Distributed Denial of Service (DDoS) Attacks
Distributed Denial of Service (DDoS) Attacks
DDoS attacks remain one of the most disruptive threats to web servers, attempting to overwhelm resources and make services unavailable to legitimate users. Modern DDoS attacks employ sophisticated techniques, often combining multiple attack vectors simultaneously to bypass simple defenses.
Volume-based attacks flood servers with massive amounts of traffic, exhausting bandwidth or processing capacity. These include UDP floods, ICMP floods, and amplification attacks that exploit services like DNS or NTP to multiply attack traffic. Firewalls defend against volume attacks through rate limiting and traffic validation:
# iptables rules for DDoS mitigation
# Limit ICMP packets
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
# Limit connections per IP
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above 50 -j REJECT
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 20/s --limit-burst 50 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
Protocol attacks exploit weaknesses in network protocols to consume server resources. SYN floods, fragmented packet attacks, and Slowloris attacks fall into this category. Implementing SYN cookies and connection state tracking helps defend against these attacks:
# Advanced DDoS detection script
import collections
import time
import ipaddress
class DDoSDetector:
def __init__(self):
self.connection_tracker = collections.defaultdict(list)
self.blocked_ips = set()
self.thresholds = {
'connections_per_second': 50,
'connections_per_minute': 1000,
'syn_per_second': 100,
'concurrent_connections': 200
}
def analyze_packet(self, packet):
src_ip = packet['source_ip']
timestamp = time.time()
# Track connections
self.connection_tracker[src_ip].append(timestamp)
# Clean old entries
self.connection_tracker[src_ip] = [
t for t in self.connection_tracker[src_ip]
if timestamp - t < 60
]
# Check thresholds
connections = len(self.connection_tracker[src_ip])
if connections > self.thresholds['connections_per_minute']:
self.block_ip(src_ip, 'Exceeded connection rate limit')
return 'blocked'
# Check for SYN flood
if packet.get('flags') == 'SYN':
syn_count = sum(1 for t in self.connection_tracker[src_ip][-100:]
if timestamp - t < 1)
if syn_count > self.thresholds['syn_per_second']:
self.block_ip(src_ip, 'SYN flood detected')
return 'blocked'
return 'allowed'
def block_ip(self, ip, reason):
self.blocked_ips.add(ip)
# Add to firewall blocklist
os.system(f'iptables -A INPUT -s {ip} -j DROP')
print(f"Blocked {ip}: {reason}")
Application layer attacks target web application resources rather than network bandwidth. HTTP floods, cache-busting attacks, and resource exhaustion attacks require application-aware defenses:
# Nginx rate limiting configuration
http {
# Define rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
# Connection limiting
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
# Apply rate limits
location / {
limit_req zone=general burst=20 nodelay;
limit_conn addr 10;
}
location /login {
limit_req zone=login burst=5;
limit_conn addr 2;
}
location /api/ {
limit_req zone=api burst=200;
limit_conn addr 50;
}
# Cache static content to reduce load
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
}
}