Distributed Denial of Service (DDoS)
Coordinated attack that overloads services with massive traffic and impairs availability.
Classification
- ComplexityHigh
- Impact areaTechnical
- Decision typeArchitectural
- Organizational maturityIntermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Misconfigurations can make services inaccessible
- Attackers adapt tactics, e.g., low-and-slow methods
- Cost spikes due to unplanned scaling or scrubbing
- Implement minimal attack surface and rate limiting
- Deploy telemetry on all critical paths and correlate events
- Practice incident response regularly including provider coordination
I/O & resources
- Network traffic logs and telemetry
- Baseline profiles of legitimate usage
- Access to edge and CDN configuration
- List of filtered IPs/networks and deployed rulesets
- Incident documentation and forensic artifacts
- Recommended architecture changes for risk reduction
Description
Distributed Denial of Service (DDoS) denotes coordinated attacks that overload a service's resources with massive traffic and reduce availability. The concept covers attack vectors, detection principles and mitigation strategies at network and application layers. Relevant measures include monitoring, scaling, filtering, collaboration with upstream providers and legal response.
✔Benefits
- Improved availability and reduced downtime
- Better situational awareness through telemetry and forensics
- Scalable mitigation options reduce business risk
✖Limitations
- Complete prevention of large volumetric attacks is costly
- False positives can impact legitimate traffic
- Dependence on third parties (CDN/ISP) for effective scrubbing capacity
Trade-offs
Metrics
- Number of blocked malicious connections per minute
Measures effectiveness of filters and blacklists against attacking connections.
- Peak bandwidth utilization during an incident
Shows maximum load on network and aids capacity planning.
- Mean Time to Mitigate (MTTM)
Average time from detection to effective countermeasure.
Examples & implementations
Mirai botnet (2016)
Large-scale attack leveraging compromised IoT devices that impacted DNS providers and accelerated adoption of DDoS defenses.
Targeted API flood on an online service
Attacks on specific API routes caused elevated latency and required WAF rules and throttling.
Volumetric attack against e‑commerce platform
Massive bandwidth load on infrastructure that required CDN-based scrubbing services and ISP coordination.
Implementation steps
Baseline analysis: capture traffic profiles and define anomalies
Configure monitoring and alerting for relevant metrics
Create layered mitigation plan (edge, network, application)
Define automated response playbooks and escalation paths
Conduct regular tests and drills with providers
⚠️ Technical debt & bottlenecks
Technical debt
- Old firewall rules without documentation
- Lack of automation for incident response
- Insufficient telemetry at edge nodes
Known bottlenecks
Misuse examples
- Excessive blocking causes customer loss
- Focusing only on bandwidth, not application logic
- No legal documentation during incident, hindering prosecution
Typical traps
- Relying solely on cloud provider protection without own measures
- Too tight thresholds lead to frequent false positives
- Ignoring low-and-slow attacks by focusing on volume
Required skills
Architectural drivers
Constraints
- • Limited budget and personnel resources
- • Dependence on ISP/CDN support
- • Legal frameworks and reporting obligations