DDoS Protection: Attack Types, Volumetric, Protocol, Application, Mitigation and Scrubbing Centers
A DDoS (Distributed Denial of Service) attack sends an enormous volume of traffic at a service to take it down. Attack types fall into three main categories: volumetric attacks flood bandwidth, protocol attacks exhaust server/firewall resources, and application attacks target specific services. Mitigation combines several techniques, and scrubbing centers are cloud-based cleaning facilities that filter malicious traffic before forwarding it to the origin.
DDoS attacks have increased by 300%+ over the last 5 years: the largest attack recorded = 5.6 Tbps (Mirai botnet variant, 2024), and the average attack size has grown from 1 Gbps to 100+ Gbps. No on-premises firewall can absorb that; cloud-based mitigation is required. Organizations of every size are targets: 35% of DDoS attacks target SMBs, and the cost of downtime = $5,600/minute on average.
DDoS Attack Categories
| Category | Layer | Target | Examples |
|---|---|---|---|
| Volumetric | L3/L4 | Bandwidth / network pipe | UDP flood, ICMP flood, DNS amplification, NTP amplification |
| Protocol | L3/L4 | Server/firewall state tables | SYN flood, ACK flood, Ping of Death, Smurf attack |
| Application | L7 | Web server / application | HTTP flood, Slowloris, RUDY, DNS query flood |
Volumetric Attacks
| Attack | How | Amplification Factor |
|---|---|---|
| UDP Flood | Send massive numbers of UDP packets to random ports → victim responds with ICMP unreachable | 1x (direct) |
| DNS Amplification | Spoof source IP → send small DNS queries to open resolvers → large responses go to the victim | 28-54x |
| NTP Amplification | Spoof source → send monlist requests to NTP servers → huge responses go to the victim | 556x |
| Memcached Amplification | Spoof source → query memcached servers → massive responses go to the victim | 51,000x |
| SSDP Amplification | Spoof source → query UPnP devices → amplified responses go to the victim | 30x |
| CLDAP Amplification | Spoof source → query LDAP servers → amplified responses go to the victim | 56-70x |
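A defender's first question when the table above applies is how to spot reflected amplification traffic in flow data before the pipe is full. The following is an added example, not code from the original article: it aggregates constructed NetFlow-style records by (destination, reflector service port) and flags destinations that receive large UDP responses from many distinct reflectors. The flow records, the thresholds and the `detect_reflection` function are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services abused as reflectors in the table above, keyed by service port.
# Reflected responses arrive at the victim with this port as the *source* port.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    389: "CLDAP",
    1900: "SSDP",
    11211: "Memcached",
}


@dataclass(frozen=True)
class Flow:
    """One simplified flow record (NetFlow/IPFIX style, fields reduced)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


# Constructed sample records, not real traffic. 192.0.2.10 is the victim: it
# receives large NTP and Memcached responses from several reflectors although
# it never sent the queries. 198.51.100.5 is an ordinary client.
SAMPLE_FLOWS = [
    Flow("203.0.113.11", 123, "192.0.2.10", 40001, "udp", 4000, 1_760_000),
    Flow("203.0.113.12", 123, "192.0.2.10", 40002, "udp", 4000, 1_760_000),
    Flow("203.0.113.13", 123, "192.0.2.10", 40003, "udp", 4000, 1_760_000),
    Flow("203.0.113.14", 123, "192.0.2.10", 40004, "udp", 4000, 1_760_000),
    Flow("203.0.113.15", 123, "192.0.2.10", 40005, "udp", 4000, 1_760_000),
    Flow("203.0.113.21", 11211, "192.0.2.10", 40006, "udp", 1000, 1_400_000),
    Flow("203.0.113.22", 11211, "192.0.2.10", 40007, "udp", 1000, 1_400_000),
    Flow("203.0.113.23", 11211, "192.0.2.10", 40008, "udp", 1000, 1_400_000),
    # Resolver answers to a client that actually asked: one source, small
    # packets, small volume. Must not be flagged.
    Flow("203.0.113.53", 53, "198.51.100.5", 51000, "udp", 100, 12_000),
    # TCP is outside this heuristic entirely.
    Flow("203.0.113.80", 80, "198.51.100.5", 51001, "tcp", 5000, 6_000_000),
]


def detect_reflection(flows, min_sources=3, min_bytes_per_packet=400,
                      min_total_bytes=1_000_000):
    """Flag (victim, service) pairs that look like reflection/amplification.

    Three signals visible in plain flow data are combined:
      * source port is a known reflector service port (the victim is on the
        receiving end of responses it never requested),
      * bytes per packet is high (amplified responses are large),
      * many distinct reflector sources converge on one destination.
    Returns alert dicts sorted by total bytes, largest first.
    """
    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        a = agg[(f.dst_ip, f.src_port)]
        a["sources"].add(f.src_ip)
        a["packets"] += f.packets
        a["bytes"] += f.bytes

    alerts = []
    for (victim, port), a in agg.items():
        bpp = a["bytes"] / a["packets"]
        if (len(a["sources"]) >= min_sources
                and bpp >= min_bytes_per_packet
                and a["bytes"] >= min_total_bytes):
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "sources": len(a["sources"]),
                "bytes": a["bytes"],
                "bytes_per_packet": round(bpp, 1),
            })
    return sorted(alerts, key=lambda x: x["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The signal that matters most is the source port: a host that never sent NTP or Memcached queries should not be receiving anything from port 123 or 11211, and reflected responses are far larger than the packets a normal client exchanges. The thresholds here only make the constructed sample split cleanly; on a real network they are tuned from a baseline, and the aggregation would run over a time window so that packets per second can be compared with link capacity.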
Protocol Attacks
| Attack | How | Impact |
|---|---|---|
| SYN Flood | Send millions of SYN packets (never completing the handshake) → fill the server's connection table | Server can't accept new connections |
| ACK Flood | Send ACK packets → firewall/server must process each one (stateful inspection) | Firewall state table exhaustion |
| RST Flood | Send RST packets to disrupt existing connections | Connection resets, service disruption |
| Fragmentation | Send fragmented packets that can't be reassembled → consume memory | Memory exhaustion on firewalls/servers |
Application Layer Attacks
| Attack | How | Difficulty to Detect |
|---|---|---|
| HTTP Flood | Send legitimate-looking HTTP requests at a high rate → exhaust the web server | Hard (looks like real traffic) |
| Slowloris | Open connections slowly → send partial headers → keep connections open indefinitely | Medium (few connections, big impact) |
| RUDY (R-U-Dead-Yet) | Send POST requests with a very slow body → tie up server threads | Medium |
| DNS Query Flood | Send massive numbers of DNS queries for random subdomains → exhaust the DNS server | Hard (legitimate protocol) |
| API Abuse | Flood expensive API endpoints (search, login, checkout) | Hard (looks like real API calls) |
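The HTTP flood and API abuse rows describe requests that are individually valid, so the first application-layer control is a per-client budget that charges expensive endpoints more than cheap ones. Below is an added example written for this page (not the article's code): a token-bucket rate limiter keyed by client IP with per-endpoint costs, run over a constructed request stream. The endpoint cost table, bucket size and refill rate are assumptions.

```python
from collections import defaultdict

# Cost per request by endpoint. Expensive operations (login, search, checkout,
# the "API abuse" row above) consume more tokens, so a bucket that allows 20
# page views allows only 4 login attempts in the same window. Assumed values.
ENDPOINT_COST = {
    ("POST", "/login"): 5,
    ("GET", "/search"): 4,
    ("POST", "/checkout"): 5,
}
DEFAULT_COST = 1


class TokenBucketLimiter:
    """Per-client token bucket: at most `capacity` tokens, refilled
    continuously at `refill_per_sec`. A request passes only if its cost fits."""

    def __init__(self, capacity=20.0, refill_per_sec=2.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets = {}  # client -> [tokens, last_seen_timestamp]

    def allow(self, client, cost, now):
        bucket = self._buckets.get(client)
        if bucket is None:
            bucket = [self.capacity, now]  # a new client starts with a full bucket
            self._buckets[client] = bucket
        tokens, last = bucket
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= cost:
            bucket[:] = [tokens - cost, now]
            return True
        bucket[:] = [tokens, now]  # denied requests do not consume tokens
        return False


def apply_limits(requests, limiter=None):
    """requests: iterable of (timestamp_s, client_ip, method, path).
    Returns {client_ip: {"allowed": n, "denied": n}} after replaying them in
    time order."""
    limiter = limiter or TokenBucketLimiter()
    summary = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, ip, method, path in sorted(requests, key=lambda r: r[0]):
        cost = ENDPOINT_COST.get((method, path), DEFAULT_COST)
        verdict = "allowed" if limiter.allow(ip, cost, ts) else "denied"
        summary[ip][verdict] += 1
    return dict(summary)


# Constructed request stream, not a real log. Timestamps are seconds from an
# arbitrary origin; whole and half seconds keep the arithmetic exact.
SAMPLE_REQUESTS = (
    # one browsing user: one page view per second
    [(float(i), "198.51.100.7", "GET", "/index.html") for i in range(10)]
    # one user running three searches in three seconds
    + [(float(i), "198.51.100.8", "GET", "/search") for i in range(3)]
    # credential-stuffing style burst: 30 POST /login in 15 s from one source
    + [(i * 0.5, "203.0.113.9", "POST", "/login") for i in range(30)]
)

if __name__ == "__main__":
    for ip, counts in apply_limits(SAMPLE_REQUESTS).items():
        print(ip, counts)
```

Two caveats a practitioner would add. Behind a CDN or load balancer the client key must come from a forwarded-for header that only the trusted proxy can set, otherwise every request is keyed on the proxy's own address. And a per-IP bucket complements rather than replaces the upstream volumetric defences covered elsewhere on this page: a large botnet can keep each source under any per-IP limit, which is where behavioral analysis and CAPTCHA challenges come in.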
Mitigation Techniques
| Technique | How | For |
|---|---|---|
| Blackhole Routing | Route attack traffic to null → drop all traffic to the victim IP | Last resort (drops good traffic too) |
| Rate Limiting | Limit requests per IP/subnet/session | Application layer attacks |
| SYN Cookies | Don't allocate state until the handshake completes → encode the state in the SYN-ACK | SYN floods |
| Anycast | Distribute traffic across global PoPs → absorb a volumetric attack across the whole network | Volumetric (distribute load) |
| WAF Rules | Block known attack patterns, rate limit by URL/method, CAPTCHA challenge | Application layer attacks |
| BGP Flowspec | Push filtering rules into network routers → drop traffic at the network edge | Volumetric (ISP-level filtering) |
| Scrubbing Center | Redirect traffic → clean it → forward only good traffic to the origin | All types (comprehensive) |
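The SYN cookie row states the idea: keep no half-open state for the SYN flood described earlier, and instead let the SYN-ACK itself carry what the server needs to rebuild the connection when the final ACK arrives. The following is an added, simplified implementation written for this page (not the Linux or BSD code, and not the article's): the cookie packs a coarse time counter, an MSS index and a keyed 24-bit hash of the 4-tuple into one 32-bit value, and validation recomputes the hash for the current and previous counter values. `MSS_TABLE`, `COUNTER_PERIOD` and the `StatelessListener` class are assumptions made for the example.

```python
import hashlib
import hmac
import os

# MSS values that fit the 3-bit field (at most 8 entries). Assumed table for
# this example; real stacks keep their own.
MSS_TABLE = [536, 1300, 1440, 1460]
COUNTER_PERIOD = 64  # seconds per counter tick; a cookie is accepted for the
                     # current tick and the previous one (roughly 1-2 minutes)


def _hash24(secret, src, dst, sport, dport, counter):
    """Keyed 24-bit hash binding the cookie to the 4-tuple and the tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, src, dst, sport, dport, mss, now):
    """Build the 32-bit sequence number sent in the SYN-ACK.
    Layout, high to low: 5 bits counter | 3 bits MSS index | 24 bits hash."""
    counter = int(now) // COUNTER_PERIOD
    m = 0
    for i, value in enumerate(MSS_TABLE):  # largest table entry <= client MSS
        if value <= mss:
            m = i
    return ((counter & 31) << 27) | (m << 24) | _hash24(secret, src, dst, sport, dport, counter)


def check_cookie(secret, src, dst, sport, dport, ack, now, max_age_ticks=1):
    """Validate the ACK number of the third handshake packet (cookie + 1).
    Returns the recovered MSS, or None if the cookie is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_bits, m, s = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
    if m >= len(MSS_TABLE):
        return None
    current = int(now) // COUNTER_PERIOD
    for age in range(max_age_ticks + 1):
        counter = current - age
        if (counter & 31) != t_bits:
            continue
        expected = _hash24(secret, src, dst, sport, dport, counter)
        if hmac.compare_digest(s.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[m]
    return None


class StatelessListener:
    """Server side of the handshake using cookies: nothing is stored between
    SYN and ACK, so a flood of SYNs from spoofed sources allocates nothing."""

    def __init__(self, addr, port, secret=None):
        self.addr, self.port = addr, port
        self.secret = secret or os.urandom(32)
        self.established = []  # only fully validated connections land here

    def on_syn(self, src, sport, mss, now):
        # Value for the SYN-ACK; no backlog entry is created for this peer.
        return make_cookie(self.secret, src, self.addr, sport, self.port, mss, now)

    def on_ack(self, src, sport, ack, now):
        mss = check_cookie(self.secret, src, self.addr, sport, self.port, ack, now)
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True


if __name__ == "__main__":
    server = StatelessListener("192.0.2.10", 443)
    # Constructed flood: 100,000 SYNs from spoofed sources that never ACK.
    for i in range(100_000):
        server.on_syn(f"203.0.113.{i % 250}", 1024 + (i % 60000), 1460, now=1000.0)
    print("connections after the flood:", len(server.established))
    # One real client completes its handshake 30 s later.
    isn = server.on_syn("198.51.100.7", 51234, 1460, now=1000.0)
    print("real client accepted:", server.on_ack("198.51.100.7", 51234, isn + 1, now=1030.0))
    print("established:", server.established)
```

The cost of statelessness is visible in the code: only the MSS survives the round trip (other TCP options negotiated in the SYN are lost), and the cookie is only as strong as the secret and the 24-bit hash, which is why real stacks rotate the secret and typically switch to cookies only once the SYN backlog is full.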
Scrubbing Centers / Cloud DDoS Protection
| Provider | Capacity | Method | Features |
|---|---|---|---|
| Cloudflare | 248+ Tbps | Anycast reverse proxy | Always-on, free tier, WAF, bot management |
| AWS Shield | Tbps+ | Inline (Shield Standard free) + Advanced | Auto-mitigate, SRT team, cost protection |
| Akamai Prolexic | 20+ Tbps | BGP redirect to scrubbing | SOC managed, hybrid (cloud + on-prem) |
| Imperva | 10+ Tbps | Anycast + scrubbing | L3-L7, WAF, bot protection, API security |
| Radware | 12+ Tbps | Hybrid (cloud + on-prem DefensePro) | Behavioral analysis, SSL protection |
DDoS Protection Architecture
| Layer | Protection | Tools |
|---|---|---|
| ISP/Network | BGP blackhole, Flowspec, upstream scrubbing | ISP DDoS service, BGP communities |
| Cloud Edge | Anycast absorption, global scrubbing | Cloudflare, AWS Shield, Akamai |
| Perimeter | On-prem DDoS appliance, firewall rate limiting | Radware DefensePro, Arbor TMS |
| Application | WAF, rate limiting, CAPTCHA, bot detection | Cloudflare WAF, AWS WAF, ModSecurity |
| DNS | Anycast DNS, DNS rate limiting, Response Rate Limiting (RRL) | Cloudflare DNS, Route 53, NS1 |
Closing thoughts: DDoS Protection = Multi-Layer Defense
- Categories: volumetric (flood bandwidth), protocol (exhaust state tables), application (exhaust servers)
- Volumetric: DNS amplification (54x), NTP (556x), Memcached (51,000x); needs Tbps-scale mitigation
- Protocol: SYN flood (connection table), ACK flood (firewall state); SYN cookies, rate limiting
- Application: HTTP flood, Slowloris, API abuse; WAF, rate limiting, CAPTCHA, behavioral analysis
- Mitigation: anycast (distribute), scrubbing (clean), BGP flowspec (ISP filter), WAF (L7), SYN cookies
- Providers: Cloudflare (248 Tbps), AWS Shield, Akamai Prolexic, Imperva, Radware
- Architecture: ISP (BGP) → cloud edge (anycast/scrubbing) → perimeter (appliance) → application (WAF) → DNS
- Key: no single device stops DDoS; you need cloud-scale protection plus multi-layer defense from the network up to the application