Basics of DDoS and Rate Limiting
What Is a DDoS Attack?
A DDoS (distributed denial-of-service) attack aims to exhaust server resources such as CPU and memory, or to saturate network infrastructure, by sending a massive volume of traffic to the target system.
Types of DDoS Attacks
1. Volumetric Attack
Volumetric attacks aim to overwhelm the target system with a flood of traffic. These attacks typically involve sending a massive volume of data packets to the target, leaving it unable to respond to legitimate requests.
- UDP flood
- ICMP flood (Ping flood)
2. Protocol Attack
Protocol attacks exploit vulnerabilities in network protocols or services to disrupt communication between devices or servers.
- SYN flood: exploits the three-way handshake in TCP connections by sending a massive number of SYN requests without completing the handshake.
3. Application Layer Attack / Layer 7 Attack
These attacks target the top layer of the OSI model, where HTTP GET, POST, and other requests occur.
- HTTP flood
- Slowloris attack
4. Reflection and Amplification Attack
The attacker spoofs the source IP address of their requests so that they appear to come from the target's address, then sends those requests to vulnerable servers, which respond with larger data packets to the victim. This amplifies the volume of traffic directed at the target, overwhelming its service.
- DNS amplification
- NTP amplification
Here you can find other types of DDoS attacks
Importance of Rate Limiting in DDoS Defense
DDoS attacks typically involve flooding the target with an overwhelming amount of traffic. By implementing rate limiting, developers can control the rate at which traffic is allowed to reach their servers or network infrastructure. This helps prevent the network from becoming saturated and ensures that resources remain available to handle legitimate requests.
Principles of Rate Limiting
1. Control parameters
- Rate Limit: The maximum rate at which requests or connections are allowed within a specific period
- Burst Size: The maximum number of requests or connections allowed to exceed the rate limit temporarily before enforcement
- Time Window: The duration over which the rate limit is applied
2. Types of Rate Limiting Techniques
- Token Bucket: Requests are allowed if tokens are available in a token bucket, with tokens replenished at a fixed rate
- Leaky Bucket: Requests are processed at a constant rate, with excess requests overflowing like water from a leaky bucket
- Sliding Window: Requests are counted within a sliding time window, and if the count exceeds the limit, further requests are delayed or rejected
3. Granularity
- Network Layer: Limiting the rate of incoming or outgoing traffic based on IP addresses, ports, or protocols
- Transport Layer: Regulating the rate of data transmission in TCP or UDP
- Application Layer: Restricting the number of API calls, web requests, or other application-specific actions
4. Enforcement Mechanism
- Delay: Excess requests are delayed, ensuring a steady rate of incoming traffic
- Drop: Excess requests are rejected, signalling the client to retry later
- Throttle: Excess requests are accepted but processed at a reduced rate, ensuring fairness among connections
5. Dynamic adjustments
Rate limiting parameters can be dynamically adjusted based on traffic patterns, system load, or specific criteria
6. Monitoring and Logging
Effective rate limiting requires monitoring traffic patterns, logging violations, and analyzing metrics to fine-tune parameters and detect potential issues
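
The Token Bucket technique, driven by the Rate Limit and Burst Size parameters and using Drop enforcement with a per-client violation count for logging, is shown below as an added example that is not part of the original article. The `RateLimiter` class, the injected clock, and the sample client addresses are constructed for illustration.

```python
import time


class RateLimiter:
    """Per-client token bucket with Drop enforcement (illustrative, hypothetical class)."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate        # Rate Limit: tokens replenished per second
        self.burst = burst      # Burst Size: bucket capacity
        self.clock = clock      # injectable so the simulation is deterministic
        self.buckets = {}       # client key (e.g. source IP) -> (tokens, last_seen)
        self.violations = {}    # client key -> dropped request count, for logging

    def allow(self, client):
        """Return (allowed, retry_after_seconds) for one request from `client`."""
        now = self.clock()
        # A client seen for the first time starts with a full bucket.
        tokens, last = self.buckets.get(client, (self.burst, now))
        # Replenish at the fixed rate for the elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[client] = (tokens - 1.0, now)
            return True, 0.0
        # Drop: reject, record the violation, and tell the client when to retry.
        self.buckets[client] = (tokens, now)
        self.violations[client] = self.violations.get(client, 0) + 1
        return False, (1.0 - tokens) / self.rate


def simulate():
    """Constructed traffic: one client floods, a second sends a single request."""
    t = [0.0]
    rl = RateLimiter(rate=5, burst=10, clock=lambda: t[0])
    flood = [rl.allow("198.51.100.7") for _ in range(100)]      # 100 requests at t=0
    t[0] = 1.0                                                   # one second later
    refill = [rl.allow("198.51.100.7") for _ in range(10)]
    normal = rl.allow("203.0.113.9")                             # unaffected client
    return {
        "flood_allowed": sum(ok for ok, _ in flood),
        "retry_after": flood[-1][1],
        "refill_allowed": sum(ok for ok, _ in refill),
        "normal": normal,
        "violations": dict(rl.violations),
    }


if __name__ == "__main__":
    print(simulate())
```

Because the bucket table is keyed by client, a flood from many spoofed or distributed sources makes it grow without bound; a deployed limiter needs a size cap or eviction of idle entries.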