Distinguish between legitimate users and attackers – The secret sauce of DDoS protection

Distributed Denial of Service (DDoS) is unique in the sense that these attacks actually consist of many legitimate individual requests. It is only the large volume of simultaneous requests that turns those legitimate requests into an attack. Consequently, one of the biggest challenges in mitigating DDoS attacks is distinguishing between malicious and legitimate traffic.

Flagging a legitimate user as malicious (false positive) results in the denial of service for legitimate users; conversely, identifying a malicious user as legitimate (false negative) may open the door for additional, undetected cyber-attacks. How then, do DDoS mitigation solutions distinguish between legitimate and malicious users?

Rate limitation is not the way to go

First, I’ll explain why outdated anti-DDoS solutions that base their protection on rate limitation methods cannot address this challenge.

The rate limit mechanism is based on a pre-defined, static threshold of traffic and has two main drawbacks:

  1. It does not mitigate attacks until the attack traffic reaches the predefined threshold. This results in slow detection of attacks or failure to detect attacks below the threshold.
  2. Once the rate based mechanism starts to mitigate suspected traffic, it impacts the quality of experience for all users, including legitimate ones. Not every increase in traffic rate is a result of an attack; there are other cases, such as flash crowd events, that look like attacks to outdated anti-DDoS solutions. As a result, the solution can mistakenly block legitimate traffic.

It is clear that outdated anti-DDoS solutions cannot distinguish properly between attackers and legitimate users. Advanced DDoS mitigation solutions deploy more sophisticated methods, such as behavioral analysis or challenge-response mechanisms to deal with this challenge.

Behavioral Analysis

Behavioral analysis follows application transactions and builds an understanding of the application in order to distinguish between legitimate and malicious users. A baseline application behavior is defined after considering both the amount and frequency of events.

During an attack, data is gathered and compared to the baseline behavior model. If a suspicious behavior is detected, a deeper inspection process is triggered, which analyzes application-level parameters and resolves whether the suspicious behavior is a result of a legitimate burst of application traffic or a result of a malicious application abuse.

For example, a PDF file in a certain website is normally downloaded 10 times per hour. If the same file is downloaded 1000 times per hour, an attacker may be involved, so further security measures must be taken.

Challenge Response

A challenge response (C/R) mechanism sends challenges to suspicious sources and based on the response, determines if the source is a Bot or a real user. An example of a challenge response mechanism is CAPTCHA, which requires the user to type letters and/or digits from a distorted image that appears on the screen. The CAPTCHA test prevents unwanted internet bots from accessing websites, since a normal human can easily read the CAPTCHA, while the bot cannot process the image letters.

To use the C/R mechanism, an attack mitigation system launches a series of queries to the source of a request in question, and according to the responses received, it decides whether to send an additional, more sophisticated challenge, or flag the source as a malicious user. C/R mechanisms use automated processes, and require no human intervention from the mitigation system or from the source. The intelligent usage of a C/R mechanism and network behavioral analysis can almost completely eliminate false positives, guaranteeing an excellent quality of experience for legitimate users.

In summary, anyone can rate limit the traffic to a specific application and prevent floods on the applications, but this will result in denying the service from your legitimate users, which was the original objective of the attackers. Only advanced anti-DDoS solutions can successfully distinguish between attackers from legitimate users during an attack and guarantee proper service to online customers.

Ronen Kenig

Ronen manages the global marketing strategy for Radware’s Security products. His responsibilities include the planning, positioning and go-to-market strategy for all Security products activities worldwide. An industry expert, Ronen has more than 14 years experience in managing R&D and marketing products in the networking infrastructure, Security and application delivery sectors. Ronen writes about Security threats and solutions, application delivery, and cloud computing.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center