Understanding Modern DDoS Attacks
DDoS (Distributed Denial of Service) attacks have evolved beyond simple volume-based flooding. Today’s attackers use sophisticated techniques:
- Volumetric Attacks: Flood bandwidth (DNS amplification, NTP reflection)
- Protocol Attacks: Exploit weaknesses in network protocols (SYN floods, fragmented packets)
- Application-Layer Attacks: Target application weaknesses (HTTP floods, Slowloris)
The average DDoS attack in 2024 costs organizations $112,000 per incident in downtime and recovery.
Detection: How to Spot a DDoS Attack
Real-Time Indicators
| Signal | Normal | Under Attack |
|---|---|---|
| Requests/sec | 1000-5000 | 50,000-1,000,000+ |
| Unique IPs | 10,000-50,000 | 100,000+ (many from botnets) |
| Geographic distribution | Concentrated by user base | Spread globally (Botnet) |
| User-Agent diversity | Varied (real browsers) | Repetitive (bot clients) |
| Response times | <200ms | >2000ms (degraded) |
Automated Detection
Modern CDNs detect DDoS via:
- Anomaly detection: ML models trained on baseline traffic
- Behavioral analysis: Sudden spikes in traffic from new regions
- Pattern matching: Known attack signatures (NTP, DNS, etc.)
- Rate limiting: Blocks repetitive requests from single IPs
Mitigation: Layered Defense
Layer 1: Volumetric Mitigation (CDN Level)
Most CDN providers absorb volumetric attacks automatically:
Akamai’s DDoS Protection:
- Detects attacks in <30 seconds
- Reroutes traffic to scrubbing centers
- Filters malicious traffic, passes legitimate
Cloudflare’s DDoS Mitigation:
- Automatic detection + manual override
- “I’m Under Attack” mode for extreme traffic
- Challenges to verify human traffic
Action: Enable DDoS auto-mitigation on your CDN (should be default).
Layer 2: Protocol Mitigation (Custom Rules)
Configure WAF rules to block attack patterns:
# Block SYN floods (incomplete TCP handshakes)
Block if: [SYN packets > 1000/sec from single IP]
# Block DNS reflection attacks
Block if: [DNS responses > 100x normal size]
# Block HTTP floods with suspicious user-agents
Block if: [User-Agent == "bot" OR "curl" > 100 req/sec from IP]
Action: Work with your CDN to tune protocol-level rules.
Layer 3: Rate Limiting (Application Level)
Implement aggressive rate limiting for critical endpoints:
# Protect login endpoint
Rate limit: 10 requests/min per IP
Action: Challenge (CAPTCHA) after 5 attempts
# Protect API endpoints
Rate limit: 1000 requests/min per user
Rate limit: 10,000 requests/min per IP
Action: Temporarily block after threshold
# Protect search
Rate limit: 100 requests/min per IP (prevents search scraping)
Action: Configure rate limits based on your traffic baseline.
Layer 4: Geographic Filtering
If you don’t serve certain regions, block them outright:
# If you only serve North America + Europe
Block if: [Country NOT IN (US, CA, UK, DE, FR, ...)]
# Or whitelist authenticated users from other regions
Allow if: [Country == anything AND User authenticated]
Action: Review your legitimate user geography, then block outliers.
DDoS Response Plan
When under attack:
Immediate (First 5 minutes)
- Activate incident response: Alert your team
- Verify it’s an attack: Check traffic metrics vs. baseline
- Enable aggressive mitigation: Switch to “Attack Mode” on CDN
Short-term (5-30 minutes)
- Isolate affected services: If possible, disable non-critical endpoints
- Increase rate limits temporarily: Allow legitimate users through
- Monitor origin servers: Ensure they’re not overwhelmed
Long-term (During and After)
- Adjust WAF rules: Block observed attack signatures
- Engage ISP/CDN support: Provide attack logs for analysis
- Post-mortem: Review what worked, what didn’t
Communication
- External: Notify customers of impact
- Status page: Real-time updates
- Root cause analysis: Share learnings internally
Testing Your Defenses
Authorized DDoS Simulation
Many CDN providers offer DDoS simulation services (with permission):
- Cloudflare: Can help test your setup (limited)
- AWS Shield Advanced: Includes DDoS response team
- Third-party: Companies like Gremlin offer controlled chaos testing
Action: Schedule a quarterly DDoS drill to test your response plan.
Common DDoS Mistakes
❌ Ignoring small attacks — Often precursors to larger ones
❌ Not having a response plan — Panic = poor decisions
❌ Using only IP-based blocking — Modern attacks spoof IPs
❌ Underestimating attack volume — Size doubles every few years
❌ Failing to communicate — Customers assume you’re hacked, not under attack
DDoS Checklist for Enterprises
- Is your CDN configured to auto-mitigate DDoS?
- Do you have rate limiting on critical endpoints?
- Is your team trained on incident response?
- Do you have a communication plan for customers?
- Have you tested your defenses in the past year?
- Do you have DDoS insurance or SLA guarantees?
Next Steps
Astrav Consulting helps enterprises:
- Audit DDoS mitigation readiness
- Implement layered defense strategies
- Test and optimize response times
Schedule a DDoS readiness assessment →
Part of our Cloud Security series. Next: Advanced Threat Detection with SIEM Integration