Understanding Modern DDoS Attacks

DDoS (Distributed Denial of Service) attacks have evolved beyond simple volume-based flooding. Today’s attackers use sophisticated techniques:

  • Volumetric Attacks: Flood bandwidth (DNS amplification, NTP reflection)
  • Protocol Attacks: Exploit weaknesses in network protocols (SYN floods, fragmented packets)
  • Application-Layer Attacks: Target application weaknesses (HTTP floods, Slowloris)

The average DDoS attack in 2024 costs organizations $112,000 per incident in downtime and recovery.


Detection: How to Spot a DDoS Attack

Real-Time Indicators

Signal Normal Under Attack
Requests/sec 1000-5000 50,000-1,000,000+
Unique IPs 10,000-50,000 100,000+ (many from botnets)
Geographic distribution Concentrated by user base Spread globally (Botnet)
User-Agent diversity Varied (real browsers) Repetitive (bot clients)
Response times <200ms >2000ms (degraded)

Automated Detection

Modern CDNs detect DDoS via:

  • Anomaly detection: ML models trained on baseline traffic
  • Behavioral analysis: Sudden spikes in traffic from new regions
  • Pattern matching: Known attack signatures (NTP, DNS, etc.)
  • Rate limiting: Blocks repetitive requests from single IPs

Mitigation: Layered Defense

Layer 1: Volumetric Mitigation (CDN Level)

Most CDN providers absorb volumetric attacks automatically:

Akamai’s DDoS Protection:

  • Detects attacks in <30 seconds
  • Reroutes traffic to scrubbing centers
  • Filters malicious traffic, passes legitimate

Cloudflare’s DDoS Mitigation:

  • Automatic detection + manual override
  • “I’m Under Attack” mode for extreme traffic
  • Challenges to verify human traffic

Action: Enable DDoS auto-mitigation on your CDN (should be default).


Layer 2: Protocol Mitigation (Custom Rules)

Configure WAF rules to block attack patterns:

# Block SYN floods (incomplete TCP handshakes)
Block if: [SYN packets > 1000/sec from single IP]

# Block DNS reflection attacks
Block if: [DNS responses > 100x normal size]

# Block HTTP floods with suspicious user-agents
Block if: [User-Agent == "bot" OR "curl" > 100 req/sec from IP]

Action: Work with your CDN to tune protocol-level rules.


Layer 3: Rate Limiting (Application Level)

Implement aggressive rate limiting for critical endpoints:

# Protect login endpoint
Rate limit: 10 requests/min per IP
Action: Challenge (CAPTCHA) after 5 attempts

# Protect API endpoints
Rate limit: 1000 requests/min per user
Rate limit: 10,000 requests/min per IP
Action: Temporarily block after threshold

# Protect search
Rate limit: 100 requests/min per IP (prevents search scraping)

Action: Configure rate limits based on your traffic baseline.


Layer 4: Geographic Filtering

If you don’t serve certain regions, block them outright:

# If you only serve North America + Europe
Block if: [Country NOT IN (US, CA, UK, DE, FR, ...)]

# Or whitelist authenticated users from other regions
Allow if: [Country == anything AND User authenticated]

Action: Review your legitimate user geography, then block outliers.


DDoS Response Plan

When under attack:

Immediate (First 5 minutes)

  1. Activate incident response: Alert your team
  2. Verify it’s an attack: Check traffic metrics vs. baseline
  3. Enable aggressive mitigation: Switch to “Attack Mode” on CDN

Short-term (5-30 minutes)

  1. Isolate affected services: If possible, disable non-critical endpoints
  2. Increase rate limits temporarily: Allow legitimate users through
  3. Monitor origin servers: Ensure they’re not overwhelmed

Long-term (During and After)

  1. Adjust WAF rules: Block observed attack signatures
  2. Engage ISP/CDN support: Provide attack logs for analysis
  3. Post-mortem: Review what worked, what didn’t

Communication

  • External: Notify customers of impact
  • Status page: Real-time updates
  • Root cause analysis: Share learnings internally

Testing Your Defenses

Authorized DDoS Simulation

Many CDN providers offer DDoS simulation services (with permission):

  • Cloudflare: Can help test your setup (limited)
  • AWS Shield Advanced: Includes DDoS response team
  • Third-party: Companies like Gremlin offer controlled chaos testing

Action: Schedule a quarterly DDoS drill to test your response plan.


Common DDoS Mistakes

Ignoring small attacks — Often precursors to larger ones
Not having a response plan — Panic = poor decisions
Using only IP-based blocking — Modern attacks spoof IPs
Underestimating attack volume — Size doubles every few years
Failing to communicate — Customers assume you’re hacked, not under attack


DDoS Checklist for Enterprises

  • Is your CDN configured to auto-mitigate DDoS?
  • Do you have rate limiting on critical endpoints?
  • Is your team trained on incident response?
  • Do you have a communication plan for customers?
  • Have you tested your defenses in the past year?
  • Do you have DDoS insurance or SLA guarantees?

Next Steps

Astrav Consulting helps enterprises:

  • Audit DDoS mitigation readiness
  • Implement layered defense strategies
  • Test and optimize response times

Schedule a DDoS readiness assessment →


Part of our Cloud Security series. Next: Advanced Threat Detection with SIEM Integration