How to Recover from a DDoS Attack
They say nothing lasts forever – and neither do DDoS attacks. Recovering from a DDoS attack is no simple matter, but once an attack is over, it is time to assess the impact, evaluate your defenses, and better prepare for the next incident.
Whereas the previous parts in this series focused on how to prepare for a DDoS attack before it happens, and what you should do during an attack, this part will discuss what you should do after the DDoS attack is over.
To strengthen your defenses and minimize the impact next time, here are the recommended key steps.
Analyze the Attack
Once the attack is over, try to analyze it in as much detail as possible.
You can get most of this information either from your security provider, or from your internal network and application system logs.
Some of the key questions to ask include:
- What assets were attacked? Was it targeted at your entire network, or did it target specific servers or services?
- What were the attack characteristics? Was it a single sustained flood, or did it employ sophisticated attack methods such as multi-vector attacks, dynamic IP spoofing, or burst attacks?
- What attack protocols and patterns were used?
- What was the peak amount of network traffic, both in terms of data (bits per second) and requests (connections per second)?
- Did the attack impact the network layer, or also the application layer?
- Did the attack include encrypted traffic or protocols?
- How long did the attack last?
Getting this information will help you get a full picture of what happened.
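Most of these questions can be answered from flow or server logs. As an added example (not from the original post), the Python below summarises constructed per-second traffic records into peak bits/s, peak connections/s, duration, top target and attack vectors; the host names, baseline and vector-share thresholds are assumptions.

```python
# Added example (not from the original post): summarise an attack window from
# constructed per-second traffic records to answer the analysis questions above
# (targeted assets, protocols/vectors, peak bits/s and connections/s, duration).
from collections import Counter, defaultdict

# Constructed sample records: (second, destination host, protocol, bytes,
# new connections). They imitate a SYN flood plus DNS flood against "web-1".
SAMPLE = [
    (0, "web-1", "TCP/SYN", 12_000_000,  9_000),
    (0, "api-1", "TCP/443",    800_000,    120),
    (1, "web-1", "TCP/SYN", 95_000_000, 70_000),
    (1, "web-1", "UDP/53",  60_000_000,      0),
    (2, "web-1", "TCP/SYN", 88_000_000, 65_000),
    (3, "dns-1", "UDP/53",     500_000,     40),
]

def summarize(records, baseline_bps=5_000_000, vector_share=0.10):
    """Seconds whose total bit rate exceeds baseline_bps count as attack
    seconds; protocols carrying at least vector_share of all bits count as
    attack vectors. Both thresholds are assumptions for the example."""
    bits_per_sec = defaultdict(int)
    conns_per_sec = defaultdict(int)
    bits_by_host = Counter()
    bits_by_proto = Counter()
    for sec, host, proto, nbytes, conns in records:
        bits = nbytes * 8
        bits_per_sec[sec] += bits
        conns_per_sec[sec] += conns
        bits_by_host[host] += bits
        bits_by_proto[proto] += bits
    attack_secs = sorted(s for s, b in bits_per_sec.items() if b > baseline_bps)
    total_bits = sum(bits_by_proto.values())
    vectors = [p for p, b in bits_by_proto.most_common()
               if b / total_bits >= vector_share]
    return {
        "peak_bps": max(bits_per_sec.values()),
        "peak_cps": max(conns_per_sec.values()),
        # span from first to last attack second, including any quiet gaps
        "duration_s": (attack_secs[-1] - attack_secs[0] + 1) if attack_secs else 0,
        "top_target": bits_by_host.most_common(1)[0][0],
        "vectors": vectors,
        "multi_vector": len(vectors) > 1,
    }

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```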
Assess Damages
Apart from analyzing the attack itself, you need to understand how it impacted you.
This is a key step in understanding your internal “cost” of a DDoS attack, and as a result – how much you may be willing to spend in the future to prevent this from happening again.
Some of the key questions to ask include:
- Was the attack stopped, or did it get through (either entirely, or in part)?
- Which services were impacted, to what extent, and for how long?
- What were the direct monetary damages (i.e., in lost revenue, lost productivity time, etc.)?
- Were there any indirect damages, such as bad press, damage to reputation, customer complaints, etc.?
- Did users experience any impact as a result of the attack, either as a result of the attack itself, or as a result of defensive measures (false positives)?
Identify Weak Spots
The next step after identifying damages is to identify any weak spots in your defense – that is, why was attack traffic able to get through?
- Did any attack traffic get through? If so, how much?
- Were there any specific attack vectors that were more successful than others? In particular, were there some patterns that were stopped, while others were able to get through?
- Were there any targeted resources that were impacted more than others? For example, were there some resources (networks, servers, applications, etc.) that were able to fend off the attack, while others were impacted?
- Did legitimate users experience any false positives? What was the ratio of legitimate traffic to malicious traffic that was stopped (or allowed to go through)?
By identifying weak spots, you should try to understand not only what resources were impacted, but also why they were impacted. Was there a particular type of attack that was able to get through, or – conversely – were there specific services that were impacted while others were not?
Another key element to look at is false positives. If your protections are deployed too broadly, this can lead to false positives which prevent legitimate users from accessing services. Even though this is not caused by the attack itself, for end customers the experience is the same.
Identifying weak spots in your armor helps you to address them in the next steps.
Verify Security Vendor SLA
If you have a pre-existing DDoS mitigation service in place, now is the time to check that they met their SLA commitments.
When it comes to protection against DDoS attacks, there are a number of key metrics that can be verified and measured:
Any DDoS protection service worth its salt will commit to all six of these metrics.
A particularly important KPI is the ‘Time-to-Detect’ metric, since it measures how quickly the attack is detected and, as a result, when the mitigation clock starts. Not including this metric effectively allows the DDoS service provider to define for themselves the time when mitigation should begin.
Another important metric is ‘Consistency of Mitigation’. This metric tests the ratio of bad traffic that is allowed to go through versus bad traffic that is stopped. In effect, this is a measurement of the effectiveness of mitigation, since it verifies that malicious traffic is actually being stopped, and defenses are not just deployed ineffectively.
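As an added example (not from the original post), the Python below derives Time-to-Detect, time-to-mitigate, Consistency of Mitigation, the leakage ratio and the false-positive ratio (the questions under Identify Weak Spots) from a constructed, post-hoc labelled mitigation log and checks them against assumed SLA thresholds; the log format, field names and thresholds are all assumptions.

```python
# Added example (not from the original post): compute the SLA metrics the
# post discusses (Time-to-Detect, Consistency of Mitigation, false positives)
# from a constructed, post-hoc labelled mitigation log. Field layout is assumed.
from datetime import datetime

# Constructed lines: time, action by the mitigation service (pass/drop/alert),
# analyst's post-hoc verdict (malicious/legit, "-" for alerts), packet count.
LOG = """\
2024-05-01T10:00:00 pass malicious 4000
2024-05-01T10:00:30 pass malicious 9000
2024-05-01T10:00:45 alert - 0
2024-05-01T10:01:10 drop malicious 120000
2024-05-01T10:01:10 drop legit 300
2024-05-01T10:02:00 drop malicious 150000
2024-05-01T10:02:00 pass legit 5000
2024-05-01T10:02:30 pass malicious 6000
"""
# Constructed: when your own logs first show the flood (not the vendor's alert).
ATTACK_START = datetime(2024, 5, 1, 10, 0, 0)

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, action, verdict, pkts = line.split()
        rows.append((datetime.fromisoformat(ts), action, verdict, int(pkts)))
    return rows

def sla_metrics(rows, attack_start):
    """Times are measured from attack_start so the vendor's own first alert
    does not define when the mitigation clock begins."""
    alerts = [ts for ts, a, _, _ in rows if a == "alert"]
    drops = [ts for ts, a, _, _ in rows if a == "drop"]
    def pkts(verdict, action=None):
        return sum(p for _, a, v, p in rows
                   if v == verdict and (action is None or a == action))
    mal, mal_dropped = pkts("malicious"), pkts("malicious", "drop")
    leg, leg_dropped = pkts("legit"), pkts("legit", "drop")
    return {
        "time_to_detect_s": (min(alerts) - attack_start).total_seconds() if alerts else None,
        "time_to_mitigate_s": (min(drops) - attack_start).total_seconds() if drops else None,
        "mitigation_consistency": mal_dropped / mal if mal else None,  # bad traffic stopped
        "leakage_ratio": (mal - mal_dropped) / mal if mal else None,   # bad traffic let through
        "false_positive_ratio": leg_dropped / leg if leg else None,    # good traffic stopped
    }

def check_sla(metrics, sla):
    """sla maps metric name to threshold (assumed values); higher is better
    only for mitigation_consistency, lower is better for everything else."""
    return {k: (metrics[k] is not None and
                (metrics[k] >= v if k == "mitigation_consistency" else metrics[k] <= v))
            for k, v in sla.items()}
```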
Consider Upgrading Your DDoS Defenses
Once you have completed an assessment of the attack, the damages, any potential weak spots, and the effectiveness of your existing defenses, now is the time to ask yourself whether you should upgrade your protection in anticipation of next time.
A high-grade DDoS protection service should provide you with technology, capacity and service guarantees to ensure full protection against any type of DDoS threat.
Look at the results of your analysis, based on the points above, and ask yourself the following questions:
- Did my defenses stop the attack?
- Was all attack traffic stopped, or did some of it get through?
- Were my users able to escape the impact of the attack (either directly, or as false positives)?
- Did my security vendor provide me with all the relevant service guarantees, and was it able to meet them?
If the answer to all of those questions is yes, then great – you are well protected. But if the answer to one (or more) of these questions is no, then maybe you should start looking at alternatives.