How to recover from a DDoS attack – and what they can teach businesses


Distributed denial of service (DDoS) attacks have been around since the early days of the internet, but they’re becoming increasingly devastating. Today, attacks are getting longer and more expensive. They are also surging in number, with 5.2 million HTTP DDoS attacks and 8.7 million network-layer DDoS attacks mitigated by Cloudflare alone in 2023.

DDoS has a huge financial and operational impact, with adversaries demanding ransom payments and using AI technology to ramp up attacks. DDoS attacks are also becoming easier to access, with DDoS-as-a-service offerings available to purchase for as little as $100.

Many firms have fallen victim to DDoS, including Google, GitHub, and Cloudflare. So, what should you do if you become a victim, and what can be learned from other high-profile DDoS attacks to help you recover quickly?

The impact of DDoS attacks

Anyone can be a target for DDoS attacks. Laurie Iacono, associate managing director in cyber risk practice at Kroll describes how the retail, finance and healthcare sectors are specifically targeted “because they have a lot to lose if their customer-facing websites are unavailable.”

No one is immune, not even large multinational firms. In October 2016, internet domain name services provider Dyn was the victim of three consecutive DDoS attacks perpetrated through a botnet consisting of IoT devices such as printers, IP cameras and baby monitors infected with the Mirai malware. The attacks on Dyn were devastating, impacting popular websites including Amazon, CNN, BBC, PayPal, Netflix, and The New York Times.

Two years earlier, attackers hit Cloudflare with a powerful DDoS attack involving a volume of traffic estimated at 400 Gbps. “Notably, the attack targeted a single CloudFlare customer, but it had a significant impact on the company’s network,” says Sergei Serdyuk, VP of product management, Nakivo.

It’s clear that attacks such as these can have a huge impact, but it’s possible to recover quickly if you follow the right protocols and strategy. In 2018, the online software development platform GitHub was the target of a 1.35 Tbps DDoS attack, at the time the largest ever recorded, per Wired.

Within 10 minutes, GitHub invoked Akamai Prolexic’s DDoS mitigation service, which began routing all of its incoming and outgoing traffic and filtering out malicious packets. “The attackers persisted for a total of 20 minutes before ending their assault and GitHub was able to recover immediately,” says Serdyuk.

How to recover quickly from DDoS attacks

To be able to get business operations back on track in the aftermath of a DDoS attack, every company needs to have a proper DDoS protection strategy for all their business-critical services, says Andreas Schneider, field CISO EMEA at Lacework.

This requires an understanding of the organization’s online presence and knowing which systems and services are essential parts of the key business processes. “All of those need to be protected against DDoS attacks, no matter if they are provided by internal IT or external parties,” says Schneider.

For the critical parts, he says you need to have a plan B “in case the DDoS shield is not protecting or working as expected”.

Schneider describes how he’s dealt with “plenty of DDoS attacks”, with the largest and most impactful lasting over a month.


One major challenge he faced was marketing landing pages. “These are typically externally hosted and they’re essential to generate leads and revenue. Those services were hosted outside our environment and were badly hit by the DDoS attacks that targeted us. This brought down several smaller web hosters across Europe – they almost went out of business.”

If a business’ defenses are breached and a DDoS attack is suspected, it's crucial leaders confirm the attack by “meticulously analyzing traffic patterns and gathering data”, says Lewis Graham, a consultant at Pentest People.

After that, the recovery process can commence. An important step is to deploy an alternative or backup website on a separate domain, he advises. “This ensures uninterrupted access to your services or information, mitigating losses for the business.”

Effective communication and teamwork are integral during a DDoS attack, Graham adds. “Making sure there are transparent channels for communication, sharing threat data, and coordinating response strategies will enable organizations to confront future attacks more effectively and lessen the potential impact.”

When dealing with DDoS, businesses will also need to be mindful of creating more issues than they fix. For example, IT teams might inadvertently open security holes when cutting off volumetric attacks.

Surviving DDoS attacks in the long term

After recovering from DDoS, it’s a good idea to examine what happened and work out how you can better deal with the next one. Every attack, including DDoS, will challenge an organization’s defense. The key is to learn from every identified failure or gap, says Schneider.

He recommends performing a “post-mortem” exercise where “key learnings are discussed and used to improve processes and technologies”. Security personnel should also join expert groups, meetups and conferences and speak about their lessons to help others, he says.

It’s important to analyze the attack in as much detail as possible, says Rozenberg. This information will come from your security provider or your internal network. “Interrogate which assets were attacked, what protocols and patterns were used, how long the attack lasted, and whether it impacted the network layer or the application layer. It’s only when you have a full picture of what happened that you can give your business the best chance of preventing future attacks.”
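Both the confirmation step Graham describes (analyzing traffic patterns) and the post-mortem questions Rozenberg lists (which assets, which protocols, how long, network or application layer) can be answered from per-minute flow summaries. The script below is an added example, not code from the article or from any vendor named in it; the flow records, asset names, the port-based layer heuristic and the 10x-baseline flood threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed per-minute flow summaries (not from the article):
# timestamp  target_asset  protocol  dst_port  packets  http_path_or_dash
SAMPLE_FLOWS = """\
2024-03-01T10:00:00 www.shop.example TCP 443 900 /
2024-03-01T10:01:00 www.shop.example UDP 53 480000 -
2024-03-01T10:02:00 www.shop.example UDP 53 510000 -
2024-03-01T10:03:00 api.shop.example TCP 443 220000 /login
2024-03-01T10:04:00 api.shop.example TCP 443 240000 /login
2024-03-01T10:05:00 api.shop.example TCP 443 1100 /login
"""
BASELINE_PACKETS = 5000  # assumed normal per-minute volume for one asset (constructed)

def parse_flows(text):
    """Turn the whitespace-separated lines into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, asset, proto, port, packets, path = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "asset": asset, "proto": proto,
                     "port": int(port), "packets": int(packets), "path": path})
    return rows

def classify_layer(row):
    """Heuristic: floods aimed at a URL on 80/443 are application layer; the rest network layer."""
    return "application" if row["path"] != "-" and row["port"] in (80, 443) else "network"

def post_mortem(rows, baseline=BASELINE_PACKETS):
    """Answer the post-mortem questions: which assets, which protocols, how long, which layer."""
    flood = [r for r in rows if r["packets"] > baseline * 10]  # crude confirmation: 10x baseline
    if not flood:
        return None  # nothing exceeded the threshold, so no attack is confirmed
    assets = defaultdict(lambda: {"protocols": set(), "layers": set()})
    for r in flood:
        assets[r["asset"]]["protocols"].add(f'{r["proto"]}/{r["port"]}')
        assets[r["asset"]]["layers"].add(classify_layer(r))
    stamps = [r["ts"] for r in flood]
    return {
        "assets": {a: {k: sorted(v) for k, v in d.items()} for a, d in sorted(assets.items())},
        "protocols": sorted({p for d in assets.values() for p in d["protocols"]}),
        "layers": sorted({lay for d in assets.values() for lay in d["layers"]}),
        "start": min(stamps).isoformat(),
        # each record covers one minute, so the last window counts in full
        "duration_minutes": (max(stamps) - min(stamps)).total_seconds() / 60 + 1,
    }

if __name__ == "__main__":
    print(post_mortem(parse_flows(SAMPLE_FLOWS)))
```

In a real environment the baseline would come from historical traffic for each asset rather than a single constant, and the layer decision from the provider's scrubbing reports rather than a port check.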

Centralization and consolidation are important, as is the need to segment and differentiate systems, says Muhammad Yahya Patel, lead security engineer at Check Point. “If a government’s website is down for a while, it would be annoying. But there would be more serious consequences if, for example, services related to benefits or subsidies were down, or emergency services could not be contacted.”

Following an attack, it’s crucial to take stock of the damage and get a handle on how it has impacted your business and customers or users, says Rozenberg. “By understanding the internal ‘cost’ of an attack, you can decide how much you’re willing to spend to make sure it doesn’t happen again.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.