DDoS Defense — Reference.

Volumetric attacks (L3/L4)

• UDP flood / generic packet flood. Saturate ingress bandwidth. Modern record peaks: 3.8 Tbps (Cloudflare, 2024). No origin-side mitigation possible above your transit capacity.
• Reflection / amplification. Attacker spoofs victim source IP, queries a UDP service that responds with larger payload.
  • DNS (amp factor ~28×) — mitigated by closing open resolvers.
  • NTP monlist (~556×) — patched but legacy still exposed.
  • memcached (~51,000×) — used in 1.3 Tbps GitHub 2018; should never be internet-exposed.
  • CLDAP (~70×), SNMP (~6×), SSDP (~30×).
• Mitigation.
  • Anycast network. Attack traffic distributed across N edge sites.
  • Upstream scrubbing — provider absorbs and drops; clean traffic forwarded.
  • BGP Flowspec for ISP-level filtering.
  • RTBH (Remote-Triggered Blackhole) — last-resort, drops everything to victim IP.
  • BCP 38 / ingress filtering at ISP level — prevents spoofed source IPs leaving the network. Slow rollout industry-wide.

Protocol-layer attacks (L4)

• SYN flood. Half-open connections fill the queue. Mitigation: SYN cookies (Linux net.ipv4.tcp_syncookies=1) — stateless until ACK. SYN proxy at the edge that completes handshake then proxies. Increase tcp_max_syn_backlog + somaxconn.
• ACK flood. Bypasses SYN-cookie defenses by sending ACKs against non-existent connections. Mitigation: rate-limit at edge, stateful firewall drops.
• Slow-Loris / Slowread. Open many connections, send headers one byte at a time, or read response one byte per second. Mitigation: client-rate timeouts, max-headers-time, per-connection memory caps. nginx client_body_timeout / client_header_timeout tight (10s).
• R-U-Dead-Yet (RUDY). Long-form POST with very slow body. Mitigation: max-POST-size, body-timeout.
• TCP state exhaustion. Botnets establish many real-looking connections. Mitigation: per-IP connection limit, GeoIP filtering, captcha challenge on suspicious source.

Application-layer attacks (L7)

• HTTP flood. Many GET/POST. Structurally legitimate. Mitigation: per-IP rate limit, anomaly detection on User-Agent / JA3 / referer distribution. JavaScript challenge / proof-of-work / captcha.
• Cache-buster. Random query string on every request defeats CDN cache. Mitigation: normalize query string, rate-limit unique-cache-key creation per IP.
• Slowpost on expensive endpoints. Search, report-generation endpoints chosen because each request burns CPU. Mitigation: per-endpoint per-IP rate, async queue with backpressure, lower priority for unauthenticated.
• Login endpoint flood. Credential-stuffing or burn capacity. Mitigation: progressive captcha, account-lockout, IP-reputation rate adjustment.
• HTTP/2 Rapid Reset (CVE-2023-44487). RST_STREAM after request creates extreme amplification. Mitigation: implement rate limit on stream resets at server.

Per-endpoint rate logic — design

• Tiered rates. Anonymous < authenticated < trusted partner. Different limits per identity tier.
• Cost-weighted. Cheap endpoints high rate; expensive (search, export, ML inference) low rate.
• Sliding window. Token-bucket (smooth) or fixed-window-with-rollover. Avoid hard fixed windows (attackers hit at second 0 of each window).
• Identity for rate. IP (cheap, easy to evade with botnet), user (better, requires auth), browser-fingerprint (defeats simple rotation).
• Challenge before block. Rate near threshold → JS challenge / captcha → only block after challenge fails.

Build vs buy

• Volumetric defense is buy. You don't have Tbps of transit. Cloudflare, AWS Shield Advanced, Akamai Prolexic, Imperva, NETSCOUT Arbor.
• L4 defense is mixed. Edge appliance + provider — both layers.
• L7 defense is build with components. WAF + rate-limit at edge + application-aware throttle in app + alerting on anomaly. CDN provides defaults; tuning per app is on you.