Perimeter Security Glossary

DDoS Protection

Technical and organizational measures against distributed denial-of-service attacks. From CDN-based traffic filtering to anycast routing: how companies keep services available while under DDoS attack.

DDoS protection encompasses all measures designed to maintain system availability even during DDoS attacks. Since individual attackers can now purchase terabit-scale attacks (Mirai botnet: 1.2 Tbps peak traffic), no single system can provide protection on its own—DDoS protection must operate simultaneously across multiple layers.

Types of DDoS Attacks and Their Countermeasures

Volumetric Attacks (Layers 3/4)

The goal: to saturate the target's internet uplink with sheer volume of traffic.

Typical attacks:

  • UDP/ICMP flood
  • DNS amplification (small request, large response)
  • NTP amplification (up to 600x amplification)
  • Memcached amplification (up to 50,000x amplification)

Protection:

  • Upstream scrubbing: Traffic is filtered at the ISP or scrubbing center
  • Anycast routing: Traffic is distributed across many geographic locations (Cloudflare network: 200+ locations)
  • BCP38: ingress filtering so that no packets with spoofed source addresses leave the provider's own network (ISP measure)

Protocol Attacks (Layer 4)

SYN Flood: Thousands of TCP connections are initiated but never completed → Server keeps connections open → Resources are exhausted.

Protection: SYN Cookies, rate limiting per source IP, firewall with connection state tracking.

Application Layer Attacks (Layer 7)

HTTP floods that mimic genuine browser requests—harder to detect.

  • Slowloris: keeps HTTP connections open with extremely slow requests
  • HTTP GET/POST flood: many requests targeting resource-intensive endpoints (search, login)

Protection: WAF, CAPTCHA/JS challenge, bot detection, rate limiting per IP and user.

DDoS Protection Methods

User → Cloudflare/AWS Shield/Akamai → Scrubbing → Origin Server

Cloudflare Anycast: Traffic is absorbed regionally—users in Germany land on Cloudflare Frankfurt, an attack from China hits Cloudflare Hong Kong. The origin server sees only filtered traffic.

Major Providers:

  • Cloudflare (free Basic plan, unmetered mitigation starting with Pro)
  • AWS Shield (Standard free, Advanced: $3,000/month)
  • Akamai Prolexic (Enterprise, for critical infrastructure)
  • F5 Silverline (Enterprise)
  • Link11 (German provider, GDPR advantage)

On-Premise DDoS Protection Appliances

For data centers with high-bandwidth uplink connections:

  • Radware DefensePro
  • Corero SmartWall
  • Arbor Networks (NETSCOUT)

Recommended if: Regulatory requirements prohibit traffic routing via third parties.

ISP-Based Upstream Protection

Many data centers and providers offer blackholing (routing the attacked prefix to a null route) and scrubbing services.

BGP Blackholing: during a massive attack, your own IP is announced upstream as a blackhole route and all traffic to it is dropped—no attacker traffic, but also no legitimate traffic. Useful only as a short-term measure.

DDoS Protection for Small and Medium-Sized Businesses: A Pragmatic Approach

Implement immediately (free):

  • Host your website behind Cloudflare Free
  • Keep the origin server IP private (accept requests only from Cloudflare's IP ranges)
  • Apply rate limiting to login and API endpoints (nginx/Apache)
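The two origin-side measures above (accepting requests only from Cloudflare and rate limiting login/API endpoints in nginx) as one combined configuration; this is an added example, not code from the glossary or from Cloudflare. It assumes two hypothetical include files holding Cloudflare's published IP ranges; zone names, paths, limits and the backend name are illustrative.

```nginx
# Added example, not from the original page. Assumed (hypothetical) files:
#   /etc/nginx/cloudflare-realip.conf  -> one "set_real_ip_from <cidr>;" per Cloudflare range
#   /etc/nginx/cloudflare-geo.conf     -> one "<cidr> 1;" per Cloudflare range
# Both are populated from the ranges Cloudflare publishes and refreshed when they change.

http {
    # Restore the real client IP from Cloudflare's header, but only trust that
    # header when the TCP peer is a Cloudflare address.
    include /etc/nginx/cloudflare-realip.conf;
    real_ip_header CF-Connecting-IP;

    # Caveat: without real_ip_header, $binary_remote_addr would be the Cloudflare
    # edge IP, and the per-IP limits below would throttle all users behind that
    # edge at once instead of the single abusive client.
    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;   # 10m ~ 160k IPs
    limit_req_zone $binary_remote_addr zone=api:10m   rate=30r/s;
    limit_req_status 429;        # signal "slow down" rather than a generic 503
    limit_req_log_level warn;    # rejected requests show up in error.log for monitoring

    # $realip_remote_addr is the original TCP peer (the Cloudflare edge), so the
    # allow-list check still works after the real IP has been substituted.
    geo $realip_remote_addr $from_cloudflare {
        default 0;
        include /etc/nginx/cloudflare-geo.conf;
    }

    server {
        listen 443 ssl;
        server_name example.com;    # illustrative

        # Anything that did not arrive via Cloudflare (leaked or scanned origin IP) is refused.
        if ($from_cloudflare = 0) { return 403; }

        location = /login {
            # burst absorbs a short spike; nodelay serves it immediately instead of queuing
            limit_req zone=login burst=10 nodelay;
            proxy_pass http://app_backend;
        }

        location /api/ {
            limit_req zone=api burst=50 nodelay;
            proxy_pass http://app_backend;
        }

        location / {
            proxy_pass http://app_backend;
        }
    }
}
```

Watching the rate of 429 responses and `limiting requests` lines in error.log gives an early Layer 7 flood indicator for the detection step of the response plan.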

Affordable (< €200/month):

  • Cloudflare Pro: Advanced WAF, better DDoS protection
  • Hetzner DDoS protection (included in cloud hosting)

Enterprise (upon request):

  • Akamai/AWS Shield Advanced for critical services
  • Redundant connection with BGP failover

Response Plan for DDoS Attacks

Detection (automatic via monitoring):

  • Increased traffic, rise in latency, availability alert

Immediate measures (0–5 minutes):

  • Activate Cloudflare "I'm Under Attack" mode
  • Tighten rate limiting
  • Contact ISP for upstream filtering

Analysis (5–30 minutes):

  • Traffic characteristics: Volumetric? Layer 7?
  • Attack sources: Geographical? Specific botnet signature?
  • Target: Only one IP/domain? All services?

Mitigation (depending on type):

  • Volumetric: Upstream blackholing or scrubbing center
  • Layer 7: Tighten WAF rules, enable CAPTCHA
  • Geoblocking if attack originates from a specific region

Documentation:

  • Preserve traffic logs (for forensics and insurance claims)
  • Document timeline

Compliance Requirements

NIS2 Art. 21: Availability and protection against attacks on ICT systems – DDoS protection is an implicit requirement.

BSI IT-Grundschutz NET.3.2: Firewall and DDoS protection as a requirement for critical network services.

DORA (Financial Sector) Art. 11: ICT operational stability – DDoS resilience is part of business continuity.