DDoS Protection
Types of DDoS attacks, mitigation strategies: rate limiting, CDN absorption, anycast routing, auto-scaling, and WAF rules.
Understanding DDoS Attacks
A Distributed Denial of Service (DDoS) attack aims to make your service unavailable by overwhelming it with traffic from many sources at once. A DoS attack from a single source can be stopped with one firewall rule; a DDoS attack uses a botnet, a network of thousands or millions of compromised devices (increasingly routers, cameras and other IoT gear), so blocking individual IPs never keeps up. DDoS attacks are categorized by the layer they target and by the resource they exhaust, which together determine the appropriate mitigation strategy.
| Layer | Attack Type | Example | What's Exhausted | Mitigation |
|---|---|---|---|---|
| 3 (Network) | Volumetric flood | UDP flood, ICMP flood | Network bandwidth | CDN/scrubbing absorption, anycast |
| 3/4 (Network/Transport) | Reflection/amplification | DNS (roughly 30–50x), NTP monlist (~556x), memcached (10,000x+) | Victim's bandwidth | BCP38 source-address filtering at ISPs, Response Rate Limiting (RRL) on DNS servers, anycast |
| 4 (Transport) | Protocol attack | SYN flood, ACK flood | TCP connection table, firewall state | SYN cookies, stateless LB |
| 7 (Application) | HTTP flood | GET flood, POST flood against expensive endpoints | Web server connections/CPU, database | WAF, rate limiting, CAPTCHA |
| 7 (Application) | Slow-and-low | Slowloris (slow headers), slow POST, slow read | Server connection/thread pool | Timeout tuning, connection limits |
Defense Strategy: Layered Mitigation
No single control defeats all DDoS types. Effective protection requires defense in depth across multiple layers, each protecting against a different attack category.
CDN and Anycast Absorption
The most effective defense against volumetric attacks is absorbing traffic at the edge before it reaches your origin. CDNs such as Cloudflare (over 100 Tbps of network capacity), Akamai, and AWS CloudFront operate Points of Presence (PoPs) worldwide with far more aggregate bandwidth than any single origin. With anycast routing the same IP address is announced via BGP from every PoP, so each bot's packets are delivered to the PoP topologically closest to that bot. A globally distributed botnet therefore spreads its own traffic across the whole edge network, and no single location receives the full attack. The flip side is worth knowing: a botnet concentrated in one region lands on the PoPs of that region, so the absorbing capacity that matters is regional, not the global total.
Keep Your Origin IP Secret
If attackers learn your origin IP, they can bypass the CDN and attack the origin directly. Common leaks: historical DNS records from before you moved behind the CDN, certificate transparency logs (a certificate issued for the origin's own hostname), subdomains that are not proxied (mail, ftp, dev), email headers from a mail server on the same address, and error pages or redirects that embed the origin hostname. Keep the origin private: accept traffic on the web ports only from the CDN's published IP ranges (and refresh that list on a schedule, since providers change it), trust forwarded-client-IP headers only on connections that actually arrive from those ranges, prefer CDN-authenticated origin pulls (mutual TLS, e.g. Cloudflare's Authenticated Origin Pulls) where the provider supports them, and never use the origin address for anything that exposes it, such as sending email directly. If the origin IP has already leaked, change it; the firewall buys time, but the old address stays in attackers' notes.
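The two origin-side controls above, an allowlist of CDN ranges and header trust that depends on it, as an added example (not code from the original lesson or from any CDN provider). The CIDR ranges are constructed documentation prefixes standing in for a real provider's egress list, and the forwarding header name and the rightmost-entry rule are assumptions about how the CDN appends the client address.

```python
import ipaddress

# Constructed sample ranges standing in for a CDN's published egress list
# (documentation prefixes, not any real provider's). In production, pull the
# CDN's current list on a schedule: providers add and retire prefixes.
CDN_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Header the CDN uses to carry the real client address. Assumed name; it also
# assumes the CDN appends the address it saw, so the rightmost entry is the
# one the CDN vouches for and anything left of it is client-supplied.
CLIENT_IP_HEADER = "x-forwarded-for"


def build_allowlist(cidrs):
    """Parse CIDR strings once; ip_network(strict=True) rejects malformed prefixes early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_cdn(src_ip, allowlist):
    """True only when the connection's source address lies inside a CDN prefix."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowlist)


def real_client_ip(src_ip, headers, allowlist):
    """Return (address to rate-limit/log on, came_via_cdn).

    Only a connection that really arrives from the CDN may vouch for a client
    address via the forwarding header. A direct hit on the origin gets its
    header ignored, so an attacker who found the origin IP cannot spoof a
    different client address to dodge per-IP limits or poison logs.
    """
    if not is_from_cdn(src_ip, allowlist):
        return src_ip, False
    forwarded = headers.get(CLIENT_IP_HEADER, "")
    candidates = [p.strip() for p in forwarded.split(",") if p.strip()]
    if not candidates:
        return src_ip, True
    try:
        return str(ipaddress.ip_address(candidates[-1])), True
    except ValueError:
        return src_ip, True  # garbage in the header: fall back to the CDN address


def nftables_ruleset(allowlist, ports=(80, 443)):
    """Emit an nft script that drops web-port traffic not coming from CDN ranges.

    The origin keeps answering the CDN and silently drops direct hits, so a
    leaked origin address is not attackable at the application layer. Other
    ports (e.g. SSH on a management network) are left to their own rules.
    """
    port_set = ", ".join(str(p) for p in ports)
    sets, rules = [], []
    for family, version, name in (("ip", 4, "cdn_v4"), ("ip6", 6, "cdn_v6")):
        nets = [str(n) for n in allowlist if n.version == version]
        if not nets:
            continue  # nft rejects an empty element list
        addr_type = "ipv4_addr" if version == 4 else "ipv6_addr"
        sets.append(f"  set {name} {{ type {addr_type}; flags interval; "
                    f"elements = {{ {', '.join(nets)} }} }}")
        rules.append(f"    tcp dport {{ {port_set} }} {family} saddr @{name} accept")
    lines = [
        "table inet origin_guard {",
        *sets,
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        *rules,
        f"    tcp dport {{ {port_set} }} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    allow = build_allowlist(CDN_CIDRS)
    print(real_client_ip("203.0.113.9", {"x-forwarded-for": "198.18.0.1, 192.0.2.77"}, allow))
    print(real_client_ip("192.0.2.5", {"x-forwarded-for": "10.0.0.1"}, allow))
    print(nftables_ruleset(allow))
```

The generated script is loaded with `nft -f`; regenerate and reload it whenever the CDN's range list changes, and keep a separate accept rule for the health-check or management path so a stale list cannot lock you out.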
Layer 4 Defenses: SYN Cookies and Connection Limits
SYN cookies solve the SYN flood problem by keeping no server-side state for half-open connections. Instead of allocating a connection-table entry on every SYN, the server encodes what it needs into the Initial Sequence Number (ISN) of its SYN-ACK: a coarse timestamp counter, an index into a small table of MSS values, and a keyed hash (SipHash in current Linux) over the client and server addresses and ports and that counter. A real client acknowledges ISN+1, and the server recomputes the hash from the returned ACK to recover the connection parameters; a forged or stale cookie fails the check. Spoofed SYNs in a flood therefore consume no memory at all. The trade-off is that the cookie has no room for TCP options such as window scaling and SACK; Linux recovers those from the TCP timestamp option when the client sends one. Linux has shipped SYN cookies since 1996 (`net.ipv4.tcp_syncookies`, which defaults to 1, meaning cookies are used only once the SYN backlog fills).
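The encode/verify round trip described above, as an added example written for this page (not kernel code). The 5-bit counter, 3-bit MSS index and 24-bit hash layout follows the classic design; the MSS table, the HMAC-SHA256 in place of SipHash, the per-process secret and the one-tick freshness window are assumptions chosen to keep the example self-contained.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Simplified MSS table (same idea as Linux's msstab: the cookie has no room
# for the full MSS, so only a small index is stored). Assumed values.
MSS_TABLE = (536, 1300, 1440, 1460)

# Per-process secret standing in for the kernel's per-boot key. Constructed.
SYNCOOKIE_SECRET = secrets.token_bytes(32)


def _hash24(secret, saddr, sport, daddr, dport, counter, mss_idx):
    """24-bit keyed hash binding the 4-tuple, the time counter and the MSS
    index. Without the secret an attacker cannot mint a cookie that verifies."""
    msg = struct.pack(
        "!4sH4sHQB",
        ipaddress.IPv4Address(saddr).packed, sport,
        ipaddress.IPv4Address(daddr).packed, dport,
        counter, mss_idx,
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def mss_index(client_mss):
    """Largest table entry not exceeding what the client advertised in its SYN."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(saddr, sport, daddr, dport, client_mss, counter, secret=SYNCOOKIE_SECRET):
    """Build the ISN for the SYN-ACK. 32-bit layout: top 5 bits = counter mod 32
    (one tick per ~minute in Linux), next 3 bits = MSS index, low 24 bits = hash.
    Nothing is stored on the server after this returns."""
    idx = mss_index(client_mss)
    h = _hash24(secret, saddr, sport, daddr, dport, counter, idx)
    return ((counter & 0x1F) << 27) | (idx << 24) | h


def check_cookie(saddr, sport, daddr, dport, ack_seq, counter_now,
                 secret=SYNCOOKIE_SECRET, max_age=1):
    """Validate the ACK that completes the handshake. Returns the MSS to use for
    the connection, or None if the cookie is stale or forged."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    age = (counter_now - t) & 0x1F           # ticks elapsed, modulo the 5-bit field
    if age > max_age:
        return None                          # stale (or wrapped) cookie
    counter_then = counter_now - age         # reconstruct the full counter
    expected = _hash24(secret, saddr, sport, daddr, dport, counter_then, idx)
    # Constant-time compare: a 24-bit hash is also what stops a wrapped counter
    # from being accepted, since counter_then would differ by a multiple of 32.
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    isn = make_cookie("192.0.2.10", 40000, "203.0.113.1", 443, 1460, counter=7)
    print(hex(isn), check_cookie("192.0.2.10", 40000, "203.0.113.1", 443, isn + 1, counter_now=7))
```

The freshness window is what bounds replay: a captured SYN-ACK can be replayed only until the counter moves past `max_age` ticks, and because the hash covers the full counter rather than its low 5 bits, a cookie from 32 ticks ago does not verify even though its time field matches.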
Layer 7 Defenses: WAF and Bot Detection
HTTP floods and slow-and-low attacks pass through network-layer defenses because each request arrives on a fully established TCP connection, usually with a completed TLS handshake as well, so by the time the server can tell the traffic apart it has already paid for the connection. Defenses include: per-IP rate limiting (as covered in the previous lesson), WAF rules for bot signatures (missing Accept-Language or Accept-Encoding headers, automation User-Agents, header order that no browser produces, abnormal request timing), CAPTCHA or JavaScript challenges for suspicious clients, and behavioral analysis that flags sources sending requests at perfectly metered intervals, a machine pattern that human-driven browsing does not show. Two caveats: a large botnet can keep every bot under a per-IP threshold, so combine per-IP limits with per-endpoint budgets and with signals that do not depend on the source address; and against slow-and-low attacks the lever is the server itself, with short header and body read timeouts, caps on concurrent connections per client, and a reverse proxy that buffers complete requests before handing them to application workers.
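The behavioral and header checks above, run over access-log lines, as an added example written for this page (not the lesson's own code or any WAF product's logic). The log format, the sample lines, the automation User-Agent list and every threshold are constructed assumptions; a real deployment would tune them against its own traffic.

```python
import shlex
import statistics
from collections import defaultdict

# Constructed access-log lines in a simplified format (not any real server's):
# epoch_seconds client_ip method path status "user-agent" "accept-language"
# 198.51.100.23 is a scripted client hammering /login; 203.0.113.7 is a browser.
SAMPLE_LOG = """\
1714560000.000 198.51.100.23 GET /login 200 "python-requests/2.31" "-"
1714560000.500 198.51.100.23 GET /login 200 "python-requests/2.31" "-"
1714560001.000 198.51.100.23 GET /login 200 "python-requests/2.31" "-"
1714560001.500 198.51.100.23 GET /login 200 "python-requests/2.31" "-"
1714560002.000 198.51.100.23 GET /login 200 "python-requests/2.31" "-"
1714560002.500 198.51.100.23 GET /login 200 "python-requests/2.31" "-"
1714560000.200 203.0.113.7 GET / 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" "en-US,en;q=0.9"
1714560001.500 203.0.113.7 GET /static/app.js 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" "en-US,en;q=0.9"
1714560001.900 203.0.113.7 GET /api/me 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" "en-US,en;q=0.9"
1714560004.600 203.0.113.7 POST /api/cart 201 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" "en-US,en;q=0.9"
1714560005.500 203.0.113.7 GET /checkout 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0" "en-US,en;q=0.9"
"""

# Assumed thresholds; tune against real traffic before enforcing anything.
AUTOMATION_UA = ("python-requests", "curl/", "go-http-client", "wget/", "scrapy")
MIN_REQUESTS = 5      # timing statistics need a few samples to mean anything
METERED_CV = 0.05     # coefficient of variation of inter-request gaps below this = machine-timed
BURST_RPS = 2.0       # sustained requests per second from one source


def parse_log(text):
    """Parse the constructed format; shlex handles the quoted header fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status, ua, lang = shlex.split(line)
        records.append({"ts": float(ts), "ip": ip, "method": method, "path": path,
                        "status": int(status), "ua": ua, "lang": lang})
    return records


def per_ip_signals(records):
    """Return {ip: [signal, ...]} with an entry for every source, empty if clean."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    signals = {}
    for ip, reqs in by_ip.items():
        found = []
        reqs.sort(key=lambda r: r["ts"])
        # Header signals: browsers always send Accept-Language; scripts often do not.
        if all(r["lang"] in ("", "-") for r in reqs):
            found.append("missing_accept_language")
        if any(any(k in r["ua"].lower() for k in AUTOMATION_UA) for r in reqs):
            found.append("automation_user_agent")
        # Behavioral signals need enough requests to be statistically meaningful.
        if len(reqs) >= MIN_REQUESTS:
            span = reqs[-1]["ts"] - reqs[0]["ts"]
            if span > 0 and len(reqs) / span > BURST_RPS:
                found.append("burst_rate")
            gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
            mean = statistics.fmean(gaps)
            # Humans produce jittery gaps; a CV near zero means a timer fired them.
            if mean > 0 and statistics.pstdev(gaps) / mean < METERED_CV:
                found.append("metered_timing")
        signals[ip] = found
    return signals


def is_suspicious(found, min_signals=2):
    """Require two independent signals before challenging, to limit false positives."""
    return len(found) >= min_signals


if __name__ == "__main__":
    for ip, found in per_ip_signals(parse_log(SAMPLE_LOG)).items():
        print(ip, "CHALLENGE" if is_suspicious(found) else "allow", found)
```

The output of `is_suspicious` is a challenge decision (CAPTCHA or JavaScript proof-of-work), not a block: a shared NAT address can trip `burst_rate` legitimately, which is why the example demands a second, address-independent signal before acting.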
Auto-Scaling: Useful but Limited
Auto-scaling is effective against Layer 7 application floods that genuinely stress your compute resources. If attackers send expensive database queries or CPU-intensive operations, adding more application servers distributes the load. However, auto-scaling has limits: it takes time (typically 2–5 minutes to launch a new instance), attackers scale their attack in response, and at some point, the cost of defending becomes prohibitive. Auto-scaling is never sufficient alone — it must be combined with upstream filtering.
Managed DDoS Protection Services
- Cloudflare Magic Transit: Anycast-based L3/L4 DDoS mitigation that can absorb terabit-scale attacks. Routes all your IP traffic through Cloudflare's network.
- AWS Shield Standard: Automatically included for all AWS customers. Protects against common L3/L4 attacks (SYN floods, UDP floods) at no extra cost.
- AWS Shield Advanced: $3,000/month with a one-year commitment. Adds L7 protection, attack forensics, a 24/7 DDoS response team (DRT), and cost protection (service credits for the scaling charges a DDoS event causes).
- Cloudflare DDoS Protection: Included in all Cloudflare plans. Rate limiting, bot management, and WAF available as add-ons.
- Akamai Prolexic: Enterprise-grade scrubbing centers. Used by major financial institutions requiring 99.999% uptime during attacks.
Interview Tip
In an interview, describe a layered approach: CDN/anycast for volumetric L3/L4 attacks, SYN cookies for protocol attacks, WAF + rate limiting for L7 floods, and auto-scaling for legitimate traffic spikes. Mention that keeping your origin IP private is a prerequisite — attackers who can bypass your CDN render all edge defenses irrelevant.