DDoS Mitigation

DDoS mitigation is the practice of detecting and absorbing distributed denial-of-service traffic before it overwhelms the target. Modern defenses combine scrubbing centers, anycast absorption by CDNs, rate limiting, and protocol-level filters against volumetric, protocol, and application-layer attacks.

DDoS mitigation is the set of techniques used to keep a service available during a distributed denial-of-service attack — an attempt to exhaust the target's network, compute, or application capacity by flooding it with traffic from many sources. Mitigation aims to identify hostile traffic, drop or rate-limit it, and pass legitimate requests through with as little disruption as possible.

Attacks are typically grouped into three layers. Volumetric attacks (UDP floods, ICMP floods, reflection and amplification attacks exploiting open DNS, NTP, or Memcached servers) try to saturate the victim's uplink; reported amplification factors range from about 50x for DNS to roughly 50,000x for unpatched Memcached. Protocol attacks such as SYN floods, ACK floods, and fragmented-packet floods exhaust state on firewalls, load balancers, and operating-system connection tables. Application-layer attacks like HTTP GET/POST floods and the 2023 'HTTP/2 Rapid Reset' issue, which generated bursts of hundreds of millions of requests per second, target expensive endpoints rather than raw bandwidth.

Operationally, defenders combine several layers. Always-on Content Delivery Network (CDN) and Anycast front-ends absorb volumetric traffic by spreading it across hundreds of PoPs, so no single site sees the full attack. Standalone or in-CDN scrubbing centers redirect suspect traffic via BGP or DNS, inspect it, and forward only clean packets to the origin. Stateless filters such as SYN cookies, BCP 38 source-address validation at ISPs, and TCP and TLS handshake checks deal with protocol attacks, while Web Application Firewalls, bot management, and per-IP or per-token rate limiting handle application-layer floods.

Headline events — the 2.3 Tb/s attack on AWS in February 2020 and a 22.2 Tb/s attack reported by Cloudflare in September 2025 — illustrate the steady escalation that keeps DDoS mitigation a core service of modern CDN and transit providers.
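The SYN cookies named above work by encoding connection state into the server's initial sequence number, so a half-open connection costs the server no memory. The sketch below is an added example, not code from this page or from any kernel: the bit layout follows the classic 5-bit time slot, 3-bit MSS index, 24-bit keyed hash design, while the secret, MSS table, slot length, and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-key"   # assumption: per-host secret, rotated in practice
MSS_TABLE = [536, 1024, 1220, 1300, 1360, 1400, 1440, 1460]  # constructed 3-bit table
SLOT_SECONDS = 64                  # assumption: granularity of the 5-bit time counter
M32 = 0xFFFFFFFF

def _mac24(src, sport, dst, dport, client_isn, slot, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN, slot and MSS."""
    msg = f"{src}|{sport}|{dst}|{dport}".encode()
    msg += struct.pack("!IBB", client_isn, slot, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK: 5-bit slot | 3-bit MSS index | 24-bit MAC.
    Nothing is stored per connection, so a SYN flood cannot fill a backlog."""
    slot = (int(now) // SLOT_SECONDS) % 32
    mss_idx = max(i for i, m in enumerate(MSS_TABLE)
                  if m <= max(client_mss, MSS_TABLE[0]))
    mac = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
    return (slot << 27) | (mss_idx << 24) | mac

def check_cookie(src, sport, dst, dport, seq_num, ack_num, now, max_age_slots=1):
    """Validate the handshake's final ACK; return the MSS or None if rejected."""
    client_isn = (seq_num - 1) & M32   # the ACK carries client ISN + 1
    cookie = (ack_num - 1) & M32       # and acknowledges server ISN + 1
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) // SLOT_SECONDS) % 32
    if (current - slot) % 32 > max_age_slots:   # stale or future slot
        return None
    expected = _mac24(src, sport, dst, dport, client_isn, slot, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    # Constructed handshake using documentation address ranges.
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)
    isn = make_cookie(*conn, client_isn=0x1000, client_mss=1460, now=1000)
    print(check_cookie(*conn, seq_num=0x1001, ack_num=(isn + 1) & M32, now=1010))
    print(check_cookie(*conn, seq_num=0x1001, ack_num=((isn ^ 1) + 1) & M32, now=1010))
```

Only a client that actually received the SYN-ACK can return a valid acknowledgement number, which is why spoofed-source SYNs never consume a connection-table entry; the trade-off is that only the coarse MSS survives in the cookie.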

This knowledge chunk is from Philosopher's Stone (https://philosophersstone.ee), an open knowledge commons with 91% confidence.