This article's tone or style may not reflect the encyclopedic tone used on Wikipedia. (January 2021) (Learn how and when to remove this template message)
DDoS mitigation is a set of techniques or tools for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks. DDoS attacks are a constant threat to businesses and organizations by threatening service performance or to shut down a website entirely, even for a short time.
After the detection is made, the next process is filtering. Filtering can be done through anti-DDoS technology like connection tracking, IP reputation lists, deep packet inspection, blacklisting/whitelisting, or rate limiting.
One technique is to pass network traffic addressed to a potential target network through high-capacity networks with "traffic scrubbing" filters.
Manual DDoS mitigation is no longer recommended due to DDoS attackers being able to circumvent DDoS mitigation software that is activated manually. Other ways to prevent DDoS attacks can be implemented on-premise or/and via cloud-based solution providers. Through on-premise mitigation the technology (most commonly a hardware device) is placed in front of the network, with the disadvantage that the filtering capacity is limited to the capacity of the filtering device. A middle option is to have a hybrid solution by combining on-premise filtering with cloud-base filtering.
Methods of attack
DDoS attacks are executed against websites and networks of selected victims. A number of vendors are offering "DDoS resistant" hosting services, mostly based on techniques similar to content delivery networks. Distribution avoids single point of congestion and prevents the DDoS attack from concentrating on a single target.
One technique of DDoS attacks is to use misconfigured third-party networks that allow amplification of spoofed UDP packets. Proper configuration of network equipment, enabling ingress filtering and egress filtering, as documented in BCP 38 and RFC 6959, prevents amplification and spoofing, thus reducing the number of relay networks available to attackers.
- Gaffan, Marc (20 December 2012). "The 5 Essentials of DDoS Mitigation". Wired.com. Retrieved 25 March 2014. CS1 maint: discouraged parameter (link)
- Paganini, Pierluigi (10 June 2013). "Choosing a DDoS mitigation solution…the cloud based approach". Cyber Defense Magazine. Retrieved 25 March 2014. CS1 maint: discouraged parameter (link)
- Geere, Duncan (27 April 2012). "How deep packet inspection works". Wired.com. Retrieved 12 June 2018. CS1 maint: discouraged parameter (link)
- Patterson, Dan (9 March 2017). "Deep packet inspection: The smart person's guide". Techrepublic.com. Retrieved 12 June 2018. CS1 maint: discouraged parameter (link)
- Tan, Francis (2 May 2011). "DDoS attacks: Prevention and Mitigation". The Next Web. Retrieved 25 March 2014. CS1 maint: discouraged parameter (link)
- Leach, Sean (17 September 2013). "Four ways to defend against DDoS attacks". Networkworld.com. Retrieved 12 June 2018. CS1 maint: discouraged parameter (link)
- Schmitt, Robin (2 September 2017). "Choosing the right DDoS solution". Enterpriseinnovation.net. Archived from the original on 12 June 2018. Retrieved 12 June 2018. CS1 maint: discouraged parameter (link)
- Siemons, Frank (2 November 2016). "Cloud DDoS protection: What enterprises need to know". SearchCloudSecurity.com. Retrieved 12 June 2018. CS1 maint: discouraged parameter (link)
- Christian Rossow. "Amplification DDoS".
- "Network Ingress Filtering: IP Source Address Spoofing". IETF. 2000.
- "Source Address Validation Improvement (SAVI) Threat Scope". IETF. 2013.