For many organizations, their website is their primary connection with customers. While certain companies, such as online retailers, are highly dependent on these assets, businesses across all sectors rely on web services to function effectively. So when these connections go down, it can be hugely costly.
This is even more the case when it's not a hardware failure or connectivity error that causes downtime, but a deliberate attack on your network, as these can be sustained incidents that are out of your control to fix.
A common way criminals take down servers is by flooding them with traffic until they become overwhelmed and unable to respond to legitimate requests. This is known as a Distributed Denial of Service (DDoS) attack, and it's an easy way for an attacker to wreak havoc with a website - or even to act as cover for a wider data breach.
DDoS attacks are more than just an annoyance - they're a serious and growing problem. According to Netscout, 2.9 million DDoS attacks were reported in the first quarter of 2021, a 31% increase from the same period in 2020. And this can result in significant downtime for businesses that leads directly to lost income and reputational damage among customers.
4 key signs you're under DDoS attack
It's clear that DDoS can have a major impact on your productivity and profitability. Most employees won't typically be spending time on your website, so it may well be that the first people to notice connection difficulties are your customers - by which time, it’ll be too late to prevent an attack.
Even if you're experiencing difficulties, how can you tell an attack from a legitimate spike in traffic that may be short-lived? Here are a few things to look out for:
1. IP addresses make repeated requests
One of the biggest telltale signs that you're under a coordinated attack is if you suddenly see repeated, structured requests coming from the same IP addresses. However, it's not enough to simply filter out the addresses. An effective botnet can control many thousands of IP addresses, so simply blocking any that show up repeatedly won't be effective.
Another sign to look out for is patterns in how requests are being made. For instance, if an IP address makes a set number of requests within a specific time frame (e.g. x requests every y seconds), this is a clear sign the traffic isn't legitimate. These IP addresses can then be null-routed to destinations that don't impact your servers, while genuine traffic is allowed through.
2. Your servers respond with 503 events
If your website responds to a user's request with a 503 (Service Unavailable) message, this indicates a server outage - and if there are no other reasons for the server to be unavailable, this is often a sign that it's being overloaded with requests by a DDoS attack. Instead of watching for this manually, you can set up an alert in Windows Event Viewer. This can be configured to send an email to an administrator when it identifies a 503 event - though if you're managing a large number of services, more advanced automation tools may be required.
3. Ping requests time out
Sending ping requests to servers to measure their response rate is another key early warning that your infrastructure is under pressure from DDoS. If the request's time to live (TTL) expires without a reply, it's a clear sign the server has been knocked out. Again, this is a process that can be automated, with a variety of tools available that let you configure how often to run ping tests and ensure you're alerted should an issue be discovered.
4. Traffic logs show unusual spikes
Reviewing traffic logs can also help you identify a DDoS attack from a legitimate surge in traffic - provided you know what to look for. Factors to consider include:
- The servers being affected
- The times of day when traffic is occurring
- Where the requests originate from
- The errors that are being shown to users
You can configure monitoring tools to look for and flag highly specific patterns of behavior, using a combination of events and traffic, which can be vital in reducing the number of false alerts. Filtering these out effectively is essential: otherwise your IT staff may become overwhelmed by messages and start ignoring actual DDoS attacks.
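The two log-based signs above (fixed-interval requests from one IP, and a burst of 503 responses) can be checked with a short script. This is an added example, not code from the original article; the log format, the field names and the sample lines are all constructed for illustration, and the thresholds are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (simplified combined-log style): one scripted
# client hitting /login exactly every 5 s, one human browsing at irregular gaps.
SAMPLE_LOG = """\
203.0.113.5 [01/Mar/2021:10:00:00] "GET /login HTTP/1.1" 200
198.51.100.7 [01/Mar/2021:10:00:02] "GET / HTTP/1.1" 200
203.0.113.5 [01/Mar/2021:10:00:05] "GET /login HTTP/1.1" 200
203.0.113.5 [01/Mar/2021:10:00:10] "GET /login HTTP/1.1" 200
203.0.113.5 [01/Mar/2021:10:00:15] "GET /login HTTP/1.1" 503
203.0.113.5 [01/Mar/2021:10:00:20] "GET /login HTTP/1.1" 503
203.0.113.5 [01/Mar/2021:10:00:25] "GET /login HTTP/1.1" 503
198.51.100.7 [01/Mar/2021:10:00:37] "GET /checkout HTTP/1.1" 503
"""

LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "[^"]*" (\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def parse_log(text):
    """Parse lines into (ip, timestamp, status); malformed lines are skipped."""
    matches = (LOG_RE.match(line) for line in text.splitlines())
    return [(m.group(1), datetime.strptime(m.group(2), TS_FMT), int(m.group(3)))
            for m in matches if m]

def find_fixed_interval_ips(entries, min_requests=5, tolerance=1.0):
    """Flag IPs whose requests arrive at a near-constant interval (x every y s)."""
    by_ip = defaultdict(list)
    for ip, ts, _ in entries:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_requests:
            continue  # too few requests to call the timing "structured"
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            flagged[ip] = round(sum(gaps) / len(gaps), 1)  # average gap in s
    return flagged

def peak_503s(entries, window=timedelta(minutes=1)):
    """Highest number of 503 responses seen in any rolling window."""
    stamps = sorted(ts for _, ts, status in entries if status == 503)
    peak = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1  # slide the window start forward
        peak = max(peak, end - start + 1)
    return peak
```

On the sample data the scripted client is reported with a 5.0 s cadence while the human browser is not, and four 503s fall inside one minute, which is the kind of count an alert threshold would be compared against.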
Protecting your business against DDoS attacks
It's not practical to have employees manually monitoring these areas for signs of attack, and by the time you get around to doing this after you start encountering an issue, it's too late. Therefore, an essential part of DDoS prevention for many organizations should be automated monitoring tools that can keep an eye on the above metrics and respond accordingly when they spot the telltale signs of an attack, without waiting for human intervention.
When it comes to DDoS attacks, however, prevention is better than cure. Improving your website's resilience by using solutions that can scale up automatically to cope with surges in traffic may be a good solution for many firms. Meanwhile, content delivery networks (CDNs) can also help protect against DDoS attacks by spreading the load across many different servers.