DDoS mitigation

{{Short description|Methods of reducing impact from distributed denial-of-service attacks}}

DDoS mitigation is a set of network management techniques and tools for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks. DDoS attacks are a constant threat to businesses and organizations, delaying service performance or shutting down websites entirely.{{cite news | last =Gaffan | first =Marc| title =The 5 Essentials of DDoS Mitigation| newspaper =Wired.com| date =20 December 2012 | url = https://www.wired.com/insights/2012/12/the-5-essentials-of-ddos-mitigation/| accessdate =25 March 2014 }}

DDoS mitigation works by first establishing a baseline for normal network traffic, analyzing "traffic patterns" so that deviations can be detected and alerted on. It also requires classifying incoming traffic to separate human users from human-like bots and hijacked web browsers. This classification involves comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and browser fingerprints.

Once an attack is detected, the next step is filtering. Filtering can be done with anti-DDoS technology such as connection tracking, IP reputation lists, deep packet inspection, blacklisting/whitelisting, or rate limiting.{{cite news | last =Geere | first =Duncan| title =How deep packet inspection works| newspaper =Wired.com| date =27 April 2012 | url = https://www.wired.co.uk/article/how-deep-packet-inspection-works/| accessdate =12 June 2018 }}{{cite news | last =Patterson | first =Dan| title =Deep packet inspection: The smart person's guide| newspaper =Techrepublic.com| date =9 March 2017 | url = https://www.techrepublic.com/article/deep-packet-inspection-the-smart-persons-guide//| accessdate =12 June 2018 }}
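The baseline-then-filter sequence described in the two paragraphs above, as an added example that is not part of the original article or any vendor's product: a traffic baseline is learned from constructed per-second flow records, seconds that exceed it are flagged, and a per-source token bucket then enforces a rate limit. The IP addresses, thresholds and rates are constructed values.

```python
from collections import defaultdict

# Constructed sample flow records: (second, source_ip, packets_seen).
# Seconds 0-4 form the quiet learning window; from second 5 one source floods.
SAMPLE_FLOWS = [
    (0, "198.51.100.10", 40), (0, "198.51.100.11", 35),
    (1, "198.51.100.10", 42), (1, "198.51.100.11", 38),
    (2, "198.51.100.10", 39), (2, "198.51.100.11", 36),
    (3, "198.51.100.10", 41), (3, "198.51.100.11", 37),
    (4, "198.51.100.10", 40), (4, "198.51.100.11", 35),
    (5, "198.51.100.10", 41), (5, "203.0.113.7", 9000),
    (6, "198.51.100.10", 40), (6, "203.0.113.7", 12000),
]

def per_second_totals(flows):
    totals = defaultdict(int)
    for sec, _src, pkts in flows:
        totals[sec] += pkts
    return totals

def baseline_mean(flows, learn_seconds):
    """Mean packets/sec over the learning window (the 'traffic pattern' baseline)."""
    totals = per_second_totals(f for f in flows if f[0] < learn_seconds)
    return sum(totals.values()) / len(totals)

def detect_anomalies(flows, learn_seconds=5, factor=3.0):
    """Seconds after the learning window whose total exceeds factor x baseline."""
    mean = baseline_mean(flows, learn_seconds)
    return sorted(sec for sec, total in per_second_totals(flows).items()
                  if sec >= learn_seconds and total > factor * mean)

class TokenBucket:
    """Per-source rate limiter: `rate` packets/sec sustained, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}
    def allow(self, src, now, pkts):
        # Refill tokens for the time elapsed since this source was last seen,
        # then grant as many of the requested packets as tokens allow.
        elapsed = now - self.last_seen.get(src, now)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = now
        granted = min(pkts, int(self.tokens[src]))
        self.tokens[src] -= granted
        return granted

def apply_rate_limit(flows, rate=100, burst=200):
    """Packets forwarded per source once the per-source limit is enforced."""
    bucket, forwarded = TokenBucket(rate, burst), defaultdict(int)
    for sec, src, pkts in flows:
        forwarded[src] += bucket.allow(src, sec, pkts)
    return dict(forwarded)
```

The two well-behaved sources pass through almost untouched, while the flooding source is capped to the bucket's burst plus refill regardless of how much it sends.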

One technique is to route network traffic addressed to a potential target network through high-capacity networks equipped with "traffic scrubbing" filters.{{cite news | last =Paganini | first =Pierluigi | title =Choosing a DDoS mitigation solution...the cloud based approach | newspaper =Cyber Defense Magazine | date =10 June 2013 | url =http://www.cyberdefensemagazine.com/choosing-a-ddos-mitigation-solution-the-cloud-based-approach/#sthash.XIwsFI8a.dpbs| accessdate =25 March 2014 }}

Manual DDoS mitigation is no longer recommended, because the size of attacks often outstrips the human resources available to many firms and organizations.{{cite news | last =Tan | first =Francis | title =DDoS attacks: Prevention and Mitigation | newspaper =The Next Web | date =2 May 2011 | url =https://thenextweb.com/media/2011/05/02/ddos-attacks-prevention-and-mitigation/#!tIvKh| accessdate =25 March 2014 }} Other protective measures can be implemented, such as on-premises or cloud-based mitigation solutions. On-premises mitigation technology (most commonly a hardware device) is usually placed in front of the network, which limits the traffic it can absorb to the maximum bandwidth provided by the Internet service provider.{{cite news | last =Leach | first =Sean | title =Four ways to defend against DDoS attacks | newspaper =Networkworld.com | date =17 September 2013 | url =https://www.networkworld.com/article/2170051/security/tech-primers-four-ways-to-defend-against-ddos-attacks.html | access-date =12 June 2018 | archive-date =12 June 2018 | archive-url =https://web.archive.org/web/20180612140247/https://www.networkworld.com/article/2170051/security/tech-primers-four-ways-to-defend-against-ddos-attacks.html | url-status =dead }} Hybrid solutions, which combine on-premises filtering with cloud-based services, are common.{{cite news | last =Schmitt | first =Robin | title =Choosing the right DDoS solution | newspaper =Enterpriseinnovation.net | date =2 September 2017 | url =https://www.enterpriseinnovation.net/article/choosing-right-ddos-solution-1971721868 | accessdate =12 June 2018 | archive-url =https://web.archive.org/web/20180612145227/https://www.enterpriseinnovation.net/article/choosing-right-ddos-solution-1971721868 | archive-date =12 June 2018 | url-status =dead }}

Methods of attack

DDoS attacks are executed against the websites and networks of selected victims. A number of vendors offer "DDoS-resistant" hosting services, mostly based on techniques similar to content delivery networks. Distributing the service across many nodes avoids a single point of congestion and prevents the DDoS attack from concentrating on a single target.

One DDoS technique abuses misconfigured third-party networks to amplify{{cite web |author=Rossow |first=Christian |title=Amplification DDoS |url=http://christian-rossow.de/articles/Amplification_DDoS.php}} spoofed UDP packets. Proper configuration of network equipment, with ingress filtering and egress filtering enabled as documented in BCP 38{{cite web|url=https://tools.ietf.org/html/bcp38 |title=Network Ingress Filtering: IP Source Address Spoofing |year=2000 |publisher=IETF |last1=Senie |first1=Daniel |last2=Ferguson |first2=Paul }} and RFC 6959,{{cite journal |url=https://tools.ietf.org/html/rfc6959 |title=Source Address Validation Improvement (SAVI) Threat Scope |year=2013 |publisher=IETF|last1=McPherson |first1=Danny R. |last2=Baker |first2=Fred |last3=Halpern |first3=Joel M. |doi=10.17487/RFC6959 |doi-access=free |url-access=subscription }} prevents spoofing and therefore amplification, reducing the number of relay networks available to attackers.
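The BCP 38 filtering rule described above, as an added example that is not part of the original article or of any router vendor's implementation: a packet arriving on a customer-facing interface is forwarded only if its source address belongs to a prefix assigned to that interface, and an egress check at the upstream edge lets only locally originated sources leave. The interface names, prefixes and packets are constructed values.

```python
import ipaddress

# Constructed topology: prefixes assigned to each customer-facing interface.
# The union of these is also what this network is allowed to originate.
INTERFACE_PREFIXES = {
    "ge-0/0/1": ["198.51.100.0/24"],
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:10::/48"],
}
OUR_PREFIXES = [p for ps in INTERFACE_PREFIXES.values() for p in ps]

def _in_any(addr, prefixes):
    a = ipaddress.ip_address(addr)
    # Membership across address families is simply False, so mixed
    # IPv4/IPv6 prefix lists are safe here.
    return any(a in ipaddress.ip_network(p) for p in prefixes)

def ingress_permitted(interface, src):
    """BCP 38 ingress filter: the source must belong to a prefix assigned
    to the interface the packet arrived on. Unknown interfaces pass nothing."""
    return _in_any(src, INTERFACE_PREFIXES.get(interface, []))

def egress_permitted(src):
    """Egress filter towards the upstream: only sources we originate may leave,
    so a spoofed foreign source cannot be used to reflect off other networks."""
    return _in_any(src, OUR_PREFIXES)

def filter_packets(packets):
    """packets: (interface, src, dst) tuples; returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if ingress_permitted(iface, src) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample: two packets with legitimate sources, one whose source
# belongs to a different customer interface, one with a foreign source.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.25", "192.0.2.53"),
    ("ge-0/0/2", "2001:db8:10::1", "2001:db8:ffff::53"),
    ("ge-0/0/1", "203.0.113.9", "192.0.2.53"),
    ("ge-0/0/2", "192.0.2.200", "192.0.2.53"),
]
```

The third packet is the case the egress check alone would miss: its source is one of our own prefixes, so only the per-interface ingress rule catches it.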

DDoS attacks are typically categorized into three types: volumetric, protocol-based, and application-layer attacks.{{Cite web |last=Nakutavičiūtė |first=Jomilė |date=2023-07-27 |title=DDoS attack: Meaning, types, and protection |url=https://nordvpn.com/blog/what-is-a-ddos-attack/ |website=NordVPN}}

Volumetric attacks

These attacks aim to consume bandwidth by flooding a network or service with massive volumes of traffic.{{Cite web |title=What is a DDoS Attack? DDoS Meaning, Definition & Types |url=https://www.fortinet.com/resources/cyberglossary/ddos-attack |access-date=2025-05-16 |website=Fortinet |language=en}}

  • UDP floods target random ports with UDP packets, causing the host to repeatedly search for non-existent applications and reply with ICMP errors.{{Cite web |title=What is a UDP Flood {{!}} Mitigation & Prevention Techniques {{!}} Imperva |url=https://www.imperva.com/learn/ddos/udp-flood/ |access-date=2025-05-16 |website=Learning Center |language=en-US}}
  • ICMP floods overwhelm the target with ping requests, exhausting available processing power and bandwidth.{{Cite web |title=What is a Ping Flood {{!}} ICMP Flood DDoS Attack {{!}} Imperva |url=https://www.imperva.com/learn/ddos/ping-icmp-flood/ |access-date=2025-05-16 |website=Learning Center |language=en-US}}
  • DNS amplification exploits open DNS resolvers: spoofed requests carrying the victim's address elicit much larger responses, which the resolvers send to the victim.{{Cite web |date=2019-12-18 |title=UDP-Based Amplification Attacks {{!}} CISA |url=https://www.cisa.gov/news-events/alerts/2014/01/17/udp-based-amplification-attacks |access-date=2025-05-16 |website=www.cisa.gov |language=en}}

Protocol attacks

These attacks exhaust the resources of network infrastructure by misusing the behavior of communication protocols.

  • SYN floods exploit the TCP handshake by initiating multiple half-open connections, overwhelming the server's connection table.{{Cite web |title=SYN flood DDoS attack |url=https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/ |access-date=2025-05-16 |website=www.cloudflare.com |language=en-us}}
  • Ping of Death uses oversized or malformed ping packets to crash or destabilize systems.
  • Smurf attacks send spoofed ICMP requests to broadcast addresses, prompting all devices on the network to respond to the victim’s IP.
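Detecting the half-open connection build-up that the SYN flood entry above describes, as an added example that is not part of the original article: a constructed trace of client SYNs and completing ACKs is replayed, half-open connections are tracked per source with a SYN_RECV timeout, and sources holding more than a threshold of them are reported. The addresses, timeout and threshold are constructed values.

```python
from collections import defaultdict

# Constructed TCP event trace as seen by the server: (time_s, src, flag).
# "S" = client SYN received (connection enters SYN_RECV),
# "A" = client's final ACK (handshake completes, slot released).
# One client completes every handshake; one source never answers the SYN-ACK.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.10", "S"), (0.1, "198.51.100.10", "A"),
    (0.2, "198.51.100.10", "S"), (0.3, "198.51.100.10", "A"),
] + [(0.5 + i * 0.01, "203.0.113.7", "S") for i in range(120)]

def half_open_counts(events, now, timeout=3.0):
    """Half-open (SYN_RECV) connections per source at time `now`: SYNs not yet
    completed by an ACK and not older than `timeout`, after which the server
    would have reclaimed the slot."""
    pending = defaultdict(list)
    for t, src, flag in events:
        if t > now:
            break
        if flag == "S":
            pending[src].append(t)
        elif flag == "A" and pending[src]:
            pending[src].pop(0)  # oldest outstanding SYN is now established
    return {src: sum(1 for t in ts if now - t <= timeout)
            for src, ts in pending.items() if ts}

def syn_flood_sources(events, now, threshold=50, timeout=3.0):
    """Sources holding more than `threshold` half-open connections at `now`."""
    counts = half_open_counts(events, now, timeout)
    return sorted(src for src, n in counts.items() if n > threshold)
```

At two seconds into the trace the flooding source holds all 120 of its SYNs half-open; once the timeout has reclaimed them the count drops back to zero, which is also why a flood must keep sending to stay effective.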

Application layer attacks

These attacks mimic legitimate traffic to deplete application server resources, making them particularly difficult to detect.{{Cite web |date=2024-11-01 |title=Think Topics {{!}} IBM |url=https://www.ibm.com/think/topics |access-date=2025-05-16 |website=www.ibm.com |language=en}}

  • HTTP floods send large numbers of GET or POST requests, overloading servers with processing demands.{{Cite web |title=HTTP flood DDoS attack |url=https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/ |access-date=2025-05-16 |website=www.cloudflare.com |language=en-us}}
  • Slowloris maintains many open connections to a web server by sending partial requests slowly, exhausting server threads.
  • DNS query floods overwhelm DNS servers with rapid requests, preventing legitimate domain resolution.{{Cite web |title=What is a DNS Flood {{!}} DDoS Attack Glossary {{!}} Imperva |url=https://www.imperva.com/learn/ddos/dns-flood/ |access-date=2025-05-16 |website=Learning Center |language=en-US}}
