Virtualization Technology News and Information
Different DDoS Mitigation Techniques and Comparison


By Mike Khorev of Datadome

While many different types of cybercriminal activity occur regularly, DDoS (Distributed Denial of Service) attacks remain one of the most challenging cybersecurity threats to mitigate.

Even the largest websites with the best, state-of-the-art infrastructure can be brought down by a DDoS attack. A DDoS attack can come at any time, impact any part of the website's resources (making it hard to detect), and can lead to massive financial and reputational loss that can be long-term or even permanent.

Worse, DDoS attacks have been on the rise over the past couple of years, and they are no longer a threat exclusive to large enterprises and big websites. In fact, many cybercriminals now target small and mid-sized companies, with the latest study indicating that 15% of surveyed small companies were victims of cybersecurity threats in 2019.

So, since DDoS attacks are common and preventing them completely is simply impossible, a proper DDoS mitigation plan is now a necessity for any business with a website. There are many different methods we can use for DDoS mitigation, and here we will discuss and compare some of the common ones.

Let us begin, however, by discussing the DDoS attack itself.

What Is a DDoS Attack?

DDoS stands for Distributed Denial of Service, but before we can discuss DDoS, we have to first discuss DoS, or Denial of Service.

A DoS attack is a cybersecurity attack meant to shut down a machine or network so that it is inaccessible to its intended users (denying the service). It is called a DoS attack when the attack is carried out by a single device/computer; when it is carried out by many devices in a network, it is called DDoS, since the attack is now 'distributed' among the devices.

Typically the perpetrator gains control of the computers by infecting them with malware, turning them into zombie devices. A collection of many zombie devices (hundreds or even thousands) is called a botnet.

Using a botnet, the perpetrator attempts to overload a target network by:

  • Attacking a known vulnerability in the target network/device
  • Using a spoofed (fake) origin address to fool the target network, for example by causing the target server to repeatedly send ping responses to the spoofed IP address, saturating the network's resources
  • Saturating the system's memory, disk space, etc.
  • Exhausting the available bandwidth, for example by sending fake packet requests or spamming a port to overwhelm the network.

In general, there are four basic types of DDoS attacks:

1.  Volumetric/Traditional DDoS

The basic form of DDoS is to send a high volume of traffic to saturate the target network's connection. There are various subtypes of volumetric attacks, with SYN floods being the most common. TCP floods and UDP floods (like ping floods) are also very common.

2.  Vulnerability-Based DDoS

A vulnerability-based DDoS exploits a vulnerability in the target. A typical example is sending a malformed request or packet to crash the target network. This type of DDoS attack relies on finding an exploitable vulnerability that has not yet been patched, while avoiding malware detection. Vulnerability-based DDoS can be very hard to detect.

3.  Resource-Consumption DDoS

This type is often considered the most difficult to defend against, but it requires the attacker to conduct enough research to understand the target network, so it is also the rarest type of DDoS.

In this type of DDoS attack, the perpetrator uses custom software that is capable of interacting with the target's system (e.g. a web app) to slow it down or crash it completely.

4.  Amplified-Flooding DDoS

This is the most common type of DDoS attack nowadays, due to its effectiveness.

This type of DDoS attack is performed by abusing protocols that run over UDP, and there are many variants, such as NTP floods, SNMP floods, CharGEN floods, and others. A key characteristic of this type of attack is that the attacker sends a request to a network, but with the response address forged to be the target's address. That system then sends a much bigger (amplified) reply to the target than the original request.
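From the defender's side, the signature of an amplified-flooding attack is unsolicited, large replies arriving from many hosts on the source ports of the amplifier services named above. The following is an added example (not code from the article or from DataDome) that applies that heuristic to constructed flow records; the victim address, reflector addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# UDP services the article names as reflection/amplification vectors
AMPLIFIER_PORTS = {123: "NTP", 161: "SNMP", 19: "CharGEN"}

# Constructed flow records for a hypothetical victim 203.0.113.5:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
FLOWS = [
    # unsolicited, large per-packet replies from several reflectors
    ("198.51.100.10", 123, "203.0.113.5", 40001, "udp", 400, 190000),
    ("198.51.100.11", 123, "203.0.113.5", 40001, "udp", 380, 181000),
    ("198.51.100.12", 161, "203.0.113.5", 40002, "udp", 300, 150000),
    ("198.51.100.13", 19, "203.0.113.5", 40003, "udp", 250, 200000),
    # a genuine NTP exchange: one small query, one small reply
    ("203.0.113.5", 40009, "198.51.100.20", 123, "udp", 1, 76),
    ("198.51.100.20", 123, "203.0.113.5", 40009, "udp", 1, 76),
    # ordinary inbound web traffic
    ("192.0.2.7", 53000, "203.0.113.5", 443, "tcp", 40, 30000),
]


def detect_reflection(flows, min_reflectors=3, min_bytes_per_pkt=300, max_ratio=10):
    """Return {victim_ip: {service: [reflector_ips]}} for hosts that receive
    large replies from several amplifier services they did not (proportionally) ask for."""
    # Bytes each host sent *to* an amplifier service: the legitimate side of an exchange.
    asked = defaultdict(int)  # (local_ip, reflector_ip, port) -> bytes out
    for src, _sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto == "udp" and dport in AMPLIFIER_PORTS:
            asked[(src, dst, dport)] += nbytes
    suspects = defaultdict(lambda: defaultdict(set))
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in AMPLIFIER_PORTS:
            continue
        if nbytes / pkts < min_bytes_per_pkt:
            continue  # small replies are what a normal query/response looks like
        sent = asked.get((dst, src, sport), 0)
        if sent and nbytes / sent <= max_ratio:
            continue  # the host asked, and the answer is not grossly amplified
        suspects[dst][AMPLIFIER_PORTS[sport]].add(src)
    result = {}
    for victim, by_service in suspects.items():
        if sum(len(r) for r in by_service.values()) >= min_reflectors:
            result[victim] = {svc: sorted(r) for svc, r in by_service.items()}
    return result


if __name__ == "__main__":
    for victim, services in detect_reflection(FLOWS).items():
        print(f"{victim}: amplified replies from {services}")
```

The same logic runs over real NetFlow/IPFIX exports once the records are mapped onto the tuple layout above; the thresholds are starting points to tune against your own baseline.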

DDoS Mitigation Techniques

As discussed, there are many different DDoS methods, and there are also many DDoS mitigation methods and strategies. In general, however, there are three main DDoS mitigation techniques: CDN dilution, clean pipe, and anti-DDoS proxy.

The first thing to understand is that none of the three (nor any other mitigation technique) is perfect, and there is no one-size-fits-all answer to all types of DDoS attacks. Different use cases call for different techniques, so understanding all three is very important so you can choose the right method according to your needs:

1.  CDN Dilution

This DDoS mitigation technique uses a CDN to mitigate bot traffic. A CDN, or Content Delivery Network, is a distributed network of servers that delivers pages and other web content to users. The basic principle is that the CDN uses a virtual server to distribute the content to the user from a location much closer to the user than the origin server.

With that said, the CDN dilution technique uses the huge bandwidth offered by CDN technology to absorb and mitigate DDoS attacks, especially volumetric (layer 3 and layer 4) DDoS attacks. The edge servers in the CDN network act as a reverse proxy for the web application: all requests are handled and filtered by the edge server before they are forwarded to the origin.

A key advantage of the CDN dilution technique is that it is context-aware, so it is very effective in defending web applications. However, its key weakness is that it is only applicable to web applications and not to proprietary TCP/UDP applications. It is an always-on solution with no lead time, making it very comprehensive DDoS protection for web apps.

2.  Clean Pipe

Clean pipe is arguably the most common DDoS mitigation technique of the three. The basic principle of clean pipe, as the name suggests, is fairly simple: all incoming traffic must pass through the 'clean pipe' center, also known as a 'scrubbing center', where the system identifies and blocks malicious traffic, allowing only legitimate traffic to reach the server.

Although clean pipe is effective at mitigating DDoS attacks while avoiding false positives (blocking legitimate traffic), it is also notoriously difficult to implement. You need a BGP (Border Gateway Protocol) router and a dedicated device capable of terminating the GRE tunnel.

Also, there are some key limitations of the clean pipe method:

  • It is not an always-on solution. When an attack is detected, it takes some time to reroute the traffic to the scrubbing center, so at least several minutes pass before the actual mitigation kicks in.
  • While the clean pipe technique is effective in handling volumetric DDoS attacks, it is not very effective in handling vulnerability-based attacks.
  • Your IP prefix is not hidden, so in theory an attacker can identify your ISP and analyze your infrastructure to find vulnerabilities.
  • Due to its complexity, it might require human intervention.

However, despite its weaknesses, the clean pipe technique is very versatile. We can consider it a 'jack of all trades, master of none' DDoS mitigation technique: it supports almost all applications in the IP stack, but lacks advanced protection for any specific use case. It is a great option if you want a well-rounded solution.

3.  DDoS Protection Proxy

The third approach is the anti-DDoS proxy, which in many ways works on a similar principle to CDN dilution. It is also an always-on solution with no lead time, and it can be very effective in protecting the system/network from DDoS because it follows a whitelist-oriented model (allowing only defined ports through rather than opening or closing everything).

Arguably, the anti-DDoS proxy technique is the best approach against slow DDoS attacks, but a significant issue is that the backend can't see the real client's IP, since the source IP it sees is the proxy's. This can be a crucial issue for some applications.
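The usual way around the lost client IP is for the proxy to forward it in an X-Forwarded-For header, but that header is only trustworthy for the hops a trusted proxy appended; anything the client put there itself is forgeable. The following is an added example (not code from the article or from DataDome) showing how a backend should read the header; the proxy address ranges and the arrangement that the proxy appends X-Forwarded-For are assumptions.

```python
import ipaddress
from typing import Optional

# Hypothetical address ranges of the anti-DDoS proxy and an internal load balancer.
# Only hops inside these ranges are allowed to vouch for the hop before them.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),  # the anti-DDoS proxy fleet (assumed)
    ipaddress.ip_network("10.0.0.0/8"),       # internal load balancer (assumed)
]


def is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Recover the client address the proxy saw.

    remote_addr is the TCP peer of the backend (the proxy's IP when proxied);
    xff is the X-Forwarded-For header, a comma-separated list where each proxy
    appends the address it received the request from. Walking it from the
    right, the first address not belonging to a trusted proxy is the client;
    anything to its left was supplied by the client and cannot be trusted."""
    if not is_trusted_proxy(remote_addr):
        # Direct connection: the header could have been typed by the client.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: fall back to the peer address
        return hop
    return remote_addr


if __name__ == "__main__":
    # Constructed request as seen by the backend behind the proxy
    print(real_client_ip("198.51.100.7", "203.0.113.9, 10.1.2.3"))  # 203.0.113.9
```

Rate limits, geo rules and audit logs on the backend should key off this value, never off the raw header.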

CDN Dilution VS Clean Pipe VS DDoS Protection Proxy

A key consideration is that you can use all three techniques to create a comprehensive anti-DDoS solution for your network.

With that being said, here is a table listing the key differences between the three DDoS mitigation techniques:


End Words

While there are many different techniques we can use for DDoS mitigation, it is best to first assess your system and use cases before deciding on the right mitigation technique. If you want versatility, however, there is bot mitigation software by DataDome, based on the clean pipe technique, that is compatible with all major technologies, including multi-CDN and multi-cloud systems.


About the Author

Mike Khorev 

Mike Khorev is passionate about all emerging technologies in the IT space and loves to write about all of them. He is a lifetime marketing and internet expert with over 10 years of experience in web technologies, SEO, online marketing, and cybersecurity. 

Published Tuesday, September 22, 2020 7:39 AM by David Marshall