What is a DDoS attack?

Lalit Prasanth
Published in Fasal Engineering
Oct 3, 2023

A Denial of Service (DoS) attack is a malicious attempt to degrade the availability of a targeted system, such as a website or application, for its legitimate end users. Typically, attackers generate large volumes of packets or requests that ultimately overwhelm the target system. In the case of a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the attack traffic.

In general, DDoS attacks can be grouped by which layer of the Open Systems Interconnection (OSI) model they target. They are most common at the Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7) layers.

DDoS attack classification

When thinking about mitigation techniques against these attacks, it is useful to group them as Infrastructure layer (Layers 3 and 4) and Application layer (Layers 6 and 7) attacks.

Infrastructure layer attacks

An infrastructure-layer DDoS attack overloads the network infrastructure by consuming large amounts of bandwidth, for example by making excessive connection requests without ever completing the connection handshake.

Application layer attacks

These attacks primarily exploit application-level weaknesses, the most common form being the HTTP flood. In an HTTP flood, attackers continuously send a variety of HTTP requests to a server from many different IP addresses, often aiming at openly reachable endpoints such as health checks and login pages.

Common DDoS attack methods

UDP flood: The attacker spoofs the source IP address and floods a targeted server with User Datagram Protocol (UDP) packets.

ICMP (Ping) flood: The attacker attempts to overwhelm a targeted device with ICMP echo-request packets, causing the target to become unreachable for normal traffic.

SYN flood: The attacker rapidly initiates connections to a server without ever finalising them. The server has to spend resources holding these half-open connections, which can consume enough resources to make the system unresponsive to legitimate traffic.

Ping of Death: The attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash.

Slowloris: The attacker holds as many connections to the target web server open for as long as possible. It accomplishes this by opening connections to the target server but sending only a partial request on each of them.

NTP amplification: The attacker exploits publicly accessible Network Time Protocol (NTP) servers to overwhelm the target with User Datagram Protocol (UDP) traffic.

HTTP flood: The attacker sends a high volume of seemingly legitimate HTTP GET or POST requests to attack a web server or application.

DDoS Protection Techniques

Reduce Attack Surface Area

One of the first techniques to mitigate DDoS attacks is to minimise the surface area that can be attacked, thereby limiting the options for attackers and allowing you to build protections in a single place. Make sure you do not expose your application or resources on ports, protocols or applications where you do not expect any communication. This minimises the possible points of attack and lets you concentrate your mitigation efforts.

Plan for Scale

Most DDoS attacks are volumetric attacks that consume a lot of resources. It is therefore important that you can quickly scale your compute resources up or down.

Know the usual traffic pattern

It is important to know the usual traffic patterns of your application and to set threshold limits based on them, so that you can identify any unusual spike and take the necessary actions, while auto scaling of the resources keeps the application running without interrupting legitimate traffic.
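To make "know the usual traffic pattern" concrete, here is a small added example (it is not from the original article) that derives a threshold from a baseline of requests per minute and labels each observed minute as normal or a spike. The baseline numbers and the observed series are constructed sample data, and the rule (mean plus K standard deviations, with a floor of twice the mean so a very flat baseline does not produce an over-sensitive threshold) is an assumption you would tune for your own application.

```python
"""Spike detection against a known traffic baseline (added example).

Assumed input: request counts per minute for one application. A minute is
flagged as a spike when it exceeds a threshold derived from a quiet-period
baseline. Both data series below are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed baseline: requests per minute during a quiet period.
BASELINE_RPM = [118, 124, 131, 120, 127, 122, 130, 119, 126, 123, 128, 121]

# Constructed observation window: a normal start, then a flood, then recovery.
OBSERVED_RPM = [125, 133, 140, 610, 2450, 129]


def compute_threshold(baseline, k=3.0, floor_multiplier=2.0):
    """Return the requests-per-minute level above which traffic is unusual.

    Uses max(mean + k * stddev, floor_multiplier * mean): the statistical
    bound catches drift, while the floor keeps a very flat baseline (tiny
    stddev) from flagging harmless day-to-day variation.
    """
    mu = mean(baseline)
    sigma = pstdev(baseline)
    return max(mu + k * sigma, floor_multiplier * mu)


def analyse(observed, baseline, k=3.0, floor_multiplier=2.0):
    """Label each observed minute and report how far above baseline it sits.

    Returns a list of (minute_index, rpm, label, times_baseline) tuples,
    where label is 'spike' or 'normal'.
    """
    threshold = compute_threshold(baseline, k, floor_multiplier)
    mu = mean(baseline)
    report = []
    for i, rpm in enumerate(observed):
        label = "spike" if rpm > threshold else "normal"
        report.append((i, rpm, label, round(rpm / mu, 1)))
    return report


def spike_minutes(observed, baseline):
    """Convenience: indices of the minutes that breached the threshold."""
    return [i for i, _, label, _ in analyse(observed, baseline) if label == "spike"]


if __name__ == "__main__":
    print(f"threshold: {compute_threshold(BASELINE_RPM):.1f} requests/min")
    for minute, rpm, label, ratio in analyse(OBSERVED_RPM, BASELINE_RPM):
        print(f"minute {minute}: {rpm:>5} rpm  {label:<6} ({ratio}x baseline)")
```

The output of a check like this is what should drive the alert and the auto-scaling decision described above: a minute at two or three times the baseline is a signal to look at, not yet proof of an attack, so the threshold belongs in configuration rather than hard-coded.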

Firewalls and Rate Limiting

It is always best practice to build strong firewall rules, which regulate access to your networks: with firewall rules you determine what is allowed in and out of your network. In addition, implementing rate limiting lets you configure the maximum number of requests allowed from a single source IP, which helps block the huge number of spam requests coming to the web application.
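As an added example of the rate-limiting idea (not code from the original article), the block below applies a sliding-window limit per source IP to a constructed access-log excerpt and reports which requests would have been blocked. The log format (Unix timestamp, client IP, method, path) and the policy of at most 5 requests per 10 seconds per IP are assumptions chosen for the demonstration; in practice the same logic sits in a reverse proxy or WAF rather than a script.

```python
"""Per-source-IP sliding-window rate limiting over access-log lines (added example).

Assumed log format per line: '<unix_ts> <client_ip> <method> <path>'.
Policy (assumed): at most MAX_REQUESTS per WINDOW_SECONDS per source IP.
Only allowed requests count toward the window, so a client that keeps
hammering while blocked is not punished forever once it slows down.
"""
from collections import defaultdict, deque

MAX_REQUESTS = 5      # assumed policy value
WINDOW_SECONDS = 10   # assumed policy value

# Constructed sample: a normal client (10.0.0.5) and a noisy client (203.0.113.9).
SAMPLE_LOG = """\
1696291200 10.0.0.5 GET /
1696291201 203.0.113.9 GET /login
1696291201 203.0.113.9 GET /login
1696291202 203.0.113.9 GET /login
1696291202 203.0.113.9 GET /login
1696291203 203.0.113.9 GET /login
1696291203 203.0.113.9 GET /login
1696291204 10.0.0.5 GET /healthz
1696291215 203.0.113.9 GET /login
"""


def parse_log(text):
    """Yield (timestamp, ip, method, path); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, method, path = parts
        yield int(ts), ip, method, path


class SlidingWindowLimiter:
    """Tracks the timestamps of recently allowed requests for each source IP."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # ip -> deque of allowed timestamps

    def allow(self, ip, ts):
        """Return True if the request at time ts is within the limit for ip."""
        q = self._hits[ip]
        # Evict timestamps that have fallen out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(ts)
        return True


def apply_limits(log_text, max_requests=MAX_REQUESTS, window_seconds=WINDOW_SECONDS):
    """Run the limiter over a log and return (ts, ip, path, verdict) per request."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    decisions = []
    for ts, ip, method, path in parse_log(log_text):
        verdict = "allowed" if limiter.allow(ip, ts) else "blocked"
        decisions.append((ts, ip, path, verdict))
    return decisions


def blocked_counts(decisions):
    """Number of blocked requests per source IP (IPs with none are omitted)."""
    counts = defaultdict(int)
    for _, ip, _, verdict in decisions:
        if verdict == "blocked":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    results = apply_limits(SAMPLE_LOG)
    for ts, ip, path, verdict in results:
        print(f"{ts} {ip:<14} {path:<10} {verdict}")
    print("blocked per IP:", blocked_counts(results))
```

Note what the sample shows: the sixth request from 203.0.113.9 inside the window is blocked, but its request twelve seconds later is allowed again because the earlier timestamps have aged out. That is the behaviour you want from a limiter protecting a login or health-check endpoint; a threshold set from your real traffic baseline replaces the assumed 5-per-10-seconds here.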
