Module 9 - Security

DDoS Protection

Defending against attacks that try to overwhelm your systems.

1. The Highway Traffic Jam Analogy

Simple Analogy
Imagine someone floods a highway with millions of slow-moving cars. Real traffic can't get through; the road is jammed. A DDoS attack does the same to your servers: it floods them with fake requests so legitimate users can't connect.

DDoS (Distributed Denial of Service) attacks overwhelm systems with traffic from many sources, making services unavailable to legitimate users. The "distributed" part makes it hard to block.

2. Types of DDoS Attacks

Layer 3/4 (Network)

Volumetric Attacks

Flood with massive bandwidth. UDP floods, ICMP floods, SYN floods.

Goal: Saturate network links

Defense: CDN, anycast, scrubbing centers

Layer 7 (Application)

Application Attacks

Target specific endpoints. HTTP floods, Slowloris, API abuse.

Goal: Exhaust server resources

Defense: WAF, rate limiting, bot detection

Protocol

Protocol Attacks

Exploit protocol weaknesses. SYN floods, ping of death.

Goal: Exhaust state tables, connections

Defense: SYN cookies, connection limits

3. Defense Layers

1. CDN / Edge
Cloudflare, AWS CloudFront, Fastly. Absorb traffic at the edge, close to the attackers.
2. DDoS Protection Service
AWS Shield, Cloudflare DDoS, Akamai. Automatic detection and mitigation.
3. Web Application Firewall (WAF)
Block malicious patterns: SQL injection, XSS, known attack signatures.
4. Rate Limiting
Limit requests per IP, per user, per endpoint. Slows down attackers.
5. Auto-scaling
Scale up during attacks. May increase costs but maintains availability.

4. Rate Limiting Strategies

Per-IP Limiting

100 requests/minute per IP. Simple but can affect users behind NAT.

Per-User Limiting

Rate limit authenticated users. Doesn't help for unauthenticated attacks.

Per-Endpoint

Stricter limits on expensive endpoints (search, login).

Sliding Window

Smoother limits: 100/min checked over a continuously sliding window rather than a fixed per-minute block, so a burst straddling a minute boundary can't get double the allowance.
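As an added example (not part of the course material), the following combines three of the strategies above: a sliding-window limiter keyed by client IP and endpoint, with stricter limits on expensive endpoints such as /search and /login. The limits, endpoint paths and IP addresses are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Per-endpoint limits as (requests, window seconds). Expensive endpoints get
# stricter limits. These values are illustrative assumptions, not a product's.
LIMITS = {
    "/search": (20, 60.0),
    "/login": (5, 60.0),
    "default": (100, 60.0),
}


class SlidingWindowLimiter:
    """Sliding-window log limiter keyed by (client, endpoint).

    Keeps the timestamps of recent requests for each key and allows a request
    only if fewer than `limit` fall inside the trailing window. Unlike a fixed
    per-minute bucket, a burst straddling a minute boundary cannot double the
    effective allowance. Keying by IP means users behind one NAT share a limit.
    """

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.log = defaultdict(deque)

    def allow(self, client, endpoint, now=None):
        now = time.monotonic() if now is None else now
        limit, window = self.limits.get(endpoint, self.limits["default"])
        q = self.log[(client, endpoint)]
        # Evict timestamps that have fallen out of the trailing window
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= limit:
            return False  # over limit: caller should answer HTTP 429
        q.append(now)
        return True


def simulate(limiter, client, endpoint, timestamps):
    """Return (allowed, rejected) counts for a constructed burst of requests."""
    allowed = sum(limiter.allow(client, endpoint, t) for t in timestamps)
    return allowed, len(timestamps) - allowed


if __name__ == "__main__":
    lim = SlidingWindowLimiter()
    # Constructed burst: 30 search requests from one IP within 9 seconds
    print(simulate(lim, "203.0.113.7", "/search", [i * 0.3 for i in range(30)]))
```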

5. Real-World Mitigation

1. Detection
Traffic spike detected. Unusual patterns: a single endpoint, the same user-agent.
2. Classification
Is it attack traffic or a viral moment? Check signatures and sources.
3. Mitigation
Route through a scrubbing center. Challenge suspicious IPs with a CAPTCHA.
4. Absorption
CDN absorbs volumetric attacks. WAF blocks application attacks.
5. Recovery
Attack ends. Remove temporary blocks. Post-mortem analysis.

6. Protection Services

Cloudflare

CDN + DDoS + WAF. Free tier includes DDoS protection.

AWS Shield

Standard (free) protects L3/L4. Advanced ($3k/mo) adds L7 and support.

Akamai

Enterprise-grade. Massive network capacity.

Google Cloud Armor

GCP WAF + DDoS. Integrates with Cloud CDN.

7. Key Takeaways

1. DDoS = overwhelming systems with traffic from many sources
2. Volumetric (bandwidth), Protocol (state), Application (resources)
3. Defense in depth: CDN → DDoS service → WAF → Rate limiting
4. Rate limit by IP, user, and endpoint. Stricter for expensive operations.
5. Use managed services (Cloudflare, AWS Shield). Don't DIY at scale.

Quiz

1. An attack floods your /search endpoint with complex queries. Which type of attack is this?

2. What is the best first line of defense against a volumetric DDoS attack?