Question

why is it so difficult to stop DDOS attacks by blocking the attacking IP address

Answer 1

why is it so difficult to stop DDOS Attack by blocking the attacking IP address

Sites Don’t Know Where The Attacks Are Coming From

• It’s not as simple as blocking an IP address. Botnets are often made up of many thousands of infected machines spread out all over the world.
• Blocking them one at a time is feasible, but blocking every zombie machine without accidentally blocking genuine requests is a hard problem.

Firewalls Aren’t Designed To Handle DDoS Attacks

• For a firewall to work against a DDoS attack, especially those using protocols like HTTP or DNS that constitute the bulk of genuine use, it has to record IPs and a history of their requests.
• During a DDoS attack, that can be thousands of constantly changing IPs and millions of packets of data to keep track of in state tables.
• The memory and processing resources required to do that quickly for every packet is enormous and most firewalls simply can’t handle the load.

The Defense Can’t Be Mounted On The Hosting Provider’s Infrastructure

• By the time the data gets close to the point of attack, there’s such a flood that it’s practically impossible to do anything other than go offline, which is typically the response of smaller web hosting companies when facing a DDoS attack they close down the site and IP being targeted so that service isn’t degraded for their other clients .
• Routers, switches, firewalls, and load balancers become overloaded. Very few web hosting providers have the resources and bandwidth to handle that sort of attack.
• The defense has to be mounted within ISP’s networks and at edge nodes, which is one of the ways that DDoS mitigation services like CloudFlare help.
• In a nutshell, DDoS attacks are so hard to defend against because the attackers know where the victim is, but the victim doesn’t know where the attackers are. Plus, it’s extremely difficult to tell which packets come from the bad guys and which are legitimate users.