A DDoS (Distributed Denial of Service) attack is a type of cyber attack in which an attacker seeks to make a website or online service unavailable by overwhelming it with traffic from multiple sources. This document described recommendations for DDoS protection and methods to protect your resources with Wallarm.
DDoS attacks are often launched from a network of compromised computer systems, often referred to as a botnet. Attackers use these systems to send a large volume of traffic to the target, overloading the server and preventing it from being able to respond to legitimate requests. DDoS attacks can be targeted at any type of online service, including websites, online games, and even social media platforms.
There are many techniques that attackers can use to launch a DDoS attack, and the methods and tools they use can significantly vary. Some attacks are relatively simple and use low-level techniques such as sending large numbers of connection requests to a server, while others are more sophisticated and use complex tactics such as spoofing IP addresses or exploiting vulnerabilities in network infrastructure.
DDoS attack taxonomy¶
There are several types of DDoS attacks that attackers can use to disrupt the availability of a website or online service. Here are the common types of DDoS attacks:
|OSI layer / Attack Type||Volumetric and amplification attacks||Protocol exploits and Logic bombs|
|L3/L4|| || |
|L7|| || |
|API/App specific (L7+)|| || |
Volumetric and amplification attacks seek to overwhelm a target with a large volume of traffic. The goal is to saturate the bandwidth or computing resources of the targeted server or network, making it unable to respond to legitimate requests.
Protocol exploits and Logic bombs are DDoS attacks aim to exploit vulnerabilities in the way that a service or network communicates. These attacks can disrupt the normal flow of traffic by exploiting certain protocols or by sending malformed packets that are difficult for the target to process.
Mitigation of DDoS attacks¶
Since DDoS attacks can take many different forms and target different OSI layers, single measures are not effective, it is important to use a combination of measures to provide comprehensive protection against DDoS attacks.
Internet Service Providers and Cloud Service Providers usually provide the first line of L3-L4 DDoS attack defense. As for high-severity L3-L4 DDoS attacks, additional mitigation tools are required, e.g.:
The DDoS attack that generates traffic at a rate of 1 Gbps or more may require specialized DDoS protection services for traffic scrubbing. Traffic scrubbing is a technique for routing traffic through a third-party service that filters out all malicious traffic and transfers to your service only legitimate requests. As an additional protection measure against L3-L4 DDoS attacks you can also use the solutions like NGFW.
L7 DDoS attacks, also known as "application layer" attacks, are more targeted and sophisticated than L3-L4 attacks. Typically, L7 DDoS attacks are aimed at peculiarities of attacked applications and they can be difficult to distinguish from legitimate traffic. For protection against L7 DDoS attacks, use WAF/WAAP or specialized Anti-DDoS solutions that analyze traffic on application layer. It is also recommended to configure the API Gateway or WEB server to be able to handle peak loads.
When choosing protection measures, carefully evaluate the needs and resources of an organization based on the following factors:
Type of attacks
Volume of attacks
Complexity of a web application or API, and costs
It is also necessary to prepare a response plan in order to identify the DDoS attack as soon as possible and take timely countermeasures to mitigate them.
L7 DDoS protection with Wallarm¶
Wallarm provides a wide range of protection measures across L7 DDoS threats:
API Abuse Prevention. Enable the API Abuse Prevention functionality to identify and stop various types of malicious bots.
Brute force trigger to prevent massive number of requests brute-forcing some parameter values, e.g. passwords.
Forced browsing trigger to prevent malicious attempts to detect a web application's hidden resources, namely directories and files.
Geolocation filtering using denylists and graylists. Prevent access to applications and APIs for certain regions distributing attacks.
Block untrusted origins using denylists and graylists. To protect from targeted attacks, it may be helpful to block any untrustworthy origins (Tor, Proxy, VPN) which allow an attacker to hide location and bypass geofilters.
Logic (Data) bomb detection. Wallarm automatically detects and blocks malicious requests containing Zip or XML bomb.
If you are using NGINX-based Wallarm node, it is recommended to configure NGINX to enhance your security across L7 DDoS as follows:
Caching. Configure cache responses to common requests to absorb some of the traffic generated under DDoS attacks and prevent it from reaching your web application or API.
Rate limiting. Create rate limiting rules for incoming requests to restrict the volume of traffic that can be sent to a target web application or API.
Limiting the number of connections. You can prevent resource overuse by setting a limit on the number of connections that can be opened by a single client IP address to a value appropriate for real users.
Closing slow connections. If a connection does not write data frequently enough, it can be closed to prevent it from remaining open for an extended period of time and potentially hindering the server's ability to accept new connections.
If you are using Kong-based Ingress controller with Wallarm services, it is recommended to follow the best practices to secure API Gateway.