ZDNet | Security

How to protect your site from DDoS attacks – before it’s too late

Image: WhataWin/Getty Images

On March 10, X experienced multiple outages, with tens of thousands of users reporting the social site was down for them. Later that day, after multiple failures, X came back online. What caused this?

While the pro-Palestinian hacking collective known as Dark Storm Team claimed responsibility on Telegram for a distributed denial of service (DDoS) attack against X, we can’t be sure they’re responsible. 

CloudFlare, an internet security company specializing in blocking DDoS attacks, notes that “Spoofing source IP addresses is not technically challenging. Every machine connected to the internet can transmit any bytes of their choosing — including setting arbitrary values in the source IP address field.” In fact, spoofing source IP addresses is one way of carrying out a DDoS attack.

How was the attack done?

Regardless of who was responsible, we have a good idea of how this DDoS assault was accomplished.

The attack, Beaumont explained, appears to have come from “a Mirai variant botnet made of compromised cameras. They specifically targeted a Twitter ASN [Autonomous System Number] which had origin servers not behind [CloudFlare].”

Since 2016, when Mirai was first used in the biggest DDoS assault ever on the Dyn-managed DNS service, Mirai has appeared repeatedly in DDoS attacks. This is just the latest example.

Beaumont added, “The botnet has been used to target a bunch of telcos and video game companies. No idea who runs it. Smells of APTs — advanced persistent teenagers.”

Teenagers are behind this attack? Really? 

Yes, it really could be such a group. DDoS attacks are simple to start. In fact, for years now, you can find DDoS-as-a-service vendors on the dark web. Heck, according to the security company Heimdal, “cybercriminals offer discounts, loyalty programs, memberships, and subscriptions.”

While the X attack was unlikely to have come from a DDoS service provider, it didn’t take much technical expertise either. The attack succeeded because a critical X ASN — a unique identifier for a group of IP networks that share a network routing policy — was left outside X’s existing CloudFlare DDoS protection. As Beaumont pointed out, once the “various services attacked … had been firewalled from [the] public internet,” the attacks ended.

How do you protect your ASN?

Blocking traffic from known bad ASNs can enhance security by preventing malicious activities such as spam, botnets, or DDoS attacks. This can be achieved through firewalls, security information and event management systems (SIEMs), or DNS configurations.

What’s a bad ASN? According to content delivery network (CDN) company Akamai, malicious ASNs are more likely to contain IPs used to host phishing websites, malicious files, bots, and scanners. “Likely malicious” ASNs face a 1 in 7 or higher probability of encountering a malicious IP. While likely malicious ASNs make up fewer than 2% of all IPv4 addresses online, they receive more than 5% of internet traffic. 

Furthermore, ASNs in the “potentially malicious” category comprise less than 5% of all internet IPv4 addresses. Yet, they receive more than 18% of internet traffic, highlighting that malicious and legitimate traffic can be served by the same ASN. 

Blocking them at your firewalls or SIEMs makes your site far less likely to be taken down.
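The ASN-based blocking described above, as an added example (not ZDNet’s, Akamai’s or Cloudflare’s code): source addresses from a flow log are mapped to their origin ASN by longest-prefix match, flows from ASNs on a block list are counted and flagged, and the matching prefixes are rendered as an nftables set that drops them at the edge. The prefix-to-ASN table, the “bad” ASN list and the flow log lines are all constructed (documentation address ranges, private-use ASNs 64500–64503); a real deployment would derive the table from BGP or RIR data and the block list from its own threat intelligence. Because even a “likely malicious” ASN carries legitimate traffic, the counter in the drop rule is there so you can see what you are discarding.

```python
"""
Map flow-log source addresses to ASNs and build an edge block list.
Added example; the prefix table, ASN block list and flow log are constructed.
"""
import ipaddress
from collections import Counter

# Constructed prefix -> origin ASN table (private-use ASNs 64500-64503).
# A real table would be derived from BGP or RIR data.
PREFIX_TABLE = {
    "198.51.100.0/24": 64500,
    "198.51.100.128/25": 64501,  # more specific than the /24, so it wins for .128-.255
    "203.0.113.0/24": 64502,
    "192.0.2.0/24": 64503,       # treated here as "your own" network
}

# Constructed block list: ASNs your threat intelligence rates "likely malicious".
BLOCKED_ASNS = {64501, 64502}

# Longest-prefix match: check the most specific prefixes first.
_PREFIXES = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TABLE.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def lookup_asn(ip):
    """Return the origin ASN for an address, or None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _PREFIXES:
        if addr in net:
            return asn
    return None


def parse_flows(text):
    """Parse 'key=value' flow records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            flows.append(dict(field.split("=", 1) for field in line.split()))
    return flows


def summarize_by_asn(flows):
    """Count flows per source ASN and collect sources belonging to blocked ASNs."""
    per_asn = Counter()
    blocked_sources = set()
    for flow in flows:
        asn = lookup_asn(flow["src"])
        per_asn[asn] += 1
        if asn in BLOCKED_ASNS:
            blocked_sources.add(flow["src"])
    return per_asn, blocked_sources


def blocked_prefixes():
    """Prefixes announced by blocked ASNs, in address order for stable rule output."""
    return sorted(
        (p for p, asn in PREFIX_TABLE.items() if asn in BLOCKED_ASNS),
        key=lambda p: ipaddress.ip_network(p),
    )


def render_nft_ruleset():
    """Render an nftables ruleset that drops those prefixes at the network edge."""
    elements = ", ".join(blocked_prefixes())
    return (
        "table inet edge {\n"
        "  set bad_asn {\n"
        "    type ipv4_addr\n"
        "    flags interval\n"
        f"    elements = {{ {elements} }}\n"
        "  }\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        "    ip saddr @bad_asn counter drop\n"
        "  }\n"
        "}\n"
    )


# Constructed flow log: one line per connection seen at the edge.
SAMPLE_FLOWS = """\
src=198.51.100.5 dst=192.0.2.10 proto=tcp dport=443
src=198.51.100.200 dst=192.0.2.10 proto=tcp dport=443
src=198.51.100.201 dst=192.0.2.10 proto=tcp dport=443
src=203.0.113.77 dst=192.0.2.10 proto=udp dport=53
src=203.0.113.77 dst=192.0.2.11 proto=udp dport=53
src=192.0.2.99 dst=192.0.2.10 proto=tcp dport=80
"""

if __name__ == "__main__":
    per_asn, blocked = summarize_by_asn(parse_flows(SAMPLE_FLOWS))
    for asn, count in per_asn.most_common():
        tag = "BLOCKED" if asn in BLOCKED_ASNS else "ok"
        print(f"AS{asn}: {count} flows ({tag})")
    print("sources to drop:", sorted(blocked, key=ipaddress.ip_address))
    print(render_nft_ruleset())
```

Load the rendered ruleset with `nft -f` on the edge host; the `counter` on the drop rule lets you watch how much traffic the block list is actually discarding before you decide whether an ASN belongs on it.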

What can you do to block DDoS attacks? 

There are several steps you can take to protect yourself.

Resilient network architecture: Protect your sites by practicing DDoS prevention 101; for example, make network architecture as resilient as possible. You can do this by placing servers in different data centers and clouds, ensuring these are located on different networks, and ensuring your data centers, clouds, and their networks have no bottlenecks or single points of failure.

By spreading out your network, you avoid any single bottleneck that can be blocked by a DDoS attack.

Safe routers: Make sure your routers practice safe networking. For example, they should drop junk packets and block unnecessary or unsafe external protocols such as Internet Control Message Protocol (ICMP), File Transfer Protocol (FTP), and Telnet at your network’s edge.

Robust firewalls: You should also have robust firewalls and intrusion prevention systems (IPS) to block malicious traffic. Your firewalls should be configured to handle large volumes of traffic without compromising performance.

Better still, have your upstream ISP block unnecessary and undesired traffic before it reaches you. For example, your ISP can make your life easier simply by blackholing attack traffic upstream. And if you know your company will never need to receive UDP traffic — such as Network Time Protocol (NTP) or DNS — your ISP should simply drop that garbage traffic into the bit bucket.

Besides ordinary firewalls, you should also look into using specialized defenses against Layer 7 attacks, which target web applications. Web Application Firewalls (WAFs) are essential for blocking malicious traffic targeting your web applications.
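One check a WAF or rate limiter applies to catch the Layer 7 floods mentioned above, written here as an added example rather than code from ZDNet or any WAF vendor: a sliding-window request counter over web-server access logs in Common Log Format that flags any client sending at least a threshold of requests inside a window. The log lines are constructed (documentation addresses, one client bursting 30 requests in six seconds alongside two normal visitors), and the 10-second window and 20-request threshold are illustrative assumptions you would tune to your own traffic.

```python
"""
Sliding-window Layer 7 flood detection over access logs.
Added example; the log lines, window and threshold are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def detect_floods(lines, window=timedelta(seconds=10), threshold=20):
    """
    Flag clients that send >= threshold requests inside any `window`.
    Returns {ip: peak requests seen within one window} for flagged clients.
    Events are sorted by time first so out-of-order log shipping cannot
    hide a burst.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def _clf(ip, ts, req, status=200, size=512):
    """Format one constructed Common Log Format line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} {size}'


def build_sample_log():
    """Constructed log: one client bursts 30 requests in 6 s, two browse normally."""
    base = datetime(2025, 3, 10, 14, 2, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):  # 5 requests/second from 203.0.113.9
        lines.append(_clf("203.0.113.9", base + timedelta(milliseconds=200 * i),
                          "GET /search?q=x HTTP/1.1"))
    for i in range(5):   # one request every 12 s from a normal visitor
        lines.append(_clf("198.51.100.20", base + timedelta(seconds=12 * i),
                          "GET /index.html HTTP/1.1"))
    for i in range(8):   # a second normal visitor, 8 requests over 35 s
        lines.append(_clf("192.0.2.44", base + timedelta(seconds=5 * i),
                          "GET /static/app.js HTTP/1.1", 304, 0))
    lines.append("garbage line that does not parse")  # must be skipped, not crash
    return lines


if __name__ == "__main__":
    for ip, count in detect_floods(build_sample_log()).items():
        print(f"{ip}: {count} requests inside a 10 s window -> rate-limit or challenge")
```

Per-IP counting is the simplest form of this check; a production WAF keys the same window on other attributes too (URL path, user agent, session), because a botnet of compromised cameras like the one described above spreads its requests across many source addresses.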

DDoS mitigation: To protect your web presence, you should also look to DDoS mitigation companies. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes. If you do one thing to protect yourself against DDoS attacks, partner with one of these firms. They know more about preventing the dangers of DDoS than you ever will.

You can also mitigate some DDoS attacks by using multiple DNS providers. Alongside that, use DNSSEC to secure your DNS infrastructure and prevent DNS amplification attacks.

In addition, Netflix's open-source program Denominator can support managed and mirrored DNS records. This works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but adding your own or other DNS providers is not hard. This way, even when a DDoS knocks out a single DNS provider, you can keep your sites up and running.

Relying on any single DDoS defense is not enough. You need multiple levels of defense. That way, if one attack gets through, the other walls will stop it. 

Red team attacks: You should also analyze your defenses. If one of your barriers is proving too porous, you need to work out why it’s not doing its job and fix it. One way to do this is to have a red team attack your network with tools like GoldenEye, hping3, and HTTP-Unbearable-Load-King (HULK) to see how vulnerable your network is to common DDoS attacks. Armed with this information, you can firm up your defenses before a real attack comes your way.
