How to stop a DDoS attack after initiation

Can you explain how to stop a distributed denial-of-service (DDoS) attack once it has been initiated? What is the best way to resolve the threat, and if possible, find who initiated it? What are the best methods of ensuring it doesn't happen again?

Procedure on how to stop a DDoS attack once it has been initiated depends on what kind of DDoS attack you're dealing with. There are at least two basic types of DDoS attacks: low-level IP attacks or application-layer attacks. A low-level IP attack is a classic Smurf attack that uses ICMP and forged source addresses. This type of attack is less effective then it previously was because of various ingress and egress filtering techniques now employed by many enterprises. Probably the most common example of a DDoS is a botnet that may use many different types of attacks to cause a DDoS. Conversely, an application-layer attack tries to overload an application by sending the application a large amount of traffic or sending requests that require significant processing to respond. IP and application-layer attacks differ by the part of a system that is attacked. IP attacks are typically lower-level attacks on the operating system or network resources and application-layer attacks attack the application.

Stopping an initiated DDoS attack is decidedly more difficult if your network is being attacked by a large number of dynamic hosts (greater than a hundred or thousand) spread geographically around the world via many different ISPs. To start off, change the IP used by the server (or network) or change the DNS name of the server and IP. If you're being attacked by a more reasonable number of hosts that infrequently change, you could contact the ISPs, CERT, or an Information Sharing and Analysis Center (ISAC) yourself to get the machines turned off.

The best way to resolve the threat, no matter what type of DDoS, is to call your ISP and ask them to block the sources or re-route traffic. Depending on the severity, length of time, and nature of the DDoS, you may also want to report the crime to law enforcement or relevant industry organizations like CERT. You should have already spoken with your ISP about security incident response procedures to ensure you know what their capabilities are and you know what they need when you contact them (which is basic incident response planning). If your ISP can't help you to resolve the threat, you can try to use a network device that blocks DDoS attacks.

Once an incident has passed, if it's likely that you may experience another one, consider using a content distribution network (CDN) where content is distributed from many different locations closest to your client computers. It's much harder for a DDoS to affect these content distribution networks and the CDNs already know how to stop DDoS attacks. You could also switch to an ISP or hosting company that provides this type of service.