DDoS: Protecting EUDI Wallet Infrastructure from Distributed Attacks

Last updated: 2/9/2026

Full Name: Distributed Denial of Service

Definition

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of Internet traffic from multiple distributed sources. Unlike a simple Denial of Service (DoS) attack from a single source, DDoS attacks use botnets -- networks of thousands or millions of compromised computers, IoT devices, and servers -- to generate traffic volumes that no single server can handle. For the EUDI Wallet ecosystem, which provides critical digital identity infrastructure for hundreds of millions of EU citizens, DDoS resilience is not merely a technical preference but a requirement for maintaining trust in the European digital identity framework.

Types of DDoS Attacks Relevant to EUDI Infrastructure

DDoS attacks target different layers of the network stack, and EUDI Wallet infrastructure must defend against all of them:

  • Volumetric attacks (Layer 3/4): These attacks flood the target with massive amounts of data, consuming all available bandwidth. UDP floods, ICMP floods, and amplification attacks (DNS amplification, NTP amplification) can generate traffic exceeding 1 Tbps. For EUDI services, volumetric attacks could saturate the network connections to Trusted List servers or revocation endpoints.
  • Protocol attacks (Layer 3/4): SYN floods, fragmented packet attacks, and Ping of Death exploit weaknesses in network protocols to exhaust server connection tables and firewall state tables. These attacks can disable services even with relatively low traffic volumes by consuming connection-handling resources.
  • Application-layer attacks (Layer 7): These are the most sophisticated and hardest to detect. They mimic legitimate requests -- for example, sending valid-looking OpenID4VCI credential issuance requests or OCSP queries at extremely high rates. Because each request appears legitimate individually, traditional volume-based filtering is ineffective. Behavioral analysis and rate limiting per client identity are required.

DDoS Mitigation Architecture for EUDI Services

Protecting EUDI Wallet infrastructure from DDoS requires a multi-layered defense strategy operating at every level from the network edge to the application:

Edge protection: Traffic first passes through upstream scrubbing centers operated by the ISP or specialized DDoS mitigation providers. These centers can absorb and filter volumetric attacks before they reach the EUDI service infrastructure. Anycast routing distributes incoming traffic across multiple geographically dispersed data centers, so an attack targeting a single IP address is automatically spread across the entire network.

CDN and caching layer: For read-heavy services like Trusted Lists and CRL distribution, CDN caching serves most requests from edge locations without touching the origin servers. Even during a massive attack, cached responses continue to be served from CDN nodes that are not under direct attack. This architectural choice means the most critical verification data remains available even when origin infrastructure is stressed.

Application-layer intelligence: Web Application Firewalls (WAFs) analyze request patterns to distinguish legitimate EUDI Wallet API calls from attack traffic. Machine learning models trained on normal wallet traffic patterns can detect anomalies -- for example, a sudden surge of OCSP queries from IP addresses that have never previously interacted with the service. Rate limiting per authenticated wallet instance provides another layer of protection, ensuring no single client can consume disproportionate resources.
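The two application-layer defenses described above (Layer 7 attacks in the list earlier and the WAF intelligence in this paragraph), as an added example that is not part of the original page: a token-bucket rate limiter keyed on the authenticated wallet instance, plus a detector for the anomaly the text names, a surge of OCSP queries from source IPs that have never interacted with the service. The gateway log schema, the limits and all sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed gateway log: (timestamp_seconds, wallet_id, source_ip, endpoint).
# wallet-A bursts four OCSP queries in 0.3 s; later four never-seen IPs query OCSP.
SAMPLE_EVENTS = [
    (0.0, "wallet-A", "198.51.100.5", "/credential"),
    (0.1, "wallet-A", "198.51.100.5", "/ocsp"),
    (0.2, "wallet-A", "198.51.100.5", "/ocsp"),
    (0.3, "wallet-A", "198.51.100.5", "/ocsp"),  # fourth request inside the burst
    (5.0, "wallet-A", "198.51.100.5", "/ocsp"),  # bucket has refilled by now
    (5.1, "wallet-B", "203.0.113.1", "/ocsp"),
    (5.2, "wallet-C", "203.0.113.2", "/ocsp"),
    (5.3, "wallet-D", "203.0.113.3", "/ocsp"),
    (5.4, "wallet-E", "203.0.113.4", "/ocsp"),
]
KNOWN_IPS = {"198.51.100.5"}  # constructed: IPs seen in the warm-up period


class WalletRateLimiter:
    """Token bucket per authenticated wallet instance (assumed limits)."""

    def __init__(self, capacity=3, refill_per_sec=1.0):
        self.capacity, self.refill = capacity, refill_per_sec
        self.state = {}  # wallet_id -> (tokens, last_timestamp)

    def allow(self, wallet_id, ts):
        tokens, last = self.state.get(wallet_id, (self.capacity, ts))
        tokens = min(self.capacity, tokens + (ts - last) * self.refill)
        if tokens >= 1:
            self.state[wallet_id] = (tokens - 1, ts)
            return True
        self.state[wallet_id] = (tokens, ts)  # over budget: request is throttled
        return False


def apply_limiter(events, limiter=None):
    """Return one allow/deny decision per event, in order."""
    limiter = limiter or WalletRateLimiter()
    return [limiter.allow(wallet, ts) for ts, wallet, _ip, _path in events]


def ocsp_surge_from_unknown_ips(events, known_ips, window=1.0, threshold=3):
    """Return window indices in which more than `threshold` distinct IPs that had
    never contacted the service before issued OCSP queries."""
    seen, counts = set(known_ips), defaultdict(int)
    for ts, _wallet, ip, path in events:
        if path == "/ocsp" and ip not in seen:
            counts[int(ts // window)] += 1
        seen.add(ip)  # every contact makes the IP "known" from then on
    return sorted(w for w, n in counts.items() if n > threshold)
```

In the sample, the fourth burst request from wallet-A is throttled while every other request passes, and window 5 is flagged because four previously unseen IPs queried OCSP within one second.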

Auto-scaling and redundancy: Cloud-native EUDI service deployments automatically scale horizontally when traffic increases, adding compute capacity to absorb legitimate request surges and buying time for attack mitigation to take effect. Multi-region deployments ensure that even if an entire data center becomes unreachable, services fail over to other regions within seconds.

EUDI Wallet Offline Resilience as DDoS Countermeasure

A unique aspect of the EUDI Wallet architecture is that it does not depend on real-time server connectivity for all operations. This offline capability serves as an inherent DDoS countermeasure. Credential presentations can be verified using locally cached Trusted Lists and CRLs. The wallet stores credentials locally and can present them without contacting the issuer. Device-to-device verification (for example, NFC-based age verification) requires no server interaction at all.

This design philosophy -- minimizing real-time dependencies on central infrastructure -- means that even a successful DDoS attack against EUDI backend services would not immediately prevent citizens from using their wallets for everyday transactions. Degradation is gradual: first, new credential issuance becomes unavailable, then real-time revocation checking stops (falling back to cached data), and only after extended outage do cached trust anchors expire. This graceful degradation model provides hours or days of continued functionality during infrastructure attacks, giving defenders time to mitigate without user-facing service disruption.
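The graceful degradation tiers described above, as an added example that is not part of the original page or of any EUDI reference implementation: a relying party evaluates a credential presentation while the revocation endpoint is unreachable, accepting on fresh cached data, accepting with a stale flag inside a grace period, and rejecting once the cached CRL is too old or the cached trust anchor has expired. The grace period, timestamps, serial numbers and cache contents are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"              # revocation data still within its validity
    ACCEPT_STALE = "accept-stale"  # backend unreachable, cached CRL past nextUpdate
    REJECT = "reject"


@dataclass(frozen=True)
class CachedTrustData:
    crl_next_update: datetime          # nextUpdate of the locally cached CRL
    trust_anchor_not_after: datetime   # expiry of the cached trust anchor
    revoked_serials: frozenset         # serials listed in the cached CRL


CRL_GRACE = timedelta(hours=48)  # assumption: how long a stale CRL may still be used

# Constructed cache: CRL fetched at T0 and valid for 24 h, anchor valid for 30 days.
T0 = datetime(2026, 2, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_CACHE = CachedTrustData(
    crl_next_update=T0 + timedelta(hours=24),
    trust_anchor_not_after=T0 + timedelta(days=30),
    revoked_serials=frozenset({"1F"}),
)


def evaluate_presentation(serial, cache, now):
    """Decide on a presentation using only cached trust data (backend down).

    Tiers follow the page: cached data serves first, then degrades, and only an
    expired trust anchor or an over-aged CRL makes verification fail closed.
    """
    if now > cache.trust_anchor_not_after:
        return Verdict.REJECT                     # last tier: anchor expired
    if serial in cache.revoked_serials:
        return Verdict.REJECT                     # revoked per cached CRL
    if now <= cache.crl_next_update:
        return Verdict.ACCEPT                     # cached CRL still current
    if now <= cache.crl_next_update + CRL_GRACE:
        return Verdict.ACCEPT_STALE               # middle tier: cached fallback
    return Verdict.REJECT                         # stale beyond grace: fail closed
```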

Sources

Information verified against official sources (2/16/2026)

