DDoS mitigation is a set of

network management Network management is the process of administering and managing computer networks. Services provided by this discipline include fault analysis, performance management, provisioning of networks and maintaining quality of service. Network managemen ...

techniques and/or tools, for resisting or mitigating the impact of

distributed denial-of-service In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connect ...

(DDoS) attacks on networks attached to the

Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...

, by protecting the target, and relay networks. DDoS attacks are a constant threat to businesses and organizations, by delaying service performance, or by shutting down a

website A website (also written as a web site) is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Examples of notable websites are Google Search, Google, Facebook, Amaz ...

entirely. DDoS mitigation works by identifying baseline conditions for

network traffic Network traffic or data traffic is the amount of data moving across a network at a given point of time. Network data in computer networks is mostly encapsulated in network packets, which provide the load in the network. Network traffic is the main c ...

by analyzing "traffic patterns", to allow threat detection and alerting. DDoS mitigation also requires identifying incoming traffic, to separate human traffic from human-like

bots The British Overseas Territories (BOTs), also known as the United Kingdom Overseas Territories (UKOTs), are fourteen territories with a constitutional and historical link with the United Kingdom. They are the last remnants of the former Bri ...

and hijacked

web browsers A web browser is application software for accessing websites. When a User (computing), user requests a web page from a particular website, the browser retrieves its Computer file, files from a web server and then displays the page on the user' ...

. This process involves comparing signatures and examining different attributes of the traffic, including

IP addresses An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

cookie A cookie is a baked or cooked snack or dessert that is typically small, flat and sweet. It usually contains flour, sugar, egg, and some type of oil, fat, or butter. It may include other ingredients such as raisins, oats, chocolate chips, n ...

variations,

HTTP headers The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...

, and

JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...

fingerprints. After the detection is made, the next process is

filtering Filter, filtering or filters may refer to: Science and technology Computing * Filter (higher-order function), in functional programming * Filter (software), a computer program to process a data stream * Filter (video), a software component tha ...

. Filtering can be done through anti-DDoS technology like connection tracking, IP reputation lists,

deep packet inspection Deep packet inspection (DPI) is a type of data processing that inspects in detail the data being sent over a computer network, and may take actions such as alerting, blocking, re-routing, or logging it accordingly. Deep packet inspection is oft ...

blacklisting Blacklisting is the action of a group or authority compiling a blacklist (or black list) of people, countries or other entities to be avoided or distrusted as being deemed unacceptable to those making the list. If someone is on a blacklist, t ...

whitelisting A whitelist, allowlist, or passlist is a mechanism which explicitly allows some identified entities to access a particular privilege, service, mobility, or recognition i.e. it is a list of things allowed when everything is denied by default. It is ...

, or

rate limiting In computer networks, rate limiting is used to control the rate of requests sent or received by a network interface controller. It can be used to prevent DoS attacks and limit web scraping. Research indicates flooding rates for one zombie machine ...

. One technique is to pass network traffic addressed to a potential target network through high-capacity networks, with "traffic scrubbing" filters. Manual DDoS mitigation is no longer recommended, due to the size of attacks often outstripping the human resources available in many firms/organizations. Other methods to prevent DDoS attacks can be implemented, such as on-premises and/or

cloud-based Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user. Large clouds often have functions distributed over multip ...

solution providers. On-premises mitigation technology (most commonly a hardware device) is often placed in front of the network. This would limit the maximum bandwidth available to what is provided by your

Internet service provider An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...

. Common methods involve hybrid solutions, by combining on-premises filtering with cloud-based solutions.

Methods of attack

DDoS attacks are executed against websites and networks of selected victims. A number of vendors offer "DDoS-resistant"

hosting services An Internet hosting service is a service that runs servers connected to the Internet, allowing organizations and individuals to serve content or host services connected to the Internet. A common kind of hosting is web hosting. Most hosting provi ...

, mostly based on techniques similar to

content delivery network A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially re ...

s. Distribution avoids a single point of congestion and prevents the DDoS attack from concentrating on a single target. One technique of DDoS attacks is to use misconfigured third-party networks, allowing the amplification of spoofed UDP packets. Proper configuration of network equipment, enabling

ingress filtering In computer networking, ingress filtering is a technique used to ensure that incoming Packet (information technology), packets are actually from the networks from which they claim to originate. This can be used as a countermeasure against various ...

and

egress filtering In computer networking, egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. Typically, it is information from a private TCP/IP computer network to the Internet tha ...

, as documented in BCP 38 and RFC 6959, prevents amplification and spoofing, thus reducing the number of relay networks available to attackers.

Methods of mitigation

* Use of

Client Puzzle Protocol Client Puzzle Protocol (CPP) is a computer algorithm for use in Internet communication, whose goal is to make abuse of server resources infeasible. It is an implementation of a proof-of-work system (POW). The idea of the CPP is to require all cli ...

, or

Guided tour puzzle protocol Guided tour puzzle (GTP) protocol is a cryptographic protocol for mitigating application layer denial of service attacks. It aims to overcome the shortcoming of computation-based puzzle protocols, in which clients are required to compute hard CPU ...

* Use of

Content Delivery Network A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially re ...

* Blacklist of

* Use of

Intrusion detection system An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...

and

Firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...

References

{{DEFAULTSORT:DDoS mitigation Computer network security System administration * Cyberwarfare

Methods of attack

Methods of mitigation

See also

References