If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Effective Ways to Repel DDoS Attacks at L3/L4 Level

Started by Лара, Aug 29, 2022, 07:33 AM


Лара (Topic starter)

The DDoS protection market and the technologies used to protect against attacks by operators are still largely closed, but I have learned a lot about it while maintaining sites and internet webservices under continuous attacks for several years.



DDoS attacks appeared around the same time as the internet, but they became a massive phenomenon in the late 2000s. Since 2016-2017, almost all web hosting providers, along with most competitive websites, have come under protection from DDoS attacks. While 10-20 years ago, most server attacks could be repelled on the server itself, the process has become much more complicated now.

In terms of choosing a protection operator, there are two types of DDoS attacks - those at the L3/L4 level (UDP flood, DNS/NTP/etc amplification, SYN/ACK flood, packet fragmentation attacks, ping of death, ping flood, etc.) and those at L7 (application layer). The goal of L7 attacks is to make the server work hard and leave it without resources for real requests. Although there are other types of attacks, these are the most common ones.

There are many companies that deal equally well with SYN/ACK flooding and amplification. However, problems arise with attacks from the L7 level. Many companies do not offer protection at this level or are weaker than their alternatives. The DDoS protection market is divided into two categories - L3/L4 protection and L7 protection. Wide channels are enough to repel attacks with amplification, while equipment or software systems are required to detect and cut off other attacks like SYN/ACK flood and packet fragmentation. There are many companies that produce such equipment and software solutions, and many backbone operators have already installed them, selling DDoS protection services.

All well-known players are capable of more or less effectively repelling L3/L4 DDoS attacks, but the question is how well they can do it. Blocking traffic from countries with the most harmful traffic or discarding unnecessary traffic can be effective measures against amplification attacks. Some operators offer a separate service for protection against attacks at the L3/L4 level, which is much cheaper than full protection.

L7 attacks at the application layer can hit units consistently and efficiently. Qrator.net is the "king of the hill" when it comes to L7 protection, with the percentage of false positives close to zero, but their service is several times more expensive than other market players. Other operators such as DDoS-Guard and G-Core Labs also offer high-quality and stable protection.

CloudFlare is a multi-billion dollar company with a DDoS protection service that is widely recognized. Repelling attacks at the L7 level is difficult because all applications are unique, and harmful traffic must be blocked while useful traffic must be allowed. There are many levels of traffic cleaning involved, and specialized equipment, special software, and additional filtering settings for each client are necessary for channel protection.


BrettUK

The idea that blocking is a more accurate method than an IP address is a myth, as in the general case it does not work and may even increase response time to an attack, contrary to popular belief.

It is only feasible in simple cases when the bot does not use a browser. In IPv4, let alone IPv6, blocking with such precision only leads to problems for users in isolated cases. A more helpful and appropriate solution would be to address these issues as they arise.

ufobm

A significant number of clients have User-Agent equivalents to the current version of Chrome, making it difficult to identify bots that use the same browser or pretend to do so.

Iterating over User-Agents to generate tickets can cause memory overload or block all new tickets with IP addresses. Behavior-based analysis requires a history of behavior rather than just a single request.

Attempting to ban bots with less accuracy than an IP address may result in the bot imitating a crowd of users, sending their first requests, which could lead to memory exhaustion or blocking the entire IP address.

Simple filtering options will cut off the "first request from bot" only if the bot is not similar to a browser. The option does not work for most browser bots and is not considered to be an advanced solution.

lazy1boy

Arbor Networks dominates the global market for preventing DDoS attacks in terms of revenue, with a share of over 55%, significantly surpassing other players.

Radware holds the second position in this market. The acquisition of Prolexic by Akamai and the launch of Arbor's protection services based on hybrid cloud technology are expected to further fuel market growth, according to analysts.

The emergence of integrated DDoS protection solutions from manufacturers, such as firewalls and routers, could affect the DDoS attack prevention system market, limiting options for cheap user solutions intended for internal enterprise use and small to medium-sized business networks owned by hosting providers.

jyotisharma

Distributed Denial of Service (DDoS) attacks represent one of the most dangerous forms of cyber threats facing organizations today. A successful DDoS attack can cause significant disruptions to an organization's online operations, costing potentially large amounts of both time and money.

L3 and L4, referring to Layers 3 and 4 of the OSI model, denote the Network and Transport layers, respectively. In DDoS context, attacks at these layers consist of flooding the target with unwanted traffic, often from compromised systems, with the goal of disrupting service availability.

There are several effective ways to repel or mitigate DDoS attacks at L3/L4 level:

Traffic Engineering: You can shape and control traffic flows across your network and into your infrastructure to ensure smooth and secure operations. This may include adjusting route advertisements and peering relations in a way that reduces exposure to attack.

Access Control Lists (ACLs): These are essentially rule-based filters which you can use on your router. The principles of ACLs allow legitimate traffic to pass while blocking malicious traffic.

Rate Limiting: Implement per-client connection and request rate limiting. With rate limits, the server can only accept a certain number of requests per client over a specific amount of time.

Anomaly Detection: Implement anomaly-based detection methods that can help identify abnormal behavior in traffic.

Blackhole Routing: This is an effective but somewhat drastic method of dealing with DDoS attacks. The approach involves discarding all incoming traffic at the edge router instead of forwarding it to the target server.

Upstream Filtering: Many service providers offer upstream filtering services, which work by filtering out DDoS-related traffic before it reaches the target network or server.

Scrubbing Services: These are specialized third-party services that scrutinize the traffic to your network, removing the malicious DDoS packets and only allowing the legitimate ones to reach your target.

Employ CDN Services: Content Delivery Networks (CDN) have a wide geographical distribution of data centers. They can absorb the DDoS traffic and ensure the website/application remains available to the user.

Network Hardware: Use professional-grade network hardware capable of handling high levels of network traffic and that often come with built-in security measures.

Intrusion Prevention Systems (IPS): These monitor network traffic for signs of a potential attack. When they detect potentially malicious activity, IPS systems can take action to stop the attack.


Strategies and best practices to optimize your DDoS protection:

1. DDoS Protection System (DPS): This is a cloud-based solution that can identify and absorb huge volumes of DDoS traffic, while letting authorized traffic through. Most DPS solutions also incorporate AI and ML elements that allow the system to 'learn' about your traffic pattern to quickly identify and mitigate any threats.

2. Maintain Redundancy: Keep important data and services spread across multiple geographical locations and service providers where possible. This approach can make you less vulnerable to a DDoS attack by dispersing the traffic and making your overall system more resilient.

3. Encryption & VPNs: Employing encryption can add an additional level of security to your defenses. Also, using a Virtual Private Network (VPN) can help hide your actual IP address, which could be beneficial in reducing the volume of direct malicious traffic.

4. Regular Audits and Testing: Regular audits of your IT infrastructure can identify potential weaknesses, helping you stay ahead of potential vulnerabilities. Conducting DDoS test drills can also help you find out the points of failures and improve your incident response strategies.

5. Cooperation with Internet Service Providers (ISPs): Regular dialogue with your ISP can be beneficial. They can provide insights into unusual traffic patterns and may have additional services to help thwart DDoS attacks.

6. Sinkholing: This technique diverts the traffic into a 'sinkhole' where the traffic is not responded to. By doing so, the attack traffic is removed from the normal traffic, improving overall network performance.

7. Use Machine Learning Capabilities: With machine learning, systems can 'intelligently' learn from previous traffic patterns to more accurately identify and segregate malicious traffic from normal traffic.

8. Always-On DDoS Protection: For companies that face frequent DDoS attacks, it's worth considering an always-on protection strategy. This approach involves constant monitoring and mitigation, reducing your network's exposure to DDoS attacks.

9. Create a DDoS Response Playbook: Organize your team so everyone knows what to do in case of an attack. This should include your ISP, hosting provider, local authorities if necessary, and everyone else whom the attack impacts.

10. Training & Awareness: Finally, make sure your employees are trained on your systems and the risk of DDoS attacks. The human element is often one of the weakest points in online operations, so ensure all users are made aware of what they should and shouldn't do.


There are several more exhaustive and technical methods for dealing with DDoS attacks at L3/L4 level that organizations can consider:

1. SYN Cookies: This method is used to protect against SYN flood attacks. When the server receives a SYN packet, it responds back with a SYN-ACK packet but it doesn't allocate resources. It will only allocate resources when it receives ACK response from the client. This reduces the chance of resource exhaustion.

2. Anycast Network Architecture: This allows the same IP address to be allocated to multiple, geographically dispersed locations. Traffic can be distributed among these locations using the nearest (from a network perspective) or fastest server. In a DDoS situation, the attack traffic is then absorbed and spread across multiple points reducing the impact on any single point.

3. Deep Packet Inspection (DPI): While this method requires significant processing power, it's one of the most effective ways of detecting and eliminating DDoS packets. DPI involves inspecting the data part of network traffic, and not just headers, allowing for more thorough filtering.

4. Incremental Deployment of Defenses: This strategy involves deploying a range of different defenses at different points within your infrastructure – at the edge, near the target, and at the target itself. This layered approach can help defuse a DDoS attack and minimize its impact.

5. Hybrid DDoS Protection: This approach combines the scalability of cloud-based mitigation with the immediate response of an on-premise solution. It's particularly effective in dealing with volumetric attacks that completely saturate a network's bandwidth.

6. Software-Defined Networking (SDN): SDN can help counter DDoS attacks by routing benign traffic via less congested overprovisioned alternate routes, ensuring the legitimate traffic can pass.

7. Application of Game Theory: Game theory can provide a basis for decision-making when setting up defenses to counter DDoS attacks, on the basis of expected payoff (security), and pricing models for optimal distribution of protection resources.

Also, organizations can take preventive measures such as:

1. Regular Analysis of Traffic: By analyzing network traffic regularly, organizations can identify the baseline or normal state of traffic. This could give early indications of an attack when the network experiences large spikes.

2. White Listing: This is a process to permit communications only with trusted entities. This approach can help in managing and keeping the traffic clean.

3. Keep Infrastructure Updated: Keeping all software, systems, and infrastructure updated can help improve overall security and make it more difficult for attackers to take advantage of known vulnerabilities.

4. Backup and Recovery Plan: Last but not least, organizations should have a backup and recovery plan to restore systems in case of a successful attack. Recovery from backups should be tested regularly to ensure the plans are effective.
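The SYN cookie mechanism described in item 1 of the "more exhaustive and technical methods" list, as an added example that is not from the post or from any product mentioned in the thread: the server encodes a time counter, an MSS index and a keyed hash of the 4-tuple plus client ISN into the SYN-ACK sequence number, stores nothing, and allocates connection state only when the returned ACK carries a cookie that still verifies. The secret, addresses, ports and timestamps are constructed for the demo; the layout (5-bit counter, 3-bit MSS index, 24-bit hash) follows the well-known Linux scheme but is a simplified assumption, not a copy of any kernel code.

```python
import hmac
import hashlib
import struct

# Constructed demo secret; a real server keeps this private and rotates it.
SECRET = b"constructed-demo-secret-do-not-reuse"
# Small MSS table: the cookie has only 3 bits for an index into it.
MSS_TABLE = [536, 1300, 1440, 1460]

def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count):
    """Keyed hash binding the cookie to the 4-tuple, client ISN and time counter."""
    msg = struct.pack("!4sH4sHII", src_ip, src_port, dst_ip, dst_port, client_isn, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, client_mss, now_sec):
    """Return the SYN-ACK sequence number; the server stores nothing for this SYN."""
    count = (now_sec // 64) & 0x1F           # 5-bit counter, one tick per 64 s
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):        # largest table MSS the client accepts
        if m <= client_mss:
            mss_idx = i
    h = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count) & 0xFFFFFF
    return (count << 27) | (mss_idx << 24) | h

def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now_sec, max_age=2):
    """Validate the final ACK. Returns the negotiated MSS, or None to drop the ACK."""
    client_isn = (seq - 1) & 0xFFFFFFFF      # the ACK carries client ISN + 1 ...
    cookie = (ack - 1) & 0xFFFFFFFF          # ... and acknowledges our SYN-ACK seq + 1
    count, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now_sec // 64) & 0x1F) - count) & 0x1F
    if age > max_age or mss_idx >= len(MSS_TABLE):
        return None                          # stale cookie or impossible MSS index
    if h != _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count) & 0xFFFFFF:
        return None                          # forged, or replayed on another 4-tuple
    return MSS_TABLE[mss_idx]

def demo():
    """Constructed handshake on RFC 5737 documentation addresses."""
    src, dst = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 2])
    isn, t0 = 0x1A2B3C4D, 1_000_000
    cookie = make_cookie(src, 40000, dst, 443, isn, 1460, t0)
    seq, ack = (isn + 1) & 0xFFFFFFFF, (cookie + 1) & 0xFFFFFFFF
    good = check_cookie(src, 40000, dst, 443, seq, ack, t0 + 10)           # -> 1460
    forged = check_cookie(src, 40000, dst, 443, seq, ack ^ 0x55, t0 + 10)  # -> None
    stale = check_cookie(src, 40000, dst, 443, seq, ack, t0 + 64 * 5)      # -> None
    return good, forged, stale
```

The price of statelessness is visible in the code: only the MSS survives the round trip, so window scaling and SACK options negotiated in the SYN are lost unless they are encoded elsewhere, which is why the kernel enables cookies only once the backlog overflows.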

