Protect your business from DDoS attacks

For more information on what a DDoS looks like and how to mitigate if you’re caught in one, see our attack guidance page.

Distributed denial-of-service (DDoS) attack

Preparing for a DDoS attack

Being prepared for a DDoS attack is important to ensure your business will be able to weather the storm and come out relatively unscathed.

DDoS attacks can be complex with lots of moving parts, however, we’re here to help you understand what’s vital to keep your business running in case of an attack and help you choose the right protection for your business.

Understand your businesses critical assets and services.

Being able to work with a DDoS service provider and choose the right protection for your business, means you need to understand your business’s technical environment.

Start by identifying the services you have exposed to the internet and the potential vulnerabilities they have. Create a list of all the external facing assets your business uses that could be exposed to an attack and list them by priority of how critical they are to running your business.

For example:

customer-accessible websites or services,
staff-dependent websites or services (such as web mail or VPN systems),
supporting infrastructure services (such as Domain Name System),
network equipment that sits at the public edge of your networks (such as firewalls and gateways), or
any systems you host on third-party networks (such as cloud-based).

Identifying your critical assets is the first part of developing a business continuity plan, in the event of an attack the plan tells you what needs to be back up and running and in what order of priority.

Talk to your managed service provider (MSP) or IT provider

If you have an MSP or IT provider, it’s helpful to have a conversation with them about if their service includes DDoS protection and to what level.

Some providers may charge more for DDoS protection or it can be included in your package. It may even be included but you haven’t enabled it through your provider.

There are specialist anti-DDoS protection services who will be able to provide more robust protection as well as additional protection against larger more advanced attacks. Anti-DDoS services are better able to monitor network traffic, confirm an attack, identify the source, and mitigate the situation. Further benefits of using an anti-DDoS service provider include rapid incident response, expert technical advice (including 24/7 support in most cases) and shared attack analytics, helping you understand how future attacks can be stopped.

If you don’t have an MSP

If you don’t have an MSP because you look after your online services yourself, you should still consider getting DDoS protection through an outside provider.

It’s unlikely you will be able to put all the mitigations in place in-house to stop a DDoS attack. Many MSP’s offer basic DDoS protection packages that can be tailored to suit your business.

Different types of DDoS protection

There are two main forms of protection: always-on and on-demand.

Always-on, as its name suggests, is protection in which the provider maintains continuous protection. Meaning, you should be guaranteed that if your service is hit by a DDoS attack, at any time day or night, your applications and website would be protected.

The drawback is that this service is the most expensive for you as a customer.

On-demand is the more cost-effective option. It allows you to activate protection only when you experience an attack. You call your service provider, and they switch on protection; turning it off again once the attack has been resolved.

The drawback of this approach is that protection is activated only when you notice an issue and raise it with your provider. You will also need to allow for the time it takes for the provider to implement protection. This may mean a substantial amount of time passes before the attack is blocked. There is also no guarantee that the attacker won’t come back to target you again when your guard is down.

What to expect of your service provider during an attack

Understanding what type of support your DDoS protection provider will provide you during an attack and what role you play in the response will help you better prepare for an attack.

Once abnormal activity is detected your provider should be able to diagnose what type of attack you’re experiencing. You can then work with them to get the DDoS attack mitigated and get your services running as normal.

They may block traffic from a particular country or type of device, or simply block all access until the attack has calmed down. External services will likely stay down but internal ones may keep going.

You will need to work closely and keep regular contact with your service provider during the attack and afterward to get your services back up and running.

What to do if you are experiencing a DDoS attack and don’t have protection

If you don’t have DDoS protection in place, it can be a lot harder to detect and mitigate an attack. If you think you might be experiencing a DDoS attack and don’t have protection or know how to get help, CERT NZ has advice on what steps you can take.

What to do during a DDoS attack on your business

Watch: What is DDoS?

Video transcript

[Audio / Visual]: As the screen opens, quiet music plays in the background. The music plays throughout the video. The screen opens displaying a person with their left side to camera, standing in front of bunches of bright flowers. They are watering them with their right hand. The background is blurred but there is a working station/desk and more flowers.

Narration starts immediately, as it does, the person moves about watering the bunches of flowers.

[Audio / Narration]: ‘Meet Marama, she’s a florist.’

[Visual]: Frame changes to a new scene with a person sitting on a dark green couch. They are looking down at a laptop in front of them which sits on a low coffee table. The couch has yellow accents with cushions and a throw rug. The room they are sitting in has grey carpet and the wall has colourful artwork. The coffee table has hexagon coasters sitting next to the laptop.

The person while looking at their laptop is waving their hands up in frustration and goes back to typing. They then pick up a cell phone, and the frame zooms in closer to a waist shot.

[Audio / Narration]: “She gets a call from one of her regular customers, Peter.’

‘Peter is trying to order flowers from Marama’s website, but the website won’t load, and is showing an error message – 503 Service Unavailable.”

[Visual]: As the call takes place, the frames swap back to the florist who is putting together a bunch of flowers at the service desk. The bunches they were watering in the opening scene are in the background, and more shelving with glass jars can also been seen. The florist is holding a phone in their left hand. As the call is taking place, the florist has a concerned / confused look on their face.

The scene changes back to a view of the caller’s laptop. Their hand is in frame, pushing buttons on the keyboard. The laptop screen has a 503 service unavailable error message. The scene pops back to the florist, and then back to the caller to illustrate the conversation on the phone. The last shot of the florist has them nodding their head as they are being told about what the issue might be.

[Audio / Narration]: “Marama is confused, and Peter suggests she might be being DDoSed, and working in cyber security, tells her more about it.”

[Visual]: A new scene with a person looking straight to camera appears. The person has the same authority and sounds the same as that who is narrating. They are standing at waist height in a teal long sleaved top with frilly details. They have a mic and red nail polish. The backdrop to this scene is a room with tables and chairs and green painted walls. There are inside plants scatter around and on the tables. As they are explaining what DDoS stands for, the screen displays words in white colouring “DDoS Distributed Denial of Service attack” to the top right-hand side of the screen.

[Audio]: “A DDoS stands for distributed denial-of-service attack, aimed at stopping online websites and tools from working, by overloading them.

Networks can only process a certain number of requests at once, so the attack works by flooding a website with false requests, blocking any genuine requests from getting through.”

[Visual]: The screen cuts to a bird's eye view of a busy motorway showing overhead bridges and offramps. Lanes are blocked with a lot of cars going one way and freely running on the other. The screen pans out / camera gets higher showing more and more of the motorway as the audio continues.

[Audio / Narration]: “Think of it like intentionally causing traffic jams on a motorway and shutting down a city, by adding thousands of cars to the roads.”

[Visual]: Scene cuts back to the narrator talking direct to screen.

[Audio] “When this happens, your customers may not be able to access your website, order goods or services from you, pay you, or even contact you.

You can spot a DDoS attack in a few ways, like being unable to load your website…

[Visual]: Narration continues, the scene pops back to the person on the couch looking frustrated and back to the laptop 503 error message view.

[Audio / Narration] “…your website being so slow that it’s unusable, your internet constantly disconnecting or timing-out, or 503 Service Unavailable Errors.”

[Visual]: Florist is back on screen

“So what do I do?” Marama asks Peter.

[Visual]: New shot showing screen mirroring of CERT NZ’s reporting tool. “Report an issue” is at the top of the page and the mouse moves through the reporting tool showing the steps required to take to report a DDoS incident. This includes drop down options to select the situation that best describes the issue the reporter is having. This example selects the following – (chosen options in square brackets):

I’d like to report something that happened [to me] [in the last week.]

I’ve had an issue with [a website.] I [think something is wrong with my website] because [there is an issue or an error on it.] [I don’t know what to do]. [The issue hasn’t been resolved.]

Along the bottom of the screen, a url link appears showing a direct link to the online reporting tool:

cert.govt.nz/individuals/report-an-issue/

Once all options are selected, the following text appears at the bottom: It sounds like someone has gained access to your website without your knowledge.

[Audio / Narration] “Report the incident with CERT NZ, through their website. Provide everything you know, as well as your contact details, so CERT NZ can provide confidential advice to help you through the attack.

[Visual]: New scene of florist sitting at a desk with desktop computer in front of them. They have their left hand up to their mouth and their right hand is placed on the mouse. The scene flicks to a closer head shot of the florist, with the camera panning left to right from behind their screen. The florists eyes indicates they’re looking at the form filling in the drop down selections.

[Audio / Narration] “and assist you in talking to your managed service provider or website host for more help.

[Visual]: The last scene brings back the narrator looking and talking direct to screen scene. A phone number 0800 CERT NZ slides on to the screen in the bottom right corner.

[Audio] ‘Head to the report an issue page on CERT NZ’s website to report or you can also call CERT NZ on 0800 CERT NZ.

[Visual]: Closing slide appears with slightly louder backing track. The screen is blue with the CERT NZ logo at the top. Underneath the logo, there is white text ‘For more cyber security advice, go to cert.govt.nz.’ The Digital Boost logo is in the bottom left corner and the New Zealand Government logo is in the bottom right corner.

Report it

Help and advice is available from CERT NZ through our online reporting tool, or our contact centre.

Report it

0800 CERT NZ

Read CERT NZ's latest Quarter Two Cyber Security Insights Report out now

Preparing for a DDoS attack

Understand your businesses critical assets and services.

Talk to your managed service provider (MSP) or IT provider

If you don’t have an MSP

What to expect of your service provider during an attack

What to do if you are experiencing a DDoS attack and don’t have protection

Watch: What is DDoS?

Report it