DDoS Attacks & Mitigation Strategies

How distributed denial-of-service attacks work, common attack vectors, and practical defenses from rate limiting to CDN-based protection.

What Is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack floods a target with so much traffic that legitimate users cannot access the service. Unlike a simple DoS attack from a single source, DDoS uses thousands of compromised machines (a botnet) to generate traffic simultaneously.

Attack Categories

Volumetric Attacks

Overwhelm bandwidth with sheer data volume:

  • UDP Flood — Sends massive volumes of UDP packets to random ports.
  • DNS Amplification — Exploits open DNS resolvers to multiply traffic 50-70x.
  • NTP Amplification — Abuses the NTP monlist command for 500x amplification.

Protocol Attacks

Exploit weaknesses in network protocols:

  • SYN Flood — Sends TCP SYN packets without completing the handshake, exhausting connection tables.
  • Ping of Death — Sends malformed ICMP packets that crash vulnerable systems.
  • Smurf Attack — Sends ICMP to broadcast addresses with a spoofed source IP.

Application Layer Attacks

Target specific services with seemingly legitimate requests:

  • HTTP Flood — Sends valid but resource-intensive HTTP requests (e.g., search queries, login attempts).
  • Slowloris — Opens connections and sends partial HTTP headers very slowly, tying up server threads.

Mitigation Strategies

Layer          | Strategy                        | Tools
---------------+---------------------------------+------------------------
Network        | Rate limiting, blackholing      | iptables, router ACLs
Transport      | SYN cookies, connection limits  | Linux kernel tuning
Application    | WAF rules, CAPTCHA              | Cloudflare, AWS WAF
Infrastructure | CDN/anycast, scrubbing centers  | Cloudflare, Akamai

Basic Server-Side Defenses

# Enable SYN cookies (mitigates SYN floods). sysctl works under sudo,
# unlike a shell redirect into /proc; add the same key to /etc/sysctl.d/
# to make it persist across reboots.
sysctl -w net.ipv4.tcp_syncookies=1

# Limit concurrent TCP connections per source IP
iptables -A INPUT -p tcp --syn -m connlimit \
  --connlimit-above 50 -j DROP

# Rate limit ICMP echo requests: accept 1/s with a burst of 4, then drop
# the excess. Without the trailing DROP, packets over the limit simply
# fall through to the chain's default policy and are not limited at all.
iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
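As an added example (not code from the original page), the following Python reproduces the semantics of the `-m limit --limit 1/s --limit-burst 4` rule above as a per-client token bucket at the application layer, the same mechanism behind WAF rate-limiting rules against HTTP floods. The request stream and the IP addresses are constructed for the demo.

```python
from collections import defaultdict

RATE = 1.0   # tokens refilled per second, as in --limit 1/s
BURST = 4    # bucket capacity, as in --limit-burst 4

class TokenBucket:
    """One bucket per client: starts full, refills at `rate`, caps at `burst`."""
    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        """Return True and spend a token if one is available at time `now`."""
        if self.last is not None:
            # Refill proportionally to elapsed time, never above the burst size.
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def filter_requests(requests, rate=RATE, burst=BURST):
    """Run (timestamp_seconds, client_ip, path) tuples through a per-IP bucket
    in time order; return {ip: {"accepted": n, "dropped": n}}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
    for ts, ip, _path in sorted(requests, key=lambda r: r[0]):
        outcome = "accepted" if buckets[ip].allow(ts) else "dropped"
        stats[ip][outcome] += 1
    return dict(stats)

# Constructed traffic (documentation-range IPs): a normal client sends one
# search every 2 s; a flooding client sends 40 searches 0.25 s apart.
NORMAL = [(t * 2.0, "198.51.100.10", "/search?q=cats") for t in range(10)]
FLOOD = [(i * 0.25, "203.0.113.7", f"/search?q={i}") for i in range(40)]

if __name__ == "__main__":
    # The normal client loses nothing; the flooder keeps only its initial
    # burst of 4 plus one request per second afterwards (13 of 40).
    for ip, s in filter_requests(NORMAL + FLOOD).items():
        print(f"{ip:15} accepted={s['accepted']:3} dropped={s['dropped']:3}")
```

Because the bucket is keyed per client, the flooder's throttling never affects the normal client, which is the property a rate limit must have to avoid turning into a self-inflicted denial of service.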

CDN-Based Protection

The most effective DDoS defense for most organizations is placing services behind a CDN like Cloudflare or AWS CloudFront. These networks absorb attack traffic across hundreds of global points of presence before it reaches your origin server.

See Also