DDoS Mitigation
What is DDoS Mitigation?
DDoS mitigation is the set of techniques and services that absorb, filter, and re-route distributed denial-of-service attacks before they exhaust a target's network, infrastructure, or application capacity.
DDoS mitigation combats attacks at three layers: volumetric floods (SYN, UDP, amplification) measured in Gbps or Tbps, protocol attacks (e.g., SYN-flood, slowloris), and application-layer attacks against HTTP/HTTPS and APIs. Modern providers — Cloudflare, Akamai, Google, AWS Shield, Imperva — terminate traffic at globally distributed anycast scrubbing centers, applying signature, behavioral, and rate-based filters, plus challenge mechanisms for L7. On-prem appliances and BGP flowspec/Remotely Triggered Black Hole (RTBH) remain important for ISPs and large enterprises. Effective mitigation requires runbooks, telemetry baselines, and pre-negotiated burst capacity, since defense must be in place before the attack starts.
● Examples
- 01: An anycast scrubbing center absorbs a 2 Tbps UDP-amplification flood at the network edge.
- 02: Rate-limiting and JS challenges blunt an L7 HTTP flood against a checkout endpoint.
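An added example (not from the original page or any provider's code) of the rate-based L7 filtering in example 02: a per-client token bucket whose limit is derived from an attack-free telemetry baseline and which returns a challenge decision once a client exceeds it. The client names, traffic samples, window length and headroom factor are constructed assumptions.

```python
# Added example: per-client token bucket with a limit derived from baseline telemetry.
# All client names, timestamps and thresholds below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass

def baseline_limit(normal_log, window_s, headroom=3.0):
    """normal_log: (timestamp_s, client_id) pairs from an attack-free period.
    Returns headroom x the busiest per-client, per-window request count."""
    per_bucket = Counter((client, int(ts // window_s)) for ts, client in normal_log)
    return max(per_bucket.values()) * headroom

@dataclass
class Bucket:
    tokens: float   # requests the client may still make right now
    last: float     # timestamp of the client's previous request

class RateFilter:
    """Token bucket per client: capacity = limit, refill = limit / window_s per second."""
    def __init__(self, limit, window_s):
        self.capacity = float(limit)
        self.rate = limit / window_s
        self.buckets = {}

    def decide(self, ts, client):
        b = self.buckets.setdefault(client, Bucket(self.capacity, ts))
        b.tokens = min(self.capacity, b.tokens + (ts - b.last) * self.rate)
        b.last = ts
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "allow"
        return "challenge"  # over the limit: hand off to a challenge, not a hard block

def replay(filter_, log):
    """Run a time-ordered request log through the filter; count decisions per client."""
    out = {}
    for ts, client in log:
        out.setdefault(client, Counter())[filter_.decide(ts, client)] += 1
    return out

# Constructed baseline: 10 s of normal traffic, busiest client at 2 requests/s.
NORMAL = [(t * 0.5, "shopper-a") for t in range(20)] + [(t * 2.0, "shopper-b") for t in range(5)]
# Constructed attack window: one client at 100 requests/s alongside a normal shopper.
ATTACK = sorted([(t * 0.01, "flooder") for t in range(500)] + [(t * 0.5, "shopper-a") for t in range(10)])

if __name__ == "__main__":
    limit = baseline_limit(NORMAL, window_s=1)
    print(limit, replay(RateFilter(limit, window_s=1), ATTACK))
```

The flooding client keeps only its initial burst plus the baseline refill rate, while the normal shopper is never challenged. This is why the limit has to come from telemetry gathered before the attack.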
● Frequently asked questions
What is DDoS Mitigation?
DDoS mitigation is the set of techniques and services that absorb, filter, and re-route distributed denial-of-service attacks before they exhaust a target's network, infrastructure, or application capacity. It belongs to the Network Security category of cybersecurity.
How do you defend against DDoS attacks?
Defences against DDoS attacks typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for DDoS Mitigation?
Common alternative names include: DDoS protection, DDoS scrubbing.
● Related terms
- Rate Limiting (network-security, № 904): Rate limiting caps the number of requests an identifier (IP, user, API key, or token) may make over a time window, protecting APIs and apps from abuse, scraping, and brute-force.
- Bot Management (network-security, № 118): Bot management is the practice of detecting automated traffic and distinguishing good bots from malicious ones, then allowing, challenging, or blocking each accordingly.
- CDN Security (network-security, № 151): CDN security uses the global edge of a content delivery network — terminating TLS close to users — to enforce DDoS protection, WAF, bot management, and TLS hygiene.
- WAAP (network-security, № 1219): WAAP (Web Application and API Protection) is the modern evolution of WAF, adding API security, bot management, and DDoS protection into a unified cloud service.
- Botnet (malware, № 119): A network of internet-connected devices infected with malware and remotely controlled by an attacker to perform coordinated activities.