Distributed denial-of-service (DDoS)

What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks are effective because they use many compromised computer systems as sources of attack traffic, so the flood arrives from thousands of addresses at once rather than from a single source that could simply be blocked. Exploited machines can include computers and other networked resources, such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

How does a DDoS attack work?

A DDoS attack requires an attacker to gain control of a network of online machines in order to carry out an attack. Computers and other machines (such as IoT devices) are infected with malware, turning each one into a bot (or zombie). The attacker then has remote control over the group of bots, which is called a botnet.

Once a botnet has been established, the attacker is able to direct the machines by sending updated instructions to each bot via a method of remote control. When the IP address of a victim is targeted by the botnet, each bot will respond by sending requests to the target, potentially causing the targeted server or network to overflow capacity, resulting in a denial of service to normal traffic. Because each bot is a legitimate internet device, separating the attack traffic from normal traffic can be difficult.

What are common types of DDoS attacks?

Different DDoS attack vectors target varying components of a network connection. In order to understand how different DDoS attacks work, it is necessary to know how a network connection is made. A network connection on the internet is composed of many different components or “layers.” Like building a house from the ground up, each step in the model has a different purpose. The OSI model is a conceptual framework used to describe network connectivity in seven distinct layers.

While nearly all DDoS attacks involve overwhelming a target device or network with traffic, attacks can be divided into three categories: application layer attacks (Layer 7, such as HTTP floods that exhaust the resources of the server building responses), protocol attacks (Layers 3 and 4, such as SYN floods that exhaust connection state in servers, firewalls and load balancers) and volumetric attacks (such as DNS amplification, which consume all available bandwidth between the target and the wider internet). An attacker may use one or several attack vectors at once, or cycle between vectors in response to countermeasures taken by the target.

What is the process for mitigating a DDoS attack?

In the modern internet, DDoS traffic comes in many forms. The traffic can vary in design from un-spoofed, single-source attacks to complex and adaptive multi-vector attacks. A multi-vector DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways, potentially distracting mitigation efforts on any one trajectory. An attack that targets multiple layers of the protocol stack at the same time, such as a DNS amplification (targeting Layers 3 and 4) coupled with an HTTP flood (targeting Layer 7) is an example of multi-vector DDoS.

Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter different trajectories. Generally speaking, the more complex the attack, the more likely the traffic will be difficult to separate from normal traffic – the goal of the attacker is to “blend in” as much as possible, making mitigation as inefficient as possible. Mitigation attempts that involve dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the attack may also modify and adapt to circumvent countermeasures. In order to overcome a complex attempt at disruption, a layered solution will give the greatest benefit.
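The point about indiscriminate mitigation throwing good traffic out with the bad is easy to see on a small sample. The following Python script is an added example (not code from the original page): it runs a sliding-window limiter over a constructed access log in two ways, once per source address and once as a single global budget, and counts how many legitimate requests each policy drops. The log lines, addresses (documentation ranges) and thresholds are all constructed assumptions for illustration.

```python
"""Separating flood traffic from legitimate traffic (added example, not code
from the original page). Log lines, thresholds and addresses are constructed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0    # assumed sliding-window length
PER_SOURCE_LIMIT = 5    # assumed requests allowed per source per window
GLOBAL_LIMIT = 12       # assumed total requests per window for the blunt limiter
ATTACKER = "203.0.113.10"   # the constructed flooding source

# Constructed access log: "<seconds> <source ip> <method> <path>". One source
# fires 20 requests in under a second; three other visitors each make a single
# ordinary request in the same second.
SAMPLE_LOG = """
1000.00 203.0.113.10 GET /
1000.05 203.0.113.10 GET /
1000.10 203.0.113.10 GET /
1000.15 203.0.113.10 GET /
1000.20 203.0.113.10 GET /
1000.25 203.0.113.10 GET /
1000.30 203.0.113.10 GET /
1000.35 203.0.113.10 GET /
1000.40 203.0.113.10 GET /
1000.45 203.0.113.10 GET /
1000.50 203.0.113.10 GET /
1000.55 203.0.113.10 GET /
1000.60 203.0.113.10 GET /
1000.65 203.0.113.10 GET /
1000.70 203.0.113.10 GET /
1000.75 203.0.113.10 GET /
1000.80 203.0.113.10 GET /
1000.85 203.0.113.10 GET /
1000.90 203.0.113.10 GET /
1000.95 203.0.113.10 GET /
1000.33 198.51.100.7 GET /index.html
1000.66 198.51.100.8 GET /about
1000.92 198.51.100.9 GET /contact
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, src_ip, method, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, method, path = line.split()
            events.append((float(ts), src, method, path))
    return sorted(events, key=lambda ev: ev[0])


def _sliding_window_limit(events, window, limit, key):
    """Allow at most `limit` events per `key(ev)` bucket in any `window` seconds."""
    recent = defaultdict(deque)
    allowed, dropped = [], []
    for ev in events:
        ts = ev[0]
        q = recent[key(ev)]
        while q and ts - q[0] >= window:
            q.popleft()             # forget events that have left the window
        if len(q) >= limit:
            dropped.append(ev)
        else:
            q.append(ts)
            allowed.append(ev)
    return allowed, dropped


def per_source_limit(events, window=WINDOW_SECONDS, limit=PER_SOURCE_LIMIT):
    """Limit each source IP on its own: the flooding source is throttled while
    unrelated visitors are untouched."""
    return _sliding_window_limit(events, window, limit, key=lambda ev: ev[1])


def global_limit(events, window=WINDOW_SECONDS, limit=GLOBAL_LIMIT):
    """Indiscriminate limit on total traffic: once the flood has used up the
    budget, legitimate requests are dropped along with it."""
    return _sliding_window_limit(events, window, limit, key=lambda ev: "all")


def collateral(dropped, attacker):
    """Number of dropped requests that did not come from the attacking source."""
    return sum(1 for ev in dropped if ev[1] != attacker)


def offending_sources(dropped):
    """Sources that were throttled at all, i.e. the candidates to block outright."""
    return {ev[1] for ev in dropped}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for name, fn in (("per-source", per_source_limit), ("global", global_limit)):
        allowed, dropped = fn(events)
        print("%-10s allowed=%d dropped=%d legitimate dropped=%d"
              % (name, len(allowed), len(dropped), collateral(dropped, ATTACKER)))
```

With these inputs the per-source policy drops fifteen of the attacker's requests and none of the visitors', while the global budget is filled by the flood and then discards two of the three legitimate requests as well. A single-source flood like this is the easy case; a botnet spreads the same volume over thousands of addresses so that no single source exceeds a per-source threshold, which is why real mitigation layers per-source limits with other signals rather than relying on any one of them.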

Web application firewall (WAF)

What is a web application firewall?

A web application firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. It typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection, among others. A WAF is a Layer 7 (application layer) defense in the OSI model and is not designed to defend against all types of attacks; it cannot, for example, stop a volumetric flood that saturates the network link upstream of it. This method of attack mitigation is usually one part of a suite of tools which together create a holistic defense against a range of attack vectors.

By deploying a WAF in front of a web application, a shield is placed between the web application and the internet. While a proxy server protects a client machine’s identity by using an intermediary, a WAF is a type of reverse proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server.

A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities within the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.

What is the difference between blacklist and whitelist WAFs?

A WAF that operates based on a blacklist (negative security model) protects against known attacks. Think of a blacklist WAF as a club bouncer instructed to deny admittance to any guests who don’t meet the dress code. Conversely, a WAF based on a whitelist (positive security model) only admits traffic that has been pre-approved. This is like the bouncer at an exclusive party; he or she only admits people who are on the list. Both blacklists and whitelists have their advantages and drawbacks, which is why many WAFs offer a hybrid security model, which implements both.
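The trade-off between the two models is clearer when both are run over the same requests. The Python script below is an added example, not code from the original page or from any WAF product: it implements a tiny policy engine with a handful of negative signatures, a positive allowlist of endpoints and parameter shapes, and a hybrid mode that enforces the allowlist where one exists and falls back to signatures elsewhere. The rules, the endpoints and the sample requests are constructed; the signature set is deliberately small.

```python
"""Toy WAF policy engine: negative (blacklist), positive (whitelist) and hybrid
models. Added example, not the original page's code nor any vendor's; rules,
endpoints and sample requests are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative model: signatures for known attack patterns. Real rule sets are far
# larger and still only cover attacks someone has already seen.
NEGATIVE_RULES = [
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon\w+\s*=", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]

# Positive model: the only requests the application is supposed to receive,
# with a shape rule (matched in full) for every accepted parameter.
POSITIVE_RULES = {
    ("GET", "/"): {},
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z0-9_]{3,32}"),
                         "pass": re.compile(r".{8,128}")},
}


def normalize(value):
    """Percent-decode until stable so double-encoded payloads cannot slip past
    the signatures (an evasion every real WAF has to handle)."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded


def parse_request(method, target, body=""):
    """Turn a request line and optional form body into method, path, params."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    return {"method": method, "path": unquote(parts.path), "params": params}


def negative_check(req):
    """Names of every signature matching the path or any parameter value."""
    fields = [normalize(req["path"])] + [normalize(v) for _, v in req["params"]]
    return [name for name, rx in NEGATIVE_RULES if any(rx.search(f) for f in fields)]


def positive_check(req):
    """Why the request is off the allowlist, or None if it conforms."""
    schema = POSITIVE_RULES.get((req["method"], req["path"]))
    if schema is None:
        return "no rule for %s %s" % (req["method"], req["path"])
    for name, value in req["params"]:
        if name not in schema:
            return "unexpected parameter %s" % name
        if not schema[name].fullmatch(normalize(value)):
            return "parameter %s fails its shape rule" % name
    return None


def evaluate(req, mode):
    """Return ("allow" or "block", detail) under the chosen security model."""
    hits = negative_check(req)
    reason = positive_check(req)
    if mode == "negative":           # the bouncer with a dress code
        return ("block", hits) if hits else ("allow", None)
    if mode == "positive":           # the bouncer with a guest list
        return ("block", reason) if reason else ("allow", None)
    if mode == "hybrid":             # guest list where one exists, dress code elsewhere
        if hits:
            return ("block", hits)
        if (req["method"], req["path"]) in POSITIVE_RULES and reason:
            return ("block", reason)
        return ("allow", None)
    raise ValueError("unknown mode %r" % mode)


# Constructed sample requests: (method, target, form body).
SAMPLE_REQUESTS = [
    ("GET", "/search?q=running+shoes", ""),
    ("POST", "/login", "user=alice&pass=correct-horse-battery"),
    ("GET", "/search?q=%27+or+%271%27%3D%271", ""),                        # classic tautology
    ("GET", "/search?q=%27%20OR%20sleep(5)%3D%27", ""),                    # not in the signatures
    ("GET", "/search?q=%253Cscript%253Ealert(1)%253C/script%253E", ""),    # double-encoded XSS
    ("GET", "/search?q=shoes&debug=1", ""),                                # parameter tampering
    ("GET", "/admin/export?format=csv", ""),                               # endpoint nobody listed
]


def run(mode):
    """Verdict for every sample request under one model, in list order."""
    return [evaluate(parse_request(*r), mode)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for mode in ("negative", "positive", "hybrid"):
        print("%-8s %s" % (mode, run(mode)))
```

Run it and the two failure modes of each approach appear side by side: the negative model lets through the injection that none of its signatures describes and the unlisted `debug` parameter, while the positive model blocks the `/admin/export` request simply because nobody wrote a rule for it. The hybrid mode keeps the strict allowlist on the endpoints it knows and still screens the unknown endpoint for known attack patterns, which is the usual reason a product offers both.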

Content delivery network (CDN)

What is a content delivery network?

A content delivery network (CDN) refers to a geographically distributed group of servers which work together to provide fast delivery of internet content. A CDN allows for the quick transfer of assets needed for loading internet content including HTML pages, JavaScript files, stylesheets, images and videos. The popularity of CDN services continues to grow, and today the majority of web traffic is served through CDNs.

How does a CDN work?

At its core, a CDN is a network of servers linked together with the goal of delivering content as quickly, cheaply, reliably and securely as possible. In order to improve speed and connectivity, a CDN will place servers at the exchange points between different networks. These internet exchange points (IXPs) are the primary locations where different internet providers connect in order to provide each other access to traffic originating on their different networks. By having a connection to these high-speed and highly interconnected locations, a CDN provider is able to reduce costs and transit times in high-speed data delivery.

How does a CDN improve website load times?

When it comes to websites loading content, users drop off quickly as a site slows down. The globally distributed nature of a CDN means reduced distance between users and website resources. Instead of having to connect to wherever a website’s origin server may live, a CDN lets users connect to a geographically closer data center. Less travel time means faster service.

Domain Name System (DNS)

What is DNS?

The Domain Name System (DNS) is the phonebook of the internet. People access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load internet resources.

Each device reachable on the internet has an IP address, which other machines use to find it. DNS eliminates the need to memorize IP addresses such as 192.0.2.1 (IPv4) or the longer hexadecimal form 2400:cb00:2048:1::c629:d7a2 (IPv6).

How does DNS work?

The process of DNS resolution involves converting a host name (such as www.ibm.com) into a computer-friendly IP address (such as 192.0.2.1). An IP address is given to each device on the internet, and that address is necessary to find the appropriate internet device, just as a street address is used to find a particular home. When a user wants to load a web page, a translation must occur between what the user types into the web browser (example.com) and the machine-friendly address necessary to locate the example.com web page.

In order to understand the process behind DNS resolution, it’s important to learn about the different components a DNS query passes through: the stub resolver on the client, a recursive resolver, and the root, top-level domain (TLD) and authoritative name servers. For the web browser, the DNS lookup occurs “behind the scenes” and requires nothing from the user’s computer beyond sending the initial query and receiving the answer.

What is a DNS resolver?

The DNS resolver is the first stop in the DNS lookup, and it is responsible for dealing with the client that made the initial request. It is typically run by the user’s ISP or network operator, or is a public resolver service. The resolver starts the sequence of queries that ultimately leads to the hostname in a URL being translated into the necessary IP address.

Note: A typical uncached DNS lookup will involve both recursive and iterative queries.

It's important to differentiate between a recursive DNS query and a recursive DNS resolver. A recursive query is the request a client sends to a resolver asking for a complete answer: the resolver must come back with the record (or an error), not with a referral to ask somewhere else. A recursive resolver is the server that accepts such a query and obtains the answer on the client’s behalf, typically by issuing a chain of iterative queries to the root, TLD and authoritative name servers, each of which answers only with what it knows: a record, or a referral to the next server down the tree. Answers are cached, so repeat lookups for the same name are served locally without repeating the chain.
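The distinction between the two kinds of query is easiest to see in a simulation that plays both roles. The Python script below is an added example, not code from the original page: a stub resolver sends one recursive query, and the recursive resolver answers it by walking a chain of iterative queries from the root through the TLD server to the authoritative server, caching the result and refusing referrals that fall outside the zone it was delegated to. Every server, zone, name and address is constructed from documentation ranges; nothing on the network is contacted.

```python
"""Simulated DNS resolution: one recursive query from a client, answered by a
resolver that issues iterative queries to root, TLD and authoritative servers.
Added example, not code from the original page; all data below is constructed."""

ROOT_HINTS = ["192.0.2.1"]   # constructed stand-in for the real root hints file

# Constructed authoritative data. Each server answers only for its own zone:
# an ANSWER for names it holds, or a REFERRAL (delegation plus glue address)
# toward the server one step further down the tree. No server recurses.
SERVERS = {
    "192.0.2.1": {"zone": ".", "records": {},
                  "referrals": {"com.": ("ns.com-tld.example.", "192.0.2.2")}},
    "192.0.2.2": {"zone": "com.", "records": {},
                  "referrals": {"example.com.": ("ns1.example.com.", "192.0.2.3")}},
    "192.0.2.3": {"zone": "example.com.", "referrals": {},
                  "records": {"www.example.com.": "203.0.113.10",
                              "example.com.": "203.0.113.20"}},
}


def under(name, zone):
    """True if `name` lies inside `zone` (everything lies under the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query_server(server_ip, qname):
    """One iterative query: the server returns what it knows and nothing more."""
    srv = SERVERS[server_ip]
    if qname in srv["records"]:
        return "ANSWER", srv["records"][qname]
    labels = qname.split(".")
    for i in range(len(labels) - 1):   # www.example.com. -> example.com. -> com.
        cut = ".".join(labels[i:])
        if cut in srv["referrals"]:
            return "REFERRAL", (cut,) + srv["referrals"][cut]
    return "NXDOMAIN", None


class RecursiveResolver:
    """Accepts recursive queries and does the legwork on the client's behalf."""

    def __init__(self):
        self.cache = {}
        self.trace = []        # every step taken, kept for inspection

    def resolve(self, qname):
        if qname in self.cache:
            self.trace.append(("cache", qname))
            return self.cache[qname]
        server_ip, zone_cut = ROOT_HINTS[0], "."
        for _ in range(8):     # bound the referral chain so a loop cannot hang us
            kind, data = query_server(server_ip, qname)
            self.trace.append(("iterative", server_ip, qname, kind))
            if kind == "ANSWER":
                self.cache[qname] = data
                return data
            if kind != "REFERRAL":
                return None
            cut, _ns_name, ns_ip = data
            # Bailiwick check: a server may only delegate names inside the zone
            # we asked it about; anything else is treated as possible poisoning.
            if not under(cut, zone_cut):
                raise ValueError("out-of-bailiwick referral %s from %s" % (cut, server_ip))
            server_ip, zone_cut = ns_ip, cut
        raise RuntimeError("referral chain too long for %s" % qname)


def stub_lookup(resolver, hostname):
    """The client side: one recursive query, then wait for a complete answer."""
    qname = hostname if hostname.endswith(".") else hostname + "."
    return resolver.resolve(qname)


if __name__ == "__main__":
    resolver = RecursiveResolver()
    for host in ("www.example.com", "www.example.com", "nope.example.com"):
        print(host, "->", stub_lookup(resolver, host))
    for step in resolver.trace:
        print("  ", step)
```

The first lookup produces three iterative queries (two referrals, then an answer); the second is served from the cache with no queries at all, which is the behaviour the note above describes. The bailiwick check is the one piece of defensive logic worth carrying into any real implementation: without it, a server answering for one zone could plant records for another in the resolver's cache.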
