IBM Cloud Internet Services

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic.

A DDoS attack involves an attacker gaining control of a network of online machines. Computers and other machines are infected with malware, turning each one into a bot. The attacker then has remote control over the group of bots (called a botnet). The attacker can then direct the machines by sending updated instructions to each bot using a remote control.

Different DDoS attack vectors target varying components of a network connection. A network connection on the internet is composed of many different components or “layers.” Like building a house, each step in the model has a different purpose. The OSI model is a conceptual framework used to describe network connectivity in seven distinct layers.

Mitigating a multi-vector DDoS attack requires various strategies to counter different trajectories. The more complex the attack, the more difficult to separate from normal traffic – the goal of the attacker is to “blend in” as much as possible. To overcome a complex attempt at disruption, a layered solution will give the greatest benefit. 

A web application firewall (WAF) helps protect web applications by filtering and monitoring HTTP traffic between a web application and the internet. By deploying a WAF in front of a web application, a shield is placed between the web application and the internet. A WAF protects the server from exposure by having clients pass through the WAF before reaching the server.

A WAF that operates based on a blacklist (negative security model) protects against known attacks. Conversely, a WAF based on a whitelist (positive security model) only admits traffic that has been pre-approved. Both blacklists and whitelists have their advantages and drawbacks, which is why many WAFs offer a hybrid security model, which implements both.

A content delivery network (CDN) refers to a geographically distributed group of servers, working together to provide fast delivery of internet content. A CDN quickly transfers assets needed for loading internet content. The popularity of CDN services continues to grow, and today most web traffic is served through CDNs.

To improve speed and connectivity, a CDN will place servers at exchange points between different networks. These internet exchange points (IXPs) are the primary locations where different internet providers connect to provide each other access to traffic originating on their different networks.

For websites loading content, users drop off quickly as a site slows down. The globally distributed nature of a CDN means reduced distance between users and website resources. Instead of having to connect to wherever the origin server of a website may live, a CDN lets users connect to a geographically closer data center. Less travel time means faster service.

The Domain Name System (DNS) is the phonebook of the internet. People access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load internet resources.

DNS resolution involves converting a host name (such as www.ibm.com) into a computer-friendly IP address (such as 192.168.1.1). Each device on the internet is assigned an IP address that’s used to find the device. When loading a web page, what a user types into their browser’s address field is translated into the IP address needed to locate that web page.

The DNS resolver is the first stop in the DNS lookup and is responsible for dealing with the user who made the initial request. The resolver starts the sequence of queries that ultimately leads to a URL being translated into the necessary IP address