ESSPL is one of the top antivirus and security services providers in the world, and here ESSPL explains how to protect applications from DDoS attacks. With the rise of cyber-attacks in recent times, it is necessary to safeguard applications and websites from all sorts of cyber threats, DDoS being one of the major ones. Before going through the best practices for DDoS resiliency, let us look at what DDoS is.

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

A Denial of Service (DoS) attack is an attack that can make your website or application unavailable to end users. To achieve this, attackers use a variety of techniques that consume network or other resources, disrupting access for legitimate end users. In its simplest form, a DoS attack against a target is executed by a lone attacker from a single source. In the case of a Distributed Denial of Service (DDoS) attack, an attacker uses multiple sources—which may be compromised or controlled by a group of collaborators—to coordinate an attack against a target. In a DDoS attack, each of the compromised hosts participates in the attack, generating a flood of packets or requests to overwhelm the intended target.

DDoS attacks are most common at the Network and Transport layers of the OSI model, and sometimes also at the Presentation and Application layers.

Figure: DDoS Attack

Different Attacks that Affect Application Performance

Infrastructure Layer Attacks: The most common DDoS attacks, User Datagram Protocol (UDP) reflection attacks and synchronize (SYN) floods, are infrastructure layer attacks. An attacker can use either of these methods to generate large volumes of traffic that can flood the capacity of a network or of a system like a server, firewall, IPS, or load balancer. These attacks have clear signatures that make them easier to detect. Effective mitigation of these attacks requires network or system resources in excess of the volume that is generated by the attacker.
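The "clear signatures" of the two infrastructure-layer attacks named above can be seen in VPC Flow Log records, which is where a defender on AWS would first look. The script below is an added example, not code from the original article or from any AWS tool: it parses constructed default-format (version 2) flow records and flags the UDP reflection shape (large UDP flows arriving from well-known reflector source ports, from several sources) and the SYN-flood shape (many distinct sources each opening a one-packet, ~44-byte TCP flow to the same port). The field layout is the documented default; the thresholds, the sample records and the `analyze_flows`/`parse_flow_line` names are my assumptions.

```python
"""Flag infrastructure-layer DDoS patterns (UDP reflection, SYN flood) in
VPC Flow Log records.

Added example, not code from the original article or an AWS tool.
Assumptions (mine): records use the default version-2 flow log format,
all records are inbound to the monitored interface, and every threshold
below is illustrative rather than a recommended value.
"""
from collections import defaultdict

# UDP services whose responses are commonly abused for reflection; a flood
# of large UDP flows *from* these source ports is the tell-tale pattern.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample records (not real traffic). Default v2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.10 10.0.1.5 53 40021 17 900 1200000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.11 10.0.1.5 53 40021 17 950 1260000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.12 10.0.1.5 123 40021 17 800 1000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.5 44123 443 6 6 360 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.8 10.0.1.5 44124 443 6 5 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_line(line):
    """Parse one default-format record; return None when the record carries
    no flow data (log-status NODATA or SKIPDATA leaves the fields as '-')."""
    f = line.split()
    if len(f) != 14:
        raise ValueError(f"unexpected field count in record: {line!r}")
    if f[13] != "OK":
        return None
    return {
        "src": f[3], "dst": f[4],
        "srcport": int(f[5]), "dstport": int(f[6]),
        "proto": int(f[7]), "packets": int(f[8]), "bytes": int(f[9]),
    }


def analyze_flows(lines, reflect_min_bytes=1_000_000, reflect_min_sources=2,
                  syn_min_sources=30):
    """Return suspected UDP reflection (per reflector port) and SYN-flood
    (per destination port) activity.

    Default flow logs do not carry TCP flags, so a SYN flood is inferred
    from its shape: many distinct sources each opening a 1-2 packet,
    ~44-60 byte flow to the same port without completing a handshake.
    """
    udp_bytes = defaultdict(int)
    udp_srcs = defaultdict(set)
    tiny_tcp_srcs = defaultdict(set)
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None:
            continue
        if rec["proto"] == 17 and rec["srcport"] in REFLECTOR_PORTS:
            udp_bytes[rec["srcport"]] += rec["bytes"]
            udp_srcs[rec["srcport"]].add(rec["src"])
        elif rec["proto"] == 6 and rec["packets"] <= 2 and rec["bytes"] <= 60 * rec["packets"]:
            tiny_tcp_srcs[rec["dstport"]].add(rec["src"])
    reflection = [
        (REFLECTOR_PORTS[p], p, udp_bytes[p], len(udp_srcs[p]))
        for p in sorted(udp_bytes)
        if udp_bytes[p] >= reflect_min_bytes and len(udp_srcs[p]) >= reflect_min_sources
    ]
    syn = {port: len(srcs) for port, srcs in tiny_tcp_srcs.items()
           if len(srcs) >= syn_min_sources}
    return {"udp_reflection": reflection, "suspected_syn_flood": syn}


def sample_lines():
    """The constructed records above plus 40 constructed single-packet
    flows to port 443 from distinct sources (the SYN-flood shape)."""
    lines = SAMPLE_LOG.splitlines()
    lines += [
        f"2 123456789012 eni-0a1b2c3d 192.0.2.{i} 10.0.1.5 {50000 + i} 443 6 1 44 "
        "1700000000 1700000060 ACCEPT OK"
        for i in range(1, 41)
    ]
    return lines


if __name__ == "__main__":
    print(analyze_flows(sample_lines()))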

Application Layer Attacks: Less frequently, an attacker might target the application itself in an application layer attack. These attacks differ from infrastructure layer attacks because the attacker is attempting to over-exercise specific functions of an application in order to render it unavailable. In some cases, this can be achieved with very low request volumes that do not generate a large volume of network traffic, which makes the attack more difficult to detect and mitigate. Examples of application layer attacks include HTTP floods, cache-busting attacks, and WordPress XML-RPC floods. With an HTTP flood, an attacker sends HTTP requests that appear to come from a real user of the web application. Cache-busting attacks are a type of HTTP flood that uses variations in the query string to circumvent content delivery network (CDN) caching; every variant results in an origin fetch, placing additional strain on the origin web server. The most common of these attacks is a DNS query flood, in which an attacker uses many well-formed DNS queries to exhaust the resources of a DNS server. These attacks can also include a cache-busting component, where the attacker randomizes the sub-domain string to bypass the local DNS cache of any given resolver. As a result, the resolver is conscripted into an attack against the authoritative DNS server.

Description of Mitigation Techniques (AWS Infrastructure)

AWS infrastructure is DDoS-resilient by design and is supported by DDoS mitigation systems that can automatically detect and filter excess traffic. To protect the availability of your application, it is necessary to implement an architecture that allows you to take advantage of these capabilities. One of the most common AWS use cases is a web application that serves static and dynamic content to users over the Internet.

Services that are available within AWS Regions, like Elastic Load Balancing and Amazon Elastic Compute Cloud (EC2), allow you to build DDoS resiliency and scale to handle unexpected volumes of traffic within a given region. Services that are available in AWS edge locations, like Amazon CloudFront, AWS WAF, Amazon Route 53, and Amazon API Gateway, allow you to take advantage of a global network of edge locations that can provide your application with greater fault tolerance and increased scale for managing larger volumes of traffic.


Figure: ESSPL DDoS resilient reference architecture

Infrastructure Layer Defense: On AWS, you have options for architecting your application so that it can scale and absorb larger volumes of traffic without capital-intensive investments or unnecessary complexity. Key considerations in the mitigation of volumetric DDoS attacks include the availability and diversity of transit capacity, and protecting AWS resources such as Amazon EC2 instances from attack traffic.

Instance Size: Many AWS customers use Amazon EC2 for resizable compute capacity, which allows you to quickly scale up or down as your requirements change. You can scale horizontally by adding instances to your application, as required. You can also choose to scale vertically by using larger instances. Some instance types support features, such as 10 Gigabit network interfaces and Enhanced Networking that can improve your ability to handle larger volumes of traffic. With 10 Gigabit network interfaces, each instance is able to support a larger volume of traffic. This helps prevent interface congestion for any traffic that has reached the Amazon EC2 instance. Instances that support Enhanced Networking provide higher I/O performance and lower CPU utilization compared to traditional implementations. This improves the ability of the instance to handle traffic that is larger in packet volume.

Choice of Region: Many AWS services, like Amazon EC2, are available in multiple locations worldwide. These geographically separate areas are called AWS Regions. When architecting your application, you can choose one or more regions based on your own requirements. Common considerations include performance, cost, and data sovereignty.

Regions also differ in their Internet connections and peering relationships, which determine the latency and throughput available to similarly situated end-users.

It is also important to consider your choice of region in terms of DDoS resiliency. Many regions are close to large Internet exchanges. Many DDoS attacks originate internationally, so it is helpful to be close to exchanges where international carriers and large peers frequently maintain a strong presence. This helps end-users reach your application when dealing with larger volumes of traffic.

Load Balancing: Larger DDoS attacks can exceed the size of a single Amazon EC2 instance. To mitigate these attacks, you will want to consider options for load balancing excess traffic. With Elastic Load Balancing (ELB), you can reduce the risk of overloading your application by distributing traffic across many backend instances. ELB can scale automatically, allowing you to manage larger volumes of unanticipated traffic, like flash crowds or DDoS attacks.

ELB accepts only well-formed TCP connections. This means that many common DDoS attacks, like SYN floods or UDP reflection attacks, will not be accepted by ELB and will not be passed to your application. When ELB detects these types of attacks, it automatically scales to absorb the additional traffic, and you will not incur any additional charges.

Application Layer Defense: Many of the techniques discussed here are effective at mitigating the availability impact of infrastructure layer DDoS attacks. Defending your application against application layer attacks requires you to implement an architecture that allows you to detect malicious requests, scale to absorb them, and block them. This is an important consideration because network-based DDoS mitigation systems are generally ineffective at mitigating complex application layer attacks.

Detect and Filter Malicious Web Requests: Web application firewalls (WAFs) are often used to protect web applications against attacks that attempt to exploit a vulnerability in the application. Common examples include SQL injection or cross-site request forgery. You can also use a WAF to detect and mitigate web application layer DDoS attacks. On AWS, you can use Amazon CloudFront and AWS WAF to defend your application against these attacks. Amazon CloudFront allows you to cache static content and serve it from AWS Edge Locations, which helps reduce the load on your origin. Additionally, Amazon CloudFront can automatically close connections from slow-reading or slow-writing attackers (e.g., Slowloris). You can use Amazon CloudFront geo restriction to prevent users in specific geographic locations from accessing your content. This can be useful if you want to block attacks that originate from geographic locations where you do not expect to serve end-users.
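Before a WAF rule can block an HTTP flood or a cache-busting attack (both described in the application layer attacks section above), someone has to recognise the pattern in the access logs; this is the detection side of "detect and filter". The script below is an added example, not code from the original article, Amazon CloudFront or AWS WAF. It runs over constructed access-log lines in a simplified format of my own choosing and reports two things: clients whose request rate inside a sliding window exceeds a limit (the flood signal that a rate-based rule would act on), and clients that keep hitting one path with an almost-always-different query string (the cache-busting signal, since each variant misses the cache and becomes an origin fetch). The window, the limits and the function names are assumptions.

```python
"""Detect HTTP-flood and cache-busting patterns in web access logs.

Added example; not code from the original article, Amazon CloudFront or
AWS WAF. The log format is a constructed, simplified one:
    <epoch_seconds> <client_ip> <method> <path[?query]> <status>
and every threshold is an illustrative assumption, not a recommendation.
"""
from collections import defaultdict
from urllib.parse import urlsplit


def parse_access_line(line):
    """Split one constructed-format log line into its fields."""
    ts, ip, method, target, status = line.split()
    parts = urlsplit(target)
    return {"ts": int(ts), "ip": ip, "method": method,
            "path": parts.path, "query": parts.query, "status": int(status)}


def peak_rate(stamps, window):
    """Largest number of requests seen inside any window-second span
    (two-pointer sweep over sorted timestamps)."""
    stamps = sorted(stamps)
    best = lo = 0
    for hi, t in enumerate(stamps):
        while t - stamps[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze_requests(lines, window=60, flood_limit=100,
                     bust_min_requests=20, bust_min_ratio=0.9):
    """Return clients exceeding flood_limit requests in any window, and
    clients whose repeated hits on one path use almost all-distinct query
    strings (the cache-busting signature: each variant misses the CDN
    cache and is fetched from the origin)."""
    ts_by_ip = defaultdict(list)
    queries_by_ip_path = defaultdict(lambda: defaultdict(list))
    for line in lines:
        r = parse_access_line(line)
        ts_by_ip[r["ip"]].append(r["ts"])
        queries_by_ip_path[r["ip"]][r["path"]].append(r["query"])

    findings = {"http_flood": {}, "cache_busting": {}}
    for ip, stamps in ts_by_ip.items():
        peak = peak_rate(stamps, window)
        if peak > flood_limit:
            findings["http_flood"][ip] = peak
    for ip, paths in queries_by_ip_path.items():
        for path, queries in paths.items():
            total, distinct = len(queries), len(set(queries))
            if total >= bust_min_requests and distinct / total >= bust_min_ratio:
                findings["cache_busting"][ip] = (path, total, distinct)
    return findings


def sample_lines():
    """Constructed traffic: one legitimate client, one cache-busting client
    re-fetching a static asset with a fresh query string every time, and
    one client flooding an API endpoint (150 requests in 50 seconds)."""
    base = 1700000000
    lines = [f"{base + i * 10} 192.0.2.10 GET /assets/app.js?v=1.2.3 200" for i in range(5)]
    lines += [f"{base + i} 203.0.113.50 GET /assets/app.js?v={i} 200" for i in range(25)]
    lines += [f"{base + i // 3} 198.51.100.9 GET /api/search?q=term 200" for i in range(150)]
    return lines


if __name__ == "__main__":
    print(analyze_requests(sample_lines()))
```

The cache-busting client sends only 25 requests, far below any sensible rate limit, which is exactly why the page says these attacks "can be achieved with very low request volumes"; the query-string ratio catches what the rate counter alone would miss. A real deployment would read CloudFront or load-balancer logs instead of this constructed format and feed the flagged addresses into a WAF block rule rather than printing them.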

Scale to Absorb: Another way to deal with application layer attacks is to operate at scale. In the case of web applications, you can use ELB to distribute traffic to many Amazon EC2 instances that are over-provisioned or configured to auto scale for the purpose of serving surges of traffic, whether the surge is the result of a flash crowd or an application layer DDoS attack. Amazon CloudWatch alarms are used to initiate Auto Scaling, which automatically adjusts the size of your Amazon EC2 fleet in response to events that you define. This protects application availability even when dealing with an unexpected volume of requests. By using Amazon CloudFront or ELB, SSL negotiation is handled by the distribution or load balancer, which can prevent your instances from being affected by SSL-based attacks.

Conclusion – Defending Against DDoS Attacks

The techniques described here allow you to build a DDoS-resilient architecture that is capable of protecting the availability of your application against many common infrastructure and application layer DDoS attacks. The degree to which you are able to architect your application according to these best practices will influence the type, vector, and volume of DDoS attacks that you are able to mitigate.