Networking Deep Dive
by Sergey Okinchuk
Zero Trust and SegmentationChapter 10: Load Balancing, Proxies, and CDNs
DDoS — Attacks and Mitigation
Topic 54

DDoS — Attacks and Mitigation

DDoS

A DDoS — distributed denial of service — attack overwhelms a target with traffic from many sources at once, so the defender can't simply block one address. The attacks split cleanly by which layer they exhaust. Volumetric attacks saturate the pipe with sheer bandwidth, measured in hundreds of gigabits or terabits per second. Protocol attacks exhaust connection state — a SYN flood fills the half-open connection table without ever sending enough bytes to fill the link. Application-layer attacks send small numbers of expensive L7 requests that each cost the server far more to answer than they cost to send.

The defining property of DDoS is that you cannot out-provision a large botnet. A million compromised devices generate more traffic than any single origin server's link can absorb, so defense never means "buy a bigger server." It means absorbing the flood across distributed capacity, filtering the junk before it reaches the origin, or dispersing it so no single point sees the whole attack — and which of those works depends entirely on which layer the attack hits.

The three attack classes and what stops each
Volumetric
saturates the pipe (Tbps) · absorb with distributed scrubbing capacity
Protocol
exhausts connection state (SYN flood) · SYN cookies, rate limits
Application
costly L7 requests at low bandwidth · WAF, caching, challenge
Exhausts bandwidthExhausts the server

Attack Categories

Volumetric attacks are the brute-force kind: flood the target with more bits per second than its link can carry, and legitimate traffic queues behind the junk and drops. The attacker doesn't need to reach your server — saturating the upstream link is enough, which is why your own firewall can't stop a volumetric attack that already filled the pipe in front of it.

Protocol attacks target finite state rather than bandwidth. A SYN flood sends a torrent of TCP SYN packets with spoofed sources and never completes the handshake, filling the half-open connection table so legitimate SYNs find no slot. Application-layer attacks go higher still: a flood of HTTP requests that each trigger an expensive database query or a cache miss, so a few thousand requests per second — trivial bandwidth — bring the server to its knees because each one is costly to serve.

Amplification and Reflection

The largest volumetric attacks use amplification: the attacker sends small requests to public servers with the victim's address forged as the source, and those servers send much larger replies to the victim. The attacker spends a little bandwidth and the victim absorbs a lot. The multiplier is the amplification factor — the ratio of reply size to request size — and some protocols are catastrophic here.

DNS open resolvers amplify roughly 50x; NTP's monlist command around 557x; and memcached, exposed on UDP, has reached factors over 50,000x — the 2018 attacks that broke 1.7 Tbps. All of it depends on UDP source spoofing, because UDP is connectionless and the reflecting server has no way to verify the source address before replying. Running any of these services open to the internet makes you an unwitting weapon in someone else's attack.

# the amplification math: tiny spoofed request, huge reflected reply
# attacker -> open resolver:  60-byte query, src forged as victim
dig ANY example.com @open-resolver
# open resolver -> victim:    ~3000-byte answer  (≈ 50x amplification)
# memcached UDP can exceed 50,000x — a few Gbps of requests => Tbps at the victim

Mitigation Layers

Volumetric and protocol attacks are absorbed by capacity and dispersion that you almost never own yourself. Anycast announces the same address from dozens of locations, so an attack's traffic is split across every site that advertises the prefix instead of converging on one — a botnet hitting an anycast address spreads itself thin across the whole network's aggregate capacity. Scrubbing centers sit upstream with terabits of headroom, pull your traffic through, drop the attack, and forward the clean remainder.

Closer to the host, SYN cookies defeat SYN floods by encoding the connection state into the sequence number itself, so the server allocates no table entry until the handshake completes — there is nothing to exhaust. Rate limiting caps requests per source, but it is weak against spoofing and large botnets where each source sends little. These local defenses help against modest attacks and buy time, but they can't absorb a multi-hundred-gigabit flood that has already saturated the link.

Application-Layer Defense

Application-layer attacks are the hardest to filter precisely because the requests look legitimate. A flood of valid-looking HTTP GETs is, packet for packet, indistinguishable from real traffic — the attack lives in the cost of serving them, not in malformed packets a filter can spot. Bandwidth defense does nothing here; you need request intelligence.

A WAF inspects requests at L7 and blocks patterns — known bad signatures, abusive request rates per session, suspicious paths. Challenge mechanisms (a JavaScript proof-of-work or a CAPTCHA) force each client to do work or prove it's a browser, which a cheap bot can't afford at scale while a real user barely notices. The hard part is tuning: too aggressive and you block real users, too loose and the expensive requests still land.

Volumetric vs Application-Layer DDoS

Volumetric is gigabits or terabits of junk aimed at saturating the link before traffic ever reaches your server. The packets are often malformed or reflected and the source addresses spoofed. Defense is bandwidth and dispersion you don't own — anycast and upstream scrubbing — because no single origin link can absorb a terabit flood.

Application-layer is a flood of small, legitimate-looking requests that are individually expensive to serve — a few thousand per second can exhaust a database. The traffic is low-bandwidth and hard to distinguish from real users. Defense is request intelligence — a WAF, rate limiting per session, and challenges — not bandwidth, because the link was never the bottleneck.

Common Mistakes
  • Running open resolvers or exposed UDP services usable for amplification. An open DNS resolver or internet-facing memcached turns your infrastructure into a reflector, amplifying an attacker's traffic up to 50,000x toward someone else.
  • Having no upstream or scrubbing capacity. Your access link saturates long before your server CPU does, so a volumetric attack wins at the pipe and your own firewall behind it never gets the chance to filter anything.
  • Rate limiting by source IP only. Spoofed sources and large botnets give each address a tiny share of the traffic, so a per-IP cap that looks reasonable lets the aggregate flood straight through.
  • Blocking all ICMP to "harden" the edge. That breaks Path MTU Discovery, so large legitimate packets silently vanish and you create an outage while defending against an attack ICMP wasn't even carrying.
  • Trying to absorb a volumetric attack on the origin. Buying a bigger server or fatter local link never out-scales a botnet; the only answer is dispersion and upstream scrubbing, not more origin capacity.
Best Practices
  • Front the origin with anycast and upstream scrubbing so a volumetric flood is dispersed across many sites and filtered before it reaches a single link you can't widen.
  • Enable SYN cookies on internet-facing hosts so a SYN flood allocates no connection-table entry until the handshake completes, removing the state there is to exhaust.
  • Lock down any UDP service that can reflect — close open resolvers, never expose memcached to the internet — so you can't be conscripted as an amplifier and your own egress isn't abused.
  • Defend application-layer floods with a WAF plus per-session rate limits and challenge/CAPTCHA, since the requests look legitimate and only request intelligence, not bandwidth, separates them.
  • Permit the ICMP types Path MTU Discovery needs rather than blanket-dropping ICMP, so your defenses don't black-hole large legitimate packets and cause the outage yourself.
Comparable conceptsAnycast (dispersion)Cloud DDoS / WAF (managed scrubbing)

Knowledge Check

Why can't you defeat a large volumetric DDoS by buying a bigger origin server?

  • A botnet exceeds any single link's capacity, so the pipe saturates before the server matters
  • A bigger server has the same CPU, so it processes the flood no faster
  • Origin servers only accept TCP, and volumetric floods use UDP
  • A bigger server would spend all of its added capacity decrypting the incoming attack traffic instead

How does amplification let an attacker hit a victim far harder than their own bandwidth?

  • By compressing many requests into one packet sent to the victim
  • By spoofing the victim's source so open services reply with far larger packets
  • By renting a botnet large enough to match the victim's link
  • By hiding its own real source address so that the victim has no way to rate-limit it

Why are application-layer DDoS attacks the hardest to filter?

  • They use far more bandwidth than volumetric floods do
  • The requests look legitimate, so filters can't distinguish them from real users
  • They use malformed packets that crash the filtering hardware
  • Anycast is unable to route them at all, so they always reach the origin server directly

You got correct