DDoS mitigation

From Wikipedia, the free encyclopedia
Jump to: navigation, search

DDoS mitigation is a set of techniques for resisting distributed denial of service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks.[1] This is done by passing network traffic addressed to the attacked network through high-capacity networks with "traffic scrubbing" filters.[2] DDoS mitigation requires correctly identifying incoming traffic to separate human traffic from human-like bots and hijacked browsers.[3] The process is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, http headers, and Javascript footprints.[3]

Manual DDoS mitigation is no longer recommended due to DDoS attackers being able to circumvent DDoS mitigation software that is activated manually.[4] Best practices for DDoS mitigation include having both anti-DDoS technology and anti-DDoS emergency response services.[4] DDoS mitigation is also available through cloud-based providers.[2]

Methods of attack[edit]

DDoS attacks are executed against websites and networks of selected victims. A number of vendors are offering "DDoS resistant" hosting services, mostly based on techniques similar to content distribution networks. Distribution avoids single point of congestion and prevents the DDoS attack from concentrating on single target.

One techniques of DDoS attacks is to use misconfigured third party networks that allow amplification[5] of spoofed UDP packets. Proper configuration of network equipment, enabling ingress filtering and egress filtering, as documented in BCP 38[6] and RFC 6959,[7] prevents amplification and spoofing, thus reducing number of relay networks available to attackers.

Tips to understand and protect your business from a DDoS attack[edit]

Your firewall will do nothing to prevent or stop a DDoS attack. Nothing more need be said.

Make sure DDoS mitigation is part of your business continuity/disaster recovery plan. You need to include procedures for DDoS mitigation in this plan.

Know the signs of an active attack.

  • Unusually slow network performance (opening files or accessing websites)
  • Unavailability of a particular website
  • Inability to access any website
  • A dramatic increase in the number of spam emails received

Know your customer location and lock out unexpected transactions. Most companies have a limited geography for where they do business. If you are a U.S. based online retailer, you likely should not be seeing people from, Russia or China to be placing orders via your website. It that is happening in anything more than a trivial volume, the presence of inbound traffic from those countries could be the start of an attack. If possible, your DDoS mitigation solution should allow you to block transactions that originate in locations where you don’t typically do business.

What would it cost your business to be offline for four or eight hours? Calculate the actual financial impact so management understands. Also, you should think about the additional IP Transit costs from high peak bandwidth utilization that results from DDoS attacks.

If you are the victim of a DDoS attack, look for data breaches or other criminal activity. Do a very thorough inspection of all system logs to determine if other malicious activities took place during the attack period.

Know who to call to stop an attack. If you don’t have an anti-DDoS solution in place, then at least know who to contact immediately if you suspect your company is under attack.

See also[edit]


  1. ^ Gaffan, Marc (20 December 2012). "The 5 Essentials of DDoS Mitigation". Wired.com. Retrieved 25 March 2014. 
  2. ^ a b Paganini, Pierluigi (10 June 2013). "Choosing a DDoS mitigation solution…the cloud based approach". Cyber Defense Magazine. Retrieved 25 March 2014. 
  3. ^ a b Chai, Eldad (21 October 2013). "Incapsula’s Five-Ring Approach to Application Layer DDoS Protection". Incapsula. Retrieved 25 March 2014. 
  4. ^ a b Tan, Francis (2 May 2011). "DDoS attacks: Prevention and Mitigation". The Next Web. Retrieved 25 March 2014. 
  5. ^ Christian Rossow. "Amplification DDoS". 
  6. ^ "Network Ingress Filtering: IP Source Address Spoofing". IETF. 2000. 
  7. ^ "Source Address Validation Improvement (SAVI) Threat Scope". IETF. 2013. 



  1. ^ Network Solution Experts, DDoS Mitigation Strategies
  2. ^ Network Solution Experts, Amplified DDoS Attacks - Smurf, Bang, DNS, NTP and More