Improving Application DDoS Resiliency (3-part series)

Michael Bennett
3 min read · Nov 2, 2016


Defending against DDoS attacks is no easy task. A layered defence is essential to being resilient to all forms of DDoS attack. In this 3-part series we will discuss some methods you can use to improve your DDoS resiliency and add additional layers to your DDoS defence.

Part 1: Being as Static as possible

It’s a common practice to include a Content Delivery Network (CDN) as part of your infrastructure when deploying a web application. There are many benefits to having a CDN in front of your application: it improves the load time of your application, making it appear faster and more responsive, and it offloads the work and resources your origin server would otherwise have spent serving static assets, allowing it to process more requests and serve more customers. More importantly, however, a CDN can act as the first line of defence against a DDoS attack (and can even keep the static parts of your site appearing available if your origin server is successfully taken down).

With a CDN in place, attackers must find a way to bypass the CDN in order to have any sort of effect on your infrastructure. To do that, they need to find the parts of your site that are dynamic and can’t be handled by your CDN. This makes it important to minimize the attack surface as much as possible, and one way of doing that is making your site as static as possible. To do this, you need to separate the dynamic data from the structure and function of the application as much as possible. A perfect example of this is a single-page application, where the majority of the logic and the entirety of the structure and user interface (UI) are loaded and run on the client side, and the server only returns dynamic data in a lightweight format (e.g. AJAX queries that return JSON). In this case, the CDN is responsible for serving all of the HTML, CSS, JavaScript, templates and media assets, while the origin server only serves JSON messages.

Taking it a step further, in certain cases some dynamic data can actually be cached in a CDN for a period of time without any perceived effect on end users (e.g. stock market prices could be cached for X seconds/minutes). This again helps decrease the number of requests your origin server has to handle and can act as a throttle on how many requests it needs to process altogether. For example, if you cache some dynamic data, even just for a minute, you throttle the number of requests your origin handles to 1 request per minute for that resource.
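As an added example (not code from the original post), the throttling effect described above simulated in Python: an edge cache in front of a JSON price endpoint, honouring an assumed `Cache-Control: max-age=60, stale-if-error=300`. The origin-hit count shows the "one request per TTL" throttle, and the stale-if-error path shows the cached copy keeping the resource apparently available while the origin is down.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed Cache-Control policy for the dynamic JSON resource (constructed values).
MAX_AGE = 60          # seconds a cached copy is considered fresh
STALE_IF_ERROR = 300  # extra seconds a stale copy may be served if the origin fails

@dataclass
class Origin:
    """Constructed origin server: counts hits and can be marked as down."""
    hits: int = 0
    down: bool = False

    def fetch(self, t: float) -> dict:
        if self.down:
            raise ConnectionError("origin unreachable")
        self.hits += 1
        return {"price": 100 + t}  # constructed "stock price" payload

@dataclass
class EdgeCache:
    """Minimal CDN edge: serves fresh hits, refetches on expiry, stale-if-error on failure."""
    origin: Origin
    cached_at: Optional[float] = None
    body: Optional[dict] = None

    def get(self, t: float):
        """Return (body, source) for a request arriving at time t (seconds)."""
        if self.body is not None and t - self.cached_at < MAX_AGE:
            return self.body, "hit"
        try:
            self.body, self.cached_at = self.origin.fetch(t), t
            return self.body, "miss"
        except ConnectionError:
            if self.body is not None and t - self.cached_at < MAX_AGE + STALE_IF_ERROR:
                return self.body, "stale"
            raise  # nothing cached within the stale window: the outage is visible

def simulate(request_times, outage=None):
    """Replay request timestamps; outage=(start, end) marks when the origin is down."""
    origin, edge, sources = Origin(), None, []
    edge = EdgeCache(origin)
    for t in request_times:
        origin.down = outage is not None and outage[0] <= t < outage[1]
        _, src = edge.get(t)
        sources.append(src)
    return origin.hits, sources

if __name__ == "__main__":
    # 600 requests over 5 minutes (2 per second): the origin sees only 5 with a 60 s TTL.
    print(simulate([i * 0.5 for i in range(600)])[0])
```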

Of course, CDNs are not a perfect defence, and it’s important to understand when they won’t work for you and might leave you vulnerable. It’s important to ensure your CDN’s caching is tuned for your application, allowing it to continue to function properly for its users while providing you the maximum resiliency possible.

In the next part of the series, we’ll look at controls you can implement in your application itself to help add more layers to your DDoS defence.
