DDoS mitigation is a set of network management techniques and tools for resisting or mitigating the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks. DDoS attacks are a constant threat to businesses and organizations, delaying service performance or shutting down websites entirely.
DDoS mitigation works by establishing baseline conditions for network traffic and analyzing "traffic patterns" against that baseline to allow threat detection and alerting. DDoS mitigation also requires classifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. This process involves comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and browser fingerprints.
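As an added example (not part of the original article), the baseline-and-alert step above in Python: per-second request counts are learned from a constructed log sample that is assumed to be clean, seconds that exceed the learned baseline are flagged, and the flagged window is checked for source concentration, one of the traffic attributes used to tell bots from human visitors. The log format, thresholds and addresses are assumptions.

```python
import math
from collections import Counter

# Constructed sample log, one line per request: "<epoch_second> <src_ip> <path>".
# Seconds 0-59 carry ordinary traffic (3-7 requests/s from a varying set of clients);
# seconds 60-69 carry a flood of 120 requests/s from only eight sources.
SAMPLE_LOG = [f"{t} 203.0.113.{(t * 7 + i) % 50} /index.html"
              for t in range(60) for i in range(3 + t % 5)]
SAMPLE_LOG += [f"{t} 198.51.100.{i % 8} /login"
               for t in range(60, 70) for i in range(120)]

def requests_per_second(lines):
    """Bucket requests into one-second counts, filling silent seconds with zero."""
    counts = Counter(int(line.split()[0]) for line in lines)
    first, last = min(counts), max(counts)
    return [(t, counts.get(t, 0)) for t in range(first, last + 1)]

def learn_baseline(series):
    """Mean and population standard deviation of counts over a known-clean window."""
    values = [c for _, c in series]
    mean = sum(values) / len(values)
    var = sum((v - mean) ** 2 for v in values) / len(values)
    return mean, math.sqrt(var)

def detect_anomalies(series, mean, std, z=4.0, floor=20):
    """Flag seconds above mean + z*std; the absolute floor keeps tiny baselines from alerting on noise."""
    threshold = max(mean + z * std, floor)
    return [(t, c) for t, c in series if c > threshold]

def top_sources(lines, seconds, n=3):
    """Source concentration inside the flagged seconds: a few IPs carrying most requests points at bots."""
    flagged = set(seconds)
    per_src = Counter(line.split()[1] for line in lines if int(line.split()[0]) in flagged)
    total = sum(per_src.values())
    return [(ip, round(c / total, 3)) for ip, c in per_src.most_common(n)]

def run_detection(lines=SAMPLE_LOG, clean_until=60):
    """Learn the baseline on the assumed-clean prefix of the log, then scan the whole series."""
    series = requests_per_second(lines)
    mean, std = learn_baseline([(t, c) for t, c in series if t < clean_until])
    alerts = detect_anomalies(series, mean, std)
    return mean, std, alerts, top_sources(lines, [t for t, _ in alerts])
```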
After the attack is detected, the next process is filtering. Filtering can be done through anti-DDoS technology like connection tracking, IP reputation lists, deep packet inspection, blacklisting/whitelisting, or rate limiting.
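The filtering stage as an added Python example (not from the article): an allowlist, an IP-reputation blocklist and a per-source token-bucket rate limit are applied in that order to a constructed request stream. Addresses, rates and list contents are assumed values.

```python
import ipaddress
from collections import Counter

# Constructed policy tables. In production the blocklist would be fed by an IP
# reputation source and the allowlist by known monitoring or partner hosts.
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]
ALLOWLIST = [ipaddress.ip_network("192.0.2.10/32")]

class TokenBucket:
    """Per-source token bucket: `rate` tokens refill per second, at most `burst` stored."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now
    def take(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class EdgeFilter:
    """Evaluation order matters: allowlist, then reputation blocklist, then rate limit."""
    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst, self.buckets = rate, burst, {}
    def decide(self, src, now):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in ALLOWLIST):
            return "allow"
        if any(addr in net for net in BLOCKLIST):
            return "drop:reputation"
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return "allow" if bucket.take(now) else "drop:ratelimit"

def run_filter():
    """Constructed event stream of (seconds, source): one client bursting 30 requests at
    once, one pacing itself at 2 req/s, a blocklisted source and an allowlisted monitor."""
    events = [(0.0, "203.0.113.5")] * 30
    events += [(0.5 * k, "203.0.113.9") for k in range(10)]
    events += [(0.0, "198.51.100.7")] * 5
    events += [(0.0, "192.0.2.10")] * 50
    events += [(1.0, "203.0.113.5")]  # one second later, five tokens have refilled
    edge, tally = EdgeFilter(), Counter()
    for now, src in sorted(events, key=lambda e: e[0]):  # buckets need monotonic time
        tally[(src, edge.decide(src, now))] += 1
    return tally
```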
One technique is to pass network traffic addressed to a potential target network through high-capacity networks, with "traffic scrubbing" filters.
Manual DDoS mitigation is no longer recommended due to the size of attacks often outstripping the human resources available in many firms/organizations.
Other methods to prevent DDoS attacks can be implemented, such as on-premises or cloud-based solution providers. On-premises mitigation technology (most commonly a hardware device) is often placed in front of the network. This limits the maximum bandwidth available for mitigation to what is provided by the Internet service provider. Common methods involve hybrid solutions, combining on-premises filtering with cloud-based solutions.
Methods of attack
DDoS attacks are executed against websites and networks of selected victims. A number of vendors offer "DDoS-resistant" hosting services, mostly based on techniques similar to content delivery networks. Distribution avoids a single point of congestion and prevents the DDoS attack from concentrating on a single target.
One technique of DDoS attacks is to use misconfigured third-party networks, allowing the amplification of spoofed UDP packets. Proper configuration of network equipment, enabling ingress filtering and egress filtering as documented in BCP 38 and RFC 6959, prevents amplification and spoofing, thus reducing the number of relay networks available to attackers.
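An added example (not from the article) of the BCP 38 decision logic in Python, modelling an ISP edge router over a constructed topology: a customer interface accepts only source addresses assigned to that customer, packets leaving toward transit must carry a source the network originates, and packets arriving from transit may not claim one of the network's own prefixes. Interface names, prefixes and the transit-side rule are assumptions.

```python
import ipaddress

# Constructed edge-router topology. Each customer-facing interface lists the
# prefixes its customer legitimately originates; "transit" faces the Internet.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/26")],
    "cust-b": [ipaddress.ip_network("203.0.113.64/26"),
               ipaddress.ip_network("2001:db8:b::/48")],
}
OUR_PREFIXES = [n for nets in CUSTOMER_PREFIXES.values() for n in nets]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def forward_decision(iface, src, dst):
    """Return 'forward' or 'drop:<reason>' for a packet arriving on `iface`.

    Ingress (BCP 38): a customer interface only accepts the source addresses that
    customer was assigned, so a spoofed reflection request is dropped at the edge
    and this network never becomes a relay for it.
    Egress: nothing heading to transit may carry a source we do not originate.
    Transit side: inbound packets claiming one of our own prefixes are forged.
    """
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_addr.version != dst_addr.version:
        return "drop:version-mismatch"
    if iface in CUSTOMER_PREFIXES:
        if not in_any(src_addr, CUSTOMER_PREFIXES[iface]):
            return "drop:ingress-spoofed-source"
    elif iface == "transit":
        if in_any(src_addr, OUR_PREFIXES):
            return "drop:inbound-claims-our-prefix"
    else:
        return "drop:unknown-interface"
    leaving_to_transit = not in_any(dst_addr, OUR_PREFIXES)
    if leaving_to_transit and not in_any(src_addr, OUR_PREFIXES):
        return "drop:egress-foreign-source"
    return "forward"
```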
DDoS attacks are typically categorized into three types: volumetric, protocol-based, and application-layer attacks.
Volumetric attacks
These attacks aim to consume bandwidth by flooding a network or service with massive volumes of traffic.
* UDP floods target random ports with UDP packets, causing the host to repeatedly search for non-existent applications and reply with ICMP errors.
* ICMP floods overwhelm the target with ping requests, exhausting available processing power and bandwidth.
* DNS amplification involves exploiting open DNS resolvers to send amplified traffic to the victim using spoofed requests.
Protocol attacks
These focus on exhausting resources of network infrastructure by misusing communication protocol behavior.
* SYN floods exploit the TCP handshake by initiating multiple half-open connections, overwhelming the server's connection table.
* Ping of Death uses oversized or malformed ping packets to crash or destabilize systems.
* Smurf attacks send spoofed ICMP requests to broadcast addresses, prompting all devices on the network to respond to the victim's IP.
Application layer attacks
These attacks mimic legitimate traffic to deplete application server resources, making them particularly difficult to detect.
* HTTP floods send large numbers of GET or POST requests, overloading servers with processing demands.
* Slowloris maintains many open connections to a web server by sending partial requests slowly, exhausting server threads.
* DNS query floods overwhelm DNS servers with rapid requests, preventing legitimate domain resolution.
Methods of mitigation
* Use of Client Puzzle Protocol or guided tour puzzle protocol
* Use of content delivery networks
* Blacklisting of IP addresses
* Use of intrusion detection systems and firewalls
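A Client Puzzle Protocol round trip as an added Python example (not from the article, and not any particular CPP implementation): the server issues an HMAC-bound puzzle whose difficulty rises with its pending-connection load, the client spends work finding a partial hash preimage, and the server verifies at constant cost without storing per-puzzle state. The key handling, difficulty schedule and hash construction are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-process server secret; a real deployment rotates it and never sends it to clients.
SERVER_KEY = secrets.token_bytes(32)

def difficulty_for_load(pending_connections):
    """Server side: raise the puzzle cost (leading zero bits) as the pending-connection count grows."""
    return min(24, 10 + pending_connections // 100)

def _bind(client_id, nonce, difficulty):
    """Tag that ties a nonce to one client and one difficulty, so neither can be swapped later."""
    return hmac.new(SERVER_KEY, nonce + client_id.encode() + bytes([difficulty]), "sha256").digest()

def issue_puzzle(client_id, difficulty):
    """Server side: fresh nonce plus tag; the server keeps no state per outstanding puzzle."""
    nonce = secrets.token_bytes(16)
    return nonce, difficulty, _bind(client_id, nonce, difficulty)

def leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(nonce, difficulty):
    """Client side: search for a counter such that SHA-256(nonce || counter) has
    `difficulty` leading zero bits. Expected work is about 2**difficulty hashes."""
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(nonce + candidate).digest()) >= difficulty:
            return candidate
        counter += 1

def verify_solution(client_id, nonce, difficulty, tag, solution):
    """Server side, constant cost: confirm we issued this puzzle at this difficulty for this
    client (tag check), then one hash to check the work. Replay protection (remembering
    solved nonces until they expire) is assumed to sit in front of this function."""
    if not hmac.compare_digest(_bind(client_id, nonce, difficulty), tag):
        return False
    return leading_zero_bits(hashlib.sha256(nonce + solution).digest()) >= difficulty
```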
See also
* Internet security
* Web threat
* Vulnerability (computing)
* DDoS
* Cybercrime
* Cyberattack
* VPN