DDoS Attacks Explained - Drowning a Service in Traffic
A DDoS (Distributed Denial of Service) attack floods a target server with requests from thousands to millions of devices simultaneously, rendering the service inaccessible to legitimate users. Unlike a simple DoS attack from a single source, the distributed nature means blocking individual sender IP addresses is not enough to stop it.
The largest DDoS attack ever recorded, reported by Google in 2023, peaked at 398 million requests per second (398M rps). To put that in perspective, it is equivalent to sending Wikipedia's entire daily page views in roughly 10 seconds.
DDoS attacks require no advanced technical skill to launch. Illegal "DDoS-as-a-Service" platforms sell attack capacity for as little as a few dozen dollars per month. This low barrier to entry is the fundamental reason DDoS attacks remain so prevalent.
Three Categories of DDoS Attacks
DDoS attacks are classified into three categories based on which layer of the OSI model they target.
| Category | Target Layer | Common Techniques | Characteristics |
|---|---|---|---|
| Volumetric | L3/L4 (Network) | UDP flood, DNS amplification, NTP reflection | Saturates bandwidth. Can reach Tbps scale |
| Protocol | L3/L4 (Transport) | SYN flood, Ping of Death, Smurf attack | Exhausts server connection tables |
| Application Layer | L7 (Application) | HTTP flood, Slowloris, RUDY | Low traffic volume, high server load. Hard to detect |
How Amplification Attacks Work
The most efficient volumetric technique is the amplification attack. The attacker spoofs the source IP address of small requests so that it matches the target's address, then sends them to open DNS or NTP servers. Those servers deliver their responses, typically tens to hundreds of times larger than the request, to the target instead of to the attacker. DNS amplification can achieve a factor of up to 54x, while memcached abuse has reached an astonishing 51,000x amplification ratio.
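From the defender's side, the signature of an amplification attack is UDP traffic arriving from well-known reflector ports for which the protected host never sent a request, or whose size dwarfs the request it did send. The following is an added example (not code from the article) that applies that check to constructed NetFlow-style flow records; the field order, the reflector port list and the 10x ratio threshold are assumptions made for the demo.

```python
"""Detect reflected/amplified UDP responses in flow records.

Added example, not code from the article. The flow tuples below are
constructed sample data in a NetFlow-like shape; the reflector port list,
field order and the 10x ratio threshold are assumptions for the demo.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors: DNS (53), NTP (123), memcached (11211)
REFLECTOR_PORTS = {53, 123, 11211}

PROTECTED_IP = "203.0.113.10"  # the host we defend (constructed address)

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # Legitimate DNS lookup: our host sends a query, the resolver answers it.
    ("203.0.113.10", 40001, "198.51.100.5", 53, "udp", 70, 1),
    ("198.51.100.5", 53, "203.0.113.10", 40001, "udp", 180, 1),
    # Reflected DNS: large answers arriving although our host never asked.
    ("198.51.100.7", 53, "203.0.113.10", 80, "udp", 36000, 10),
    ("198.51.100.8", 53, "203.0.113.10", 80, "udp", 42000, 12),
    # Reflected NTP responses, same pattern on port 123.
    ("198.51.100.9", 123, "203.0.113.10", 443, "udp", 24000, 50),
    # Ordinary inbound web traffic, unrelated.
    ("192.0.2.44", 51000, "203.0.113.10", 443, "tcp", 5000, 8),
]


def find_reflector_responses(flows, protected_ip):
    """Return every UDP flow from a reflector port to the protected host,
    annotated with whether the host actually sent a matching request and,
    if so, the observed response/request byte ratio."""
    # Index of outbound requests: (server, server_port, our_port) -> request bytes
    outbound = {}
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto == "udp" and src == protected_ip and dport in REFLECTOR_PORTS:
            outbound[(dst, dport, sport)] = nbytes

    findings = []
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp" or dst != protected_ip or sport not in REFLECTOR_PORTS:
            continue
        req_bytes = outbound.get((src, sport, dport))
        findings.append({
            "reflector": src,
            "port": sport,
            "bytes": nbytes,
            "packets": pkts,
            # No matching request means someone else used our address as the source.
            "unsolicited": req_bytes is None,
            "ratio": None if req_bytes is None else round(nbytes / req_bytes, 1),
        })
    return findings


def summarize(findings, ratio_threshold=10.0):
    """Aggregate the suspicious subset: unsolicited responses, or solicited
    ones whose amplification ratio exceeds the threshold."""
    suspicious = [
        f for f in findings
        if f["unsolicited"] or f["ratio"] >= ratio_threshold
    ]
    by_port = defaultdict(int)
    for f in suspicious:
        by_port[f["port"]] += f["bytes"]
    return {
        "suspicious_flows": len(suspicious),
        "bytes": sum(f["bytes"] for f in suspicious),
        "by_port": dict(by_port),
    }


if __name__ == "__main__":
    report = summarize(find_reflector_responses(SAMPLE_FLOWS, PROTECTED_IP))
    print(report)
```

Grouping the suspicious bytes by reflector port tells you which service is being abused (DNS versus NTP here), which is exactly what an upstream provider needs when you ask them to filter: a request to drop inbound UDP from source port 53 or 123 is far more surgical than blackholing the whole address.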
Botnets - The Army Behind DDoS Attacks
The "distributed" in DDoS is made possible by botnets. Computers, IoT devices, and servers infected with malware obey commands from the attacker's C&C (Command and Control) server, sending attack traffic in unison.
The Mirai Botnet - A Turning Point
The Mirai botnet, which emerged in 2016, hijacked approximately 600,000 IoT devices (security cameras, routers) that still had default passwords, and launched a 1.2 Tbps attack against DNS provider Dyn. The attack knocked Twitter, Netflix, Reddit, GitHub, and numerous other major services offline for several hours.
Mirai's source code was publicly released, and its variants remain active today. Checking your home router's security and changing default credentials is the first step toward preventing your devices from becoming part of a botnet.
Scale of Modern Botnets
- Mirai (2016): ~600,000 IoT devices, peak 1.2 Tbps
- Meris (2021): ~250,000 routers, peak 21.8M rps
- Mantis (2022): ~5,000 virtual machines, peak 26M rps (small but powerful)
- HTTP/2 Rapid Reset (2023): Exploited a protocol vulnerability, peak 398M rps
DDoS Defense Strategies
Effective DDoS defense relies not on a single solution but on multiple layers working together.
Network-Layer Defenses
- BGP Anycast: Shares the same IP address across multiple global points of presence, geographically distributing attack traffic
- Blackhole routing: Discards all traffic destined for the attacked address at the router (a null route). A last resort, because legitimate traffic is dropped along with the attack
- Rate limiting: Caps the number of requests per unit of time. Particularly effective against L7 attacks
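The rate-limiting defense above is usually implemented as a token bucket per client: each client earns tokens at a fixed rate up to a burst ceiling, and a request is admitted only if a token is available. The following is an added example, not code from the article; the limits (10 requests per second with a burst of 20) and the client addresses in the simulation are assumptions chosen for the demo.

```python
"""Per-client token-bucket rate limiter.

Added example, not code from the article. The limits (10 requests/s with a
burst of 20) and the client addresses in the simulation are assumptions."""
import time


class TokenBucketLimiter:
    """One bucket per client; a request is admitted only if a token is available."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = float(rate_per_sec)   # tokens added per second
        self.burst = float(burst)         # bucket capacity (maximum burst size)
        self.clock = clock
        self.buckets = {}                 # client_id -> [tokens, last_refill_time]

    def allow(self, client_id, cost=1.0):
        now = self.clock()
        bucket = self.buckets.setdefault(client_id, [self.burst, now])
        tokens, last = bucket
        # Refill in proportion to elapsed time, never beyond capacity.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= cost:
            bucket[:] = [tokens - cost, now]
            return True
        bucket[:] = [tokens, now]
        return False


class FakeClock:
    """Deterministic clock so the simulation is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate(seconds=5, rate=10, burst=20):
    """A flooding client fires 30 requests every second while a normal client
    sends 3. Returns {client: [allowed, rejected]}."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate, burst, clock=clock)
    stats = {"flood": [0, 0], "normal": [0, 0]}
    for _ in range(seconds):
        for _ in range(30):
            stats["flood"][0 if limiter.allow("198.51.100.23") else 1] += 1
        for _ in range(3):
            stats["normal"][0 if limiter.allow("192.0.2.7") else 1] += 1
        clock.advance(1.0)
    return stats


if __name__ == "__main__":
    print(simulate())
```

Over five seconds the flooding client is held to the burst plus the refill (20 + 4 x 10 = 60 admitted out of 150), while the normal client, whose bucket never empties, sees every one of its 15 requests served. Note the limitation this illustrates: per-source buckets are effective against L7 floods from a modest number of addresses, but against a large botnet each source may stay under the limit, which is why this sits alongside anycast and upstream scrubbing rather than replacing them.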
CDN and Cloud-Based DDoS Protection
CDN providers offer DDoS mitigation services that absorb attack traffic using massive network capacity.
| Service | Network Capacity | Key Features |
|---|---|---|
| Cloudflare | 296+ Tbps | L3/L4 DDoS protection even on the free plan |
| AWS Shield | Undisclosed | Standard is free. Advanced adds WAF integration and 24/7 response |
| Akamai Prolexic | 20+ Tbps | Dedicated scrubbing centers clean attack traffic |
Responding to a DDoS Attack
How quickly and effectively you respond in the first minutes determines the extent of the damage.
- Detect and classify the attack: When a traffic spike is detected, determine whether it is volumetric, protocol-based, or an L7 attack
- Contact your ISP or hosting provider: Request upstream filtering. Your own bandwidth is almost certainly insufficient to absorb the flood
- Activate a CDN/DDoS mitigation service: Even without a prior contract, providers like Cloudflare offer emergency onboarding
- Document the attack pattern: Record source IPs, request patterns, and attack duration. This data is essential for legal action and future prevention
- Report to law enforcement: DDoS attacks are criminal offenses in most jurisdictions, including the Computer Fraud and Abuse Act (US) and the Unauthorised Access to Computer Material Act (UK)
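The first step above, classifying the spike, comes down to which resource is being exhausted: the link (volumetric), the connection table (protocol), or the application's request capacity (L7). The following is an added example, not code from the article, that turns that distinction into a triage function over per-second telemetry; the link capacity, baseline figures, multipliers and the four constructed samples are all assumptions made for the demo.

```python
"""First-minute triage: classify a traffic spike as volumetric, protocol or
application-layer from per-second telemetry.

Added example, not from the article. The link capacity, baseline figures,
multipliers and the four samples are constructed assumptions for the demo."""

LINK_BPS = 10_000_000_000  # assumed 10 Gbit/s uplink

# Assumed "normal day" figures for the protected service.
BASELINE = {
    "bps": 800_000_000,  # bits per second
    "pps": 120_000,      # packets per second
    "syn_pps": 2_000,    # TCP SYNs per second
    "half_open": 500,    # connections waiting for the handshake to finish
    "http_rps": 4_000,   # HTTP requests per second
}


def classify(sample, baseline=BASELINE, link_bps=LINK_BPS):
    """Return (category, reasons). Checks run in order of urgency: a saturated
    link makes the other metrics meaningless, so it is tested first."""
    reasons = []

    # Volumetric: the pipe itself is the bottleneck.
    util = sample["bps"] / link_bps
    if util >= 0.8 or sample["bps"] >= 10 * baseline["bps"]:
        reasons.append(f"link utilisation {util:.0%}, "
                       f"{sample['bps'] / baseline['bps']:.0f}x baseline bps")
        return "volumetric", reasons

    # Protocol: the connection table, not bandwidth, is what fills up.
    syn_share = sample["syn_pps"] / max(sample["pps"], 1)
    if sample["half_open"] >= 20 * baseline["half_open"] or syn_share >= 0.5:
        reasons.append(f"{sample['half_open']} half-open connections, "
                       f"SYNs are {syn_share:.0%} of packets")
        return "protocol", reasons

    # Application layer: modest bytes and packets, but the request rate explodes.
    if sample["http_rps"] >= 10 * baseline["http_rps"]:
        reasons.append(f"{sample['http_rps'] / baseline['http_rps']:.0f}x baseline "
                       f"request rate at only {util:.0%} link utilisation")
        return "application", reasons

    return "normal", ["all metrics within expected multiples of baseline"]


# Constructed one-second samples, one per scenario.
SAMPLES = {
    "udp_flood":  {"bps": 9_500_000_000, "pps": 900_000, "syn_pps": 5_000,   "half_open": 600,    "http_rps": 3_000},
    "syn_flood":  {"bps": 1_200_000_000, "pps": 700_000, "syn_pps": 650_000, "half_open": 40_000, "http_rps": 1_000},
    "http_flood": {"bps": 2_000_000_000, "pps": 250_000, "syn_pps": 3_000,   "half_open": 700,    "http_rps": 90_000},
    "quiet_hour": {"bps":   600_000_000, "pps":  90_000, "syn_pps": 1_500,   "half_open": 300,    "http_rps": 3_200},
}


def triage(samples=SAMPLES):
    """Map each sample name to its category."""
    return {name: classify(s)[0] for name, s in samples.items()}


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        category, why = classify(sample)
        print(f"{name:11s} -> {category:12s} ({'; '.join(why)})")
```

The ordering matters: once the uplink is saturated, the half-open count and request rate you measure behind it are whatever trickles through, so a volumetric verdict has to be reached from the bandwidth figure alone and drives the call to the ISP. The application-layer branch is the one that text-book "traffic spike" monitoring misses, because bytes and packets stay unremarkable while the request rate climbs; that is the case the article flags as hard to detect.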
There are many reasons a website can go down, but a sudden traffic spike should always raise suspicion of a DDoS attack.
The Evolving Threat - AI and IoT in DDoS
DDoS attacks continue to grow in both scale and sophistication. Cloudflare's 2024 report found that L7 DDoS attacks increased 61% year over year.
- AI-driven adaptive attacks: Emerging attacks use machine learning to study defense patterns in real time and evade detection
- Explosive IoT growth: An estimated 30 billion IoT devices will be online by 2025, vastly expanding the potential botnet pool
- Protocol vulnerabilities: Attacks like HTTP/2 Rapid Reset exploit design flaws in newer protocols, bypassing traditional defenses
- Ransom DDoS: Attackers combine DDoS with extortion, demanding payment to stop the flood, a tactic increasingly paired with ransomware campaigns
For a comprehensive study of DDoS defense, books on DDoS protection are a valuable resource. Start by visiting IP Checker to see your own IP address and build a foundational understanding of how networks work.