DDoS attacks (distributed denial of service) occur when a targeted system’s resources or bandwidth is flooded with such a multiplicity of traffic that the system is unable to handle it and shuts down. Most of the time these attacks are a calculated effort to overwhelm the system with multiple compromised systems.
Is this something you need to worry about? Here are some stats: one third of all downtimes can be traced to a DDoS attack, a week-long DDoS attack can cost less than $200 on the black market, and every day more than two thousand attacks take place.
These attacks work through a series of compromised computers in which the user does not even know that their computer is being controlled remotely. This network of computers (called botnets) can be made up of thousands to millions of machines. Once directed at a single target, huge flood of traffic is generated to overwhelm and incapacitate a system.
It is important to realize that every site is at risk and is vulnerable. The attacks can be random and it is far better to be well prepared than caught off-guard. Make sure your applications, supporting services, and DNS are all current and up-to-date. The common weak spots in corporate networks are the server, the internet pipe, and the firewall. It is helpful to already have an existing communication with your internet service provider so that in case of an emergency contacting them is one less thing to worry about.
It can take some time to realize that your system is under attack and not just experiencing a failing server or application. Knowing what your query load is will help alert you to the presence of an attack. BIND’s built-in statistics support, for example, keeps record of stats for later observation. Getting an idea of what is normal is important.
One of the most basic ways to prevent attacks is by overprovisioning your bandwidth. This is fairly inexpensive and helps you to accommodate sudden surges in traffic. This will not completely prevent DDoS attacks, but will give you a few extra minutes.
From there, rate limit your router, which will stop your web server from being overwhelmed. Use filters so that your router knows to drop packets from obvious attack sources. Set your timeouts to shut down half-open connections at a more aggressive pace. All these things will gain you time while you contact your internet provider. Their strategy usually involves black holing you for a bit, so that the DDoS does not consume bandwidth and affect other customers on the server. Then the provider is able to stop the attacking traffic from reaching the network, divert the traffic elsewhere so that your site can get back online, and then identify malicious packets for a mitigation specialist to take care of.
It is best to have a plan already set before the action is needed. Talk to your provider about their strategies and ask for their advice for your particular site.
