How to stop a DDoS attack

| By:
Bryson Medlock

How to stop a DDoS attack

If left unchecked, DDoS attacks can cause significant network damage and result in substantial financial loss for organizations worldwide. The creation of hacking-for-hire service providers has only made the issue worse. 

MSPs can no longer ignore these types of attacks and need to be ready with a protection plan. Fortunately, the team here at ConnectWise is here to outline the details of DDoS attacks, why they shouldn’t be taken lightly, and what you can do to stop them.

The impact DDoS attacks can have

A successful DDoS infiltration can cost businesses 6, sometimes 7, figures in damages. The reason for such a large sum is that DDoS attacks are often used as a distraction while hackers perpetrate other, more significant attacks.

Particular industries suffer worse damage from DDoS attacks than others. E-commerce businesses, for example, can suffer significant financial losses. Not only do potential customers lose the ability to purchase merchandise, but the internal staff is also unable to provide customer service. It’s hard to put a price on DDoS protection, but for these businesses, it could be worth $20,000 to $40,000 per hour.

Discover real-world examples of how hackers use DDoS attacks to disrupt the crypto industry in our threat report, DDoS, crypto, and ransomware, oh my!


Preparing ahead for DDoS attacks

It’s important that your team doesn’t conflate DDoS attacks with other potential threats like phishing. DDoS is very much its own type of threat and you could be covered for many other issues and still run the risk of significant exposure of your client’s system to DDoS attacks.

To truly protect your organization against DDoS attacks, these attacks need to be fought head-on with their own unique defense methods. Follow these best practices for mitigating DDoS attacks below.

Shift all mission-critical apps to a different public subnet or the cloud

Moving mission-critical data to the cloud can throw off attackers since you don’t have to keep your data on-premise, making it harder to locate. The cloud also affords you extra bandwidth to accommodate things like continuous monitoring software.

Continuous monitoring software can give you crystal-clear insight into real-time analytics, metrics, and reporting. This constant oversight also reveals privacy and cybersecurity insights in real-time that can help you stop a DDoS attack in its tracks.

Use another IP address to store any public resources

Spoofing is a popular technique cybercriminals use when launching DDoS attacks. By changing their IP address, they can easily overload servers by submitting a “flood” of data queries.

Depending on the type of DDoS attack, this also offers a protective option that MSPs can use. By changing the IP address of a public resource under attack, this gives your team the opportunity to get systems back online, until attacks switch to that IP. This method won’t necessarily fix the issue by itself. However, it does give your team breathing room in a pinch to deploy some of the other tactics we mention here.

Configure client firewalls to protect against SYN flood attacks

For data to transmit among servers, and continue to function how it needs to in today’s society, simultaneous signals must undergo a “three-way handshake” at each TCP port. A SYN flood attack is a more specific DDoS attack that aims to overwhelm your client’s network by preventing this essential function from happening.

A solid line of defense against these types of attacks is proper firewall configuration. Use these firewall settings to help combat SYN floods:

  • Expand your backlog queue. Your operating system creates a SYN backlog by reserving a certain amount of memory for half-open port connections. MSPs can increase this backlog storage to allow for legitimate queries/connections to come through, thus helping to prevent SYN attacks.
  • Use SYN cookies. Enabling SYN cookies may cause you to lose some query details, but can go a long way to prevent a SYN flood attack. If your data request is from a legitimate connection, the system will receive an ACK, or acknowledgment packet, back. Any illegitimate requests will have their ACK packet dropped out of the backlog queue.
  • Enable firewall filtering. Set a network firewall rule to identify and categorize SYN packets. Depending on the firewall that’s in use, they can protect against a wide range of DDoS attacks like unauthorized port scanning, flooding, and packet sweeps.
  • Delete the oldest half-open connection. Deleting old half-open connections creates more room in backlog queue memory and allows for newer connections to form. New connections ensure that system resources remain available during flood attacks. While this defense method is effective, it’s not a good choice for high-volume SYN flood events.

Adjust web server configurations to withstand DDoS attacks

Your web server should come equipped with DDoS protection settings that can be adjusted as you see fit. Certain web hosting providers provide robust DDoS protection already built-in to their standard offerings, so configuration may not be required. But it’s good to be aware of these configurations and how to adjust them if necessary. In some cases, this is the ground level of greater organization-wide changes you can make.

There are a few ways that you can approach this practice. One good step here is giving your web server more workers to handle incoming connections and reduce timeouts. This ensures connections aren’t held open as long. It’s also a good idea to cache any dynamically generated content you have to ensure the server accesses a static page, at least during the attack.

One other thing to focus on is looking at the nature of the attack itself, specifically any patterns. Some DDoS attacks use a less common User Agent that you can block. In other cases, they may be targeting a certain URL. In this case, blocking the URL or moving it provides a temporary window to keep the site up. As we mentioned earlier, if you keep that URL static versus dynamic, it can also reduce the overall system resources for attack mitigation. 

Host resources behind a CDN with DDoS protection

Placing your clients' system resources behind a content distribution network (CDN) helps to minimize the potential attack surface area cybercriminals can access. As an extra layer of protection, the CDN also keeps traffic from directly reaching important parts of your client’s infrastructure like their databases or mission-critical files. 

Once these protections are in place, it’s up to MSPs to remain current on the most popular and latest types of DDoS attacks and learn how to spot the signs before they become too damaging. Occasionally, MSPs and IT techs can use access control lists (ACLs) to accomplish the same goal, controlling which traffic goes where inside client systems.

In some cases, you may have unique questions about the different types of DDoS attacks or the quality of your existing response plan. Our cybersecurity center also has advanced insight on how to cater your prevention approach for each type. Or, if you need advice for your specific needs, reach out to a skilled cybersecurity professional from the ConnectWise team. To learn more about the varying types of DDoS attacks to watch out for, visit the ConnectWise cybersecurity glossary

How to identify DDoS attack signs

There are a few signals MSPs can look for to prevent a DDoS attack before it starts. Your client may be experiencing a DDoS infiltration if you notice the following:

  • Multiple connection requests from the same IP address in rapid succession
  • Unusual spikes in the amount of website traffic
  • Site speed drops drastically
  • Large-scale site outages

It may seem like you need to keep a constant watch over site traffic to spot a DDoS attack. Fortunately, there are automated DDoS attack tools MSPs can use to remain ever-vigilant. These tools will continuously scan incoming traffic and flag any suspicious activity.

What to do if you experience a DDoS attack

A hacker’s DDoS attack was successful. What now?

Unfortunately, some attacks will be successful. With 2,200 cyber attacks per day, 1 attack every 39 seconds, it’s not a matter of “if,” it’s a matter of “when.”

This is all the more reason that MSPs need to be prepared. Possessing the skills to prevent DDoS attacks is great, but you also need to know how to handle attacks that find their way through your client’s defenses. Some steps you can take to mitigate the attack as it unfolds are:

  1. Contact your client’s data provider and see if they can help filter incoming traffic to isolate the attacking IP addresses. 
  2. Make sure your clients have a secondary way to contact their customers. They won’t be able to send out any communication from their primary system during the attack, so make sure they have an auxiliary communication handy to keep customers aware of what’s happening.
  3. Communication is key. In addition to customers, inform third-party vendors and other business partners of what’s happening. Most people working in the digital world today know attacks are commonplace. Just communicate swiftly and clearly as you move through your response plan.

Ultimately, the best thing you and your team can do is remain calm. It’s easy to let the situation take control of you and overreact in the moment. Stick to your threat response plan, ensure other internal stakeholders stay calm, and know you’ll get through this. The end is in sight.


Recovering from a DDoS attack

What you do after DDoS attacks may be the most important part of the process. This is where you and your team can synthesize learnings from the event to better prepare you for next time.

Ask yourself questions like:

  • What was the hacker targeting?
  • Did your third-party cybersecurity vendors prove helpful during the attack?
  • How long was the network down?
  • What attack method did the hackers use?

These questions will give you the necessary information to strengthen your defenses for next time. As always, ConnectWise is here to help in any way we can. Contact us today to see how our software tools can help you protect your clients moving forward.


A DDoS attack is when hackers overwhelm a website with traffic in an effort to consume all its resources. By occupying all of a site’s bandwidth, attackers can cause the site to crash, creating a “doorway” into the network to commit more sophisticated cybercrimes.

Stopping a DDoS attack requires a combination of prevention and defensive countermeasures. Educating employees on what to look for before an attack occurs can help minimize damage. But education alone won’t protect your client’s system infrastructure. Some more effective DDoS-specific measures you can take are the following:

  • Shift all mission-critical resources to a different public subnet or the cloud
  • Use another IP address to store any public resources
  • Configure firewalls to protect against SYN flood attacks
  • Adjust web server configurations to withstand DDoS attacks
  • Host resources behind a CDN with DDoS protection

The length of a DDoS attack will depend on its severity. Some attacks can be over in less than 24 hours. With that said, it’s not uncommon for some attacks to last days or weeks if undetected.