How to Detect a DDoS Attack

Media Division | June 28, 2017

They’ve shut down “half the internet.” They’ve hit news agencies, security professionals, and even popular video games. They are such a hot topic in cyber security, and so common, that it seems like anybody who’s anybody has been hit with a DDoS (distributed denial of service) attack at some point.

When they are not all that effective, they just slow things down a bit and you hardly notice. Customers can’t access your service or products, or access is slowed, and no one may have even reported it to you.

When they are highly effective they can cost valuable time and money, in lost revenue and in recovery time.

Here’s what you need to know about a DDoS attack, including how to detect one.

What They Are

Fortunately, networks are much more difficult to overwhelm than they used to be. In days gone by, you could have some ne’er-do-well with four computers in a basement target your system and you’d experience major slowdowns.

Unfortunately, to keep up with the increased bandwidth and rerouting measures of today’s systems, nefarious actors have gotten more sophisticated as well. They infect hundreds, sometimes even thousands (or more!) of internet-ready devices with malware, which allows them to remotely begin targeting your system on command.

The number of internet-ready devices has likewise grown. Routers, streaming devices and Blu-ray players, ATMs, and even baby monitors all make up a growing market known as the internet of things (IoT).

The IoT, once infected, becomes a botnet army.

How to Detect a DDoS Attack

Even before you go and pull the server logs (more on that later) during a DDoS attack, you’ll likely experience one or more of the following phenomena:

  • Intermittent 503 “Service Unavailable” errors
  • Server crash
  • Services become too slow to operate, such as taking several minutes to render a page or submit a form

Any of these clues would be sufficient reason to open a Windows command prompt and type “netstat -an”, which lists the server’s active connections and listening ports. Under normal circumstances, that output would show multiple IP addresses connecting to a variety of specific ports.

Not so under a DDoS attack.  Suddenly that server output would show a long list of contiguous ports and connections timing out (usually displaying the IP address, port, and TIME_WAIT). You may see hundreds, thousands, or even hundreds of thousands of such timed-out connections.

That alone confirms you are under a cyber attack.
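The netstat check described above, as an added example (not code from the original article): it parses Windows-layout “netstat -an” output, tallies TCP states, and counts connections per remote host. The sample output, the function names, and both alert limits are assumptions made for illustration.

```python
"""Summarise Windows `netstat -an` output: TCP state counts and busiest remote hosts."""
from collections import Counter

# Constructed sample in Windows `netstat -an` layout (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:49152     TIME_WAIT
  TCP    192.0.2.10:80          198.51.100.7:49153     TIME_WAIT
  TCP    192.0.2.10:80          198.51.100.7:49154     TIME_WAIT
  TCP    192.0.2.10:80          203.0.113.9:50211      ESTABLISHED
  TCP    [::]:443               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

def parse_netstat(text):
    """Yield (local_port, remote_host, state) for each TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # headers, blank lines, UDP rows (no state column)
        local, remote, state = fields[1:]
        # rsplit keeps bracketed IPv6 addresses such as [::]:443 intact
        local_port = local.rsplit(":", 1)[1]
        remote_host = remote.rsplit(":", 1)[0]
        yield local_port, remote_host, state.upper()

def summarise(text, time_wait_limit=1000, per_host_limit=100):
    """Count states and per-host connections; both limits are assumed values
    to tune against the server's normal baseline, not figures from the article."""
    states, hosts = Counter(), Counter()
    for _port, host, state in parse_netstat(text):
        states[state] += 1
        if state != "LISTENING":
            hosts[host] += 1
    noisy = {h: n for h, n in hosts.items() if n >= per_host_limit}
    return {
        "states": dict(states),
        "top_hosts": hosts.most_common(5),
        "noisy_hosts": noisy,
        "time_wait_alert": states["TIME_WAIT"] >= time_wait_limit,
    }

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(summarise(text))
```

Piping live output into the script (netstat -an | python followed by the file name you saved it under) summarises the server’s current connections; comparing the result with a summary taken during normal traffic shows whether the TIME_WAIT count and per-host totals are unusual.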

What to Do in the Event of an Attack

Ideally, part of your corporate cyber security action plan includes what to do in the event of a DDoS attack. Once you’ve confirmed an attack, as described above, you can pull the server logs and determine when your attack began.  You will also have the IP address for at least one attacker.

At the very least, report the attack to the abuse report email of an ISP. (The ISP name is in the server log.) Email “abuse@<>.” Just don’t expect an immediate reply. That measure helps ensure the attacker cannot continue to use that IP address for attacks.

That won’t be enough.

You will also need to block and/or nullify the attacks to return to normal business operations. For that, you should have a game plan you’ve worked out with a professional cyber security team. You can reach out and inform your team of the attack and any known data, such as information from the server logs.

But implementing such measures at the time of an attack is exactly why you have a cyber security action plan. Enact your plan of response quickly, and you’ll be back to normal operations in no time.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.