DDoS Mitigation


Understanding DDoS Attacks

Distributed Denial of Service (DDoS) attacks overwhelm resources by flooding them with traffic. Attack vectors include volumetric, protocol, and application-layer attacks.

Detection Strategies

Detect attacks by monitoring traffic anomalies:




import statistics
from collections import defaultdict


class DDoSDetector:
    def __init__(self):
        # Per-endpoint list of recent requests-per-second samples
        self.traffic_history = defaultdict(list)

    def analyze_traffic(self, metrics):
        alerts = []

        for endpoint, values in metrics.items():
            history = self.traffic_history[endpoint]
            history.append(values["rps"])

            # Keep last hour of data
            if len(history) > 3600:
                history.pop(0)

            if len(history) > 60:
                mean = statistics.mean(history)
                stdev = statistics.stdev(history)
                current = values["rps"]

                # Alert if traffic exceeds 3 standard deviations
                if current > mean + (3 * stdev):
                    alerts.append({
                        "endpoint": endpoint,
                        "current_rps": current,
                        "baseline_rps": mean,
                        "severity": "high" if current > mean + (5 * stdev) else "medium"
                    })

        return alerts
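
Two details matter when this kind of z-score check runs in production: the sample being scored should not already be part of the baseline it is compared against, and a perfectly flat baseline has a standard deviation of zero, which turns any one-request blip into an alert. The block below is an added example, not code from the original page. It builds the baseline from earlier samples only, floors the standard deviation, keeps the rolling window in a deque, and leaves alerting samples out of the baseline so that a sustained flood keeps alerting instead of becoming the new normal. The class and parameter names (BaselineAnomalyDetector, warmup, min_stdev) and the traffic series in demo() are constructed for this illustration.

```python
import statistics
from collections import defaultdict, deque


class BaselineAnomalyDetector:
    """Z-score detector with a rolling per-endpoint baseline (added example).

    - the current sample is scored before it joins the history, so it
      cannot dilute its own baseline;
    - the standard deviation is floored at min_stdev, so a flat baseline
      (stdev 0) does not make a tiny increase look like a flood;
    - samples that alert are not added to the baseline, so attack traffic
      does not train the detector to accept it.
    """

    def __init__(self, window=3600, warmup=60, medium_z=3.0, high_z=5.0, min_stdev=1.0):
        self.warmup = warmup          # samples needed before scoring starts
        self.medium_z = medium_z
        self.high_z = high_z
        self.min_stdev = min_stdev    # floor for the baseline stdev, in rps
        # deque(maxlen=window) drops the oldest sample in O(1), unlike list.pop(0)
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, endpoint, rps):
        """Score one requests-per-second sample; return an alert dict or None."""
        history = self.history[endpoint]
        alert = None
        if len(history) >= self.warmup:
            mean = statistics.fmean(history)
            stdev = max(statistics.stdev(history), self.min_stdev)
            z = (rps - mean) / stdev
            severity = "high" if z > self.high_z else "medium" if z > self.medium_z else None
            if severity:
                alert = {
                    "endpoint": endpoint,
                    "current_rps": rps,
                    "baseline_rps": round(mean, 2),
                    "z_score": round(z, 2),
                    "severity": severity,
                }
        if alert is None:
            # Only benign-looking samples extend the baseline
            history.append(rps)
        return alert

    def analyze_traffic(self, metrics):
        """Batch form using the page's {endpoint: {"rps": n}} input shape."""
        alerts = []
        for endpoint, values in metrics.items():
            alert = self.observe(endpoint, values["rps"])
            if alert:
                alerts.append(alert)
        return alerts


def demo():
    """Constructed traffic: 60 samples alternating 990/1010 rps, then 1025, 1040 and 1300 rps."""
    detector = BaselineAnomalyDetector(warmup=60)
    for i in range(60):
        detector.observe("/api/search", 990 if i % 2 == 0 else 1010)
    # 1025 is about 2.5 sigma (no alert), 1040 about 3.8 sigma (medium), 1300 far beyond (high)
    return [detector.analyze_traffic({"/api/search": {"rps": r}}) for r in (1025, 1040, 1300)]


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

The floor value is the knob to tune per deployment: an endpoint whose baseline is a steady 1000 rps with min_stdev=1.0 will alert at 1004 rps, which is usually too sensitive, so in practice the floor is set relative to the traffic level the endpoint normally carries.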





Traffic Scrubbing

Route traffic through scrubbing centers to filter malicious packets:




# Scrubbing center configuration
scrubbing:
  providers:
    - name: "cloudflare"
      tier: "enterprise"
      always_scrub: false
      threshold_activate: "100000 rps"

  flow_spec:
    - protocol: tcp
      dst_port: 443
      action: divert_to_scrubber
    - protocol: tcp
      dst_port: 80
      action: divert_to_scrubber

  mitigation_actions:
    - drop_invalid_tcp_packets
    - rate_limit_syn_floods
    - filter_dns_amplification
    - block_known_bot_networks





Rate Limiting at Edge




# Nginx rate limiting for DDoS
# Shared-memory zones are declared once at http level, keyed by client address.
# The login zone and the connection zone were referenced below but never declared.
limit_req_zone  $binary_remote_addr zone=ddos:10m  rate=100r/s;
limit_req_zone  $binary_remote_addr zone=login:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

server {
    location / {
        # Up to 200 requests above the rate are served immediately (nodelay);
        # anything beyond that gets 429 instead of the default 503
        limit_req zone=ddos burst=200 nodelay;
        limit_req_status 429;
        limit_req_log_level warn;

        # Additional protection: cap concurrent connections per client
        limit_conn conn_per_ip 10;
        limit_conn_status 429;

        proxy_pass http://backend;
    }

    # Specific endpoint protection: limit_req takes only the zone name;
    # the 5r/s rate belongs to the limit_req_zone declaration above
    location /api/login {
        limit_req zone=login;
        limit_req_status 429;
        proxy_pass http://backend;
    }
}
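
Reading a limit_req line correctly requires knowing what burst and nodelay actually do: limit_req is a leaky bucket in which each request adds one to a per-key "excess" counter that drains at the configured rate, a request is rejected when the excess would exceed burst, and without nodelay the excess requests are held back so they leave at the rate instead of immediately. The block below is an added example, not nginx code and not from the original page: a simplified Python model of that algorithm, keeping the counter in millirequests as nginx does, so that the 100r/s and burst=200 settings above can be exercised offline. The class and function names (LeakyBucketLimiter, count_decisions) and the 203.0.113.7 client address are constructed for the illustration.

```python
class LeakyBucketLimiter:
    """Simplified model of nginx limit_req (added example, not nginx source).

    rate_rps  -- requests per second the bucket drains at
    burst     -- excess requests tolerated before rejecting
    nodelay   -- serve excess requests at once instead of delaying them
    State per key is (last_ms, excess_millirequests).
    """

    def __init__(self, rate_rps, burst=0, nodelay=False):
        self.rate = rate_rps * 1000      # millirequests per second
        self.burst = burst * 1000        # allowed excess, in millirequests
        self.nodelay = nodelay
        self.state = {}

    def request(self, key, now_ms):
        """Decide one request: ("allow", delay_ms) or ("reject", 0)."""
        if key not in self.state:
            # First request seen from this key starts with zero excess
            self.state[key] = (now_ms, 0)
            return ("allow", 0)

        last_ms, excess = self.state[key]
        elapsed_ms = max(0, now_ms - last_ms)
        # Drain what the rate allows since the last request, then add this request
        excess = excess - self.rate * elapsed_ms // 1000 + 1000
        if excess < 0:
            excess = 0
        if excess > self.burst:
            # Rejected requests do not change the stored state
            return ("reject", 0)

        self.state[key] = (now_ms, excess)
        if self.nodelay or excess == 0:
            return ("allow", 0)
        # Without nodelay the request is held until the excess has drained
        return ("allow", excess * 1000 // self.rate)


def count_decisions(limiter, key, n, at_ms):
    """Send n requests from one key at the same instant; return (allowed, rejected)."""
    decisions = [limiter.request(key, at_ms)[0] for _ in range(n)]
    return decisions.count("allow"), decisions.count("reject")


if __name__ == "__main__":
    # Matches "limit_req zone=ddos burst=200 nodelay" with rate=100r/s
    edge = LeakyBucketLimiter(100, burst=200, nodelay=True)
    print(count_decisions(edge, "203.0.113.7", 210, at_ms=0))   # (201, 9)
    # One second later 100 requests' worth of excess has drained
    print(edge.request("203.0.113.7", 1000))                    # ('allow', 0)
```

Two consequences worth noticing: the first request from a fresh key is free, so a burst of 200 lets 201 requests through at once; and in delay mode the second request of an instantaneous burst is already held for 10 ms at 100r/s, which is what makes nodelay the usual choice for DDoS protection where queuing excess requests would tie up worker connections.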





CDN-Based Protection

Leverage CDN capabilities for volumetric attack absorption:




import os
import requests

# CDN DDoS configuration
CDN_CONFIG = {
    "cloudflare": {
        "under_attack_mode": True,
        "security_level": "high",
        "challenge_ttl": 300,
        "browser_check": True,
        "rate_limiting": {
            "enabled": True,
            "rules": [
                {
                    "path": "/api/*",
                    "max_requests": 100,
                    "period": 60
                }
            ]
        },
        "waf": {
            "enabled": True,
            "ruleset": "owasp_crs",
            "paranoia_level": 2
        }
    }
}

CF_API = "https://api.cloudflare.com/client/v4"


def _headers():
    # API token (scoped to Zone Settings:Edit) supplied through the environment
    return {"Authorization": f"Bearer {os.environ['CLOUDFLARE_API_TOKEN']}"}


def lookup_zone_id(domain):
    # Resolve the zone id for the domain; the original referenced zone_id without defining it
    resp = requests.get(f"{CF_API}/zones", params={"name": domain},
                        headers=_headers(), timeout=10)
    resp.raise_for_status()
    return resp.json()["result"][0]["id"]


def enable_ddos_protection(domain):
    zone_id = lookup_zone_id(domain)

    # Activate Under Attack mode
    resp = requests.patch(
        f"{CF_API}/zones/{zone_id}/settings/security_level",
        json={"value": "under_attack"},
        headers=_headers(), timeout=10
    )
    resp.raise_for_status()

    # Enable browser integrity check
    resp = requests.patch(
        f"{CF_API}/zones/{zone_id}/settings/browser_check",
        json={"value": "on"},
        headers=_headers(), timeout=10
    )
    resp.raise_for_status()





Application-Layer Protection




const crypto = require("crypto");

// Challenge-response for suspicious requests
app.get("/challenge", (req, res) => {
    if (req.session.challengeSolved) {
        return res.redirect("/dashboard");
    }

    // Generate proof-of-work challenge
    const challenge = crypto.randomBytes(16).toString("hex");
    const difficulty = 4; // Number of leading zeros needed

    // Stored server-side so the answer can be checked against what was issued
    req.session.challenge = challenge;
    req.session.difficulty = difficulty;

    res.send(`
    `);
});




Conclusion

Effective DDoS mitigation requires multiple layers: detection, scrubbing, rate limiting, and CDN protection. Deploy rate limiting at the edge for application-layer attacks. Use CDN-based protection for volumetric attacks. Implement automated detection and response. Test your DDoS response plan regularly with tabletop exercises.