MTE Explains: How DDoS Protection Works

Over the years, distributed denial of service (DDoS) has been a highly reliable way of making sure that a hosted service (like a website or some service like the PlayStation Network) doesn’t see the light of day at least for a while.

The power that these attacks wield gets people curious about the mechanisms behind them, which is why we have taken the time to explain how they work and have even gone as far as thoroughly demonstrating how enormous some of these attacks can get, to the point that one of them can take out entire sectors of the Internet for millions of people. There is, however, a scant amount of public discussion about how the countermeasure (i.e. DDoS protection) works.

The Problem with Discussing DDoS Protection

The Internet is a massive array of networks connected across one giant, messy void. There are trillions of little packets traveling at nearly the speed of light everywhere around the world. To make sense of its disorienting and mysterious inner workings, the Internet is split into groups. These groups are often split into subgroups, and so on.

This actually makes the discussion about DDoS protection a bit complicated. The way a home computer protects itself from DDoS is both similar to and slightly different from the way a multi-million-dollar company’s data center does it. And we haven’t even reached internet service providers (ISPs) yet. There are just as many ways to classify DDoS protection as there are to classify the various different pieces that make up the Internet with its billions of connections, its clusters, its continental exchanges, and its subnets.

With all that being said, let’s try a surgical approach that touches on all of the relevant and important details of the matter.

The Principle Behind DDoS Protection

If you’re reading this without a clear knowledge of how DDoS works, I suggest you read the explanation I linked to earlier or else it may get a little overwhelming. There are two things you can do to an incoming packet: you can either ignore it or redirect it. You can’t just stop it from arriving because you have no control over the source of the packet. It’s here already and your software wants to know what to do with it.

This is a universal truth we all abide by, and it includes the ISPs that connect us to the Internet. It’s why so many attacks are successful: since you can’t control the source’s behavior, the source can send you enough packets to overwhelm your connection.

How Software and Routers (Home Systems) Do It

If you run a firewall on your computer or your router has one, you’re usually stuck following one basic principle: if DDoS traffic comes flying in, the software makes a list of IPs that are coming in with illegitimate traffic.

It does this by noticing when something sends you a bunch of garbage data or connection requests at an unnatural frequency, like more than fifty times per second. It then blocks all transactions coming from that source. By blocking them, your computer doesn’t have to spend extra resources interpreting the data contained inside. The message just doesn’t make it to its destination. If you are blocked by a computer’s firewall and try to connect to it, you’ll get a connection timeout because whatever you send is simply ignored.

This is one wonderful way to protect against single-IP denial of service (DoS) attacks since the attacker will see a connection timeout every time they check in to see whether their handiwork is making any progress. With a distributed denial of service, this works because all of the data coming from the attacking IPs will be ignored.

There’s a problem with this scheme.

In the world of the Internet, there’s no such thing as “passive blocking.” You need resources even when you ignore a packet coming towards you. If you’re using software, the point of attack stops at your computer but still goes through your router like a bullet through paper. That means your router is working tirelessly to route all the illegitimate packets in your direction.

If you’re using the router’s firewall, everything stops there. But that still means that your router is scanning the source of each packet and then iterating the list of blocked IPs to see whether it should be ignored or allowed through.

Now, imagine your router having to do what I just mentioned millions of times per second. Your router has a finite amount of processing power. Once it reaches that limit, it will have trouble prioritizing legitimate traffic, no matter what advanced methods it uses.
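The rate-based block list described above, as an added example that is not part of the original article: a sliding one-second window per source, the "more than fifty per second" rule, and a counter showing that every packet, blocked or not, still costs the firewall a lookup. The IP addresses and traffic mix are constructed sample data.

```python
from collections import defaultdict, deque

RATE_LIMIT = 50        # packets per source per window before it is blocked
WINDOW = 1.0           # window length in seconds


class RateBlockingFirewall:
    """Per-source rate detector with a block list (added example, not the article's code)."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # source -> arrival times inside the window
        self.blocked = set()               # sources whose packets are now ignored
        self.lookups = 0                   # work spent even on packets that are ignored

    def handle(self, src, t):
        """Return True if the packet is delivered, False if it is ignored."""
        self.lookups += 1                  # there is no "passive" blocking: a check happens every time
        if src in self.blocked:
            return False
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window:
            q.popleft()                    # forget arrivals older than the window
        if len(q) > self.limit:
            self.blocked.add(src)          # unnatural frequency: block the source from now on
            del self.recent[src]
            return False
        return True


def run(packets, limit=RATE_LIMIT, window=WINDOW):
    """Feed (source, timestamp) pairs through the firewall; return delivered counts, block list, lookups."""
    fw = RateBlockingFirewall(limit, window)
    delivered = defaultdict(int)
    for src, t in packets:
        if fw.handle(src, t):
            delivered[src] += 1
    return dict(delivered), fw.blocked, fw.lookups


# Constructed sample traffic: a legitimate client at 10 packets/s for two seconds
# and a flood source at 200 packets/s for the same two seconds.
SAMPLE = [("203.0.113.5", i / 10) for i in range(20)] + \
         [("198.51.100.9", i / 200) for i in range(400)]
SAMPLE.sort(key=lambda p: p[1])

if __name__ == "__main__":
    print(run(SAMPLE))
```

The flood source is blocked after its 51st packet inside one window, yet the firewall still performs a lookup for all 400 of its packets, which is the cost the paragraph above is describing.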

Let’s put all of this aside to discuss another issue. Assuming you have a magical router with an infinite amount of processing power, your ISP is still giving you a finite amount of bandwidth. Once that bandwidth cap is reached, you’ll struggle to accomplish even the simplest tasks on the Web.

So the ultimate solution to DDoS is to have an infinite amount of processing power and an infinite amount of bandwidth. If someone finds out how to accomplish that, we’re golden!

How Large Companies Handle Their Loads

The beauty of how companies handle DDoS lies in its elegance: they use their existing infrastructures to counter any threats that come their way. Usually, this is done either through a load balancer, a content distribution network (CDN), or a combination of both. Smaller websites and services might outsource this to a third party if they do not have the capital to maintain such an extensive array of servers.

With a CDN, a website’s content is copied to a large network of servers distributed across many geographical areas. This makes the website load quickly regardless of where you are in the world when you connect to it.

Load balancers supplement this by redistributing data and cataloging it in different servers, prioritizing traffic by the type of server best suited for the job. Lower-bandwidth servers with great hard drives can handle large amounts of small files. Servers with enormous bandwidth connections can handle the streaming of larger files. (Think “YouTube.”)

And Here’s How It Works

See where I’m going with this? If an attack lands on one server, the load balancer can keep track of the DDoS and let it continue hitting that server while redirecting all legitimate traffic elsewhere on the network. The idea here is to use a decentralized network to your advantage, allocating resources where they are needed so that the website or service can continue running while the attack is directed at a “decoy.” Pretty clever, eh?

Because the network is decentralized, it gains a significant edge over simple firewalls and whatever protection most routers can offer. The problem here is that you need a lot of cash to get your own operation started. While they’re growing, companies can rely on larger specialized providers to give them the protection they need.
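The "decoy" idea from this section, as an added example that is not part of the original article: a balancer that pins sources a detector has already flagged to one backend and steers everyone else to the remaining backends with a stable hash, so legitimate clients keep landing on the same healthy server. Backend names and addresses are constructed; how sources get flagged is assumed to happen elsewhere.

```python
import hashlib

BACKENDS = ["edge-a", "edge-b", "edge-c"]   # assumed backend names (constructed)


def pick(src, pool):
    """Stable hash-based choice so a client keeps landing on the same server."""
    h = int(hashlib.sha256(src.encode()).hexdigest(), 16)
    return pool[h % len(pool)]


class DecoyBalancer:
    """Load balancer that lets an attack keep hitting one server (added example, not the article's code)."""

    def __init__(self, backends=BACKENDS, flagged=frozenset()):
        self.backends = list(backends)
        self.flagged = set(flagged)       # sources a detector has marked as attack traffic
        self.decoy = None                 # backend currently absorbing the attack
        self.served = {b: 0 for b in self.backends}

    def route(self, src):
        if src in self.flagged:
            # The first flagged source decides which backend becomes the decoy;
            # every later flagged source is kept on that same backend.
            if self.decoy is None:
                self.decoy = pick(src, self.backends)
            target = self.decoy
        else:
            # Legitimate traffic is hashed over the healthy backends only.
            healthy = [b for b in self.backends if b != self.decoy]
            target = pick(src, healthy)
        self.served[target] += 1
        return target


def route_all(requests, flagged):
    """Route a list of source addresses; return (source, backend) pairs, the decoy, and per-backend counts."""
    lb = DecoyBalancer(flagged=flagged)
    targets = [(src, lb.route(src)) for src in requests]
    return targets, lb.decoy, lb.served


# Constructed sample: one flagged source interleaved with two legitimate clients.
SAMPLE_REQUESTS = ["198.51.100.9", "203.0.113.5", "203.0.113.7",
                   "198.51.100.9", "203.0.113.5"] * 3
FLAGGED = {"198.51.100.9"}

if __name__ == "__main__":
    print(route_all(SAMPLE_REQUESTS, FLAGGED))
```

Legitimate clients that were hashed onto the future decoy before the attack was flagged are moved once the decoy is chosen; that one-time reshuffle is the price of keeping the attack on a single server.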

How the Behemoths Do It

We’ve toured small home networks and even ventured into the realm of mega corporations. It’s time now to tread into the final stage of this quest: we’re going to look at how the very companies that give you an Internet connection protect themselves from falling into a dark abyss. This is about to get a little complicated, but I’ll try to be as concise as I can without a drool-inducing thesis on various DDoS protection methods.

ISPs have their own unique ways of handling traffic fluctuations. Most DDoS attacks barely register on their radars since they have access to a nearly unlimited amount of bandwidth. Their daily traffic at 7-11 PM (a.k.a. the “Internet Rush Hour”) reaches levels that far exceed the bandwidth you’d get from an average DDoS stream.

Of course, since this is the Internet we’re talking about, there are (and have often been) occasions where the traffic becomes something much more than a blip on the radar.

These attacks come in with gale-force winds and attempt to overwhelm the infrastructure of smaller ISPs. When your provider raises its eyebrows, it quickly reaches for the arsenal of tools at its disposal to combat the threat. Remember, these guys have enormous infrastructures at their disposal, so there are many ways this can go down. Here are the most common ones:

  • Remotely Triggered Black Hole – It sounds a lot like something out of a sci-fi film, but RTBH is a real thing documented by Cisco. There are many ways to do this, but I’ll give you the “quick and dirty” version: an ISP will communicate with the network the attack is coming from and tell it to drop all outgoing traffic headed in the ISP’s direction. It is easier to block traffic on its way out than it is to block incoming packets. Sure, everything on the target ISP will now appear to be offline to the people connecting in from the source of the attack, but it gets the job done and doesn’t require a lot of hassle. The rest of the world’s traffic remains unaffected.
  • Scrubbers – Some very large ISPs have data centers full of processing equipment that can analyze traffic patterns to sort legitimate traffic from DDoS traffic. Since this requires a lot of computing power and an established infrastructure, smaller ISPs will often outsource the job to another company. The traffic on the affected sector passes through a filter; most DDoS packets are blocked while legitimate traffic is allowed through. This ensures the normal operation of the ISP at the cost of massive amounts of computing power.
  • Some traffic voodoo – Using a method known as “traffic shaping,” the ISP will simply funnel everything the DDoS attack brings with it into its destination IP while leaving all other nodes alone. This basically throws the victim under the bus to save the rest of the network. It’s a very ugly solution and often the last one an ISP will use, reserved for when the network is in a serious crisis and needs swift, decisive action to ensure the survival of the whole. Think of it as a “the needs of the many outweigh the needs of the few” scenario.

The problem with DDoS is that its effectiveness goes hand in hand with advancements in computer power and bandwidth availability. To really fight this threat, we have to use advanced network modification methods that far surpass the capabilities of the average home user. It’s probably a good thing that households aren’t often direct targets of DDoS!

By the way, if you want to see where these attacks are happening in real time, check out the Digital Attack Map.

Have you ever fallen victim to these kinds of attacks at your home or at your workplace? Tell us your story in a comment!

Miguel Leiva-Gomez

Miguel has been a business growth and technology expert for more than a decade and has written software for even longer. From his little castle in Romania, he presents cold and analytical perspectives to things that affect the tech world.
