How to Know If You’re Under DDoS Attack

How to Know If You’re Under DDoS Attack

Nowadays, the term DDoS raises the heart rate of most webmasters. Though many don’t know exactly what a DDoS attack is, they might be familiar with the effects of getting DDoSed: an extremely sluggish, shut down, or dysfunctional website.

In this article, we’ll focus on how to know if you’ve been DDoSed, how to spot denial-of-service, and how to protect your website from future DDoS attacks.

Contents:

What is a DDoS attack?

DDoS stands for Distributed Denial of Service. Like the name implies, a DDoS attack is a malicious attempt to disrupt or damage a service by overwhelming system resources with traffic.

At a basic level, DDoS attacks are something like gridlock at a busy intersection — if enough traffic arrives all at once, then the heavy congestion turns into a jam and nobody can get through to the other side.

What services do DDoS attacks target?

Denial of service attacks can target a wide range of services, including:

  • a website
  • an internet service provider (ISP)
  • the Nasdaq Stock Market
  • a NASA probe
  • a game server

Practically anything connected to the internet is a potential target for DDoS.

The same goes for the source of DDoS attacks: Common culprits include hacked web servers and “internet of things” devices like smart appliances, routers, and even CCTV cameras.

Causes can be accidental or intentional. But a large criminal industry has grown around offering DDoS attacks as a service. There’s a market for attacks on sites, including competitors looking to tarnish others’ reputations and those denying online presence for political reasons.

A DDoS attack simply works like this: An attacker uses a number of machines across the internet (or what’s called a “botnet”). Those machines send a high volume of fake traffic as requests to the target site, all in an attempt to overload server resources and bring the site down.

There are many types and sizes of DDoS attacks and they can be devastating regardless of their size. Even an attack from a single system (DoS) can paralyze a site, so consider the ruthless efficiency of a multi-system attack through DDoS. A powerful DDoS can be as tiny as one request per second, and it can still have devastating effects on a website.

Some services are specifically targeted. Interestingly though, the process is largely automated, and most sites affected are randomly selected. Of course, this doesn’t matter if you’re a target. Regardless of the reason, the results can be detrimental, especially for an ecommerce website.

If you want to know more about the types of distributed denial of service attacks, read our guide on what a DDoS attack is.

How to tell if you’re being DDoSed

Symptoms of a DDoS attack can mimic issues you might find on your computer — slow access to website files, inability to access websites, or even problems with internet connection.

However, there are a few main indicators that you might be facing a denial of service attack and leveraging website monitoring tools can help you spot them.

If you’re experiencing one or more of these signs, you might be under DDoS attack:

  1. A sudden influx of requests to a specific endpoint or page.
  2. A flood of traffic that originates from a single IP or range of IP addresses.
  3. A sudden spike of traffic that occurs at regular intervals or at unusual time frames.
  4. Problems accessing your website.
  5. Files load slowly or not at all.
  6. Slow or unresponsive servers, including “too many connections” error notices.
  7. A flood of traffic coming from a single device type, geolocation, or web browser version.
  8. 500 internal server errors status codes.
  9. 503 errors on your website.
  10. You receive a ransom or extortion demand from some attackers.

More specific DDoS symptoms will vary depending on the type of attack. But any large-scale or unexpected website latency issues mean it’s time to investigate.

Example of connectivity issues when a website is getting DDoSed
Example of a connection timeout you may encounter during a DDoS attack.

Is it legitimate traffic or a DDoS attack?

Since a DDoS attack generates lots of traffic toward your site, it creates a tricky predicament. How can you tell if your site is just suddenly doing really well (traffic-wise) or if you are currently experiencing a DDoS attack?

If a site goes down due to a spike in legitimate traffic, then the time frame would generally only be for a short while until you’re back up and running again. Sustained spikes in traffic are rarely random, and you’d likely be able to identify reasons for it in legitimate cases. Say, a major advertising campaign or a piece of viral content. Checking the referer of the requests might confirm a legitimate reason for a spike in traffic (an influencer just tweeted some praise about your product?)

But more subtle attacks aren’t as simple to discern. Let’s say an online retailer with blackhat-hacking skills wants to keep people away from a competitor’s website without them being aware of it. The hacker can DDoS the competitor’s website a few times a day – potentially at random periods throughout the day just to make the competitor’s customers upset with how slow the website is. If the hacker’s server threw 500 hits per day (nothing out of the ordinary), the site wouldn’t be down for more than a few seconds, in intervals. Even mild DDoS attacks like this one hurt the victim’s business and reputation.

In some cases, you can examine potential DDoS attacks through a website monitoring tool. Try leveraging netstat to check entries and see if a specific traffic source continues to query a certain set of data long after the Time To Live (TTL) for the site has elapsed. (This is the time frame that you set for your site to discard held data and free up resources.) If that’s the case, you’re likely looking at a DDoS attack, since legitimate traffic won’t behave in this way.

Live example of a site getting DDoSed

To give you an idea of what getting DDoSed looks like, we developed this live example of a website getting DDoSed. You can watch how the server resources are depleted and how this disrupts the website’s performance in a matter of minutes.

After watching the video, you’ll be able to better recognize the traits of an attack on your own website.

After watching the video, you’ll be able to better recognize the traits of an attack on your own sites.

How to stop a DDoS attack

Here are four steps you can take to stop a DDoS attack on your site:

1. Monitor your website’s activity.

Track your network activity carefully so you can recognize when anything is amiss. You can regularly compare your baseline traffic to current volumes to help you identify traffic spikes and figure out if an attack is taking place.

Catching a DDoS attack early makes all the difference in reducing impact and downtime for your website. If you are running your own web servers, ensure you have services that can help you monitor when you are coming under DDoS attack.

2. Use a web application firewall.

Web application firewalls can help filter incoming traffic and drop traffic that appears to be part of a DDoS attack. It can also rate-limit traffic so that only a certain number of requests can come from a specific IP address during a specific time period.

How a web application firewall filters traffic and mitigates DDoS attacks

As an example, the DDoS mitigation feature of the Sucuri website firewall automatically blocks fake traffic and requests from malicious bots, without interfering with your legitimate traffic. Our cloud-based network can mitigate large network attacks (Layer 3 & 4), and we specialize in handling Layer 7 attacks against web applications.

Block off all unused ports and services; a webserver likely only needs port 80 and 443 open to the public. Furthermore, consider leveraging UFW for a very easy way to control access to ports on a Linux webserver.

3. Implement caching for your website.

Caching can help reduce the amount of traffic that needs to be handled by your web server. This allows you to store frequently accessed content in a temporary location like the web browser or dedicated servers, preventing your website from being overwhelmed by a large number of requests.

4. Leverage a CDN.

A content delivery network (CDN) can help distribute traffic across different servers to deliver content to your website visitors. This reduces the load on your own website’s server and prevents it from being overwhelmed, while ensuring it stays accessible to legitimate users.

5. Lean on a website security provider.

If you don’t want to deal with the challenge internally, you can partner with a DDoS protection service to help block and prevent denial of service attacks.

What happens as a result of a DDoS attack?

Since attacks can cause server outages, DDoS attacks can place significant stress on dev or IT resources trying to bring the website back online. Even worse, they can severely disrupt website traffic, user experience, and ultimately the purchase process. That can mean lost revenue for a website due to downtime and technical issues.

For example, an attack on an e-commerce business during the busy holiday shopping season can impact the entire company’s profitability for the year.

In the end, the cost of protecting yourself against a DDoS attack is usually much smaller than the financial impact of a DDoS against your site (or any other hacking attempt).

How do I protect my site after getting DDoSed?

While distributed denial of service attacks may be a common occurrence, it doesn’t mean you need to accept it as a part of your company’s online presence.

Limiting the number of requests your web server accepts over time is one way of mitigating DDoS attacks. Unfortunately, rate limiting is often not sufficient at effectively handling complex attacks.

Using a web application firewall, however, can significantly help mitigate a layer 7 DDoS attack. Since the firewall filters traffic between the internet and the origin server, it can act as a reverse proxy and protect the website from malicious traffic.

The Sucuri Web Application Firewall leverages an Anycast distributed network, which scatters traffic across a number of distributed servers. Since this approach is effective at diffusing disruptions and helps large volumes of traffic become more manageable, websites can take advantage of this service to further reduce the impact of an attack.

When it comes to attacks against your website or livelihood, it’s always better to take a proactive approach than reactive one.

Chat with Sucuri

You May Also Like