Distributed Denial of Service (DDoS) Mitigation: What Nonprofits Need to Know

According to BDO’s recent Nonprofit Benchmarking Survey, 95% of organizations say they are concerned about cyberattacks and 48% say funders and donors are asking for more information related to cyber security strategies and/or material cyber risks. 

One of the most common cyberattacks is a Distributed Denial of Service (DDoS) attack, in which a website is flooded with fake traffic and effectively shut down. Analysis shows that there were 13 million DDoS attacks in 2022. 

Following a disaster, nonprofits have continually faced heightened vulnerability to DDoS attacks due to increased media attention, a spike in online activities for donations and volunteer registrations, and the emotional turmoil that attackers exploit to undermine trust. Additionally, stretched resources and the rapid deployment of digital tools—often without comprehensive cybersecurity measures—leave these organizations exposed to disruptions and potential exploitation, impacting both their operations and those they serve. Attackers are often motivated by ideology and target organizations they disagree with politically, otherwise known as “hacktivism.” Nonprofits that perform work that could be considered political or controversial are at a higher risk for a DDoS attack. 

The good news is that there are steps to take for DDoS prevention. Selecting a cloud service provider that provides security and mitigation services, evaluating the importance of your website to ongoing operations, training staff, and developing an incident response plan are all ways to protect your organization from a DDoS attack. 


Select a cloud service provider with strong security and mitigation features

Websites hosted by a cloud service provider are more secure than websites hosted on premises, as cloud service providers specialize in protecting data centers and monitoring for suspicious activity. While most large cloud service providers will have many security and DDoS mitigation features built in, smaller cloud service providers may not provide as many. When choosing a provider, organizations should weigh the recurring hosting costs against the cost of a disruption they may incur from a DDoS attack. A successful DDoS attack could take down a website for a day or longer. If this would constitute a severe operational challenge to the organization or result in significant lost revenue, providers offering more robust protection may be preferred. 

For secure DDoS protection, select a cloud service provider that offers: 

  • DDoS mitigation services: This can help filter out traffic that resembles patterns typically seen in a DDoS attack. 
  • A content delivery network (CDN): A CDN distributes website content across multiple servers and locations, which can help absorb traffic spikes and filter malicious requests. 
  • Firewalls and intrusion detection systems: These security features can detect and block suspicious traffic. 
  • Rate limiting: When rate limiting is implemented on a website to restrict the number of requests from a single IP address, it can help mitigate the impact of a DDoS attack. 
  • Traffic analysis: Continuous monitoring and analysis of incoming traffic can identify unusual patterns and facilitate a quick response to incoming attacks.
  • Web Application Firewalls (WAF): WAFs can filter out malicious traffic and protect against common web application attacks that are often part of DDoS attacks.
  • Regular updates and patching: Cloud service providers should frequently update software, plugins, and operating systems to patch known vulnerabilities. 
  • Anycast: Anycast is a network addressing and routing methodology that makes it harder for an attacker to target a single point by providing multiple routing paths to endpoints, each with the same IP address. 
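
To show why rate limiting and traffic analysis appear as separate items above, the following added example (not part of the original article) replays a constructed request log through a per-IP sliding-window limiter and a site-wide volume check. The thresholds, function names, and sample addresses are assumptions chosen for illustration. The single noisy source is throttled by the per-IP limit, while the distributed flood stays under that limit at every source and is caught only by the site-wide check.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them to your own site's traffic.
PER_IP_LIMIT = 5      # max requests one IP may make per window
WINDOW = 10.0         # sliding window length in seconds
SITE_ALERT = 100      # site-wide requests per window that trigger an alert

def replay(requests):
    """Replay (time, ip) pairs; return ({ip: blocked count}, [alert times])."""
    per_ip = defaultdict(deque)   # ip -> times of its allowed requests
    site = deque()                # times of every request, all sources
    blocked, alerts = defaultdict(int), []
    for ts, ip in sorted(requests):
        # Traffic analysis: total volume in the window, regardless of source.
        site.append(ts)
        while site[0] <= ts - WINDOW:
            site.popleft()
        if len(site) > SITE_ALERT:
            alerts.append(ts)
        # Rate limiting: cap what any single IP may send in the window.
        seen = per_ip[ip]
        while seen and seen[0] <= ts - WINDOW:
            seen.popleft()
        if len(seen) >= PER_IP_LIMIT:
            blocked[ip] += 1
        else:
            seen.append(ts)
    return dict(blocked), alerts

def sample_traffic():
    """Constructed sample: (seconds since start, source IP)."""
    reqs = []
    for t in range(0, 90, 5):                  # three ordinary visitors
        reqs += [(float(t), f"198.51.100.{h}") for h in (1, 2, 3)]
    # One noisy source: 40 requests within ten seconds.
    reqs += [(20 + i * 0.25, "203.0.113.9") for i in range(40)]
    # Distributed flood: 200 sources, only 3 requests each.
    for n in range(200):
        reqs += [(60 + 3 * k + n / 200, f"192.0.2.{n}") for k in range(3)]
    return reqs

if __name__ == "__main__":
    blocked, alerts = replay(sample_traffic())
    print("blocked per IP:", blocked)
    print("first site-wide alert at t =", alerts[0] if alerts else None)
```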


How important is your website, really?

Since DDoS attacks shut down websites, another way to mitigate the impact of an attack is to consider how critical your website is to your day-to-day operations. For instance, if your website is largely informational, it may not be completely disruptive to operations if your website is down for a day. However, if your website hosts program registrations, volunteer shift sign-ups, and a donation portal, a DDoS attack could cause a critical disruption to your organization. For some organizations, the day you anticipate the most donations is also the day when you are the most vulnerable to an attack. For example, an organization that provides services to immigrants may see an influx of donations on the day a controversial Supreme Court ruling on immigration is announced. However, that news may also inspire hacktivists to target organizations serving immigrants. 

For some organizations, the ability to accept donations via the website is critical to their fundraising efforts. Those primarily focused on large donor cultivation, government funding, or fee-for-service arrangements may depend less on their websites. It is up to each organization to determine how critical their website is to organizational operations and protect it accordingly.


Train staff and develop a sound response plan

After your cloud service provider, your next best defense against a DDoS attack is your staff. Educating staff on how to recognize the signs of a DDoS attack and respond accordingly can help your website get back up and running as quickly as possible. Although less common, attackers can also gain access to employees' machines and use them to generate DDoS traffic that floods the organization's internet connection and stifles internal performance. Employees should regularly receive thorough cybersecurity training to minimize their vulnerabilities and reduce the risk that their machine is compromised through a phishing email or public Wi-Fi connection. 

When an attack cannot be prevented, an organization should be ready to execute its DDoS mitigation response plan. An effective response strategy should clearly define roles and responsibilities and instruct employees to document key data points to establish a record of loss. This includes business interruptions, time spent resolving the issue, and any expenses resulting from the attack.


Don’t wait until it is too late

From 2022 to 2023, there was a 171% increase in malicious web applications and API instances, many of which were linked to DDoS attacks, according to a Radware report. Especially for nonprofits that may be the target of “hacktivists,” it is important to get your DDoS protection and mitigation processes in place now — before an attack happens.