Skip to main content


Home DDoS mitigation

DDoS mitigation

(also Distributed Denial of Service mitigation)

DDoS mitigation definition

DDoS mitigation (Distributed Denial of Service mitigation) is a set of techniques and strategies that protect a network or online service from being overwhelmed by a DDoS attack.

In a DDoS attack, multiple compromised computers or devices, often forming a botnet, flood the target system with overwhelming traffic, requests, or data. This flood of traffic causes the target system to become unavailable to legitimate users, resulting in a denial of service.

DDoS mitigation aims to block harmful traffic and let genuine traffic reach the target, ensuring the service stays available and performs well during the attack. Common techniques include traffic filtering, rate limiting, anomaly detection, and using content delivery networks or cloud-based protection.

See also: active attack

DDoS mitigation techniques

  • Traffic filtering — Employing firewalls and intrusion prevention systems (IPS) to analyze incoming traffic and block or filter out malicious data packets.
  • Rate limiting — Restricting the number of requests or connections from a single IP address or a small group of IP addresses to prevent overwhelming the target.
  • Anomaly detection — Using machine learning algorithms to identify abnormal patterns in traffic behavior and distinguishing legitimate traffic from malicious traffic.
  • Traffic scrubbing — Diverting incoming traffic through a specialized filtering system that separates legitimate traffic from malicious traffic and forwards only clean traffic to the target.
  • Content delivery network (CDN) services — CDN providers help companies to distribute and manage traffic across various servers, which helps absorb and mitigate DDoS attacks.
  • Load balancing — Distributing incoming traffic across multiple servers to avoid overloading any single server and ensuring the service remains accessible.
  • BGP blackholing — Announcing the target IP address as invalid through the Border Gateway Protocol (BGP) to redirect the attack traffic to a “black hole,” effectively dropping it.