System Design

DDoS Mitigation

Absorbing or filtering floods of traffic so legitimate users still get served.

Drowning in traffic

A distributed denial of service attack floods a target from many sources to exhaust its capacity. The defense is to filter bad traffic far from the origin and to absorb what gets through.

Layers of defense

  • Edge scrubbing at a large provider absorbs volumetric floods before they reach your network.
  • Rate limiting caps requests per client so no single source can overwhelm a service.
  • Anycast spreads traffic across many locations so an attack is diluted geographically.
  • Autoscaling adds capacity, though it must be capped to avoid scaling into a huge bill.

Telling good from bad

The core challenge is distinguishing attack traffic from a real surge. Behavioral signals, challenges, and reputation help, but overly aggressive filtering can block real users. Tune for the lowest false positives you can tolerate.
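
An added example (not part of the original lesson) of the per-client rate limiting listed under Layers of defense, replayed over constructed traffic to show the false-positive trade-off described above: a small bucket blocks a real user's page-load burst, while a larger one lets it through and still drops most of the flood. The refill rate, burst sizes, client addresses and function names are assumptions chosen for illustration.

```python
class TokenBucketLimiter:
    """Per-client token bucket. Integer math: time in ms, tokens in 1/1000ths."""
    COST = 1000  # one request costs one whole token

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s        # tokens per second == millitokens per ms
        self.cap = burst * self.COST  # bucket size bounds the tolerated burst
        # client -> (millitokens, last_ts_ms); a production limiter would also
        # expire idle entries so a flood from many sources cannot fill memory.
        self.buckets = {}

    def allow(self, client, now_ms):
        tokens, last = self.buckets.get(client, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)
        allowed = tokens >= self.COST
        if allowed:
            tokens -= self.COST
        self.buckets[client] = (tokens, now_ms)
        return allowed


FLOOD = "198.51.100.7"   # constructed address (documentation range)
USER = "203.0.113.20"    # constructed address (documentation range)


def constructed_traffic():
    """Constructed sample events as (timestamp_ms, client) pairs."""
    # One flooding source: 100 requests/second for 10 seconds.
    flood = [(i * 10, FLOOD) for i in range(1000)]
    # One real user: two page loads, each firing 15 requests within 150 ms.
    user = [(t0 + i * 10, USER) for t0 in (0, 5000) for i in range(15)]
    return flood + user


def replay(events, rate_per_s, burst):
    """Replay events in time order; return {client: (allowed, denied)}."""
    limiter = TokenBucketLimiter(rate_per_s, burst)
    counts = {}
    for ts, client in sorted(events):
        allowed, denied = counts.get(client, (0, 0))
        if limiter.allow(client, ts):
            counts[client] = (allowed + 1, denied)
        else:
            counts[client] = (allowed, denied + 1)
    return counts


if __name__ == "__main__":
    for burst in (5, 20):
        print("burst", burst, replay(constructed_traffic(), 5, burst))
```

With the same refill rate, raising the burst from 5 to 20 removes every false positive for the real user at the cost of admitting a few more flood requests.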

Key idea

DDoS mitigation filters and absorbs floods at the edge with scrubbing, rate limiting, and anycast while trying not to block legitimate users.

Check yourself

1. Why filter DDoS traffic at the edge rather than the origin?

2. What is the core difficulty in DDoS mitigation?