DDoS defence explained: how to detect and mitigate a DDoS attack?
DDoS attacks are easier than ever to launch, harder to trace, and can cause real damage if you’re not prepared. The end result is typically the same: your users can’t reach you or your systems are unavailable. This article is a starting point. We’ll walk through what DDoS actually is and how to detect one, how different types of attacks behave, and what you can do to defend against them. All backed by hands-on experience and technical guidance we’ve collected over the years at FastNetMon.
1. Understand the threat
Begin with knowing what a DDoS attack is: a flood of traffic directed at a system from multiple sources aiming to overload bandwidth, exhaust connection tables, or hog application resources.
Some of the most common attack vectors include:
- UDP floods, DNS or NTP amplification
- SYN floods and TCP state exhaustion
- HTTP/POST floods, Slowloris-style attacks
- Slow or bursty traffic patterns designed to bypass thresholds
Understanding the types of attacks will help you map your attack surface and set up the correct defence mechanisms for your infrastructure.
2. Set up traffic monitoring and threshold detection
Visibility is the foundation. Collect traffic data using flow telemetry (NetFlow, IPFIX or sFlow), or via inline monitoring tools. Establish baselines for normal traffic – pps, Mbps, flows per second. When thresholds are exceeded, an alert or mitigation plan should trigger immediately.
Static per-host thresholds may work in some cases, but grouping hosts with similar traffic patterns, or giving important hosts their own profiles, lets you set thresholds more accurately.
3. Use threshold‑based mitigation (RTBH / Blackholing)
A BGP BlackHole is a routing technique that serves as an effective and affordable method for mitigating DDoS attacks. As the name suggests, “blackholing” network traffic makes it disappear without a trace, which is a very desirable outcome for malicious traffic.
For high-volume L3/L4 attacks, threshold-based blackholing can be a fast and effective response. Once an offending IP crosses a defined limit, route it to a null‑route (Null0) via BGP, effectively discarding all traffic for that address or prefix.
Ideal conditions:
- Massive packet rate to a single IP or small prefix
- Non-critical service or external-facing infrastructure
- Immediate suppression is needed before attack traffic saturates shared resources
Be aware: this blocks all traffic to/from a target, including legitimate users. To understand when blackholing is a good mode of defence – and when it is not, read this article.
4. Apply granular filtering (BGP Flow Spec)
When attacks target critical services or aim to exploit specific protocols, use Flow Spec based traffic filtering. Flow Spec enables control over traffic by matching ports, IPs, TCP flags or other packet attributes, and discarding only selected flows.
Flow Spec advantages:
- Precise mitigation without full service interruption – unlike blunt tools like full blackholing, Flow Spec lets you surgically remove malicious traffic by filtering on specific characteristics (e.g. a port or flag), while letting legitimate traffic pass through. Critical services are more likely to remain available during an attack.
- Rapid deployment once an attack signature is confirmed – Flow Spec rules can be pushed across your network in seconds. As soon as an attack pattern is identified, whether it’s a UDP flood targeting port 53 or a TCP SYN attack, filters can be activated almost instantly, minimising response time.
- Minimal collateral impact on network or user experience – because rules are narrowly tailored, you avoid over-blocking and service disruption for non-targeted users. Latency stays low and availability high, even while an attack is in progress.
Read more about how to set up Flow Spec-based DDoS mitigation here.
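To make the matching described above concrete, here is an added example (written for this article, not FastNetMon's own code) that encodes a Flow Spec rule into the NLRI wire format defined in RFC 8955, plus the traffic-rate extended community that carries the discard or rate-limit action. The victim address 192.0.2.10 and AS number 64500 are constructed values.

```python
import ipaddress
import struct

# Component types and numeric-operator bits from RFC 8955 (BGP Flow Spec v4).
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
END_OF_LIST, EQ, TWO_BYTE = 0x80, 0x01, 0x10   # 'and' bit left clear: values are ORed
UDP = 17

def prefix_component(ctype, cidr):
    """Type 1/2: prefix length followed by only the significant address bytes."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, values):
    """Encode 'field == v1 OR field == v2 ...'; 2-byte operands where needed."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        width = 2 if v > 255 else 1
        op = EQ | (TWO_BYTE if width == 2 else 0)
        if i == len(values) - 1:
            op |= END_OF_LIST
        out.append(op)
        out += v.to_bytes(width, "big")
    return bytes(out)

def flowspec_nlri(components):
    """Length-prefixed NLRI; components must appear in ascending type order."""
    body = b"".join(components)
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length encoding not handled here")
    return bytes([len(body)]) + body

def traffic_rate(asn, bytes_per_second):
    """traffic-rate extended community (0x8006): 2-byte AS + float32; 0.0 discards."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_second)

def udp_rule(target, port_type, ports):
    """Match UDP to 'target' by destination (5) or source (6) port list."""
    return flowspec_nlri([prefix_component(DST_PREFIX, target),
                          numeric_component(IP_PROTO, [UDP]),
                          numeric_component(port_type, ports)])

if __name__ == "__main__":
    # UDP flood targeting port 53 on a constructed victim address, discarded
    print(udp_rule("192.0.2.10/32", DST_PORT, [53]).hex(), traffic_rate(64500, 0.0).hex())
    # reflected DNS/NTP replies (source ports 53, 123) rate-limited to 1 MB/s
    print(udp_rule("192.0.2.10/32", SRC_PORT, [53, 123]).hex(), traffic_rate(64500, 1e6).hex())
```

Note that the rule matches by destination prefix, so only traffic to the attacked host is affected; other hosts keep receiving UDP on the same ports.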
5. Mitigate application‑layer attacks
While FastNetMon focuses on detecting and mitigating attacks at the network and transport layers (L3/L4), it’s important to recognise that application-layer (L7) attacks often require separate handling. L7 attacks mimic legitimate requests and so bypass volumetric defences.
Methods include:
- HTTP GET/POST floods
- Slow or partial header attacks (e.g. Slowloris)
- Protocol-based misuse like gRPC or GraphQL loops
Defence options:
- Apply rate limiting or connection caps per source IP
- Use web application firewalls (WAF)
- Route suspect traffic through content scrubbing services
6. Scrubbing centre and hybrid routing
A scrubbing centre is a network facility or cloud-based service designed to defend against large-scale DDoS attacks. Scrubbing centres are specialised in filtering out malicious flows while allowing legitimate traffic through. While filtering all network traffic via a scrubbing centre is certainly an option, it may not be optimal, as it increases latency and can be very expensive. Luckily, many scrubbing providers support automatic diversion via BGP community tags or API triggers.
Steps:
- Monitor attack detection triggers – use your DDoS detection system to watch for traffic anomalies that indicate an active attack. Once thresholds are breached, it’s time to initiate diversion.
- Route traffic for affected prefixes to the scrubbing site – announce the IP prefixes under attack using special BGP community tags or automated tools. This redirects inbound traffic through the scrubbing provider’s infrastructure, where filtering takes place.
- Filter and return clean traffic to your network – the scrubbing centre filters out malicious flows and sends only legitimate traffic back via a secure tunnel or peering link. This keeps disruption for end users minimal while protecting your network capacity.
Learn more about how scrubbing centre automation works in this article.
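The BGP announcements behind both the threshold-based blackholing of section 3 and the scrubbing diversion above can be driven from a script. The following added example (not FastNetMon's code) builds ExaBGP API lines for either action and enforces the caveats the text raises: RTBH only for host routes and never for protected infrastructure. The BLACKHOLE community 65535:666 is the RFC 7999 well-known value; the provider community, next hop, protected range and the "divert the covering /24" policy are assumptions, and IPv4 is assumed throughout.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 well-known BLACKHOLE community
SCRUB_COMMUNITY = "64500:1000"      # assumed scrubbing provider's diversion tag
NEXT_HOP = "192.0.2.1"              # assumed next hop (points at Null0 on the edge for RTBH)
# Assumed infrastructure range that must never be blackholed outright: dropping all
# traffic to a resolver or a BGP router takes down far more than the attacked host.
PROTECTED = [ipaddress.ip_network("192.0.2.128/25")]

def exabgp_command(target, action, withdraw=False):
    """Build one ExaBGP API line for RTBH ('blackhole') or diversion ('scrub')."""
    net = ipaddress.ip_network(target)   # IPv4 assumed
    if action == "blackhole":
        if net.prefixlen != net.max_prefixlen:
            raise ValueError("RTBH is for host routes; blackholing a prefix drops every host in it")
        if any(net.subnet_of(p) for p in PROTECTED):
            raise ValueError(f"{net} is protected: use scrubbing or Flow Spec instead")
        community = BLACKHOLE_COMMUNITY
    elif action == "scrub":
        # assumed provider policy: divert the covering /24, since longer prefixes are
        # usually not accepted; clean traffic for every host in it returns via the tunnel
        if net.prefixlen > 24:
            net = net.supernet(new_prefix=24)
        community = SCRUB_COMMUNITY
    else:
        raise ValueError(f"unknown action: {action}")
    verb = "withdraw" if withdraw else "announce"
    return f"{verb} route {net} next-hop {NEXT_HOP} community [{community}]"

if __name__ == "__main__":
    print(exabgp_command("192.0.2.10/32", "blackhole"))                 # start RTBH for the victim
    print(exabgp_command("192.0.2.10/32", "scrub"))                     # divert its /24 to scrubbing
    print(exabgp_command("192.0.2.10/32", "blackhole", withdraw=True))  # attack over: restore
```

The withdraw line matters as much as the announce: a blackhole that is never removed is an outage the attacker did not have to sustain.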
7. Combine approaches in a layered architecture
A layered mitigation strategy lets you respond fast and scale your defences as attacks evolve, starting with broad detection, then applying more precise controls as needed.
A comprehensive defence model might include:
- Real-time monitoring and ingestion of flow telemetry – continuously monitor traffic, for example using sFlow, NetFlow or IPFIX. This provides the visibility needed to spot abnormal patterns early, whether it’s a sudden flood or a stealthier low-rate attack.
- Automated threshold-based blocking (RTBH) in applicable use cases – when traffic to a destination exceeds safe limits, RTBH routes can be used to drop traffic to that specific IP before it reaches your network, preventing congestion and collateral damage.
- Targeted Flow Spec or block list based filtering for nuanced control – for attacks that can’t be blocked wholesale, use BGP Flow Spec or blocklists to filter traffic based on specific attributes to allow legitimate flows while stopping the bad ones.
- Application-level defences – not all attacks are volumetric. Some target application logic, e.g. login pages or search forms. These need deeper inspection and mitigation at the web or application layer, often with support from scrubbing centres.
- Ongoing traffic analysis and threshold adjustment based on patterns – after each incident, review traffic trends and tune your thresholds. Attackers constantly adapt, so your defences must evolve too. Avoid false positives with regular refinement and improve response accuracy over time.
This phased approach enables rapid throughput control followed by granular intervention as needed.
8. Reduce mistakes and false triggers
- Group hosts with similar traffic patterns and assign sensible thresholds
- Separate thresholds by traffic type, direction and protocols
- Only ban when an attack condition persists for a short interval to avoid blocking legitimate bursts
- Review alerts and mitigation rules to prevent overblocking important services
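The baselines and thresholds of section 2 together with the false-trigger rules above (host groups, per-direction and per-protocol limits, and a persistence interval before banning) come together in this added example, which is not FastNetMon's code and uses constructed flow summaries rather than real telemetry. The host groups, address ranges, 10-second export interval and limit values are assumptions chosen to illustrate the logic.

```python
import ipaddress
from collections import defaultdict

INTERVAL_SECONDS = 10  # assumed flow-export aggregation interval
PERSIST_INTERVALS = 3  # ban only after three consecutive breaching intervals
# Hosts grouped by role (assumed addressing) so a busy resolver is not judged by web limits.
GROUPS = {"web": ipaddress.ip_network("192.0.2.0/25"),
          "dns": ipaddress.ip_network("192.0.2.128/25")}
# Limits per (group, direction, protocol); illustrative values, not FastNetMon defaults.
THRESHOLDS = {("web", "in", "udp"): {"pps": 5_000, "mbps": 50, "fps": 2_000},
              ("web", "in", "tcp"): {"pps": 50_000, "mbps": 400, "fps": 20_000},
              ("dns", "in", "udp"): {"pps": 80_000, "mbps": 300, "fps": 60_000}}

def group_of(host):
    addr = ipaddress.ip_address(host)
    return next((g for g, net in GROUPS.items() if addr in net), None)

def rates(packets, byte_count, flows):
    return {"pps": packets / INTERVAL_SECONDS, "fps": flows / INTERVAL_SECONDS,
            "mbps": byte_count * 8 / 1e6 / INTERVAL_SECONDS}

def detect(records):  # returns [(interval, host, metric, observed, limit), ...]
    totals = defaultdict(lambda: [0, 0, 0])   # (interval, dst, dir, proto) -> sums
    for r in records:
        t = totals[(r["interval"], r["dst"], r["direction"], r["proto"])]
        t[0] += r["packets"]; t[1] += r["bytes"]; t[2] += r["flows"]
    streak, last_seen, decisions = defaultdict(int), {}, []
    for interval, host, direction, proto in sorted(totals):   # chronological order
        limits = THRESHOLDS.get((group_of(host), direction, proto))
        if limits is None:                    # unknown group or untracked traffic type
            continue
        observed = rates(*totals[(interval, host, direction, proto)])
        breached = [(m, observed[m], limits[m]) for m in limits if observed[m] > limits[m]]
        key = (host, direction, proto)
        if last_seen.get(key, interval - 1) != interval - 1:
            streak[key] = 0                   # a quiet interval breaks the streak
        last_seen[key] = interval
        streak[key] = streak[key] + 1 if breached else 0
        if streak[key] == PERSIST_INTERVALS:  # fire once, when persistence is reached
            decisions.append((interval, host) + breached[0])
    return decisions

def rec(interval, dst, packets, byte_count, flows, proto="udp"):  # constructed record
    return {"interval": interval, "dst": dst, "direction": "in", "proto": proto,
            "packets": packets, "bytes": byte_count, "flows": flows}

SAMPLE_RECORDS = [  # constructed flow summaries (not real telemetry), three scenarios
    rec(1, "192.0.2.10", 90_000, 9_000_000, 5_000),    # web host: one-interval burst only
    rec(1, "192.0.2.200", 60_000, 6_000_000, 30_000),  # resolver: normal for the dns group
    *[rec(i, "192.0.2.200", 1_500_000, 1_800_000_000, 800_000) for i in (2, 3, 4)],  # flood
]
```

Running detect(SAMPLE_RECORDS) bans only the resolver, and only at the third flooded interval; the web host's single burst and the resolver's ordinary load produce no action.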
Defending against DDoS begins with visibility and ends in measured action. By combining threshold-based mitigation, protocol-aware filtering, and smart application‑layer defences, you gain layered resilience.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com