Why is it so difficult to stop a DDoS attack by blocking the attacking IP address?
Sites Don’t Know Where The Attacks Are Coming From
- It’s not as simple as blocking an IP address. Botnets are often made up of many thousands of infected machines spread out all over the world.
- Blocking them one at a time is feasible, but blocking every zombie machine without accidentally blocking genuine requests is a hard problem.
Firewalls Aren’t Designed To Handle DDoS Attacks
- For a firewall to work against a DDoS attack, especially one using protocols like HTTP or DNS that constitute the bulk of genuine use, it has to record IPs and a history of their requests.
- During a DDoS attack, that can be thousands of constantly changing IPs and millions of packets of data to keep track of in state tables.
- The memory and processing resources required to do that quickly for every packet are enormous, and most firewalls simply can’t handle the load.
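To make the two points above concrete (one state entry per bot, and no per-IP threshold that separates a distributed botnet from genuine users), here is an added example that is not from the original page: a toy "block the noisy source" rule run over constructed traffic. The address scheme, bot and user counts, and request rates are all assumptions made up for the demonstration.

```python
# Added example, not code from the original page: a toy "block the noisy
# source" firewall rule run over constructed traffic, showing why per-IP
# blocking scales badly (one state entry per bot) and cannot separate a
# distributed botnet from genuine users. All addresses are synthetic.
from collections import Counter


def ip(n):
    """Synthetic 10.0.0.0/8 address derived from an index (constructed)."""
    return f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"


def make_traffic(n_bots=5000, n_users=300):
    """Constructed request log for one window: list of (src_ip, is_bot).
    Bot i sends 1..5 requests (a low rate per host, spread over thousands
    of hosts); user j sends 1..30 requests (normal browsing bursts)."""
    log = []
    for i in range(n_bots):
        log += [(ip(i), True)] * (i % 5 + 1)
    for j in range(n_users):
        log += [(ip(n_bots + j), False)] * (j % 30 + 1)
    return log


def per_ip_block(log, threshold):
    """Naive firewall logic: keep one counter per source address and block
    any source that exceeds the threshold. Returns (blocked set, number of
    state-table entries the firewall had to keep)."""
    counts = Counter(src for src, _ in log)
    blocked = {src for src, c in counts.items() if c > threshold}
    return blocked, len(counts)


def evaluate(log, blocked):
    """Fraction of attack requests dropped and of legitimate requests
    dropped (collateral damage) under a given block set."""
    attack = [src for src, bot in log if bot]
    legit = [src for src, bot in log if not bot]
    return (sum(src in blocked for src in attack) / len(attack),
            sum(src in blocked for src in legit) / len(legit))


if __name__ == "__main__":
    log = make_traffic()
    for threshold in (0, 2, 5, 10):
        blocked, entries = per_ip_block(log, threshold)
        dropped_attack, dropped_legit = evaluate(log, blocked)
        print(f"threshold>{threshold:2d}: state entries={entries}, "
              f"attack dropped={dropped_attack:.0%}, "
              f"legit dropped={dropped_legit:.0%}")
```

Every threshold that drops a meaningful share of the attack also drops most genuine traffic, and the firewall has to hold 5300 entries for a window of under 20,000 requests; real botnets are larger and rotate addresses, which is exactly the load the section describes.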
The Defense Can’t Be Mounted On The Hosting Provider’s Infrastructure
- By the time the data gets close to the point of attack, there’s such a flood that it’s practically impossible to do anything other than go offline. That is typically the response of smaller web hosting companies when facing a DDoS attack: they close down the site and IP being targeted so that service isn’t degraded for their other clients.
- Routers, switches, firewalls, and load balancers become overloaded. Very few web hosting providers have the resources and bandwidth to handle that sort of attack.
- The defense has to be mounted within ISPs’ networks and at edge nodes, which is one of the ways that DDoS mitigation services like CloudFlare help.
- In a nutshell, DDoS attacks are so hard to defend against because the attackers know where the victim is, but the victim doesn’t know where the attackers are. Plus, it’s extremely difficult to tell which packets come from the bad guys and which come from legitimate users.