What is a DDoS Attack?
A Denial of Service (DoS) attack is an attempt to make a targeted system, such as a website or application, unavailable to its legitimate users. Attackers typically generate large numbers of requests or packets that eventually overwhelm the target system. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or otherwise controlled sources to generate the attack traffic.
DDoS attacks can generally be separated by the layer of the Open Systems Interconnection (OSI) model that they attack. They are most prevalent at Layers 3, 4, 6 and 7: Network (Layer 3), Transport (Layer 4), Presentation (Layer 6) and Application (Layer 7).
Open Systems Interconnection (OSI) Model:
| # | Layer | Unit | Description | Example of Vector |
|---|-------|------|-------------|-------------------|
| 7 | Application | Data | Network process to application | HTTP floods, DNS query floods |
| 6 | Presentation | Data | Data representation and encryption | SSL abuse |
| 5 | Session | Data | Interhost communication | |
| 4 | Transport | Segments | End-to-end connections and reliability | SYN floods |
| 3 | Network | Packets | Path determination and logical addressing | UDP reflection attacks |
| 2 | Data Link | Frames | Physical addressing | |
| 1 | Physical | Bits | Media, signal, and binary transmission | |
DDoS Attack Classification
When considering mitigation strategies against these attacks, it is helpful to classify them as Infrastructure Layer (Layers 3 and 4) and Application Layer (Layers 6 and 7) attacks.
Infrastructure Layer Attacks
Layer 3 and 4 attacks are often referred to as Infrastructure layer attacks. These are the most common type of DDoS attack. They include vectors such as synchronized (SYN) floods and reflection attacks such as User Datagram Protocol (UDP) floods. These attacks tend to be large in volume and aim to overburden the capacity of the network or the application servers. Because they have clear signatures, they are easier to detect.
Application Layer Attacks
Attacks at Layer 6 or 7 are often called Application layer attacks. They are less common than infrastructure layer attacks, but also more complex. These attacks are usually smaller in volume, but they target expensive parts of an application, making it unavailable to real users. Examples include a flood of HTTP requests to a login page, an expensive search API, or WordPress XML-RPC floods (also known as WordPress pingback attacks).
DDoS Protection Techniques
Reduce Attack Surface Area
DDoS attacks can be mitigated by minimizing the attack surface area. This limits the attackers' options and lets you build protections in one place. Make sure that your application and resources are not exposed on protocols, ports, or applications from which they do not expect communication; this reduces the potential points of attack and lets you focus your mitigation efforts. You can restrict direct Internet traffic to specific parts of your infrastructure, such as your database servers, by placing your computation resources behind Content Distribution Networks (CDNs) or load balancers. In other cases, you can use firewalls or Access Control Lists (ACLs) to control what traffic reaches your applications.
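The ACL idea above, as an added example that is not part of the original article: an ordered rule list with a default deny, applied to a few constructed flows. The subnets (an application tier on 10.0.1.0/24), the ports (443 public, 5432 only from the application tier), the rules and the sample flows are all constructed for illustration; the `internet_exposed_ports` helper is hypothetical and simply reports what the rule set leaves reachable from any source.

```python
"""Stateless ACL evaluator for the "expose only what you expect" principle.

Added example, not from the original article. The subnets, ports, rules and
sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    dst_port: Optional[int]           # None matches any destination port
    src_net: ipaddress.IPv4Network    # source prefix the rule applies to
    comment: str = ""


ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
APP_SUBNET = ipaddress.ip_network("10.0.1.0/24")   # constructed: application tier

# Ordered rule list, first match wins, ending in an explicit default deny.
RULES = [
    Rule("allow", "tcp", 443, ANYWHERE, "public HTTPS, fronted by the load balancer"),
    Rule("allow", "tcp", 5432, APP_SUBNET, "PostgreSQL reachable only from app servers"),
    Rule("deny", "any", None, ANYWHERE, "default deny"),
]


def evaluate(rules, proto, src_ip, dst_port):
    """Return (action, comment) of the first rule matching the flow; deny if none does."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if src not in r.src_net:          # an IPv6 source never matches an IPv4 prefix
            continue
        return r.action, r.comment
    return "deny", "implicit deny"


def internet_exposed_ports(rules):
    """Ports an allow rule opens to any source: the surface left for volumetric traffic."""
    return sorted({r.dst_port for r in rules
                   if r.action == "allow" and r.src_net == ANYWHERE and r.dst_port is not None})


if __name__ == "__main__":
    # Constructed sample flows: (protocol, source IP, destination port).
    flows = [("tcp", "203.0.113.7", 443), ("tcp", "203.0.113.7", 5432),
             ("tcp", "10.0.1.15", 5432), ("udp", "10.0.1.15", 5432)]
    for proto, ip, port in flows:
        print(f"{proto:<4}{ip:<16}{port:<6}-> {evaluate(RULES, proto, ip, port)}")
    print("internet-exposed ports:", internet_exposed_ports(RULES))
```

The rule order matters: the database rule is narrower than the default deny, so it must come first, and `internet_exposed_ports` is the quick check that only the port you intend (here 443) is reachable from the whole Internet.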
Scale
Two key factors in mitigating large-scale volumetric DDoS attacks are bandwidth (transit) capacity and server capacity to absorb or mitigate the attack.
Traffic capacity. When designing your applications, make sure you have enough redundant Internet connectivity to handle large volumes of traffic. Since the ultimate objective of a DDoS attack is to affect the availability of your resources and applications, locate them not only close to your end users but also near large Internet exchanges, which gives your users easy access to your application even during high volumes of traffic. Web applications can go a step further by employing Content Distribution Networks (CDNs) and smart DNS resolution services, which provide an additional layer of network infrastructure for serving content and resolving DNS queries from locations that are often closer to your end users.
Server capacity. Most DDoS attacks are volumetric and consume a lot of resources, so it is important to be able to quickly scale your computation resources up and down. This can be achieved by using larger computing resources, or resources with more extensive network interfaces that support higher volumes. Load balancers are used to shift load between resources so that no single resource is overloaded.
Learn about normal and unusual traffic
Whenever we detect elevated levels of traffic hitting a host, the baseline is to accept only as much traffic as the host can handle without affecting availability. This concept is called rate limiting. More advanced protection techniques go a step further and intelligently accept only legitimate traffic by analyzing the individual packets themselves. This requires you to understand the characteristics of the good traffic the target usually receives and to be able to compare each packet against that baseline.
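Both ideas in the paragraph above, rate limiting and comparison against a traffic baseline, as an added example that is not from the original article: a per-source token bucket that admits only as many requests as the host is configured to serve, plus a simple statistical baseline that flags sources whose request rate is far above what is normally seen. The traffic window, the client addresses, the baseline rates and the bucket parameters (2 requests per second, burst of 5) are constructed for illustration.

```python
"""Rate limiting and baseline comparison for a flood against a single host.

Added example, not from the original article. Two building blocks from the text:
  1. a per-source token bucket that admits only as many requests as the host can serve;
  2. a baseline of normal per-source request rates used to flag sources far above it.
All traffic and baseline figures are constructed; timestamps are seconds.
"""
from collections import defaultdict
from statistics import mean, pstdev


class TokenBucket:
    """Refills `rate` tokens per second, stores at most `burst`; one request costs one token."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def rate_limit(requests, rate, burst):
    """One bucket per source IP; returns {ip: [accepted, dropped]} over the request list."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(requests):          # buckets must see requests in time order
        stats[ip][0 if buckets[ip].allow(ts) else 1] += 1
    return dict(stats)


def per_source_rates(requests, window):
    """Requests per second per source over a window of `window` seconds."""
    counts = defaultdict(int)
    for _, ip in requests:
        counts[ip] += 1
    return {ip: n / window for ip, n in counts.items()}


def flag_outliers(baseline_rates, observed_rates, k=3.0):
    """Sources whose rate exceeds baseline mean + k standard deviations, and that threshold."""
    threshold = mean(baseline_rates) + k * pstdev(baseline_rates)
    return sorted(ip for ip, r in observed_rates.items() if r > threshold), threshold


# Constructed baseline: per-client request rates (req/s) observed during a quiet period.
BASELINE_RATES = [1.0, 1.0, 1.2, 0.8, 1.1]


def sample_traffic():
    """Constructed 10 s window: three normal clients plus one source flooding the host."""
    reqs = []
    for i in range(10):
        reqs += [(i + 0.1, "198.51.100.10"), (i + 0.4, "198.51.100.11"), (i + 0.7, "198.51.100.12")]
    reqs += [(j * 0.02, "203.0.113.99") for j in range(500)]   # 50 req/s from one source
    return reqs


if __name__ == "__main__":
    reqs = sample_traffic()
    for ip, (ok, dropped) in rate_limit(reqs, rate=2.0, burst=5).items():
        print(f"{ip:<16} accepted={ok:<4} dropped={dropped}")
    flagged, thr = flag_outliers(BASELINE_RATES, per_source_rates(reqs, window=10.0))
    print(f"threshold={thr:.2f} req/s, flagged={flagged}")
```

The bucket lets the normal clients through untouched while capping the flooding source at roughly the configured rate; the baseline check is what tells you which source to look at. Note that `pstdev` of a constant baseline is zero, so the threshold collapses to the mean and anything above it is flagged; collect a baseline with real variance before relying on it.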
Firewalls to Protect Against Sophisticated Application Attacks
A good practice is to use a Web Application Firewall (WAF) against attacks, such as SQL injection or cross-site request forgery, that attempt to exploit a vulnerability in your application itself. Additionally, because of the unique nature of these attacks, you should be able to easily create customized mitigations against illegitimate requests, which may have characteristics such as disguising themselves as good traffic or coming from bad IPs, unexpected geographies, and so on. While an attack is in progress, it can also help to get experienced support to analyze traffic patterns and design customized protections.