Distinguish between legitimate users and attackers – The secret sauce of DDoS protection


Distributed Denial of Service (DDoS) is unique in the sense that these attacks actually consist of many legitimate individual requests. It is only the large volume of simultaneous requests that turns those legitimate requests into an attack. Consequently, one of the biggest challenges in mitigating DDoS attacks is distinguishing between malicious and legitimate traffic.

Flagging a legitimate user as malicious (a false positive) denies service to that legitimate user; conversely, identifying a malicious user as legitimate (a false negative) may open the door to additional, undetected cyber-attacks. How, then, do DDoS mitigation solutions distinguish between legitimate and malicious users?

Rate limitation is not the way to go

First, I’ll explain why outdated anti-DDoS solutions that base their protection on rate limitation methods cannot address this challenge.

The rate limit mechanism is based on a pre-defined, static threshold of traffic and has two main drawbacks:

  1. It does not mitigate attacks until the attack traffic reaches the predefined threshold. This results in slow detection of attacks, or in failure to detect attacks that stay below the threshold.
  2. Once the rate-based mechanism starts to mitigate suspected traffic, it degrades the quality of experience for all users, including legitimate ones. Not every increase in traffic rate is the result of an attack; there are other cases, such as flash crowd events, that look like attacks to outdated anti-DDoS solutions. As a result, the solution can mistakenly block legitimate traffic.

It is clear that outdated anti-DDoS solutions cannot properly distinguish between attackers and legitimate users. Advanced DDoS mitigation solutions deploy more sophisticated methods, such as behavioral analysis or challenge-response mechanisms, to deal with this challenge.

Behavioral Analysis

Behavioral analysis follows application transactions and builds an understanding of the application in order to distinguish between legitimate and malicious users. A baseline of application behavior is defined after considering both the volume and the frequency of events.

During an attack, data is gathered and compared to the baseline behavior model. If suspicious behavior is detected, a deeper inspection process is triggered, which analyzes application-level parameters and resolves whether the suspicious behavior is the result of a legitimate burst of application traffic or of malicious application abuse.

For example, a PDF file in a certain website is normally downloaded 10 times per hour. If the same file is downloaded 1000 times per hour, an attacker may be involved, so further security measures must be taken.
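The two-stage logic described above (baseline deviation, then a deeper inspection that separates a flash crowd from abuse), as an added example that is not code from the original post; the hourly history, the current-hour traffic, and the sigma and source-concentration thresholds are all constructed assumptions:

```python
import statistics
from collections import Counter

# Constructed training data: hourly request counts per resource, i.e. the
# baseline the text describes (the PDF is normally fetched ~10 times/hour).
HISTORY = {
    "/report.pdf": [10, 9, 12, 11, 8],
    "/index.html": [500, 480, 520, 510, 490],
    "/about.html": [40, 42, 38, 41, 39],
}

def build_baseline(history):
    """Mean and population stdev of hourly request counts per resource."""
    return {p: (statistics.fmean(c), statistics.pstdev(c)) for p, c in history.items()}

def classify_window(requests, baseline, sigma=3.0, top_n=5, concentration=0.5):
    """requests: (client_ip, path) pairs observed in the current hour.

    Stage 1 flags a path whose count exceeds mean + sigma * stdev.
    Stage 2, the deeper inspection, checks how the excess is spread over
    sources: a flash crowd comes from many clients, abuse from a few.
    The sigma / top_n / concentration thresholds are assumptions.
    """
    counts = Counter(path for _, path in requests)
    per_source = {}
    for ip, path in requests:
        per_source.setdefault(path, Counter())[ip] += 1
    verdicts = {}
    for path, n in counts.items():
        if path not in baseline:
            verdicts[path] = "no-baseline"
            continue
        mean, sd = baseline[path]
        if n <= mean + sigma * sd:
            verdicts[path] = "normal"
            continue
        top_share = sum(c for _, c in per_source[path].most_common(top_n)) / n
        verdicts[path] = "abuse" if top_share >= concentration else "flash-crowd"
    return verdicts

def demo_window():
    """Constructed current-hour traffic: 1000 PDF downloads from 4 clients,
    600 home-page hits from 600 distinct clients, 40 routine /about hits."""
    w = [(f"198.51.100.{i % 4}", "/report.pdf") for i in range(1000)]
    w += [(f"10.{i // 256}.{i % 256}.1", "/index.html") for i in range(600)]
    w += [(f"192.0.2.{i}", "/about.html") for i in range(40)]
    return w

if __name__ == "__main__":
    print(classify_window(demo_window(), build_baseline(HISTORY)))
```

A static rate limit on /index.html would have hit the flash crowd as hard as the PDF abuse; the source-spread check is what keeps the 600 genuine visitors served.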

Challenge Response

A challenge-response (C/R) mechanism sends challenges to suspicious sources and, based on the response, determines whether the source is a bot or a real user. An example of a challenge-response mechanism is CAPTCHA, which requires the user to type letters and/or digits from a distorted image that appears on the screen. The CAPTCHA test keeps unwanted internet bots away from websites, since a normal human can easily read the CAPTCHA while the bot cannot process the distorted letters.

To use the C/R mechanism, an attack mitigation system launches a series of queries to the source of the request in question and, according to the responses received, decides whether to send an additional, more sophisticated challenge or to flag the source as malicious. C/R mechanisms are fully automated and require no human intervention from the mitigation system or from the source. The intelligent combination of a C/R mechanism and network behavioral analysis can almost completely eliminate false positives, guaranteeing an excellent quality of experience for legitimate users.
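The escalating challenge ladder described above, as an added example that is not code from the original post: the mitigator issues a cheap challenge first, escalates to a harder one on failure, and flags the source only after the hardest challenge fails. The challenge types, the HMAC-token design, the secret, and the client "capabilities" used to simulate responders are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret (constructed value for the demo).
SECRET = b"constructed-demo-key"
# Escalating ladder of challenges, cheapest first; CAPTCHA is the page's example.
LEVELS = ("set-cookie", "javascript", "captcha")

def make_token(source, level, nonce):
    """Stateless token: the server re-derives it instead of storing it.
    A real deployment would also bind the nonce to a short time window."""
    msg = f"{source}:{LEVELS[level]}:{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class Mitigator:
    """Tracks the challenge level per suspicious source and escalates on failure."""
    def __init__(self):
        self.level = {}    # source -> index into LEVELS
        self.verdict = {}  # source -> 'legitimate' | 'malicious'

    def challenge(self, source):
        lvl = self.level.setdefault(source, 0)
        nonce = secrets.token_hex(8)
        return {"type": LEVELS[lvl], "nonce": nonce,
                "token": make_token(source, lvl, nonce)}

    def verify(self, source, nonce, answer):
        lvl = self.level[source]
        if answer is not None and hmac.compare_digest(answer, make_token(source, lvl, nonce)):
            self.verdict[source] = "legitimate"
        elif lvl + 1 < len(LEVELS):
            self.level[source] = lvl + 1        # escalate to a harder challenge
        else:
            self.verdict[source] = "malicious"  # failed even the hardest one
        return self.verdict.get(source, "suspicious")

def simulate(source, capabilities):
    """Drive one source through the ladder. `capabilities` is the set of
    challenge types the client can complete; a browser driven by a human
    completes all three, a bare script none. Returns (verdict, rounds)."""
    m, rounds, verdict = Mitigator(), 0, "suspicious"
    while verdict == "suspicious":
        ch = m.challenge(source)
        rounds += 1
        answer = ch["token"] if ch["type"] in capabilities else None
        verdict = m.verify(source, ch["nonce"], answer)
    return verdict, rounds

if __name__ == "__main__":
    print(simulate("browser", set(LEVELS)), simulate("script", set()))
```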

In summary, anyone can rate-limit the traffic to a specific application and prevent floods on that application, but this results in denying service to your legitimate users, which was the attackers' original objective. Only advanced anti-DDoS solutions can successfully distinguish attackers from legitimate users during an attack and guarantee proper service to online customers.


  1. Great article on DDoS, Ronen. I agree that there can be many false positives in the world of security. It’s amazing how many major breaches could have been stopped if they had simply run an application security test to identify vulnerabilities. There are probably thousands of applications out there that currently have vulnerabilities that can allow a client to see another client’s data.
    Black Diamond Solutions offers a free application security scan to pinpoint those vulnerabilities without the need of source code or other intellectual property.

    get free application security scan

  2. Hello there. Google and Yahoo work perfectly for me, yet your website is running steadily, which took approximately one minute to successfully load up; I don’t know if it is my own problem or perhaps your web site issue. On the other hand, I appreciate you for writing a great blog post. I’m sure this has been incredibly helpful to individuals who visit here. This one is definitely terrific, everything that you actually have implemented, and I would like to check out cool posts from your site. To obtain additional information by content that you write up, I’ve bookmarked this web site.

  3. Trying to book a rescue flight for my wife stranded in India. Air India website under heavy traffic, and I keep getting through, and then robot testing, and then picture picking, and then I am blocked by your software?
    Can’t access booking search results page anymore, tried Chrome, e, and Int. expl. All blocked
    How to book a flight now?
    John Peer

