exhaust the service. Mitigation: Identifying normal traffic patterns can help detect anomalous behavior associated with application-layer attacks. Web application firewalls (WAF) can block malicious requests, and rate-limiting controls can limit the number of requests a server will accept in a certain time period from a single IP address.
  4. Combined Attacks: These attacks, which are becoming more frequent, use multiple methods at once, such as flooding and application-layer attacks, making their mitigation more complex. Mitigation: A multi-layered security approach can help combat combined attacks. This should include anti-DDoS technology, a secure network infrastructure, application-level security, and regular network auditing. Having a DDoS response plan in place is crucial for an organization to respond swiftly and effectively when an attack is detected.

Strategies to manage DDoS attacks

Organisations should establish a comprehensive strategy to manage potential DDoS attacks. This should include the following steps:

  • Develop an understanding to manage DDoS risk to systems, assets, data, and capabilities.
  • Implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
  • Implement suitable activities to identify the occurrence of a DDoS attack.
  • Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Maintain plans for resilience and implement activities to restore any capabilities or services that were impaired due to a DDoS event.
  • Determine whether the previous functions performed effectively.
  • Determine and implement changes based on the assessment made.
  • Implement a "DDoS mitigation scrubbing service" to filter out fraudulent traffic associated with DDoS attacks. This service is particularly useful against flooding and protocol attacks.
  • Develop and apply measures against application-level attacks. These can include application-level security products, application level key completion indicators, and filtering capabilities.
  • Simulate attacks on their environment to test the adequacy of these measures. Regularly test anti-DDoS measures, covering both the technical and the organisational aspects.
  • Establish security intelligence. Understanding the types of DDoS attacks and the actors and motivations behind them can help in implementing accurate measures and assessing the risk to the organisation.
  • Consult with upstream providers and local law enforcement agencies to ensure that their logging capabilities and monitoring solutions are sufficient for forensic readiness.

For all types of attacks, regular staff training on cybersecurity awareness is essential. An informed team can spot early signs of an attack and respond accordingly to prevent or minimize damage.

Scroll to Top