How to prevent DDoS attacks
Since DDoS attacks target your web servers, the way to prevent them is to reduce requests reaching those servers.
flowchart TD; A[Malicious device]-->|Request to application|CDN; CDN -->|Sends remaining requests|Origin; subgraph CDN WAF Cache end A --Prevent external connections---x Origin
Requests can come to your origin server in two ways, from your web application and from direct connections to the server itself.
A cache stores copies of frequently accessed resources (images, CSS files).
When a resource is cached - either on a user's browser or Content Delivery Network (CDN) server - requests for that resource do not have to go to your origin server. Instead, these resources are served directly by the cache.
flowchart TD; User-->|Sends Request|Cloudflare; Cloudflare-->B>Has cached content?]; B-->|Yes - Requested content|User; B-->|No|Origin; Origin-->|Requested content|User;
In the context of DDoS attacks, caching reduces the number of requests going to your origin server, which makes it harder for your server to get overwhelmed by traffic.
A Web Application Firewall (WAF) creates a shield between a web app and the Internet. This shield checks incoming web requests and filters undesired traffic to help mitigate many common attacks.
flowchart TD; User-->|Sends Request|WAF; WAF-->|Filters Request|Application; Application-->|Sends Request|OriginServer; OriginServer-->|Serves Content|Application; Application-->|Serves Content|User;
Generally, your origin server should only accept requests coming from your web application.
This is a general best practice for security, but especially important in the context of DDoS attacks. Any traffic that bypasses your web application will also bypass any WAF or caching and has a stronger chance of overwhelming your origin.
sequenceDiagram participant Client participant DDoS_Protection_Service participant Origin_Server Client->>+DDoS_Protection_Service: Request Note right of DDoS_Protection_Service: Filtered traffic DDoS_Protection_Service->>+Origin_Server: Request Origin_Server-->>-DDoS_Protection_Service: Response DDoS_Protection_Service-->>Client: Response Client->>+Origin_Server: Direct connection Note over Origin_Server: Potential DDoS Attack Origin_Server-->>-Client: Error response