Preventing DDoS attacks

An effective way to prevent DDoS attacks targeting your web servers is to reduce the requests that reach those servers. Requests can come to your origin server from your web application and from direct connections to the server itself.

Request paths — The paths requests can take to your servers

Reducing application requests to the origin

Caching

A cache stores copies of frequently accessed resources such as images and CSS files.

When a resource is cached, whether on a user’s browser or Content Delivery Network (CDN) server, requests for that resource do not have to go to your origin server. These resources are instead served directly by the cache. During a DDoS attack, caching reduces the number of requests going to your origin server, which makes it harder for your server to get overwhelmed by traffic.

Reduce requests with caching — Reduce requests to the origin by using caching

Web application firewall (WAF)

A WAF creates a shield between a web application and the internet. The WAF checks incoming web requests and filters potentially malicious traffic to mitigate common attacks.

Reduce requests with WAF — Reduce requests to the origin by using WAF

Prevent external connections

Generally, your origin server should accept only requests that come from your web application, but especially in context of DDoS attacks. Traffic that bypasses your web application also bypasses any WAF or caching you have, and has a stronger chance of overwhelming your origin.