The fundamentals of anti-DDoS protection
Build • Luiza del Giúdice de Carvalho • 30/12/24 • 5 min read
DDoS Protection: Key Principles and Mechanisms
Distributed Denial-of-Service (DDoS) attacks are attempts to disrupt the activity of a service, server, or network by continuously flooding it with requests. The requests originate from a network of systems deliberately infected with malicious software. This botnet acts in concert to exhaust the victim’s bandwidth or compute resources. The distributed nature of the flood makes the attack harder to stop, because the threat is coming from many sources at once.
According to the MIT Technology Review, the first recorded attack dates back to 1999, when a malicious script caused a network of 114 computers to send superfluous data packets to a computer at the University of Minnesota, rendering it inaccessible for two days. In the following month the practice began to spread, with attacks hitting major websites of the time such as CNN, Amazon, and Yahoo.
In the following 20 years, this type of cyberattack became a popular tactic among hacktivists and businesses targeting competitors, as it proved to be a powerful means of disruption and caused significant financial losses.
According to Cloudflare [1], an exponential increase in both the number and the size of DDoS attacks was observed from 2010 to 2024. At the beginning of the 2010s, the total data transferred in the largest known attacks was measured in Gbps; today it is measured in Tbps, a thousandfold increase (Figure 1). In the last six months alone, NETSCOUT [2] observed a 12.8% increase in the number of attacks compared to the second half of 2023.
Figure 1. Largest known DDoS attacks from 2010 to 2024, measured in bits per second, packets per second, and requests per second respectively. Data source: Google and Cloudflare.
These numbers help us understand the importance of investing in protection and security measures against DDoS attacks. Because the sources of the attack are distributed, however, it is hard to act on the attack once it has already started. This is why prevention is key when dealing with DDoS.
But before knowing how to prevent these attacks, we need to understand how they work.
Types of DDoS Attacks
There are three types of DDoS attacks: Volumetric, Protocol, and Application-Layer. These types are defined by which layer of the network connection [3] they target and by the distributed method used to render the victim's system inoperable.
Volumetric attacks
Volumetric attacks flood the victim’s network capacity with excessive traffic, causing bottlenecks in bandwidth and throughput. Large amounts of data are sent to the target by a botnet, a network of internet-connected devices compromised by malware and therefore under the attacker's control. Because so many large packets arrive at once, the system cannot process them all, and packets are buffered and then dropped.
The goal is to create enough congestion that all available network capacity is consumed, rendering the system unable to receive legitimate traffic and leaving it vulnerable to other threats.
Protocol attacks
Protocol attacks exploit weaknesses in the protocols of the transport and network layers of the network connection framework. These correspond to layers 3 and 4 of the OSI model.
In this type, service disruption is caused by the exhaustion of server and/or network resources. Typically, the attacker sends requests to the victim’s server that do not follow the established protocol, causing the server to allocate resources and memory to handle malicious requests that will never be completed.
A common method is the SYN flood, in which attackers send numerous SYN requests to a server but never complete the TCP handshake with the final ACK. Until the handshake completes, the server keeps each half-open session allocated. Enough concurrent half-open sessions can render the system inoperable.
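As an added example (not from the original article), the footprint a SYN flood leaves on the victim can be read from the kernel's socket table. The script below parses constructed output in the layout of Linux `ss -tan` and compares the number of half-open (SYN-RECV) sockets on a port with that port's listen backlog, which `ss` reports in the Send-Q column of the LISTEN row.

```python
"""SYN-flood symptom check over a TCP socket-table snapshot (added example).
Half-open sockets are sessions the server keeps allocated while waiting for
the handshake's final ACK; when they approach the listen backlog, legitimate
connection attempts start being dropped."""
from collections import Counter

# Constructed sample in `ss -tan` layout; the LISTEN row gives port 443 a backlog of 8.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      8      0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40001
SYN-RECV  0      0      10.0.0.5:443        203.0.113.10:40002
SYN-RECV  0      0      10.0.0.5:443        203.0.113.11:40003
SYN-RECV  0      0      10.0.0.5:443        203.0.113.12:40004
SYN-RECV  0      0      10.0.0.5:443        203.0.113.13:40005
ESTAB     0      0      10.0.0.5:443        198.51.100.8:51300
"""

def parse_ss(output):
    """Yield (state, recv_q, send_q, local, peer) per row, skipping the header."""
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            yield parts[0], int(parts[1]), int(parts[2]), parts[3], parts[4]

def listen_backlog(output, port):
    """Backlog limit for the given local port: Send-Q of its LISTEN row."""
    for state, _, send_q, local, _ in parse_ss(output):
        if state == "LISTEN" and local.rsplit(":", 1)[1] == str(port):
            return send_q
    raise ValueError(f"no LISTEN socket on port {port}")

def half_open(output, port):
    """SYN-RECV count on `port` plus a per-peer breakdown. Flood sources are
    usually spoofed and spread out, so the total, not any single peer, is the
    reliable signal; the breakdown only helps spot one unusually noisy host."""
    peers = Counter()
    for state, _, _, local, peer in parse_ss(output):
        if state == "SYN-RECV" and local.rsplit(":", 1)[1] == str(port):
            peers[peer.rsplit(":", 1)[0]] += 1
    return sum(peers.values()), dict(peers)

def syn_flood_suspected(output, port, ratio=0.5):
    """Alert once half-open sockets occupy `ratio` or more of the backlog."""
    total, _ = half_open(output, port)
    return total >= listen_backlog(output, port) * ratio
```

On Linux the usual kernel-side mitigation for this symptom is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server avoid allocating state until the handshake completes.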
Application-layer attacks
This type of DDoS attack targets layer 7 of the OSI model: the application layer. This is where web services are accessible to clients, and where HTTP requests are received and responses delivered. Behind it, the server infrastructure is activated, committing memory and computing power to query databases and load files, for example. In cloud-native applications, such requests may trigger autoscaling features.
For the victim, a high volume of requests can incur high costs, while for the attacker a simple HTTP request requires little effort and almost no cost.
Since the application layer is the last of the OSI model and the first the client comes into contact with, the network footprint of the attack is smaller. This, paired with the difficulty in distinguishing a legitimate request from a malicious one, can render this attack type one of the hardest to identify and mitigate.
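Because each request looks cheap and valid on its own, the usable signal at layer 7 is the rate at which one client sends them. The following added example (not from the original article) replays constructed access-log lines in combined-log layout through a per-client sliding-window limiter, showing a low-rate visitor passing while a flooding client is throttled and later readmitted once its window empties.

```python
"""Per-client sliding-window request limiter for layer-7 floods (added example).
The limit and window are hypothetical tuning values; real ceilings depend on
what a legitimate user of the specific application can plausibly generate."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed combined-log lines: one client browses normally, one hammers /search.
CONSTRUCTED_LOG = """\
203.0.113.5 - - [30/Dec/2024:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 512
198.51.100.9 - - [30/Dec/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.5 - - [30/Dec/2024:10:00:00 +0000] "GET /search?q=b HTTP/1.1" 200 512
203.0.113.5 - - [30/Dec/2024:10:00:01 +0000] "GET /search?q=c HTTP/1.1" 200 512
203.0.113.5 - - [30/Dec/2024:10:00:01 +0000] "GET /search?q=d HTTP/1.1" 200 512
203.0.113.5 - - [30/Dec/2024:10:00:02 +0000] "GET /search?q=e HTTP/1.1" 200 512
198.51.100.9 - - [30/Dec/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 800
203.0.113.5 - - [30/Dec/2024:10:00:30 +0000] "GET /search?q=f HTTP/1.1" 200 512
"""

WINDOW_SECONDS = 10  # hypothetical: length of the trailing window
LIMIT = 4            # hypothetical: requests allowed per client per window

def parse_line(line):
    """Return (client_ip, aware timestamp) from one combined-log line."""
    ip = line.split(" ", 1)[0]
    ts = line[line.index("[") + 1:line.index("]")]
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def rate_limit(log, limit=LIMIT, window=WINDOW_SECONDS):
    """Replay the log in order and return (allowed, limited) counts per client.
    A request is limited when the client already has `limit` accepted requests
    inside the trailing `window` seconds; limited requests do not consume budget,
    so a client recovers as soon as its earlier requests age out of the window."""
    recent = defaultdict(deque)
    allowed, limited = defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        ip, ts = parse_line(line)
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() >= window:
            q.popleft()  # expire requests that have left the window
        if len(q) >= limit:
            limited[ip] += 1  # over the ceiling: reject, delay or challenge
        else:
            q.append(ts)
            allowed[ip] += 1
    return dict(allowed), dict(limited)
```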
Multi-vector attacks
The three types of attacks described above can also be combined in what is called a multi-vector attack.
Multi-vector attacks have been observed since 2010 [4]. Reflecting the advancement of DDoS tooling, they have become more common with the proliferation of IoT devices and cheap, streamlined DDoS attack tools.
The combination of all three techniques makes an already complex identification and mitigation process even more complicated to deal with.
Why your infrastructure needs protection
As mentioned before, the main and most immediate impact of DDoS attacks on a system is rendering services unavailable or inoperable. Different parts of a service’s infrastructure may depend on and/or be controlled by the server being attacked, so the consequences may go further than just impacting one single server.
Service downtime can cause customer frustration, impacting the business’ reputation and incurring potential financial losses.
Furthermore, when a system is overwhelmed, it becomes vulnerable to other cyberattacks. While the server is busy handling the load of the DDoS attack, it will certainly have a harder time mitigating a second attack.
Protection solutions for your infrastructure
When it comes to DDoS attacks, prevention is key.
Implementing DDoS identification mechanisms is equally important, but when faced with a multi-vector attack, for example, you’ll likely not know where the threats are…