What is a DDoS Attack?
A denial of service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end users. Attackers typically generate large volumes of packets or requests to ultimately overwhelm the target system. In a distributed denial of service (DDoS) attack, the attacker uses multiple compromised or controlled sources to generate the attack.
In general, DDoS attacks can be classified by the layer of the Open Systems Interconnection (OSI) model that they target. They are most common at the network (layer 3), transport (layer 4), presentation (layer 6), and application (layer 7) layers.
Classification of DDoS Attacks
While considering mitigation techniques against these attacks, it is useful to group them into attacks at infrastructure layers (Layers 3 and 4) and application layers (Layers 6 and 7).
Infrastructure Layer Attacks
Layer 3 and Layer 4 attacks are generally classified as infrastructure layer attacks. They are the most common type of DDoS attack and include vectors such as synchronization (SYN) floods and other reflection attacks such as User Datagram Protocol (UDP) floods. These attacks are usually high in volume and aim to overload the capacity of the network or the application servers. Fortunately, they also have clear signatures and are easier to detect.
Application Layer Attacks
Layer 6 and Layer 7 attacks are classified as application layer attacks. While these attacks are less common, they tend to be more sophisticated. They are generally smaller in volume than infrastructure layer attacks, but they target specific and expensive parts of the application in order to make it unavailable to real users. Examples include a flood of HTTP requests to a login page, repeated calls to an expensive search API, or WordPress XML-RPC floods (also known as WordPress pingback attacks).
DDoS Protection Techniques
Reduce the Surface Area Exposed to Attack
One of the first techniques for mitigating DDoS attacks is to minimize the surface area that can be attacked, thereby limiting the options available to attackers and allowing you to build protections in a single place. We want to make sure that our application and resources are not exposed on ports, protocols, or applications from which no communication is expected. Minimizing the potential points of attack lets us concentrate our mitigation efforts. In some cases, we can do this by placing our computing resources behind Content Distribution Networks (CDNs) or load balancers and restricting direct Internet traffic to certain parts of our infrastructure, such as database servers. In other cases, you can use firewalls or access control lists (ACLs) to control what traffic reaches your applications.
Plan for Escalation
There are two key considerations for mitigating large-scale volumetric DDoS attacks: bandwidth (or transit) capacity, and the server's ability to absorb and mitigate attacks.
Transit capacity. When designing your applications, make sure your hosting provider provides you with extensive and redundant Internet connectivity to handle high volumes of traffic. Since the end goal of DDoS attacks is to affect the availability of your resources/applications, you need to locate them, not only close to your end-users, but also to large internet exchanges that will give your users easy access to your application, even during high volumes of traffic. Additionally, web applications can go one step further by employing content delivery networks (CDNs) and intelligent DNS resolution services. They provide an additional layer of network infrastructure to serve content and resolve DNS queries from locations that are often closer to your end-users.
Server capacity. Most DDoS attacks are volumetric attacks that consume a lot of resources. Therefore, it is important that you can quickly scale your computing resources up or out. You can do this by running larger computing resources, or resources with features such as larger network interfaces or enhanced networking that support larger volumes. It is also common to use load balancers to continuously monitor and shift load between resources so that no single resource becomes overloaded.
Know What is Normal and Abnormal Traffic
Whenever we detect high levels of traffic hitting a host, the foundation is being able to accept only as much traffic as the host can handle without affecting availability. This concept is called rate limiting. More advanced protection techniques go a step further and intelligently accept only the traffic that is legitimate, based on analysis of the individual packets. To do this, you need to understand the characteristics of the good traffic that the target usually receives and be able to compare each packet against this baseline.
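The two ideas in this section, per-source rate limiting and comparison against a known-good baseline, are shown below in an added example that is not part of the original post. It runs over constructed access-log lines (timestamp in milliseconds, source IP, path); the log contents, the sliding-window limits and the baseline path shares are all assumed sample values.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample log (not real traffic): "<ms> <source IP> <path>" per line.
SAMPLE_LOG = """\
0 203.0.113.5 /login
100 198.51.100.7 /index.html
200 203.0.113.5 /login
300 203.0.113.5 /login
400 198.51.100.7 /about
500 203.0.113.5 /login
600 203.0.113.5 /login
700 192.0.2.9 /index.html
800 203.0.113.5 /login
"""
# Assumed known-good baseline: share of requests each path normally receives.
BASELINE_SHARE = {"/index.html": 0.60, "/about": 0.30, "/login": 0.10}

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp_ms, source_ip, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def rate_limit(text, limit=3, window_ms=1000):
    """Sliding-window rate limit per source: at most `limit` requests in any
    `window_ms` span. Returns {ip: (allowed, dropped)}."""
    recent = defaultdict(deque)            # timestamps still inside the window
    stats = defaultdict(lambda: [0, 0])
    for ts, ip, _ in parse_log(text):
        q = recent[ip]
        while q and ts - q[0] >= window_ms:  # evict requests outside the window
            q.popleft()
        if len(q) < limit:
            q.append(ts)
            stats[ip][0] += 1
        else:
            stats[ip][1] += 1                 # over the limit: drop, do not serve
    return {ip: tuple(v) for ip, v in stats.items()}

def abnormal_paths(text, baseline=BASELINE_SHARE, factor=3.0):
    """Flag paths whose observed share of traffic exceeds the baseline share by
    more than `factor`; paths absent from the baseline are always flagged."""
    counts = Counter(path for _, _, path in parse_log(text))
    total = sum(counts.values()) or 1
    return sorted(p for p, n in counts.items()
                  if n / total > baseline.get(p, 0.0) * factor)
```

In the sample, 203.0.113.5 sends six requests inside one window, so only three are served, and /login's share of traffic far exceeds its baseline, which is exactly the kind of application-layer anomaly the text describes.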
Deploy Comprehensive Security Software for Sophisticated Application Attacks
A good practice is to use comprehensive security software against attacks, such as SQL injection or cross-site request forgery, that attempt to exploit a vulnerability in your own application. Also, because of the unique nature of these attacks, you should be able to easily create custom mitigations against illegitimate requests that may masquerade as good traffic or come from bad IP addresses, unexpected geographies, and so on. It can also be helpful to bring in experienced support to study traffic patterns and create custom protections while an attack is being mitigated.