Surviving a flood of malicious traffic designed to take you offline.
A Distributed Denial of Service (DDoS) attack happens when an attacker uses a botnet (thousands of infected computers) to send a massive wave of fake traffic to your website. The goal is to overwhelm your servers so legitimate users can't get in. Because the traffic comes from thousands of different IP addresses around the world, you can't just block a single IP. You need a dedicated mitigation layer (such as Cloudflare or AWS Shield) sitting at the edge of the internet to filter the garbage before it reaches your actual application.
Mitigation services use anycast routing: they have thousands of servers all over the world announcing the same IP address. When a botnet attacks, the traffic is naturally dispersed geographically; bots in Asia hit Asian edge servers, bots in Europe hit European servers. At the edge, they use rate limiting and JS challenges or CAPTCHAs to scrub the bad traffic.
# Edge rules: NGINX directives where they exist, plus notes on what a
# CDN layer such as Cloudflare adds on top.

# 1. Rate limiting: block if > 50 reqs / 10 seconds per IP (5 r/s).
#    limit_req_zone declares the shared counter; limit_req applies it.
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=5r/s;
limit_req zone=mylimit burst=20 nodelay;   # inside a server/location block
limit_req_status 429;

# 2. Challenge suspicious traffic (JS challenge).
#    Not an NGINX directive: the CDN edge serves a page that the client
#    must execute JavaScript to pass before the request is forwarded.

# 3. Cache everything (absorb the hit).
#    If bots request the homepage 10,000 times, serve it from the edge
#    cache in RAM. The origin database is never touched.
proxy_cache_path /var/cache/nginx keys_zone=edge:10m;   # http context
proxy_cache edge;                                         # inside a location block
DDoS mitigation is essentially an arms race, and proper protection is expensive. Furthermore, if you misconfigure your firewall, you might block legitimate users (false positives) or an API partner that legitimately needs to send high-volume traffic.
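To make the "50 requests per 10 seconds per IP" rule and the false-positive caveat concrete, here is an added example (not code from the original article or from any mitigation vendor) of a sliding-window per-IP rate limiter run over a constructed request stream. The IP addresses are documentation ranges chosen for the example, and the allowlist of a hypothetical API partner shows how a high-volume partner is exempted; dropping the allowlist shows that partner being throttled exactly like a bot.

```python
"""Sliding-window per-IP rate limiter with an allowlist.

Added example, not from the original article. It mirrors the
"50 requests per 10 seconds per IP" rule in the edge configuration
above and the caveat about blocking a legitimate high-volume API
partner. All traffic below is constructed, not captured.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
MAX_REQUESTS = 50
# Hypothetical API partner address (TEST-NET-2 documentation range).
ALLOWLIST = {"198.51.100.7"}


class SlidingWindowLimiter:
    """Counts arrivals per IP in a trailing time window.

    Rejected requests still count toward the window, so a client that
    keeps hammering stays blocked until it actually slows down.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS,
                 allowlist=ALLOWLIST):
        self.window = window
        self.limit = limit
        self.allowlist = set(allowlist)
        self._hits = defaultdict(deque)  # ip -> arrival timestamps in window

    def check(self, ip, now):
        """Return (allowed, reason) for a request from `ip` at time `now`."""
        if ip in self.allowlist:
            return True, "allowlisted"
        q = self._hits[ip]
        # Evict timestamps that have fallen out of the trailing window.
        while q and now - q[0] >= self.window:
            q.popleft()
        q.append(now)
        if len(q) > self.limit:
            return False, "rate_limited"
        return True, "ok"


def constructed_traffic():
    """Constructed, time-ordered request stream of (timestamp, ip) pairs."""
    reqs = []
    # A legitimate user browsing: 8 requests spread over 10 seconds.
    reqs += [(t * 1.25, "203.0.113.5") for t in range(8)]
    # A bot hammering the homepage: 120 requests in 6 seconds.
    reqs += [(t * 0.05, "192.0.2.99") for t in range(120)]
    # The allowlisted API partner: 200 requests in 4 seconds.
    reqs += [(t * 0.02, "198.51.100.7") for t in range(200)]
    return sorted(reqs)


def run(limiter, requests):
    """Apply the limiter to a request stream; return {ip: (allowed, rejected)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in requests:
        allowed, _ = limiter.check(ip, ts)
        stats[ip][0 if allowed else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


if __name__ == "__main__":
    print("with allowlist:   ", run(SlidingWindowLimiter(), constructed_traffic()))
    # Same traffic with no allowlist: the partner is throttled like the bot.
    print("without allowlist:", run(SlidingWindowLimiter(allowlist=set()),
                                     constructed_traffic()))
```

The bot is admitted for its first 50 requests and rejected for the remaining 70, the browsing user is never touched, and the partner passes untouched only because it is allowlisted; without that entry it would be cut off after 50 requests, which is precisely the false positive the last paragraph warns about. A production deployment keys this state in shared memory at the edge (as the NGINX `limit_req_zone` does) rather than in a single process.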