How to recover from a DDoS attack

Author: Phil Muncaster

Preventing and recovering from the next distributed denial of service (DDoS) attack is likely to be top of mind for many IT teams: DDoS attacks continue to be the most common attack type among the security incidents in Verizon's long-running Data Breach Investigations Report (DBIR). With the right incident response and DDoS mitigation in place, your organization can weather the worst of the incoming storm and bounce back with minimal financial and reputational impact. Here's how to recover from a DDoS attack.

DDoS vulnerabilities

As organizations migrate more services to the cloud, they inevitably become more exposed to online interruptions. Launching attacks to exploit this fact has never been easier, as data from the 2022 DBIR shows.

There were 8,456 DDoS incidents recorded by the DBIR in 2022, with 6,248 incidents recorded in the 2023 DBIR, spread across a range of industries, including information services, retail, manufacturing, government and professional services.

According to Infosecurity Magazine, there was a 74% year-over-year increase in the number of DDoS attacks in 2022. This is partly attributed to the rise of botnets and to hacktivists developing tools for politically motivated actions that were eventually adopted by for-profit criminals.

The DDoS threat

Botnets of compromised machines are typically rented out on the cyber crime underground to overwhelm targeted systems with traffic to take down business-critical services. Botnets can be rented out "as a service" for as little as $5 an hour. However, the impact on victim organizations can be many times greater. The average cost of an attack in the U.S. is estimated at $218,000, not including any potential ransom demands. Alongside the prospect of lost sales and staff productivity, the victim organization may face customer churn, long-term reputational damage and diminished competitive advantage as it works to recover from a DDoS attack.

And attacks are getting bigger. The median DDoS from 2013 clocked in at just 422 Mbps, according to the DBIR. Three years later it had reached 1.1 Gbps, and it had risen again to 1.3 Gbps by 2022 and to 2.2 Gbps in 2023. The report speculates that malicious campaigns are increasingly built on "more formalized and repeatable" infrastructure, potentially making it more challenging to stop a DDoS attack.

How to recover from a DDoS attack

While attack infrastructure is becoming more professionalized, so are responses. With a calm head and a measured, data-driven approach, IT leaders should be able to ride out and then rapidly recover from a DDoS attack, even if it arrives without warning.

What to do during the attack

During the attack, ensure that you:

  • Stay calm.
  • Inform all relevant stakeholders immediately, such as the chief information security officer, line of business managers, security operations center leads, etc.
  • Share key metrics with these stakeholders, such as when the attack started, which assets are impacted, what type of attack it is and how it impacts customers.
  • Inform them what the next steps are to recover from a DDoS attack.
  • Contact your third-party security provider to see how it can help stop a DDoS attack. Ideally, it will already be monitoring traffic and know that an attack is underway.
  • Find a way to inform customers about what's happening, such as through social media or email channels. The platform used to do so will need to be insulated from the DDoS threat.
  • Direct your security partner to take active steps to mitigate the attack:
    • Rate limiting can help to minimize the impact of app-layer attacks, although it also penalizes legitimate customers.
    • IP blocks may also work if the attackers are launching their DDoS attack from a relatively small number of source addresses.
    • However, the most effective method is a dedicated appliance or cloud-based DDoS detection and mitigation service that can proactively detect and initiate mitigation before someone in the company even realizes an attack is underway.
    • Continuously monitor the attack to extract as much intelligence about the threat as possible. This will help to stop a DDoS attack attempt in the future.
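As an added illustration of the two first-line mitigations above (this is example code written for this article, not part of Verizon's service or the original post): a per-source sliding-window rate limiter combined with a static IP blocklist, run over a constructed set of request records. The sample deliberately includes one address that represents many legitimate users behind a shared NAT gateway, to show the caveat that rate limiting also throttles real customers.

```python
from collections import defaultdict, deque


def build_sample_log():
    """Constructed (epoch seconds, source IP) request records; not real traffic."""
    records = []
    for i in range(50):  # two flooding sources, 5 requests/second each
        records.append((1000.0 + i * 0.2, "198.51.100.10"))
        records.append((1000.0 + i * 0.2, "198.51.100.11"))
    for i in range(5):  # one ordinary user browsing at a normal pace
        records.append((1001.0 + i * 2.0, "203.0.113.5"))
    for i in range(25):  # many legitimate users sharing one NAT address
        records.append((1000.0 + i * 0.4, "203.0.113.77"))
    return sorted(records)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window` seconds."""

    def __init__(self, window, limit):
        self.window, self.limit = window, limit
        self.hits = defaultdict(deque)  # source IP -> timestamps still in window

    def allow(self, ip, ts):
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:  # evict timestamps outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def apply_mitigation(records, blocklist, window=10.0, limit=20):
    """Classify each request as blocked, rate-limited or allowed, per source IP."""
    limiter = SlidingWindowLimiter(window, limit)
    stats = defaultdict(lambda: {"allowed": 0, "rate_limited": 0, "blocked": 0})
    for ts, ip in records:
        if ip in blocklist:  # static block of a known flooding source
            stats[ip]["blocked"] += 1
        elif limiter.allow(ip, ts):
            stats[ip]["allowed"] += 1
        else:  # over the per-source limit: shared NAT users suffer here too
            stats[ip]["rate_limited"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in sorted(apply_mitigation(build_sample_log(), {"198.51.100.11"}).items()):
        print(ip, counts)
```

The output shows the unblocked flooder cut to 20 requests, but the NAT address is throttled by the same rule, which is why a service that profiles traffic rather than counting per address is preferable.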

What to do after a DDoS attack

Following an attack, there will likely be tremendous pressure to get services back up and running as normal. That means reconnecting network devices in an orderly way to avoid overloading the system and ensuring customer connections are brought back online without creating another unintentional DDoS. But if you want to know how to recover from a DDoS attack the next time, it's also important to answer some key questions to properly assess the damage and identify and resolve any gaps in protection.

Among these questions are:

  • What was the target of the attack?
  • What kind of attack was it (volumetric, protocol or app-layer)?
  • What techniques did it use to try to bypass mitigation (e.g., bursts, dynamic IP spoofing, SSL encryption)?
  • How long was the outage, and what services were impacted?
  • How much did it cost in lost revenue, productivity, etc.?
  • How badly impacted were your customers?
  • Did any malicious traffic get through your filters, and how?
  • Did your security partner meet its service-level agreement?

How to stop a DDoS attack with Verizon's DDoS Shield

Based on the answers to these questions, it may be time to upgrade or replace your security service so it's better able to stop a DDoS attack. DDoS Shield is a global, cloud-based DDoS attack detection and mitigation service designed to handle even the largest and most sophisticated attacks.

It works by redirecting inbound traffic to "scrubbing centers," returning only clean traffic to the network to ensure critical applications and services remain operational. Your organization could benefit from a service that's:

  • Highly scalable, able to block even the largest-ever recorded DDoS volumes.
  • Proactive in detecting and responding to DDoS attacks.
  • Carrier agnostic, so it protects traffic regardless of your internet service provider.
  • Flexible in offering monthly flat fees plus add-on extras.
  • Customer-centric, with 24x7 security operations center support available by phone or email.

Find out more about how Verizon's DDoS Shield can help you mitigate the effects of unexpected and unpredictable DDoS attacks.

The author of this content is a paid contributor for Verizon.