Ref: https://learn.cantrill.io/courses/2022818/lectures/45642191

YouTube: https://www.youtube.com/watch?v=gktp5tGP_6U

• Summary:
• Contents:

DDoS attacks - Overview

• 🔧 Goal: overload websites/web services with a lot of traffic
  • Malicious traffic competes against legitimate connections & overloads infrastructure
  • 💡 Analogy: adding lots of people to a store queue that don't need anything and just waste staff's time → the store staff can't serve the actual customers very well
• ‼️ Distributed nature → big challenge for defender!
  • Many distributed devices involved → hard to identify & block individual IPs/ranges
  • Can NOT be combated with normal NW protection (single IP address blocks)
    • Many IPs to block… which could also block IPs of your user base
• 3 categories
  • Application layer attack (e.g. HTTP flood)
  • Protocol attack (e.g. SYN flood)
  • Volumetric attack (e.g. DNS amplification)
• Often orchestrated by a few people, who control huge botnets
  • Botnet = lots of devices with malware, usually distributed geographically
    • ❗ Owners of the hosts/devices usually unaware that they're part of a DDoS attack

Normal functioning of a web application (example)

• Servers provide website functionality
  • Have capacity buffer or autoscaling capabilities
• Data connection to public internet, with limits on speed, BW and connections
• Users connect to servers via mobile app → 99.9+% of connections are legit (normally)
• Diagram of the normal functioning a typical web application

Types of DDoS attacks

DDoS - Application Layer Attack

• 🔧 Exploits computational processing imbalance in client-server communications
  • e.g. HTTP flood → easy for client to request a web page (small GET request), but often computationally expensive for server to deliver requested page (big response)
  • 💡 Like hand grenades: easy to throw, but difficult to deal with for receiving end