What Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic from multiple sources. Unlike a simple Denial of Service (DoS) attack that originates from a single machine, a DDoS attack leverages hundreds or thousands of compromised devices — often called a botnet — to generate traffic volumes that no single server can handle.
The goal is straightforward: exhaust the target's resources so legitimate users cannot access the service. This can mean saturating the network bandwidth, consuming server CPU and memory, or crashing the application layer entirely. DDoS attacks have been responsible for some of the largest internet outages in history, and they remain one of the most common weapons in an attacker's toolkit.
How DDoS Attacks Work
A typical DDoS attack follows a multi-stage process:
- Building the botnet: The attacker compromises thousands of devices (computers, IoT devices, routers) using malware. Each infected device becomes a "bot" or "zombie" that the attacker controls remotely via a Command and Control (C2) server. See our common attack terms glossary for more on botnets and C2 infrastructure.
- Reconnaissance: The attacker identifies the target and probes for weaknesses — which ports are open, what services are running, and where the weakest link in the infrastructure chain exists.
- Launching the attack: The attacker sends a command to the botnet, instructing all bots to send traffic to the target simultaneously. Because the traffic comes from thousands of different IP addresses spread across the globe, it is extremely difficult to distinguish from legitimate traffic.
- Sustaining pressure: Sophisticated attackers rotate attack vectors, switching between volumetric, protocol, and application-layer techniques to evade defenses. Multi-vector attacks are now the norm rather than the exception.
The Three Categories of DDoS Attacks
DDoS attacks are generally classified into three categories based on which layer of the network stack they target. Understanding these categories is essential for building an effective defense strategy.
1. Volumetric Attacks (Layer 3/4)
Volumetric attacks aim to consume all available bandwidth between the target and the internet. They work by sheer volume — flooding the network pipe with so much data that legitimate traffic cannot get through. Common volumetric techniques include:
- UDP floods: Sending massive numbers of UDP packets to random ports, forcing the server to check for listening applications and reply with ICMP "Destination Unreachable" packets.
- ICMP (Ping) floods: Overwhelming the target with ICMP Echo Request packets.
- DNS amplification: Exploiting open DNS resolvers to send large DNS responses to the target, amplifying the attacker's bandwidth by factors of 28x to 70x.
- NTP amplification: Similar to DNS amplification but using Network Time Protocol servers, with amplification factors exceeding 500x.
Volumetric attacks are measured in bits per second (bps) and can exceed multiple terabits per second in the largest recorded incidents.
2. Protocol Attacks (Layer 3/4)
Protocol attacks exploit weaknesses in Layer 3 and Layer 4 protocols to consume server resources or the resources of intermediate infrastructure like firewalls and load balancers. Unlike volumetric attacks, they do not rely on raw bandwidth. Instead, they abuse protocol mechanics to exhaust connection state tables. Key examples include:
- SYN floods: Sending a rapid succession of TCP SYN requests without completing the three-way handshake, filling the server's half-open connection table.
- Ping of Death: Sending malformed or oversized ICMP packets that crash the target system when reassembled.
- Smurf attacks: Broadcasting ICMP requests with a spoofed source IP (the victim's IP) to an entire network, causing all hosts to reply to the victim simultaneously.
Protocol attacks are measured in packets per second (pps) and target the processing capacity of network equipment rather than bandwidth.
3. Application-Layer Attacks (Layer 7)
Application-layer attacks target the web application itself, consuming server resources by making seemingly legitimate HTTP requests. They are the hardest to detect because each individual request looks normal — the damage comes from the cumulative volume and targeting of resource-intensive endpoints.
- HTTP floods: Sending high volumes of HTTP GET or POST requests to pages that require database queries, file processing, or API calls.
- Slowloris: Opening many connections to the server and keeping them alive by sending partial HTTP headers, eventually exhausting the server's connection pool.
- Application exploits: Targeting specific application weaknesses, such as search functions that trigger expensive database queries, or file upload endpoints.
Application-layer attacks are measured in requests per second (rps) and often require far fewer resources from the attacker than volumetric attacks.
Impact of DDoS Attacks
The consequences of a successful DDoS attack extend far beyond temporary downtime:
| Impact Area | Description |
|---|---|
| Revenue loss | E-commerce sites lose sales for every minute they are offline. For large retailers, this can amount to hundreds of thousands of dollars per hour. |
| Reputation damage | Customers lose trust in services that experience frequent or prolonged outages. |
| Operational costs | Incident response, forensics, and infrastructure scaling during an attack can be extremely expensive. |
| Ransom demands | Many DDoS attacks are accompanied by extortion attempts (RDoS), where attackers demand payment to stop the attack. |
| Diversion tactic | DDoS attacks are frequently used to distract security teams while attackers carry out data breaches or other intrusions. |
DDoS Mitigation Strategies
Effective DDoS protection requires a layered approach that addresses all three attack categories:
Network-Level Defenses
- Anycast network distribution: Spreading traffic across multiple data centers so that no single location bears the full attack volume. A CDN with a global anycast network is one of the most effective defenses against volumetric attacks.
- Rate limiting: Restricting the number of requests a single IP can make within a given timeframe to prevent any single source from overwhelming the server.
- Black hole routing: Diverting attack traffic to a null route. This is a last-resort measure because it also discards legitimate traffic.
- BGP flowspec: Using BGP flow specification rules to filter malicious traffic at the network edge before it reaches your infrastructure.
Application-Level Defenses
- Web Application Firewall (WAF): A WAF inspects HTTP traffic and can identify and block application-layer attacks based on request patterns, rate anomalies, and behavioral analysis. NOC.org's WAF service provides managed rule sets specifically designed to counter Layer 7 DDoS attacks.
- CAPTCHA challenges: Presenting JavaScript or CAPTCHA challenges to suspicious traffic to verify that requests come from real browsers rather than automated bots.
- Geographic filtering: Blocking or rate-limiting traffic from regions where you have no legitimate users.
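The per-source rate check that the rate-limiting and WAF items above rely on, applied to the Layer 7 floods described in the application-layer section, as an added example that is not NOC.org's code: it reads combined-format access-log lines, tracks a sliding window of weighted requests per client IP, and flags sources that exceed a budget. The endpoint cost weights, the window and budget values, and the sample log (RFC 5737 documentation addresses) are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Subset of the combined log format: client IP, timestamp, method, path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical cost weights: a hit on an expensive endpoint counts as several
# plain requests, mirroring the Layer 7 pattern of targeting costly paths.
ENDPOINT_COST = {"/search": 5, "/upload": 5}

def parse_line(line):
    """Return (ip, datetime, method, path) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), method, path.split("?")[0]

def flag_sources(lines, window_s=10, budget=20):
    """Map each source IP whose weighted request count exceeds `budget`
    inside any `window_s`-second sliding window to its peak count."""
    windows = defaultdict(deque)  # ip -> (timestamp, cost) entries in window
    load = defaultdict(int)       # ip -> weighted count currently in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _method, path = parsed
        cost = ENDPOINT_COST.get(path, 1)
        q = windows[ip]
        q.append((ts, cost))
        load[ip] += cost
        while q and (ts - q[0][0]).total_seconds() >= window_s:  # expire old
            load[ip] -= q.popleft()[1]
        if load[ip] > budget:
            flagged[ip] = max(flagged.get(ip, 0), load[ip])
    return flagged

# Constructed sample log: one normal client, and one source issuing 30
# search requests within three seconds.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{36 + i // 10:02d} +0000] '
    f'"GET /search?q=a{i} HTTP/1.1" 200 512' for i in range(30)
] + [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{36 + 3 * i:02d} +0000] '
    f'"GET /index.html HTTP/1.1" 200 1024' for i in range(5)
]
```

A real deployment feeds this signal into a rate limiter or WAF rule rather than acting on it alone, since a botnet spread across thousands of addresses keeps each source under a per-IP budget.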
Infrastructure Preparation
- Over-provisioning: Maintaining bandwidth and server capacity well above normal requirements to absorb attack spikes.
- Redundancy: Distributing infrastructure across multiple providers and geographic regions to eliminate single points of failure.
- DDoS response plan: Documenting procedures for detection, escalation, mitigation, and post-incident review so your team can respond quickly under pressure.
Protect Your Infrastructure
DDoS attacks are growing in frequency, scale, and sophistication. Every organization with an online presence is a potential target. The combination of a global CDN, a properly configured WAF, and network-level filtering provides the strongest defense against all three categories of DDoS attacks. Explore NOC.org's pricing plans to find the protection level that matches your infrastructure needs.