Surviving DDoS Attacks
That said, there are steps that can be taken to mitigate the effects of a DDoS attack. As mentioned in the previous section, the first thing to start is the investigative process. Determine which core router (a router that handles Internet backbone traffic) is passing the packets to your border router (a router that connects your network to the Internet). Contact the owners of the core router, likely a telecom company or the ISP, and inform them of your problem. Ideally, there will be a process in place which can expedite your requests for help. They, in turn, need to determine where the malicious traffic reaches their network and contact the source. By that point, it's out of your hands.

So what can be done in the meantime? Since it's not likely that you'll be able to quickly stop the DDoS flood, there are a few steps which might help mitigate the attack temporarily. If the target is a single machine, a simple IP address change can end the flood. The new address can be updated on internal DNS servers and given to a few crucial external users. It's not an elegant solution, but it is a quick one which works. This is especially useful for key servers (e.g. mail or database servers) under attack on your network.

There is a chance that some filtering techniques can help. If the attack is unsophisticated, there might be a specific signature to the traffic. A careful examination of captured packets sometimes reveals a trait on which you can base either router ACLs (access control lists) or firewall rules. Additionally, a large amount of traffic may originate from a specific provider or core router. If that's the case, you might consider temporarily blocking all traffic from that source, which should allow a portion of legitimate activity through. Keep in mind, however, that you'll also be blocking "real" packets, or legitimate traffic, but this may be an unavoidable sacrifice.
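As an added example (not part of the original article), the following Python script sketches the "careful examination of captured packets" step: it compares constructed per-packet header summaries from a pre-attack baseline against a capture taken during the flood, keeps only the traits that dominate the flood yet rarely appear in normal traffic, and renders them as a firewall rule. The packet records, addresses and thresholds are constructed for illustration, and the iptables syntax is assumed as one concrete form the article's "firewall rules" could take.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed data, not real captures: (src_ip, proto, dst_port, pkt_len, ttl) per
# packet. BASELINE predates the attack; FLOOD adds 45 attack packets from one /24.
BASELINE = [
    ("198.51.100.7", "tcp", 443, 1420, 118), ("198.51.100.9", "tcp", 443, 60, 118),
    ("192.0.2.33", "tcp", 25, 80, 52), ("192.0.2.40", "udp", 53, 77, 60),
    ("203.0.113.5", "tcp", 443, 1200, 64), ("203.0.113.6", "tcp", 80, 500, 64),
    ("192.0.2.41", "tcp", 80, 1500, 120), ("198.51.100.20", "tcp", 22, 96, 110),
    ("192.0.2.50", "tcp", 443, 1300, 56), ("198.51.100.21", "tcp", 443, 900, 57),
]
FLOOD = BASELINE + [("203.0.113.%d" % (i + 1), "udp", 53, 300, 64) for i in range(45)]
TRAITS = ("src_net", "proto", "dst_port", "pkt_len", "ttl")

def traits(pkt):
    """Candidate filter traits of one packet summary."""
    src, proto, dport, length, ttl = pkt
    return {"src_net": str(ip_network(src + "/24", strict=False)),
            "proto": proto, "dst_port": dport, "pkt_len": length, "ttl": ttl}

def share(pkts, name, value):
    """Fraction of packets whose trait `name` equals `value`."""
    return sum(traits(p)[name] == value for p in pkts) / len(pkts)

def select_signature(flood, baseline, min_flood=0.8, max_baseline=0.15):
    """Keep trait values that cover most of the flood but little of the baseline,
    so the rule sheds few legitimate packets (the /24 and TTL 64 are rejected)."""
    sig = {}
    for name in TRAITS:
        value, _ = Counter(traits(p)[name] for p in flood).most_common(1)[0]
        if (share(flood, name, value) >= min_flood
                and share(baseline, name, value) <= max_baseline):
            sig[name] = value
    return sig

def iptables_rule(sig):
    """Render the signature as an iptables DROP rule (length/ttl are netfilter matches)."""
    parts = ["iptables", "-A", "INPUT"]
    if "src_net" in sig:
        parts += ["-s", sig["src_net"]]
    if "proto" in sig:
        parts += ["-p", sig["proto"]]
        if "dst_port" in sig:  # --dport is only valid together with -p
            parts += ["--dport", str(sig["dst_port"])]
    if "pkt_len" in sig:
        parts += ["-m", "length", "--length", str(sig["pkt_len"])]
    if "ttl" in sig:
        parts += ["-m", "ttl", "--ttl-eq", str(sig["ttl"])]
    return " ".join(parts + ["-j", "DROP"])
```

Here the attacking /24 is the most common source in the flood, but because two legitimate clients share it the baseline check rejects it, which is the trade-off the article describes when blocking a whole provider.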
A final option, one which might be available to larger companies and networks, is to throw more hardware or bandwidth at the flood and wait it out. Again, it's not the best solution, nor the least expensive one, but it may provide a temporary fix nevertheless. It's important to stress that the investigative process should begin immediately. Without a doubt, there will be multiple phone calls, callbacks, emails, pages and faxes between your organization, your provider and others involved. It's a time-consuming process, so get the ball rolling. It's taken some very large networks with plenty of resources several hours to halt a DDoS, so plan accordingly.