Since a DDoS attack is, at bottom, just a surge in load, it can be contained by the same means as a large influx of legitimate visitors:
Horizontal scaling. Make your systems horizontally scalable whenever possible. This means that if two servers usually serve your clients, then under load you can bring up ten servers in a couple of minutes. Or 100! To do this, it is usually enough to keep no state on the application servers and to provide load balancing across any number of machines. With cloud services you get the additional resources almost instantly, with no need to buy and configure extra hardware.
Reserve resources. Along with scaling, you can also keep a server reserve: several machines that are always ready to work and can be added at any time to the pool of servers the balancer sends traffic to. Usually, redundancy is used to cope with failures, but when traffic surges (whether legitimate or malicious), you can always bring the reserves into play.
Asynchronous tasks. Use asynchronous tasks wherever possible. Not every action in the system needs to return a result instantly. Let the most resource-intensive operations run in the background; the user can always be notified about updates using push notifications or web sockets. The asynchronous workers also need to be horizontally scalable, so that you can quickly go from 10 running copies to 1,000.
DBMS optimization. The database is usually the bottleneck. Almost all system components read from and write to databases, so a failure at the database level means a guaranteed system crash. Horizontal scaling does not work as simply for databases: you cannot quickly go from 10 servers to 1,000. Therefore, plan the replication, sharding, and clustering of your DBMS in advance, or use cloud databases with scaling already configured. A caching layer between the application and the database is also worthwhile, so that clients do not request the same data from the database 100 times.
Filtering Extra Traffic
The ability to reliably distinguish malicious traffic from legitimate traffic is one of the cheapest ways to protect your site from DDoS attacks:
- Disable all unnecessary services on the servers, and close all unnecessary ports with a firewall. Feel free to drop ping requests: DDoS attacks are sometimes organized over ICMP, among other protocols. Set strict rules for which packets you expect, from where, and on which protocol. Shut down unneeded UDP and TCP listeners.
- Give yourself the ability to monitor and block suspicious network activity using firewalls and OS tools.
- At the application level, you also need protection against malicious requests. Block clients that send too many requests to the server; the average user will not send 1,000 requests per second.
- Make life difficult for attackers: hard-to-forge cookies, cryptographic signatures on server requests, encryption. All of this stops an attacker from hitting you head-on. Become a tough nut to crack, and some low-skilled attackers will give up on you.
- Constantly monitor for suspicious activity. Ten thousand clients registered in an hour from one IP? Persistent activity at 4 am? Users continually asking for the same information? Write it down, investigate, and take action.
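As an added example (not code from the original article), the following Python replays a constructed request log through a per-IP sliding-window limiter: it enforces a per-second request cap, as the "too many requests" point above describes, and separately flags the "many registrations from one IP in an hour" pattern from the last point for investigation rather than blocking it outright. The thresholds (100 requests/s, 50 sign-ups/hour), IP addresses and paths are assumed sample values.

```python
from collections import defaultdict, deque

# Constructed sample log (not real traffic): (timestamp_ms, client_ip, path).
SAMPLE_LOG = (
    [(1_000_000 + i, "203.0.113.7", "/api/search") for i in range(1500)]        # 1500 req/s burst
    + [(1_000_000 + i * 500, "198.51.100.4", "/api/search") for i in range(20)]  # 2 req/s, normal user
    + [(2_000_000 + i * 1000, "203.0.113.9", "/register") for i in range(120)]   # 120 sign-ups in 2 min
)


class SlidingWindowLimiter:
    """Per-key sliding window: allow at most `limit` events in any `window_ms` span."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.events = defaultdict(deque)  # key -> timestamps of recently allowed events

    def allow(self, key, now_ms):
        q = self.events[key]
        while q and now_ms - q[0] > self.window_ms:  # drop events that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True


def evaluate(log, rps_limit=100, registrations_per_hour=50):
    """Replay the log in time order. Returns ({ip: blocked_count}, {ips flagged for review})."""
    per_second = SlidingWindowLimiter(rps_limit, 1_000)                  # assumed: 100 req/s per IP
    per_hour = SlidingWindowLimiter(registrations_per_hour, 3_600_000)   # assumed: 50 sign-ups/h per IP
    blocked, flagged = defaultdict(int), set()
    for ts, ip, path in sorted(log):
        if not per_second.allow(ip, ts):
            blocked[ip] += 1          # request would be rejected (e.g. HTTP 429) at the edge
            continue
        if path == "/register" and not per_hour.allow(ip, ts):
            flagged.add(ip)           # not blocked outright: logged for a human to investigate
    return dict(blocked), flagged


if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))  # ({'203.0.113.7': 1300}, {'203.0.113.9'})
```

The normal user never trips either limit, the burst client is blocked once it exceeds 100 requests in any one-second window (and again after the window slides), and the registration source is flagged on its 51st sign-up within the hour.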