How to stop DDoS attacks?

How to stop DDoS attacks?

When a bad actor launches an attack to your webpage or service, several things take place on the network. This guide walks you step by step through each action taken during DDoS attack mitigation.


Step 1: Normal state (no attack)

In what is called normal state, websites or services are fully available. From an operational point of view, it is good to note the level of network traffic that reaches your services (for example: network bandwidth in bps, pps, requests-per-second or infrastructure load) in this state to establish a baseline.

Customers can also configure special Edge Network Firewall rules that will be enabled automatically if an attack should arise. These rules can be used to offload a server's iptables and prevent saturating the server link. You should review these rules occasionally.

It’s also a good idea to have a dashboard that monitors your services not only from a technical point of view but also from the business side. This can be useful when under attack to see from your customer’s perspective.

Step 2: The attack starts

When a distributed denial-of-service attack is launched from a botnet of coordinated devices, the first place it can be noticed is at a Point-of-Presence (PoP). This is the place where OVHcloud interconnects with other operators' routers to access the internet. From there, attack traffic enters our global backbone network, and thanks to our very high bandwidth capacity, normally no links are saturated.

Next, the cyber-attack reaches the server, which begins to process it. Signs of unusual activity include high resource usage, low network performance, due to amplified internet traffic or service degradation. In parallel, OVHcloud Anti-DDoS infrastructure's traffic analysis should detect the DDoS attack and trigger mitigation. This will also launch the Edge Network Firewall rules for such IP-address to be enabled if they weren't already forced. If you experience many short attacks that are causing VAC to trigger each time, you may consider adding a longer timeout for mitigation via our REST API.

If part of your infrastructure is outside of the OVHcloud network, you may need to use 3rd party tools to mitigate an attack. You may also try contacting the NOC and provide attack details, scale up your services, perform rate-limiting or activate the "I'm under attack" button if available.


Step 3: Anti-DDoS (VAC) mitigates the attack

Once an attack is detected, mitigation begins within seconds. The server’s incoming traffic is ‘vacuumed’ up by our VAC nodes. The attack is then blocked without any limitation constraints concerning volume or duration. Legitimate traffic continues to flow and reach the server. This process is called  ‘auto-mitigation’ and is completely managed by OVHcloud. We will notify you about the event (by email). It can also be observed while analyzing the path packets going to your server or service (using mtr or traceroute), ‘anti-DDoS vac stages’ will appear.

Step 4: The DDoS attack ends

DDoS attacks are expensive to launch and if unsuccessful not cost-effective. A typical attack lasts from 10 to 12 minutes. The anti-DDoS system deactivates automatically once an attack has ended or after a defined, custom timeout and remains on standby, ready to defend against the next attack.


Ready to get started?

Create an account and launch your services in minutes.


What kind of attacks can Anti-DDoS Infrastructure defend against?

Cyber security covers a broad range of threats. Our Anti-DDoS Infrastructure addresses the greatest of those: Distributed Denial-of-Service attacks, packet floods (incl. syn flood), spoofing, malformed or amplification attacks, etc. Most of these you can't filter on your own as they can saturate the network link in front of your server.