DDOS – the word has been the most furious threat of the decade for any business that depends on its web presence. For those new to internet threats, DDOS is a proven and commonly practiced way to block the resources of a web server by overwhelming it with hits, requests and queries sent from a large number of terminals at the attacker's disposal. Since a web server must make itself available on the network to remain accessible to legitimate users and queries, it remains potentially exposed to a DDOS attack unless a DDOS mitigation layer has been deployed. Though the primary objective of a DDOS attack is to engage 100% of system resources with fake queries, thus making the server unavailable to legitimate users, highly intelligent attackers also use it to cover up an intrusion or injection effort by making traffic logs too large to be analyzed instantly.

Since a DDOS attack does not need internal access to a web site or web application to take it down temporarily, it has been the most common way to harm the web presence of any business. However, an effective DDOS mitigation mechanism can reduce your risk exposure to almost zero. By detecting a DDOS attack instantly, you can avoid any downtime it may cause.

DDOS Mitigation Process Flow

Detection of DDOS Attacks

Timely detection is the most important part of any DDOS mitigation mechanism. Detection is done by continuous analysis and comparison of traffic pattern and volume against the standards expected for a certain day and time. Though the artificial intelligence of a DDOS detection program is highly complicated, in layman's terms it compares the incoming traffic pattern with what is expected at a particular day and time. As an example, the average traffic on your website on any Sunday morning is less than 50 requests per minute; on a certain Sunday morning the traffic volume jumps to over a few thousand per minute. Another easy example: the average session duration of your website users has been less than 3 minutes, and at a certain point in time the system identifies hundreds of active users with never-ending sessions. An advanced DDOS detection program typically checks traffic volume, session durations, the volume and magnitude of queries per user, traffic geo-concentration, user system attributes such as browser and OS, and many other parameters. It also continuously updates its benchmark standards according to changing dynamics to avoid false positives.
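The following is an added example (not part of the original article) of the baseline comparison described above: it checks each minute of traffic against an expected requests-per-minute figure for that weekday and hour, and also flags a minute dominated by a single source IP. The baseline value, log format, timestamps and IP addresses are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline, not learned from real traffic: expected requests per
# minute keyed by (weekday, hour); weekday 6 is Sunday, as in the text's example.
BASELINE_RPM = {(6, 9): 50}

def make_sample_log():
    """Constructed access log: a normal Sunday 09:00 minute (30 requests from
    30 distinct IPs) followed by a flooded 09:01 minute (400 requests, 300 of
    them from a single source). Timestamps, IPs and paths are made up."""
    lines = [f"2024-03-10T09:00:{i:02d} 198.51.100.{i + 1} GET /page{i % 5}"
             for i in range(30)]
    for i in range(400):
        ip = "203.0.113.9" if i % 4 else f"198.51.100.{i % 30 + 1}"
        lines.append(f"2024-03-10T09:01:{i % 60:02d} {ip} GET /search?q={i}")
    return lines

def detect(lines, baseline, volume_factor=5.0, max_share=0.5, min_total=20):
    """Compare each minute with the (weekday, hour) baseline and flag two of
    the signals the text lists: total volume far above the expected rate, and
    a single IP producing most of a minute's requests. Returns alert tuples."""
    per_minute = defaultdict(Counter)          # minute -> Counter(ip -> hits)
    for line in lines:
        ts, ip, _method, _path = line.split()
        minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        per_minute[minute][ip] += 1
    alerts = []
    for minute, hits in sorted(per_minute.items()):
        total = sum(hits.values())
        expected = baseline.get((minute.weekday(), minute.hour))
        if expected is not None and total > expected * volume_factor:
            alerts.append(("volume_spike", minute.isoformat(), total, expected))
        top_ip, top_hits = hits.most_common(1)[0]
        if total >= min_total and top_hits / total > max_share:
            alerts.append(("ip_concentration", minute.isoformat(), top_ip, top_hits))
    return alerts

if __name__ == "__main__":
    for alert in detect(make_sample_log(), BASELINE_RPM):
        print(*alert)
```

A production detector would learn `BASELINE_RPM` from history and keep updating it, which is what the text means by refreshing the benchmark to avoid false positives.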

Diversion Of Traffic

Once a DDOS attack is identified, traffic to the particular web server has to be diverted, either to be discarded or to have the attack traffic filtered out from the legitimate traffic. There are two types of diversion techniques commonly used for DDOS mitigation. To mitigate a DDOS attack targeted at a domain name, DNS routing is used. DNS routing is nothing but pointing the domain name to a mitigation server by changing the A record and CNAME. The mitigation server (also known as a scrubbing server) then receives all traffic towards the specific domain, filters out the unintended volume and passes the legitimate traffic on to the destination web server. DNS routing can be used as both a proactive and a reactive measure. In a proactive installation, your web server domain always remains pointed at the scrubbing server instead of the actual web server. In reactive use, the DNS routing has to be enabled once a DDOS attack has already been identified. Some domain service providers take significant time for any change in A records to take effect. In that case, factor the downtime in advance if your DDOS mitigation plan includes reactive DNS routing.

To handle the more advanced DDOS attack that uses direct IP targeting instead of targeting a domain name, BGP routing is used. In BGP routing, all packets directed at the web server IP address are redirected to the scrubbing server, where malicious packets are filtered out and legitimate packets are forwarded to the web server through a secure connection. Depending upon the volume of the attack, BGP routing may slow down the system significantly, as legitimate packets wait in the queue to be checked before reaching their intended destination. For that reason BGP routing is always used as a reactive measure and activated only when an IP-targeted DDOS attack is identified.

Filtering of Traffic

The objective of this stage is to filter the malicious traffic out from the legitimate traffic, such as valid users, API calls and search engine bots. Filtering is handled by a server widely known as a scrubbing server. The scrubbing server receives the diverted traffic, compares each hit with its built-in intelligence, and discards the malicious traffic to keep the web server available for legitimate traffic. The challenge here is to reduce false positives as much as possible so that legitimate traffic never gets blocked in the attempt to filter out malicious traffic.

Analyzing the Log

It is very important to analyze traffic logs after each attack to identify all available information about the pattern of the attack. Such information is then fed into the DDOS detection and filtering mechanism to keep the programs up to date with expected traffic trends. This further strengthens the system for faster detection and zero false positives while filtering malicious traffic during an attack.

Importance of Application Layer Security

With the evolving threat landscape, DDOS is transforming itself to focus on the application layer rather than simply overburdening the targeted web server. Being much stealthier than their network layer counterparts, application layer DDOS attacks typically mimic legitimate user traffic to evade security measures. To prevent such attacks, your application solution must be capable of distinguishing between legitimate users and DDOS bots. The smarter the attacker is, the more intelligence is needed in the application layer defense to outsmart bots that always pretend to be legitimate traffic. Securing APIs and validating API calls at run time are mandatory measures for an application that grants access to third-party applications. If your application provides sizable insecure data feeds, a validation mechanism must be in place to limit the maximum number of requests per IP address per unit of time. Where application security cannot complete profiling of HTTP(S) requests, human validation steps (captcha or similar) come in to confirm the legitimacy of the user approaching.
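As an added example (not code from the original article), here is a per-IP sliding-window limiter that implements the two application layer measures just described: a request cap per IP per unit of time, with a human validation step triggered above a soft limit and outright dropping above a hard limit. The window size, limits, IP addresses and traffic replay are all constructed for illustration.

```python
from collections import Counter, defaultdict, deque

class PerIpLimiter:
    """Sliding-window request limiter per source IP. Within one window a
    client is allowed `soft_limit` requests; beyond that it is sent to a human
    validation step (captcha or similar), and beyond `hard_limit` it is
    dropped. The limits here are illustrative, not recommended values."""

    def __init__(self, window_seconds=60.0, soft_limit=100, hard_limit=300):
        self.window = window_seconds
        self.soft = soft_limit
        self.hard = hard_limit
        # Bounded per-IP history so a flood cannot grow memory without limit;
        # once full, the oldest timestamp is dropped and the IP stays blocked
        # until its recent requests age out of the window.
        self.hits = defaultdict(lambda: deque(maxlen=hard_limit + 1))

    def decide(self, ip, now):
        """Record a request at time `now` (seconds) and return the action."""
        q = self.hits[ip]
        while q and now - q[0] >= self.window:   # expire timestamps outside window
            q.popleft()
        q.append(now)
        if len(q) > self.hard:
            return "block"
        if len(q) > self.soft:
            return "challenge"
        return "allow"

def simulate(limiter, ip, count, start, interval):
    """Replay `count` requests from one IP spaced `interval` seconds apart and
    tally the decisions (constructed traffic, not a real capture)."""
    tally = Counter()
    for i in range(count):
        tally[limiter.decide(ip, start + i * interval)] += 1
    return tally

if __name__ == "__main__":
    lim = PerIpLimiter()
    print("burst :", simulate(lim, "203.0.113.9", 350, 0.0, 0.01))  # 3.5 s flood
    print("normal:", simulate(lim, "198.51.100.4", 40, 0.0, 1.0))   # 1 request/s
    print("later :", simulate(lim, "203.0.113.9", 1, 120.0, 0.0))   # window expired
```

The "challenge" outcome is where the captcha or similar human validation step from the text is inserted; a verified human can then be exempted from the soft limit for the rest of the session.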

Since it will always be a battle of intelligence between the attacker and the protector, sometimes thinking like an evader can help you decide the right set of protocols to deploy for protection. In case you are interested in consulting a DDOS mitigation expert to explore possible options, we are always standing by to take on new challenges. Contact Us Today to know more.