So how can you best mitigate against a DDoS attack? Here's what you need to know.
Basic safeguards with your router
Rather than over-provisioning, simple measures such as bandwidth buffering can help absorb traffic spikes, including those caused by a DDoS attack, and give you time both to recognise the attack and to react to it.
This requires a business-grade router, if you haven't already got one. Then you can put other basic safeguards in place that can gain you a few precious minutes: rate-limiting on your router, filters that drop obviously spoofed or malformed packets, and lower drop thresholds for ICMP, SYN and UDP floods. All of these buy you time to find help.
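To make the three router-level safeguards concrete, here is a small simulation of them in Python. It is an added illustration, not code from the article or from any router vendor: it drops packets whose source address is a private or bogon range (which should never arrive on the WAN side), drops packets with header combinations no legitimate stack sends, and then applies a per-protocol token bucket to ICMP, TCP SYN and UDP traffic. The thresholds, the packet records and the addresses are all constructed for the example; a real router expresses the same policy in its own ACL and rate-limit syntax.

```python
"""Simulation of router-level DDoS safeguards: spoof filter, malformed-packet
filter and per-protocol rate limits.  Added example; all values are assumed."""
import ipaddress
from collections import defaultdict

# Source ranges that should never appear on a WAN-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Assumed packets-per-second thresholds, deliberately low so floods are shed early.
THRESHOLDS = {"icmp": 10, "syn": 50, "udp": 100}


def is_spoofed(src):
    """True if the source address belongs to a range that cannot be routed to us."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_NETS)


def is_malformed(pkt):
    """Header combinations that no legitimate stack produces."""
    flags = pkt.get("flags", set())
    if pkt["proto"] == "tcp" and {"syn", "fin"} <= flags:   # SYN+FIN together
        return True
    if pkt["proto"] == "tcp" and not flags:                  # no flags at all
        return True
    if pkt["len"] < 20 or pkt["len"] > 65535:                # impossible IP length
        return True
    return False


def bucket_key(pkt):
    """Which rate-limit bucket a packet belongs to, or None if not limited."""
    if pkt["proto"] in ("icmp", "udp"):
        return pkt["proto"]
    if pkt["proto"] == "tcp" and pkt.get("flags") == {"syn"}:
        return "syn"
    return None  # established TCP is left alone


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, burst equal to `rate`."""

    def __init__(self, rate):
        self.rate = rate
        self.tokens = rate
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_packets(packets):
    """Run the packet stream through the three safeguards and count the outcomes."""
    buckets = {k: TokenBucket(r) for k, r in THRESHOLDS.items()}
    stats = defaultdict(int)
    for pkt in packets:
        if is_spoofed(pkt["src"]):
            stats["drop_spoofed"] += 1
            continue
        if is_malformed(pkt):
            stats["drop_malformed"] += 1
            continue
        key = bucket_key(pkt)
        if key and not buckets[key].allow(pkt["t"]):
            stats[f"drop_{key}_flood"] += 1
            continue
        stats["forwarded"] += 1
    return dict(stats)


def sample_packets():
    """Constructed traffic: a few legitimate flows plus a SYN flood and junk."""
    pkts = []
    for _ in range(5):    # established TCP from a legitimate client
        pkts.append({"t": 1.0, "src": "203.0.113.7", "proto": "tcp", "flags": {"ack"}, "len": 1200})
    for _ in range(200):  # 200 SYNs in the same instant: a flood
        pkts.append({"t": 1.0, "src": "198.51.100.9", "proto": "tcp", "flags": {"syn"}, "len": 60})
    for _ in range(3):    # private source address arriving from the internet
        pkts.append({"t": 1.0, "src": "10.0.0.5", "proto": "udp", "flags": set(), "len": 500})
    for _ in range(2):    # SYN and FIN set together
        pkts.append({"t": 1.0, "src": "198.51.100.20", "proto": "tcp", "flags": {"syn", "fin"}, "len": 60})
    for _ in range(3):    # a little ordinary UDP a second later
        pkts.append({"t": 2.0, "src": "192.0.2.44", "proto": "udp", "flags": set(), "len": 80})
    return pkts


if __name__ == "__main__":
    print(filter_packets(sample_packets()))
```

Because the flood packets all carry the same timestamp, the SYN bucket admits exactly its burst of 50 and drops the remaining 150, while the established TCP and the later UDP pass untouched. The point of the low thresholds is the one the article makes: they do not stop a large attack, they keep the router and the link usable for long enough to notice and escalate.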
Incident response planning
The first thing every organisation should do when it suspects a DDoS attack is confirm it. Once you've ruled out DNS errors and upstream routing problems, your security response plan can kick in.
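The confirmation step can be partly automated from the web server's own access log. The following Python is an added example, not from the article: it parses common-log-format lines from a short window, compares the request rate with an assumed baseline, and separates the cases a responder cares about. If the server sees no traffic at all, the problem is more likely DNS or upstream routing than a flood; if the rate is far above baseline, it reports whether the load comes from one source or is genuinely distributed. The log lines, the baseline figure and the multiplier are constructed for the example.

```python
"""Triage of a suspected DDoS from a web access log.  Added example; the log
lines, baseline and thresholds are constructed values."""
import re
from collections import Counter

# Common log format: client, ident, user, [timestamp], "METHOD path proto", ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*:(\d\d:\d\d:\d\d) [^\]]*\] "(\S+) (\S+)')


def parse(lines):
    """Yield (src_ip, hh:mm:ss, method, path) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groups()


def triage(lines, baseline_rps, window_seconds, spike_factor=3, single_share=0.5):
    """Return a short verdict for the log window.

    - no requests at all      -> look at DNS and routing before assuming a flood
    - rate below spike_factor x baseline -> nothing to confirm yet
    - one source above single_share of requests -> single-source flood
    - otherwise               -> distributed flood, with the source count
    """
    src_counter = Counter(src for src, _sec, _m, _p in parse(lines))
    total = sum(src_counter.values())
    if total == 0:
        return "no_traffic_check_dns_and_routing"
    rps = total / window_seconds
    if rps < spike_factor * baseline_rps:
        return "within_normal_range"
    top_src, top_n = src_counter.most_common(1)[0]
    if top_n / total > single_share:
        return f"single_source_flood:{top_src}"
    return f"distributed_flood:{len(src_counter)}_sources"


def make_log(src, sec, path="/"):
    """Build one constructed common-log-format line in a ten-second window."""
    return f'{src} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed samples: one distributed flood, one single-source flood, one quiet window.
LEGIT = [make_log("203.0.113.7", s) for s in range(10)]
DISTRIBUTED = [make_log(f"198.51.100.{i}", s) for s in range(10) for i in range(40)] + LEGIT
SINGLE = [make_log("198.51.100.9", s) for s in range(10) for _ in range(30)] + LEGIT

BASELINE_RPS = 2      # assumed normal rate for this site
WINDOW = 10           # seconds covered by each sample

if __name__ == "__main__":
    for name, sample in (("quiet", LEGIT), ("distributed", DISTRIBUTED),
                         ("single", SINGLE), ("empty", [])):
        print(name, "->", triage(sample, BASELINE_RPS, WINDOW))
```

The verdict feeds the plan rather than replacing it: a "no traffic" result sends you to your resolver and your upstream first, a distributed result is what you take to the ISP or scrubbing provider, and a single-source result may be handled at the router while the rest of the plan spins up.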
What should be in that response plan? First, you need to put together an incident response team that includes managers and team leaders likely to be affected by an outage, as well as your organisation’s key IT and cyber security people. Only by talking to all the right people can you formulate a comprehensive response plan.
Then contact your ISP, but don't be surprised if it black-holes your traffic. A DDoS attack costs it money, so null-routing packets before they reach your servers is often the default option. It may offer to divert your traffic through a third-party scrubbing network instead, which filters out attack packets and lets only clean traffic reach you.
Be warned: bought as an emergency measure, this is likely to cost far more than contracting a content distribution network (CDN) in advance to monitor traffic patterns and scrub attack traffic on a subscription basis.
Prioritise, sacrifice and survive
Ensure the limited network resources available to you are prioritised, and make this a financially driven exercise, as that helps with focus. Sacrifice low-value traffic to keep high-value applications and services alive. Remember that DDoS response plan we mentioned?
This is exactly the kind of thing that should be in it, so that these decisions aren't taken on the fly and under time pressure. There's no need to allow equal access to high-value applications: you can whitelist your most trusted partners and your remote employees on the VPN to ensure they get priority.
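The prioritisation the article describes is an admission-control decision that can be written down in advance. The Python below is an added example, not from the article: it ranks incoming requests so that sources on a trusted allow-list (a partner range and the VPN pool, both assumed values) outrank everything else, then orders the rest by an assumed business value per service, and admits only as many as the surviving capacity allows. The request records, service weights and capacity are constructed for the example.

```python
"""Admission control that spends scarce capacity on the highest-value traffic.
Added example; allow-list, service values and capacity are assumed."""
import ipaddress
from collections import Counter

# Assumed: a trusted partner's range and the pool remote staff get on the VPN.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.8.0.0/16")]

# Assumed business value per service; the lowest is shed first.
SERVICE_VALUE = {"checkout": 100, "api": 60, "catalogue": 20, "marketing": 5}


def priority(req):
    """Sort key: trusted sources first, then the service's value; higher wins."""
    src = ipaddress.ip_address(req["src"])
    trusted = any(src in net for net in TRUSTED_NETS)
    return (1 if trusted else 0, SERVICE_VALUE.get(req["service"], 0))


def admit(requests, capacity):
    """Keep the top `capacity` requests by priority; return (admitted, shed)."""
    ranked = sorted(requests, key=priority, reverse=True)
    return ranked[:capacity], ranked[capacity:]


def shed_summary(requests, capacity):
    """Per-service counts of what survived and what was sacrificed."""
    admitted, shed = admit(requests, capacity)
    return {
        "admitted_by_service": Counter(r["service"] for r in admitted),
        "shed_by_service": Counter(r["service"] for r in shed),
    }


def sample_requests():
    """Constructed one-second snapshot during an attack."""
    reqs = []
    reqs += [{"src": "10.8.1.2", "service": "catalogue"}] * 2    # staff on the VPN
    reqs += [{"src": "192.0.2.10", "service": "checkout"}] * 3   # paying customers
    reqs += [{"src": "192.0.2.11", "service": "api"}] * 2
    reqs += [{"src": "192.0.2.12", "service": "catalogue"}] * 4
    reqs += [{"src": "192.0.2.13", "service": "marketing"}] * 5  # cheapest to lose
    return reqs


CAPACITY = 7  # assumed requests per second the degraded network can still serve

if __name__ == "__main__":
    print(shed_summary(sample_requests(), CAPACITY))
```

With sixteen requests and room for seven, the two VPN users are served first even though they are browsing a low-value service, checkout and API traffic fill the remaining slots, and the public catalogue and marketing traffic is shed. Writing the table of values into the response plan is what lets this run without a meeting in the middle of an outage.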
Multi-vector attacks, such as a DDoS used to hide a data exfiltration attempt, are notoriously difficult to defend against. It's all too easy to say that you must prioritise data protection, but the smokescreen DDoS remains a very real attack on your business.
Whatever the motivation behind a DDoS, every one should be dealt with using layered DDoS defences. These can include a CDN to absorb volumetric attacks, with web application firewalls and gateway appliances dealing with the rest. A dedicated DDoS defence specialist will be able to advise on the best mix for you.
DDoS mitigation services
It's worth considering investing in DDoS mitigation services if your network or digital channels are critical to your business, and particularly if you're likely to be a target of a DDoS attack (for example, if you're a well-known business). At the very least, know what's out there, just in case.
One of the biggest and best known is Cloudflare, which has made headlines offering DDoS mitigation services to the likes of Wikileaks as well as working to mitigate wider attacks like the WireX botnet and the 2013 Spamhaus attack.
Cloudflare isn't the only game in town, though, and many network and application delivery optimisation firms offer DDoS mitigation services.
Other well-known brands include Akamai, F5 Networks, Imperva, Arbor Networks and Verisign. Less well-known options that are also worth considering include ThousandEyes, Neustar and DOSarrest.
Some of these providers offer so-called emergency coverage, which you can buy when an attack is underway to mitigate the worst of it, while others require a more long-term contract.
If you're already using other products from any of these companies, you may want to look into adding DDoS protection to your package. Alternatively, if you use another network optimisation firm not mentioned here, it's worth seeing if it offers DDoS protection and how much it would cost.
As mentioned above, your ISP may also offer some form of DDoS protection, particularly in an emergency, but it's worth finding out beforehand how comprehensive this would be, what the process involves and how much it will cost.
And even if you don't subscribe to any of these services, knowing who to turn to in an emergency should be part of your response plan.