Skip to content Skip to navigation Skip to footer

How To Implement a DDoS Mitigation Strategy


What Is DDoS Mitigation?

DDoS mitigation is the process of protecting a server from distributed denial-of-service (DDoS) attacks. This cybersecurity threat involves inundating a server with so many false requests that the server can no longer satisfy legitimate requests, crippling a crucial element of its infrastructure. 

The methods described below involve ways to mitigate Domain Name System (DNS)-based DoS attacks, as well as other types of denials of service.

How To Choose a Mitigation Provider

When choosing a mitigation provider, take into consideration network capacity, processing capacity, scalability, flexibility, and reliability.

Network Capacity

Your DDoS mitigation service needs to have enough bandwidth in its network to block the large volume of false traffic generated during an attack. For instance, if the network can handle 1 Tbps, it can block that much DDoS traffic—after taking into account the bandwidth used up by normal operations.

Processing Capacity

A DDoS mitigation strategy needs to be able to process a large amount of data quickly. One of the DDoS mitigation steps is processing and forwarding traffic. For example, if an attack is coming in at a rate of 75 million packets per second (Mpps) and your DDoS mitigation plan can only process 65 Mpps, some will get through to your server.


Your DDoS mitigation service needs to be scalable because attack sizes are likely to grow rather than diminish. If your DDoS mitigation provider cannot increase its network or processing capacity, larger attacks in the future may be able to penetrate your server.


When defending against DDoS attacks, flexibility is as, if not more, important than rebutting ransomware or viral threats. The system needs to be adaptable to recognize attacks even when there are large fluctuations in legitimate traffic. This requires setting up page rules that differentiate real traffic from false, as well as control how an attack is mitigated. These rules have to be disseminated across the entire network.


Your DDoS service, like a firewall, needs to be reliable. It should be there when you need it—every time. To ensure a reliable defense system, your service needs to have 24/7 oversight, as well as redundancy and failover solutions, which spin up “insurance” systems in the event a primary component fails.

How to Choose a Mitigation Provider

How DDoS Mitigation Works: Stages of Mitigation

Detection Stage

Network Layer Attacks

A dedicated DDoS mitigation appliance at the network layer can detect an attack on this layer. You can also use an out-of-band (OOB) management tool, which manages the network even though it is physically separated from it.

Application Layer Attacks

Application layer attacks can be harder to detect because they incorporate seemingly authentic Hypertext Transfer Protocol (HTTP) requests. To catch these attacks, your best weapon is often a real-time, behavior-based DDoS protection service, which can identify an attack based on the way internet traffic behaves compared to how it should behave during normal operation.

Response Stage


When considering DoS vs. DDoS attack mitigation strategies, rerouting is one thing they have in common. This aspect of the response stage involves sending malicious traffic elsewhere, away from your servers, breaking it down into manageable chunks if necessary.


With blackholing, which is also referred to as “null-routing,” your traffic gets directed to an Internet Protocol (IP) address that does not exist. This can present issues, however, because legitimate traffic may get sent there as well. 


Sinkholing involves diverting traffic from a list of IP addresses that have been identified as malicious. It may not always be effective because attackers can change their IP addresses during an attack, making behavior-based mitigation technologies a better solution.


Scrubbing is one of the more effective DDoS attack mitigation technologies because all traffic gets sent to a central location where it is examined for DDoS threats. Legitimate traffic is then sent to the server it was originally destined for.

Bot Detection

Bots can mimic human behavior, so your DDoS mitigation system needs to be able to detect bots. In this way, bots can be targeted and their potential impact can be negated even before an attack.

Analysis and Adaptation Stage

Analysis and adaptation involve examining security logs to learn more about the nature of a DDoS attack. The information gleaned can be used to adapt the system—design new rules that can allow the service to catch more attacks in the future.

Time to Mitigation

The time to mitigation is impacted by a few different factors: the time it takes to detect an attack, start the mitigation system, and mitigate the attack.

Detecting the Attack

In the detection phase, the system differentiates attack traffic from legitimate traffic. Because the attacks may start off slowly and use seemingly legitimate IP addresses, the detection phase may take some time.

Starting the Mitigation System

When a mitigation system starts, it performs actions, such as detecting bots, scrubbing, and diverting traffic. The time it takes to do this depends on how well mitigation devices are programmed and, in the case of human-based systems, the preparation of the individual members of the team.

Mitigation System in Action

The mitigation system’s effectiveness hinges on its speed. Therefore, careful planning on the part of the team is essential, which includes strategically orchestrating any automated features of a system.

How Fortinet Can Help?

FortiDDoS provides you with a dedicated security processor that protects Layers 3, 4, and 7 from DDoS attacks. The system incorporates behavior-based detection, making reliance on signature files unnecessary. FortiDDoS continually evaluates threats, which minimizes the number of false positives. 

Further, because FortiDDoS monitors hundreds of thousands of system parameters in conjunction with behavior-based analysis, it can defend against all DDoS attacks, including application-based, bulk volumetric, and secure sockets layer (SSL) and Hypertext Transfer Protocol Secure (HTTPS) attacks.

To compare the different FortiDDoS products, use this comparison tool.


What is DDoS mitigation?

DDoS mitigation is the process of protecting a server from distributed denial-of-service (DDoS) attacks. A DDoS attack involves inundating a server with so many false requests that the server can no longer satisfy legitimate requests, crippling a crucial element of its infrastructure.

How does DDoS mitigation work?

DDoS mitigation works by using DDoS attack mitigation technologies for rerouting, blackholing, sinkholing, or scrubbing traffic, as well as detecting DDoS bots.

How do you choose a DDoS mitigation provider?

You should choose a DDoS mitigation provider based on the network capacity, processing capacity, scalability, flexibility, and reliability of their system.

What are the four stages of DDoS mitigation?

The four stages of DDoS mitigation are detection, response, analysis, and adaptation.