
I'm currently working on a project that builds a defense system against HTTP GET Flooding attacks. When DDoS attacks occur, traffic volume to a server suddenly increases to far more than the normal range. However, because the detection process takes time, the defense system cannot immediately mitigate the attacks. So I suppose that before the detection process finds out the attackers' IP addresses, my defense system needs a mechanism to randomly block flows to the server to avoid overloading the server's resources.

Can my randomly blocking approach be effective? Is there any other way to mitigate DDoS attacks during the detection period?

Sarah G.
  • Random blocking just denies your service to legitimate users. What do you mean by building a defense system? Have you looked at Cloudflare? – iainpb Jun 12 '17 at 15:32
  • I actually integrated a hardware-based defense mechanism into an OpenFlow switch of an SDN system so that it can detect and mitigate HTTP GET Flooding attacks. However, I have never used Cloudflare. Can you suggest some ideas to solve my problem? – Sarah G. Jun 12 '17 at 15:56
  • Cloudflare offers DDoS protection and has been known to absorb attacks of up to 400 Gbps. They are certainly an option worth considering. https://www.cloudflare.com/ddos/under-attack/ The key thing is that traffic is routed through Cloudflare first, so it can stop the high traffic from ever hitting your server. – iainpb Jun 12 '17 at 15:59
  • Mitigating DDoS attacks is not often a simple job. There's a reason that some of the largest CDNs, hosting, hardware, software, and network vendors are all very active in that space. It takes some large-scale capacity to keep the traffic away, to scrub it *before* it reaches me, ... I don't care about catching 15 thousand compromised security cameras, – quadruplebucky Jun 12 '17 at 18:43
  • @iain : Do you know how Cloudflare detects and mitigates HTTP GET Flooding? How do they differentiate normal and abnormal traffic? I'd like to learn how their countermeasure works. – Sarah G. Jun 13 '17 at 03:14
  • This is a good question, but rather than have it get lost in the comments, I'd suggest you post it as a new question where someone with the appropriate expertise will see it. – iainpb Jun 13 '17 at 08:11

1 Answer


DDoS is a synchronous attack from many points. So there is no such thing as "finding the attacker's address and stopping them".

If the attack appears to be hijacked IoT (e.g. the Mirai botnet), you still have a little chance to deny those IPs, e.g. send a little script to make sure it is an authentic browser response, e.g. get a canvas or browser plugin. Mark and drop the IP if there is no response. However, this method is useless if the attacking nodes are overwhelming your server capacity.

So the only mitigation is some sort of ISP service, e.g. a Content Delivery Network (CDN), so massive traffic doesn't hit your server directly. A CDN that promises DDoS countermeasures (which can make use of SDN/firewall/etc.) will implement the process stated above.

mootmoot
  • Thank you for your answer. I might not fully understand how DDoS attacks affect servers in real-world networks. As you said, a CDN provides the countermeasure against DDoS attacks. Is there any other way to defend? Do you know about SDN-based methods to detect and mitigate DDoS attacks? – Sarah G. Jun 13 '17 at 03:09
  • @Peter : Please post a new question, e.g. "How can SDN/OpenFlow be used to mitigate DDoS attacks?" – mootmoot Jun 13 '17 at 07:43
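The "send a little script, mark and drop the IP if there is no response" step from the answer, as an added Python sketch that is not part of the original post or of any vendor's product: the server hands each source an HMAC-bound challenge token, lets requests through only once the token is echoed back, and drops sources that keep requesting without ever answering. The gate, the thresholds and the addresses are constructed for illustration; the `SECRET`, `ChallengeGate` and `simulate` names are hypothetical.

```python
import hmac, hashlib, secrets
from typing import Dict, List, Optional, Set, Tuple
SECRET = secrets.token_bytes(32)   # per-process key; rotate it in a real deployment
CHALLENGE_TTL = 60                 # seconds a challenge token stays valid
MAX_UNANSWERED = 5                 # challenges a source may ignore before it is dropped

def _mac(ip: str, issued: int) -> str:
    return hmac.new(SECRET, f"{ip}|{issued}".encode(), hashlib.sha256).hexdigest()

def make_challenge(ip: str, now: float) -> str:
    issued = int(now)                      # token is bound to source IP and issue time
    return f"{issued}|{_mac(ip, issued)}"

def verify_challenge(ip: str, token: str, now: float) -> bool:
    """True only for an unexpired token that was issued to this same IP."""
    try:
        issued_s, mac = token.split("|", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    if issued > now + 1 or now - issued > CHALLENGE_TTL:
        return False
    return hmac.compare_digest(_mac(ip, issued), mac)

class ChallengeGate:
    """Per-request verdict: 'pass', 'challenge' (token returned) or 'drop'."""
    def __init__(self) -> None:
        self.unanswered: Dict[str, int] = {}   # ip -> challenges sent without a valid reply
        self.dropped: Set[str] = set()

    def handle(self, ip: str, token: Optional[str], now: float) -> Tuple[str, Optional[str]]:
        if ip in self.dropped:
            return "drop", None
        if token is not None and verify_challenge(ip, token, now):
            self.unanswered.pop(ip, None)        # answered: clear the strike count
            return "pass", None
        strikes = self.unanswered.get(ip, 0) + 1
        self.unanswered[ip] = strikes
        if strikes > MAX_UNANSWERED:
            self.dropped.add(ip)                 # mark and drop, as the answer describes
            return "drop", None
        return "challenge", make_challenge(ip, now)

def simulate() -> Dict[str, object]:
    """Constructed traffic: one browser that echoes the token, one bot that never does."""
    gate, t = ChallengeGate(), 1_000_000.0
    first, tok = gate.handle("203.0.113.10", None, t)       # browser gets a challenge
    second, _ = gate.handle("203.0.113.10", tok, t + 2)     # ...and passes on echo
    bot = [gate.handle("198.51.100.7", None, t + i)[0] for i in range(8)]
    return {"browser": (first, second), "bot": bot}
```

As the answer notes, this only helps while issuing and checking the challenges themselves stays within the server's capacity; against a flood that already saturates it, the filtering has to happen upstream.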