How do major sites prevent DDoS?

They generally have a very layered approach. Here are some things I've either implemented or seen implemented at large organizations. To your specific question on smaller businesses, you would generally find a 3rd party provider to protect you. Depending on your use case this may be a cloud provider, a CDN, a BGP routed solution, or a DNS-based solution.

Bandwidth Oversubscription - This one is fairly straightforward. As you grow larger, your bandwidth costs drop. Generally large organizations will lease a significantly larger capacity than they need to account for growth and DDoS attacks. If an attacker is unable to muster enough traffic to overwhelm this, a volumetric attack is generally ineffective.

Automated Mitigation - Many tools will monitor netflow data from routers and other data sources to determine a baseline for traffic. If traffic patterns step out of these zones, DDoS mitigation tools can attract the traffic to them using BGP or other mechanisms and filter out noise. They then pass the clean traffic further into the network. These tools can generally detect both volumetric attacks and more insidious attacks such as slowloris.

Upstream Blackholing - There are ways to filter UDP traffic using router blackholing. I've seen situations where a business has no need to receive UDP traffic (i.e. NTP and DNS) to their infrastructure, so they have their transit providers blackhole all of this traffic. The largest volumetric attacks out there are generally reflected NTP or DNS amplification attacks.

Third Party Provider - Even many fairly large organizations fear that monster 300 Gbps attack. They often implement either a DNS-based redirect service or a BGP-based service to protect them in case they suffer a sustained attack. I would say CDN providers also fall under this umbrella, since they can help an organization stay online during an attack.

System Hardening - You can often configure both your operating system and your applications to be more resilient to application layer DDoS attacks. Things ranging from ensuring enough inodes on your Linux server to configuring the right number of Apache worker threads can help make it harder for an attacker to take down your service.
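The "Automated Mitigation" and "Upstream Blackholing" points above describe two detection ideas: a statistical baseline over flow data, and recognising reflected NTP/DNS amplification traffic. The following is an added illustration, not code from this answer or from any mitigation product; the flow summaries, interval numbers and the 3-sigma / 400-byte thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-interval flow summaries (not real NetFlow data):
# (interval, proto, src_port, dst_port, bytes, packets)
FLOWS = [
    # five quiet intervals: normal HTTPS plus small DNS replies
    (0, "tcp", 443, 51000, 950_000, 1_200), (0, "udp", 53, 40000, 12_000, 100),
    (1, "tcp", 443, 51001, 1_010_000, 1_250), (1, "udp", 53, 40001, 11_500, 95),
    (2, "tcp", 443, 51002, 980_000, 1_210), (2, "udp", 53, 40002, 12_400, 104),
    (3, "tcp", 443, 51003, 1_030_000, 1_300), (3, "udp", 53, 40003, 11_900, 99),
    (4, "tcp", 443, 51004, 990_000, 1_230), (4, "udp", 53, 40004, 12_100, 101),
    # interval 5: normal HTTPS plus a flood of large NTP "responses" nobody asked for
    (5, "tcp", 443, 51005, 1_000_000, 1_240), (5, "udp", 123, 40005, 48_000_000, 100_000),
]
BASELINE = range(0, 5)  # assumed: the learning window used to build the baseline

# UDP services commonly abused as reflectors; a reply from these ports with a
# large average packet size is the classic amplification signature.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


def bytes_per_interval(flows):
    """Total bytes observed in each interval, summed over all flows."""
    totals = defaultdict(int)
    for interval, _proto, _sport, _dport, nbytes, _pkts in flows:
        totals[interval] += nbytes
    return dict(totals)


def volumetric_alerts(flows, baseline=BASELINE, sigma=3.0):
    """Flag intervals whose byte count exceeds mean + sigma*stddev of the baseline."""
    totals = bytes_per_interval(flows)
    base = [totals.get(i, 0) for i in baseline]
    threshold = mean(base) + sigma * pstdev(base)
    return sorted(i for i, b in totals.items() if i not in baseline and b > threshold)


def reflection_suspects(flows, min_avg_pkt=400):
    """UDP flows sourced from a reflector port with large average packets.

    Returns (interval, service, average packet size) so an operator can decide
    whether to ask transit providers to blackhole that traffic upstream."""
    hits = []
    for interval, proto, sport, _dport, nbytes, pkts in flows:
        if proto == "udp" and sport in REFLECTOR_PORTS and pkts and nbytes / pkts >= min_avg_pkt:
            hits.append((interval, REFLECTOR_PORTS[sport], nbytes // pkts))
    return hits


if __name__ == "__main__":
    print("volumetric alerts:", volumetric_alerts(FLOWS))   # [5]
    print("reflection suspects:", reflection_suspects(FLOWS))  # [(5, 'NTP', 480)]
```

On real data the baseline would be computed per destination prefix and per protocol rather than as one global total, and the thresholds would be tuned to the site's own traffic.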


While there are no real countermeasures for DDoS, there are some ways to control it.
First is by using a Content Delivery Network, using several data centers across the world to serve content to visitors from different geographical areas. This helps to eliminate single points of failure and makes it harder to exhaust resources or saturate the links, and balances the attack load.
Another way is to work closely with major backbones, ISPs and the respective organizations to block the attacker IPs in the most specific network possible to prevent their traffic from reaching their targets. Hope it helps.


As a mid-sized company, we use a DoS mitigation service to reduce the risk of our website being knocked offline. Our site resolves to the provider's IP address. The provider then forwards the request to our web server. Our web server only communicates with the provider.

They then use their tools to determine whether certain attacks are actual attacks by using a variety of monitoring and correlation tools. If there is deemed to be an attack, the provider does not forward the request to our web servers and soaks up the attack. In order to be able to perform this type of mitigation, your capacity must exceed what the attacker is trying to deliver. With larger companies that normally expect a larger bandwidth capacity, I would expect that they either outsource to ISPs or create an internal system to perform the same mitigation strategy.
