How to Build DDoS Resilient Infrastructure?

Photo of Sonia Anna Puton

Sonia Anna Puton

Updated Aug 23, 2022 • 7 min read
infrastructure ddos protection
Slow DDoS attacks are on the rise, and they're costing businesses big bucks.
In this article, we'll explore what a micro flood is, how they're carried out, and why they're so dangerous. We'll also offer tips on how to protect your business from these attacks.

DDoS attacks threat

DDoS attacks are a type of attack where an attacker attempts to make a computer or network resource unavailable to its intended users. This is usually done by flooding the target with traffic from multiple computers, or by sending malicious requests that overload the system.

Botnets are often used to launch DDoS attacks, as they can generate a large amount of traffic. However, DDoS attacks can also be launched without using botnets. For example, an attacker could use a single computer to send malicious requests to a vulnerable server.

DDoS attacks can be difficult to defend against, as they can come from anywhere in the world and can be hard to trace. However, there are some things that you can do to protect yourself, such as keeping your software up-to-date, using a firewall and most importantly - having a resilient architecture.

Application layer micro floods

Online businesses are migrating to public clouds, therefore the attackers are changing their approach and techniques. We are observing DDoS attacks on a huge scale - Microsoft has reported an attack of 3.47Tbps scale.

Yet, the attacks that are huge in volume are not the ones that are the most deadly. The most concerning is the trend of application-level attacks and micro floods. Radware has reported an almost 80% increase in attacks smaller than 1Gbps. These slower attacks can go undetected, are hard to mitigate and can consume a lot of resources such as bandwidth, CPU and memory usage, allowing an attacker to stealthily cause denial-of-service.

Not volumetric in nature, such attacks can often be launched with only a single machine; additionally, because these attacks occur on the application layer, a TCP handshake is already established, successfully making the malicious traffic look like normal traffic traveling over a legitimate connection.

Application layer DDoS attacks are more complex than lower layer attacks because they contain valid components like TCP connections, IPs, and requests. They are hidden under the protection of TLS encryption. Most WAFs are good at identifying L7 attacks, but they can't catch everything.

Nowadays, the most popular application DDoS attack vectors are Slow HTTP GET and Slow HTTP POST requests. The goal of these attacks is to use up all of the application's resources by opening many connections. The attacker would send an incomplete HTTP request.

The remaining parts are sent in long intervals, to make sure that the connection does not time out and that the server keeps the thread open. It is hard to spot while monitoring the traffic, as it is very similar to the behavior of users with slow Internet connection. The difference though, is in fact that the attacker scripts the requests and repeats them multiple times. This situation causes a denial of service for legitimate users, as the connection table in the server's memory is full, busy handling the illegitimate slow requests.

Build infrastructure that is DDoS resilient

DDoS attacks are on the rise, and they can be very costly for businesses. In a recent study, it was found that DDoS attacks cost businesses an average of $2.5 million per incident. So, how can we build infrastructure that is DDoS resilient?

There are a few things businesses can do to make their infrastructure more DDoS resilient:

Disperse your assets

Make sure that your architecture is decentralized. This includes dispersing assets, locating servers in different data centers, and having diverse paths. It is also advised to separate monitoring, data storage, and app logic to their own dedicated machines.

Utilize load balancers

Best practice is to use load balancers in front of application servers. That will increase availability and limit attack effectiveness.

Use multiple layers of security

In addition to using a DDoS mitigation service, it is important to use multiple layers of security to protect your infrastructure from DDoS attacks. This includes using firewalls, intrusion detection/prevention systems, and anti-virus software.

Harden your systems

Take note of your application server settings such as the connection timeout, maximum memory pool, available CPU time, possible HTTP parameters length etc. Consider installing additional security plugins if applicable.

Stay up to date

Make sure you keep your systems up to date with the latest security patches. Many DDoS attacks take advantage of known vulnerabilities in systems and applications.

Analyze your app bottlenecks

Application functions that require multiple memory or computing resources should be limited and protected. Make sure that a user cannot make multiple function calls. Consider using CAPTCHA or other challenges on your website.

Make sure that you have a disaster recovery plan.

A disaster recovery plan is an important part of any business. Without a plan in place, your business could be crippled in the event of an attack or other emergency. The plan should include steps to take, as well as contact information for employees and vendors on your escalation path.

Cloud Infrastructure Design

Public cloud providers such as Azure and AWS put a great emphasis on availability and resiliency. The publicly available documentation shows multiple design examples for reference. You can utilize these examples to ensure resiliency agains web application DDoS attacks. Make sure that you remember about implementing limits, so that the resources do not scale over your budget.

AWS reference architecture:

AWS reference architecture

The great benefit of the above architecture is the fact that it uses AWS CloudFront - CloudFront offers a feature of automatic application layer DDoS mitigation. When an attack event is detected, there is an automatic implementation of mitigation rules in the associated AWS WAF instances.

Additionally, the design recommends having Elastic Load Balancing in front of your EC2 instances. This will guarantee that your web application is available to legitimate users, even when the application is under heavy load.

Read more: AWS Documentation

Azure reference architecture


Azure recommends to have their Application Gateway WAF deployed in front of the resources and configure the apps to accept only traffic from the Application Gateway IP address. Read more: Azure Documentation.

Market DDoS protection solutions

There are a number of commercial DDoS protection solutions on the market. These solutions vary in terms of features, pricing, and performance. Some of the more popular DDoS protection solutions include Akamai, CloudFlare, and Arbor Networks.

You can tailor your DDoS protection to your needs and in order to help you do so, there are reports published by companies such as Forrester Research and Gartner, that analyze and compare the available solutions. You can find the latest "Forrester Wave" under the following link: DDoS Mitigation Solutions Q1 2021.

Building infrastructure that is DDoS resilient can be difficult, but it is important for businesses to take steps to protect themselves from these types of attacks. By using a DDoS mitigation service, using a cloud-based infrastructure, and using multiple layers of security, businesses can make their infrastructure much more resilient to DDoS attacks.

Photo of Sonia Anna Puton

More posts by this author

Sonia Anna Puton

Sonia is a Cybersecurity Engineer specializing in networks and cloud security.
Lost with AI?  Get the most important news weekly, straight to your inbox, curated by our CEO  Subscribe to AI'm Informed

We're Netguru!

At Netguru we specialize in designing, building, shipping and scaling beautiful, usable products with blazing-fast efficiency

Let's talk business!

Trusted by: