We have been working in the field of protection from DDoS attacks for many years, and at some point we began to wonder why some applications are easier to secure than others, and why this happens.
This is how we came up with the term “DDoS protectability” and investigated the factors that affect it among our clients.
The following main groups of parameters affect the security of an Internet service:
As a bad example, consider an online game that uses the UDP protocol. Its website and game server are located on the same IP address. After each request, the site queries the game database to calculate statistics. The game protocol allows a potential attacker to select a sequence of packets similar to the legitimate one, and thus inflict significant load on the application, dramatically reducing its performance.
As a good example, let's take a taxi automation service. Its website is hosted separately, and the authorization service for clients with mobile apps installed on their smartphones is also hosted separately and works over HTTPS. The service itself, which taxi drivers' mobile apps connect to, is deployed on a pool of non-consecutive IP addresses from different subnets. Each taxi driver, depending on their username, is given a different set of IP addresses to connect to. The application establishes TCP connections with several IP addresses at once, and if some of them are unavailable, it transparently switches to others. In addition, each time the client connects, the authorization token and the client's IP address are checked to make sure that the token actually belongs to the client. Such a scheme will obviously be more resistant to DDoS attacks, since it will be extremely difficult for an attacker to affect the taxi service in a way that makes it inaccessible (or at least difficult to access) for its customers.
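The taxi-service design above, sketched as an added example (not code from this article or from any service it describes): per-username endpoint assignment, client failover, and a token bound to the client's IP address. The pool addresses, secret and function names are constructed for illustration, and keyed rendezvous hashing is an assumed way to derive each user's set.

```python
import hashlib
import hmac

# Constructed pool: documentation-range addresses standing in for
# non-consecutive front-end IPs from different subnets.
POOL = ["192.0.2.10", "192.0.2.77", "192.0.2.200", "198.51.100.5",
        "198.51.100.66", "198.51.100.140", "203.0.113.9", "203.0.113.201"]
SECRET = b"constructed-demo-key"  # assumption: server-side secret only


def _mac(*parts, key=SECRET):
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def assign_endpoints(username, pool=POOL, k=3):
    """Per-user subset of the pool, ranked by a keyed hash (rendezvous hashing)."""
    return sorted(pool, key=lambda ip: _mac("assign", username, ip))[:k]


def connect(username, reachable):
    """Client failover: the assigned endpoints that still answer."""
    return [ip for ip in assign_endpoints(username) if ip in reachable]


def issue_token(username, client_ip):
    """Token carries a MAC over (username, client IP); assumes no ':' or '|' in usernames."""
    return f"{username}:{_mac('token', username, client_ip)}"


def verify_token(token, client_ip):
    """Accept only a token issued to this username at this source IP."""
    username, _, mac = token.rpartition(":")
    expected = _mac("token", username, client_ip)
    return hmac.compare_digest(mac.encode(), expected.encode())


def cut_off(users, down):
    """Users left with no reachable endpoint when the addresses in `down` are unavailable."""
    up = set(POOL) - set(down)
    return [u for u in users if not connect(u, up)]


if __name__ == "__main__":
    drivers = [f"driver-{i}" for i in range(200)]
    flooded = assign_endpoints("driver-0")  # all three of one driver's addresses
    print("unavailable:", flooded)
    print("fully cut off:", len(cut_off(drivers, flooded)), "of", len(drivers))
    tok = issue_token("driver-0", "203.0.113.50")
    print("same IP:", verify_token(tok, "203.0.113.50"),
          "other IP:", verify_token(tok, "198.51.100.99"))
```

Only drivers whose whole assigned set is unavailable lose service; everyone else fails over to the addresses they do not share with it.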
As you can see, DDoS protectability should be planned at the stage of designing the IT infrastructure and architecture: good design will increase availability and reduce the later costs of protection from DDoS attacks. Next time we will discuss how to implement the principles of good design in practice and what else you need in order to implement effective protection from DDoS attacks.