1. Defense Fundamentals
1.1. Attack Traffic Assessment
The first step in defending against a DDoS attack is accurately assessing the size of the attack traffic. This involves understanding the underlying details of network protocols.
Take a SYN Flood attack as an example. Attackers often use minimal packet sizes for efficiency. A standard SYN attack packet structure is:
- Ethernet Header: 14 bytes
- IP Header: 20 bytes
- TCP Header: 20 bytes
- Ethernet Padding: 6 bytes (to bring the 40-byte IP+TCP payload up to the 46-byte minimum Ethernet payload)
- CRC Checksum: 4 bytes
Adding the 8-byte preamble and 12-byte inter-frame gap required for transmission, the total frame size on the wire is: 8 + 14 + 20 + 20 + 6 + 4 + 12 = 84 bytes.
From this, we can calculate the maximum packet forwarding rate (PPS) for different bandwidths:
- 100Mbit Network: 100 × 10⁶ / (8 × 84) ≈ 148,809 PPS
- 1000Mbit Network: 1,000 × 10⁶ / (8 × 84) ≈ 1,488,090 PPS
Understanding these fundamentals helps in correctly assessing attack scale and selecting defense solutions.
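As an added example (not code from the original article), the 84-byte derivation above generalized to any IP packet length and link speed, including the Ethernet padding rule, and inverted so that an attack reported only as a packet rate can be sized in bandwidth; all names are the example's own.

```python
# Added example, not from the original article: on-wire frame size and the
# packet-rate ceiling it implies, generalizing the 84-byte SYN derivation.
PREAMBLE = 8            # preamble + start-of-frame delimiter
ETH_HEADER = 14
CRC = 4
IFG = 12                # inter-frame gap
MIN_ETH_PAYLOAD = 46    # shorter payloads are padded up to this size
MAX_ETH_PAYLOAD = 1500

def wire_bytes(ip_total_length: int) -> int:
    """Bytes one packet occupies on the wire (padding, preamble and
    inter-frame gap included). ip_total_length = IP header + payload."""
    if not 20 <= ip_total_length <= MAX_ETH_PAYLOAD:
        raise ValueError("IP packet length must be between 20 and 1500")
    payload = max(ip_total_length, MIN_ETH_PAYLOAD)   # Ethernet padding rule
    return PREAMBLE + ETH_HEADER + payload + CRC + IFG

def max_pps(link_bps: float, ip_total_length: int) -> int:
    """Upper bound on packets per second a link of link_bps can carry."""
    return int(link_bps // (8 * wire_bytes(ip_total_length)))

def pps_to_wire_bps(pps: float, ip_total_length: int) -> float:
    """Link capacity (bit/s) consumed by an observed packet rate; use this
    to size an attack that is reported only as a packet count."""
    return pps * 8 * wire_bytes(ip_total_length)

if __name__ == "__main__":
    SYN = 40   # 20-byte IP header + 20-byte TCP header, no options
    print("SYN frame on the wire:", wire_bytes(SYN), "bytes")
    for name, bps in (("100M", 100e6), ("1G", 1e9), ("10G", 10e9)):
        print(f"{name}: {max_pps(bps, SYN):,} PPS of minimum-size SYNs")
    # Assessment direction: a reported 500k PPS SYN flood fills this much link
    print(f"500k PPS of SYNs = {pps_to_wire_bps(5e5, SYN) / 1e6:.0f} Mbit/s")
```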
1.2. SYN Flood Defense
SYN Flood attacks primarily aim to exhaust server CPU, memory resources, and fill the SYN backlog queue. The Linux kernel provides several parameters to mitigate such attacks:
```
# Enable SYN Cookies to reduce server resource pressure
net.ipv4.tcp_syncookies = 1
# Increase the SYN backlog queue length
net.ipv4.tcp_max_syn_backlog = 8192
# Reduce SYN+ACK retries to release resources faster
net.ipv4.tcp_synack_retries = 2
```
How SYN Cookies Work: When enabled, the server does not allocate connection state upon receiving a SYN packet. Instead, it derives its initial sequence number (the cookie) from a cryptographic hash of the connection's addresses, ports and a time counter, and sends it in the SYN+ACK. Full connection state is only created upon receiving an ACK that carries a valid cookie.
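A simplified SYN cookie scheme as an added example (not code from the original article or the Linux kernel): the real kernel uses a different bit layout, SipHash and a richer option encoding, but the mechanism shown is the same, the server stores nothing per SYN and still rejects ACKs whose cookie it did not issue. The key, table sizes and two-minute validity window are this example's assumptions.

```python
# Added example, not from the original article: a simplified SYN cookie in
# the spirit of the Linux scheme. The kernel's bit layout, hash (SipHash) and
# option encoding differ; the point shown is that the server keeps no state
# per SYN yet can still reject ACKs that do not carry a cookie it issued.
import hashlib, hmac, os, time

SECRET = os.urandom(32)                # per-server key (assumed; kernel rotates it)
MSS_TABLE = (536, 1300, 1440, 1460)    # MSS values encodable in 2 bits here

def _mac(tuple4, client_isn, counter):
    msg = f"{tuple4}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def _counter(now=None):
    return int((time.time() if now is None else now) // 60)   # minute ticks

def make_cookie(tuple4, client_isn, mss, now=None):
    """Server ISN for the SYN+ACK: 5-bit time counter | 2-bit MSS index |
    24-bit MAC over (addresses, ports, client ISN, counter). Nothing is stored."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    t = _counter(now)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac(tuple4, client_isn, t)

def check_ack(tuple4, client_isn, ack_number, now=None, max_age=2):
    """Validate the handshake's final ACK. Returns the MSS to use, or None if
    the cookie is forged, for another peer, or older than max_age minutes.
    client_isn is the ACK's sequence number minus one."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t_low, idx, mac = cookie >> 27, (cookie >> 24) & 0x3, cookie & 0xFFFFFF
    now_t = _counter(now)
    for age in range(max_age + 1):   # recover the counter from its low 5 bits
        t = now_t - age
        expected = _mac(tuple4, client_isn, t).to_bytes(3, "big")
        if (t & 0x1F) == t_low and hmac.compare_digest(mac.to_bytes(3, "big"), expected):
            return MSS_TABLE[idx]
    return None
```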
Advanced Defense Strategies:
- TCP First Packet Drop: Drop the initial SYN packet and wait for a retransmission. Legitimate clients will retry; many attack tools will not.
- TCP Proxy (Scrubbing Device): A dedicated device completes the TCP three-way handshake validation and only establishes a connection with the real server upon success.
- Hardware Acceleration: Use specialized network processor chips to handle massive SYN queues.
1.3. HTTP Flood Defense
HTTP Flood defense relies heavily on caching and intelligent identification:
- CDN Caching: Cache static content at edge nodes, allowing the CDN to respond directly to requests.
- Rate Limiting: Track request frequency per source IP and blacklist anomalous rates (mindful of false positives).
- JavaScript Challenge: Return a piece of JavaScript code. Normal browsers will execute it and proceed, while many attack bots do not parse JS.
- CAPTCHA Verification: Introduce CAPTCHA challenges for suspicious traffic.
1.4. DNS Flood Defense
Strategies for defending against DNS attacks include:
- Caching & Acceleration: Deploy DNS caching servers to reduce query pressure on authoritative servers.
- Protocol Enforcement: Drop UDP queries, forcing clients to retry over TCP (TCP's connection state makes defense easier).
- Whitelisting: During an attack, only allow queries from whitelisted domains and ISP DNS IPs.
- Anycast Routing: Use Anycast technology to distribute DNS queries across multiple global nodes.
1.5. Slow Connection Attack Defense
Defense methods against slow attacks like Slowloris:
- Connection Behavior Analysis: Monitor the duration and packet count per TCP connection. Too few HTTP packets may indicate a slow attack; too many may signal an HTTP Flood.
- Header Timeout Limits: Set a maximum time for HTTP header transmission (e.g., 60 seconds) and terminate connections that exceed it.
- Minimum Request Rate: Require clients to send a minimum amount of data within a specified timeframe.
- Connection Limit per IP: Restrict the number of concurrent connections from a single IP address.
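The per-source rate limiting of section 1.3 and the per-connection behavior checks of section 1.5 (header timeout, minimum send rate, request count, connection limit per IP) as one added example run over constructed connection records; it is not code from the original article, and every threshold and record is an illustrative assumption.

```python
# Added example, not from the original article: the per-connection and
# per-source checks of sections 1.3 and 1.5 run over constructed records.
# All thresholds are illustrative assumptions, not values from the article.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    src: str
    start: float                    # seconds since monitoring began
    end: Optional[float]            # None while the connection is open
    header_done: Optional[float]    # None if HTTP headers never completed
    requests: int                   # HTTP requests seen on this connection
    bytes_in: int
HEADER_TIMEOUT = 60      # seconds allowed to finish the HTTP headers
MIN_RATE_BPS = 100       # minimum client send rate on a long-lived connection
MAX_REQ_PER_SEC = 50     # request rate per connection and per source
MAX_CONN_PER_IP = 20     # concurrent connections allowed per source

def classify(c: Conn, now: float) -> str:
    end = now if c.end is None else c.end
    duration = max(end - c.start, 1e-9)
    header_time = (end if c.header_done is None else c.header_done) - c.start
    if header_time > HEADER_TIMEOUT:
        return "slow-header"     # Slowloris pattern: headers never finish
    if duration > HEADER_TIMEOUT and c.bytes_in / duration < MIN_RATE_BPS:
        return "slow-body"       # held open with a trickle of data
    if c.requests / duration > MAX_REQ_PER_SEC:
        return "http-flood"      # too many requests on one connection
    return "normal"

def evaluate(conns, now):
    """Returns (verdict per connection, sources over the request-rate limit,
    sources over the concurrent-connection limit)."""
    verdicts = [classify(c, now) for c in conns]
    req, open_, first = defaultdict(int), defaultdict(int), {}
    for c in conns:
        req[c.src] += c.requests
        first[c.src] = min(first.get(c.src, c.start), c.start)
        if c.end is None or c.end > now:
            open_[c.src] += 1
    rate = lambda ip: req[ip] / max(now - first[ip], 1e-9)
    blacklist = sorted(ip for ip in req if rate(ip) > MAX_REQ_PER_SEC)
    over_limit = sorted(ip for ip, n in open_.items() if n > MAX_CONN_PER_IP)
    return verdicts, blacklist, over_limit

# Constructed sample: one Slowloris, one slow-body, one flooder, one normal.
SAMPLE = [Conn("198.51.100.7", 0, None, None, 0, 400),
          Conn("198.51.100.8", 0, None, 5, 1, 2000),
          Conn("203.0.113.9", 110, 120, 110.2, 900, 60000),
          Conn("192.0.2.1", 110, 115, 110.1, 3, 5000)]
```

Calling `evaluate(SAMPLE, now=120)` labels the four records slow-header, slow-body, http-flood and normal, and lists 203.0.113.9 as the source to rate-limit.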
2. Enterprise-Grade Defense Architecture
Enterprise DDoS defense is not just a technical solution but a complete system encompassing monitoring, processes, and organizational support.
2.1. Multi-Layer Monitoring System
Establish a defense-in-depth monitoring system covering all layers:
| Monitoring Layer | Key Metrics |
|---|---|
| Network Layer | BPS, PPS, Protocol Distribution, Packet Loss Rate |
| Load Balancer Layer | VIP New Connections, Concurrent Connections, Response Time |
| Host Layer | CPU Usage, TCP Connection States, Memory Usage |
| Application Layer | Business Throughput, Error Rate, API Response Time |
Multi-dimensional monitoring aids in quickly identifying attack targets and methods, preventing single points of failure.
2.2. Emergency Response Process
A robust emergency response process should include:
- Defense Team Structure: Include members from monitoring, operations, networking, security, customer service, and business units, with backups for each role.
- Automated Handling: Automatically analyze attack types and apply pre-defined defense policies when an attack is detected.
- Drills & Rehearsals: Conduct regular DDoS defense drills to ensure all teams are familiar with the procedures.
2.3. Infrastructure Preparation
Pre-attack preparation is equally critical:
- CDN Node Deployment: Distributed nodes can disperse attack traffic, increasing overall defense capacity.
- DNS Configuration Optimization: Set low TTL values (e.g., 60 seconds) to facilitate rapid traffic redirection.
- Cloud Protection Services: Consider using DDoS protection services from cloud providers like Alibaba Cloud DDoS Protection, AWS Shield, etc.
- Bandwidth Redundancy: Maintain excess bandwidth capacity to avoid being saturated by volumetric attacks.
3. Summary & Best Practices
In the cloud era, the frequency and scale of DDoS attacks continue to increase. Effective defense requires a combination of technology, processes, and resources.
Key Insight: DDoS defense is like "ten minutes on stage, ten years of practice off stage." Adequate resource preparation, emergency drills, and hands-on experience are crucial.
Modern DDoS Defense Best Practices:
- Layered Defense: Deploy defensive measures at multiple layers: network perimeter, data center ingress, and application layer.
- Hybrid Cloud & On-Premises: Combine on-premises defense devices with cloud-based scrubbing centers to counter ultra-large-scale attacks.
- Intelligent Learning: Utilize machine learning to identify abnormal traffic patterns and improve defense accuracy.
- Continuous Evolution: Attack methods constantly evolve; defense strategies must also be continuously updated and optimized.
For most enterprises, partnering with a professional cloud security service provider often offers the best cost-benefit ratio. These providers operate global scrubbing centers, offer terabit-level protection bandwidth, and have dedicated security teams, providing 24/7 automated protection.