DDoS Protection: Attack Types, Mitigation, Scrubbing Centers, CDN Protection and BGP Flowspec
DDoS (Distributed Denial of Service) is a serious threat to the availability of online services. Attack types fall into volumetric, protocol, and application-layer attacks; mitigation combines several techniques; scrubbing centers filter malicious traffic before it reaches the origin; CDN protection spreads traffic across many edge locations; and BGP Flowspec lets ISPs/service providers create traffic-filtering rules in real time.
DDoS attacks grow larger every year: record attacks exceed 3 Tbps, botnets contain millions of devices (compromised IoT devices), and attack-as-a-service lets anyone launch a DDoS for a few dollars. An organization without DDoS protection can be taken offline within minutes.
DDoS Attack Types
| Category | Layer | Goal | Examples |
|---|---|---|---|
| Volumetric | L3-L4 | Saturate bandwidth (flood the pipe) | UDP flood, ICMP flood, DNS amplification, NTP amplification, memcached |
| Protocol | L3-L4 | Exhaust server/firewall resources | SYN flood, ACK flood, fragmentation, Smurf attack |
| Application | L7 | Exhaust application resources | HTTP flood, Slowloris, RUDY, DNS query flood, API abuse |
Volumetric Attacks
| Attack | How | Amplification Factor |
|---|---|---|
| DNS Amplification | Spoof source IP + query open DNS resolvers → large responses flood the victim | 28-54× |
| NTP Amplification | Spoof source IP + monlist command to NTP servers | 556× |
| Memcached | Spoof source IP + query open memcached servers | 10,000-51,000× |
| SSDP Amplification | Spoof source IP + M-SEARCH to UPnP devices | 30× |
| UDP Flood | Send massive UDP packets to random ports | 1× (no amplification, pure volume) |
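Because reflected amplification traffic arrives from the reflector's service port (53, 123, 11211, 1900) rather than from the attacker, it has a recognisable shape in flow data: many distinct source IPs, the same UDP source port, very large average packets, and a single victim. The detector below is an added example, not code from the article; the flow records are constructed NetFlow-style tuples, the thresholds are assumptions, and the amplification factors are the upper bounds from the table above, used only to estimate how little traffic the attacker had to send.

```python
# Added example (not from the original article): flag reflection/amplification
# floods in NetFlow-style records. All sample flows below are constructed.
from collections import defaultdict

# UDP source ports abused for reflection, with the article's (upper-bound)
# amplification factors for a rough estimate of attacker-side volume.
REFLECTOR_PORTS = {
    53: ("DNS", 54),
    123: ("NTP", 556),
    11211: ("memcached", 51000),
    1900: ("SSDP", 30),
}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7",  11211, "203.0.113.10", 40211, "udp", 800, 1_100_000),
    ("198.51.100.8",  11211, "203.0.113.10", 40211, "udp", 750, 1_050_000),
    ("198.51.100.9",  11211, "203.0.113.10", 40211, "udp", 820, 1_150_000),
    ("192.0.2.50",       53, "203.0.113.10", 53412, "udp",   2,       640),  # ordinary DNS answer
    ("192.0.2.51",      443, "203.0.113.10", 51000, "tcp",  40,    52_000),  # ordinary HTTPS
    ("198.51.100.20",   123, "203.0.113.10", 40211, "udp", 900,   432_000),
    ("198.51.100.21",   123, "203.0.113.10", 40211, "udp", 880,   422_400),
]


def detect_reflection(flows, min_sources=2, min_bytes_per_pkt=400, min_total_bytes=500_000):
    """Group inbound UDP flows by (victim, reflector service port) and report groups that
    look like reflected amplification: several reflectors, large packets, high volume.
    Thresholds are assumptions; tune them to the link size and the observation window."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        g = groups[(dst, sport)]
        g["sources"].add(src)
        g["packets"] += pkts
        g["bytes"] += nbytes

    alerts = []
    for (dst, sport), g in groups.items():
        avg_pkt = g["bytes"] / g["packets"]
        if (len(g["sources"]) >= min_sources
                and avg_pkt >= min_bytes_per_pkt
                and g["bytes"] >= min_total_bytes):
            service, factor = REFLECTOR_PORTS[sport]
            alerts.append({
                "victim": dst,
                "service": service,
                "reflectors": len(g["sources"]),
                "bytes": g["bytes"],
                "avg_pkt_bytes": round(avg_pkt),
                # bytes the attacker needed to send, assuming the table's factor
                "est_attacker_bytes": g["bytes"] // factor,
            })
    # largest group first
    return sorted(alerts, key=lambda a: -a["bytes"])


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

On the constructed sample the memcached group (three reflectors, about 1.4 KB per packet) and the NTP group (two reflectors, 480-byte packets) are reported, while the single legitimate DNS answer and the TCP flow are not. The `est_attacker_bytes` field is the reason amplification matters to a defender: a few hundred kilobytes of spoofed queries are enough to produce the megabytes seen at the victim, so the mitigation has to sit upstream of the victim's link.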
Application Layer Attacks
| Attack | How | Why Difficult |
|---|---|---|
| HTTP Flood | Send legitimate-looking HTTP requests at a high rate | Looks like normal traffic (hard to distinguish) |
| Slowloris | Open connections → send headers slowly → keep connections alive indefinitely | Low bandwidth, high impact (exhausts the connection pool) |
| RUDY (R-U-Dead-Yet) | Send POST with a very long Content-Length → send the body 1 byte at a time | Similar to Slowloris but targets POST handlers |
| DNS Query Flood | Flood the DNS server with random-subdomain queries | Each query requires a DNS lookup (CPU intensive) |
| API Abuse | Send expensive API calls (search, report generation) | Each request consumes significant server resources |
Mitigation Techniques
| Technique | Layer | How |
|---|---|---|
| Rate Limiting | L4-L7 | Limit requests per IP/session → drop the excess |
| SYN Cookies | L4 | Stateless SYN handling → no resources allocated until the 3-way handshake completes |
| Geo-Blocking | L3 | Block traffic from countries outside the target audience |
| Blackhole Routing | L3 | Route attack traffic to a null route (sacrifice the target IP to save the network) |
| BGP Flowspec | L3-L4 | Push traffic-filtering rules to routers via BGP (real-time, granular) |
| WAF Rules | L7 | Block malicious patterns, rate limit by URL/method/user-agent |
| CAPTCHA/JS Challenge | L7 | Challenge bots → only allow humans through |
| Anycast | L3 | Distribute traffic across many locations → dilute the attack across the network |
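The SYN-cookie row is the one technique in the table whose whole point is an encoding trick, so it is worth seeing the arithmetic. The code below is an added example, not from the article or any kernel: it follows the general shape of the scheme Linux uses (server ISN = client ISN + time slot in the top bits + keyed hash with the MSS index folded into the low 24 bits), but the secret, the MSS table, the 60-second slot width and the two-slot validity window are all assumptions chosen for illustration. The server stores nothing per half-open connection; the final ACK alone lets it recover the time slot and MSS and decide whether the handshake is genuine.

```python
# Added example (not from the original article): a simplified SYN-cookie scheme.
# Layout (assumed, modelled on the Linux approach):
#   cookie = client_isn + (time_slot << 24) + ((H(4-tuple, slot) + mss_index) mod 2^24)
import hashlib
import hmac

COOKIE_BITS = 24
COOKIE_MASK = (1 << COOKIE_BITS) - 1
SLOT_SECONDS = 60                       # one time slot per minute (assumption)
MAX_SLOT_AGE = 2                        # reject cookies older than two slots (assumption)
MSS_TABLE = [536, 1300, 1440, 1460]     # MSS values the 24-bit field can encode (assumption)


def _cookie_hash(secret, saddr, daddr, sport, dport, slot):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN to put in the SYN-ACK. Nothing about the connection is stored."""
    slot = int(now) // SLOT_SECONDS
    # largest table entry not above the client's MSS (index 0 if the MSS is tiny)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    h = _cookie_hash(secret, saddr, daddr, sport, dport, slot)
    return (client_isn + (slot << COOKIE_BITS) + ((h + mss_idx) & COOKIE_MASK)) & 0xFFFFFFFF


def check_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now):
    """Validate the handshake's final ACK (ack == cookie + 1).
    Returns the MSS to use for the connection, or None if the cookie is stale or forged."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    slot_now = int(now) // SLOT_SECONDS
    cookie_slot = cookie >> COOKIE_BITS            # only the low 8 bits of the slot survive
    age = (slot_now - cookie_slot) & 0xFF
    if age > MAX_SLOT_AGE:
        return None                                # too old: replayed or delayed ACK
    h = _cookie_hash(secret, saddr, daddr, sport, dport, slot_now - age)
    mss_idx = (cookie - h) & COOKIE_MASK
    # a forged or mismatched cookie decodes to a random 24-bit index, outside the table
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tup = ("198.51.100.5", "203.0.113.10", 51515, 443)
    isn = 0x12345678
    cookie = make_syn_cookie(secret, *tup, isn, 1460, now=1000)
    print("valid ack:", check_syn_cookie(secret, *tup, isn, cookie + 1, now=1100))
    print("stale ack:", check_syn_cookie(secret, *tup, isn, cookie + 1, now=1300))
    wrong = ("198.51.100.5", "203.0.113.10", 51516, 443)   # different source port
    print("wrong tuple:", check_syn_cookie(secret, *wrong, isn, cookie + 1, now=1000))
```

The trade-off the table's "stateless" wording hides is visible in the code: only a handful of MSS values and eight bits of time fit in the ISN, and TCP options such as window scaling that were in the original SYN are lost unless they are also encoded (real kernels use the timestamp option for that). That is why SYN cookies are normally armed only once the SYN backlog fills rather than for every connection.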
Scrubbing Centers
| Feature | Details |
|---|---|
| What it is | Data centers that receive all traffic → filter out the malicious part → forward clean traffic to the origin |
| How | BGP re-routes traffic to the scrubbing center → analyze + filter → GRE tunnel the clean traffic back |
| Capacity | Multiple Tbps of scrubbing capacity (absorbs the largest attacks) |
| Always-On | Traffic passes through the scrubbing center at all times (minimal latency overhead) |
| On-Demand | Scrubbing is activated only when under attack (lower cost, higher latency during activation) |
| Providers | Cloudflare, Akamai/Prolexic, AWS Shield Advanced, Radware, Imperva |
CDN-Based DDoS Protection
| Provider | Capacity | Highlights |
|---|---|---|
| Cloudflare | 280+ Tbps | Free DDoS protection (all plans), largest anycast network, WAF included |
| Akamai | 250+ Tbps | Prolexic scrubbing, Kona WAF, largest CDN edge network |
| AWS Shield | AWS infrastructure | Standard (free, automatic) + Advanced ($3K/month, DRT team, cost protection) |
| Azure DDoS Protection | Azure infrastructure | Basic (free) + Standard (adaptive tuning, attack analytics) |
| Google Cloud Armor | Google infrastructure | Adaptive protection (ML-based), custom WAF rules, Google global network |
BGP Flowspec
| Feature | Details |
|---|---|
| What it is | BGP extension (RFC 5575) that distributes traffic-filtering rules via BGP |
| How | Advertise filter rules (src/dst IP, port, protocol, packet size) → routers apply them inline |
| Actions | Drop, rate-limit, redirect, mark DSCP; applied at the network edge (before the traffic reaches the target) |
| Speed | Deploy a filter within seconds → propagates to every router in the AS via BGP |
| vs ACL | Flowspec: centralized, auto-propagates via BGP; ACL: manual, per-device |
| Use Case | ISP/SP mitigate DDoS at the network edge (before the scrubbing center) |
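The "How" and "Actions" rows describe what a Flowspec rule carries; RFC 5575 defines how it is serialised into a BGP NLRI plus an extended community for the action. The encoder below is an added example written for this article, not code from any router vendor or BGP daemon: it builds the NLRI for the memcached reflection case from the tables above (drop UDP with source port 11211 destined for one victim /32) and the `traffic-rate` extended community that expresses drop (rate 0) or a byte-per-second limit. The victim prefix is a documentation address and the rule itself is constructed.

```python
# Added example (not from the original article): encode an RFC 5575 Flowspec NLRI and the
# traffic-rate extended community (0x8006) that carries the drop / rate-limit action.
import ipaddress
import struct

# Component types from RFC 5575 section 4 (must appear in ascending order in the NLRI)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
# Numeric operator bits: end-of-list, AND-with-previous, less-than, greater-than, equal
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01


def _prefix_component(ctype, cidr):
    """Type 1/2: one byte type, one byte prefix length, then only the significant octets."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """Types 3-11: a list of (operator flags, value) pairs. The operator byte carries the
    value length in bits 4-5 (0=1 byte, 1=2, 2=4) and the end-of-list bit on the last pair."""
    out = bytearray([ctype])
    for i, (flags, value) in enumerate(values):
        if value < 0x100:
            length_code, fmt = 0, ">B"
        elif value < 0x10000:
            length_code, fmt = 1, ">H"
        else:
            length_code, fmt = 2, ">I"
        op = flags | (length_code << 4)
        if i == len(values) - 1:
            op |= OP_END
        out += bytes([op]) + struct.pack(fmt, value)
    return bytes(out)


def flowspec_nlri(components):
    """Sort components by type, concatenate, and prefix the total length:
    one byte below 240, otherwise two bytes with the 0xF0 marker in the high nibble."""
    body = b"".join(c for _, c in sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate_community(bytes_per_second, as_number=0):
    """Extended community type 0x80 subtype 0x06: 2-byte AS + IEEE float32 rate in bytes/s.
    A rate of 0 means discard; any other value is a policer limit."""
    return b"\x80\x06" + struct.pack(">Hf", as_number, float(bytes_per_second))


def build_drop_rule(dst_cidr, ip_proto, src_port):
    """Constructed rule: drop <ip_proto> traffic from <src_port> to <dst_cidr>.
    Returns (NLRI bytes, traffic-rate extended community bytes)."""
    comps = [
        (DEST_PREFIX, _prefix_component(DEST_PREFIX, dst_cidr)),
        (IP_PROTO, _numeric_component(IP_PROTO, [(OP_EQ, ip_proto)])),
        (SRC_PORT, _numeric_component(SRC_PORT, [(OP_EQ, src_port)])),
    ]
    return flowspec_nlri(comps), traffic_rate_community(0)


if __name__ == "__main__":
    # memcached reflection towards a constructed victim address: UDP (17), source port 11211
    nlri, action = build_drop_rule("203.0.113.10/32", 17, 11211)
    print("NLRI  :", nlri.hex())      # 0d 01 20 cb00710a 03 81 11 06 91 2bcb
    print("action:", action.hex())    # 8006 0000 00000000  (rate 0 = discard)
    print("10 Mbit/s policer:", traffic_rate_community(1_250_000).hex())
```

Reading the NLRI back confirms the table's "granular" claim: `01 20 cb00710a` is the /32 destination, `03 81 11` is "protocol == 17" with the end-of-list bit set, and `06 91 2bcb` is "source port == 11211" with a two-byte value. Because the rule is keyed on the reflector's service port rather than on thousands of reflector addresses, one advertisement covers the whole amplification flood, and withdrawing it from the route reflector removes the filter from every router in the AS at once, which is the operational difference from per-device ACLs noted in the "vs ACL" row.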
DDoS Protection Best Practices
| Practice | Details |
|---|---|
| Multi-Layer | Protect L3-L4 (volumetric) + L7 (application), not just one of them |
| CDN + WAF | Cloudflare/Akamai CDN absorbs volumetric attacks + WAF blocks L7 attacks |
| Anycast | Distribute traffic → dilute the attack across multiple PoPs |
| Rate Limiting | Implement rate limits on APIs, login pages, expensive endpoints |
| Runbook | DDoS response playbook → who does what, escalation path, communication plan |
| Testing | Regular DDoS simulation/testing → verify protection works before a real attack |
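Rate limiting appears three times on this page: as the "API Abuse" row (expensive search and report calls), as the L4-L7 mitigation technique, and as the best practice above for APIs and login pages. A plain requests-per-IP counter treats a report export the same as a health check, so the limiter below weights each request by endpoint cost. It is an added example, not code from the article or from any CDN/WAF product; the endpoint costs, bucket size, refill rate and the replayed request stream are all constructed.

```python
# Added example (not from the original article): per-client token bucket with
# cost-weighted endpoints, so expensive calls exhaust a client's budget faster.
import time

# Assumed costs: an expensive report call burns 20x the budget of a cheap request.
ENDPOINT_COST = {"/api/search": 5, "/api/report": 20, "/login": 3}
DEFAULT_COST = 1


class RateLimiter:
    def __init__(self, capacity=60, refill_per_sec=1.0, clock=time.monotonic):
        self.capacity = capacity            # burst allowance in tokens
        self.refill = refill_per_sec        # sustained rate in tokens per second
        self.clock = clock
        self.buckets = {}                   # client key -> (tokens, last_update)

    def allow(self, client, path, now=None):
        """Return True if the request fits the client's budget, False to drop it (HTTP 429)."""
        now = self.clock() if now is None else now
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        if tokens >= cost:
            self.buckets[client] = (tokens - cost, now)
            return True
        self.buckets[client] = (tokens, now)      # keep the refill, drop the request
        return False


def replay(limiter, requests):
    """Feed constructed (timestamp, client, path) requests in time order and return
    per-client counts of allowed and dropped requests."""
    stats = {}
    for ts, client, path in sorted(requests, key=lambda r: r[0]):
        s = stats.setdefault(client, {"allowed": 0, "dropped": 0})
        s["allowed" if limiter.allow(client, path, now=ts) else "dropped"] += 1
    return stats


# Constructed traffic: one client hammers the report endpoint ten times in a second and
# retries half a minute later; another client runs a few searches at a normal pace.
SAMPLE_REQUESTS = (
    [(i * 0.1, "198.51.100.9", "/api/report") for i in range(10)]
    + [(30.0, "198.51.100.9", "/api/report")]
    + [(i * 0.5, "192.0.2.20", "/api/search") for i in range(5)]
)

if __name__ == "__main__":
    print(replay(RateLimiter(capacity=60, refill_per_sec=1.0), SAMPLE_REQUESTS))
```

With a 60-token bucket the first client gets three report calls through, is dropped for the rest of the burst, and is admitted again only after the bucket has refilled, while the second client's searches all pass; the same limiter would also admit sixty cheap requests in a burst before throttling. In production the client key is usually the source IP behind the CDN's forwarded-for header, or the session or API key for authenticated endpoints, and the bucket table needs eviction or a shared store such as Redis so the limit holds across application instances.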
Closing thoughts: DDoS Protection = Defense in Depth
DDoS protection in summary:
Attack types: volumetric (flood bandwidth), protocol (exhaust resources), application (L7 abuse).
Amplification: DNS (54×), NTP (556×), memcached (51,000×): spoof the source, then amplify.
Mitigation: rate limiting, SYN cookies, geo-blocking, blackhole routing, BGP Flowspec, WAF, CAPTCHA.
Scrubbing: redirect traffic → filter out the malicious part → forward clean traffic (Cloudflare, Akamai, AWS Shield).
CDN: Cloudflare (280 Tbps), Akamai (250 Tbps); anycast absorbs volumetric attacks.
BGP Flowspec: distribute filter rules via BGP → apply at the network edge (seconds to deploy).
Best practice: multi-layer (L3-L7), CDN + WAF, anycast, rate limiting, a runbook, regular testing.
Read more about next-generation firewalls (NGFW, IPS) and DNS security (DNSSEC, DoH, DoT) at siamlancard.com, or at icafeforex.com and siam2r.com.