February 26 2024

DDoS attacks and methods of protection against them

I want to share what I know about DDoS: what these attacks are, what kinds there are, how to prevent them, and how to minimize their impact on your service.
What are DDoS attacks and why are they carried out?
DDoS stands for Distributed Denial of Service. In practice, it is an attack that overloads a system so that end users cannot use the service. An attack can be directed at the entire IT infrastructure, at a specific service, or at the network channel in front of that service.

Distributed means that the attack is carried out simultaneously from a large number of devices, which are often geographically dispersed. These can be either specially prepared servers or botnets of infected devices. A botnet is a group of devices running scripts that execute the code an attacker needs, in this case a DDoS attack. Botnets are often assembled from devices infected with malware, whose owners are not even aware of the "double life" of their gadgets.

A DDoS attack can be organized for a commercial purpose:

Extortion: bring down the system and demand money to stop the attack.

Harming a competitor: for example, taking down their website on the eve of a major holiday so that customers cannot order anything and go to another store.

But there are also non-commercial reasons for attacks:

geopolitical;

just for fun;

for the sake of "hacking" practice;

out of "resentment" towards a particular website, service or brand.

Regardless of the reason, a DDoS attack affects your end infrastructure and makes your service or website unavailable. The reasons for unavailability may be different, for example:

Filling your network channel with parasitic traffic: empty requests and packets.

Resource utilization: your web server or DBMS is loaded with processing unnecessary requests and cannot provide the necessary information to real clients.

In addition to the unavailability of the service, there are other consequences of DDoS attacks:

If your servers are in the cloud and the traffic is paid, you may incur financial costs.

If the site is unavailable for more than two days, search bots will rank you lower. Positions in the search results will have to be restored.

Even after the service is restored, customers will trust you less and may leave for competitors.

Under attack, elements of the IT infrastructure may behave incorrectly: for example, a page may show the user internal details about a DBMS it cannot connect to. I have also seen a database connection error in practice even after the DDoS problems had already been resolved.

What kinds of DDoS attacks are there
There are several classifications of DDoS attacks. Here I want to talk about the classification by levels of the OSI model.

Low-level attacks. They occur at L3-L4 of the OSI model, that is, at the network and transport layers:

Network layer (L3): DDoS attacks over the IPv4, IPv6, ICMP, IGMP, IPsec, RIP and OSPF protocols. The targets of such attacks are primarily network devices.

Transport layer (L4): attacks over the TCP and UDP protocols. The targets of such attacks are end servers and some Internet services.

Such attacks are very common. The reason is that the Internet standards were designed on the assumption that all participants would use them in good faith.

For example, UDP, which runs on top of IP, transmits data as datagrams, and the UDP header contains neither the source nor the destination IP address. UDP leaves addressing to the IP layer beneath it; the IP header does carry these addresses, but nothing verifies them. Many attacks are therefore based on changing one of the IP addresses, as a rule the source address. This is called spoofing: substituting the address of one of the nodes.

Such attacks are characterized by loading parts of your infrastructure, clogging the channel or filling up service tables.

High-level attacks. They target the application layer, L7, and application protocols such as HTTP. The targets of such attacks are end servers and services.

The most common types of attacks
There are several types of DDoS attacks, depending on what exactly they affect and how. I will describe the four most popular ones.

UDP Flood
UDP works on top of the IP protocol, and there is no connection as such: the data is simply sent without any integrity control. Therefore an attacker can, for example, substitute the source IP address, sending packets from his own device while pretending that they come from elsewhere. This cannot be verified, and the packets arrive at the server in exactly that form.

In such an attack, the attacker generates a stream of maximum-size packets and sends them to the victim server. The danger is that even if the port is closed on the server's firewall, you cannot filter this traffic before it reaches your network interface. The "last mile" from the edge router to the network interface is often the weakest point in terms of bandwidth: the packets still travel through your channel and fill up the bandwidth.

What to do. Banning packets on the server by IP address is ineffective, because the headers are easy to change (the spoofing mentioned above). And if you are also listening for something on a UDP port, the situation becomes especially difficult to deal with.

Services that work over UDP are usually streaming ones: IPTV, voice servers such as TeamSpeak, games. One option is to determine the length of the packet you normally receive, for example the packet a client sends to log into the game, and configure the firewall so that only addresses from which packets of the right size and content arrive are added to the trusted list. The expected size and content can be found by analyzing a traffic dump produced by a legitimate client application.
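The allowlist logic described above, as an added example that is not code from the original post: the "traffic dump" of a legitimate login, the 5-byte magic prefix and the 32-byte login size are assumed for a hypothetical game protocol, and the flood is constructed inline.

```python
"""Trusted-source allowlist for a UDP game service, learned from a legitimate
client's login datagram. Added example, not code from the original post; the
capture and the flood below are constructed inline."""
from collections import Counter

# Constructed dump of a legitimate client's login: (src_ip, udp_payload).
# The assumed protocol uses a fixed 32-byte login datagram with a 5-byte magic.
LOGIN_MAGIC = b"GAME\x01"
LEGIT_CAPTURE = [
    ("198.51.100.7", LOGIN_MAGIC + b"login:alice".ljust(27, b"\x00")),
    ("198.51.100.7", LOGIN_MAGIC + b"login:alice".ljust(27, b"\x00")),
]

def fingerprint(payload: bytes) -> tuple:
    """(length, first 5 bytes): cheap properties a firewall rule can match
    without understanding the rest of the protocol."""
    return (len(payload), payload[:5])

def learn_fingerprint(capture) -> tuple:
    """Derive the single fingerprint that every legitimate login shares."""
    seen = {fingerprint(p) for _, p in capture}
    if len(seen) != 1:
        raise ValueError(f"capture is not uniform: {seen}")
    return seen.pop()

def build_allowlist(expected, datagrams, max_bad=5):
    """Admit a source after one datagram matching the fingerprint; drop the
    rest. A source that already sent max_bad malformed datagrams is never
    admitted, so a spoofer spraying random sizes cannot get lucky later.
    Returns (trusted_sources, dropped_count)."""
    trusted, bad, dropped = set(), Counter(), 0
    for src, payload in datagrams:
        if src in trusted:
            continue                       # already passed the check
        if fingerprint(payload) == expected and bad[src] < max_bad:
            trusted.add(src)
        else:
            bad[src] += 1
            dropped += 1
    return trusted, dropped

# Constructed flood: spoofed sources sending maximum-size (1472-byte) junk,
# one source with the right size but wrong magic, and a real player logging in.
FLOOD = [("203.0.113." + str(i), b"\xff" * 1472) for i in range(1, 21)]
FLOOD.append(("203.0.113.99", b"X" * 32))          # right size, wrong magic
FLOOD.append(("198.51.100.42", LOGIN_MAGIC + b"login:bob".ljust(27, b"\x00")))

def demo():
    """Run the allowlist over the constructed flood: (trusted, dropped)."""
    return build_allowlist(learn_fingerprint(LEGIT_CAPTURE), FLOOD)
```

In a real deployment the learned fingerprint becomes a firewall match on datagram length and leading bytes, and the trusted set is the firewall's dynamic address list.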

There are also amplification methods that multiply the attack. The attacker sends requests to perfectly ordinary servers around the world (for example, DNS queries, which use UDP port 53), replacing his own address in the headers with the victim's address. All the servers that receive the request therefore send their responses not to the attacker but to the victim's address given in the headers. Since a DNS response is much larger than the request, the amount of data arriving at the victim's server is often very large.

If your service does not use UDP, you can close it altogether; this is what many providers do, hosting their DNS servers inside their own network.

By the way, the new QUIC protocol, which serves as the transport for HTTP/3, is being actively adopted. It works on top of UDP and is likely to be susceptible to such attacks. I do not yet know how they plan to deal with them; perhaps suitable tools will be developed.

Fragmented UDP Flood
This adds one more step to the attack described above. The attacker sends a packet to the victim's server marked as only a fragment of a larger packet. The victim server reserves resources to reassemble the packet, but the remaining fragments never arrive.

What to do. Discard fragments whose expected reassembled size is too large, so that they do not fill up your RAM.

TCP SYN Flood
TCP has a connection setup mechanism. First, the source sends a SYN packet indicating that it wants to establish a connection. The receiving server responds with a SYN+ACK packet indicating that it is ready to connect. The source responds with an ACK packet, confirming receipt of the SYN+ACK. The connection is established because both sides have confirmed their readiness, and data begins to flow.

Here the handshake already checks that the addresses match, so the source address cannot simply be substituted. But an attacker can generate SYN packets that initiate new sessions with the victim server and then never complete the connection by sending the ACK. Such an attack overflows the connection table and degrades performance: there is simply no room left for real requests.

What to do. Block the excess with the firewall: set a limit on the number of SYN packets per second that you expect for your service.
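The two checks behind that firewall limit, as an added example that is not code from the original post: a per-source SYN-per-second budget and a total half-open backlog check, run over a constructed inbound packet trace. The limits (20 SYN/s per source, 100 half-open connections) are assumed values for a small web service.

```python
"""Detecting a SYN flood in an inbound TCP trace: per-source SYN-per-second
budget plus a half-open (SYN without ACK) backlog check. Added example, not
code from the original post; the trace is constructed and the limits assumed."""
from collections import defaultdict

SYN_PER_SEC_LIMIT = 20     # assumed: legitimate clients never exceed this
BACKLOG_LIMIT = 100        # assumed: total half-open connections we tolerate

def analyze(trace, syn_limit=SYN_PER_SEC_LIMIT, backlog_limit=BACKLOG_LIMIT):
    """trace: iterable of (time_sec, src_ip, flags) for packets arriving at
    the server, flags being 'S' (SYN) or 'A' (the client's final ACK).
    Returns (offending_sources, backlog_exceeded, half_open_per_source)."""
    syn_per_sec = defaultdict(int)          # (src, second) -> SYN count
    half_open = defaultdict(int)            # src -> SYNs not yet ACKed
    offenders, backlog_exceeded = set(), False
    for t, src, flags in trace:
        if flags == "S":
            key = (src, int(t))
            syn_per_sec[key] += 1
            half_open[src] += 1
            if syn_per_sec[key] > syn_limit:
                offenders.add(src)           # candidate for a firewall drop rule
            if sum(half_open.values()) > backlog_limit:
                backlog_exceeded = True      # table filling regardless of source
        elif flags == "A" and half_open[src] > 0:
            half_open[src] -= 1              # handshake completed, slot freed
    return offenders, backlog_exceeded, dict(half_open)

def constructed_trace():
    """Two real clients completing handshakes, one attacker sending 60 SYNs in
    one second, and a spoofing attacker spreading 120 SYNs over 120 addresses
    so that no single source trips the per-source limit."""
    trace = [(0.10, "203.0.113.5", "S"), (0.15, "203.0.113.5", "A"),
             (0.20, "203.0.113.6", "S"), (0.24, "203.0.113.6", "A")]
    trace += [(1.0 + i / 100, "192.0.2.10", "S") for i in range(60)]
    trace += [(2.0 + i / 200, f"198.51.100.{i}", "S") for i in range(120)]
    return sorted(trace)
```

A per-source budget alone misses an attacker who rotates spoofed source addresses, which is why the aggregate backlog check is kept alongside it.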

HTTP Flood
This attack is no longer aimed at the connection but directly at your service, and it usually works at the application layer of the OSI model.

HTTP Flood is simply the generation of requests. There is no address substitution, no violation of standards, nothing of the kind: these are ordinary requests, sent in a distributed way in order to make your web server unavailable. It is trivial: an attacker sends millions of requests to generate the main page of your site, and the server simply cannot cope. It is like a real traffic surge on Black Friday, only artificially caused.

Defending against such attacks varies greatly depending on the infrastructure and the nature of the attack. I will tell you more about it later.

Methods of preventing and protecting against DDoS attacks
General infrastructure analysis
Draw up a plan of your infrastructure. Understand clearly what you have, where it is located, and which services and servers you use.

Analyze which elements of the infrastructure should be accessible from outside, and close everything that should not be. For example, the DBMS should not be reachable from outside: restrict access to it in the firewall and move it off the standard port.

Make sure that the IP addresses of your infrastructure have not been exposed. Even if you have repelled an attack on the main service, another element of your infrastructure may become the next target.

Minimizing the attack zone
Configure the server's firewall. Under no circumstances should the default policies be left in place. Close everything except trusted addresses and networks.

Hide all real infrastructure IP addresses. Change them periodically.

If possible, get rid of unencrypted traffic: stop using HTTP and switch to HTTPS. This is important for security in general, but it also helps against DDoS, because attackers cannot inspect your packets and learn how you form them in order to forge them later.

Study the business logic to understand how and where your legitimate customers make requests. That is how you learn to recognize illegitimate ones.
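Applying that idea to the HTTP Flood described earlier, as an added example that is not code from the original post: access log lines in the combined format are parsed, and a client is flagged either for regenerating dynamic pages far above the rate real visitors reach, or for requesting the main page repeatedly without ever fetching the assets a browser loads with it. The log lines, the set of dynamic paths and the thresholds are constructed or assumed.

```python
"""Picking HTTP-flood clients out of a web server access log by comparing each
client's behaviour with the legitimate request flow. Added example, not code
from the original post; log lines are constructed, thresholds are assumed."""
import re
from collections import defaultdict

# Apache/nginx combined log format, up to and including the status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumed business logic: a real visitor who loads "/" also fetches its assets,
# and nobody regenerates a dynamic page more than this many times per window.
DYNAMIC = {"/", "/search"}
MAX_DYNAMIC_PER_WINDOW = 30

def parse(lines):
    """Yield (ip, path) for each well-formed log line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path")

def suspects(lines, limit=MAX_DYNAMIC_PER_WINDOW):
    """Return {ip: reason} for clients that look like flood sources within one
    log window: too many dynamic-page requests ("rate"), or dynamic pages
    requested repeatedly without a single static asset ("no-assets")."""
    dynamic, static = defaultdict(int), defaultdict(int)
    for ip, path in parse(lines):
        if path in DYNAMIC:
            dynamic[ip] += 1
        else:
            static[ip] += 1
    flagged = {}
    for ip, n in dynamic.items():
        if n > limit:
            flagged[ip] = "rate"
        elif n >= 5 and static[ip] == 0:
            flagged[ip] = "no-assets"
    return flagged

def constructed_log():
    """One browser session, one scripted client hammering "/", and one client
    that stays under the rate limit but never fetches an asset."""
    fmt = '{ip} - - [26/Feb/2024:01:41:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.5", s=0, p="/"),
             fmt.format(ip="203.0.113.5", s=1, p="/static/app.css"),
             fmt.format(ip="203.0.113.5", s=1, p="/static/app.js")]
    lines += [fmt.format(ip="192.0.2.10", s=i % 60, p="/") for i in range(200)]
    lines += [fmt.format(ip="198.51.100.9", s=i, p="/") for i in range(8)]
    return lines
```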


Comments:

1. Jack (☘Pʀᴇᴍɪᴜᴍ), 20 April 2024 11:10, 19 comments
   Very useful information. Thank you.

2. Baren (☘Pʀᴇᴍɪᴜᴍ), 27 March 2024 04:57, 18 comments
   Thank you for your publication, it helped me a lot.

3. Viking56 (☘Pʀᴇᴍɪᴜᴍ), 22 March 2024 07:12, 31 comments
   I have always found what I need on this resource, for a long time now. And this time I was looking for exactly that. Thank you.

Publication information:

  • Author: Aslan
  • Date of publication: 26 February 2024 01:41
  • Category: Information security / DDOS
  • Views: 62
  • Comments: 3
