What to do if you’ve had a DDoS attack

What is a DDoS attack?

DDoS stands for: Distributed Denial of Service attack. This is when a large amount of data is sent via the internet to either your website, or internet facing company perimeter, with the sole purpose of causing your systems to shut down, due to not being able to handle such large numbers of requests simultaneously.

A DDoS attack is often conducted by hundreds or thousands of compromised machines, typically sending data to your website, or network perimeter. These attacks often come from already compromised machines and run automatically.

A DDoS attack is quite often the mask or smoke to cover a separate attack on your systems, while you are concentrating your efforts to the DDoS attack.

Look out for:

  • Website down
  • No access to website management
  • Slow response, or loss of internet access

First steps:

  1. If you manage your website, put it into maintenance mode to prevent any loss of website data, and inform your company management team of the issue.
  2. Call your internet service provider (ISP) and tell them that you are under attack.
  3. Call any other 3rd parties that may be responsible for service delivery, or perimeter security management, and let them know that you are under attack.
  4. Capture as much information as possible:

    • Time of event
    • Traffic statistics, if possible to show traffic throughput
    • Server logs
    • Event characteristics e.g. is it late at night, early morning, all day, all night etc.
  5. Monitor all other systems, and be vigilant to any changes that might take place or are put on your systems, during or soon after the DDOS event.

Who to contact

  • Report to action fraud 0300 123 2040 as soon as possible
  • Contact ISP, Web hosting company
  • Contact any customers/clients if you have experienced a data loss
  • Inform ICO as necessary

Follow up action

  • Check all other critical systems and backend databases, taking note of any system changes or modifications
  • Look to mitigate the issue by having in place a temporary site that you can switch to if you find yourself under attack in the future

Next steps

  • Engage expert advice to help mitigate the issues, and implement a resilient solution that will limit any DDOS reoccurrence:

    • Cloudflare
    • Akami
    • DOS Arrest
    • Incapsula
  • Maintain a risk register and update any disaster recovery plan to include a DDoS survival plan

Further steps

Get Safe Online’s top tips for protecting your business from a DDoS:

  • Consider the likelihood and risks to your organisation of a DDoS attack, and put appropriate threat reduction/ mitigation measures in place.
  • If you consider that protection is necessary, speak to a DDoS prevention specialist.
  • Whether you are at risk of a DDoS attack or not, you should have the hosting facilities in place to handle large, unexpected volumes of website hits.