DDoS Attack

What Is a DDoS Attack

A DDoS (Distributed Denial of Service) attack floods a target server or network with massive traffic from numerous computers, rendering the service unavailable. Unlike a DoS attack from a single source, DDoS attacks use botnets (networks of malware-infected devices) numbering from thousands to millions, making simple IP blocking ineffective.

The scale of DDoS attacks continues to grow. Attacks exceeding 1 Tbps are no longer rare, and the emergence of DDoS-as-a-Service has lowered the barrier - anyone can launch an attack for just a few dollars. Motivations range from financial extortion and competitive sabotage to political activism (hacktivism).

Attack Classification and Techniques

DDoS attacks are broadly classified into three categories based on which layer of the OSI model they target.

Volumetric Attacks (L3/L4)

These aim to saturate the target's bandwidth. UDP floods, ICMP floods, and DNS amplification (amplifying DNS responses and directing them at the target) are typical examples. In DNS amplification, the attacker spoofs the source IP to the target's address and sends small queries to open DNS resolvers, which return responses up to 50 times larger to the target.

Protocol Attacks (L3/L4)

These exploit protocol weaknesses to exhaust server resources. SYN floods send massive numbers of TCP connection requests without completing the handshake, filling the server's connection table. Ping of Death and Smurf attacks also fall into this category.

Application Layer Attacks (L7)

These target the application layer with requests that appear legitimate. HTTP floods send large volumes of normal-looking requests, and Slowloris holds connections open by sending headers extremely slowly. Because the traffic looks legitimate, these are the hardest to distinguish from real users.

Defense Strategies and Architecture

DDoS defense relies on layered protection, with countermeasures at several levels of the stack rather than a single control.

  • CDN Deployment: Distributing content across edge servers worldwide absorbs attack traffic. Major CDN providers can mitigate attacks in the tens of Tbps range.
  • WAF (Web Application Firewall): Detects and blocks application-layer attacks. Rate limiting, bot detection, and geographic filtering are effective countermeasures.
  • Anycast Routing: Distributing the same IP address across multiple data centers worldwide disperses attack traffic geographically, preventing concentration on a single point.
  • Rate Limiting: Limiting the number of requests per IP address per unit of time. Effective against HTTP floods but requires careful tuning to avoid blocking legitimate users.
  • DDoS Protection Services: Dedicated services from providers like Cloudflare, AWS Shield, and Akamai offer always-on protection with automatic detection and mitigation.
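To make the tuning trade-off in the Rate Limiting bullet concrete, the following is an added Python example (not code from the original article): a per-client token bucket run over constructed traffic, comparing a naive "5 requests per second" limit with one that tolerates a page-load burst. The client addresses, timestamps and thresholds are constructed for illustration.

```python
"""Per-client token-bucket rate limiting against an HTTP flood.

Added example, not code from the original article. The traffic below is
constructed: a legitimate browser fetching 20 page assets at once and a
single flooding client sending 10 requests/s for 60 s. Arithmetic is kept
in integer milliseconds and milli-tokens so the results are exact.
"""
from collections import defaultdict


class TokenBucket:
    """Allows `burst` requests at once, then sustains `rate` requests/s."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate                 # tokens per second (1 token = 1000 milli-tokens)
        self.capacity = burst * 1000     # bucket size in milli-tokens
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is not None:     # refill for the time elapsed since the last request
            self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:          # one whole token per request
            self.tokens -= 1000
            return True
        return False


def rate_limit(events, rate: int, burst: int):
    """events: iterable of (timestamp_ms, client_ip). Returns {ip: (allowed, blocked)}."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        counts[ip][0 if buckets[ip].allow(ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}


# Constructed traffic (documentation IP ranges, not real clients).
LEGIT, FLOODER = "198.51.100.10", "203.0.113.7"
TRAFFIC = [(0, LEGIT)] * 20 + [(30_000, LEGIT)]        # page-load burst, then one click 30 s later
TRAFFIC += [(i * 100, FLOODER) for i in range(600)]     # 10 req/s sustained for 60 s

STRICT = dict(rate=5, burst=5)    # naive "5 requests per second" limit
TUNED = dict(rate=5, burst=30)    # same sustained rate, but tolerates a page-load burst

if __name__ == "__main__":
    for name, cfg in (("strict", STRICT), ("tuned", TUNED)):
        result = rate_limit(TRAFFIC, **cfg)
        print(f"{name:6} legit allowed/blocked {result[LEGIT]}  flooder {result[FLOODER]}")
```

Both configurations throttle the flooder to roughly the 5 req/s refill rate once the bucket is empty, but only the tuned one lets the legitimate page load through untouched.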

Incident Response

Swift response during a DDoS attack is critical to minimizing damage. Including DDoS scenarios in your incident response plan is essential.

  1. Detection and Initial Response: Detect anomalous traffic increases, response time degradation, and rising error rates through monitoring alerts. Identify the attack type (volumetric, protocol, or application layer) to determine the appropriate countermeasure.
  2. Activate Mitigation: Enable DDoS protection services or switch DNS to a scrubbing center. If using a CDN, verify that origin IP addresses are not exposed.
  3. Communication: Notify users of the service disruption via a status page or social media. Inform your ISP and hosting provider to request upstream filtering.
  4. Post-Incident Analysis: After the attack subsides, analyze logs to identify attack patterns, evaluate the effectiveness of defenses, and update the response plan.

To learn more about this topic, see Firewall Basics: Your First Line of Network Defense.

Common Misconceptions

Small sites are not targeted by DDoS attacks
DDoS attacks are carried out for diverse reasons - financial extortion, competitive sabotage, and political motives. With DDoS-as-a-Service, attacks can be commissioned for just a few dollars, making sites of any size potential targets.

Increasing bandwidth prevents DDoS attacks
Bandwidth increases provide some defense against volumetric attacks, but application-layer attacks exhaust server resources with minimal traffic. Multi-layered measures including WAF and rate limiting are necessary.

DDoS Attack Types Comparison

Volumetric Attack

Aims to saturate bandwidth. Very high traffic volume (hundreds of Gbps to Tbps). CDN and ISP-level absorption is effective. DNS amplification is a typical example.

Application Layer Attack

Aims to exhaust server processing capacity. Effective even with low traffic volume. Requires WAF and rate limiting for defense. Slowloris and HTTP floods are typical examples.
