DDOS ATTACK: The Definitive Guide
Page | 1
DDOS ATTACK:
The Definitive Guide
About the Author
Hey guys, it’s Aayush here.
I’m the founder of two online media and news reporting publishers, TechApprise [1] and BizApprise [2].
Unlike most so-called cybersecurity [3] “experts”, I publish what I preach.
And in this ultimate guide, I’ve covered everything about Distributed Denial of Service (DDoS) attacks: what DDoS attacks are, their types, their major causes, how to detect them and how to mitigate a DDoS attack.
So, keep reading till the end.
[1] TechApprise – Power On Your Side, dated July 14th, 2020, accessible from: https://www.techapprise.com/
[2] BizApprise – Entrepreneurship and Business Reporting, dated July 14th, 2020, accessible from: https://bizapprise.com/
[3] Cyber Security, dated July 14th, 2020, accessible from: https://www.techapprise.com/category/cybersecurity/
A Distributed Denial of Service (DDoS) attack is a coordinated attack carried out using a large group of compromised, malware-infected machines, called zombies or bots, which send coordinated traffic to the victim and exhaust its network resources. The attackers aim to overwhelm, bombard and exhaust the victim’s resources, such as CPU, memory or link bandwidth, by sending mass requests from the botnet. As a result, the network or website goes down and is unable to accept and serve users’ requests; the victim can no longer respond to incoming traffic.
DDoS attacks are catastrophic and can bring down a server or network very quickly. To launch a DDoS attack, the attacker builds (or rents) a network of compromised hosts, a botnet.
A botnet is a large group of malware-infected machines, also referred to as zombies, to which the attacker sends the commands to perform the attack. Bots are controlled using a botnet architecture and a command-and-control system, which may be based on Peer-to-Peer (P2P), Internet Relay Chat (IRC), Hyper Text Transfer Protocol (HTTP) or Domain Name System (DNS).
One can easily find and rent botnets on the black market to perform a DDoS attack.
The attacker also takes advantage of these compromised hosts (collectively forming the botnet) to gather security-related information. In a DDoS attack, the victim can range from a single web server to the Internet connection of an entire university, an entire city or even an entire country.
Generally, four players participate in a successful DDoS attack:
(i) THE ATTACKER
(ii) THE HANDLERS
(iii) THE AGENTS
(iv) THE VICTIM
The master, or attacker, initially attempts to bring some hosts in a network under its control by compromising them.
The handlers are malicious software (malware) residing on remote machines that are used by the attacker. The purpose of placing a set of victimized computers (handlers) between the attacker and the attack is mainly to reduce the possibility of tracing the attack back to the attacker (the client).
The agents, the third set of players, are the ones that actually perform the attack. They typically consist of software on compromised machines through which the attack traffic is generated.
Finally, the victim, the fourth player, may be a single target machine, a server or a network of many machines.
A DDoS attack is considered more damaging than a DoS attack, and it usually takes more planning and diligence to initiate. A DDoS attack mainly involves four steps, described below.
Step 1 – RECRUITING
In this step, the attacker scans the network to find and recruit vulnerable hosts.
Step 2 – EXPLOITATION
The vulnerable hosts are then compromised by the attacker using malicious programs such as malware, Trojans or other backdoor programs.
Step 3 – INFECTION
The attacker infects the compromised hosts to create a base for the effective launching of the attack.
Step 4 – EXECUTION OR ATTACK
Finally, in the last stage, the attack is launched using the compromised hosts.
DDoS attacks are classified by various researchers in different ways, following different criteria. The following subsections present DDoS attack types based on the Open Systems Interconnection (OSI) layer at which the attack is launched, the volume of traffic generated, and the rate at which the attack takes place.
LAYER SPECIFIC DDOS ATTACKS
DDoS attacks can be classified into seven categories based on the seven layers of the OSI model. For a better understanding, have a look at the various network layers.
DDoS attacks in layer 1, the physical layer, include cutting cables, jamming, power surges (high-voltage attacks) and even Electromagnetic Pulse (EMP) attacks, which result in the destruction of electronic equipment over a wide area.
In layer 2, the data link layer, the attacks are generally MAC spoofing and MAC flooding.
In layer 3, the network layer, there are two main attacks: ICMP floods and Teardrop (overlapping IP fragments).
Layer 4, the transport layer, has many types of DDoS attacks: SYN flood, RST flood, FIN flood, window size 0 (which behaves like Slowloris), connect attack, LAND (same IP as source and destination), ICMP echo and UDP flooding.
In a network or transport layer attack, the attacker tries to exhaust resources such as the bandwidth of the links which carry traffic to the victim, or the memory of devices such as routers, switches and firewalls. To achieve this objective, the zombies send huge amounts of layer 3 and layer 4 traffic to the victim.
Such an attack is normally large in volume, ranging from a few Mbps to several hundred Gbps or even Tbps. Different protocols such as Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) are used in such an attack.
In layer 5, the session layer, the major known attack is Slowloris.
In layer 6, the presentation layer, there are XML attacks, in which the attacker sends malformed or altered XML that breaks the parser, along with expensive repeated queries.
In layer 7, the application layer, the attacker uses application layer protocols such as HTTP and HTTPS to send traffic to the victim. Such traffic normally carries CPU-intensive queries to the server and keeps it busy indefinitely.
The volume of traffic needed to take a server down is comparatively lower than for the other type, i.e., a network layer attack. The traffic in an application layer attack is indistinguishable from legitimate traffic, making it very difficult to detect, as every attacking device is a genuine Internet device with an IP address.
DIRECT AND REFLECTOR BASED DDOS ATTACK
In a DDoS attack, it is not always the zombies that send attack traffic to the victim. Servers running UDP-based services are often used by attackers to carry out massive DDoS attacks; such servers are used as reflectors by the attacker. Based on the nature of the attacking machines, DDoS attacks are classified into two categories: (1) direct and (2) reflector-based.
• DIRECT DDOS ATTACK
In a direct attack, the attacker uses zombies directly to launch DDoS attacks of various types. In contrast, in a reflection or amplification attack, many innocent intermediate nodes, known as reflectors, are used to generate the attack. The attacker sends requests to the reflector servers with the source IP spoofed to be the victim’s IP.
As a result, these servers reply to the victim with messages whose volume is normally many times larger than the original request size. Hence, this type of DDoS attack is also called an amplification attack. The attacker uses this technique to amplify the attack traffic up to several hundred times. DNS amplification attacks and Network Time Protocol (NTP) amplification attacks are examples of reflection-based DDoS attacks.
• INDIRECT DDOS ATTACK
One can also classify DDoS attacks based on whether the attack traffic is sent to the victim directly or through intermediaries. In a direct attack, the attacker sends the attack traffic directly to the victim using many compromised machines. In contrast, in an indirect DDoS attack, the attacker, instead of attacking the victim directly, attacks the links and other services that the victim depends on to remain functional. Link-flooding attacks such as Crossfire and Coremelt are examples of indirect DDoS attacks.
HIGH AND LOW RATE DDOS ATTACK
DDoS attacks can also be classified based on the volume of attack traffic, as low-rate and high-rate.
In a low-rate DDoS attack, the attacker usually sends attack traffic at a low rate matching the legitimate traffic profile. For example, in an application layer attack, the attacker tries to exhaust the victim’s processing resources by sending it CPU-intensive queries. Similarly, in a shrew attack, the volume of the attack traffic is comparatively low.
In a high-rate DDoS attack, the attacker sends a huge volume of attack traffic toward the victim. It is the most common type of DDoS attack. High-rate legitimate traffic, sometimes called a flash crowd, is often mistaken for a DDoS flooding attack, resulting in the dropping of legitimate user requests.
However, as has been pointed out, a flash crowd can be distinguished from malicious traffic by observing the rate at which new IP addresses appear over a sequence of time intervals. In a flash crowd, new IP addresses appear suddenly, resembling a flooding attack, but the rate at which new IP addresses are introduced drops after some time, even though the high request rate from legitimate users may persist.
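Worked example (added here; not code from the original guide): the new-IP heuristic just described, implemented over a constructed request trace. Two traces are built inline, a flash crowd (800 visitors arrive over the first two intervals and then keep browsing) and a flood in which every packet carries a never-seen source, and `classify` compares how many new sources appear early versus late in the high-rate period. The traces, the 10-second interval and the thresholds are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed traces (not captured data): each event is (timestamp_seconds, src_ip).
def _ip(n):
    """Synthetic source address: 10.0.0.0 plus n."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address("10.0.0.0")) + n))

def flash_crowd_trace(interval=10, intervals=6):
    """500 visitors arrive in interval 0 and 300 more in interval 1; afterwards
    all 800 keep browsing at two requests per interval each, so the request
    rate stays high while no new sources appear."""
    events, known = [], []
    for b in range(intervals):
        arrivals = {0: 500, 1: 300}.get(b, 0)
        known += [_ip(len(known) + i) for i in range(arrivals)]
        for j, ip in enumerate(known):
            for k in range(2):
                events.append((b * interval + (j + k) % interval, ip))
    return events

def flood_trace(interval=10, intervals=6, per_interval=1000):
    """Every packet carries a source never seen before (spoofed or a very large
    botnet), so the new-source rate stays as high as the request rate."""
    return [(b * interval + i % interval, _ip(100000 + b * per_interval + i))
            for b in range(intervals) for i in range(per_interval)]

def rate_per_interval(events, interval):
    """Per interval: (interval_start, request_count, sources_seen_for_first_time)."""
    seen, requests, new_ips = set(), defaultdict(int), defaultdict(int)
    for ts, ip in sorted(events):
        bucket = int(ts // interval)
        requests[bucket] += 1
        if ip not in seen:
            seen.add(ip)
            new_ips[bucket] += 1
    return [(b * interval, requests[b], new_ips[b]) for b in sorted(requests)]

def classify(stats, hot_requests, settle_ratio=0.25):
    """Apply the heuristic from the text over the high-rate intervals: if new
    sources stop appearing in the later half of the surge while the request
    rate stays high, it is a flash crowd; if they keep appearing, a flood."""
    hot = [(req, new) for _, req, new in stats if req >= hot_requests]
    if len(hot) < 2:
        return "normal"
    half = len(hot) // 2
    early_new = sum(new for _, new in hot[:half])
    late_new = sum(new for _, new in hot[half:])
    if early_new == 0:
        return "flood" if late_new > 0 else "flash-crowd"
    return "flash-crowd" if late_new <= settle_ratio * early_new else "flood"

if __name__ == "__main__":
    for name, trace in (("flash crowd", flash_crowd_trace()), ("flood", flood_trace())):
        stats = rate_per_interval(trace, 10)
        print(name, [(r, n) for _, r, n in stats], "->", classify(stats, 1000))
```

Note that this heuristic only separates the two cases once enough high-rate intervals have elapsed to compare an early and a late half; a detector that has to act within the first interval cannot rely on it alone.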
ATTACK BASED ON RATE AT WHICH ATTACK TAKES PLACE
In addition to the classification mentioned above, DDoS attacks can be
classified based on other traffic characteristics, such as the dynamics of the
attack traffic rate.
(a) CONSTANT RATE ATTACK
The attack rate reaches its maximum within a very short period. All zombies,
after receiving a command from an attacker, start sending attack traffic at a
constant rate. This type of attack creates a sudden packet flood at the victim
end.
(b) INCREASING RATE ATTACK
Instead of attacking the victim with full force instantly, the attacker gradually increases the traffic intensity toward the victim. The increasing rate approach is adopted by the attacker to learn the victim’s response to attack traffic, so that the attacker can attempt to evade the victim’s detection mechanisms.
(c) PULSING ATTACK
In this type of attack, the attacker activates a group of bots periodically to send attack traffic to the victim. Such a mechanism is used to remain undetected by a detection mechanism. Shrew is an example of a pulsing rate DDoS attack: it sends short synchronized bursts of traffic to disrupt TCP connections on the same link, exploiting a weakness in the TCP retransmission timeout mechanism.
(d) SUBGROUP ATTACK
As in the case of a pulsing rate attack, here also the attacker sends pulses of
attack traffic to the victim. However, the zombies are divided into groups and
these groups are activated and deactivated in different combinations. Such a
subgroup attack approach is used by the attacker to remain disguised and carry
on the attack for a longer period.
Here is the list of the most common DDoS attacks.
1. SYN FLOOD DDOS ATTACK
This type of attack aims to take advantage of a weakness in the TCP connection sequence (the three-way handshake).
The attacker sends a mass of SYN requests to the victim’s server, which exhausts the limited number of connection slots and overloads them, ultimately resulting in denial of service.
2. NTP AMPLIFICATION
In this attack, the attacker aims to bombard the victim’s network resources by having the reflected response amplified to many times the size of the original request. The larger the response, the more resources it consumes, ultimately resulting in denial of service.
3. SLOWLORIS
In a Slowloris attack, the client opens a connection and sends a request; the listener opens a socket and a new connection is established, then another, and then another, and so on.
The attacker exploits the process-based connection model by opening several concurrent connections and holding them open for as long as possible with the least amount of bandwidth possible, ultimately resulting in denial of service.
4. PING OF DEATH
In a ping of death attack, a large IP packet that has to be transferred is split into multiple small fragments, but the attacker manipulates the size of the packet. The recipient host reassembles the small fragments into one packet and, due to the manipulation, ends up with a packet larger than allowed upon reassembly. This overflows the memory allocated to the packet and ultimately results in denial of service.
Attackers generally target Websites or databases as well as enterprise
networks by gathering information on their weaknesses. But apart from finding
vulnerabilities, there are other causes of DDoS attack as well.
• EASY AVAILABILITY OF TOOLS
The easy accessibility of the many attack tools floating around in the public domain is one of the major reasons networks and organizations frequently come under DDoS attack. Alongside the evolution of new DDoS attack tools, several novel and practical machine learning approaches have been used for DDoS attack detection and prevention. The relevance and effectiveness of such methods are mostly judged by their performance in terms of classification accuracy and execution time.
One can easily set up and use these tools to launch attacks by sending unsolicited traffic to the victim from distributed armies of bots or compromised computers on the Internet. This unsolicited traffic consumes all of the victim’s resources and network bandwidth, enough to paralyze it so that it no longer functions or provides service to legitimate users.
• VULNERABLE ARCHITECTURE OF INTERNET
The vulnerable architecture of the Internet is another major cause, allowing the attacker to easily spoof the source IP (SIP) addresses of attack packets, thus making it more difficult to detect the attack. Further, the detection of malicious traffic becomes even harder if its size and pattern are like those of legitimate traffic, making the malicious traffic unobtrusive.
Several design issues of the original Internet are also responsible. Some of
these are (i) the existence of complex edges but simple cores, (ii) link bandwidth
mismatch between core and edge networks, (iii) simple routing principles, (iv)
lack of centralized network management, and (v) the habit of sharing reserved
resources across data centers.
• TROUBLE-FREE AVAILABILITY OF BOTNETS
Another major cause is the easy availability of botnets on the black market. One can easily rent a botnet consisting of millions of Internet of Things (IoT) devices. Botnets are available to rent for a specific period, such as a week, or for one or two attacks.
We refer to a DDoS attack as fast when it generates many packets or extremely
high-volume traffic within a very short time, say a fraction of a minute, to disrupt
service. An attack is referred to as a slow attack if it takes minutes or hours to
complete the process.
To counter the rapid emergence of external and internal threats to networks
and resources, researchers have looked at a variety of approaches such as
intrusion detection system (IDS), intrusion prevention system (IPS), intrusion
response system (IRS), and intrusion tolerance system (ITS). Among these,
IDS and IPS are important components of a layered security infrastructure. To
execute an attack on a network or a system, an attacker generally follows four
main steps:
(a) the attacker scans the whole network to find and recruit vulnerable
hosts.
(b) the vulnerable hosts are then compromised for exploitation by the
attacker using malware or backdoor programs
(c) the attacker infects the compromised hosts to create a base for the
effective launching of an attack, and
(d) finally, the attack is launched using the compromised hosts.
A generic DDoS defense solution is comprised of three modules. In this section, I will focus mainly on monitoring and detection; the reaction module is covered in a later section.
• MONITORING
To perform its monitoring activities, the monitoring module collects the necessary information on the state of the network at various points within the network. For the identification of unauthorized services, one should look not only at external traffic but also at internal traffic; otherwise, one will miss internal hosts involved in unauthorized activities.
• DETECTION
The detection module identifies any misuse or anomalous behavior in the network and generates reports for the administrators. Intrusion detection is primarily focused on identifying possible intrusive patterns, incidents or activities, and reporting them in a timely and meaningful manner. A detection module analyzes relevant network traffic information to identify possible security breaches, which include both misuse and anomalies.
Detection techniques for distributed denial-of-service attacks fall into two classes:
• MISUSE DETECTION
Misuse detection searches for definite patterns (i.e., signatures, rules, or
activities) in the captured network traffic to identify previously known DDoS
intrusion types. Such detection techniques usually exhibit high detection rates
with low numbers of false alarms. However, a misuse detection technique fails
to detect unknown DDoS intrusion types.
• ANOMALY-BASED DETECTION
Anomaly-based detection techniques aim to identify new intrusion types in
addition to the detection of known types. Such techniques analyze network
traffic behavior and attempt to detect unusual patterns at an early stage.
The three main symptoms of a DDoS attack are as follows:
1. A website becomes extremely slow.
2. A website does not load at all.
3. A website becomes unavailable.
In the next section, you will get to know about precautionary measures and what to do when you are under attack.
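The two detection classes, as an added example that is not part of the original guide, applied to the SYN flood pattern from the list of common attacks above. The flow-log format, the sample traffic, the host addresses and the thresholds are all constructed for illustration: `misuse_detect` is a signature rule (a source with many SYNs and no completing ACK), and `anomaly_detect` learns a per-second packet-rate baseline from a quiet window and flags seconds that exceed it, without knowing what the attack looks like.

```python
import statistics
from collections import defaultdict

# Constructed flow-log format (an assumption, not the guide's): one packet per
# line, "timestamp src_ip dst_ip:port tcp_flags", where S = SYN, A = ACK,
# PA = ACK carrying data.

def parse_line(line):
    ts, src, dst, flags = line.split()
    return int(ts), src, dst, flags

def build_trace(seconds, attack_seconds=()):
    """Synthetic traffic: 8 to 12 legitimate clients per second, each completing
    a handshake (S, A) and sending data (PA). During attack_seconds, five
    sources (198.51.100.1-5, documentation range) each send 20 SYNs per second
    and never ACK, which is the half-open pattern of a SYN flood."""
    lines = []
    for t in seconds:
        for c in range(8 + t % 5):
            src = f"192.0.2.{c + 1}"
            lines += [f"{t} {src} 10.0.0.5:443 {f}" for f in ("S", "A", "PA")]
        if t in attack_seconds:
            for a in range(1, 6):
                lines += [f"{t} 198.51.100.{a} 10.0.0.5:443 S"] * 20
    return lines

def misuse_detect(lines, max_half_open=20):
    """Misuse (signature) rule for the SYN flood pattern: a source whose SYNs
    exceed its ACKs by max_half_open or more never finishes the handshake.
    Catches this known pattern well, but nothing it has no signature for."""
    syns, acks = defaultdict(int), defaultdict(int)
    for line in lines:
        _, src, _, flags = parse_line(line)
        if flags == "S":
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1
    return sorted(src for src in syns if syns[src] - acks[src] >= max_half_open)

def packets_per_second(lines):
    counts = defaultdict(int)
    for line in lines:
        counts[parse_line(line)[0]] += 1
    return counts

def anomaly_detect(baseline_lines, live_lines, k=3.0):
    """Anomaly rule: learn mean and standard deviation of the per-second packet
    count from a known-good window, then flag live seconds above mean + k*sd."""
    base = packets_per_second(baseline_lines).values()
    threshold = statistics.mean(base) + k * statistics.pstdev(base)
    live = packets_per_second(live_lines)
    return sorted(ts for ts, n in live.items() if n > threshold)

BASELINE = build_trace(range(0, 60))                              # quiet period
LIVE = build_trace(range(60, 75), attack_seconds=range(70, 75))   # flood at 70-74

if __name__ == "__main__":
    print("signature hits:", misuse_detect(LIVE))
    print("anomalous seconds:", anomaly_detect(BASELINE, LIVE))
```

The two rules fail differently: the signature stays silent for an attack that completes handshakes (an HTTP flood, for instance), while the baseline rule flags any surge, including a legitimate flash crowd, so in practice both are run and their alerts correlated.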
Intrusion prevention is performed by a software or hardware device that can intercept detected threats in real time and prevent them from moving closer to the victims. It is a useful approach against DDoS, flooding and brute force attacks. Today, the general lack of adequate security infrastructure across the Internet is a major cause of the tremendous pressure faced by Internet Service Providers to prevent and mitigate, on their own, DDoS attacks on their infrastructure and services.
For effective prevention, one must be able to detect the attack early and then initiate appropriate action(s) to identify the attack source(s). Since DDoS is a coordinated attack, it is not straightforward to identify the attack sources in real time. Further, spoofing of source IP addresses in the attack packets complicates attempts at reliable DDoS prevention.
Most prevention methods act upon detection of a DDoS attack in one or more of the following ways: (a) by reconfiguring security mechanisms such as firewalls or routers to block future attacks, (b) by removing malicious content from the attack traffic by filtering out possible attack packets, or (c) by appropriate browser settings and by reconfiguring other security and privacy controls to avoid future attacks.
For effective DDoS prevention, identification of the true attack source(s) is an essential task. Although identifying the true source of an attack is daunting due to the open and decentralized structure of the Internet, IP traceback is a powerful candidate among the mechanisms used to identify the true source of attacks in a network.
➢ IP TRACEBACK
As discussed earlier, in a DDoS attack attackers mostly use zombies or reflectors to send attack packets to the victim machine using spoofed IP addresses. One can attempt to detect the attack source manually as well as automatically. Traceback may be performed either at the victim end or from intermediate routers, and followed back to the original source. Typically, a hop-by-hop traceback mechanism is used from router to router; therefore, for successful identification of the attack source, co-operation among networks is essential. However, manual traceback is a tedious and time-consuming process. To expedite it, researchers have introduced automated traceback schemes.
➢ LINK TESTING
In link testing, the victim tests each of its incoming links as a probable input link for DDoS attack traffic. If the test result is positive, it contacts the upstream router(s) closest to the victim. The contacted router then initiates an interactive traceback process recursively with its upstream routers until the true source of the attack is identified.
This scheme has at least three main advantages: (i) it can discover attackers
of flooding attacks reliably, (ii) it is cost effective due to relatively low
network overhead, and (iii) the scheme can be replicated in a distributed
manner easily. It has several limitations as well. One major limitation is the
generation of additional traffic, which usually consumes significant network
resources. One can apply link testing to detect attack sources in two distinct
ways: (i) input debugging and (ii) controlled flooding.
In the input debugging scheme, the first task is to recognize an attack at the victim. Once an attack is recognized, the next task is to generate an attack signature based on the common features of the attack packets. The victim then sends a message to an upstream router asking for the installation of an input debugging filter on the egress port. Such a filter is expected to reveal the associated input ports and the upstream routers responsible for generating the attack traffic.
The process is repeated recursively until the source of the attack is detected. This scheme is often successful in identifying the true sources of DDoS attacks because of its distributed nature. Its limitations include: (i) the cost of managing the resources used to support prevention is significantly high, (ii) the network and router overhead is large, (iii) communicating with upstream routers consumes a significantly large amount of time, and (iv) it requires skilled network professionals for effective traceback operation.
The controlled flooding traceback scheme, introduced by Burch and Cheswick, works automatically without the involvement of network operators. The scheme floods the incoming links of the router with high-rate (bursty) network traffic and then observes the effect on the attack traffic. It chooses the incoming links nearest the victim and uses a pre-generated map of the Internet topology, including a few selected hosts.
There is a high dropping probability for packets (including the attacker’s
packets) traveling across the loaded links. The victim can infer the attack links
by computing the changes in packet arrival rates. This process is then
recursively applied on the upstream routers until the source of an attack is
reached. It is a very effective traceback technique.
However, like the previous schemes, it also suffers from three major limitations:
(i) It has high management overhead, (ii) It requires coordination among routers
or switches or even ISPs, and (iii) It requires skilled network administrators.
➢ PACKET MARKING
Packet marking is a significant recent addition to the techniques used for the
identification of the origin of DDoS attacks. In a packet-marking scheme, routers
mark forwarding packets either deterministically or probabilistically, with their
own addresses. So, when an attack occurs, the victim uses the marked
information associated with the packet to trace back to the attack source.
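A simulation of the probabilistic variant of packet marking and the victim-side reconstruction, added as an example (not the guide’s own code). The router path, the marking probability and the packet count are assumptions; the marking model is the single-field overwrite scheme, in which each router on the path overwrites the mark with its own address with probability p, so the router nearest the victim is the one most often seen in the mark field and the path can be ordered by mark frequency.

```python
import random
from collections import Counter

# Constructed path from the attacker's side to the victim: R5 is the first hop
# after the attacker, R1 is the last router before the victim.
PATH = ["R5", "R4", "R3", "R2", "R1"]

def forward_with_marking(path, p, n_packets, rng):
    """Simulate n_packets travelling along `path`. Each router overwrites the
    packet's single mark field with its own address with probability p
    (probabilistic marking; a deterministic scheme would have a fixed router
    mark every packet). Returns a Counter of the marks the victim receives;
    the key None counts packets that arrived unmarked."""
    marks = Counter()
    for _ in range(n_packets):
        mark = None
        for router in path:
            if rng.random() < p:
                mark = router
        marks[mark] += 1
    return marks

def expected_mark_fraction(distance, p):
    """Probability that a packet arrives carrying the mark of the router
    `distance` hops from the victim (1 = nearest): that router must mark it
    and none of the distance-1 routers after it may overwrite the mark."""
    return p * (1 - p) ** (distance - 1)

def reconstruct_path(marks):
    """Victim side: routers nearer the victim overwrite more often, so sorting
    routers by descending mark count recovers the path from the victim outward.
    This needs no cooperation from the routers beyond the marking itself."""
    counts = {r: c for r, c in marks.items() if r is not None}
    return sorted(counts, key=lambda r: counts[r], reverse=True)

def attack_path_from_victim(p=0.3, n_packets=20000, seed=7):
    """Run the simulation with a fixed seed and return the reconstructed path."""
    marks = forward_with_marking(PATH, p, n_packets, random.Random(seed))
    return reconstruct_path(marks)

if __name__ == "__main__":
    print(attack_path_from_victim())
```

The reconstruction works because the expected mark fractions p, p(1-p), p(1-p)^2, ... decrease strictly with distance; with a small p the far routers are seen rarely, which is why real schemes need many attack packets before the ordering is reliable, and why a flood, which supplies exactly that, is the case the technique suits best.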
➢ PACKET LOGGING
In the packet logging approach, routers store packet information so that such
information can be used to trace an attack long after the attack has completed.
One can use data mining techniques on the logged packet data to determine
the path that the packets may have traversed.
The main advantages of this method are (i) it stores packet log information
historically for future investigation, (ii) it is easy to trace back, and (iii) it can be
easily deployed in a distributed manner. However, it requires high storage
space to store historical data and has high network overhead and high
management overhead.
➢ ICMP TRACEBACK MESSAGES
In this mechanism, the router generates ICMP traceback messages that include
the content of forwarded packets along with information about adjacent routers
and sends them to the destination. When flooding attacks occur, the victim uses
these ICMP messages to construct attack graphs back to the attacker. The
traceback messages help the victim find the original source of the attack.
This mechanism relies on an input debugging capability that is not enabled in
many router architectures. As a result, it may be difficult to establish a
connection between a participating router and a non-participating router. ICMP
traceback is effective in terms of network overhead as it incurs low management
cost. Moreover, the approach can be distributed easily and is able to effectively
detect attack paths during flooding attacks.
No matter what you think, there is no foolproof method to stop a DDoS attack. With the advancement of technology, hackers keep finding new ways to attack that no one can detect and prevent. Still, there are some ways through which you can stop these attacks or minimize your loss. Let’s see some of the ways in which you can secure your system.
REACTION
A DDoS defense system typically reacts with two basic components, viz., a passive and an active component. The passive component, composed of a set of procedures, inspects the system’s configuration files to detect inadvisable settings, inspects the password files to detect inadvisable passwords, and inspects other system areas to detect policy violations.
In contrast, the active component, composed of another set of procedures, reacts to known methods of attack and generates system responses. It can respond to suspicious events in several ways, including displaying an alert, logging the event or even paging an administrator. First, I have listed the proactive steps you should take before an actual attack takes place. The second part covers what to do when your system is under attack.
Below are the proactive steps you should take to minimize the impact of a DDoS attack.
1. BUY A DDOS ATTACK PROTECTION SERVICE
Buy a DoS/DDoS protection service that will detect abnormal traffic flows to your website and divert the traffic to another platform. This will filter out the excess traffic sent to your website, and hence your network resources will not be exhausted.
2. DISASTER RECOVERY PLAN
Develop a disaster recovery plan to ensure successful mitigation and communication when your website is under attack.
3. SECURE YOUR SYSTEM WITH GOOD PROTECTION SOFTWARE
It is also important to secure your system from any form of malpractice by an attacker using malicious or backdoor programs. For that, you need to regularly update and maintain good antivirus protection on all your devices. Moreover, install a firewall to restrict traffic incoming to and outgoing from your website. Furthermore, you should always follow good security practices and keep track of how many people have the sensitive information needed to access your system.
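As an added example (not from the guide), a minimal nftables ruleset for the firewall step above, written for a Linux host serving HTTP and HTTPS. The table and set names, the rate limits and the management network range are placeholders to be tuned to the site’s real traffic; the per-source limit on new connections targets the half-open exhaustion described in the SYN flood section, and the ICMP limit the ICMP flood.

```nft
# Added example ruleset (not from the guide). Load with: nft -f <this file>
# All thresholds are placeholders; tune them against the site's real traffic.
table inet ddos_guard {
    # Dynamic set: one entry per source address, each carrying its own
    # rate-limit state for new web connections.
    set web_flood {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP echo: allow a trickle, drop the rest (ICMP flood).
        icmp type echo-request limit rate 5/second burst 10 packets accept
        icmp type echo-request drop

        # New connections to the web ports: a source opening more than 30 per
        # second (burst 60) is dropped for as long as it stays above that rate.
        tcp dport { 80, 443 } ct state new add @web_flood { ip saddr limit rate over 30/second burst 60 packets } drop
        tcp dport { 80, 443 } ct state new accept

        # Administrative access only from the internal range (placeholder).
        ip saddr 10.0.0.0/8 tcp dport 22 ct state new accept
    }
}
```

Pair this with the kernel setting net.ipv4.tcp_syncookies = 1 (via sysctl), so that once the SYN backlog fills the host answers SYNs without allocating connection state; the rate limit alone does not help against a flood spread thinly across many spoofed sources, which is where the upstream protection service from step 1 comes in.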
What to do when you are experiencing a DDoS attack? There are three approaches to mitigating a DDoS attack:
1. DO IT YOURSELF
2. OUTSOURCE
3. HYBRID
DO IT YOURSELF
You can do it yourself by buying more hardware capacity and other mitigation equipment.
The main benefits of doing it yourself are as follows –
1. LOW DELAY
When you do the DDoS mitigation yourself, the biggest benefit is the low delay in taking the required action. When you are doing everything yourself, you are also continuously monitoring, so the moment an attack takes place is the moment you can start mitigating it.
2. APPLICATION SPECIFIC
Another big advantage of doing it yourself is that you can tailor mitigation to an application. For instance, you can set up mitigation equipment specifically for the gaming industry and leave out other industries if you want.
3. BETTER INSPECTION
Another advantage is that your systems can inspect both directions of the traffic.
4. KEYS STAY IN COMPANY
Also, when there is TLS-encrypted traffic, the keys stay with the company.
The main drawbacks of doing it yourself are as follows –
1. FLUCTUATION IN NETWORK CAPACITY
The biggest drawback when you are doing it yourself is that there are high fluctuations in the network capacity. You cannot foresee how much to overprovision: double, triple, ten times? The attack can be of any capacity, and you cannot change your provisioning every time and immediately.
2. HIGH REQUIREMENTS
To do mitigation yourself, you must consider and meet many requirements. First, you need bandwidth (a monthly recurring expense which adds up), compute and network hardware. You also need qualified personnel who can take care of the system, and sadly they are hard to find, expensive and hard to retain as well. You also need these resources –
• traffic – 10GBps = $2,000/mo (NA)
• colocation space – $400/mo
• power – depends on equipment and location
• equipment – min. $20,000 per 10GBps port
• personnel – the largest part, fluctuates based on location.
And you need them in many locations, with multiples of each per location.
Now, should you go for this method or not? Before concluding, consider these points.
• At present, DDoS attacks take place at a very large scale.
• Infrastructure is very expensive to build and maintain.
• It requires a significant amount of know-how.
Therefore, I recommend that, unless you are hosting a very large site, you leave it to the professionals.
OUTSOURCING TO PROFESSIONALS
The second approach is to hire professionals and let them do all the work, while you just sit back, relax and pay.
There are DDoS mitigation service providers and Content Delivery Networks (CDNs) available in the market. Their price is based on (1) the size of the attack and (2) the volume of clean traffic. There are also two types of service: (1) on-demand DDoS mitigation and (2) always operational.
In on-demand DDoS mitigation, the mitigation only takes place when a system is under attack and only until the mitigation is completed. It has its own benefits and drawbacks, as discussed below.
1. PROTECTS MOST APPLICATIONS FROM VOLUMETRIC ATTACKS
One major benefit of on-demand DDoS mitigation is that it works very well when it comes to protecting your system from volumetric attacks.
2. EASIER TO DEPLOY OFF-LINE
On-demand DDoS mitigation is very easy to deploy. All you need is a contract
with the firm; when you need it, they deploy their mitigation to ensure
maximum protection.
3. GOOD FOR HIGH ATTACK VOLUME
The biggest flaw of doing mitigation yourself is that you cannot handle a high
attack volume. When you outsource it, you get rid of this issue very easily.
4. HARDER TO BYPASS
Another major benefit of on-demand mitigation is that the services you get from
professionals are harder to bypass. Unless there is a "once in 3-4 years" attack,
their mitigation is hard to get around.
Every coin has two sides, and every solution has a downside too. The
drawbacks of on-demand mitigation are as follows.
1. DELAY IN DEPLOYMENT
This is not an issue with the do-it-yourself approach, but outsourcing and
taking on-demand help takes some time to deploy. There is a delay between
the site coming under attack and its traffic being switched to the service provider.
2. SHARING OF KEYS
Another major drawback of on-demand DDoS mitigation is that it is difficult for
the provider to terminate Transport Layer Security (TLS) on your behalf without
you sharing your keys with them.
3. INCREASED LATENCY
With on-demand mitigation, the whole process from detection to mitigation
takes time, so it adds latency before the procedure completes.
4. GRE TUNNEL COMPLEXITIES
When you secure your network with on-demand mitigation, it adds the
complexity of a Generic Routing Encapsulation (GRE) tunnel, which the
provider uses to return clean traffic to you. GRE tunnels encapsulate various
network layer protocols inside virtual point-to-point links carried over IP.
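As an added example (not code from this guide), the following Python builds and parses a GRE-encapsulated IPv4 packet and computes the MTU the tunnel leaves for inner packets, which is one of the concrete complexities of returning clean traffic over GRE. It assumes the base GRE header of RFC 2784 with no outer IP options; the addresses and payload are constructed.

```python
"""
Added example, not from the guide: build, parse and size a GRE-encapsulated
IPv4 packet, to show the per-packet overhead an on-demand mitigation provider's
GRE tunnel adds when it returns clean traffic to your network.
Assumptions: base GRE per RFC 2784 (4-byte header), no outer IPv4 options,
and constructed documentation-range addresses (RFC 5737).
"""
import struct

GRE_HEADER_LEN = 4        # RFC 2784: 16-bit flags/version + 16-bit protocol type
IPV4_HEADER_LEN = 20      # outer IPv4 header without options
IP_PROTO_GRE = 47         # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000  # optional fields


def ip_to_bytes(ip: str) -> bytes:
    """Dotted-quad string to 4 network-order bytes."""
    return bytes(int(octet) for octet in ip.split("."))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header; a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64) -> bytes:
    """20-byte IPv4 header (DF set, no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len,
                      0, 0x4000, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (proto 47) + base GRE header + the untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    outer = build_ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE,
                              GRE_HEADER_LEN + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Validate the outer IPv4 and GRE headers and return the inner packet.

    Raises ValueError on anything a tunnel endpoint should drop: wrong IP
    version, bad checksum, non-GRE protocol, truncation, unsupported GRE
    version or a non-IPv4 payload. Optional C/K/S fields are skipped.
    """
    if len(packet) < IPV4_HEADER_LEN + GRE_HEADER_LEN:
        raise ValueError("packet shorter than outer IPv4 + GRE headers")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < IPV4_HEADER_LEN or ihl > len(packet):
        raise ValueError("outer header is not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet) or total_len < ihl + GRE_HEADER_LEN:
        raise ValueError("outer total length inconsistent with packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + GRE_HEADER_LEN])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 0x0007))
    if proto != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4 (protocol 0x%04x)" % proto)
    optional = sum(4 for f in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & f)
    return packet[ihl + GRE_HEADER_LEN + optional:total_len]


def effective_mtu(link_mtu: int) -> int:
    """Largest inner packet that still fits the link once tunnelled (DF set)."""
    return link_mtu - IPV4_HEADER_LEN - GRE_HEADER_LEN


def main() -> None:
    # Constructed inner packet: 20-byte IPv4 header claiming TCP (6) plus a
    # 100-byte dummy payload, from a client to the protected web server.
    inner = build_ipv4_header("203.0.113.10", "198.51.100.5", 6, 100) + bytes(100)
    # Tunnel from the mitigation provider's scrubbing edge to our router.
    tunnelled = gre_encapsulate(inner, "192.0.2.1", "192.0.2.2")
    print("inner %d bytes, tunnelled %d bytes (+%d overhead)"
          % (len(inner), len(tunnelled), len(tunnelled) - len(inner)))
    print("decapsulated matches inner:", gre_decapsulate(tunnelled) == inner)
    print("effective MTU on a 1500-byte link:", effective_mtu(1500))


if __name__ == "__main__":
    main()
```

The 24 bytes of overhead are why a 1500-byte link only carries 1476-byte inner packets; anything larger with DF set is dropped at the tunnel unless the MTU (or TCP MSS) inside your network is lowered accordingly.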
If you want the best protection possible for your system and have a good
budget, always-operational mitigation is the option to go for. Here you get
complete protection for your system, and it can even increase your website's
performance if used together with a CDN (Content Delivery Network).
TOOLS USED BY ATTACKERS
There is a large and growing pool of DDoS attack tools available on the
internet. Most are freely available and powerful enough to crash networks and
websites. Among these, LOIC and HOIC are very effective at launching a DDoS
attack within a short time. LOIC can generate attack packets using the TCP,
UDP and HTTP protocols, whereas HOIC supports only HTTP.
Although TFN, Trinoo and Stacheldraht are also used to launch DDoS attacks,
these tools require substantial customization to use on an experimental testbed.
Further, they are not as powerful as LOIC. However, it must be noted that using
these tools to launch an attack on a public network is unethical and a crime.
Building an adequate defense against DDoS attacks is a non-trivial problem for
the network administrator as well as the network security researcher. If
attackers are highly skilled, an existing defense may not be able to handle all
types of new DDoS attacks in near real time.
Since a DDoS attacker uses many compromised nodes to flood the network
instantly, early detection of the attacker's preparatory activities is essential so
that the attack can be mitigated immediately.
TOOLS/SERVICE USED FOR PROTECTION
There are many tools and services available on the Internet; here is a list of
the best among them:
1. Cloudflare
2. F5 Networks
3. Arbor Networks
4. Incapsula
5. Black Lotus
6. Akamai
7. AWS Shield
8. BeeThink Anti-DDoS Guardian
9. Sucuri
10. Cloudbric
11. Alibaba
12. Radware DefensePro
I hope this guide helps you understand everything about DDoS attacks.
Did you learn something new from this guide?
Or maybe you have a question.
You can drop an email at info@techapprise.com or visit Contact Us.

More Related Content

What's hot

A Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksA Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksIJERD Editor
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack Ahmed Salama
 
TECHNICAL WHITE PAPER: The Continued rise of DDoS Attacks
TECHNICAL WHITE PAPER:  The Continued rise of DDoS AttacksTECHNICAL WHITE PAPER:  The Continued rise of DDoS Attacks
TECHNICAL WHITE PAPER: The Continued rise of DDoS AttacksSymantec
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and MitigationDevang Badrakiya
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
Module 9 Dos
Module 9   DosModule 9   Dos
Module 9 Dosleminhvuong
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
 
Module 8 (denial of service)
Module 8 (denial of service)Module 8 (denial of service)
Module 8 (denial of service)Wail Hassan
 
An introduction to denial of service attack
An introduction to denial of service attackAn introduction to denial of service attack
An introduction to denial of service attackMohammad Reza Mousavinasr
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddoskalyan kumar
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service AttacksBrent Muir
 

What's hot (19)

A Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksA Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
A Novel Method for Prevention of Bandwidth Distributed Denial of Service Attacks
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dos
 
TECHNICAL WHITE PAPER: The Continued rise of DDoS Attacks
TECHNICAL WHITE PAPER:  The Continued rise of DDoS AttacksTECHNICAL WHITE PAPER:  The Continued rise of DDoS Attacks
TECHNICAL WHITE PAPER: The Continued rise of DDoS Attacks
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attacks
 
DDoS Attack and Mitigation
DDoS Attack and MitigationDDoS Attack and Mitigation
DDoS Attack and Mitigation
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
Module 9 Dos
Module 9   DosModule 9   Dos
Module 9 Dos
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigations
 
Module 8 (denial of service)
Module 8 (denial of service)Module 8 (denial of service)
Module 8 (denial of service)
 
An introduction to denial of service attack
An introduction to denial of service attackAn introduction to denial of service attack
An introduction to denial of service attack
 
Assingement on dos ddos
Assingement on dos  ddosAssingement on dos  ddos
Assingement on dos ddos
 
Denial of Service Attacks
Denial of Service AttacksDenial of Service Attacks
Denial of Service Attacks
 
DoS/DDoS
DoS/DDoSDoS/DDoS
DoS/DDoS
 
50120140502001 2
50120140502001 250120140502001 2
50120140502001 2
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 
546 220-228
546 220-228546 220-228
546 220-228
 

Similar to An Ultimate Guide to DDos Attacks: Detection, Prevention and Mitigation

A041201010
A041201010A041201010
A041201010ijceronline
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiProfessor Lili Saghafi
 
Ix3615551559
Ix3615551559Ix3615551559
Ix3615551559IJERA Editor
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Sharon Lee
 
Denail of Service
Denail of ServiceDenail of Service
Denail of ServiceRamasubbu .P
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSA SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSIJNSA Journal
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
 
nitinbisht-170409175645 (2).pdf
nitinbisht-170409175645 (2).pdfnitinbisht-170409175645 (2).pdf
nitinbisht-170409175645 (2).pdfrashidxasan369
 
Denial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideDenial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideImperva
 
Unlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docx
Unlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docxUnlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docx
Unlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docxjolleybendicty
 
3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdf3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdfPrasannaKumarpanda2
 
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdfMS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdfssuser262297
 
Study of flooding based ddos attacks and their effect using deter testbed
Study of flooding based ddos attacks and their effect using deter testbedStudy of flooding based ddos attacks and their effect using deter testbed
Study of flooding based ddos attacks and their effect using deter testbedeSAT Journals
 
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMA SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMcscpconf
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSIJNSA Journal
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docxTushar Mathur
 
Using the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdfUsing the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdffms12345
 

Similar to An Ultimate Guide to DDos Attacks: Detection, Prevention and Mitigation (20)

A041201010
A041201010A041201010
A041201010
 
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili SaghafiComputer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
Computer Security Cyber Security DOS_DDOS Attacks By: Professor Lili Saghafi
 
Ix3615551559
Ix3615551559Ix3615551559
Ix3615551559
 
Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )Distributed Denial Of Service ( Ddos )
Distributed Denial Of Service ( Ddos )
 
DDoS.pptx
DDoS.pptxDDoS.pptx
DDoS.pptx
 
Denail of Service
Denail of ServiceDenail of Service
Denail of Service
 
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONSA SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
A SURVEY OF TRENDS IN MASSIVE DDOS ATTACKS AND CLOUD-BASED MITIGATIONS
 
A survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigationsA survey of trends in massive ddos attacks and cloud based mitigations
A survey of trends in massive ddos attacks and cloud based mitigations
 
nitinbisht-170409175645 (2).pdf
nitinbisht-170409175645 (2).pdfnitinbisht-170409175645 (2).pdf
nitinbisht-170409175645 (2).pdf
 
Denial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete GuideDenial of Service Attacks: The Complete Guide
Denial of Service Attacks: The Complete Guide
 
Unlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docx
Unlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docxUnlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docx
Unlimited Attempts AllowedDetailsVirtual Labs Perpetrators of D.docx
 
3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdf3-JournalofCommunicationsVol.14No.2February2019.pdf
3-JournalofCommunicationsVol.14No.2February2019.pdf
 
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdfMS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
 
L1803046876
L1803046876L1803046876
L1803046876
 
Study of flooding based ddos attacks and their effect using deter testbed
Study of flooding based ddos attacks and their effect using deter testbedStudy of flooding based ddos attacks and their effect using deter testbed
Study of flooding based ddos attacks and their effect using deter testbed
 
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEMA SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
A SYNCHRONIZED DISTRIBUTED DENIAL OF SERVICE PREVENTION SYSTEM
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
 
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKSPASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
PASSWORD BASED SCHEME AND GROUP TESTING FOR DEFENDING DDOS ATTACKS
 
DDoS Report.docx
DDoS Report.docxDDoS Report.docx
DDoS Report.docx
 
Using the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdfUsing the Web or another research tool, search for alternative means.pdf
Using the Web or another research tool, search for alternative means.pdf
 

Recently uploaded

BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonJericReyAuditor
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfMahmoud M. Sallam
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 

Recently uploaded (20)

BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Science lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lessonScience lesson Moon for 4th quarter lesson
Science lesson Moon for 4th quarter lesson
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri  Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 

An Ultimate Guide to DDos Attacks: Detection, Prevention and Mitigation

  • 1. DDOS ATTACK: The Definitive Guide Page | 1 DDOS ATTACK: The Definitive Guide
  • 2. DDOS ATTACK: The Definitive Guide Page | 2 About the Author Hey guys, it’s Aayush here. I’m the founder of two online media and news reporting publishers, TechApprise1 and BizApprise2 . Unlike most so-called cybersecurity3 “experts”, I publish what I preach. And in this ultimate guide, I’ve covered everything about the Distributed Denial of Service Attacks (DDoS) for instance, what are DDoS attacks, their types, their major causes, how to detect them and how to mitigate a DDoS attack. So, keep reading till the end. 1 TechApprise – Power On Your Side dated July 14th , 2020 accessible from: https://www.techapprise.com/ 2 BizApprise – Entrepreneurship and Business Reporting, date July 14th , 2020 accessible from: https://bizapprise.com/ 3 Cyber Security, dated July 14th , 2020 accessible from: https://www.techapprise.com/category/cybersecurity/
  • 3. DDOS ATTACK: The Definitive Guide Page | 3 Contents
  • 4. DDOS ATTACK: The Definitive Guide Page | 4 A Distributed Denial of Service attack is a synchronized attack done using a large group of compromised infected machines, called zombies or bots, which send coordinated traffic to the victim which exhaust network resources of the victim. The attackers aim to overcrowd, bombard, and exhaust the network resources such as CPU, memory, or link bandwidth of their victim through sending mass requests from botnet. As a result, the network or website is down and unable to access and perform user’s requests. Thus, the network denies responding to the incoming traffic.
  • 5. DDOS ATTACK: The Definitive Guide Page | 5 DDoS attacks are catastrophic and can bring down a server or network very quickly. To launch a DDoS attack, the attacker develops (or rents) a network with compromised hosts — Botnets. A Botnet is defined as a large group of malware-infected machines, also referred to as zombies, and send the commands to perform the attack. Bots are controlled using a botnet architecture and a command-and-control system, which may be based on Peer-to-Peer (P2P), Internet Relay Chat (IRC), Hyper Text Transfer Protocol (HTTP) or Domain Name System (DNS). One can easily find and rent botnets on the black market to perform the DDoS attack. The attacker takes advantage of these compromised hosts (collectively forming botnet) to gather security-related information. In a DDoS attack, the victim can range from a single web server even to Internet connection of an entire university, an entire city or even an entire country.
  • 6. DDOS ATTACK: The Definitive Guide Page | 6 Generally, four players participate in the successful DDoS attack and they are: (i) THE ATTACKER (ii) THE HANDLERS (iii) THE AGENTS (iv) THE VICTIM The master or the attacker initially attempts to bring some hosts in a network under its control by compromising them. The handlers include some malicious software (like malware) residing on remote machines that are used by the attacker. The purpose of choosing a set of victimized computers (handlers) to launch DDoS attacks is mainly to overcome the possibility of tracing the attack back to the attacker (client). The agents, the third set of players are practically responsible for performing the attack. They typically consist of software on compromised machines through which the attack is performed. Finally, the victim, the fourth player, maybe a single target machine, server, or a network of many machines.
  • 7. DDOS ATTACK: The Definitive Guide Page | 7
  • 8. DDOS ATTACK: The Definitive Guide Page | 8 The DDoS attack is considered more damaging than a DoS attack and it usually takes more planning and diligence to initiate it. DDoS attack mainly involves four steps, and these are mentioned below. Step 1 – RECRUITING Under this step, the attacker scans the whole network to find and recruit vulnerable hosts. Step 2 – EXPLOITATION The vulnerable hosts are then compromised for exploitation by the attacker using malicious programs like malware, Trojan, or any other backdoor programs. Step 3 – INFECTION The attacker infects the compromised hosts to create a base for the effective launching of the attack. Step 4 – EXECUTION OR ATTACK Finally, the last stage, where the attack is launched using the compromised hosts.
  • 9. DDOS ATTACK: The Definitive Guide Page | 9 DDoS attacks are classified by various researchers in different ways following different criteria. The following subsections present DDoS attack types based on Open Systems Interconnection (OSI) layers approaches used to launch attacks, the volume of traffic generated and on a rate at which attack take place. LAYER SPECIFIC DDOS ATTACKS DDoS attacks can be classified into seven categories based on the seven OSI layers model. To better understanding, have a look at the various network layers.
  • 10. DDOS ATTACK: The Definitive Guide Page | 10 DDoS attacks in layer 1 – Physical Layers include attacks such as cutting cables, jamming, power surging (high-voltage attack) and even Electromagnetic Pulse (EMP) attack results into the destruction of electronic equipment over a wide area. In layer 2 – the attacks are generally MAC spoofing and MAC flood. In layer 3 – Network layer there are two main attacks which are Floods (ICMP) and Teardrop (overlapping IP segments). In layer 4 which is a Transport layer, have many types of DDoS attacks — SYN Flood, RST Flood, FIN Flood, Window size 0 (looks like Slow Loris), Connect attack, LAND (same IP as src/dst), ICMP echo, and UDP flooding. In a network or transport layer attack, the attacker tries to exhaust resources such as the bandwidth of the links which carry traffic to the victim, or the memory of devices such as routers, switches, and firewalls. To achieve this objective, the zombies send huge amounts of traffic in layers 3 and 4 to the victim. Such an attack is normally large in volume ranging from a few Mbps to several hundreds of Gbps or even Tbps. Different network layer protocols such as Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) are used in such an attack. In the 5th layer, the major known attack is Slowloris. In the 6th layer viz. presentation layer, there are XML attacks where the attacker changes the XML breaks down and change the XML scripts and expensive repeated queries.
  • 11. DDOS ATTACK: The Definitive Guide Page | 11 In layer 7, i.e., application layer protocols such as HTTP and HTTPS, to send traffic to the victim. Such traffic normally carries CPU-intensive queries to the server and makes it busy forever. The volume of traffic needed to put a server down is comparatively lower than that of the other type, i.e., a network layer attack. The traffic in an application layer attack is indistinguishable from legitimate traffic, making it very difficult to detect as every attacking device is a genuine internet device with an IP address. DIRECT AND REFLECTOR BASED DDOS ATTACK In a DDoS attack, it is not always the zombies that send attack traffic to the victim. Servers running UDP-based services are often used by attackers to carry out massive DDoS attacks. Such servers are used as reflectors by the attacker. Based on the nature of the attacking machines, DDoS attacks are classified into two categories, (1) Direct AND (2) Reflector-based. • DIRECT DDOS ATTACK In a direct attack, the attacker uses zombies directly to launch DDoS attacks of various types. In contrast, in a reflection or amplification attack, many innocent intermediate nodes, known as reflectors, are used to generate an attack. The attacker sends requests to the reflector servers by spoofing the source IP as if it were the victim’s IP. As a result, these servers reply to the victim by sending messages whose volume is normally many times larger than the original request message size. Hence, this type of DDoS attack is also called an amplification attack. The attacker uses this technique to amplify the attack traffic up to several hundred
times. DNS amplification attacks and Network Time Protocol (NTP) attacks are examples of reflection-based DDoS attacks.

• INDIRECT DDOS ATTACK

One can also classify DDoS attacks based on whether the attack traffic is sent to the victim directly or through intermediaries. In a direct attack, the attacker sends the attack traffic directly to the victim using many compromised machines. In contrast, in an indirect DDoS attack, the attacker, instead of attacking the victim directly, attacks the links and other services that the victim needs to remain functional. Link-flooding attacks such as Crossfire and Coremelt are examples of indirect DDoS attacks.

HIGH AND LOW RATE DDOS ATTACK

DDoS attacks can also be classified, based on the volume of attack traffic, as low-rate and high-rate. In a low-rate DDoS attack, the attacker usually sends attack traffic at a low rate matching the legitimate traffic profile. For example, in the case of an application layer attack, the attacker tries to exhaust the victim's processing resources by sending it CPU-intensive queries. Similarly, in a shrew attack, the volume of the attack traffic is comparatively low. In a high-rate DDoS attack, the attacker sends a huge volume of attack traffic toward the victim. It is the most common type of DDoS attack. A surge of high-rate legitimate traffic, sometimes called a flash crowd, is often mistaken for a DDoS flooding attack, resulting in the dropping of legitimate user requests.
However, a flash crowd can be distinguished from malicious traffic by observing the rate at which new IP addresses appear over a sequence of time intervals. In a flash crowd, new IP addresses are introduced suddenly, resembling a flooding attack, but the rate of introduction of new IP addresses drops after some time, even though the high request rate from legitimate users may persist.

ATTACK BASED ON RATE AT WHICH ATTACK TAKES PLACE

In addition to the classifications mentioned above, DDoS attacks can be classified based on other traffic characteristics, such as the dynamics of the attack traffic rate.

(a) CONSTANT RATE ATTACK

The attack rate reaches its maximum within a very short period. All zombies, after receiving a command from the attacker, start sending attack traffic at a constant rate. This type of attack creates a sudden packet flood at the victim end.

(b) INCREASING RATE ATTACK

Instead of attacking the victim with full force instantly, the attacker gradually increases the traffic intensity toward the victim. The increasing rate approach lets the attacker observe the victim's response to the attack traffic and attempt to evade the victim's detection mechanisms.
(c) PULSING ATTACK

In this type of attack, the attacker activates a group of bots periodically to send attack traffic to the victim. Such a mechanism is used to remain undetected by a detection mechanism. Shrew is an example of a pulsing-rate DDoS attack: it sends short synchronized bursts of traffic to disrupt TCP connections on the same link by exploiting a weakness in the TCP retransmission timeout mechanism.

(d) SUBGROUP ATTACK

As in the case of a pulsing rate attack, here too the attacker sends pulses of attack traffic to the victim. However, the zombies are divided into groups, and these groups are activated and deactivated in different combinations. Such a subgroup approach is used by the attacker to remain disguised and carry on the attack for a longer period.
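The two defender-side heuristics above, the new-IP-address test that separates a flash crowd from a flood and the rate-dynamics classes (a) to (c), are shown here as an added example written for this edit; it is not code from the guide. It assumes traffic is available as (timestamp, source IP) records and constructs its own sample data in the RFC 5737 documentation ranges; the thresholds (two baseline intervals, a 3x surge, a halving of the new-IP share) are assumptions to tune per site. The subgroup attack (d) is not distinguished from pulsing here, since at the victim both look like bursts.

```python
"""Added example, not from the guide: telling a flash crowd from a flood by
the rate at which new source IPs appear, and classifying the rate dynamics
of a flood (constant / increasing / pulsing) from per-interval packet
counts. All traffic records below are constructed sample data."""
from collections import Counter
from typing import Iterable, List, Tuple

Record = Tuple[float, str]  # (timestamp in seconds, source IP), constructed


def bucketize(records: Iterable[Record], interval: float) -> Tuple[List[int], List[int]]:
    """Per-interval request counts and counts of never-before-seen source IPs."""
    seen = set()
    requests, new_ips = Counter(), Counter()
    for ts, ip in records:
        slot = int(ts // interval)
        requests[slot] += 1
        if ip not in seen:
            seen.add(ip)
            new_ips[slot] += 1
    if not requests:
        return [], []
    n = max(requests) + 1
    return [requests[i] for i in range(n)], [new_ips[i] for i in range(n)]


def classify_surge(requests, new_ips, baseline_intervals=2, surge_factor=3.0, decay=0.5):
    """Flash crowd: the request rate stays high but the share of new IPs
    collapses after the initial rush. Flood: new (often spoofed) sources keep
    appearing at the same pace for as long as the high rate lasts."""
    baseline = max(1, sum(requests[:baseline_intervals]) // baseline_intervals)
    surge = [i for i in range(baseline_intervals, len(requests))
             if requests[i] >= surge_factor * baseline]
    if len(surge) < 4:            # too little data to judge a trend
        return "normal"
    half = len(surge) // 2
    early, late = surge[:half], surge[half:]
    early_share = sum(new_ips[i] for i in early) / sum(requests[i] for i in early)
    late_share = sum(new_ips[i] for i in late) / sum(requests[i] for i in late)
    return "flash_crowd" if late_share <= decay * early_share else "flood"


def rate_profile(counts: List[int], tolerance: float = 0.2) -> str:
    """Rate dynamics of attack traffic as seen at the victim: (a) constant,
    (b) increasing, (c) pulsing. Anything else is reported as irregular."""
    if not counts:
        return "empty"
    mean = sum(counts) / len(counts)
    if all(abs(c - mean) <= tolerance * mean for c in counts):
        return "constant"
    if all(b >= a for a, b in zip(counts, counts[1:])):
        return "increasing"
    bursting = [c >= mean for c in counts]
    flips = sum(1 for a, b in zip(bursting, bursting[1:]) if a != b)
    return "pulsing" if flips >= len(counts) // 2 else "irregular"


def build_traffic(kind: str) -> List[Record]:
    """Constructed 10-second intervals: two quiet baseline intervals, then eight
    busy ones. 192.0.2.x and 198.51.100.x are RFC 5737 documentation addresses;
    the flood uses 10.k.0.j private addresses as stand-ins for spoofed sources."""
    recs: List[Record] = [(k * 10 + j, f"192.0.2.{j}") for k in range(2) for j in range(10)]
    if kind == "baseline":
        return recs
    for k in range(2, 10):
        for j in range(200):
            ts = k * 10 + j * 0.05
            if kind == "flash_crowd":
                # a visitor pool that fills up over two intervals, then only repeats
                pool = 100 if k == 2 else 200
                ip = f"198.51.100.{j % pool}"
            else:                       # "flood": every packet from a fresh spoofed source
                ip = f"10.{k}.{j // 250}.{j % 250}"
            recs.append((ts, ip))
    return recs
```

Run `classify_surge(*bucketize(build_traffic("flash_crowd"), 10))` to see the flash crowd verdict and the same call with `"flood"` for the flood verdict; `rate_profile` takes the per-interval request counts that `bucketize` returns. The important design choice is that `classify_surge` compares the share of new addresses early and late in the surge rather than the raw request rate, which is what the text says stays high in both cases.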
Here is the list of the most common DDoS attacks.

1. SYN FLOOD DDOS ATTACK

This type of attack takes advantage of a weakness in the TCP connection sequence (the three-way handshake). The attacker sends a mass of SYN requests to the victim's server, which exploits the limited number of half-open connection slots, overloads them, and ultimately results in denial of service.
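What the "limited slots" look like from the server's side, as an added example written for this edit rather than code from the guide: it replays a constructed packet capture and counts half-open handshakes, i.e. SYNs that never received the client's completing ACK within a timeout. The flag notation, the 3-second timeout, the alert threshold and the addresses (RFC 5737 documentation ranges) are assumptions.

```python
"""Added example, not from the guide: server-side detection of a SYN flood
by counting half-open TCP handshakes (SYN received, no completing ACK).
Packet records are constructed; flag letters follow the usual S/SA/A
notation for SYN, SYN-ACK and ACK."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# (timestamp, client IP, client port, TCP flags) for packets arriving at the server.
Packet = Tuple[float, str, int, str]


@dataclass
class HandshakeStats:
    half_open: int                 # stale SYNs still waiting for the third step
    completed: int                 # handshakes that finished normally
    offenders: List[str] = field(default_factory=list)  # IPs behind most stale SYNs

    def is_flood(self, threshold: int = 50) -> bool:
        # Threshold is a constructed value; tune it to the server's SYN backlog size.
        return self.half_open >= threshold


def analyze_handshakes(packets: Iterable[Packet], now: float,
                       timeout: float = 3.0, top_n: int = 3) -> HandshakeStats:
    """Replay the server's view of the handshake state up to time `now`."""
    pending: Dict[Tuple[str, int], float] = {}   # (ip, port) -> time of SYN
    completed = 0
    for ts, ip, port, flags in sorted(packets):
        key = (ip, port)
        if flags == "S":
            pending[key] = ts          # a backlog slot is now occupied
        elif flags == "A" and key in pending:
            pending.pop(key)           # third step arrived: slot released
            completed += 1
    stale = [ip for (ip, _), ts in pending.items() if now - ts >= timeout]
    offenders = [ip for ip, _ in Counter(stale).most_common(top_n)]
    return HandshakeStats(len(stale), completed, offenders)


def build_packets(with_flood: bool) -> List[Packet]:
    """Constructed capture: 20 well-behaved clients, plus, optionally, 300 SYNs
    from 60 spoofed addresses in 198.51.100.0/24 that never complete."""
    pkts: List[Packet] = []
    for i in range(20):
        t = 0.5 + i * 0.1
        pkts.append((t, f"192.0.2.{i}", 40000 + i, "S"))
        pkts.append((t + 0.05, f"192.0.2.{i}", 40000 + i, "A"))
    pkts.append((9.5, "192.0.2.99", 41000, "S"))   # fresh SYN, still within the timeout
    if with_flood:
        for i in range(300):
            pkts.append((2.0 + i * 0.01, f"198.51.100.{i % 60}", 1024 + i, "S"))
    return pkts
```

`analyze_handshakes(build_packets(True), now=10.0)` reports 300 stale half-open entries against 20 completed handshakes; the clean capture reports none. A SYN that is merely young (the one at 9.5 s) is deliberately not counted, which is why the check is on age rather than on "SYN without ACK". Kernel-level SYN cookies mitigate the same condition by not reserving a slot until the ACK arrives, so the count from this detector is what such a mitigation would keep bounded.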
2. NTP AMPLIFICATION

In this attack, the attacker aims to bombard the victim's network resources by amplifying the response to many times the size of the original request. The larger the response, the more resources it consumes, ultimately resulting in denial of service.

3. SLOWLORIS
In the Slowloris attack, a client opens a connection and sends a request; the listener opens a socket and a new connection is established, and then another, and another, and so on. The attacker exploits the process-based server model by opening many concurrent connections and holding them open for as long as possible with the least amount of bandwidth possible, ultimately resulting in denial of service.

4. PING OF DEATH

In a ping of death attack, the attacker abuses IP fragmentation. When a large IP packet has to be transferred, it is split into multiple small fragments, and the recipient host reassembles the fragments into one packet. The attacker manipulates the fragment sizes so that, upon reassembly, the recipient ends up with a packet larger than the maximum allowed. This overflows the memory allocated for the packet and ultimately results in denial of service.
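The check a receiver needs so that the ping of death above (and the overlapping-fragment Teardrop attack from the layer 3 list) is dropped rather than written past the reassembly buffer, as an added example written for this edit and not code from the guide. It models a fragment as (offset in 8-byte units, more-fragments flag, payload) and assumes a 20-byte IPv4 header with no options, so the payload limit is 65,535 minus 20 bytes; all fragment sets are constructed.

```python
"""Added example, not from the guide: the bounds check an IP reassembler
needs so that a ping of death (or a Teardrop-style overlapping fragment)
is rejected instead of overrunning the reassembly buffer. Fragments are
constructed as (offset in 8-byte units, more-fragments flag, payload)."""
from typing import List, Tuple

IPV4_MAX_TOTAL = 65535          # largest total length an IPv4 datagram can declare
IPV4_HEADER = 20                # assumption: minimum header, no options
MAX_DATA = IPV4_MAX_TOTAL - IPV4_HEADER   # 65,515 bytes of payload at most

Fragment = Tuple[int, bool, bytes]


class ReassemblyError(ValueError):
    """Raised for any fragment set that must be dropped rather than reassembled."""


def reassemble(fragments: List[Fragment]) -> bytes:
    """Validate every fragment before touching a buffer, then join them."""
    spans = []
    total = None
    for offset_units, more, payload in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if offset_units > 0x1FFF:
            raise ReassemblyError(f"offset {offset_units} does not fit in 13 bits")
        if end > MAX_DATA:
            # This is the ping-of-death case: a legal-looking fragment whose
            # reassembled end lies beyond what any IPv4 datagram may hold.
            raise ReassemblyError(f"fragment ends at byte {end}, beyond {MAX_DATA}")
        if more and len(payload) % 8:
            raise ReassemblyError("non-final fragment length must be a multiple of 8")
        if not more:
            if total is not None:
                raise ReassemblyError("more than one final fragment")
            total = end
        spans.append((start, payload))
    if total is None:
        raise ReassemblyError("final fragment missing; cannot size the datagram")
    spans.sort(key=lambda s: s[0])
    expected = 0
    for start, payload in spans:
        if start != expected:      # a gap, or a Teardrop-style overlap
            raise ReassemblyError(f"fragment at {start} does not continue from {expected}")
        expected = start + len(payload)
    if expected != total:
        raise ReassemblyError("data continues past the final fragment")
    buf = bytearray(total)         # sized from validated lengths only
    for start, payload in spans:
        buf[start:start + len(payload)] = payload
    return bytes(buf)


def rejects(fragments: List[Fragment]) -> bool:
    """True if the reassembler drops this fragment set."""
    try:
        reassemble(fragments)
    except ReassemblyError:
        return True
    return False
```

The order of the checks matters: the buffer is only allocated after every offset and length has been validated and the fragments have been shown to be contiguous, so an oversized or overlapping fragment can never influence how much memory is written. The classic oversized case is a final fragment at offset 8191 units (byte 65,528) with 8 or more bytes of payload, which ends at or beyond 65,536.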
Attackers generally target websites, databases and enterprise networks by gathering information on their weaknesses. But apart from exploitable vulnerabilities, there are other causes of DDoS attacks as well.

• EASY AVAILABILITY OF TOOLS

The easy accessibility of the many attack tools floating around in the public domain is one of the major causes of networks or organizations frequently coming under DDoS attack. With the evolution of new DDoS attack tools, several novel and practical machine learning approaches have been used for DDoS attack detection and prevention; the relevance and effectiveness of such methods are judged mostly by their classification accuracy and execution time. One can easily set up and use these tools to launch attacks by sending unsolicited traffic to the victim from distributed armies of bots or compromised computers on the Internet. This unsolicited traffic is enough to paralyze the victim so that it no longer functions or provides service to legitimate users, by consuming all its resources and network bandwidth.

• VULNERABLE ARCHITECTURE OF THE INTERNET

The vulnerable architecture of the Internet is another major cause: it allows the attacker to easily spoof the source IP (SIP) addresses of attack packets, which makes the attack harder to detect. Further, detection of malicious traffic becomes even harder if its size and pattern are like those of legitimate traffic, making the malicious traffic unobtrusive.
Several design issues of the original Internet are also responsible. Some of these are (i) the existence of complex edges but a simple core, (ii) the link bandwidth mismatch between core and edge networks, (iii) simple routing principles, (iv) the lack of centralized network management, and (v) the habit of sharing reserved resources across data centers.

• TROUBLE-FREE AVAILABILITY OF BOTNETS

Another major cause is the easy availability of botnets on the black market. One can easily rent a botnet consisting of millions of Internet of Things (IoT) devices. Such a botnet is available to rent for a specific period, such as a week, or for one or two attacks.
We refer to a DDoS attack as fast when it generates many packets or extremely high-volume traffic within a very short time, say a fraction of a minute, to disrupt service. An attack is referred to as slow if it takes minutes or hours to complete.

To counter the rapid emergence of external and internal threats to networks and resources, researchers have looked at a variety of approaches such as intrusion detection systems (IDS), intrusion prevention systems (IPS), intrusion response systems (IRS), and intrusion tolerance systems (ITS). Among these, IDS and IPS are important components of a layered security infrastructure.

To execute an attack on a network or a system, an attacker generally follows four main steps:
(a) the attacker scans the whole network to find and recruit vulnerable hosts;
(b) the vulnerable hosts are then compromised for exploitation by the attacker using malware or backdoor programs;
(c) the attacker infects the compromised hosts to create a base for effectively launching an attack; and
(d) finally, the attack is launched using the compromised hosts.
A generic DDoS defense solution comprises three modules: monitoring, detection and reaction. In this section, I will focus mainly on monitoring and detection. In the next section, we will see the reaction module.

• MONITORING

The monitoring module collects the necessary information on the state of the network at various points within the network. For the identification of unauthorized services, one should look not only at external traffic but also at internal traffic; otherwise, one will miss internal hosts involved in unauthorized activities.

• DETECTION

The detection module identifies any misuse or anomalous behavior in a network and generates reports for the administrators. Intrusion detection is primarily focused on identifying possible intrusive patterns, incidents, or activities, and reporting them in a timely and meaningful manner. A detection module analyzes relevant network traffic information to identify possible security breaches, which include both misuses and anomalies.
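A toy detection module with both halves, a misuse detector that matches definite patterns and an anomaly detector that flags deviation from a traffic baseline, as an added example written for this edit and not code from the guide. The LAND signature (source equal to destination) is taken from the layer 4 list earlier in the guide; the ICMP size rule, the EWMA baseline parameters, the victim address and all packet summaries are constructed for illustration.

```python
"""Added example, not from the guide: a toy detection module with the two
halves the guide describes, a misuse (signature) detector and an anomaly
(baseline deviation) detector, run over constructed packet summaries."""
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed packet summary: (timestamp, protocol, src IP, dst IP, length in bytes)
Packet = Tuple[float, str, str, str, int]
VICTIM = "203.0.113.10"   # constructed server address (RFC 5737 range)

# Misuse side: definite patterns. LAND is the only one taken from the guide;
# the ICMP size threshold is a constructed rule for illustration.
SIGNATURES: Dict[str, Callable[[Packet], bool]] = {
    "LAND (src == dst)": lambda p: p[2] == p[3],
    "oversized ICMP (>1400 B)": lambda p: p[1] == "icmp" and p[4] > 1400,
}


def misuse_detect(packets: List[Packet]) -> Dict[str, int]:
    """Count matches per signature; anything without a signature is invisible here."""
    hits: Counter = Counter()
    for p in packets:
        for name, matches in SIGNATURES.items():
            if matches(p):
                hits[name] += 1
    return dict(hits)


def anomaly_detect(packets: List[Packet], interval: float = 1.0, alpha: float = 0.3,
                   factor: float = 4.0, warmup: int = 3) -> List[Tuple[int, int, float]]:
    """Flag intervals whose packet count exceeds `factor` times an EWMA baseline.
    Returns (interval, count, baseline) per alert."""
    counts = Counter(int(p[0] // interval) for p in packets)
    if not counts:
        return []
    baseline = None
    alerts = []
    for i, slot in enumerate(range(min(counts), max(counts) + 1)):
        c = counts[slot]
        if baseline is None:
            baseline = float(c)
            continue
        if i >= warmup and c > factor * max(baseline, 1.0):
            alerts.append((slot, c, round(baseline, 1)))
            continue           # do not let attack traffic drag the baseline up
        baseline = alpha * c + (1 - alpha) * baseline
    return alerts


def build_sample_traffic() -> List[Packet]:
    """Constructed 10 s of traffic: 50 normal packets per second, one oversized
    ICMP echo in second 2, two LAND packets in second 4, and a UDP flood of
    2000 packets per second from spoofed sources in seconds 7 to 9."""
    pkts: List[Packet] = []
    for s in range(10):
        for j in range(50):
            proto = "tcp" if j % 3 else "udp"
            pkts.append((s + j / 50, proto, f"192.0.2.{j}", VICTIM, 120 + j))
    pkts.append((2.5, "icmp", "192.0.2.77", VICTIM, 1500))
    pkts += [(4.1, "tcp", VICTIM, VICTIM, 40), (4.2, "tcp", VICTIM, VICTIM, 40)]
    for s in range(7, 10):
        for j in range(2000):
            pkts.append((s + j / 2000, "udp", f"10.{s}.{j // 250}.{j % 250}", VICTIM, 64))
    return pkts
```

On the sample traffic, `misuse_detect` reports the two LAND packets and the oversized ICMP echo but says nothing about the UDP flood, because no signature describes it; `anomaly_detect` flags seconds 7, 8 and 9 because their volume is far above the baseline, but it would also flag a flash crowd. That is the trade-off the text describes: signatures give few false alarms and miss the unknown, baselines catch the unknown and need a second look.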
Detection techniques for distributed denial-of-service attacks:

• MISUSE DETECTION

Misuse detection searches for definite patterns (i.e., signatures, rules, or activities) in the captured network traffic to identify previously known DDoS intrusion types. Such detection techniques usually exhibit high detection rates with low numbers of false alarms. However, a misuse detection technique fails to detect unknown DDoS intrusion types.

• ANOMALY-BASED DETECTION

Anomaly-based detection techniques aim to identify new intrusion types in addition to detecting known types. Such techniques analyze network traffic behavior and attempt to detect unusual patterns at an early stage.

The three main symptoms of a DDoS attack are as follows:
1. A website becomes extremely slow.
2. A website does not load at all.
3. A website becomes unavailable.

In the next section, you will get to know about precautionary measures and what to do when you are under attack.

Intrusion prevention is performed by a software or hardware device that can intercept detected threats in real time and prevent them from moving closer toward victims. It is a useful approach against DDoS, flooding, and brute-force attacks. Today, the general lack of adequate security infrastructure across the Internet is a major cause of the tremendous pressure faced by Internet Service
Providers to prevent and mitigate DDoS attacks on their infrastructure and services on their own.

For effective prevention, one must be able to detect the attack source(s) early and then initiate appropriate action(s) against them. Since DDoS is a coordinated attack, it is not straightforward to identify the attack sources in real time. Further, spoofing of source IP addresses in the attack packets complicates attempts at reliable DDoS prevention. Most prevention methods act upon detection of DDoS attacks in one or more of the following ways: (a) by reconfiguring security mechanisms such as firewalls or routers to block future attacks, (b) by removing malicious content from the attack traffic by filtering out possible attack packets, or (c) by appropriate browser settings and by reconfiguring other security and privacy controls to avoid the occurrence of future attacks.

However, for effective DDoS prevention, identification of the true attack source(s) is an essential task, although it is a daunting one due to the open and decentralized structure of the Internet. IP traceback is one powerful candidate among the mechanisms used to identify the true source of attacks in a network.

➢ IP TRACEBACK

As discussed earlier, in a DDoS attack, attackers mostly use zombies or reflectors to send attack packets to the victim machine using spoofed IP addresses. One can attempt to detect the attack source manually as well as automatically. It may be performed either at the victim end or from intermediate routers and traced back to the original source. Typically, a hop-by-hop
traceback mechanism is used from router to router. Therefore, for successful identification of the attack source, cooperation among networks is essential. However, manual traceback is a tedious and time-consuming process. To expedite the process, researchers have introduced automated traceback schemes.

➢ LINK TESTING

In link testing, the victim tests each of its incoming links as a probable input link for DDoS attack traffic. If the test result is positive, it contacts the upstream router(s) closest to the victim. The contacted router then initiates an interactive traceback process recursively with its upstream routers until the true source of the attack is identified. This scheme has at least three main advantages: (i) it can reliably discover the attackers behind flooding attacks, (ii) it is cost effective due to relatively low network overhead, and (iii) it can easily be replicated in a distributed manner. It has several limitations as well. One major limitation is the generation of additional traffic, which usually consumes significant network resources.

One can apply link testing to detect attack sources in two distinct ways: (i) input debugging and (ii) controlled flooding. In the input debugging scheme, the first task is to recognize an attack at the victim. Once an attack is recognized, the next task is to generate an attack signature based on the common features of attack packets. The victim then sends a message to an upstream router for installation of an input debugging filter on the egress port. It is expected that such a filter will reveal the associated
input ports and the upstream routers responsible for the generation of the attack traffic. The process is repeated recursively until the source of the attack is detected. This scheme is often successful in identifying the true sources of DDoS attacks because of its distributed nature. Its limitations include the following: (i) the cost of managing the resources used to support prevention is significantly high, (ii) the network and router overhead is large, (iii) it consumes a large amount of time to communicate with upstream routers, and (iv) it requires skilled network professionals for effective traceback operation.

The controlled flooding traceback scheme, introduced by Burch and Cheswick, works automatically without the involvement of network operators. The scheme floods the incoming links of the router with high-rate (bursty) network traffic and then observes how the attack traffic responds. It chooses the incoming links nearest the victim and uses a pre-generated map of the Internet topology, including a few selected hosts. There is a high dropping probability for packets (including the attacker's packets) traveling across the loaded links. The victim can infer the attack links by computing the changes in packet arrival rates. This process is then recursively applied on the upstream routers until the source of the attack is reached. It is a very effective traceback technique. However, like the previous schemes, it also suffers from three major limitations: (i) it has high management overhead, (ii) it requires coordination among routers, switches or even ISPs, and (iii) it requires skilled network administrators.
➢ PACKET MARKING

Packet marking is a significant recent addition to the techniques used for identifying the origin of DDoS attacks. In a packet-marking scheme, routers mark the packets they forward, either deterministically or probabilistically, with their own addresses. So, when an attack occurs, the victim uses the marking information carried in the packets to trace back to the attack source.

➢ PACKET LOGGING

In the packet logging approach, routers store packet information so that it can be used to trace an attack long after the attack has completed. One can use data mining techniques on the logged packet data to determine the path that the packets may have traversed. The main advantages of this method are (i) it stores packet log information historically for future investigation, (ii) it is easy to trace back, and (iii) it can easily be deployed in a distributed manner. However, it requires a large amount of storage for historical data and has high network overhead and high management overhead.

➢ ICMP TRACEBACK MESSAGES

In this mechanism, a router generates ICMP traceback messages that include the content of forwarded packets along with information about adjacent routers, and sends them to the destination. When flooding attacks occur, the victim uses these ICMP messages to construct attack graphs back to the attacker. The traceback messages help the victim find the original source of the attack.
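How the victim recovers a path from probabilistic marks, as an added example written for this edit and not code from the guide: it simulates the simplest probabilistic scheme, node sampling as described by Savage et al., in which each router overwrites a single address field with its own address with probability p. Because a router near the victim has fewer routers after it that could overwrite its mark, the victim can order routers by mark frequency. The router addresses, path length, marking probability and packet count are constructed.

```python
"""Added example, not from the guide: a simulation of probabilistic packet
marking in its simplest form, the node-sampling scheme of Savage et al.
Each router on the path overwrites one address field in the packet with
its own address with probability p. Routers close to the victim have
fewer routers after them that could overwrite the mark, so the victim
can recover the path by sorting observed marks by frequency. Router
addresses, path length and traffic volume are constructed."""
import random
from collections import Counter
from typing import List, Optional


def mark_packets(path: List[str], n_packets: int, p: float,
                 rng: random.Random) -> List[Optional[str]]:
    """`path` lists routers from the attack source towards the victim.
    Returns the mark carried by each packet on arrival (None = never marked)."""
    marks: List[Optional[str]] = []
    for _ in range(n_packets):
        mark = None
        for router in path:            # traversal order: farthest router first
            if rng.random() < p:
                mark = router          # later routers may overwrite earlier marks
        marks.append(mark)
    return marks


def expected_mark_share(distance: int, p: float) -> float:
    """Share of packets whose surviving mark names the router `distance` hops
    from the victim: it marked (p) and none of the distance-1 routers after it did."""
    return p * (1 - p) ** (distance - 1)


def reconstruct_path(marks: List[Optional[str]]) -> List[str]:
    """Victim side: order routers by mark frequency, nearest router first."""
    counts = Counter(m for m in marks if m is not None)
    return [router for router, _ in counts.most_common()]


def simulate(path: List[str], n_packets: int = 20000, p: float = 0.2,
             seed: int = 7) -> List[str]:
    """End-to-end run with a fixed seed so the result is reproducible."""
    rng = random.Random(seed)
    return reconstruct_path(mark_packets(path, n_packets, p, rng))


# Constructed four-hop path, written from the attack source to the victim.
PATH = ["10.0.4.1", "10.0.3.1", "10.0.2.1", "10.0.1.1"]
```

`simulate(PATH)` returns the routers nearest-first, i.e. `PATH` reversed; with p = 0.2 the expected mark shares are 0.2, 0.16, 0.128 and 0.1024 for distances 1 to 4, so 20,000 packets separate them comfortably. The same arithmetic shows the scheme's limits: a packet arrives unmarked with probability (1 - p)^d, and with only one address field a source can pre-fill the field and have that forgery survive with the same probability, which is why deployable schemes carry edge and distance information rather than a single address.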
This mechanism relies on an input debugging capability that is not enabled in many router architectures. As a result, it may be difficult to establish a connection between a participating router and a non-participating router. ICMP traceback is effective in terms of network overhead, as it incurs low management cost. Moreover, the approach can be distributed easily and is able to effectively detect attack paths during flooding attacks.
No matter what you think, there is no foolproof method to stop a DDoS attack. With the advancement of technology, hackers are also finding new ways to attack that no one can detect and prevent. Still, there are some ways through which you can stop these attacks or minimize your loss. Let's see some ways through which you can secure your system.

REACTION

A DDoS defense system typically reacts with two basic components, viz., a passive and an active component. The passive component, composed of a set of procedures, inspects the system's configuration files to detect inadvisable settings, inspects the password files to detect inadvisable passwords, and inspects other system areas to detect policy violations. In contrast, the active component, composed of another set of procedures, reacts to known methods of attack and generates system responses. It can respond to suspicious events in several ways, including displaying an alert, logging the event, or even paging an administrator.

First, I have listed the proactive steps you should take before an actual attack takes place. The second part covers what to do when your system is under attack.
Below are the proactive steps you should take to minimize the impact of a DDoS attack.

1. BUY A DDOS ATTACK PROTECTION SERVICE

Buy a DoS/DDoS protection service that will detect abnormal traffic flows to your website and divert the traffic to another platform. This will filter out the excess traffic sent to your website, so your network resources remain unexhausted.

2. DISASTER RECOVERY PLAN

Develop a disaster recovery plan to ensure successful mitigation and communication when your website is under attack.
3. SECURE YOUR SYSTEM WITH GOOD PROTECTION SOFTWARE

It is also important to secure your system against any form of malpractice by an attacker by way of malicious and backdoor programs. For that, you need to regularly update and maintain good antivirus protection on all your devices. Moreover, install a firewall to restrict the traffic incoming to and outgoing from your website. Furthermore, you should always follow good security practices and keep track of how many people have the sensitive information needed to access your system.
What to do when you are experiencing a DDoS attack.

There are three approaches to mitigating a DDoS attack:
1. DO IT YOURSELF
2. OUTSOURCE
3. HYBRID

DO IT YOURSELF

You can do it yourself by buying more hardware capacity and other mitigation equipment.
The main benefits of doing it yourself are as follows.

1. LOW DELAY

When you do DDoS mitigation yourself, the biggest benefit is the low delay in taking the required action. When you are doing everything yourself, you are also continuously monitoring, and the moment an attack takes place is the moment you can start mitigating it.

2. APPLICATION SPECIFIC

Another big advantage of doing it yourself is that you can tailor mitigation to a specific application. For instance, you can tune the mitigation equipment to the gaming industry specifically and ignore other industries if you want.

3. BETTER INSPECTION

Another advantage is that your systems can inspect both directions of the traffic.

4. KEYS STAY IN THE COMPANY

Also, when there is TLS-encrypted traffic, the keys for it stay with the company.
The main drawbacks of doing it yourself are as follows.

1. FLUCTUATION IN NETWORK CAPACITY

The biggest drawback when you are doing it yourself is that there are high fluctuations in the required network capacity. You cannot foresee how much to overprovision: double, triple, ten times? The attack can be of any size, and you cannot change your capacity every time, let alone immediately.

2. HIGH REQUIREMENTS

To do mitigation yourself, you must consider and meet many requirements. First, you need bandwidth, a monthly recurring expense which adds up, plus compute and network hardware. You also need qualified personnel who can take care of the system, and sadly they are hard to find, expensive and hard to retain as well. You also need the following:
• traffic – 10GBps = $2,000/mo (NA)
• colocation space – $400/mo
• power – depends on equipment and location
• equipment – min $20,000 per 10GBps port
• personnel – the largest part, fluctuates based on location.
And you need them in many locations, with multiple per location.
Now, here is whether you should go for this method or not. Before concluding, consider these points:
• At present, DDoS attacks take place at a very large scale.
• Infrastructure is very expensive to build and maintain.
• It requires a significant amount of know-how.

Therefore, I recommend that unless you host a very large site, it's better to leave it to the professionals.

OUTSOURCING TO PROFESSIONALS

The second approach is to hire professionals and let them do all the work while you just sit back, relax, and pay. There are DDoS mitigation service providers and Content Delivery Networks (CDNs) available in the market. Their price is based on (1) the size of the attack and (2) the volume of clean traffic. There are also two types of services: (1) on-demand DDoS mitigation and (2) always operational.
ON-DEMAND DDOS MITIGATION

In on-demand DDoS mitigation, mitigation only takes place when a system is under attack and only until the mitigation is completed. It has its own benefits and drawbacks, as discussed below.

1. PROTECTS MOST APPLICATIONS FROM VOLUMETRIC ATTACKS

One major benefit of on-demand DDoS mitigation is that it works very well when it comes to protecting your system from volumetric attacks.

2. EASIER TO DEPLOY OFF-LINE
On-demand DDoS mitigation is very easy to deploy. All you need to do is have a contract with the firm, and when you need it, they will deploy to ensure maximum protection.

3. GOOD FOR HIGH ATTACK VOLUME

The biggest flaw of doing mitigation yourself is that you cannot handle high attack volumes. When you outsource it, you get rid of this issue very easily.

4. HARDER TO BYPASS

Another major benefit of on-demand mitigation is that the services you get from professionals are harder to bypass. Unless there is a "once in 3-4 years" attack, their mitigation services are hard to crack.

Every coin has two sides, and every solution also has another side. The drawbacks of on-demand mitigation are as follows.

1. DELAY IN DEPLOYMENT

This is not the case in the do-it-yourself approach, but outsourcing and taking on-demand help takes some time to deploy. There is a delay between the site being attacked and its traffic switching over to the service provider.
2. SHARING OF KEYS

Another major drawback of on-demand DDoS mitigation is that it is difficult to terminate Transport Layer Security (TLS) without sharing keys.

3. INCREASED LATENCY

The whole process from detection to mitigation takes time when it comes to on-demand mitigation. Therefore, it increases the latency of the whole procedure.

4. GRE TUNNEL COMPLEXITIES

When it comes to securing your network with on-demand mitigation, it creates complexity in the Generic Routing Encapsulation (GRE) tunnel. GRE tunnels encapsulate various network layer protocols inside virtual point-to-point links carried over the Internet Protocol.
ALWAYS OPERATIONAL DDOS MITIGATION

If you want the best protection possible for your system and have a good budget, this is something you should go after. Here you get complete protection for your system and, moreover, it can increase your website performance if used with a CDN (Content Delivery Network).
TOOLS USED BY ATTACKERS

There is a large and increasing pool of DDoS attack tools available on the Internet. Most tools are freely available and are powerful enough to crash networks and websites. Among these, LOIC and HOIC are very effective at launching a DDoS attack within a short time. LOIC can generate attack packets using the TCP, UDP, and HTTP protocols, whereas HOIC supports only the HTTP protocol. Although TFN, Trinoo, and Stacheldraht are also used to launch DDoS attacks, these tools require substantial customization to use on an experimental testbed. Further, they are not as powerful as LOIC. However, it must be noted that the use of these tools to launch an attack on a public network is unethical and a crime.

Building an adequate defense against DDoS attacks is a non-trivial problem for the network administrator as well as the network security researcher. If attackers have high skill levels, an existing defense may not be able to handle all types of new DDoS attacks in near real time. Since a DDoS attacker uses many compromised nodes to flood the network instantly, early detection of an attacker's preparatory activities is essential so that the attack can be mitigated immediately.
TOOLS/SERVICES USED FOR PROTECTION

There are many tools and services available on the Internet, and here is a list of the best among them:
1. Cloudflare
2. F5 Networks
3. Arbor Networks
4. Incapsula
5. Black Lotus
6. Akamai
7. AWS Shield
8. BeeThink Anti-DDoS Guardian
9. Sucuri
10. Cloudbric
11. Alibaba
12. Radware DefensePro
I hope this guide helped you understand everything about DDoS attacks. Did you learn something new from this guide? Or maybe you have a question. You can drop an email at info@techapprise.com or visit Contact Us.