How to Stop a DDoS Attack that is already in progress

How you should handle a DDoS attack that has already begun depends on the type of attack you are experiencing. There are primarily two kinds of DDoS attacks: low-level attacks and application layer attacks. Low-level attacks use ICMP and fake source addresses; these are less effective. An application layer DDoS attack seeks to overload applications: it sends huge volumes of traffic that need a lot of processing power for the server to respond to. In short, IP attacks are the low-level attacks, while application layer attacks target the applications.

How to stop DDoS attacks already in progress:

- Stopping a DDoS attack that has already begun is challenging when the network is the target of many dynamic hosts spread all over the globe across many ISPs. In that case, you must start by changing the network or server, or by changing the DNS server name and the IP address. When you have been attacked by a few hosts which do not change often, you can get in touch with your ISP or a CERT to have the machines switched off. The easiest way to resolve an attack once it has started is to call your Internet Service Provider (ISP) and request that they re-route traffic or block the sources. If the attack is severe and prolonged, you can also report it to law enforcement authorities. Ideally, discuss security threats and response procedures with your ISP beforehand so that you know what they can do for you if something like this happens.

- Even once an incident has passed, chances are that there will be more such incidents in the future. Consider using a Content Delivery Network (CDN), where content is distributed across many locations and may be stored on servers which are physically closer to your end users. It is harder for attackers to penetrate such CDNs, and these networks are equipped to stall such attacks.

- When you choose companies like Cloudflare, you can get DDoS protection as part of their packages. Their plans are typically not billed according to the size of the attacks, and there is no limit on the degree of attacks they are equipped to handle. There is an "I'm Under Attack" mode which you must click on to get them to stop a DDoS attack in progress. This mode triggers extra protection to prevent malicious traffic from reaching the server.

- With DNS settings from Cloudflare, you get its security on a per-record basis. When the cloud is orange, security is "On". When it is grey, security is "Off". So, you may enable security for all the records you use like SSH and FTP. You must use the original IP for actions like FTP and SSH; you can delete wildcards unless they are necessary. You should also delete any mail records which can reveal your original IP. All records which receive web traffic must be made orange.

- You should not limit connections from Cloudflare's IPs. Their IP addresses are all listed on their official web page, and the page has links to text files which are meant for machine parsing. Cloudflare adds new ranges to this list almost a month ahead of using them.

- To stop DDoS attacks which are already happening, you can try blocking the IP addresses of some countries as a whole. When you add a country or an IP, the security rules become active after two minutes. The traffic will then get offloaded onto the server. You can also access a list of visitors that have visited your site in the past 48 hours; this helps you identify those IPs so that you can add them manually to the block list.
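
The last two points combined, as an added example that is not part of the original article or Cloudflare's own tooling: it parses a machine-readable range file, then picks block-list candidates from access-log lines while never listing an address that belongs to the proxy provider. The range values, log lines, log format (source address as the first field), function names and threshold are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the provider's published range file (one CIDR per
# line). These are documentation prefixes, not real Cloudflare ranges.
SAMPLE_RANGES = """\
192.0.2.0/24
198.51.100.0/25

2001:db8:100::/40
"""

# Constructed access-log lines; assumed format: source address is field one.
SAMPLE_LOG = (
    ['192.0.2.10 - - "GET / HTTP/1.1" 200'] * 5            # proxy address
    + ['203.0.113.7 - - "GET /search HTTP/1.1" 200'] * 4   # direct to origin
    + ['203.0.113.99 - - "GET / HTTP/1.1" 200', "garbage line"]
)


def parse_ranges(text):
    """Parse a one-CIDR-per-line text file, skipping blanks and # comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))  # raises on a bad entry
    return nets


def is_proxy(addr, nets):
    """True if addr belongs to one of the proxy provider's ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def block_candidates(log_lines, nets, threshold):
    """Sources with >= threshold requests that are NOT proxy addresses."""
    counts = Counter()
    for line in log_lines:
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue  # empty or malformed line
        counts[fields[0]] += 1
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_proxy(ip, nets))


if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG, parse_ranges(SAMPLE_RANGES), threshold=3))
```

The proxy address has the highest request count in the sample but is excluded, because blocking or rate-limiting it would cut off every legitimate visitor arriving through the proxy.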
