Grand Duchy of Luxembourg

DDoS Attack

How to detect - the signs to watch out for

  • The problem is that there are no tell-tale signs or warnings.
  • You can monitor your traffic and server load, but usually it is customer complaints that reveal that something has gone wrong.
  • In the server logs, you can see a spike in traffic.
  • Your server responds with a 503 error message because the service is unavailable.
  • Ping requests time out (the TTL, time to live, is exceeded before a reply arrives).
  • If you use the same connection internally, your employees will notice slowness.

How to react - the reflexes to adopt

  • The best reaction is prevention.
  • Schedule an alert on 503 events in the Event Viewer that sends a notification e-mail to the system administrators.
  • Automate ping alerts: if the ping time becomes too long or the ping times out, the service alerts your team so that they can start mitigating and troubleshooting the issue.
  • Use a log management system so that you can identify an ongoing attack and alert your administrators.
  • Try to filter out the malicious requests by setting alerts that combine specific events with traffic spikes.
  • Work with the company you bought your domain from and lower the DNS TTL to 1 hour, so that a change of address takes effect quickly.
  • Move your site to a DDoS mitigation service.
  • Follow CIRCL’s recommendations to mitigate the attack (see below).
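As an added example (not part of the CIRCL page), the two signs above, a spike in traffic in the server logs and 503 responses, turned into a small check over constructed access-log lines: it buckets requests per minute, compares each minute with the median of the other minutes, and alerts only when a spike coincides with a high share of 503 responses, i.e. an alert based on a combination of events and traffic spikes as the list suggests. The common log format, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from statistics import median
# Common log format: client IP, identd, user, [timestamp], "request", status, bytes (assumed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (minute_bucket, client_ip, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ts")[:17], m.group("ip"), int(m.group("status"))  # ts[:17] = "dd/Mon/yyyy:HH:MM"

def detect_spikes(lines, ratio=5.0, min_requests=20, err_share=0.2):
    """Flag minutes with >= `min_requests` requests, >= `ratio` x the median of the
    other minutes, and a 503 share >= `err_share`; returns (minute, n, n503, top IP)."""
    per_min = defaultdict(lambda: {"n": 0, "e503": 0, "ips": defaultdict(int)})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in the expected format
        minute, ip, status = parsed
        b = per_min[minute]
        b["n"] += 1
        b["ips"][ip] += 1
        if status == 503:
            b["e503"] += 1
    alerts = []
    for minute, b in sorted(per_min.items()):
        others = [x["n"] for k, x in per_min.items() if k != minute] or [0]
        baseline = max(median(others), 1)  # avoid a zero baseline when only one bucket exists
        if (b["n"] >= min_requests and b["n"] >= ratio * baseline
                and b["e503"] / b["n"] >= err_share):
            top_ip = max(b["ips"], key=b["ips"].get)
            alerts.append((minute, b["n"], b["e503"], top_ip))
    return alerts

def _line(ip, hms, status):
    # Constructed sample log line (documentation addresses, not real traffic)
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "GET / HTTP/1.1" {status} 512'

SAMPLE_LOG = (
    # three quiet minutes with four ordinary clients each, then one flood minute (constructed)
    [_line(f"198.51.100.{i}", f"13:5{m}:{10 + i:02d}", 200) for m in (5, 6, 7) for i in range(4)]
    + [_line("203.0.113.9", f"13:58:{i:02d}", 503 if i % 5 else 200) for i in range(40)]
)
if __name__ == "__main__":
    for minute, n, e503, ip in detect_spikes(SAMPLE_LOG):
        print(f"ALERT {minute}: {n} requests, {e503} x 503, top client {ip}")
```

On the constructed sample the quiet minutes stay silent and only the 13:58 flood minute is reported, with the single source address that dominates it.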