What Is a DDoS Attack? Types, Methods, and Defense Strategies
Understand what a DDoS attack is, how distributed denial-of-service attacks work, the main types including volumetric and application-layer, and effective defenses.
What Is a DDoS Attack?
A Distributed Denial-of-Service (DDoS) attack is a cyberattack in which an attacker floods a target — typically a website, server, or network — with an overwhelming volume of traffic from multiple distributed sources, rendering the target unable to serve legitimate users. Unlike a simple Denial-of-Service (DoS) attack that originates from a single source, a DDoS attack coordinates traffic from hundreds, thousands, or even millions of compromised devices, making it far more difficult to block. DDoS attacks are among the most common and disruptive cyber threats, with over 13 million attacks recorded globally in 2023 according to Netscout's Threat Intelligence Report.
The fundamental principle behind every DDoS attack is resource exhaustion: every server, network link, and application has finite capacity, and a DDoS attack aims to exceed that capacity so that legitimate requests cannot be processed.
How DDoS Attacks Work
Botnets: The Attack Infrastructure
Most DDoS attacks are launched through botnets — networks of compromised devices (computers, servers, IoT devices, routers) infected with malware that allows an attacker to control them remotely. The individual compromised devices are called "bots" or "zombies." Modern botnets can contain millions of devices spread across the globe.
The attack process typically follows these steps:
- Recruitment: The attacker infects devices with malware through phishing, software vulnerabilities, or brute-forcing weak credentials — IoT devices are particularly vulnerable due to default passwords and limited security updates
- Command and control (C2): Infected devices connect to a command infrastructure, awaiting instructions from the attacker
- Attack launch: The attacker issues a command specifying the target and attack type; all bots simultaneously begin sending traffic to the target
- Amplification: Many attacks exploit protocols that amplify traffic — a small request generates a much larger response directed at the target
DDoS-for-Hire Services
The barrier to launching DDoS attacks has dropped dramatically. "Booter" or "stresser" services available on the dark web allow anyone to purchase DDoS attacks for as little as $10-50 per hour, with no technical knowledge required. Law enforcement agencies have shut down numerous such services, but new ones continuously emerge.
Types of DDoS Attacks
DDoS attacks are categorized by which layer of the network stack they target, corresponding to the OSI (Open Systems Interconnection) model:
| Attack Category | OSI Layer | Target | Examples |
|---|---|---|---|
| Volumetric attacks | Layer 3-4 (Network/Transport) | Bandwidth and network capacity | UDP flood, ICMP flood, DNS amplification |
| Protocol attacks | Layer 3-4 (Network/Transport) | Server resources and stateful equipment (firewalls, load balancers) | SYN flood, Ping of Death, Smurf attack |
| Application-layer attacks | Layer 7 (Application) | Web server resources (CPU, memory, connections) | HTTP flood, Slowloris, DNS query flood |
Volumetric Attacks
Volumetric attacks aim to saturate the target's network bandwidth. They are measured in bits per second (bps) and can reach enormous scale. The largest recorded DDoS attack exceeded 3.47 Tbps (terabits per second) in 2024. Common techniques include:
- UDP flood: Sends massive volumes of UDP packets to random ports on the target, forcing it to process each packet and respond with ICMP "destination unreachable" messages
- DNS amplification: Sends small DNS queries with the target's spoofed IP address to open DNS resolvers, which return much larger responses to the target — amplification factors of 28-54x are common
- NTP amplification: Exploits the monlist command in NTP servers, achieving amplification factors up to 556x
- Memcached amplification: Exploits misconfigured Memcached servers for amplification factors exceeding 50,000x
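As an added, defender-side example that is not part of the original article, the following Python script looks for the traffic pattern these amplification attacks produce: many distinct reflectors, all answering from one of the abused service ports, sending unusually large packets to a single destination. The port-to-service map, the thresholds and the flow records are constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of services commonly abused as reflectors (assumed map for this example)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 389: "CLDAP"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Ordinary DNS answer: one resolver, a small response
    ("192.0.2.53", 53, "198.51.100.7", 41234, "udp", 120, 1),
    # Reflection: several open resolvers all sending large answers to one destination
    ("203.0.113.11", 53, "198.51.100.9", 5555, "udp", 42000, 30),
    ("203.0.113.12", 53, "198.51.100.9", 5555, "udp", 39900, 28),
    ("203.0.113.13", 53, "198.51.100.9", 5555, "udp", 44800, 32),
    ("203.0.113.14", 53, "198.51.100.9", 5555, "udp", 40600, 29),
    # TCP on a reflector port number is not reflection traffic and is ignored
    ("192.0.2.80", 123, "198.51.100.9", 5555, "tcp", 9000, 10),
]

def detect_reflection(flows, min_sources=3, min_avg_pkt=400):
    """Group inbound UDP flows by (destination, reflector service) and flag a group when
    at least min_sources distinct reflectors send packets averaging min_avg_pkt bytes."""
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        entry = agg[(dst, REFLECTOR_PORTS[sport])]
        entry["sources"].add(src)
        entry["bytes"] += nbytes
        entry["packets"] += pkts
    alerts = []
    for (dst, service), entry in agg.items():
        avg_pkt = entry["bytes"] / entry["packets"]
        if len(entry["sources"]) >= min_sources and avg_pkt >= min_avg_pkt:
            alerts.append({"victim": dst, "service": service,
                           "reflectors": len(entry["sources"]),
                           "avg_packet_bytes": round(avg_pkt),
                           "total_bytes": entry["bytes"]})
    return sorted(alerts, key=lambda a: -a["total_bytes"])

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The single legitimate DNS answer never trips the rule because one source is not a reflection pattern; the thresholds are a starting point to tune against a baseline of normal traffic.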
Protocol Attacks
Protocol attacks exploit weaknesses in network protocols to exhaust server resources or intermediate equipment:
- SYN flood: Exploits the TCP three-way handshake by sending a flood of SYN (synchronization) packets with spoofed source addresses. The target allocates resources for each half-open connection, eventually exhausting its connection table
- ACK flood: Overwhelms servers or firewalls with TCP ACK packets that must be processed against connection state tables
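An added example, not from the original article, of how a SYN flood shows up on the target itself: the Python below parses constructed lines in the shape of `ss -tan` output and, per listening port, compares half-open (SYN-RECV) sockets with established ones and counts distinct peers. The sample lines and the thresholds are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed lines in the shape of `ss -tan` output: State Recv-Q Send-Q Local:Port Peer:Port.
# Twelve half-open connections from twelve distinct peers sit against port 443 next to
# two established ones; port 22 shows a normal mix.
SAMPLE_SS = "\n".join(
    [f"SYN-RECV 0 0 203.0.113.10:443 198.51.100.{i}:4{i:04d}" for i in range(1, 13)]
    + ["ESTAB 0 0 203.0.113.10:443 192.0.2.5:51000",
       "ESTAB 0 0 203.0.113.10:443 192.0.2.6:51001",
       "SYN-RECV 0 0 203.0.113.10:22 192.0.2.7:52000",
       "ESTAB 0 0 203.0.113.10:22 192.0.2.8:52001",
       "ESTAB 0 0 203.0.113.10:22 192.0.2.9:52002"]
)

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def syn_flood_indicators(ss_output, half_open_threshold=100, ratio_threshold=5.0):
    """Per local port, report when half-open sockets pile up in absolute terms or when
    the half-open to established ratio is far above normal; a flood from spoofed
    addresses also shows as a large number of distinct peers that never complete."""
    half_open, established, sources = Counter(), Counter(), defaultdict(set)
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, _local, lport, peer, _pport = m.groups()
        if state == "SYN-RECV":
            half_open[lport] += 1
            sources[lport].add(peer)
        elif state == "ESTAB":
            established[lport] += 1
    alerts = {}
    for port, n in half_open.items():
        ratio = n / max(established[port], 1)
        if n >= half_open_threshold or ratio >= ratio_threshold:
            alerts[port] = {"half_open": n, "established": established[port],
                            "distinct_sources": len(sources[port]), "ratio": round(ratio, 1)}
    return alerts

if __name__ == "__main__":
    print(syn_flood_indicators(SAMPLE_SS))
```

A sustained spike in these figures is the cue to enable SYN cookies or shorten the half-open timeout on the host, and to push filtering upstream before the connection table fills.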
Application-Layer Attacks
Application-layer attacks are the most sophisticated and difficult to detect because they mimic legitimate user traffic. They target specific application functions that consume disproportionate server resources:
- HTTP flood: Sends seemingly legitimate HTTP GET or POST requests at high volume, exhausting web server capacity
- Slowloris: Opens many connections to the web server and keeps them alive by sending partial HTTP headers very slowly, tying up connection slots without triggering rate limits
- HTTP/2 Rapid Reset: Discovered in 2023, this attack exploits the HTTP/2 protocol's stream multiplexing, rapidly opening and resetting streams to overwhelm servers — responsible for the largest application-layer attacks ever recorded
Notable DDoS Attacks in History
| Year | Target | Scale | Significance |
|---|---|---|---|
| 2016 | Dyn DNS provider | 1.2 Tbps | Mirai botnet; knocked major sites offline (Twitter, Netflix, Reddit) |
| 2018 | GitHub | 1.35 Tbps | Memcached amplification; mitigated in 10 minutes by Akamai |
| 2020 | Amazon Web Services | 2.3 Tbps | Largest volumetric attack at the time; CLDAP reflection |
| 2023 | Google Cloud | 398 million rps | HTTP/2 Rapid Reset; largest application-layer attack recorded |
| 2024 | Cloudflare customer | 3.47 Tbps | Largest volumetric DDoS attack ever publicly disclosed |
DDoS Defense Strategies
Network-Level Protection
Defending against DDoS attacks requires a multi-layered approach:
- Anycast network distribution: Spreading traffic across a global network of data centers so that no single location bears the full attack volume — the foundation of cloud-based DDoS protection services
- Rate limiting: Restricting the number of requests a server accepts from any single source within a given time period
- Blackhole routing: Redirecting attack traffic to a null route (discarding it), though this also drops legitimate traffic to the targeted IP
- BGP flowspec: Using Border Gateway Protocol flow specification rules to filter attack traffic at the network edge before it reaches the target
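The rate-limiting item above, worked through as an added example that is not part of the original article: a per-source token bucket in Python, replayed over constructed request events so that a client at one request per second passes untouched while a source firing 100 requests in one second is throttled to its burst allowance plus refill. The rate, burst size and traffic sample are assumptions for illustration.

```python
from collections import defaultdict

class TokenBucket:
    """Per-source token bucket kept in integer milli-tokens so the arithmetic is exact.
    rate is tokens refilled per second, burst is the bucket capacity in tokens."""
    def __init__(self, rate, burst, now_ms):
        self.rate, self.capacity = rate, burst * 1000
        self.tokens, self.last_ms = self.capacity, now_ms

    def allow(self, now_ms):
        # Refill in proportion to elapsed time, never above capacity, then spend one token
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def replay(events, rate, burst):
    """Replay (timestamp_ms, source_ip) request events through one bucket per source
    and return allowed/dropped counts per source."""
    buckets, stats = {}, defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts_ms, src in sorted(events):
        if src not in buckets:
            buckets[src] = TokenBucket(rate, burst, ts_ms)
        stats[src]["allowed" if buckets[src].allow(ts_ms) else "dropped"] += 1
    return dict(stats)

# Constructed traffic: a normal client at one request per second and an abusive
# source sending 100 requests within a single second.
NORMAL = [(t * 1000, "192.0.2.10") for t in range(10)]
FLOOD = [(t * 10, "198.51.100.7") for t in range(100)]

if __name__ == "__main__":
    print(replay(NORMAL + FLOOD, rate=5, burst=10))
```

With a burst of 10 and a refill of 5 per second the flooding source gets its 10 burst tokens plus four more earned during the second, and the remaining 86 requests are dropped; the normal client never drains its bucket.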
Application-Level Protection
- Web Application Firewalls (WAFs): Inspect HTTP/HTTPS traffic and filter malicious requests based on rules, signatures, and behavioral analysis
- Bot detection: JavaScript challenges, CAPTCHAs, and behavioral analysis distinguish human users from automated attack traffic
- Connection timeouts: Configuring aggressive timeouts for incomplete connections to mitigate slow-rate attacks like Slowloris
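The connection-timeout item above, as an added example that is not the original article's code: a header reader in Python that enforces both a per-read idle timeout and a wall-clock deadline for the whole header block, which is the property that defeats Slowloris (a client trickling one header line at a time keeps the idle timer happy but cannot stretch the total budget). `run_scenario` is a constructed client/server pair over a socketpair; the limits and the sample requests are assumptions for illustration.

```python
import socket
import threading
import time

MAX_HEADER_BYTES = 8192  # assumed upper bound for a header block

class HeaderTimeout(Exception):
    """Raised when a client does not deliver a complete header block in time."""

def read_request_headers(conn, total_deadline=5.0, idle_timeout=2.0):
    """Read up to the blank line ending the HTTP headers under an idle timeout and a
    wall-clock deadline; the deadline is what defeats a slowly trickled header block."""
    buf = b""
    start = time.monotonic()
    while b"\r\n\r\n" not in buf:
        remaining = total_deadline - (time.monotonic() - start)
        if remaining <= 0:
            raise HeaderTimeout("header block not completed before deadline")
        conn.settimeout(min(idle_timeout, remaining))  # never wait past the deadline
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise HeaderTimeout("client idle too long")
        if not chunk:
            raise HeaderTimeout("connection closed before headers completed")
        buf += chunk
        if len(buf) > MAX_HEADER_BYTES:
            raise HeaderTimeout("header block too large")
    return buf

def run_scenario(chunks, delay, total_deadline, idle_timeout):
    """Constructed client/server pair: the client sends `chunks` with `delay` seconds
    between them. Returns ("ok", headers) or ("timeout", reason)."""
    server_side, client_side = socket.socketpair()
    def client():
        try:
            for c in chunks:
                client_side.sendall(c)
                time.sleep(delay)
        except OSError:
            pass  # server closed its end after giving up
        finally:
            client_side.close()
    threading.Thread(target=client, daemon=True).start()
    try:
        return ("ok", read_request_headers(server_side, total_deadline, idle_timeout))
    except HeaderTimeout as exc:
        return ("timeout", str(exc))
    finally:
        server_side.close()
```

A complete request sent at once returns its headers; a client that sends one header line every 0.4 s against a 0.6 s deadline is cut off even though no single pause exceeds the idle timeout.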
Cloud-Based DDoS Mitigation
Major providers including Cloudflare, Akamai, AWS Shield, and Google Cloud Armor offer cloud-based DDoS protection that absorbs attack traffic across globally distributed scrubbing centers with capacities exceeding 100 Tbps. These services can detect and mitigate most attacks automatically within seconds, without disrupting legitimate traffic.
Legal and Economic Impact
DDoS attacks carry significant consequences. The average cost of a DDoS attack to a business is estimated at $20,000-40,000 per hour in lost revenue, mitigation expenses, and reputational damage. For large enterprises, costs can reach millions of dollars. Launching DDoS attacks is illegal in virtually all jurisdictions — in the United States, it violates the Computer Fraud and Abuse Act (CFAA) and carries penalties of up to 10 years imprisonment.
Key Takeaways
- DDoS attacks overwhelm targets with traffic from distributed sources, exploiting finite server, network, and application resources
- Attacks are categorized as volumetric (bandwidth saturation), protocol (resource exhaustion), or application-layer (targeting specific application functions)
- Modern DDoS attacks can exceed 3 Tbps in volume or hundreds of millions of requests per second at the application layer
- Effective defense requires multi-layered strategies combining network filtering, application firewalls, and cloud-based mitigation services