DDoS Mitigation Methods and Tools

Modern businesses are becoming increasingly reliant on information technologies—a fact that cybercriminals are quick to exploit. Networks, websites, and various web applications are now frequent targets of malicious activity. To achieve their goals, attackers use a wide range of tools and tactics.

One of their favorites is the DDoS attack. These are relatively cheap and easy to organize, yet can cause serious damage to the victim. DDoS attacks often target internet-connected devices, including network hardware, physical and virtual servers, online services, websites and apps, and IoT infrastructure.

DDoS Threats for Business

DDoS attacks primarily result in financial and reputational damage. Companies may suffer from lost profits, broken contracts, customer churn, numerous complaints, and a surge of negative publicity in the media and on social networks.

In many cases, DDoS attacks are used as a smokescreen for more targeted intrusions. While security teams are busy mitigating the DDoS threat and restoring system functionality, attackers may exploit the distraction to breach services, steal confidential data, or install malicious software.

Read more: The Impact of DDoS Attacks on Businesses. A Closer Look

Targets and Methods of DDoS Attacks

Most DDoS attacks follow a typical sequence of steps:

  1. Reconnaissance and analysis: Attackers gather information about the target and identify obvious or potential vulnerabilities. Based on this, they select their method of attack.
  2. Preparation: Botnets are created by infecting internet-connected devices with malicious code. These compromised devices can be remotely controlled by the attacker.
  3. Attack launch: Malicious traffic is generated and sent from multiple infected devices to the target simultaneously.
  4. Assessment: If the attack does not achieve its goal, the attacker may collect additional data and revise their strategy—returning to step one.

In amplification-based DDoS attacks, the impact is large enough that a botnet may not even be necessary. The attacker spoofs the victim's IP address as the source of small requests sent to publicly reachable servers running UDP services such as DNS, NTP, SSDP or memcached; the servers then send their much larger responses to the victim. Because the response is tens, and for some protocols hundreds, of times larger than the request, a single machine on a network that does not filter spoofed source addresses can generate a powerful attack.

Another dangerous form is the "smart" DDoS attack, which targets the most resource-intensive functions of a web application: search, login, report generation, anything that triggers heavy database or backend work. The target is overwhelmed not by sheer volume of traffic but by a modest number of expensive requests, so the attack causes denial of service without saturating bandwidth and may even be executed from a single device (technically making it a DoS rather than a DDoS attack).

Classification of DDoS Attacks

DDoS attacks come in many forms. To build effective protection, it’s important to understand which types are most common and how they differ in terms of execution.

Attacks can be classified by the protocols they exploit, the method of impact, and their position in the OSI model.

Most commonly, DDoS attacks are grouped based on the OSI layer they target:

  • Network Layer (L3)
  • Transport Layer (L4)
  • Application Layer (L7)

In terms of their impact mechanisms, DDoS attacks are generally divided into three main categories:

  • Protocol-based attacks, which exploit weaknesses in network protocols or in how servers implement them (for example SYN floods that exhaust a server's connection table).
  • Volumetric attacks, which flood the target with massive amounts of traffic (for example UDP floods and amplification attacks) in order to saturate its bandwidth.
  • Application-layer attacks, which exploit vulnerabilities in how applications are structured or function logically (for example HTTP floods aimed at expensive endpoints).

Understanding these classifications allows security teams to better detect and mitigate different types of DDoS threats, whether they’re blunt-force bandwidth floods or more subtle attacks aimed at exhausting application resources.

Learn more: Types of DDoS Attacks.

DDoS Protection Tools: Classification Methods

There are at least three ways to classify tools for defending against DDoS attacks:

  • by deployment type: on-premise, cloud-based, or hybrid solutions;
  • by protection level: packet-level (L3/L4) or application-level (L7);
  • by traffic filtering mode: symmetric or asymmetric.

Classification by Deployment Type

On-Premise Solutions

Advantages:

  • Minimal network latency;
  • Easy to integrate into existing infrastructure;
  • Fine-tuned, custom configuration.

Disadvantages:

  • High cost of ownership—significantly more expensive than cloud solutions;
  • Requires dedicated staff for setup, monitoring, and maintenance;
  • Filtering is limited to protection against packet floods;
  • Bandwidth is constrained by local capacity—e.g., a 40 Gbps connection can’t stop a 50 Gbps attack.

On-premise DDoS protection tools are typically used by large operators and telecom providers: ISPs, cloud providers, and data centers with internal incident response teams.

Cloud-Based Solutions

Cloud DDoS protection offers similar capabilities to on-premise systems, with added benefits like protection against HTTP-based bot attacks and professional support during incidents.

Advantages:

  • Lower cost—usually via monthly subscription;
  • No staffing costs for monitoring and response;
  • High filtering capacity;
  • Fast setup—in just minutes;
  • Expert support available during attacks;
  • Free trial access is often available;
  • Application-layer (L7) filtering for websites.

Disadvantages:

  • Additional latency: traffic is routed through the provider's scrubbing centres before reaching the client;
  • Sensitive data passes through the provider: for application-layer (L7) filtering the provider must terminate TLS, so it sees your traffic in cleartext and holds a certificate and private key for your domain.

Despite some drawbacks, cloud-based DDoS protection generally offers more advantages—making it a preferred option for many companies over locally installed systems.

Learn more: Cloud-Based DDoS Protection Solutions

Hybrid Solutions

Hybrid DDoS protection combines on-premise equipment with a cloud service. The cloud component can be activated during peak load times when on-premise resources are overwhelmed. This setup addresses the main limitation of local systems: attack volume.

As prices fall, hybrid protection is expected to become more accessible to smaller service providers.

Read also: Hybrid DDoS Protection Solutions: Pros and Cons

Classification by Protection Level

DDoS attacks often exploit vulnerabilities in protocols or systems operating at the network (L3), transport (L4), or application (L7) layers of the OSI model. More frequently now, attackers are conducting “smart” DDoS attacks—using bots to overload the most resource-intensive parts of a web application.

Based on this, DDoS protection solutions can be categorized into three groups:

  • Tools that defend against packet-based floods by filtering L3 and L4 traffic;
  • Tools that defend against both packet-based and application-level floods (L3–L7)—ideal for websites, where most attacks occur at L7 (check out our L7 DDoS Protection Guide);
  • Tools that also defend against “intelligent” DDoS attacks—usually part of Web Application Firewalls (WAFs). These tools block a wide range of threats beyond DDoS. However, WAFs alone do not protect against high-volume packet floods that saturate bandwidth—they are as vulnerable to these as any application server. That’s why WAFs must be paired with dedicated anti-DDoS services for full protection.

Typically, on-premise solutions only provide L3–L4 protection. Cloud-based services can vary in capabilities, and their documentation should be studied carefully. For critical online infrastructure, using a WAF in combination with anti-DDoS tools offers the best defense and maximum uptime at all OSI layers.

Classification of DDoS Protection by Traffic Routing Mode

In this case, DDoS protection methods are typically divided into two types: symmetric and asymmetric filtering.

  • Symmetric filtering means that both incoming and outgoing traffic (or at least service information about it) passes through the filtering system.
  • Asymmetric filtering analyzes only inbound traffic.

In general, symmetric filtering methods are considered more effective. By monitoring both traffic directions simultaneously, these systems can make decisions based on a more complete picture of the interaction between the server and clients. Asymmetric systems, in contrast, cannot guarantee full protection against all attack types due to their limited view of traffic flow.

Symmetric protection is usually recommended for websites and critical business applications, while asymmetric filtering is more common in provider networks where scalability and speed are prioritized.

Each class of protection has its own advantages and disadvantages:

Criterion                                                              | Symmetric protection | Asymmetric protection
Flexible outbound traffic management                                   | No                   | Yes
Additional delay                                                       | Higher               | Lower
Complexity of connection                                               | Higher               | Lower
Subscription fee                                                       | Higher               | Lower
Ability to use multiple providers to protect against DDoS (one IP)     | No                   | Yes
Filtering efficiency                                                   | Higher               | Lower

DDoS Mitigation Methods for Different Resources

The choice of protection methods and solutions largely depends on the specific assets that need to be secured.

It’s also important to think like an attacker. This means building a threat model—imagining how an attacker might try to execute their plan. Once the potential vulnerabilities are identified, they must be eliminated. But that’s only part of the process. It’s equally important to rigorously test your DDoS protection service to ensure that it can effectively withstand the types of attacks most relevant to your environment. Only through this proactive approach can you be confident that your defenses are ready to counter real-world DDoS threats.

Websites and Web Applications

The first thing to consider when setting up DDoS protection for websites and web applications is whether you have access to the server hosting these resources. If you can fully control the server, it’s important to go beyond just connecting an external DDoS protection service. You should also prepare the server itself: optimize the operating system’s network stack to ensure it can handle high loads effectively.

To effectively defend against DDoS attacks, it's crucial that your server performs well under load and can handle a high rate of incoming requests. Otherwise you risk a "slashdot effect", where a sudden spike in legitimate traffic (for example after a link to your site is published on a popular page) overloads it just as an attack would.

Sometimes, defending against DDoS requires raising the default limits imposed by the operating system's network stack and the web server: SYN backlog and listen queue sizes, connection-tracking table size, file descriptor limits, worker processes and connections. In particular, we recommend tuning the performance parameters of Nginx and the Linux network stack. It's also advisable to fine-tune your database management system (DBMS) for speed, since the database is usually the first backend component to buckle under an application-layer flood.

If your site uses a popular CMS—such as Joomla!, WordPress, or Drupal—be sure to follow publicly available performance optimization guides. A well-optimized system in normal operation is more likely to withstand DDoS attacks.
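The tuning described above, as an added example rather than StormWall's own tooling: a POSIX shell script that audits a host's current sysctl values against a SYN-flood baseline, prints a sysctl drop-in for those values, and prints an Nginx fragment that rate-limits an assumed expensive endpoint (/search) and shortens the timeouts slow-request attacks rely on. The threshold values, the endpoint path and the 192.0.2.0/24 provider range are assumptions to replace with your own and to validate by load testing.

```shell
#!/bin/sh
# Added example (not StormWall's code): audit a Linux host's network-stack settings
# against a SYN/connection-flood baseline, and render the sysctl and nginx fragments
# that set it. The values are common starting points, not measured optima
# (assumption: validate them with your own load tests).

# sysctl name=value pairs the audit expects. Values must not contain spaces.
DDOS_SYSCTLS="
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=65536
net.core.somaxconn=65535
net.core.netdev_max_backlog=250000
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_fin_timeout=15
"

# sysctl_path ROOT NAME : /proc/sys-style file for a dotted sysctl name.
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# audit_sysctls ROOT : prints one line per setting that differs from the baseline
# (nothing printed = compliant). ROOT is /proc/sys on a live host; the test below
# passes a constructed directory tree instead.
audit_sysctls() {
    for kv in $DDOS_SYSCTLS; do
        key=${kv%%=*}
        want=${kv#*=}
        f=$(sysctl_path "$1" "$key")
        if [ -r "$f" ]; then have=$(cat "$f"); else have='(missing)'; fi
        [ "$have" = "$want" ] || printf '%s current=%s expected=%s\n' "$key" "$have" "$want"
    done
}

# render_sysctl_conf : drop-in for /etc/sysctl.d/ (apply with: sysctl --system).
render_sysctl_conf() {
    echo '# SYN/connection-flood baseline (review before applying)'
    for kv in $DDOS_SYSCTLS; do
        printf '%s = %s\n' "${kv%%=*}" "${kv#*=}"
    done
}

# render_nginx_limits : http-context fragment that caps per-client request and
# connection rates on an expensive endpoint (/search, an assumed path) and shortens
# the timeouts that slow-header/slow-body attacks depend on.
render_nginx_limits() {
    cat <<'EOF'
# Behind a scrubbing proxy the peer address is the provider's, so restore the real
# client address first or every visitor shares one rate-limit bucket
# (assumption: 192.0.2.0/24 stands in for the provider's ranges).
set_real_ip_from 192.0.2.0/24;
real_ip_header   X-Forwarded-For;
real_ip_recursive on;

# shared-memory zones keyed by client address (10m holds roughly 160k addresses)
limit_req_zone  $binary_remote_addr zone=expensive:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=perip:10m;

client_header_timeout 10s;   # slow-header (slowloris-style) connections
client_body_timeout   10s;   # slow-body uploads
keepalive_timeout     15s;
send_timeout          10s;

server {
    listen 80;
    location /search {                        # assumed expensive endpoint
        limit_req  zone=expensive burst=10 nodelay;
        limit_conn perip 20;
    }
}
EOF
}

# Usage on a live host: sh this_script.sh audit | render-sysctl | render-nginx
case "${1:-}" in
    audit)         audit_sysctls /proc/sys ;;
    render-sysctl) render_sysctl_conf ;;
    render-nginx)  render_nginx_limits ;;
esac
```

Run the audit before and after an attack simulation: a setting that has drifted back (a configuration-management run, a kernel upgrade changing a default) shows up as a line of output, which is easier to alert on than re-reading sysctl -a by hand.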

In some cases, the application or website is hosted by an external provider. DDoS protection is then typically the responsibility of the hosting provider. It's a good idea to confirm whether they can protect your resource against application-level (L7) attacks. Either way, you can always connect an external protection service. The key is to configure it so that the real IP address of your server remains hidden from attackers: once they know it, they can send traffic straight to the origin and bypass the filter entirely. The address must not leak through the headers of e-mail sent from the server, DNS records for other subdomains (mail, dev, ftp) or SPF records, or ports and services that answer directly on the origin address.

StormWall for Web:
WAF and DDoS Protection for Web Applications

Here are a few additional recommendations:

  • When connecting your online service to an external anti-DDoS provider, we recommend changing the server's IP address, since the old one may already be known to attackers. If that's not possible, block all incoming traffic except from the IP ranges provided by your protection service, so that anything sent around the filter is dropped at the host.
  • If your service is mission-critical, consider purchasing or renting reliable, high-performance hosting—ideally on a dedicated server. This helps eliminate the risk of your application being taken down due to an attack on another service hosted on the same infrastructure. It’s also advisable to implement redundancy in both computing resources and bandwidth to minimize the chance of downtime.
  • To reduce the risk of failure when one or more IP addresses are targeted, use all available IPs and distribute them across different services or users.
  • Inform your DDoS protection provider which IP addresses are in use and for what purpose. This information will help them build a more accurate and effective defense strategy.

Learn more: How to Protect a Website from DDoS Attacks

Internet Services and Online Games Based on TCP and UDP

To ensure the resilience of services that interact with users via TCP and UDP, it’s recommended to optimize the operating system’s network stack first. Start by checking that network interface card (NIC) interrupts are distributed across different CPU cores. Most modern systems are configured this way by default, but it’s worth verifying to avoid potential performance bottlenecks.

It's worth noting that when it comes to DDoS protection, it's generally better to build services on TCP. Because TCP requires a handshake before any data is exchanged, a filter can verify that a source really owns the address it claims (for instance with SYN cookies or by proxying the handshake) and discard spoofed packets. UDP is connectionless, so any packet can carry a forged source address and the filter has far less to go on.

Securing servers that rely on UDP requires significantly more effort. If a server is targeted with a custom-crafted attack that imitates legitimate game packets, generic filtering may fail. The exception is when you proactively share the protocol and behaviour of your server with your DDoS protection provider. Together, you can design a tailored mitigation strategy for these non-standard attacks and test its effectiveness through controlled simulations.


To protect internet services and online games that operate over TCP and UDP, it’s essential to start by properly configuring the network interface card (NIC) driver. When a frame reaches the NIC, it triggers a system interrupt—essentially a request for the processor to pause its current task and handle the incoming traffic. However, if every single frame caused an immediate interrupt, the CPU would be overwhelmed, even by basic operations like transferring a file over FTP.

To prevent this, NICs coalesce interrupts: received frames are queued on the card and handed to the CPU in batches, typically 250 to 1,000 times per second (the coalescing parameters can be inspected with ethtool -c and changed with ethtool -C). The fewer the batches, the lower the CPU load, but the higher the latency.

Fortunately, most modern servers are equipped with multi-core processors. Since the operating system treats each core as a separate CPU, interrupt load can be distributed evenly across them. There are two main ways to achieve this:

  1. The preferred method is using hardware queues. Modern NICs support multiple interrupt queues, usually 4 to 16, each with its own IRQ. On Linux, check with ethtool -l how many queues the driver has enabled; if it is fewer than the hardware maximum, enable them with ethtool -L, then make sure each queue's interrupt is pinned to a different core (either by irqbalance or by writing an affinity mask to /proc/irq/<irq>/smp_affinity) and confirm the spread in /proc/interrupts.
  2. Alternatively, you can use Receive Packet Steering (RPS), available since Linux 2.6.35. It spreads packet processing across the cores listed in /sys/class/net/<iface>/queues/rx-<n>/rps_cpus regardless of whether the NIC has multiple hardware queues, at the cost of some extra CPU work for the redistribution. Use this method if you have more CPU cores than hardware queues. Also consider disabling SMT/Hyper-Threading during an attack, as it may help improve performance and stability under heavy load.
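The two methods above, as an added example that is not StormWall's own tooling: a POSIX shell script that reads /proc/interrupts to find which core is absorbing each NIC queue's interrupts, pins the queues round-robin across cores by writing smp_affinity masks, and enables RPS by writing a core mask to each rx queue's rps_cpus. The interface name eth0, the IRQ numbers and the interrupt counts are constructed, and the ROOT parameters exist only so the logic can be exercised against a temporary directory instead of the live /proc and /sys.

```shell
#!/bin/sh
# Added example (not StormWall's code): spread a NIC's hardware-queue interrupts
# across CPU cores and enable RPS on its rx queues. Root-directory parameters let
# the logic run against a constructed tree instead of the live /proc and /sys.

# Constructed /proc/interrupts excerpt (not from a real host): four eth0 queues
# whose interrupts have all been landing on CPU0, the imbalance the text warns about.
SAMPLE_INTERRUPTS='           CPU0       CPU1       CPU2       CPU3
  24:    1823410          0          0          0   PCI-MSI 524288-edge      eth0-TxRx-0
  25:    1799022          0          0          0   PCI-MSI 524289-edge      eth0-TxRx-1
  26:    1810377          0          0          0   PCI-MSI 524290-edge      eth0-TxRx-2
  27:    1790544          0          0          0   PCI-MSI 524291-edge      eth0-TxRx-3
 NMI:          0          0          0          0   Non-maskable interrupts'

# nic_irq_hotspots IFACE < /proc/interrupts
# Prints "IRQ CPU" for each queue of IFACE, CPU being the core that took most of
# that queue's interrupts. Several IRQs naming the same core means the load is
# not spread.
nic_irq_hotspots() {
    awk -v iface="$1" '
        NR == 1 { ncpu = NF; next }                 # header: one column per CPU
        $0 !~ (iface "-") { next }                  # only this interface'"'"'s queues
        {
            irq = $1; sub(/:$/, "", irq)
            best = -1; bestc = 0
            for (i = 2; i <= ncpu + 1; i++)
                if ($i + 0 > best) { best = $i + 0; bestc = i - 2 }
            print irq, bestc
        }'
}

# cpu_mask CPU : hex affinity bitmask selecting one core (valid for CPUs 0-31;
# smp_affinity uses comma-separated 32-bit words beyond that).
cpu_mask() {
    printf '%x\n' $((1 << $1))
}

# all_cpus_mask NCPU : mask selecting cores 0..NCPU-1, the usual value for rps_cpus.
all_cpus_mask() {
    printf '%x\n' $(( (1 << $1) - 1 ))
}

# spread_irqs IRQROOT IFACE NCPU < /proc/interrupts
# Pins each of IFACE's queue IRQs to a different core, round-robin, by writing the
# mask to IRQROOT/<irq>/smp_affinity (IRQROOT is /proc/irq on a live host).
# Stop irqbalance first, or it will move the IRQs again.
spread_irqs() {
    root=$1; iface=$2; ncpu=$3; n=0
    nic_irq_hotspots "$iface" | while read -r irq _; do
        cpu_mask $((n % ncpu)) > "$root/$irq/smp_affinity"
        n=$((n + 1))
    done
}

# enable_rps SYSROOT IFACE MASK
# Writes MASK to every rx queue's rps_cpus so the kernel spreads packet processing
# over those cores even when the NIC has fewer hardware queues than the machine
# has cores (SYSROOT is /sys on a live host). Leave it at 0 when hardware queues
# already match the core count; RPS then only adds inter-core traffic.
enable_rps() {
    root=$1; iface=$2; mask=$3
    for q in "$root"/class/net/"$iface"/queues/rx-*; do
        [ -d "$q" ] || continue
        printf '%s\n' "$mask" > "$q/rps_cpus"
    done
}

# Usage on a live host (as root):
#   sh this_script.sh check eth0      # who handles each queue now
#   sh this_script.sh spread eth0     # pin queues across all cores
#   sh this_script.sh rps eth0        # RPS over all cores
case "${1:-}" in
    check)  nic_irq_hotspots "${2:-eth0}" < /proc/interrupts ;;
    spread) spread_irqs /proc/irq "${2:-eth0}" "$(nproc)" < /proc/interrupts ;;
    rps)    enable_rps /sys "${2:-eth0}" "$(all_cpus_mask "$(nproc)")" ;;
esac
```

Before pinning, compare the queue count from ethtool -l eth0 with the number of eth0 lines the check prints; if the driver exposes fewer queues than the card supports, ethtool -L eth0 combined N first, then re-run the check after a minute of traffic to confirm the counters grow on different columns.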

We also recommend reading our guide on how to protect a game server from DDoS attacks.

Networks

Ensuring the resilience of a network is arguably the most challenging task when it comes to DDoS protection. First, companies often need to protect not only their own internet resources but also the resources of their clients hosted within the same network. Second, network owners usually accumulate a large number of IP addresses. This gives attackers the ability to launch relatively weak, distributed attacks across multiple addresses simultaneously, which can slow down the entire infrastructure.


The first priority should be ensuring that the edge router is powerful enough. Verify its packet-per-second forwarding capacity (small-packet floods exhaust forwarding capacity long before they fill the link), assess the current load, and, if possible, perform stress testing. The utility hping3 is suitable for generating the SYN, UDP and ICMP floods such a test needs. Run it only against your own equipment, from a vantage point whose upstream passes the spoofed source addresses (--rand-source) you want to test with, and watch the router's CPU and drop counters while it runs.

The second important step is to make sure that your infrastructure addresses (router interfaces and links) cannot be enumerated via traceroute, both from outside and from inside the network. Any addresses that show up this way should be protected using Access Control Lists (ACLs) that drop traffic addressed to them from untrusted sources while still permitting transit traffic and the BGP and management sessions that legitimately terminate on them. If needed, consult your DDoS protection provider for assistance.
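The router checks above, as an added example that is not StormWall's own tooling: a POSIX shell script that parses traceroute output to list the hops that fall inside your own prefixes, renders a Cisco-style infrastructure ACL that drops packets addressed to those prefixes while passing transit traffic, and wraps a time-boxed hping3 SYN flood for the router stress test. The trace is constructed, and the prefixes 203.0.113.0/24 (your infrastructure), 192.0.2.0/24 (peers and management) and the hostnames are documentation values standing in for real ones.

```shell
#!/bin/sh
# Added example (not StormWall's code): find your own infrastructure addresses that
# a traceroute exposes, render an infrastructure ACL for them, and wrap a short
# hping3 SYN-flood test of the edge router. Prefixes and hostnames are
# documentation values standing in for real ones (assumption).

# Constructed traceroute output (not a real trace): hops 3 and 4 are this network's
# own router links inside 203.0.113.0/24 and are therefore visible from outside.
SAMPLE_TRACE='traceroute to www.example.com (198.51.100.7), 30 hops max, 60 byte packets
 1  gw.isp.example (192.0.2.1)  0.412 ms  0.388 ms  0.371 ms
 2  * * *
 3  edge1.example.net (203.0.113.1)  1.203 ms  1.188 ms  1.150 ms
 4  core2.example.net (203.0.113.5)  1.844 ms  1.802 ms  1.790 ms
 5  www.example.com (198.51.100.7)  2.015 ms  1.990 ms  1.983 ms'

ip4_to_int() {                    # 10.0.0.1 -> 167772161
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip4() {                    # 167772161 -> 10.0.0.1
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

ip4_in_cidr() {                   # ip4_in_cidr IP A.B.C.D/N ; exit 0 if IP is inside
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

cidr_wildcard() {                 # 203.0.113.0/22 -> 0.0.3.255 (Cisco inverse mask)
    int_to_ip4 $(( 4294967295 >> ${1#*/} ))
}

# exposed_hops PREFIX... < traceroute-output
# Prints "HOP IP" for every hop whose address lies inside one of your own prefixes:
# infrastructure an attacker can enumerate and target directly. Accepts both the
# default "name (ip)" format and the bare-address output of traceroute -n.
exposed_hops() {
    while read -r hop rest; do
        case "$hop" in ''|*[!0-9]*) continue ;; esac      # banner / non-hop lines
        case "$rest" in
            *\(*) ip=${rest#*\(}; ip=${ip%%\)*} ;;
            \**)  continue ;;                              # "* * *": no reply
            *)    ip=${rest%% *} ;;
        esac
        for p in "$@"; do
            if ip4_in_cidr "$ip" "$p"; then printf '%s %s\n' "$hop" "$ip"; break; fi
        done
    done
}

# render_infra_acl PREFIX... : inbound ACL for the upstream interface that drops
# packets addressed to the exposed prefixes and passes transit traffic. BGP peers
# and management stations must be permitted before the deny lines, or their
# sessions drop with everything else (assumption: 192.0.2.0/24 is that range).
render_infra_acl() {
    echo 'ip access-list extended INFRA-PROTECT'
    echo ' remark assumption: 192.0.2.0/24 = upstream peers and management stations'
    echo ' permit tcp 192.0.2.0 0.0.0.255 any eq bgp'
    echo ' permit tcp 192.0.2.0 0.0.0.255 eq bgp any'
    echo ' permit tcp 192.0.2.0 0.0.0.255 any eq 22'
    for p in "$@"; do
        printf ' deny ip any %s %s\n' "${p%/*}" "$(cidr_wildcard "$p")"
    done
    echo ' permit ip any any'
}

# syn_stress TARGET PORT SECONDS : SYN-flood your own edge router with hping3 for
# SECONDS. Lab or written permission only. --rand-source forges source addresses,
# so run it from a vantage point whose upstream does not drop spoofed packets, or
# the test measures the upstream's filter rather than your router.
syn_stress() {
    timeout "$3" hping3 -S -p "$2" --flood --rand-source "$1"
}

# Usage:
#   traceroute www.example.com | sh this_script.sh exposed 203.0.113.0/24
#   sh this_script.sh acl 203.0.113.0/24 203.0.113.0/30
case "${1:-}" in
    exposed) shift; exposed_hops "$@" ;;
    acl)     shift; render_infra_acl "$@" ;;
esac
```

Run the traceroute from outside (a VPS at another provider) and from a customer segment inside the network; the inside run usually reveals link addresses the outside one never reaches. Apply the ACL inbound on the upstream-facing interface, and pass only the link and loopback prefixes to it, not customer space, or the deny lines cut off the very services you are protecting.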

Learn more: What Can Protect Your Network from DDoS Attacks.

Why Enabling Protection Doesn’t Always Guarantee Attack Prevention

Protection Alone Doesn’t Guarantee Full DDoS Mitigation

The same applies to the availability of online services during an active DDoS attack. In many cases, the issue lies not in “poor” protection, but in flawed architecture or specific features of the service itself.

Back in 2017, we introduced the term “DDoS protectability” to the industry and explained the key factors that influence it. In short, protectability refers to a service's ability to be efficiently protected against DDoS attacks with minimal resource consumption.

Building DDoS protectability into a product's architecture from the design phase is not only possible, it's essential. This approach improves service availability and reduces protection costs in the long term.

Choosing a DDoS Protection Provider: What to Consider and What to Ask

Many companies today offer DDoS protection services—ranging from cybersecurity specialists to ISPs, hosting providers, and data centers. However, the quality and capabilities of their solutions can vary significantly.

DDoS protection is not an area for rushed decisions. When evaluating providers, make sure to ask the right questions and consider the following:

  • Filtering locations: Where are their scrubbing centers located? Are they geographically close to your infrastructure and customer base? Check routing quality and latency using tools like bgp.he.net, ping.pe, or similar platforms.
  • Expertise and reputation: How long has the provider been offering DDoS protection? Do they specialize in it? Look for client reviews, community involvement, and whether they innovate in the field. This helps assess how well the provider monitors emerging threats and adapts to the evolving cybercrime landscape.
  • Technical support: Choose a provider with true 24/7 support—DDoS attacks often start at night or on weekends when teams are less alert. Make sure there are multiple communication channels available for urgent issues.
  • Data localization & compliance: If you or your clients need data residency or compliance with laws like Russia’s Federal Law No. 152-FZ (“On Personal Data”), ask how the provider handles data. Will your traffic leave the country, even in encrypted form?
  • Client references: Check whether any of your partners already work with the provider. If so, ask them for feedback.
  • Test before you commit: Don’t sign a contract without first testing the service. Ideally, conduct a stress test—or at least simulate basic attacks—to evaluate protection and support responsiveness. You can do this using free tools and your own monitoring systems.
  • Transparent pricing: Avoid providers who charge extra based on attack volume or frequency. You have no control over who attacks you or how often, and pricing should reflect that reality.

Taking the time to properly vet a DDoS protection provider ensures your business stays resilient in the face of increasingly complex cyber threats.

Conclusions

DDoS protection is a complex and ongoing task. It’s a true test of professionalism—not just for the anti-DDoS service provider, but also for your own IT team: system administrators, developers, and cybersecurity specialists.

Keep in mind that a DDoS protection service must integrate seamlessly into your broader information security processes. If it doesn’t, its effectiveness will be limited.

It’s also important to recognize that the world, business, and IT landscapes are constantly evolving. Your systems are regularly updated—and attackers continue to develop new techniques. That’s why we strongly recommend regularly testing both your infrastructure and your protection services. The ability to quickly adapt to changes in the IT and cybersecurity landscape is critical.

Ultimately, successful defense requires consistent collaboration—between you as the resource owner and your DDoS protection provider.
