How to prevent DDoS attacks？

Based on years of practical protection experience and technical documentation from global top security vendors, this article compiles a highly actionable defense system. The following content covers the entire process from basic configurations to hybrid attack mitigation, suitable for IT operations teams, security engineers, and enterprise technical decision-makers.

Of course, the best approach is to integrate CDN5's Advanced Anti-DDoS CDN, where CDN5 engineers and AI bots will handle acceleration and protection for you.

I. Network Layer Defense

1. Bandwidth Expansion & Traffic Scrubbing

• Bandwidth Redundancy Design: Reserve at least 2x the peak business traffic bandwidth. For example, if daily peak traffic is 500Mbps, procure 1Gbps+ bandwidth.
• BGP High-Protection IP Integration (Example: CDN5):

  • Log into the CDN5 console and navigate to the High-Protection IP service page.

  • Select Purchase New Instance, choose a Game Protection or Web Protection plan based on business needs.

  • Configure port forwarding rules (example):

    Bash

     

    # Map High-Protection IP port 80 to origin server 10.0.0.1:8080 add forwarding-rule 80 TCP 10.0.0.1 8080

  • CDN5’s AI bot automatically activates Intelligent Scheduling to switch scrubbing nodes and routes.

2. Blackhole Routing & Rate Limiting (Linux Server Implementation)

• Dynamic IP Blocking:

  Bash

   

  # Block IPs with 1000+ new connections in 1 minute (based on [HK InfoSec Guidelines](https://www.infosec.gov.hk/en/best-practices/business/defending-against-ddos-attack)) iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --setiptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP

• Bandwidth Throttling (for UDP Flood Attacks):

  Bash

   

  # Limit UDP port to 1000 packets/sec (ref: [CDN5 Traffic Control](https://www.cdn5.com/networks/how-to-prevent-ddos-attacks/#traffic-shaping)) iptables -A INPUT -p udp -m limit--limit1000/sec -j ACCEPT iptables -A INPUT -p udp -j DROP

  This configuration reduces 70% of junk traffic.

II. Transport Layer Hardening

1. Linux Kernel Tuning (Mandatory Configurations)

• SYN Cookie Mechanism:

  Bash

   

  # Enable SYN Cookies for SYN Flood defense (details: [CDN5 Transport Layer Guide](https://www.cdn5.com/guides/ddos/attack-prevention/#transport-layer)) echo1 > /proc/sys/net/ipv4/tcp_syncookies 

• Connection Queue Adjustments:

  Bash

   

  # Half-open queue limit (default 1024 → 65535) echo65535 > /proc/sys/net/ipv4/tcp_max_syn_backlog # Fully established queue limit echo65535 > /proc/sys/net/core/somaxconn 

  Supports 10x more concurrent connections.

2. Layer 4 Load Balancing (Nginx Example)

• Geolocation-Based Traffic Routing:

  Nginx

   

  geo$blocked_country { default0; 192.168.1.0/24 1; # Allow internal IPs 58.96.0.0/15 0; # Hong Kong region 223.255.0.0/16 1; # High-risk attack regions (data source: [HK InfoSec Threat Intel](https://www.infosec.gov.hk/en/best-practices/business/defending-against-ddos-attack)) } server{ if($blocked_country) { return444; } # Other configurations... }

  Blocks 90% of overseas malicious traffic.

III. Application Layer Protection

1. CAPTCHA Integration

• SDK Shield Configuration:
  • Log into CDN5’s SDK Shield dashboard.
  • Create rules to trigger challenges for requests from high-risk countries/ASNs (now upgraded to AI-managed mode).
  • Set action: JS Challenge or Managed Challenge.

2. API Protection (Nginx + Lua Dynamic Rate Limiting)

• Business-Specific Rate Limiting:

  Nginx

   

  lua_shared_dictmy_limit 10m; server{ location/api { access_by_lua_block{ locallimit = ngx.shared.my_limit local key = ngx.var.remote_addr .. ngx.var.http_user_agent local req, _ = limit:get(key) if req and req > 100then # 100 requests/sec threshold (ref: [eSecurityPlanet](https://example.com)) ngx.exit(503) else limit:incr(key, 1, 1) end } # Other configurations... } }

  Blocks 95% of API abuse.

IV. Hybrid Attack Mitigation

1. SSDP Reflection Attack Defense

• Drop UDP port 1900 traffic at the border router.

• Suricata Detection Rule:

  Yaml

   

  alertudpanyany->any1900(msg:"SSDPReflectionAttack";content:"M-SEARCH*HTTP/1.1";depth:14;sid:1000001;) 

• Cooperate with ISPs to scrub cross-border SSDP traffic.

2. Layer 4 CC Attack Mitigation

• TCP Connection Fingerprint Analysis:

  Bash

   

  # Use tshark to extract attack patterns (method from [eSecurityPlanet](https://example.com)) tshark -r attack.pcap -Y "tcp.flags.syn==1"-T fields -e ip.src -e tcp.options 

  Analyze TCP option fields to identify botnet clusters.

V. Disaster Recovery & Legal Response

1. Business Continuity Plan

• Static Fallback Page (Nginx Config):

  Nginx

   

  server{ location/ { error_page502503504/static.html; # Normal logic... } location= /static.html { root/var/www/emergency; expires1h; } }

  Automatically switches to a static page during outages (ref: HK InfoSec Guidelines).

2. Attack Forensics & Legal Process

• Capture traffic: tcpdump -i eth0 -w attack.pcap -G 3600 -C 100 (see eSecurityPlanet Guide).
• Extract attacker WHOIS: whois 203.0.113.5 | tee attacker_info.txt.
• Submit evidence (server logs, timestamps) to local cybersecurity authorities.

VI. Toolchain Recommendations

Core Steps

1. Layered Defense: Network scrubbing + transport optimization + application validation.
2. Elastic Scaling: Cloud-native architecture for instant scaling.
3. AI-Driven Rules: Dynamically update rules based on threat intelligence.
4. Legal Compliance: Forensics tools + cyber insurance + legal collaboration.
5. Continuous Testing: Quarterly red/blue team drills to refine defenses.

FAQ: How to Defend Against DDoS Attacks

1. Use a DDoS Protection Service or Self-Defense?

• Use Services: CDN5, Stonecdn, Cloudflare.
• Self-Defense: Suricata (for skilled teams; high cost).

2. Emergency Response During Attacks

• Redirect traffic to a High-Protection IP/CDN.
• Deploy a static page (e.g., GitHub Pages).
• Contact ISPs for traffic filtering.

3. How to Detect an Attack?

• Bandwidth spikes (e.g., 100M → 1G).
• Unusual IPs (tools like LogRhythm).
• Server crashes (CPU/memory spikes without traffic).

5. Budget Solutions for Small Companies

• Free CDN (e.g., CDN5 Free Tier) to hide origin IP.
• Nginx rate limiting (10 requests/sec per IP).
• Block unused ports (e.g., UDP 1900).