How to mitigate DDoS Attacks?

Zyxel_Kevin (Zyxel Employee)

edited August 15 in Security Service

Over the past few days, users have been subjected to a significant DDoS (Distributed Denial of Service) attack, causing widespread outages. The following signs will help you recognize whether this is the case.

If you have experienced any of the following problems in the past few days, you have likely been subjected to a DDoS attack:

  • High CPU / RAM utilization;
  • Firewall freezing / unresponsive;
  • Increased load on the network;
  • The traffic load on connection ports has increased;

Understanding the Situation

A DDoS attack floods a network, service, or server with excessive traffic from multiple sources, rendering it inaccessible to legitimate users. This recent attack highlights the need for robust defense mechanisms and rapid response strategies.

To verify whether you have been subjected to a DDoS attack, log into your device's WebGUI and check the following:

(Please unplug the WAN port if the WebGUI is unavailable)

Log & Report > Log / Events

- If you see a very large number of log entries for attempts to access the internal server within a single second, this indicates a possible DDoS attack.

Security Policy > Policy Control

- Look at the rule hit counts of the WAN-to-Internal policies. Under attack, the hit count increases significantly.

Reassurance and Action Plan

While a DDoS attack can cause disruption, it is not fatal. However, it's important to be aware and take proactive steps to protect your devices and network. Here are some recommended actions:

We will collect relevant IP addresses and include them in the IP Reputation Blocking Filter database with our vendor to eliminate all possible sources of attack as quickly as possible.

However, for operational protection of your device, you can block these addresses manually. The IP address list below will be updated accordingly.

Apply Security Policy:

Security Policy > Policy Control

- Implement Policy Control to block known attacker IP addresses. This will help prevent DDoS packets from flooding devices and avoid performance issues or system hangs.


Link to the list of updated IP addresses

Enable DoS / ADP Prevention:

[uOS]Security Policy > DoS Prevention > DoS Prevention Policy

[ZLD]Security Policy > ADP

- Enable DoS Prevention with Low Sensitivity. If the attack is severe, we suggest increasing the sensitivity and the block duration.

Enable External Block List

[uOS]Security Services > External Block List > IP Reputation

[ZLD]Security Services > Reputation Filter > IP Reputation > Block List

(You must have Gold Security Pack License)

- Use the Source URL https://threatfeed.blob.core.windows.net/threatfeed/iplist/webattackip.txt, which is compiled from our backend data. We recommend updating every hour.

(On ZLD, the recommended update interval is daily.)

Enable Custom IPS Rule (ZLD ONLY)

[ZLD]Security Services > IPS

(Gold Security Pack License required)

- Create a Custom Signature Rule that blocks packets with the SYN flag set and a payload greater than 50 bytes.
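As an added illustration of what the custom signature above matches (example code written for this post, not Zyxel's IPS implementation), here is a small Python parser that reads a raw IPv4/TCP packet and reports whether it is a SYN carrying more than 50 bytes of payload. A legitimate SYN normally carries no data at all, so such packets are a useful flood indicator. The packet builder and the addresses in it are constructed test data.

```python
import struct
from dataclasses import dataclass

SYN = 0x02            # TCP flag bit for SYN
PAYLOAD_LIMIT = 50    # threshold from the custom signature rule above (bytes)


@dataclass
class TcpSummary:
    src: str
    dst: str
    flags: int
    payload_len: int


def parse_ipv4_tcp(packet: bytes) -> TcpSummary:
    """Parse an IPv4 packet carrying TCP (no link-layer header) into a summary."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                              # protocol 6 == TCP
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    flags = tcp[13]
    return TcpSummary(src, dst, flags, len(tcp) - data_off)


def matches_syn_payload_rule(packet: bytes, limit: int = PAYLOAD_LIMIT) -> bool:
    """True when the SYN flag is set and the segment carries more than `limit` bytes."""
    s = parse_ipv4_tcp(packet)
    return bool(s.flags & SYN) and s.payload_len > limit


def build_packet(src: str, dst: str, flags: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for testing (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp
```

Feed it packets from a capture taken on the WAN side to confirm how many hits the rule would produce before enabling it in blocking mode.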

Final Thoughts

The recent DDoS attack underscores the necessity of maintaining vigilant cybersecurity practices. By taking the recommended actions, you can significantly reduce the risk of further disruptions and protect your network from potential threats. If you have any questions or need any more help, please do not hesitate to reach out to our support team. Stay safe and vigilant.