
DDoS (Distributed Denial-of-Service)

ddos denial-of-service botnet network-attacks
Plain English

Imagine a restaurant that seats 50 people. A DDoS attack is like 10,000 people showing up at once and blocking the entrance so actual customers cannot get in. Nobody breaks into the restaurant; they just overwhelm it with volume. In the digital world, attackers use thousands of hijacked computers (a botnet) to flood a website or server with so much traffic that it crashes or becomes impossibly slow for real users.

Technical Definition

A Distributed Denial-of-Service (DDoS) attack aims to exhaust the target’s resources (bandwidth, CPU, memory, connection table) by flooding it with traffic from many distributed sources, typically a botnet of compromised devices.

Attack categories:

  • Volumetric (Layer 3-4): saturate the target's bandwidth with raw traffic volume. Examples: UDP flood, ICMP flood, DNS amplification (a small query sent to an open resolver with the victim's spoofed source address produces a large response aimed at the victim), NTP amplification. Measured in Gbps or Mpps (millions of packets per second). The largest publicly reported attacks exceed 3 Tbps.
  • Protocol (Layer 3-4): exploit weaknesses in protocol handling to exhaust connection state or crash the network stack. Examples: SYN flood (fills the TCP connection table with half-open connections that never complete the handshake), Ping of Death (oversized or malformed ICMP packets that crash a vulnerable stack), Smurf attack (ICMP echo requests sent to a broadcast address with the victim's spoofed source).
  • Application (Layer 7): mimic legitimate requests to overwhelm the application itself rather than the link. Examples: HTTP flood (millions of GET/POST requests against expensive endpoints), Slowloris (holds many connections open by sending partial HTTP headers very slowly, exhausting the server's worker pool), API abuse. Harder to detect because each request, taken on its own, looks normal.

Amplification attacks exploit services that produce large responses to small queries:

Protocol    Amplification factor (response bytes per request byte)
DNS         28-54x
NTP         556x
Memcached   51,000x
SSDP        30x
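Reading the table the other way round, as an added example that is not code from the original page: flow records at a victim's border can be checked for the reflection signature, namely UDP replies arriving from well-known amplifier ports, from many distinct sources, with little or no matching outbound query traffic from the destination host. The flow records, the direction field and the thresholds below are constructed assumptions for the illustration, not any vendor's format.

```python
# Added example (not code from the original page): flagging DNS/NTP/Memcached/SSDP
# reflection traffic in border flow records. Sample flows are constructed.
from collections import defaultdict

# Reply source ports of UDP services commonly abused as amplifiers.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP"}

# Constructed NetFlow-style records:
# (direction, src_ip, src_port, dst_ip, dst_port, proto, bytes)
# direction is "in" (toward our network) or "out" (leaving it).
SAMPLE_FLOWS = [
    # Our resolver 203.0.113.10 queries an upstream server and gets a modest reply.
    ("out", "203.0.113.10", 40001, "198.51.100.5", 53, "udp", 80),
    ("in", "198.51.100.5", 53, "203.0.113.10", 40001, "udp", 200),
    # 203.0.113.20 never sent a query, yet four open resolvers answer it.
    ("in", "192.0.2.11", 53, "203.0.113.20", 33000, "udp", 3800),
    ("in", "192.0.2.12", 53, "203.0.113.20", 33000, "udp", 3900),
    ("in", "192.0.2.13", 53, "203.0.113.20", 33000, "udp", 3700),
    ("in", "192.0.2.14", 53, "203.0.113.20", 33000, "udp", 4000),
    # Three exposed Memcached servers send it megabyte-scale replies.
    ("in", "192.0.2.50", 11211, "203.0.113.20", 33000, "udp", 700000),
    ("in", "192.0.2.51", 11211, "203.0.113.20", 33000, "udp", 710000),
    ("in", "192.0.2.52", 11211, "203.0.113.20", 33000, "udp", 690000),
    # Ordinary TCP traffic, ignored by this check.
    ("in", "198.51.100.9", 443, "203.0.113.20", 50000, "tcp", 9000),
]


def detect_reflection(flows, ratio_threshold=10.0, min_sources=3):
    """Return {(victim_ip, service): stats} for hosts receiving amplified UDP
    replies from at least min_sources reflectors, where inbound reply bytes
    exceed outbound query bytes to that service by ratio_threshold or more."""
    inbound = defaultdict(int)     # (victim, service) -> reply bytes received
    outbound = defaultdict(int)    # (victim, service) -> query bytes the host sent
    reflectors = defaultdict(set)  # (victim, service) -> distinct reflector IPs
    for direction, src_ip, src_port, dst_ip, dst_port, proto, nbytes in flows:
        if proto != "udp":
            continue  # the classic amplifiers are all UDP
        if direction == "in" and src_port in AMPLIFIER_PORTS:
            key = (dst_ip, AMPLIFIER_PORTS[src_port])
            inbound[key] += nbytes
            reflectors[key].add(src_ip)
        elif direction == "out" and dst_port in AMPLIFIER_PORTS:
            outbound[(src_ip, AMPLIFIER_PORTS[dst_port])] += nbytes

    alerts = {}
    for key, in_bytes in inbound.items():
        out_bytes = outbound.get(key, 0)
        # No outbound query at all is the strongest reflection signal.
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        if ratio >= ratio_threshold and len(reflectors[key]) >= min_sources:
            alerts[key] = {"inbound_bytes": in_bytes, "outbound_bytes": out_bytes,
                           "reflectors": len(reflectors[key]), "ratio": ratio}
    return alerts


if __name__ == "__main__":
    for (victim, service), stats in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim} {service:9s} {stats['reflectors']} reflectors, "
              f"{stats['inbound_bytes']:,} B in vs {stats['outbound_bytes']} B out")
```

The legitimate resolver exchange is left alone because its reply is only 2.5 times the query and comes from a single source; the two alerts for 203.0.113.20 are raised because it received replies it never requested. In production the same logic runs over sampled flows per minute, and the `min_sources` threshold is what keeps a single chatty server from tripping it.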

Mitigation:

  • CDN/scrubbing services: Cloudflare, AWS Shield, Akamai absorb and filter attack traffic at the edge, before it reaches the origin
  • Rate limiting: cap requests per IP, subnet, or session
  • SYN cookies: encode the connection parameters in the server's initial sequence number so that no state is allocated until the client's final ACK proves the handshake completed
  • Anycast routing: advertise the same prefix from multiple PoPs (points of presence) so attack traffic is spread across them instead of converging on one site
  • Black hole routing (RTBH): the upstream ISP drops all traffic to the target IP (last resort: it completes the denial of service for that address, but protects the rest of the network and the upstream links)
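How a SYN cookie avoids keeping state, as an added example that is not code from the original page: the server's initial sequence number is computed from the connection 4-tuple, a coarse time counter, the client's ISN and an encoded MSS under two secret keys, following the structure of the Linux scheme, and the returning ACK is validated by recomputation alone. The HMAC-based hash, the key handling, the MSS table and the 64-second tick are assumptions made here for illustration, not the kernel's exact code.

```python
# Added example (not code from the original page): a stateless SYN cookie
# following the structure of the Linux scheme. Keys, hash and tick size are
# assumptions for illustration, not the kernel's code.
import hashlib
import hmac
import os
import time

# The client's MSS is squeezed into a 2-bit table index (Linux uses the same
# four values); anything else is rounded down to the nearest entry.
MSS_TABLE = (536, 1300, 1440, 1460)
MAX_COOKIE_AGE = 2          # cookies older than two 64-second ticks are rejected
_SECRET1 = os.urandom(32)   # regenerated on every start, like the kernel's
_SECRET2 = os.urandom(32)


def _hash32(secret, saddr, daddr, sport, dport, count=0):
    """32-bit keyed hash of the connection 4-tuple (and optionally a tick)."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def _tick(now=None):
    """Coarse time counter that advances every 64 seconds."""
    return int(time.time() if now is None else now) >> 6


def _mss_index(mss):
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now=None):
    """Server ISN for the SYN-ACK. Nothing is stored; every field needed to
    validate the handshake later is either hashed in or recoverable."""
    t = _tick(now)
    h1 = _hash32(_SECRET1, saddr, daddr, sport, dport)
    h2 = _hash32(_SECRET2, saddr, daddr, sport, dport, t)
    return (h1 + client_isn + (t << 24) + ((h2 + _mss_index(mss)) & 0xFFFFFF)) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, seq, ack, now=None):
    """Validate the client's final ACK (seq = client ISN + 1, ack = cookie + 1).
    Returns the MSS encoded in the cookie, or None if it is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    h1 = _hash32(_SECRET1, saddr, daddr, sport, dport)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF
    now_t = _tick(now)
    # Only the low 8 bits of the tick survive in the cookie; recover the full
    # value from the current counter and reject anything too old.
    age = (now_t - (diff >> 24)) & 0xFF
    if age >= MAX_COOKIE_AGE:
        return None
    t = now_t - age
    h2 = _hash32(_SECRET2, saddr, daddr, sport, dport, t)
    idx = (diff - h2) & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None  # a forged cookie almost never decodes to a valid index
    return MSS_TABLE[idx]


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:51515 -> server 203.0.113.5:443
    t0 = 1_700_000_000
    cookie = make_syn_cookie("198.51.100.7", "203.0.113.5", 51515, 443,
                             client_isn=0x12345678, mss=1460, now=t0)
    ok = check_syn_cookie("198.51.100.7", "203.0.113.5", 51515, 443,
                          seq=0x12345679, ack=cookie + 1, now=t0 + 64)
    stale = check_syn_cookie("198.51.100.7", "203.0.113.5", 51515, 443,
                             seq=0x12345679, ack=cookie + 1, now=t0 + 200)
    print(f"cookie=0x{cookie:08x} valid->mss={ok} stale->{stale}")
```

The price of statelessness is visible in the code: only a 2-bit MSS survives the round trip, so window scaling and SACK negotiated in the SYN are lost unless the client also sends TCP timestamps, which Linux uses to carry those options. That is why the kernel, with `net.ipv4.tcp_syncookies=1`, only switches to cookies once the SYN backlog overflows rather than for every connection.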
[Diagram: a C&C server controls Bot 1, Bot 2, Bot 3 ... Bot N, which together direct roughly 100 Gbps at the target server (overloaded) while a real user is blocked. Caption: Distributed attack: many sources, single target, legitimate users blocked]

DDoS mitigation with iptables rate limiting

# Rate limit new TCP connections (SYN flood protection).
# Caveat: -m limit counts globally, not per source, so once a flood exceeds
# the limit it also drops SYNs from legitimate clients. Combine with SYN
# cookies (net.ipv4.tcp_syncookies=1) or use -m hashlimit for per-source
# limits. The rules are appended (-A), so any earlier broad ACCEPT rule
# in INPUT would take precedence over them.
$ sudo iptables -A INPUT -p tcp --syn -m limit \
  --limit 25/second --limit-burst 50 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --syn -j DROP

# Rate limit ICMP echo requests (ping flood protection). Only echo-request
# is matched, so other ICMP types such as fragmentation-needed still pass
# and path MTU discovery keeps working.
$ sudo iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 1/second --limit-burst 4 -j ACCEPT
$ sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Monitor connection-table usage. During a SYN flood the total socket count
# climbs toward the backlog limit while established sessions stay flat.
$ ss -s
Total: 1247
TCP:   842 (estab 412, closed 210, orphaned 15, timewait 200)

In the Wild

DDoS attacks are a constant threat to any internet-facing service. Major attacks have hit GitHub (1.35 Tbps in 2018, via Memcached amplification), an AWS customer (2.3 Tbps in 2020, mitigated by AWS Shield), and Dyn DNS (2016, via the Mirai botnet, disrupting Twitter, Reddit, and Netflix for users who could no longer resolve their names). IoT botnets like Mirai recruit insecure cameras and routers as attack nodes. Cloud providers offer built-in DDoS protection (AWS Shield, Azure DDoS Protection, GCP Cloud Armor), but volumetric attacks large enough to saturate upstream links require coordination with ISPs and scrubbing centers. Application-layer DDoS is particularly challenging because each request is individually legitimate; detection requires behavioral analysis and rate limiting by session, not just by IP, since a single corporate NAT address can carry many real users while a bot can spread one session across many addresses.
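Per-session rather than per-IP rate limiting, as an added example that is not code from the original page: a sliding-window limiter run over constructed access-log lines (the appended sid= field, the IP addresses and the timestamps are all made up for the illustration). Keyed by IP it penalises a NAT'd office and misses a bot rotating through proxies; keyed by session cookie it does the opposite.

```python
# Added example (not code from the original page): a sliding-window limiter
# keyed by session cookie rather than by IP. Log lines are constructed.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Combined log format with an appended sid=<session cookie> field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "[^"]*"(?: sid=(?P<sid>\S+))?$'
)


@dataclass(frozen=True)
class Request:
    ts: datetime
    ip: str
    method: str
    path: str
    sid: Optional[str]


def parse_log(lines):
    """Parse log lines into Request objects, sorted by timestamp."""
    reqs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        reqs.append(Request(ts, m["ip"], m["method"], m["path"], m["sid"]))
    return sorted(reqs, key=lambda r: r.ts)


def key_by_ip(req):
    return req.ip


def key_by_session(req):
    # Unauthenticated requests carry no cookie; fall back to the IP for those.
    return f"sid:{req.sid}" if req.sid else f"ip:{req.ip}"


def rate_limit(reqs, limit, window_s, key_fn):
    """Allow at most `limit` requests per key in any sliding window of
    window_s seconds. Returns (allowed, blocked); blocked requests do not
    count toward the window, so a flood cannot extend its own lockout."""
    history = defaultdict(deque)
    allowed, blocked = [], []
    for req in reqs:
        q = history[key_fn(req)]
        while q and (req.ts - q[0]).total_seconds() >= window_s:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) >= limit:
            blocked.append(req)
        else:
            q.append(req.ts)
            allowed.append(req)
    return allowed, blocked


def _line(ip, second, path, sid):
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0" sid={sid}')


# Constructed traffic: a NAT'd office (one IP, three real users, 3 requests each)
# and one bot session replayed through five rotating proxy IPs (2 requests each).
SAMPLE_LOG = [_line("203.0.113.50", 10 + 3 * i + n, "/search", sid)
              for i, sid in enumerate(["u1", "u2", "u3"]) for n in range(3)]
SAMPLE_LOG += [_line(f"198.51.100.{10 + i}", 12 + 2 * i + n, "/api/search", "bot-a1")
               for i in range(5) for n in range(2)]

if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for name, key_fn in (("per-IP", key_by_ip), ("per-session", key_by_session)):
        _, blocked = rate_limit(reqs, limit=5, window_s=10, key_fn=key_fn)
        print(f"{name}: blocked {len(blocked)} ->",
              sorted({f"{r.ip}/{r.sid}" for r in blocked}))
```

With a limit of 5 requests per 10 seconds, the per-IP run blocks four of the office's nine requests and none of the bot's, while the per-session run lets every office user through and blocks the bot's last five. In practice both keys are used together: per-session limits for authenticated traffic and a looser per-IP or per-subnet limit as the backstop for requests that carry no cookie at all.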