Fighting Back Against DDoS Attacks

Engineering resilience into your applications and services

John James
May 9, 2019 · 7 min read

If you search for DDoS (Distributed Denial of Service) attacks online, you will be surprised at how common they have become. In 2018, GitHub absorbed the largest DDoS attack recorded to date, peaking at 1.35 Tbps; fortunately, it only affected the availability of their service for around ten minutes. The Danish Railway was less fortunate when a DDoS took out their ticketing system for two days, affecting around 15,000 commuters.

There are many companies with services and software designed to combat DDoS attacks and protect your site. However, relying solely on these companies is not enough, especially against an application-layer DDoS attack, where the incoming requests look just like your site’s normal traffic. I will show you five areas where software engineers can build resilience into their applications and services in order to better defend against an attack. These are:

  • How to trust your traffic
  • Rate limiting your requests
  • Boundary checking your APIs
  • The importance of an effective circuit breaker strategy
  • Being quick to fix

What is a DDoS attack?

World view showing the origins of an actual DDoS attack on Vrbo

What can engineers do?

1. Trust the right traffic

2. Rate-limit your requests

  • Known vs anonymous users/clients
  • Session
  • Brute force requests with invalid identifiers or parameters
  • Network identifiers such as IPs/ASNs
  • Per client or at the account level
  • By bot classification

This is not a foolproof system, but it can be a good defensive tool to have at your disposal. Warning: rate limiting can potentially affect your business, so it is not necessary to keep it turned on at all times. Try using runtime configs or even your A/B test framework to enable rate limiting quickly when under attack.

Finally, with the increasing popularity of front-end API simplification technologies like GraphQL and Falcor, each client request can be magnified into N requests on the server. This highlights the importance of securing and rate-limiting these endpoints.

Image: https://http.cat/429 (HTTP 429 Too Many Requests)
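As an added example (not code from the original article or from Vrbo/HomeAway), here is a token-bucket rate limiter that applies the keys listed above: known clients are budgeted by client ID, anonymous clients by IP, and requests that fail validation (a brute-force probe with an invalid identifier) cost extra tokens so they exhaust their budget sooner. The limiter starts disabled and is flipped on by a runtime flag, mirroring the advice to enable it only when under attack. All rates, burst sizes, client IDs and IP addresses are constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # clock reading at the last refill


class FakeClock:
    """Constructed clock so the limiter can be exercised deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class RateLimiter:
    """Token-bucket limiter keyed by client identity.

    Known (authenticated) clients get a larger budget keyed by client ID;
    anonymous traffic is keyed by source IP with a smaller budget. Requests
    that fail validation cost `invalid_cost` tokens instead of one, so a
    stream of guessed identifiers is throttled faster than normal traffic.
    The `enabled` flag is the runtime switch: off by default, turned on
    during an attack without a deploy. (Assumed parameter values.)
    """
    def __init__(self, *, known_rate=10.0, known_burst=20, anon_rate=2.0,
                 anon_burst=5, invalid_cost=3, clock=time.monotonic):
        self.enabled = False
        self.known = (known_rate, known_burst)
        self.anon = (anon_rate, anon_burst)
        self.invalid_cost = invalid_cost
        self.clock = clock
        self.buckets = {}

    def configure(self, enabled):
        """Runtime toggle, e.g. driven by a config service or A/B flag."""
        self.enabled = enabled

    def allow(self, *, ip, client_id=None, valid_request=True):
        """Return True if the request may proceed, False if it should get a 429."""
        if not self.enabled:
            return True
        if client_id:
            key, (rate, burst) = ("client", client_id), self.known
        else:
            key, (rate, burst) = ("ip", ip), self.anon
        now = self.clock()
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(tokens=float(burst), last=now)
        # Refill proportionally to elapsed time, capped at the burst size.
        bucket.tokens = min(burst, bucket.tokens + (now - bucket.last) * rate)
        bucket.last = now
        cost = 1 if valid_request else self.invalid_cost
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True
        return False


if __name__ == "__main__":
    clk = FakeClock()
    rl = RateLimiter(clock=clk, anon_rate=1.0, anon_burst=3)
    rl.configure(True)
    print([rl.allow(ip="198.51.100.8") for _ in range(4)])  # three allowed, then 429
```

The per-key buckets live in process memory here; in a fleet you would back them with a shared store so every instance sees the same budget, but the accounting logic is the same.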

3. Boundary-check your APIs

4. Use an effective circuit breaker strategy

  • What is the user experience when your service’s circuit breakers trip?
  • Which other services are affected when the circuit breaker trips?
  • What is your fallback or corrective-action strategy?
  • Is your circuit breaker fine-grained enough to limit the impact?
  • Are you measuring how often your circuit breakers are tripping?

In a recent DDoS attack, a circuit breaker for a service which powered a critical API for an externally-connected customer tripped. Only one customer was targeted, but unfortunately, all partners were affected when the circuit breaker tripped. Having a more finely-grained circuit breaker strategy in this case would have resulted in a better user experience, limiting the blast radius.
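To make the blast-radius point concrete, here is an added example (not the article's or Vrbo's code) of a circuit breaker with a registry that can key breakers either per dependency only (coarse) or per dependency and partner (fine-grained). The scenario is constructed: one partner's traffic makes the upstream time out, and the two strategies are compared on what the untargeted partners see. It also counts how often each breaker trips, which answers the last question in the list above. Names such as `availability-api` and the partner labels are placeholders.

```python
import time
from enum import Enum


class State(Enum):
    CLOSED = "closed"
    OPEN = "open"
    HALF_OPEN = "half_open"


class FakeClock:
    """Constructed clock so the breaker's reset timeout can be tested deterministically."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class CircuitBreaker:
    def __init__(self, name, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.name = name
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = 0.0
        self.trip_count = 0  # metric: how often this breaker has tripped

    def call(self, fn, fallback):
        """Run fn() through the breaker; serve fallback() when open or on failure."""
        if self.state is State.OPEN:
            if self.clock() - self.opened_at < self.reset_timeout:
                return fallback()
            self.state = State.HALF_OPEN  # let one probe request through
        try:
            result = fn()
        except Exception:
            self._on_failure()
            return fallback()
        self.failures = 0
        self.state = State.CLOSED
        return result

    def _on_failure(self):
        self.failures += 1
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = State.OPEN
            self.opened_at = self.clock()
            self.trip_count += 1


class BreakerRegistry:
    """One breaker per (dependency, partition) so one partner's failing path
    does not open the circuit for every partner."""
    def __init__(self, **breaker_kwargs):
        self.breakers = {}
        self.kw = breaker_kwargs

    def get(self, dependency, partition):
        key = (dependency, partition)
        if key not in self.breakers:
            self.breakers[key] = CircuitBreaker(f"{dependency}[{partition}]", **self.kw)
        return self.breakers[key]


def run_scenario(fine_grained, clock=None):
    """Constructed scenario: 'partner-attacked' times out upstream; others are healthy.
    Returns (outcomes per partner, registry) for inspection."""
    registry = BreakerRegistry(failure_threshold=3, reset_timeout=30.0,
                               clock=clock or FakeClock())

    def upstream(partner):
        if partner == "partner-attacked":
            raise TimeoutError("upstream timed out")  # constructed failure
        return f"ok:{partner}"

    outcomes = {}
    for partner in ["partner-attacked"] * 3 + ["partner-a", "partner-b"] * 2:
        partition = partner if fine_grained else "all"
        cb = registry.get("availability-api", partition)
        outcomes.setdefault(partner, []).append(cb.call(lambda: upstream(partner), lambda: "fallback"))
    return outcomes, registry


if __name__ == "__main__":
    print("coarse:", run_scenario(fine_grained=False)[0])
    print("fine:  ", run_scenario(fine_grained=True)[0])
```

With the coarse key, three timeouts from the targeted partner trip the shared breaker and every partner is served the fallback; with the per-partner key, only the targeted partner's breaker opens and the rest keep getting live responses.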

5. Be quick to fix


Final thoughts

  1. Trust your traffic by measuring against business KPIs
  2. Rate-limit your requests when under attack
  3. Boundary-check your APIs against poison pills
  4. Deploy an effective circuit breaker strategy
  5. Always be quick to fix

When engineers take responsibility for defending their architecture against a DDoS attack, they reduce the impact of any attack. Remember that a layered defense is the best defense.

HomeAway Tech Blog

Software and data science revolutionizing vacations
