The fight against denial-of-service attacks is as old as the Internet. However, modern attackers have far greater attack power thanks to botnets. The massive data flows of the denial-of-service attacks they unleash bring even the most secure systems to their knees. Therefore, the services of large global cloud-based security providers are being used more and more.
The idea is that the incoming DDoS data stream is distributed to many individual systems. In this way, the total attack load is dispersed and the peak load affecting each of the systems decreases. Therefore, the network can withstand serious attacks.
At the network level, Anycast technology has become established, in addition to the packet filtering method. Requests to systems connected through Anycast are automatically directed to the geographically closest server. In this way, a denial-of-service attack of global magnitude has its impact reduced at the local level. Anycast networks like Cloudflare are convincing in their elegance and resilience.
The Cloudflare blog provides very interesting insight into current progress in fighting SYN flood attacks. In addition to the bot-based mitigation strategy, SYN packet signatures appear to have a promising future. This system consists of generating human-readable fingerprints of incoming SYN packets. From the fingerprint, some conclusions can be drawn about the operating system of the computer that originally sent the SYN packet. During a SYN flood attack, when fingerprint analysis is performed, packets that do not match the pattern are filtered out.
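The fingerprinting step described above, as an added example that is not code from the original article or from Cloudflare: it parses an IPv4 TCP SYN and renders a human-readable fingerprint, then filters against an allow-list. The field layout is a simplified assumption loosely modelled on the p0f tool's signature syntax, and the sample packets, `ALLOWED` and the function names are constructed for illustration.

```python
import struct

OPT = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}  # TCP option kinds

def syn_fingerprint(pkt: bytes) -> str:
    """Render an IPv4 TCP SYN as 'ver:ittl:mss:win,scale:options:quirks'."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or pkt[0] >> 4 != 4 or len(pkt) < ihl + 20 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    flags_frag, ttl = struct.unpack_from("!HB", pkt, 6)
    tcp = pkt[ihl:]
    off_flags, window = struct.unpack_from("!HH", tcp, 12)
    hdr_len = (off_flags >> 12) * 4
    if off_flags & 0x12 != 0x02 or not 20 <= hdr_len <= len(tcp):
        raise ValueError("not a well-formed initial SYN")  # SYN set, ACK clear
    opts, layout, mss, scale, i = tcp[20:hdr_len], [], None, None, 0
    while i < len(opts) and opts[i] != 0:       # kind 0 ends the option list
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if kind != 1 and not 2 <= length <= len(opts) - i:
            raise ValueError("malformed TCP option")
        layout.append(OPT.get(kind, f"?{kind}"))
        if kind == 2 and length == 4:
            mss = struct.unpack_from("!H", opts, i + 2)[0]
        elif kind == 3 and length == 3:
            scale = opts[i + 2]
        i += length
    ittl = next(t for t in (32, 64, 128, 255) if ttl <= t)  # guess initial TTL
    win = f"mss*{window // mss}" if mss and window % mss == 0 else str(window)
    quirks = "df" if flags_frag & 0x4000 else ""
    return (f"4:{ittl}:{mss if mss is not None else '-'}:{win},"
            f"{scale if scale is not None else '-'}:{','.join(layout)}:{quirks}")

def passes(pkt: bytes, allowed: set) -> bool:
    """Keep a SYN only if its fingerprint is allow-listed; drop unparsable input."""
    try:
        return syn_fingerprint(pkt) in allowed
    except ValueError:
        return False

# Constructed sample packets (documentation addresses, checksums left at zero).
SYN_WITH_OPTIONS = bytes.fromhex(
    "4500003c1c46400039060000c0000201c6336407"   # IPv4: DF set, TTL 57
    "9c4001bb0000000100000000a002721000000000"   # TCP: SYN, window 29200
    "020405b40402080a000000010000000001030307")  # mss,sok,ts,nop,ws
SYN_BARE = bytes.fromhex(                        # no options, TTL 255, window 512
    "4500002800000000ff060000c0000202c6336407"
    "04d201bb00000001000000005002020000000000")
ALLOWED = {"4:64:1460:mss*20,7:mss,sok,ts,nop,ws:df"}  # hypothetical allow-list
```

The option order, window-to-MSS ratio and TTL guess are what let a fingerprint hint at the sender's operating system; a SYN carrying no options at all produces a visibly different string and falls outside the allow-list.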