How Cloudflare Mitigates Thousands of DDoS Attacks Every Hour
We'll talk about the different types of DDoS attacks and how Cloudflare prevents them. Plus, resources on public speaking for software engineers, things we learned about LLMs in 2024 and more.
Hey Everyone!
Today we’ll be talking about
How Cloudflare Defines, Measures and Stops DDoS Attacks
DDoS Attacks Explained (Volumetric, Application layer and Protocol layer attacks)
How to Measure DDoS Attacks
Steps for Protecting from DDoS Attacks
Tech Snippets
Resources on Public Speaking for Software Engineers
Things we Learned about LLMs in 2024
How to Track Engineering Time
Static Search Trees and how they can be 40x Faster than Binary Search
How Cloudflare Defines, Measures and Stops DDoS Attacks
Cloudflare is one of the largest internet infrastructure companies in the world, providing CDN services, DDoS protection, DNS management and more to millions of websites. They operate a massive global network with data centers in over 330 cities worldwide, handling trillions of requests per day.
One of Cloudflare's core offerings is protection against Distributed Denial of Service (DDoS) attacks. Unfortunately, these malicious attacks are a constant threat to websites. In 2024 alone, CloudFlare mitigated over 14.5 million DDoS attacks (an average of 2,200 DDoS attacks per hour).
Recently, the Cloudflare engineering team published an awesome blog post delving into the evolution of DDoS attacks over the past decade. We’ll be summarizing the post and adding some extra context on DDoS attacks.
DDoS Attacks Explained
With a Distributed Denial of Service Attack, a hacker will use many geographically distributed machines to send traffic to a website. These machines usually belong to unsuspecting users and have been infected with malware to make them part of the attacker’s botnet.
The goal is to overwhelm the target’s backend with traffic, so the site can no longer serve legitimate users. The attacker might then request a ransom from the company, promising to stop the DDoS attack if the company pays up.
DDoS Attacks can roughly be split into 3 main types: Volumetric, Application layer and Protocol attacks.
Volumetric Attacks
These attacks are based on brute force techniques where the target server is flooded with data packets to consume bandwidth and server resources.
Volumetric attacks will frequently rely on amplification and reflection.
Amplification is where a request in a certain protocol will result in a much larger response (in terms of the number of bytes); the ratio between the request size and response size is called the Amplification Factor.
Reflection is where the attacker will spoof the source of request packets to be the target victim’s IP address. Servers will be unable to distinguish legitimate requests from spoofed ones so they’ll send the (much larger) response payload to the targeted victim’s servers and unintentionally flood them.
Network Time Protocol (NTP) DDoS attacks are an example of volumetric attacks where you can send a 234-byte spoofed request to an NTP server, which will then send a 48,000 byte response to the target victim. Attackers will repeat this on many different open NTP servers simultaneously to DDoS the victim with all the NTP responses.
Application Layer Attacks
These DDoS attacks target the “top” layer in the OSI model - the application layer. Attackers might flood the backend with HTTP requests, exploit expensive API endpoints, create many SSL/TLS handshakes, etc.
Database DDoS attacks are quite common, where a hacker will look for requests that are particularly database-intensive and then spam those in an attempt to exhaust the database resources. Scaling your database through read replicas takes time, so this attack can be pretty successful.
HTTP Floods are some of the most widely seen layer 7 DDoS attacks, where hackers will spam a web server with HTTP GET/POST requests. Sophisticated hackers will specifically design these to request resources with low usage in order to maximize the number of cache misses the web server has.
Protocol Layer Attacks
Protocol attacks will rely on weaknesses in how particular protocols are designed. Examples of these kinds of exploits are SYN floods, BGP hijacking, Smurf attacks and more.
A SYN flood attack exploits how TCP is designed, specifically the handshake process. The three-way handshake consists of SYN -> SYN-ACK -> ACK, where the client sends a synchronize (SYN) message to initiate, the server responds with a synchronize-acknowledge (SYN-ACK) message and the client then responds back with an acknowledgement (ACK) message.
In a SYN flood attack, a malicious client will send large volumes of SYN messages to the server, who will then respond back with SYN-ACK. The client will ignore these and never respond back with an ACK message. The server will waste resources (open ports) waiting for the ACK responses from the malicious client. If repeated on a large scale, this can bring the web server down since the server won’t know which requests are legitimate.
How to Measure DDoS Attacks
First of all, defining an individual DDoS attack can be surprisingly difficult. It is not just a one-time spike in requests. A DDoS attack can last for several hours/days and consist of many smaller incidents (also known as pulses).
Cloudflare analyzes a combination of factors to create a “fingerprint” that helps identify different attacks as part of the same DDoS targeting.
Some factors Cloudflare looks at are:
Attack Vectors: Are the same attack vectors being used across the set of events?
Targets: Are all the attacks focused on the same target website/entity?
Payload Signatures: Do the payloads share anything that could mark them to a certain botnet?
Once they have gotten a rough sense of which pulses are part of the attack, Cloudflare can measure how large the DDoS was.
The main metrics they use are:
Bits per Second (BPS): Measures the total data transferred per second. This is useful for evaluating network-layer attacks that aim to saturate bandwidth like UDP floods.
Requests per Second (RPS): Measures the number of protocol requests made each second. This is useful for application-layer attacks (Layer 7).
Packets per Second (PPS): Represents the number of individual packets sent to the target per second, regardless of size. This is critical for network-layer attacks (Layers 3 and 4) like SYN floods.
How to Protect from DDoS Attacks
Unfortunately, there is no single solution to protecting your service from a DDoS attack. Large companies use many different approaches. Some of them include
Rate Limiting: This is the first line of defense. You set thresholds on the number of requests your server will accept from a single IP address within a given time frame.
Caching and CDNs: You can significantly reduce the load on your web server by caching content and using a Content Delivery Network (CDN). CDNs will distribute your files across multiple servers globally, so that the impact of a DDoS attack is spread out.
Reducing the Attack Surface: Minimize the number of services exposed to the public internet. If you have an endpoint with expensive operations, then protect it through authentication (by requiring an API key).
Monitoring: You should continuously monitor network traffic to detect anomalies and potential attacks. First, establish a baseline for normal traffic patterns. That way, you can quickly identify unusual spikes or patterns that indicate an attack.
Machine Learning - services like Cloudflare use machine learning algorithms to identify suspicious traffic patterns in real time. They wrote an interesting blog post on the ML models they use here.