
DDoS Defense Triad

Distributed Denial of Service (DDoS) is one of the most disruptive cybercrimes and can cause substantial financial loss to its victim. Recent DDoS attacks have peaked at 1.35 Tbps and 126.9 million packets per second (GitHub, February 2018), and they serve a variety of motives ranging from financial gain to political protest ("hacktivism"). In this post, I'll cover the three groups of DDoS defense techniques that are low cost and can be deployed easily by small to medium-sized businesses.

Fig. 1: DDoS defense triad


  1. Intrusion prevention
    1. General Security Policy
    2. 3rd-party DDoS protection services
    3. Ingress and egress filtering
    4. Static signature detection
  2. Intrusion detection
    1. Anomaly detection
    2. Misuse detection
  3. Intrusion response
    1. Source identification
    2. Multi-level rate limiting
    3. Class-based queuing


Intrusion Prevention (IP)

Intrusion prevention (IP) techniques lay down stringent security practices to stop DDoS attacks before they happen, and make the system robust enough that the servers can absorb the initial attack traffic rather than going offline as soon as the traffic increases. Besides the enterprise's own servers, intrusion prevention techniques can also be applied at intermediate gateways and routers. The following are some of the IP techniques:

Fig 2: Intrusion prevention techniques

General Security Policy (GSP)

Security policies are the strategic decisions made by management to set objectives and allocate the financial and human resources needed to prevent, detect, tolerate and recover from cybercrime. They can be laid down at multiple levels, from system-specific to issue-specific. For DDoS, system-specific policies cover the selection of the hardware and software needed to prevent, detect and tolerate attacks: the choice of intrusion detection system (IDS), proxy servers and gateways, backup frequency, network bandwidth, computing power, and so on. Issue-specific policies cover the type and configuration of the firewall, the intrusion prevention system (IPS), encryption, user identity and privilege management, etc. It is critical to design a strict GSP and to ensure that it is enforced.

3rd Party DDoS mitigation services

Various companies such as Cloudflare, Imperva, Akamai and Neustar provide cloud-based as well as on-premise DDoS protection services. Cloudflare's business plan, which includes DDoS protection, costs about $200/month, which is in line with its competitors. When selecting such a service, remember that its cost should be lower than the financial loss you would suffer from website/CDN unavailability during an attack. For many small-to-medium businesses even that cost is significant, so it is worth looking at the other prevention methods given below.

Ingress and Egress Network traffic filtering

Ingress and egress filtering are two widely used techniques that work by restricting incoming and outgoing network traffic at a firewall or edge device. Ingress filtering is fairly straightforward: it drops incoming traffic whose source IP is "illegitimate" for the interface it arrives on, for example a source address that belongs to a prefix not reachable through that interface, or one that should only ever originate inside your own network. It requires the administrators to maintain either a static list of valid source prefixes (an ingress access list) or a dynamic one derived from the routing table (strict unicast Reverse Path Forwarding, uRPF), against which every incoming packet is checked. How ingress filtering is implemented depends on your position in the network: an ISP whose routing is asymmetric (hot-potato routing) cannot apply strict uRPF everywhere and has to fall back to feasible-path or loose uRPF, whereas an edge interface of a corporate network usually sees symmetric routing and can use the strict check. RFC 2827 (BCP 38) and RFC 3704 (BCP 84) describe the ingress filtering methods available to the different entities.

Egress filtering, on the other hand, restricts outgoing packets that do not conform to the policy set by the administrators. For instance, a corporate network owns only a limited set of IP blocks, and any outgoing packet whose source address does not fall in those blocks should not be allowed to leave: it is either misconfigured or spoofed. Another example of egress filtering in a corporate setting is to block outbound packets belonging to protocols other than DNS, HTTP(S), mail (SMTP, POP or IMAP) and so on. Remember that egress filtering does not protect you from a DDoS attack; it prevents your network from being used as a source in an attack against someone else. Egress filtering cannot always be applied as a simple source-prefix check. For instance, if your edge device legitimately forwards traffic whose origin is outside your internal IP blocks (transit traffic for another network, say), the allow list has to be extended to those prefixes, and if they cannot be enumerated the check cannot be used at all.
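To make the ingress and egress checks concrete, here is a small Python model of both, written for this post rather than taken from any router or firewall product. The forwarding table, interface names and packets are constructed assumptions; the strict RPF rule and the own-prefix egress rule are the ones described above.

```python
"""Ingress (strict uRPF) and egress (BCP 38) source-address filtering.

Added example, not part of the original post. The FIB, interface names and
packets are constructed for illustration; in production this logic lives in
the router's forwarding plane or in the kernel (rp_filter, nftables' fib
expression), not in Python.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed forwarding table of a small edge router: prefix -> outgoing interface.
FIB = {
    ip_network("0.0.0.0/0"): "wan",        # default route
    ip_network("203.0.113.0/24"): "lan",   # our own public block
    ip_network("10.0.0.0/8"): "lan",       # internal RFC 1918 space (NAT'd before it leaves)
}

# Prefixes that may legitimately appear as the source of packets we send out.
OWN_PREFIXES = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet arrived on


def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match: the interface the FIB would use to reach `addr`."""
    a = ip_address(addr)
    best = None
    for prefix, iface in FIB.items():
        if a in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def strict_urpf_ok(pkt: Packet) -> bool:
    """Strict RPF (RFC 3704, section 2.2): accept only if the route back to the
    source address leaves through the interface the packet came in on."""
    return lookup(pkt.src) == pkt.iface


def egress_ok(pkt: Packet) -> bool:
    """BCP 38 on the way out: anything we forward towards the WAN must carry one
    of our own prefixes as its source, otherwise we are relaying spoofed traffic."""
    if lookup(pkt.dst) != "wan":
        return True  # stays inside; not an egress packet
    src = ip_address(pkt.src)
    return any(src in p for p in OWN_PREFIXES)


def verdict(pkt: Packet) -> str:
    if not strict_urpf_ok(pkt):
        return f"DROP ingress: source {pkt.src} is not routed via {pkt.iface}"
    if not egress_ok(pkt):
        return f"DROP egress: source {pkt.src} is not one of our prefixes"
    return "ACCEPT"


if __name__ == "__main__":
    for p in [
        Packet("203.0.113.10", "198.51.100.5", "lan"),  # normal outbound
        Packet("198.51.100.7", "203.0.113.10", "wan"),  # normal inbound
        Packet("203.0.113.10", "198.51.100.5", "wan"),  # inbound with OUR address spoofed
        Packet("192.0.2.99", "198.51.100.5", "lan"),    # internal host spoofing a foreign source
        Packet("10.1.2.3", "198.51.100.5", "lan"),      # RFC 1918 source leaking out un-NAT'd
    ]:
        print(p, "->", verdict(p))
```

Running it prints a verdict per packet. Note the fourth packet: strict RPF on the LAN interface also catches an internal host spoofing a foreign address, which is exactly the case egress filtering exists for, so on a symmetric edge the two checks overlap and you get defence in depth for free.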

Static traffic signature matching

This technique extracts a signature from the network traffic passing through the firewall and compares it against a database of known malicious traffic signatures; on a match the source IP is blocked. The method has several disadvantages. First, it cannot prevent 0-day DDoS attacks, since their traffic signature is not yet known. Second, if the signature database is large, which is usually the case, matching consumes significant memory and CPU time and slows the whole system down even when no attack is in progress. Third, even when the traffic is correctly labelled as malicious, blocking the source IP is of little help because attackers usually spoof their source addresses or use reflection attacks. In a reflection attack the traffic arrives from legitimate servers such as open DNS resolvers, and permanently blocking those addresses can do more harm than good.

Intrusion Detection (ID)

An Intrusion Detection System (IDS), in contrast to an IPS, sits out of band: it is purely a monitoring device that inspects a copy of the traffic passing through the IPS (from a mirror port or a network tap) and never forwards packets itself, so it cannot become a bottleneck or a single point of failure. Since intrusion detection is resource intensive, it is usually deployed on a separate server, as depicted in Figure 3. Upon detecting anomalous or malicious traffic it alerts the administrators and feeds the intrusion response system.

Fig 3: DDoS Defense overview

Anomaly detection and misuse detection are the two techniques used for intrusion detection. Anomaly detection works by watching the server's behaviour for deviations from a learned baseline, whereas misuse detection works by matching incoming and outgoing network traffic against known attack patterns.

Anomaly detection

Anomaly detection monitors server activity, including bandwidth consumption, RAM usage, number of user logins, storage consumption, the number and type of open ports and running processes, etc. It first quantifies normal server usage (the baseline) and then, upon detecting a deviation from that baseline, alerts the administrators and activates the IRS. Since there is no fixed definition of "normal behaviour", statistical and machine-learning classification models are frequently used. Anomaly detection has the advantage that, along with 0-day DDoS attacks, it can also detect other malicious activity such as botnet or malware infections. Its disadvantages are that it requires significant memory and processing power, and that a poorly tuned baseline produces false positives, so the thresholds have to be revisited as the normal traffic profile changes.
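The following Python example, added here and not part of the original post, implements the statistical flavour of anomaly detection with one cheap feature family: the entropy of source addresses and destination ports in each traffic window, alongside the packet count (the idea behind the entropy-based detector cited as [5]). It learns a baseline from constructed attack-free windows and flags a window whose z-score leaves the band in either direction; the traffic generator, the floor on the standard deviation and the threshold are assumptions chosen for illustration.

```python
"""Entropy-based anomaly detection over fixed-size traffic windows.

Added example, not part of the original post. The traffic windows below are
constructed; a real deployment would fill them from NetFlow/sFlow records or
packet captures.
"""
import math
import random
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Window = List[Tuple[str, int]]  # one (source IP, destination port) per packet


def entropy(items: Iterable) -> float:
    """Shannon entropy normalised to [0, 1]: 0 if every item is identical,
    1 if every item is distinct."""
    counts = Counter(items)
    n = sum(counts.values())
    if n <= 1:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def features(window: Window) -> Dict[str, float]:
    return {
        "src_entropy": entropy(src for src, _ in window),
        "dport_entropy": entropy(port for _, port in window),
        "packets": float(len(window)),
    }


class Baseline:
    """Per-feature mean/std learned from attack-free windows. A window is
    anomalous when any feature's z-score leaves the band in either direction:
    spoofed floods push source entropy up, single-source floods push it down."""

    def __init__(self, training: List[Window], z_threshold: float = 3.0):
        rows = [features(w) for w in training]
        self.z_threshold = z_threshold
        self.stats: Dict[str, Tuple[float, float]] = {}
        for name in rows[0]:
            vals = [r[name] for r in rows]
            mu = mean(vals)
            # floor the std so a tiny or very regular training set does not hair-trigger
            floor = 0.05 if name.endswith("entropy") else 0.1 * mu
            self.stats[name] = (mu, max(pstdev(vals), floor))

    def score(self, window: Window) -> Dict[str, float]:
        f = features(window)
        return {name: (f[name] - mu) / sd for name, (mu, sd) in self.stats.items()}

    def is_anomalous(self, window: Window) -> bool:
        return any(abs(z) > self.z_threshold for z in self.score(window).values())


# --- constructed traffic -----------------------------------------------------

def normal_window(rng: random.Random, n_packets: int = 200, n_clients: int = 30) -> Window:
    clients = [f"198.51.100.{i}" for i in range(1, n_clients + 1)]
    ports = [443, 443, 443, 80, 25]  # mostly HTTPS, some HTTP and mail
    return [(rng.choice(clients), rng.choice(ports)) for _ in range(n_packets)]


def spoofed_flood(rng: random.Random, n_packets: int = 5000) -> Window:
    """Every packet carries a random (spoofed) source and targets port 80."""
    return [(".".join(str(rng.randrange(1, 255)) for _ in range(4)), 80)
            for _ in range(n_packets)]


def single_source_flood(n_packets: int = 5000) -> Window:
    return [("192.0.2.7", 80)] * n_packets


def run_demo() -> Dict[str, object]:
    rng = random.Random(1)
    baseline = Baseline([normal_window(rng) for _ in range(20)])
    held_out = normal_window(random.Random(99))
    spoofed = spoofed_flood(random.Random(7))
    return {
        "normal_flagged": baseline.is_anomalous(held_out),
        "spoofed_flagged": baseline.is_anomalous(spoofed),
        "single_source_flagged": baseline.is_anomalous(single_source_flood()),
        "spoofed_scores": baseline.score(spoofed),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The held-out normal window stays inside the band while both floods are flagged, for different reasons: the spoofed flood drives source entropy to its maximum and destination-port entropy to zero, the single-source flood drives both to zero. Using the absolute z-score catches both; a detector that only looked for "more" would miss the second.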

Misuse detection

Misuse detection monitors incoming and outgoing packets and matches them against well-defined intrusion patterns. These patterns can be unusual sizes, types, sequences or volumes of packets belonging to certain protocols. For instance, in a GRE flood the network is flooded with GRE (or GRE-like) packets, which is unusual because GRE is rarely seen on the public-facing side of most networks. In an ICMP flood, attackers usually send large ICMP packets of around 1500 bytes (the Ethernet MTU), whereas normal echo traffic is small. Misuse detection cannot detect 0-day attacks, but since such attacks are infrequent it is widely used.
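Here is a worked example of misuse (signature) detection, added for this post, covering both the static signature matching described under intrusion prevention and the threshold patterns above. Each rule pairs a match predicate with a count/seconds threshold, the way IDS rule languages do; the thresholds, addresses and packet records are constructed, and alerts are tracked by destination rather than by source because flood sources are usually spoofed.

```python
"""Signature (misuse) detection with per-rule thresholds over a sliding window.

Added example, not part of the original post. It mirrors the shape of an IDS
rule (match + count/seconds threshold) for the ICMP and GRE floods described
above. The packet records are constructed; on a real sensor they would come
from a capture library or a flow exporter.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    proto: str       # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    size: int        # bytes on the wire
    flags: str = ""  # TCP flags, e.g. "S" for a bare SYN


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    match: Callable[[Pkt], bool]
    count: int       # alert once more than `count` packets match ...
    seconds: float   # ... within this many seconds ...
    track: str       # ... for the same "src" or "dst" address


# Thresholds are illustrative; derive real ones from your own baseline.
RULES = [
    Rule(1000001, "ICMP flood: large echo packets",
         lambda p: p.proto == "icmp" and p.size >= 1000, 100, 1.0, "dst"),
    Rule(1000002, "GRE flood", lambda p: p.proto == "gre", 50, 1.0, "dst"),
    Rule(1000003, "TCP SYN flood",
         lambda p: p.proto == "tcp" and p.flags == "S", 500, 1.0, "dst"),
]


class MisuseDetector:
    def __init__(self, rules: List[Rule] = RULES):
        self.rules = rules
        self.windows: Dict[Tuple[int, str], Deque[float]] = defaultdict(deque)
        self.alerted = set()  # alert once per (rule, key), not once per packet

    def feed(self, pkt: Pkt) -> List[str]:
        alerts = []
        for r in self.rules:
            if not r.match(pkt):
                continue
            key = (r.sid, getattr(pkt, r.track))
            w = self.windows[key]
            w.append(pkt.ts)
            while w and pkt.ts - w[0] > r.seconds:  # expire matches outside the window
                w.popleft()
            if len(w) > r.count and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"[{r.sid}] {r.msg} ({r.track}={key[1]}, "
                              f"{len(w)} matches in {r.seconds}s)")
        return alerts


def constructed_capture() -> List[Pkt]:
    """Normal pings and web traffic, then an ICMP flood, then a GRE flood."""
    pkts = []
    for i in range(60):      # one 64-byte ping per second
        pkts.append(Pkt(i * 1.0, "icmp", "198.51.100.4", "203.0.113.10", 64))
    for i in range(30):      # a few new HTTPS connections
        pkts.append(Pkt(0.5 + i * 2.0, "tcp", f"198.51.100.{i + 10}", "203.0.113.10", 60, "S"))
    for i in range(300):     # 300 x 1400-byte ICMP packets in half a second, spoofed sources
        pkts.append(Pkt(60.0 + i * 0.0016, "icmp", f"192.0.2.{i % 200}", "203.0.113.10", 1400))
    for i in range(80):      # 80 GRE packets in 0.4 s
        pkts.append(Pkt(70.0 + i * 0.005, "gre", f"192.0.2.{i}", "203.0.113.10", 1200))
    return sorted(pkts, key=lambda p: p.ts)


def run_demo() -> List[str]:
    det = MisuseDetector()
    alerts = []
    for p in constructed_capture():
        alerts.extend(det.feed(p))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The normal pings never trip the ICMP rule because of the size predicate, and the thirty SYNs stay far below the SYN threshold, so exactly two alerts come out, one per flood. Tracking by destination is the practical answer to the spoofing problem noted above: the spoofed sources vary, the victim address does not.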

Intrusion Response (IR)

Upon detection of an ongoing DDoS attack, the intrusion response system (IRS) takes one or more of the following measures. Remember that the aim of the IRS is to mitigate the effect of the attack, ideally by blocking the illegitimate packets completely while leaving legitimate traffic untouched.

Source Identification

Tracing a DDoS attack to its source(s) is the first and one of the most important steps towards defeating it; efficient and early source identification makes it possible to report the crime and thus deters other attackers. The core difficulty is that only the destination address is needed to route a packet, so an attacker can put any address in the source field; this is the source identification (traceback) problem. PHIL, DECIDUOUS and iTrace are three well-known traceback frameworks that are resilient to IP spoofing. DECIDUOUS was one of the earliest IPsec-based mechanisms: it uses the node-to-node authentication of IPsec to establish authenticated tunnels between the victim and every possible node on the path towards the attacker, and the tunnels through which the attack traffic still arrives narrow down where it enters the network. It has several drawbacks: traffic from every node between victim and attacker has to be routed through IPsec tunnels, which reduces the efficiency of the whole network, and every such node must cooperate, otherwise the method fails. PHIL is also IPsec-based and aims to reduce these drawbacks by letting the participating routers set up dynamic IPsec tunnels autonomously.

In the iTrace (ICMP Traceback) mechanism, intermediate routers occasionally (with a low probability, about one in 20,000 forwarded packets in the original proposal) send an ICMP traceback message to the destination alongside a data packet, identifying themselves and the adjacent hops. A flood, by definition, delivers enough packets that the victim soon holds a traceback message from every router on the path and can reconstruct it. It is faster and far less invasive than the IPsec-based approaches, although it still requires router support along the path and the messages must be authenticated so that an attacker cannot inject false ones.
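As an added example (not from the original post or from the iTrace proposal itself), the following Python simulation shows why a flood makes ICMP traceback work: each router on a constructed four-hop path samples forwarded packets with a small probability and reports the link it saw, and the victim chains those reports back into the path. The sampling probability is lowered from the proposed 1/20000 so the demo needs only a few thousand packets; packets_needed() gives the figure for the real probability.

```python
"""Simulation of ICMP traceback (iTrace): routers sample forwarded packets and
send a traceback message to the destination; the victim chains the messages
into the attack path.

Added example, not part of the original post. The path, sampling probability
and message format are simplified assumptions; the original proposal used a
probability of roughly 1/20000 and an authenticated ICMP message.
"""
import math
import random
from typing import Dict, List, Tuple

PATH = ["R1", "R2", "R3", "R4"]      # constructed: attacker side ... R4 -> victim
ORIGIN = "attacker-access-link"      # what R1 sees as the previous hop
VICTIM = "victim"
SAMPLE_PROB = 1 / 200                # lowered from 1/20000 so the demo needs few packets

Traceback = Tuple[str, str, str]     # (router, previous hop, next hop)


def forward(rng: random.Random) -> List[Traceback]:
    """Forward one packet along PATH; each router independently decides whether
    to emit a traceback message describing the link it saw the packet on."""
    hops = [ORIGIN] + PATH + [VICTIM]
    msgs = []
    for i, router in enumerate(PATH, start=1):
        if rng.random() < SAMPLE_PROB:
            msgs.append((router, hops[i - 1], hops[i + 1]))
    return msgs


class TracebackCollector:
    """Victim side: keep the latest link report per router and chain them."""

    def __init__(self) -> None:
        self.links: Dict[str, Tuple[str, str]] = {}

    def receive(self, msg: Traceback) -> None:
        router, prev, nxt = msg
        self.links[router] = (prev, nxt)

    def reconstruct(self) -> List[str]:
        """Walk from the victim back towards the source: find the router whose
        next hop is the current node, repeat, and finish with the previous hop
        reported by the farthest router found."""
        by_next = {nxt: r for r, (_, nxt) in self.links.items()}
        path, cur = [VICTIM], VICTIM
        while cur in by_next:
            cur = by_next[cur]
            path.append(cur)
        if len(path) > 1:
            path.append(self.links[cur][0])
        return path


def trace_flood(n_packets: int, seed: int = 1) -> Tuple[List[str], int]:
    """Return (reconstructed path, number of traceback messages received)."""
    rng = random.Random(seed)
    coll = TracebackCollector()
    received = 0
    for _ in range(n_packets):
        for msg in forward(rng):
            coll.receive(msg)
            received += 1
    return coll.reconstruct(), received


def packets_needed(prob: float, hops: int, confidence: float) -> int:
    """Packets the victim must receive before every one of `hops` routers has
    reported at least once, with the given confidence:
    (1 - (1-p)^n)^hops >= confidence  =>  n >= ln(1 - confidence^(1/hops)) / ln(1-p)."""
    return math.ceil(math.log(1 - confidence ** (1 / hops)) / math.log(1 - prob))


if __name__ == "__main__":
    print(trace_flood(5000))
    print("packets for 99% coverage at p=1/20000 over 4 hops:",
          packets_needed(1 / 20000, 4, 0.99))
```

With the real probability and a four-hop path, about 120,000 packets are enough for 99% coverage; at the packet rates quoted at the top of the post that is a fraction of a second of attack traffic, which is the whole point of iTrace. The weak spot is the last element of the reconstructed path: the "previous hop" of the first router is the attacker's access link, not the attacker, and anything beyond the last cooperating router stays invisible.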

Multi-level rate limiting

Rate limiting is a feature of the Linux firewall (the limit and hashlimit match modules in iptables, or limit rate in nftables) that lets the administrator set an upper bound on the amount of incoming traffic from a particular IP address; traffic belonging to a particular protocol can be bounded the same way. Multi-level rate limiting is an adaptive variant that tightens the limit on the offending source IP(s) or protocol(s) as the attack goes on. For instance, if the default upper bound on GRE packets is 100 pps (packets per second) and GRE traffic during an attack keeps exceeding it, the limiter progressively lowers the GRE bound. Similarly, if an IP address exceeds its bound for a long time, the traffic allowed from that address is reduced step by step, and restored once it behaves again. This method works well together with the IDS, which supplies the IPs and protocols to restrict. Keep in mind that per-source limits only help against sources that cannot be spoofed (established TCP connections, for example); against a spoofed flood the protocol-level bound is what actually protects the server.
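The adaptive behaviour is easiest to see in code. The following Python model, added for this post, keeps a token bucket per key (a source IP or a protocol), steps the allowed rate down while drops keep accumulating and steps it back up after a quiet period. The rates, escalation threshold and cooldown are assumptions; iptables' hashlimit gives you the fixed bucket, and the level changes are what the IRS would do by rewriting the rule when the IDS reports a flood.

```python
"""Multi-level (adaptive) rate limiting: a token bucket per key whose allowed
rate steps down while the key keeps exceeding it and steps back up after a
quiet period.

Added example, not part of the original post. Packet timings are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

LEVELS_PPS = [100, 50, 25, 10]  # level 0 is the normal limit (e.g. for GRE)


@dataclass
class BucketState:
    level: int = 0
    tokens: float = 0.0
    last: float = 0.0
    drops_in_window: int = 0
    window_start: float = 0.0
    last_violation: float = float("-inf")


class MultiLevelLimiter:
    def __init__(self, levels: List[int] = LEVELS_PPS, escalate_after: int = 200,
                 window: float = 1.0, cooldown: float = 30.0):
        self.levels = levels
        self.escalate_after = escalate_after  # drops within `window` that trigger the next level
        self.window = window
        self.cooldown = cooldown              # quiet seconds before stepping one level back up
        self.state: Dict[str, BucketState] = {}

    def allow(self, key: str, ts: float) -> bool:
        st = self.state.get(key)
        if st is None:
            st = self.state[key] = BucketState(tokens=self.levels[0], last=ts, window_start=ts)
        if st.level > 0 and ts - st.last_violation > self.cooldown:
            st.level -= 1                     # de-escalate one level per cooldown period
            st.last_violation = ts
        rate = self.levels[st.level]
        # token bucket with a burst capacity of one second at the current rate
        st.tokens = min(float(rate), st.tokens + (ts - st.last) * rate)
        st.last = ts
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return True
        # dropped: count drops per window and escalate when they pile up
        if ts - st.window_start > self.window:
            st.window_start, st.drops_in_window = ts, 0
        st.drops_in_window += 1
        st.last_violation = ts
        if st.drops_in_window >= self.escalate_after and st.level < len(self.levels) - 1:
            st.level += 1
            st.drops_in_window = 0
            st.tokens = 0.0                   # the new, stricter bucket starts empty
        return False

    def level(self, key: str) -> int:
        return self.state[key].level if key in self.state else 0


def simulate(limiter: MultiLevelLimiter, key: str, pps: int, seconds: int,
             start: float = 0.0) -> List[int]:
    """Offer `pps` evenly spaced packets per second; return packets accepted per second."""
    accepted = [0] * seconds
    for i in range(pps * seconds):
        if limiter.allow(key, start + i / pps):
            accepted[i // pps] += 1
    return accepted


def run_demo() -> Dict[str, object]:
    lim = MultiLevelLimiter()
    flood = simulate(lim, "gre", pps=1000, seconds=10)          # ten times the default limit
    flood_level = lim.level("gre")
    lim.allow("gre", 10.0 + 31.0)                               # one packet after 31 quiet seconds
    legit = simulate(MultiLevelLimiter(), "icmp", pps=50, seconds=5)  # stays under the limit
    return {
        "flood_accepted_per_second": flood,
        "flood_level": flood_level,
        "level_after_cooldown": lim.level("gre"),
        "legit_accepted_per_second": legit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The GRE flood passes well over a hundred packets in its first second (the initial burst plus the refills), after which the limiter has already stepped down to the strictest level and lets through roughly ten per second for the rest of the attack; the well-behaved key is never touched, and one packet after the cooldown moves the flooded key back up a level. Escalating on drops per window rather than on instantaneous rate keeps a single short burst from tightening the limit.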

Class-based Queuing (CBQ)

CBQ is another IRS technique that divides the system's bandwidth into multiple classes (queues), each assigned to certain protocols. For instance, an administrator can allocate 80% of the bandwidth to HTTP(S) traffic, 10% to mail services and 10% to ICMP; a flood of one protocol is then confined to its own class and cannot starve the others. This makes it effective against floods of low-priority protocols such as GRE or ICMP, and it caps the bandwidth a SYN flood can consume, although it does not by itself protect the server's connection table. On Linux, CBQ is implemented by marking packets in the iptables mangle table and building the class tree with the tc command; note that tc shapes outbound traffic, so for inbound floods the policy has to be applied on ingress (by policing, or by redirecting the interface through an IFB device). You can read more about this technique in [2].
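Below is an added Python helper (not from the original post or from [2]) that turns a bandwidth policy like the 80/10/10 split above into the tc and iptables commands for a class-based setup. It uses HTB classes rather than the old cbq qdisc, which has been deprecated in the Linux kernel for years; the interface name, link speed, port lists and class shares are assumptions, and the commands are generated for review, not executed.

```python
"""Generate a class-based queuing setup (HTB classes plus fwmark filters) from a
bandwidth policy.

Added example, not part of the original post. It emits the tc/iptables commands
for you to review and run as root; the interface, link speed and port lists are
constructed assumptions.
"""
from typing import List, Optional, Tuple

# (class name, share of the link in %, iptables match for the server's outbound
#  traffic or None for the default class, may borrow idle bandwidth?)
Policy = List[Tuple[str, int, Optional[str], bool]]

POLICY: Policy = [
    ("web",   80, "-p tcp -m multiport --sports 80,443", True),
    ("mail",  10, "-p tcp -m multiport --sports 25,465,587,993,995", True),
    ("icmp",   8, "-p icmp", False),  # a flood here is capped at 8% and cannot borrow
    ("other",  2, None, False),       # everything unmarked lands here
]


def validate_policy(policy: Policy) -> Optional[str]:
    """Return an error message, or None if the policy is usable."""
    total = sum(share for _, share, _, _ in policy)
    if total != 100:
        return f"shares must sum to 100%, got {total}"
    if sum(1 for _, _, match, _ in policy if match is None) != 1:
        return "exactly one class must have no match (the default class)"
    return None


def htb_ruleset(dev: str, link_mbit: int, policy: Policy = POLICY) -> List[str]:
    err = validate_policy(policy)
    if err:
        raise ValueError(err)
    default_index = next(i for i, (_, _, match, _) in enumerate(policy) if match is None)
    minor = lambda i: 10 * (i + 1)  # class ids 1:10, 1:20, ...
    cmds = [
        f"tc qdisc del dev {dev} root 2>/dev/null || true",
        f"tc qdisc add dev {dev} root handle 1: htb default {minor(default_index)}",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {link_mbit}mbit ceil {link_mbit}mbit",
    ]
    for i, (name, share, match, borrow) in enumerate(policy):
        rate = link_mbit * share // 100
        ceil = link_mbit if borrow else rate   # no borrowing: the class is hard-capped
        cmds.append(f"tc class add dev {dev} parent 1:1 classid 1:{minor(i)} htb "
                    f"rate {rate}mbit ceil {ceil}mbit prio {i + 1}  # {name}")
        cmds.append(f"tc qdisc add dev {dev} parent 1:{minor(i)} handle {minor(i)}: fq_codel")
        if match is not None:
            mark = i + 1
            cmds.append(f"iptables -t mangle -A OUTPUT {match} -j MARK --set-mark {mark}")
            cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio {mark} "
                        f"handle {mark} fw flowid 1:{minor(i)}")
    return cmds


if __name__ == "__main__":
    print("\n".join(htb_ruleset("eth0", 100)))
```

The icmp class has its ceil equal to its rate, so an ICMP flood stays inside its 8% slice while web and mail keep borrowing whatever is idle. Because tc shapes egress, attach the same class tree to an IFB device that ingress traffic is redirected to if the policy is meant to contain inbound floods.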


  1. DDoS Attacks and Defenses course on Coursera by Prof. Edward Chow
  3. Krebs on Security: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  4. On Network-Layer Packet Traceback: Tracing Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks. [link]
  5. Entropy-based Anomaly Detection System to Prevent DDoS Attacks in Cloud, Navaz et al. [link]
  6. Denial of Service Attacks and the Emergence of "Intrusion Prevention Systems", Adrian Brindley [link]
  7. DDoS protection strategies [link]