DDoS Mitigation: Detection, Scrubbing, Rate Limiting, and CDN Protection

Distributed Denial of Service (DDoS) attacks flood services with traffic to exhaust resources and block legitimate users. Modern DDoS attacks have grown in scale (terabits per second), sophistication (multi-vector), and affordability (DDoS-for-hire services). Effective mitigation requires a layered defense strategy.

DDoS Mitigation

Attack Types

Volumetric attacks overwhelm network bandwidth with massive traffic volumes. Common vectors include UDP floods, ICMP floods, and DNS amplification. The attacker uses botnets or reflection techniques (spoofed-source requests to open DNS, NTP, or memcached services, whose replies are many times larger than the request) to generate more traffic than the target's network capacity.

Protocol attacks target network infrastructure at layers 3 and 4. SYN floods exhaust connection state tables by sending TCP SYN packets without completing handshakes. ACK floods and fragmented packet attacks consume firewall and load balancer resources.

Application-layer attacks target the application itself with seemingly legitimate requests. HTTP floods request resource-intensive pages (search, export, login) repeatedly, so a small number of requests per second can still exhaust CPU or database capacity. Slowloris opens many connections and sends partial HTTP headers at a trickle, exhausting the connection slots of servers that dedicate a worker thread or process to each connection.

Detection

Baseline normal traffic patterns before an attack. Track requests per second, bandwidth utilization, connection counts, and error rates. DDoS attacks typically show sudden traffic spikes, unusual geographic concentration, and abnormal request patterns.

Deploy network flow analysis (NetFlow, sFlow) to detect volumetric attacks at the network layer. Use application performance monitoring (APM) for application-layer anomaly detection. Configure alerting thresholds that balance sensitivity against false positives.
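The baseline-and-threshold logic above, as an added example that is not part of the original page: it parses Common Log Format lines, buckets requests into 10-second windows, takes the median request rate of the first few windows as the baseline, and raises an alert only when a window both exceeds the baseline by a spike factor and is concentrated on a few sources or a single path. The sample log lines are constructed, and the thresholds (spike_factor, share limits) are assumed values to tune against real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: client IP, timestamp in [...], request line in "...".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_seconds, ip, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return ts, m.group("ip"), m.group("path")


def bucket_windows(lines, window_s=10):
    """Group parsed requests into fixed-size windows keyed by window start (epoch)."""
    windows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        windows[int(ts // window_s) * window_s].append((ip, path))
    return dict(sorted(windows.items()))


def detect(lines, window_s=10, baseline_windows=6, spike_factor=5.0,
           top_sources=3, source_share=0.5, path_share=0.8):
    """Flag windows whose request rate exceeds spike_factor x the median rate of the
    first `baseline_windows` windows AND whose traffic is concentrated on a few
    sources or on one path. Requiring both keeps a legitimate but diffuse surge
    (a product launch) from paging anyone; a single-IP spike below the rate
    threshold is a job for the rate limiter, not an incident."""
    windows = bucket_windows(lines, window_s)
    starts = list(windows)
    baseline_rps = median(len(windows[s]) / window_s for s in starts[:baseline_windows]) or 1.0
    alerts = []
    for start in starts[baseline_windows:]:
        reqs = windows[start]
        rps = len(reqs) / window_s
        ips = Counter(ip for ip, _ in reqs)
        paths = Counter(path for _, path in reqs)
        src = sum(n for _, n in ips.most_common(top_sources)) / len(reqs)
        top_path, top_path_n = paths.most_common(1)[0]
        if rps > spike_factor * baseline_rps and (src > source_share or top_path_n / len(reqs) > path_share):
            alerts.append({"window_start": start, "rps": rps, "baseline_rps": baseline_rps,
                           "top_sources": ips.most_common(top_sources),
                           "top_path": (top_path, top_path_n)})
    return alerts


def make_sample_log():
    """Constructed traffic: eight quiet windows, then an HTTP flood against /search."""
    t0 = datetime(2023, 10, 10, 13, 55, tzinfo=timezone.utc)
    lines = []

    def emit(offset_s, ip, path):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for w in range(8):  # quiet: 6 requests per 10 s from varied clients and paths
        for i in range(6):
            emit(w * 10 + i, f"198.51.100.{(w * 6 + i) % 40 + 1}", ["/", "/about", "/search"][i % 3])
    for i in range(300):  # flood: 30 rps from three sources, all hitting /search
        emit(80 + (i % 10), f"203.0.113.{i % 3 + 1}", "/search")
    return lines


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

In production the baseline should be a rolling, time-of-day-aware figure rather than the first few windows of the file, and the alert should carry the top sources so the responder can feed them straight into a block list or a scrubbing-provider ticket.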

Traffic Scrubbing

Scrubbing centers filter incoming traffic, removing malicious packets while forwarding legitimate requests. Major vendors (Cloudflare, Akamai, AWS Shield) operate global scrubbing networks. During an attack, traffic is diverted to scrubbing centers either by BGP (the provider announces your prefix and returns clean traffic over a GRE tunnel or a direct connection) or by DNS changes that point the hostname at the provider. DNS-based diversion only protects traffic that follows the hostname, so the origin's real IP address must stay unpublished and its firewall must admit traffic only from the provider, or attackers simply bypass the scrubbing layer.

Scrubbing uses multiple techniques: IP reputation filtering blocks known malicious sources. Rate limiting drops excessive requests from individual IPs. Challenge-response mechanisms (CAPTCHAs, JavaScript challenges) distinguish bots from humans.

Rate Limiting

Rate limiting is effective against application-layer attacks. Per-IP rate limits prevent individual sources from overwhelming the service. Per-endpoint limits protect expensive API calls, either with a separate bucket per endpoint or by charging costly endpoints more tokens per request. Token bucket and sliding window algorithms provide granular control. Two caveats: behind a CDN or reverse proxy the limiter must key on the client address reported by a trusted proxy, not the proxy's own address and not a header the client could have forged; and IPv6 should be limited per /64 prefix, since a single host usually controls a whole prefix and can rotate addresses.

Tiered rate limiting applies different thresholds based on authentication state. Anonymous users get conservative limits. Authenticated users get higher limits, keyed on the account rather than the address. Internal and admin traffic may bypass rate limiting, but the bypass must be decided on something an attacker cannot supply, such as a verified source network or a client certificate, never on a client-controlled header.
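A per-IP, per-endpoint, tiered token-bucket limiter covering the points above, as an added example rather than code from the original page. The tier values, endpoint costs, proxy and internal network ranges are assumed placeholders; it resolves the client address from X-Forwarded-For only when the TCP peer is one of the configured proxies, keys IPv6 clients per /64, and exempts internal callers based on that verified address. The scenario in simulate() is constructed and uses a fake clock so the outcome is deterministic.

```python
import ipaddress
import time

# Assumed policy values for illustration; tune to measured traffic.
TIERS = {"anonymous": (2.0, 10.0), "authenticated": (20.0, 100.0)}  # (refill/s, burst)
ENDPOINT_COST = {"/search": 5.0, "/export": 10.0}  # expensive handlers cost more tokens
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # our own edge proxies
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # callers exempt from limits


class TokenBucket:
    """Refill `rate` tokens per second up to `capacity`; a request needs `cost` tokens."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now, cost=1.0):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def client_ip(peer_ip, xff):
    """Resolve the real client address. X-Forwarded-For is honoured only when the
    TCP peer is one of our proxies; otherwise a client could forge the header and
    get a fresh bucket (or an internal address) on every request."""
    peer = ipaddress.ip_address(peer_ip)
    if not xff or not any(peer in net for net in TRUSTED_PROXIES):
        return peer
    # Walk right to left past hops our proxies appended; the first address that is
    # not one of our proxies is the client as seen by our edge. Anything further
    # left was supplied by the client and is untrusted.
    for hop in reversed(xff.split(",")):
        try:
            hop_ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed chain: fall back to the peer address
        if not any(hop_ip in net for net in TRUSTED_PROXIES):
            return hop_ip
    return peer


def limit_key(ip):
    """IPv6 is keyed per /64 so a host cannot dodge the limit by rotating addresses."""
    if ip.version == 6:
        return "ip:" + str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return "ip:" + str(ip)


class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock, self.buckets = clock, {}

    def check(self, peer_ip, xff, path, user_id=None):
        """Return True if the request may proceed."""
        now = self.clock()
        ip = client_ip(peer_ip, xff)
        if any(ip in net for net in INTERNAL_NETS):
            return True  # bypass keyed on a verified source address, not a header
        tier = "authenticated" if user_id else "anonymous"
        key = f"user:{user_id}" if user_id else limit_key(ip)
        rate, burst = TIERS[tier]
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(rate, burst, now)
        return bucket.allow(now, ENDPOINT_COST.get(path, 1.0))


def simulate():
    """Constructed scenario with a fake clock; returns the decisions for inspection."""
    t = [0.0]
    rl = RateLimiter(clock=lambda: t[0])
    out = {}
    out["anon_allowed"] = sum(rl.check("203.0.113.5", None, "/") for _ in range(12))
    # Direct client claims an internal address in X-Forwarded-For: ignored, same bucket.
    out["forged_internal"] = rl.check("203.0.113.5", "10.10.0.1", "/admin")
    t[0] += 1.0  # two tokens refilled; /search costs five, so it is still denied
    out["search_after_1s"] = rl.check("203.0.113.5", None, "/search")
    out["plain_after_1s"] = [rl.check("203.0.113.5", None, "/") for _ in range(3)]
    # Same request via our proxy: the rightmost non-proxy hop is the client.
    out["via_proxy"] = rl.check("10.0.0.2", "198.51.100.9, 10.0.0.3", "/")
    out["auth_allowed"] = sum(rl.check("203.0.113.5", None, "/", user_id="alice") for _ in range(105))
    out["internal"] = rl.check("10.0.0.2", "10.10.5.5", "/admin")
    for _ in range(10):  # two addresses in one /64 share a bucket
        rl.check("2001:db8:1:2::1", None, "/")
    out["ipv6_sibling"] = rl.check("2001:db8:1:2::ffff", None, "/")
    return out


if __name__ == "__main__":
    print(simulate())
```

A real deployment keeps the buckets in a shared store (or runs the limiter at the edge) so that all instances see the same counts, and applies the per-IP bucket to authenticated users as well, so a stolen session cannot be used as a higher-limit flood source.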

CDN-Based Protection

Content Delivery Networks (CDNs) absorb DDoS traffic through their distributed infrastructure. Cloudflare, Fastly, and Akamai operate networks with Tbps-scale capacity. Their anycast networks distribute traffic across global points of presence, diluting attacks.

CDN protection includes automatic DDoS detection, always-on mitigation for known attack patterns, and on-demand scrubbing for large-scale attacks. Most CDNs include baseline DDoS protection in their standard plans, with custom rules, SLAs and response teams as paid tiers. The CDN only helps if it is actually in the path: restrict the origin's firewall to the CDN's published address ranges and keep the origin IP out of DNS, certificate transparency logs and outbound email headers, or attackers will target the origin directly.

Layered Defense

A single defense layer is insufficient. Combine BGP-based network filtering, CDN traffic absorption, rate limiting at the application layer, and Web Application Firewall (WAF) rules. Each layer catches attacks that bypass the previous one.

Develop an incident response playbook. Document who to contact when an attack is detected, how to enable enhanced protection, and how to communicate with users. Test the playbook with tabletop exercises.

Cloud providers offer DDoS protection services: AWS Shield Standard (included) and Advanced (managed protection plus cost protection, which credits the scaling charges incurred during an attack), Google Cloud Armor (integrated with Google Cloud Load Balancing), and Azure DDoS Protection (integrated with VNet). Choose based on your cloud provider and protection requirements, and verify that every public entry point, including non-HTTP services, is actually covered by the tier you pay for.