---
title: How to prevent DDoS attacks
pcx_content_type: learning-unit
weight: 2
layout: learning-unit
---
Since DDoS attacks target your web servers, the way to prevent them is to reduce the number of requests that reach those servers.
```mermaid
flowchart TD;
A[Malicious device]-->|Request to application|CDN;
CDN -->|Sends remaining requests|Origin;
subgraph CDN
WAF
Cache
end
A --Prevent external connections---x Origin
```
Requests can reach your origin server in two ways: through your web application, or through direct connections to the server itself.
A cache stores copies of frequently accessed resources (images, CSS files).
When a resource is cached, either in a user's browser or on a Content Delivery Network (CDN) server, requests for that resource do not have to go to your origin server. Instead, the cache serves the resource directly.
In the context of DDoS attacks, caching reduces the number of requests going to your origin server, which makes it harder for your server to get overwhelmed by traffic.
A Web Application Firewall (WAF) creates a shield between a web app and the Internet. This shield checks incoming web requests and filters undesired traffic to help mitigate many common attacks.
```mermaid
flowchart TD;
User-->|Sends Request|WAF;
WAF-->|Filters Request|Application;
Application-->|Sends Request|OriginServer;
OriginServer-->|Serves Content|Application;
Application-->|Serves Content|User;
```
Generally, your origin server should only accept requests coming from your web application.
This is a general best practice for security, but especially important in the context of DDoS attacks. Any traffic that bypasses your web application will also bypass any WAF or caching and has a stronger chance of overwhelming your origin.
```mermaid
sequenceDiagram
participant Client
participant DDoS_Protection_Service
participant Origin_Server
Client->>+DDoS_Protection_Service: Request
Note right of DDoS_Protection_Service: Filtered traffic
DDoS_Protection_Service->>+Origin_Server: Request
Origin_Server-->>-DDoS_Protection_Service: Response
DDoS_Protection_Service-->>Client: Response
Client->>+Origin_Server: Direct connection
Note over Origin_Server: Potential DDoS Attack
Origin_Server-->>-Client: Error response
```
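The three mechanisms described above (caching, WAF-style filtering at the edge, and an origin that only accepts connections from the CDN) can be seen working together in a small simulation. This is an added example, not code from the original page or from any CDN vendor; the CDN egress range, the edge address, the rate limit and the sample traffic are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed values: a hypothetical CDN egress range the origin trusts, the address the edge uses toward the origin, and a per-client request cap for the window.
CDN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
EDGE_IP = "198.51.100.10"
RATE_LIMIT = 3

class Origin:  # answers only requests that arrive from the CDN range
    def __init__(self):
        self.hits = 0             # requests that actually reached the origin
        self.rejected_direct = 0  # direct connections refused by the allowlist
    def handle(self, src_ip, path):
        if not any(ipaddress.ip_address(src_ip) in net for net in CDN_EGRESS):
            self.rejected_direct += 1
            return 403, None
        self.hits += 1
        return 200, f"content-of-{path}"

class Edge:  # CDN edge in front of the origin: rate limit first, then cache
    def __init__(self, origin):
        self.origin = origin
        self.cache = {}        # path -> cached body
        self.seen = Counter()  # requests per client in the current window
        self.stats = Counter()
    def handle(self, client_ip, path):
        self.seen[client_ip] += 1
        if self.seen[client_ip] > RATE_LIMIT:  # crude WAF-style flood control
            self.stats["rate_limited"] += 1
            return 429, None
        if path in self.cache:                 # served without touching the origin
            self.stats["cache_hit"] += 1
            return 200, self.cache[path]
        status, body = self.origin.handle(EDGE_IP, path)
        if status == 200:
            self.cache[path] = body
        self.stats["origin_fetch"] += 1
        return status, body

def simulate(requests):
    """requests: (client_ip, path, via_cdn) tuples -> (edge stats, origin hits, refused directs)."""
    origin = Origin()
    edge = Edge(origin)
    for client_ip, path, via_cdn in requests:
        target = edge if via_cdn else origin   # a direct connection bypasses cache and WAF
        target.handle(client_ip, path)
    return dict(edge.stats), origin.hits, origin.rejected_direct

# Constructed traffic: one normal client, one flooder via the CDN, one connecting to the origin directly.
SAMPLE = ([("203.0.113.5", "/index.html", True), ("203.0.113.5", "/logo.png", True)]
          + [("203.0.113.99", "/index.html", True)] * 10
          + [("203.0.113.77", "/index.html", False)] * 5)
```

Running `simulate(SAMPLE)` shows that only the two first-time fetches reach the origin; the flooder is served from cache until the rate limit trips, and every direct connection is refused by the allowlist.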