
The dos and don’ts of dealing with DDoS attacks

by Clare Stonebridge and Ben Crowther

Vigilance and a complete understanding of what DDoS entails are critical to staying protected.


Distributed denial of service (DDoS) is one of the most serious and prevalent cyber threats to the education and research sector. It can also be one of the most difficult to detect and prevent.

DDoS attacks may be relatively unsophisticated but they are incessant, and can overwhelm IT systems without warning, seriously impairing their ability to function. Students and staff, who need constant access to systems, are blocked – often for prolonged periods – and business availability is jeopardised.

Like all internet-connected organisations, the tertiary education sector must continually defend itself against these opportunistic attacks, so implementing basic security controls must form the foundation of every institution’s security strategy.

The DDoS risk is rising

Globally, a third of all downtime incidents are attributed to DDoS attacks. And they are increasing in size, duration and frequency. In the first half of 2023, NETSCOUT observed a staggering total of around 7.9 million DDoS attacks – that's about 44,000 a day and represents a 31% rise year-on-year.

Across UK education and research, Jisc detected, confirmed and successfully mitigated 983 DDoS attacks against our members in 2023.

Even with preventive measures in place, the potential disruption, reputational damage and financial repercussions of this type of attack mean that DDoS must be on any institution’s risk register.

Vigilance, preparedness and a complete understanding of what DDoS entails are critical to staying protected.

What exactly is a DDoS attack?

In a DDoS attack, cyber criminals attempt to disrupt computer and internet resources by using vast volumes of traffic to flood the connection on which an institution relies. The attacker enlists thousands of internet-connected machines (most commonly automated bots, typically compromised devices) to each generate a small number of requests which, added together, overload the target’s underlying systems.

The most common method is the volumetric attack, where attackers send as much traffic as possible to one site in order to saturate an organisation’s bandwidth and prevent genuine traffic from flowing. If a volumetric DDoS is large enough, it will fill your connection to the internet, stopping all inbound and outbound services to your organisation.

Another common tactic is state exhaustion, where the aim is to drastically disrupt your servers and networks. State exhaustion attacks will consume your edge network or security infrastructure resources, causing interruptions to your organisation’s internet connection.

The most complex and aggressive attacks are usually aimed at layer seven, the application layer: the top layer of behind-the-scenes software that provides users with functionality. Cyber criminals target specific services or servers with many queries, often blending in with normal traffic levels and behaviours. The result can be a total inability to respond to legitimate requests.

We’re also seeing a significant spike in DNS flood attacks, which involve a large number of rapid DNS requests. If your primary DNS infrastructure goes down, this could affect access to websites or email systems – detrimental at any time but especially damaging at busy times such as clearing.

What can you do to mitigate against DDoS attacks?

Do be prepared. Cyber exercises, where incidents are simulated in a safe environment, are proving to be a particularly valuable tool. They can be tailored to suit different levels and ensure that everyone in the organisation – from IT teams to senior leaders and support staff – knows exactly what to do in the event of an attack.

Do activate the foundation DDoS mitigation that’s included in your Jisc membership. Also included in membership is access to Jisc’s full incident response capability, with dedicated CSIRT experts who have gained certification to NCSC Cyber Incident Response (CIR) Level 2 and can provide advice and guidance.

Do implement basic security controls and monitoring. Both volumetric and state exhaustion attacks are usually visible through latency and connectivity monitoring. Keeping a close eye on your server health is a good way of identifying layer seven attacks, and some security appliances can also identify them.

Do use firewalls – they can block attacks to a certain extent. While firewalls come with default settings, you’ll need to set your own thresholds so that protections are applied when these are exceeded, and any DDoS features or rate limiting capabilities on firewalls need to be baselined against your ‘normal’ traffic levels.
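The two paragraphs above describe the same detection idea from two angles: connectivity and server-health monitoring make volumetric, state exhaustion and layer seven floods visible, and any rate-limit or DDoS threshold has to be baselined against your own normal traffic before it is useful. The script below, an added example that is not part of the Jisc post or its services, shows one minimal way to do that over web server access logs: learn a per-minute baseline from quiet minutes, then flag a minute whose total request rate is far above that baseline (the volumetric/state exhaustion signal) or a single source sending far more than any source did during the baseline (the layer seven signal). The log lines are constructed inside make_sample_log() and the thresholds (three standard deviations, ten times the busiest baseline source) are assumptions to tune against your own traffic.

```python
"""Baseline-and-threshold DDoS indicator over common-log-format access logs.

Added example, not Jisc code. Log lines are constructed in make_sample_log();
the k=3 and source_factor=10 thresholds are illustrative assumptions.
"""
import re
import statistics
from collections import Counter, defaultdict

# Apache/NGINX common log format: ip ident user [timestamp] "request" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)


def make_sample_log():
    """Constructed data: ten quiet minutes, one flood minute (10:10), one quiet minute."""
    lines = []

    def add(ip, minute, n):
        for _ in range(n):
            lines.append(
                f'{ip} - - [12/Mar/2024:10:{minute:02d}:00 +0000] "GET / HTTP/1.1" 200 512'
            )

    quiet_ips = [f"203.0.113.{i}" for i in range(1, 11)]
    for minute in range(10):  # totals cycle 20, 21, 22 requests per minute
        for idx, ip in enumerate(quiet_ips):
            add(ip, minute, 2 + (1 if idx < minute % 3 else 0))
    for ip in quiet_ips:  # legitimate users during the flood minute
        add(ip, 10, 5)
    add("198.51.100.7", 10, 150)  # one source dominating the minute
    for idx, ip in enumerate(quiet_ips):  # back to normal: 21 requests
        add(ip, 11, 2 + (1 if idx < 1 else 0))
    return lines


def per_minute_sources(lines):
    """Map each HH:MM bucket to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than fail mid-incident
        minute = m.group("ts")[12:17]  # '12/Mar/2024:10:00:00 +0000' -> '10:00'
        buckets[minute][m.group("ip")] += 1
    return buckets


def baseline(buckets, training_minutes):
    """Learn 'normal': mean/stdev of total rate and the busiest single source."""
    totals = [sum(buckets[m].values()) for m in training_minutes]
    peak_source = max(max(buckets[m].values()) for m in training_minutes)
    return {
        "mean": statistics.mean(totals),
        "stdev": statistics.stdev(totals),
        "peak_source": peak_source,
    }


def detect(buckets, base, k=3.0, source_factor=10):
    """Flag minutes above mean + k*stdev and sources above source_factor * baseline peak."""
    volume_limit = base["mean"] + k * base["stdev"]
    source_limit = base["peak_source"] * source_factor
    alerts = []
    for minute in sorted(buckets):
        counter = buckets[minute]
        total = sum(counter.values())
        if total > volume_limit:
            alerts.append(("volume", minute, total))
        for ip, n in counter.most_common():
            if n > source_limit:
                alerts.append(("source", minute, ip, n))
            else:
                break  # most_common() is descending, so nothing later can exceed the limit
    return alerts


def run_demo():
    """Train on the ten quiet minutes, then scan every minute in the constructed log."""
    buckets = per_minute_sources(make_sample_log())
    training = [f"10:{m:02d}" for m in range(10)]
    return detect(buckets, baseline(buckets, training))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data the baseline mean is 20.9 requests per minute with a busiest source of 3, so only 10:10 trips both checks: a volume alert at 200 requests and a source alert for 198.51.100.7 at 150. The same two numbers, the volume limit and the per-source limit, are what you would carry across to a firewall or load balancer rate-limit setting, which is why they should be learned from your own quiet periods rather than taken from vendor defaults.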

Don’t, however, rely on firewalls alone. Taking a layered approach to cyber security is the best way to achieve defence in depth.

Don’t forget to explore further protection options. Jisc’s foundation DDoS mitigation plus provides automated detection and protection against large volumetric and state exhaustion attacks at all times, while critical services protection safeguards business-critical services by providing out-of-hours coverage. Deploying multiple layers of protection acts like an insurance policy, giving you peace of mind that your organisation is protected at all times.

Don’t underestimate the likelihood of an incident. Make sure that DDoS attacks are on your organisation’s risk register. A formalised incident response plan is essential, and it should be tested regularly to identify areas of weakness against DDoS.

Don’t miss out on the opportunity to share threat intelligence and best practices: join the cyber security community group and keep up-to-date with the latest cyber security insights from across the education and research sector.

About the authors

Clare Stonebridge
Network security services manager, Jisc
Ben Crowther
Defensive services manager, Jisc