Strange Loop

Are DDoS attacks a threat to the decentralised internet?

DDoS attacks often grab the headlines when they take down an important website. Sadly, DDoS experts usually keep the attack information to themselves. All the DDoS mitigation resources are centralized in the hands of a few large DDoS mitigation vendors. Without the details, internet operators are unable to distinguish a real danger from an empty threat.

At CloudFlare we deal with DDoS attacks every day and over the years we've gained a lot of experience. While some of our DDoS defenses require significant investment - e.g. buying more network capacity - many mitigations can be implemented in software.

In this talk we'll discuss what we have learned about L3 (OSI Layer 3) IP spoofing.

We'll explain why L3 attacks are even possible in today's internet, what a direct L3 attack may look like and how it differs from a reflected attack. We'll describe our attempts to trace IP spoofing and why attribution is so hard.

Our architecture allows us to perform attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've learned over the years.

While L3 attacks are a real danger to internet operators, they don't need to be. With a bit of cooperation and a couple of technical tricks, maybe we can finally save the internet and fix the IP spoofing problem for all.

Marek Majkowski

After fruitful encounters with such diverse topics as high-performance key-value databases, distributed queueing systems, making real-time web communication enjoyable, and accelerating time so that testing servers and protocols takes seconds, Marek Majkowski finally settled on working on DDoS mitigation in the CloudFlare London office, where he most appreciates the parking space for his motorbike.