DDoS Attacks and Mitigation
Category: Network Security
Type: Network Concepts
Generated on: 2025-07-10 09:07:27
For: Network Engineering, Administration & Technical Interviews
DDoS Attacks and Mitigation: A Comprehensive Cheatsheet
A Distributed Denial-of-Service (DDoS) attack overwhelms a target server, network, or service with malicious traffic, making it unavailable to legitimate users. It’s distributed because the attack originates from multiple compromised systems (a botnet), making it harder to block than a simple DoS attack.
Importance: DDoS attacks can cripple businesses, disrupt critical infrastructure, and cause significant financial losses and reputational damage. Understanding and mitigating DDoS attacks is crucial for network security.
- DoS (Denial-of-Service): An attack from a single source aimed at disrupting service.
- DDoS (Distributed Denial-of-Service): An attack from multiple sources (botnet) aimed at disrupting service.
- Botnet: A network of compromised computers (bots) controlled by a single attacker (bot herder).
- Amplification Attack: An attack where the attacker sends small requests to a vulnerable server (e.g., DNS server), which then responds with much larger responses to the target, amplifying the attack volume.
- Reflection Attack: The attacker spoofs the victim’s IP address and sends requests to multiple servers. These servers respond to the victim, unknowingly participating in the DDoS attack.
- Volumetric Attacks: Overwhelm the target’s bandwidth (e.g., UDP flood, ICMP flood).
- Application-Layer Attacks (Layer 7): Target specific application features and consume server resources (e.g., HTTP flood, Slowloris).
- Protocol Attacks: Exploit weaknesses in network protocols (e.g., SYN flood).
- Mitigation: Techniques used to defend against DDoS attacks.
- Rate Limiting: Limiting the number of requests from a specific IP address.
- Blacklisting: Blocking traffic from known malicious IP addresses.
- Whitelisting: Allowing traffic only from known good IP addresses.
- Content Delivery Network (CDN): A distributed network of servers that cache content closer to users, reducing the load on the origin server and providing DDoS protection.
- DDoS Protection Services: Specialized services that filter malicious traffic and protect against DDoS attacks.
- Sinkholing: Diverting malicious traffic to a “sinkhole” network where it can be analyzed and mitigated.
A DDoS attack typically unfolds as follows:
- Infection: The attacker infects numerous computers with malware, creating a botnet.
- Command & Control: The attacker controls the botnet through a command-and-control (C&C) server.
- Attack Launch: The attacker sends a command to the botnet to launch an attack against the target.
- Traffic Overload: The bots flood the target with malicious traffic, overwhelming its resources.
- Service Disruption: The target becomes unavailable to legitimate users.
+-----------------------+
| Attacker (Bot Herder) |
+-----------------------+
            |
   Command & Control (C&C)
            |
+-----------------------+
|        Botnet         |
+-----------------------+
| Bot1 | Bot2 | Bot3 | ...
+-----------------------+
    /     |     |     \
   /      |     |      \   Attack Traffic
  /       |     |       \
+---------------------------------------+
|         Target Server/Network         |
+---------------------------------------+
| Legitimate Users (Unable to Access)   |
+---------------------------------------+

DDoS attacks can leverage various protocols:
- HTTP: Application-layer attacks like HTTP floods.
  - Request:
    GET /index.html HTTP/1.1\r\nHost: example.com\r\nConnection: keep-alive\r\n...
- UDP: Volumetric attacks like UDP floods.
  - UDP Header:
    Source Port | Destination Port | Length | Checksum
- ICMP: Volumetric attacks like ICMP floods (ping floods).
  - ICMP Header (echo request/reply):
    Type | Code | Checksum | Identifier | Sequence Number
- TCP (SYN flag): Protocol attacks like SYN floods.
  - TCP Header:
    Source Port | Destination Port | Sequence Number | Acknowledgment Number | Flags (SYN) | Window Size | Checksum | Urgent Pointer
- DNS: Amplification attacks (DNS amplification).
  - DNS Query:
    Question Section (Domain Name, Type, Class)
  - DNS Response:
    Answer Section (Resource Records)
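The DNS amplification and reflection entries above describe traffic that arrives at the victim as large UDP/53 responses it never requested. The following detector is an added example for this cheatsheet (not code from the original page): it walks constructed flow records as an edge sensor in front of the protected network would see them, pairs responses with the outbound queries that solicited them, and reports both the amplification ratio of legitimate answers and the volume of unsolicited (reflected) responses per server. `LOCAL_NET` and all addresses are constructed placeholders.

```python
"""Spot DNS reflection/amplification traffic in a flow log: large UDP/53 responses
that no host on the protected network asked for.

Added example, not code from the original page. Flow records are constructed,
one per datagram: (ts_s, src_ip, src_port, dst_ip, dst_port, bytes). A response
is "solicited" only when the mirrored 4-tuple was seen as an outbound query
shortly before; everything else arriving from UDP/53 is reflected traffic.
"""
from collections import defaultdict

LOCAL_NET = "10.0.0."   # constructed placeholder for the protected address range


def analyze_dns(flows, query_ttl_s=5.0):
    """Return (amp_ratios, unsolicited_bytes), both keyed by DNS server IP.

    amp_ratios: response_size / query_size for answers we actually asked for
    unsolicited_bytes: bytes received from that server with no matching query
    """
    pending = {}                  # (client, client_port, server) -> (ts, query_bytes)
    amp_ratios = defaultdict(list)
    unsolicited = defaultdict(int)
    for ts, src, sport, dst, dport, size in sorted(flows):
        if dport == 53 and src.startswith(LOCAL_NET):
            pending[(src, sport, dst)] = (ts, size)            # outbound query
        elif sport == 53 and dst.startswith(LOCAL_NET):
            query = pending.pop((dst, dport, src), None)
            if query and ts - query[0] <= query_ttl_s:
                amp_ratios[src].append(size / query[1])        # legitimate answer
            else:
                unsolicited[src] += size                       # reflected at us
    return dict(amp_ratios), dict(unsolicited)


def suspected_reflectors(flows, min_bytes=1000):
    """Servers that sent at least min_bytes of unsolicited DNS responses."""
    _, unsolicited = analyze_dns(flows)
    return sorted(s for s, b in unsolicited.items() if b >= min_bytes)


# Constructed sample flows: one real query/answer pair (a 5x answer to our own
# query) and a burst of 3000-byte answers from 198.51.100.7 that nobody requested,
# i.e. the reflection pattern described above (attacker spoofed our address).
FLOWS = [
    (0.0, "10.0.0.5", 40000, "198.51.100.53", 53, 60),
    (0.1, "198.51.100.53", 53, "10.0.0.5", 40000, 300),
]
FLOWS += [(1.0 + i * 0.01, "198.51.100.7", 53, "10.0.0.5", 51234 + i, 3000)
          for i in range(5)]

if __name__ == "__main__":
    ratios, unsolicited = analyze_dns(FLOWS)
    print("amplification seen  :", ratios)        # {'198.51.100.53': [5.0]}
    print("unsolicited bytes   :", unsolicited)   # {'198.51.100.7': 15000}
    print("suspected reflectors:", suspected_reflectors(FLOWS))
```

The same pairing logic applies to any reflected UDP service (NTP, Memcached) by changing the port; the key signal is response volume with no matching outbound request.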
Example: SYN Flood
- Attacker sends SYN packets to the target server.
- Server allocates resources and sends back SYN-ACK packets.
- Attacker never responds with the ACK packets that would complete the three-way handshake.
- Server’s resources are exhausted by half-open connections, preventing legitimate connections.

Attacker                    Server
   SYN       --------->
             <---------     SYN-ACK
 (No ACK)
   SYN       --------->
             <---------     SYN-ACK
 (No ACK)
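One way to detect the half-open pattern in the sequence above from a packet trace, as an added example for this cheatsheet (not code from the original page). The trace is constructed and shows only the client side of each handshake; the detector counts SYNs that are never followed by the client's ACK, per source, inside a sliding time window, and flags a source only when it has many half-open connections and a high incomplete ratio.

```python
"""SYN-flood detection over a packet trace: count half-open handshakes per source.

Added example, not code from the original page. Each constructed record is
(ts_s, src_ip, flag) with flag "SYN" (handshake start) or "ACK" (client's third
packet, handshake complete). A source whose SYNs are never followed by ACKs is
leaving connections half-open on the server.
"""
from collections import defaultdict


def half_open_by_source(trace, window_s=1.0, now=None):
    """Return {src_ip: (syn_count, half_open)} for packets within the last window_s."""
    if now is None:
        now = max(ts for ts, _, _ in trace)
    syns, acks = defaultdict(int), defaultdict(int)
    for ts, src, flag in trace:
        if ts < now - window_s:
            continue                     # outside the detection window
        if flag == "SYN":
            syns[src] += 1
        elif flag == "ACK":
            acks[src] += 1
    # A handshake completes only when the client's ACK arrives; surplus SYNs are half-open.
    return {src: (n, max(0, n - acks[src])) for src, n in syns.items()}


def flag_syn_flood(trace, max_half_open=5, min_incomplete_ratio=0.8, **kw):
    """Flag sources with many half-open connections AND a high incomplete ratio.

    Requiring both avoids flagging a busy but well-behaved client that opens
    many connections and completes nearly all of them.
    """
    flagged = []
    for src, (n, half_open) in half_open_by_source(trace, **kw).items():
        if half_open >= max_half_open and half_open / n >= min_incomplete_ratio:
            flagged.append(src)
    return sorted(flagged)


# Constructed sample trace (not captured data): 10.0.0.5 completes every handshake,
# 203.0.113.9 sends SYNs and never ACKs.
TRACE = [(0.00, "10.0.0.5", "SYN"), (0.02, "10.0.0.5", "ACK"),
         (0.30, "10.0.0.5", "SYN"), (0.32, "10.0.0.5", "ACK")]
TRACE += [(0.10 + i * 0.01, "203.0.113.9", "SYN") for i in range(8)]

if __name__ == "__main__":
    for src, (n, half) in half_open_by_source(TRACE).items():
        print(f"{src:15} SYNs={n:3} half-open={half:3}")
    print("flagged:", flag_syn_flood(TRACE))     # ['203.0.113.9']
```

On a real sensor the same counters can be fed from conntrack or a packet capture; the mitigations listed later (SYN cookies, SYN proxy, rate limiting) are what you apply once a source is flagged.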
- Mirai Botnet: Infected IoT devices (routers, cameras) and launched large-scale DDoS attacks against Dyn (a DNS provider), causing major internet outages.
- Memcached Amplification: Exploited vulnerable Memcached servers to amplify traffic by a factor of 50,000x.
- HTTP Flood: A large number of HTTP requests are sent to a web server, overwhelming its resources and making it unresponsive.
- Application Layer Attack on E-Commerce Site: Bots mimic legitimate users browsing and adding items to carts, but never completing the purchase. This consumes server resources and slows down the site for real customers.

- False Positives: Legitimate traffic being incorrectly identified as malicious. Solution: Fine-tune mitigation rules and use reputation-based filtering.
- Evolving Attack Vectors: Attackers constantly changing their tactics to bypass defenses. Solution: Continuously monitor traffic patterns and update security measures.
- Bandwidth Saturation: The attack volume exceeds the available bandwidth, making mitigation difficult. Solution: Use DDoS protection services with larger bandwidth capacity.
- Resource Exhaustion: The attack consumes server resources (CPU, memory), even if the bandwidth is not saturated. Solution: Optimize server configurations and use caching mechanisms.
- SSL/TLS Encryption: Makes it harder to inspect traffic for malicious patterns. Solution: Use SSL inspection techniques (with caution, due to privacy concerns) or offload SSL decryption to a dedicated appliance.
- Geolocation Problems: Blocking entire countries/regions based on attack origin can block legitimate users. Solution: Use more granular geo-filtering or only block specific IP ranges within a region.
Linux (iptables) - Rate Limiting:

# Limit incoming SYN packets to 10 per second, allowing an initial burst of 20
# Note: -m limit counts all matching packets together (not per source);
# use -m hashlimit for a per-source-address limit.
iptables -A INPUT -p tcp --syn -m limit --limit 10/second --limit-burst 20 -j ACCEPT
# Drop SYN packets exceeding the limit
iptables -A INPUT -p tcp --syn -j DROP

Cisco Router - Rate Limiting:

! Create an access list to match traffic
access-list 101 permit tcp any any eq 80
! Create a class map to match the traffic
class-map match-all WebTraffic
 match access-group 101
! Create a policy map to limit the traffic (8 Mbps, 8000-byte normal and maximum burst)
policy-map RateLimitWeb
 class WebTraffic
  police 8000000 8000 8000 conform-action transmit exceed-action drop
! Apply the policy map to an interface (e.g., inbound on GigabitEthernet0/0)
interface GigabitEthernet0/0
 service-policy input RateLimitWeb

NGINX - Rate Limiting (HTTP Flood Mitigation):

http {
    # 1 request per second per client IP; 10 MB of shared memory for the state table
    limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1r/s;

    server {
        location / {
            # Allow a burst of 5 requests above the rate, served without delay;
            # requests beyond the burst are rejected (503 by default)
            limit_req zone=mylimit burst=5 nodelay;
            # ... rest of your configuration ...
        }
    }
}

Cloudflare (Web Application Firewall - WAF) Rule:

(Example using Cloudflare’s expression language):

(ip.geoip.country eq "CN" and http.request.uri.path contains "/wp-login.php")

Paired with a Block action, this expression blocks requests from China to the WordPress login page, a common target for bot attacks.
Important: Always test these configurations in a staging environment before deploying them to production.
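To see what the NGINX `limit_req` directive above actually does to a burst, here is a small model of its per-client leaky bucket, added for this cheatsheet (it is not NGINX's own code and simplifies its accounting). It follows NGINX's documented behaviour: each request adds 1 to a per-client "excess" counter that drains at `rate` requests per second, a request is rejected once excess would exceed `burst`, and without `nodelay` accepted excess requests are delayed so the backend still sees `rate`. Client IPs and timestamps are constructed.

```python
"""Model of the NGINX limit_req leaky bucket (rate=1r/s, burst=5, nodelay).

Added example, not NGINX's own code. Simplified: no shared-memory eviction,
no delay= parameter. State is keyed per client, like $binary_remote_addr.
"""


class LimitReqZone:
    def __init__(self, rate, burst, nodelay=False):
        self.rate, self.burst, self.nodelay = rate, burst, nodelay
        self.state = {}          # client -> (last_ts, excess), like the shared zone

    def handle(self, client, ts):
        """Return ('accept', delay_s) or ('reject', 0.0) for one request."""
        last, excess = self.state.get(client, (None, 0.0))
        if last is None:
            excess = 0.0                                   # first request: not excess
        else:
            # drain at `rate` since the last request, then count this one
            excess = max(0.0, excess - self.rate * (ts - last)) + 1.0
        if excess > self.burst:
            return ("reject", 0.0)                         # 503; not counted in excess
        self.state[client] = (ts, excess)
        delay = 0.0 if self.nodelay else excess / self.rate
        return ("accept", delay)


def simulate(requests, rate=1.0, burst=5, nodelay=True):
    """Run (client, ts) requests through one zone; returns (client, ts, verdict, delay)."""
    zone = LimitReqZone(rate, burst, nodelay)
    return [(client, ts) + zone.handle(client, ts) for client, ts in requests]


def count_rejected(results, client):
    return sum(1 for c, _, verdict, _ in results if c == client and verdict == "reject")


# Constructed traffic: 8 requests within 100 ms from one client (flood-like),
# and a normal client sending one request per second.
BURST = [("203.0.113.9", i * 0.0125) for i in range(8)]
NORMAL = [("10.0.0.5", float(i)) for i in range(3)]

if __name__ == "__main__":
    for client, ts, verdict, delay in simulate(BURST + NORMAL):
        print(f"{client:13} t={ts:6.3f}s {verdict:6} delay={delay:.2f}s")
    print("rejected from flood client:", count_rejected(simulate(BURST), "203.0.113.9"))
```

With `burst=5` the first request plus five excess requests pass (six in total) and the rest of the burst gets 503, while the 1 r/s client is never touched; dropping `nodelay` keeps the same accept/reject split but spreads the accepted burst out at one per second.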
- What is a DDoS attack, and how does it differ from a DoS attack?
  - Answer: A DDoS attack is a distributed attack from multiple sources, while a DoS attack is from a single source. DDoS attacks are generally harder to mitigate due to the distributed nature.
- Explain the different types of DDoS attacks (volumetric, protocol, application-layer).
  - Answer: Volumetric attacks flood the target with traffic. Protocol attacks exploit protocol weaknesses. Application-layer attacks target specific application features.
- What is a botnet, and how is it used in DDoS attacks?
  - Answer: A botnet is a network of compromised computers controlled by an attacker. It’s used to generate a large volume of malicious traffic in a DDoS attack.
- How can you mitigate a SYN flood attack?
  - Answer: SYN cookies, SYN proxy, rate limiting, and increasing the SYN backlog queue size.
- What is DNS amplification, and how can it be prevented?
  - Answer: DNS amplification is a type of DDoS attack where the attacker sends small DNS queries with a spoofed source IP address to public DNS servers, which then respond with much larger responses to the target. It can be prevented by disabling recursion on authoritative DNS servers, rate limiting DNS queries, and implementing source IP address validation.
- Describe the role of a CDN in mitigating DDoS attacks.
  - Answer: CDNs cache content closer to users, reducing the load on the origin server. They can also absorb a significant amount of attack traffic.
- What are some best practices for protecting against DDoS attacks?
  - Answer: Use DDoS protection services, implement rate limiting, use a WAF, keep software up to date, monitor traffic patterns, and have a DDoS incident response plan.
- How can you detect a DDoS attack?
  - Answer: Monitor network traffic for unusual spikes in bandwidth usage, high CPU utilization on servers, increased latency, and a large number of connections from the same IP address.
- Explain the concept of “blackholing” and how it’s used in DDoS mitigation.
  - Answer: Blackholing involves routing all traffic destined for the target IP address to a null interface (a black hole), effectively dropping all traffic, including legitimate traffic. It’s a last resort when other mitigation techniques fail.
- What are the trade-offs of using different DDoS mitigation techniques (e.g., rate limiting vs. blackholing)?
  - Answer: Rate limiting can impact legitimate users if not configured carefully. Blackholing drops all traffic, including legitimate traffic, causing complete service outage. CDNs can be expensive but provide better performance and availability.
- Firewalls: Control network access and block malicious traffic.
- Intrusion Detection Systems (IDS): Detect malicious activity on the network.
- Intrusion Prevention Systems (IPS): Block malicious activity on the network.
- Web Application Firewalls (WAF): Protect web applications from attacks.
- Network Segmentation: Dividing the network into smaller, isolated segments to limit the impact of attacks.
- Anomaly Detection: Identifying unusual patterns in network traffic.
- Machine Learning: Using machine learning algorithms to detect and mitigate DDoS attacks.
- Cloud Security: Security measures for cloud-based infrastructure.
- Zero Trust Security: A security model based on the principle of “never trust, always verify.”
- Cybersecurity Frameworks (NIST, CIS): Provide guidance on implementing cybersecurity best practices.
Further Reading:
- OWASP (Open Web Application Security Project): https://owasp.org/
- SANS Institute: https://www.sans.org/
- Cloudflare Learning Center: https://www.cloudflare.com/learning/ddos/
This cheatsheet provides a comprehensive overview of DDoS attacks and mitigation techniques. Remember to stay updated on the latest threats and best practices to effectively protect your network. Good luck!