Distinguish between legitimate users and attackers – The secret sauce of DDoS protection


Distributed Denial of Service (DDoS) is unique in the sense that these attacks actually consist of many legitimate individual requests. It is only the large volume of simultaneous requests that turns those legitimate requests into an attack. Consequently, one of the biggest challenges in mitigating DDoS attacks is distinguishing between malicious and legitimate traffic.

Flagging a legitimate user as malicious (false positive) results in the denial of service for legitimate users; conversely, identifying a malicious user as legitimate (false negative) may open the door for additional, undetected cyber-attacks. How then, do DDoS mitigation solutions distinguish between legitimate and malicious users?

Rate limitation is not the way to go

First, I’ll explain why outdated anti-DDoS solutions that base their protection on rate limitation methods cannot address this challenge.

The rate limit mechanism is based on a pre-defined, static threshold of traffic and has two main drawbacks:

  1. It does not mitigate attacks until the attack traffic reaches the predefined threshold. This results in slow detection of attacks or failure to detect attacks below the threshold.
  2. Once the rate based mechanism starts to mitigate suspected traffic, it impacts the quality of experience for all users, including legitimate ones. Not every increase in traffic rate is a result of an attack; there are other cases, such as flash crowd events, that look like attacks to outdated anti-DDoS solutions. As a result, the solution can mistakenly block legitimate traffic.

It is clear that outdated anti-DDoS solutions cannot distinguish properly between attackers and legitimate users. Advanced DDoS mitigation solutions deploy more sophisticated methods, such as behavioral analysis or challenge-response mechanisms to deal with this challenge.

Behavioral Analysis

Behavioral analysis follows application transactions and builds an understanding of the application in order to distinguish between legitimate and malicious users. A baseline application behavior is defined after considering both the amount and frequency of events.

During an attack, data is gathered and compared to the baseline behavior model. If a suspicious behavior is detected, a deeper inspection process is triggered, which analyzes application-level parameters and resolves whether the suspicious behavior is a result of a legitimate burst of application traffic or a result of a malicious application abuse.

For example, a PDF file in a certain website is normally downloaded 10 times per hour. If the same file is downloaded 1000 times per hour, an attacker may be involved, so further security measures must be taken.

Challenge Response

A challenge response (C/R) mechanism sends challenges to suspicious sources and based on the response, determines if the source is a Bot or a real user. An example of a challenge response mechanism is CAPTCHA, which requires the user to type letters and/or digits from a distorted image that appears on the screen. The CAPTCHA test prevents unwanted internet bots from accessing websites, since a normal human can easily read the CAPTCHA, while the bot cannot process the image letters.

To use the C/R mechanism, an attack mitigation system launches a series of queries to the source of a request in question, and according to the responses received, it decides whether to send an additional, more sophisticated challenge, or flag the source as a malicious user. C/R mechanisms use automated processes, and require no human intervention from the mitigation system or from the source. The intelligent usage of a C/R mechanism and network behavioral analysis can almost completely eliminate false positives, guaranteeing an excellent quality of experience for legitimate users.

In summary, anyone can rate limit the traffic to a specific application and prevent floods on the applications, but this will result in denying the service from your legitimate users, which was the original objective of the attackers. Only advanced anti-DDoS solutions can successfully distinguish between attackers from legitimate users during an attack and guarantee proper service to online customers.


Please enter your comment!
Please enter your name here