Build fluency in the vocabulary of detecting and filtering a malicious traffic flood before it hits the origin.
1 / 5
At standup, a dev mentions a service designed specifically to detect and filter a flood of malicious traffic before it ever overwhelms the origin servers behind it. What is this practice called?
DDoS mitigation detects and filters a flood of malicious traffic before it ever overwhelms the origin servers behind it, typically through a dedicated scrubbing layer sitting in front of the actual application. Autoscaling the origin's own capacity adds more servers but does nothing to filter out the malicious traffic itself, so a large enough attack can still overwhelm even an autoscaled fleet. This dedicated filtering is what protects an origin from a volumetric or application-layer flood that autoscaling alone can't absorb.
2 / 5
During a design review, the team wants a volumetric flood of traffic to be absorbed across many geographically distributed edge locations instead of concentrating entirely on one origin data center. Which capability supports this?
Anycast routing distributes a volumetric flood of attack traffic across many geographically distributed edge locations, so no single origin data center bears the full brunt of the attack. Routing every request to a single fixed origin, with no distribution, concentrates the full force of an attack on one location, which is exactly what a volumetric DDoS attack is designed to overwhelm. This distribution across many edge locations is a core technique behind how a large-scale DDoS mitigation service absorbs a massive attack.
3 / 5
In a code review, a dev notices a mitigation system maintains a rolling baseline of normal traffic patterns for a given endpoint, so it can flag a sudden deviation as a likely attack rather than a genuine traffic surge. What does this represent?
Traffic-pattern baselining maintains a rolling picture of what normal traffic looks like for a given endpoint, letting the mitigation system flag a sudden deviation as a likely attack rather than simply a legitimate surge, like a marketing campaign driving real demand. Treating every sudden increase identically, with no baseline, risks either missing a genuine attack or blocking real customers during a legitimate spike. This baselining is what lets an automated mitigation system make that distinction quickly enough to matter during an active attack.
4 / 5
An incident report shows an origin's application servers became completely unresponsive during an attack because all incoming traffic, malicious and legitimate alike, reached the origin directly with no scrubbing layer in front of it. What practice would prevent this?
Routing traffic through a dedicated DDoS mitigation layer filters malicious traffic before it ever reaches the origin, keeping the application servers responsive to genuine customer requests even during an active attack. Continuing to route all traffic directly to the origin with no scrubbing layer is exactly what left the origin completely unresponsive in this incident. This front-line filtering is a standard architectural safeguard for any public-facing service at meaningful risk of a volumetric attack.
5 / 5
During a PR review, a teammate asks why the team routes traffic through a dedicated DDoS mitigation service instead of just autoscaling the origin to absorb a larger volume of traffic on its own. What is the reasoning?
Autoscaling adds more origin capacity but does nothing to filter out malicious traffic itself, so a sufficiently large attack can still overwhelm even a heavily autoscaled origin, and autoscaling that much capacity purely to absorb an attack is also extremely costly. A dedicated mitigation layer can filter and absorb an attack at a scale far beyond what any single origin could reasonably provision for. The tradeoff is the added dependency on, and cost of, running traffic through that dedicated mitigation service continuously.