Key Points
- Identify all assets that are exposed to the internet, set specific availability goals, and choose which services should always be protected by CDN and WAF, and which ones you will only protect during a DDoS attack.
- Set up your mitigation workflows ahead of time, write down what triggers their activation, and adjust routing, caching, geo and ASN filters, bot blocking, and rate limits to block bad traffic before it reaches your servers.
- Monitor your systems in real-time with health checks and dashboards that highlight traffic spikes, unusual request patterns, and more errors than usual. This helps you quickly identify issues and respond promptly.
- Conduct tabletop drills every quarter and run technical tests twice a year to ensure your activation steps are effective. Track how quickly you go from detecting a problem to stopping it, and collect proof for audits and updates to stakeholders.
- After every incident, review what happened, change rate limits and bypass lists as needed, update your escalation steps, and save all logs, graphs, alerts, and configuration changes. Tools like NinjaOne can help you keep your monitoring and records organized.
Defense against DDoS attacks requires a layered approach of both proactive and reactive measures. As an IT administrator or a managed service provider (MSP), you need to protect a range of public-facing IT infrastructure from DDoS attacks to prevent downtime and the intrusions that sometimes accompany it, and to prove your readiness and compliance to stakeholders and clients. When an incident does occur, you need to be able to act swiftly and record evidence that your response was effective.
This guide provides a practical playbook on how to prepare for DDoS attacks. It discusses different mitigation methodologies, event monitoring, and recording outcomes so that gaps can be identified, and a defensive posture can be demonstrated to clients.
What is the best solution for a DDoS attack?
A DDoS attack is a cyberattack in which an attacker floods your website, servers, or other infrastructure with traffic from many sources at once, so that the flood cannot be stopped by blocking a single address. The goal is either to take the service offline or to push it into a degraded, unexpected state that the attacker can exploit to gain further access to your IT infrastructure.
Due to the variety of services that can be targeted by DDoS attacks and the different kinds of attack methods, a layered defense is required. Upstream scrubbing, web application firewalls (WAF), content delivery networks (CDN), monitoring, and platform-specific controls should all be leveraged for the best possible DDoS mitigation.
By following this guide, you’ll apply the following best practices for preventing DDoS attacks:
| Best practice | Purpose | Value delivered |
|---|---|---|
| Pre-enroll upstream mitigation | Reduced DDoS response time | Faster activation and fewer outages |
| Front public apps with CDN and/or WAF | Absorbs and filters traffic surges to the origin | Better performance and resilience |
| Monitor volume and patterns | Detect early signs of attack and triage correctly | Shorter time to mitigation |
| Regular drills | Removes uncertainty and assigns ownership | Predictable response across MSP clients |
| Archive evidence monthly | Prove readiness and compliance | Increased credibility with stakeholders and compliance documentation |
What you need to block DDoS attacks
DDoS campaigns are diverse and may use one or more attack vectors depending on the intention of the attacker. They can range from simple attempts to take down a website with a flood of traffic to targeted attempts to undermine security.
To begin planning and implementing your defense against DDoS attacks, you’ll need:
- An inventory of internet-facing services, DNS records, and current service providers
- Established baselines for normal traffic volume, request mix, and error rates
- An upstream mitigation service, such as a CDN and WAF
- A shared documentation repository for storing logs, incident playbooks, emergency contacts, and compliance evidence
Step 1: Classify public assets and set availability targets
The most effective way to mitigate distributed denial of service (DDoS) attacks is to understand your infrastructure and plan accordingly. Catalog all public-facing services and categorize them by criticality and exposure. Identify which services can be protected using a CDN and/or WAF, and which must accept direct traffic (for example, services that speak protocols a CDN cannot proxy). Decide on acceptable downtime and error budgets for each service, and use these to determine which protections must be always on, and which will be activated only when there are signs of a DDoS attack.
Step 2: Establish upstream mitigation and activation paths
Critical applications should be protected with managed DDoS mitigation services that combine upstream scrubbing for network- and transport-layer floods with a CDN and WAF for application-layer protection. This reduces traffic to your origin servers and filters out malicious requests. Restrict the origin so that it accepts traffic only from the provider's published address ranges; otherwise an attacker who learns the origin IP can bypass the CDN and WAF entirely. Fully document these measures during implementation, including configuration, activation triggers, and workflows. Follow your cloud provider’s documented best practices to ensure the best results.
Step 3: Prepare routing, caching, and rate controls
Configure your CDN to cache content, and set sensible rate limits in your WAF, with a bypass list for your own health checks and known partner addresses so that tightening a limit during an incident does not take your monitoring down with it. Scoping requests to expected geographic regions, ASNs, and IP ranges can drastically reduce traffic. For example, a service that only serves North America can block traffic from elsewhere, or a company can block connections from commercial VPN exit points outside the countries where it has employees. Geo and ASN rules do affect legitimate travelers and remote workers, so decide in advance which of them are always on and which are incident-only. Malicious bots should also be blocked, a feature increasingly common on WAF and security platforms. Finally, test during calm periods so that the results are not confounded by noise, and balance mitigation measures with origin failover so that you can shed load without introducing new failure modes.
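The rule ordering described above, as an added example that is not code from the original page or any vendor's rule syntax: a bypass list evaluated first, then geo scope, an ASN block list, a bot rule, and a per-client token-bucket rate limit, with a steady-state profile and the tighter profile a documented trigger would activate. The CIDRs, ASNs, countries, and limits are illustrative assumptions, and the requests are constructed for the example.

```python
"""Added example: an ordered edge policy (bypass list, geo scope, ASN block, bot
rule, per-client rate limit) with a steady-state and an incident profile, run
over constructed requests. Not any vendor's rule syntax; the CIDRs, ASNs and
limits below are illustrative assumptions."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


# `ip` must be the connection peer, or the client address your trusted CDN sets on
# the way in; never a client-supplied X-Forwarded-For, which is trivially spoofed.
@dataclass
class Request:
    ip: str
    country: str
    asn: int
    user_agent: str


class TokenBucket:
    """Per-key limiter: `rate` requests/second sustained, up to `burst` at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, key, now):
        elapsed = now - self.last.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + elapsed * self.rate)
        self.last[key] = now
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


class EdgePolicy:
    def __init__(self, bypass_cidrs, allowed_countries, blocked_asns, bot_markers, rate, burst):
        self.bypass = [ipaddress.ip_network(c) for c in bypass_cidrs]
        self.allowed_countries = set(allowed_countries)
        self.blocked_asns = set(blocked_asns)
        self.bot_markers = [m.lower() for m in bot_markers]
        self.bucket = TokenBucket(rate, burst)

    def decide(self, req, now):
        """First matching rule wins. Bypass is evaluated before every block so a
        geo rule tightened during an incident cannot cut off the health checker."""
        addr = ipaddress.ip_address(req.ip)
        if any(addr in net for net in self.bypass):
            return 'bypass'
        if req.country not in self.allowed_countries:
            return 'block-geo'
        if req.asn in self.blocked_asns:
            return 'block-asn'
        if any(m in req.user_agent.lower() for m in self.bot_markers):
            return 'block-bot'
        if not self.bucket.allow(req.ip, now):
            return 'limit'
        return 'allow'


def steady_policy():
    """Always-on profile: serve the operating countries, block known scrapers."""
    return EdgePolicy(['192.0.2.0/24'], ['US', 'CA', 'DE'], [], ['python-requests', 'curl/'], rate=5, burst=50)


def incident_policy():
    """Profile a documented trigger activates: narrower geo, a hostile ASN, lower burst."""
    return EdgePolicy(['192.0.2.0/24'], ['US', 'CA'], [64496], ['python-requests', 'curl/'], rate=1, burst=10)


def run(policy, requests, now=0.0):
    """Evaluate a batch arriving at one instant; returns a count per decision."""
    return Counter(policy.decide(r, now) for r in requests)


def constructed_traffic():
    """Constructed sample: a health check, real users, scrapers, a hostile ASN, one flooding IP."""
    ua = 'Mozilla/5.0'
    t = [Request('192.0.2.10', 'DE', 64500, 'uptime-checker/1.0')]             # on the bypass list
    t += [Request(f'203.0.113.{i}', 'US', 64501, ua) for i in range(1, 4)]      # real users
    t += [Request(f'203.0.113.{i}', 'DE', 64502, ua) for i in (50, 51)]        # users outside NA
    t += [Request(f'198.51.100.{i}', 'US', 64504, 'python-requests/2.31') for i in range(5)]
    t += [Request(f'198.51.100.{i}', 'US', 64496, ua) for i in range(20, 25)]  # hostile ASN
    t += [Request('198.51.100.99', 'US', 64503, ua) for _ in range(40)]         # single-IP flood
    return t


if __name__ == '__main__':
    for name, policy in (('steady', steady_policy()), ('incident', incident_policy())):
        print(name, dict(run(policy, constructed_traffic())))
```

Running it shows the steady profile letting the single-IP burst through (it sits under the 50-request burst) while the incident profile limits 30 of those 40 requests, rejects the two users outside North America, and blocks the hostile ASN, yet still passes the health check that arrives from a non-allowed country because the bypass rule runs first.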
Step 4: Implement detection and triage
Configure ongoing monitoring and automated health checks for all public-facing infrastructure so that incidents are identified quickly. Feed this data into dashboards and compare it against the baselines you established earlier, triggering alerts on a sudden increase in request volume, abnormal request patterns (one path, user agent, or source network dominating), or a rise in error rates. Triage should then distinguish an attack from a legitimate surge such as a product launch and identify what the traffic has in common, because that determines which mitigation to activate.
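Baseline-and-deviation detection over access logs, as an added example that is not code from the original page or from NinjaOne: it aggregates constructed log lines per minute, derives a request-rate and error-rate baseline from a quiet window, and for a later minute reports volume and 5xx alerts plus which ASN, path, or user agent dominates the surge, mapping that to the mitigation a playbook would activate. The log line format and all sample lines are constructed for this example.

```python
"""Added example: build a traffic baseline from quiet-period access logs, then
flag a later minute whose volume, 5xx rate or source concentration departs from
it. The line format and the sample lines below are constructed for this example."""
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed line format (an assumption, not any real server's log format):
#   HH:MM client_ip ASnnnn CC METHOD /path status "user-agent"
LINE_RE = re.compile(r'^(?P<minute>\d{2}:\d{2}) (?P<ip>\S+) AS(?P<asn>\d+) (?P<cc>[A-Z]{2}) '
                     r'(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')


@dataclass
class MinuteStats:
    requests: int = 0
    errors: int = 0                                   # 5xx responses
    asns: Counter = field(default_factory=Counter)    # requests per source ASN
    paths: Counter = field(default_factory=Counter)   # requests per path
    agents: Counter = field(default_factory=Counter)  # requests per User-Agent


def parse(lines):
    """Aggregate log lines per minute; unparseable lines are skipped and counted."""
    per_minute, skipped = defaultdict(MinuteStats), 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        s = per_minute[m['minute']]
        s.requests += 1
        s.errors += m['status'].startswith('5')       # bool counts as 0 or 1
        s.asns[m['asn']] += 1
        s.paths[m['path']] += 1
        s.agents[m['ua']] += 1
    return per_minute, skipped


def build_baseline(per_minute):
    """(mean rpm, stdev rpm, 5xx rate) over a window of known-quiet minutes."""
    rpm = [s.requests for s in per_minute.values()]
    errors = sum(s.errors for s in per_minute.values())
    return statistics.mean(rpm), statistics.pstdev(rpm), errors / sum(rpm)


def triage(stats, baseline, spike_sigma=3.0, share=0.5, error_delta=0.05):
    """Return (alerts, suggested actions) for one minute. Actions are only suggested
    during a volume surge: a dominant ASN, path or agent is ordinary shape otherwise."""
    mean_rpm, stdev_rpm, base_err = baseline
    alerts, actions = [], []
    # A flat baseline has stdev 0; floor it so one extra request is not a spike.
    threshold = mean_rpm + spike_sigma * max(stdev_rpm, 1.0)
    surge = stats.requests > threshold
    if surge:
        alerts.append(f'volume {stats.requests} rpm exceeds threshold {threshold:.0f}')
    err_rate = stats.errors / stats.requests if stats.requests else 0.0
    if err_rate > base_err + error_delta:
        alerts.append(f'5xx rate {err_rate:.0%} vs baseline {base_err:.0%}')
    if surge:
        for label, counter, action in (('AS', stats.asns, 'rate-limit or challenge'),
                                       ('path', stats.paths, 'rate-limit or cache'),
                                       ('agent', stats.agents, 'bot rule for')):
            key, n = counter.most_common(1)[0]
            if n / stats.requests >= share:
                actions.append(f'{action} {label} {key} ({n / stats.requests:.0%} of requests)')
        if not actions:
            # Nothing dominates: a distributed flood that per-source controls will
            # not stop, so the playbook step is upstream scrubbing, not a WAF rule.
            actions.append('no dominant source: activate upstream mitigation')
    return alerts, actions


def constructed_lines():
    """Constructed sample: five quiet minutes, then a flood from one ASN on /login."""
    asns, paths = ['64500', '64501', '64502', '64503'], ['/', '/pricing', '/docs', '/login']
    lines = []
    for minute in range(5):                            # 20 rpm, one 5xx per minute
        for i in range(20):
            lines.append(f'10:0{minute} 203.0.113.{i} AS{asns[i % 4]} US GET '
                         f'{paths[i % 4]} {500 if i == 0 else 200} "Mozilla/5.0"')
    for i in range(80):                                # legitimate traffic continues
        lines.append(f'10:05 203.0.113.{i % 20} AS{asns[i % 4]} US GET '
                     f'{paths[i % 4]} 200 "Mozilla/5.0"')
    for i in range(320):                               # the flood, most of it failing
        lines.append(f'10:05 198.51.100.{i % 250} AS64496 US POST /login '
                     f'{503 if i < 200 else 200} "python-requests/2.31"')
    return lines


if __name__ == '__main__':
    per_minute, skipped = parse(constructed_lines())
    baseline = build_baseline({k: v for k, v in per_minute.items() if k < '10:05'})
    for minute in sorted(per_minute):
        print(minute, *triage(per_minute[minute], baseline))
```

The quiet minutes produce no alerts; the flood minute trips both the volume and 5xx alerts and names the dominating ASN, path, and user agent, which is the information an operator needs to pick between an ASN rate limit, a path-specific cache or limit, and a bot rule. The `no dominant source` branch is the case that matters most in practice: a genuinely distributed flood shows no concentration, and the correct action is upstream scrubbing rather than more edge rules.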
Step 5: Run a playbook drill and capture evidence
Integrate DDoS readiness drills with your regular ITSM routines and include the results in reports for ownership and accountability. Tabletop drills should be performed at least quarterly to ensure coverage and ownership of each task, while in-depth technical drills can be performed biannually to fully stress test technologies and procedures. When running drills, check that upstream mitigation measures are correctly triggered and that stakeholders are notified immediately. Time each step from detection to mitigation, and capture configurations and communication to assess the effectiveness of your DDoS mitigation processes.
Step 6: Review incidents and regularly update controls
Store the evidence collected above in your IT documentation platform to prove readiness and effectiveness after an attack has occurred. Review what was blocked, which mitigation measures caused side effects (legitimate users caught by a geo rule or rate limit, for example), and how quickly each step in the process was completed. Identify gaps and optimizations to improve your handling of the next DDoS incident. Document improvements such as rate-limit tweaks, refined bypass lists, and revised contact trees and escalation paths, and when they were implemented. MSPs can present these at quarterly business reviews (QBRs) to strengthen client relationships by showing the active measures being taken to protect critical IT infrastructure.
Availability is one of the properties most security and data protection frameworks require you to protect, and they generally expect documented evidence that the controls exist and have been tested, so the records kept here serve compliance as well as operations.
NinjaOne centralizes monitoring and log analysis to enhance your defense against DDoS attacks
NinjaOne automates many of the tasks required to effectively protect against DDoS attacks: you can schedule periodic jobs that pull logs to establish traffic baselines, centralize error logs and reporting, and collect data from your CDN and WAF. This information can be used in dashboards, summarized and stored in NinjaOne Documentation for ready access alongside DDoS playbooks and escalation procedures, and presented to stakeholders for review.
Tying together your DDoS mitigation measures within NinjaOne’s MSP ecosystem improves oversight and leaves no gaps in visibility or responsibility, so responses to potential DDoS incidents are timely and coordinated.
