
Volumetric DDoS Attacks | NOC.org

What Is a Volumetric DDoS Attack?

A volumetric DDoS attack is a category of distributed denial of service attack that aims to consume all available bandwidth between the target and the internet. The strategy is simple and blunt: flood the network pipe with so much data that legitimate traffic cannot get through. Volumetric attacks operate at Layers 3 and 4 of the OSI model and are measured in bits per second (bps) or gigabits per second (Gbps).

Volumetric attacks account for the majority of all DDoS incidents by volume. The largest recorded attacks have exceeded 3 Tbps, generated by botnets and amplification techniques that allow attackers to multiply their available bandwidth by factors of hundreds or thousands. Unlike HTTP flood attacks that target the application layer, volumetric attacks do not require the traffic to be well-formed or meaningful — the goal is purely to saturate the target's network capacity.

How Volumetric Attacks Work

Volumetric attacks exploit two fundamental properties of internet infrastructure:

  1. Finite bandwidth: Every network link has a maximum throughput. A 10 Gbps uplink can carry at most 10 Gbps. If an attacker sends 15 Gbps of traffic to that link, 5 Gbps of traffic (including legitimate requests) is dropped.
  2. UDP is connectionless: UDP does not require a handshake before sending data. The attacker can send packets with spoofed source addresses, making it difficult to trace the attack and enabling amplification techniques where third-party servers unknowingly participate in the attack.

The attacker typically controls a botnet — a network of thousands of compromised devices — and instructs all bots to send traffic to the victim simultaneously. In amplification attacks, the attacker also leverages misconfigured third-party servers to multiply the traffic volume far beyond the botnet's own bandwidth.

Common Volumetric Attack Techniques

UDP Floods

A UDP flood sends a massive volume of UDP packets to random ports on the target server. For each packet received, the server must:

  1. Check whether any application is listening on the destination port.
  2. If no application is listening, generate an ICMP "Destination Unreachable" response.

This process consumes server resources for every packet. When millions of packets arrive per second, the server spends all its processing capacity handling garbage traffic. UDP floods are straightforward to execute and difficult to filter because UDP packets have no handshake or state to validate.

ICMP (Ping) Floods

An ICMP flood overwhelms the target with ICMP Echo Request (ping) packets. The target must process each packet and, under normal circumstances, respond with an ICMP Echo Reply. At high volumes, the processing overhead and the reply traffic consume both CPU and bandwidth. Most modern network equipment can rate-limit ICMP traffic, but a sufficiently large botnet can still generate enough volume to saturate the network link before ICMP filtering takes effect.

DNS Amplification

DNS amplification attacks exploit open DNS resolvers to generate large DNS responses directed at the victim. The attacker sends small DNS queries (approximately 40 bytes) with the victim's spoofed source IP to open resolvers, which respond with much larger DNS answers (up to 4,000+ bytes) to the victim. With amplification factors of 28x to 100x, an attacker with 1 Gbps of bandwidth can generate up to 100 Gbps of attack traffic. DNS amplification remains one of the most widely used volumetric techniques.

NTP Amplification

NTP amplification exploits the monlist command in older Network Time Protocol (NTP) servers. The monlist command returns the last 600 IP addresses that connected to the NTP server — a response that can be over 100 times larger than the request. The amplification factor for NTP can exceed 556x, making it one of the most potent amplification vectors available.

Although the NTP community has patched most servers to disable monlist by default, tens of thousands of vulnerable NTP servers remain online. A small botnet exploiting NTP amplification can generate traffic volumes that overwhelm even large enterprise networks.

Memcached Amplification

Memcached amplification attacks exploit internet-exposed Memcached servers — in-memory caching systems that should never be accessible from the public internet. The attacker first stores a large data payload on an exposed Memcached server, then sends a spoofed request to retrieve that payload with the victim's IP as the source. The amplification factor is staggering: up to 51,000x in documented cases.

In 2018, a memcached amplification attack against GitHub reached 1.35 Tbps, making it one of the largest DDoS attacks ever recorded at the time. The attack was mitigated within 10 minutes by routing traffic through a DDoS scrubbing service. Since then, the number of exposed Memcached servers has declined but not been eliminated.

SSDP and CLDAP Amplification

Other protocols commonly exploited for amplification include:

Protocol | Port     | Amplification Factor | Exploited Service
---------|----------|----------------------|------------------
SSDP     | UDP/1900 | ~30x                 | UPnP devices (routers, cameras, IoT)
CLDAP    | UDP/389  | 56x – 70x            | Exposed Active Directory domain controllers
CharGEN  | UDP/19   | ~358x                | Legacy character generator protocol
SNMP     | UDP/161  | ~6x                  | Network management devices with default community strings
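The common thread across every reflection vector above is that the victim receives large UDP responses from well-known service ports (53, 123, 11211, 1900, 389, 19, 161) it never queried, from many reflectors at once. The following detector, an added example that is not NOC.org's code, scores NetFlow-style records by reflector source port. The port-to-factor table is taken from this article's figures; the flow records, the 5-second window and the alert thresholds are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Well-known reflector source ports and the approximate amplification
# factors given in the article (UDP source port -> (name, factor)).
REFLECTOR_PORTS = {
    53: ("DNS", 100),
    123: ("NTP", 556),
    11211: ("Memcached", 51000),
    1900: ("SSDP", 30),
    389: ("CLDAP", 70),
    19: ("CharGEN", 358),
    161: ("SNMP", 6),
}

# Constructed sample flow export covering one 5-second window (assumption).
# Columns: src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
198.51.100.7,53,203.0.113.10,40123,udp,3200000,1000
198.51.100.8,53,203.0.113.10,40123,udp,3100000,980
192.0.2.44,123,203.0.113.10,40123,udp,2400000,5000
192.0.2.45,123,203.0.113.10,40123,udp,2300000,4800
192.0.2.99,11211,203.0.113.10,40123,udp,9000000,6500
192.0.2.100,11211,203.0.113.10,40123,udp,8000000,5800
198.51.100.20,443,203.0.113.10,51000,tcp,820000,700
198.51.100.21,53,203.0.113.11,52000,udp,1200,4
"""

WINDOW_SECONDS = 5  # assumed export interval


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        for field in ("src_port", "dst_port", "bytes", "packets"):
            row[field] = int(row[field])
        rows.append(row)
    return rows


def detect_reflection(flows, window=WINDOW_SECONDS, min_mbps=1.0, min_sources=2):
    """Flag destinations receiving high-rate UDP traffic *from* reflector ports.
    Legitimate replies from these services are small and come from a few
    servers; amplified floods are large and arrive from many reflectors."""
    per_dst = defaultdict(lambda: defaultdict(
        lambda: {"bytes": 0, "packets": 0, "sources": set()}))
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        bucket = per_dst[f["dst_ip"]][f["src_port"]]
        bucket["bytes"] += f["bytes"]
        bucket["packets"] += f["packets"]
        bucket["sources"].add(f["src_ip"])

    findings = []
    for dst, ports in per_dst.items():
        for port, b in ports.items():
            mbps = b["bytes"] * 8 / window / 1e6
            if mbps >= min_mbps and len(b["sources"]) >= min_sources:
                name, factor = REFLECTOR_PORTS[port]
                findings.append({
                    "dst_ip": dst,
                    "vector": name,
                    "src_port": port,
                    "mbps": round(mbps, 2),
                    "avg_pkt_bytes": b["bytes"] // b["packets"],
                    "reflectors": len(b["sources"]),
                    # Rough estimate of the attacker's own bandwidth behind
                    # the amplification, useful for judging botnet size.
                    "est_origin_mbps": round(mbps / factor, 4),
                })
    findings.sort(key=lambda x: -x["mbps"])
    return findings


if __name__ == "__main__":
    for finding in detect_reflection(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The single-source DNS flow to 203.0.113.11 stays unflagged, which is the point of the `min_sources` check: one resolver answering a real query looks nothing like dozens of reflectors converging on one host. In production the thresholds would be set from baseline traffic rather than the constructed values used here.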

The Scale Problem

What makes volumetric attacks fundamentally challenging is that no single server or network can absorb them alone. Consider the math:

  • A typical web server has a 1-10 Gbps uplink.
  • A well-provisioned data center might have 40-100 Gbps of aggregate bandwidth.
  • Modern volumetric attacks routinely exceed 500 Gbps and have surpassed 3 Tbps.

When the attack volume exceeds your total bandwidth capacity, no amount of server-side filtering can help — the packets are dropped by your upstream provider's routers before they ever reach your equipment. This is why network-edge and upstream defenses are essential.

Defense Strategies

Anycast Network Distribution

Anycast is the most effective defense against volumetric attacks. In an anycast network, the same IP address is announced from multiple data centers worldwide. When attack traffic is directed at the target IP, it is automatically distributed across all anycast locations based on BGP routing. Instead of 500 Gbps hitting a single data center, the traffic is split across dozens of locations, each absorbing a manageable portion. A CDN with a global anycast network effectively turns volumetric attacks into a distributed load problem rather than a single-point-of-failure crisis.
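To make the scale argument concrete, the model below (an added example, not NOC.org's code) chains the article's own figures: the 40-byte DNS query and 4,000-byte response give a 100x factor, a 1 Gbps attacker therefore produces 100 Gbps, a 10 Gbps uplink drops the excess, and splitting the same flood over anycast sites brings each site's share under its capacity. The 25 sites, 40 Gbps per site and 2 Gbps of legitimate traffic are constructed assumptions, as is the even split (real BGP distribution is uneven).

```python
# Constructed scenario values (assumptions), chosen to match the article's figures.
DNS_QUERY_BYTES = 40
DNS_RESPONSE_BYTES = 4000
ATTACKER_GBPS = 1.0
UPLINK_GBPS = 10.0
ANYCAST_SITES = 25
SITE_CAPACITY_GBPS = 40.0


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: response size over request size."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def reflected_volume_gbps(origin_gbps, factor):
    """Traffic the victim sees when origin_gbps of spoofed requests are amplified."""
    return origin_gbps * factor


def link_loss(attack_gbps, legit_gbps, link_gbps):
    """Model a saturated link. Offered load beyond capacity is dropped and,
    without upstream prioritisation, legitimate traffic is lost in the same
    proportion as attack traffic. Returns (dropped_gbps, loss_fraction)."""
    offered = attack_gbps + legit_gbps
    if offered <= link_gbps:
        return 0.0, 0.0
    dropped = offered - link_gbps
    return dropped, dropped / offered


def anycast_share(attack_gbps, sites, site_capacity_gbps):
    """Split an attack evenly across anycast sites (idealised) and report
    each site's share and whether it fits within that site's capacity."""
    per_site = attack_gbps / sites
    return per_site, per_site <= site_capacity_gbps


def scenario(origin_gbps=ATTACKER_GBPS, factor=None, legit_gbps=2.0,
             link_gbps=UPLINK_GBPS, sites=ANYCAST_SITES,
             site_capacity_gbps=SITE_CAPACITY_GBPS):
    """Tie the pieces together: the amplified volume, what a single uplink
    drops, and whether anycast distribution absorbs the same flood."""
    if factor is None:
        factor = amplification_factor(DNS_QUERY_BYTES, DNS_RESPONSE_BYTES)
    attack = reflected_volume_gbps(origin_gbps, factor)
    dropped, loss = link_loss(attack, legit_gbps, link_gbps)
    per_site, site_ok = anycast_share(attack, sites, site_capacity_gbps)
    return {
        "attack_gbps": attack,
        "single_link_dropped_gbps": dropped,
        "legit_loss_fraction": round(loss, 3),
        "per_site_gbps": per_site,
        "anycast_absorbs": site_ok,
    }


if __name__ == "__main__":
    print(scenario())
```

With the defaults, a single 10 Gbps uplink drops 92 of 102 offered Gbps, so about 90% of legitimate requests are lost before they reach the server, while the same 100 Gbps spread over 25 sites is 4 Gbps each. Swapping in the NTP factor from the text (`scenario(factor=556)`) shows why a small botnet is enough to overrun an enterprise link.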

Upstream Scrubbing Services

DDoS scrubbing centers sit between the target and the internet. During an attack, traffic is rerouted (via BGP or DNS) through the scrubbing center, which inspects every packet, discards attack traffic, and forwards only clean traffic to the origin. Scrubbing services maintain hundreds of terabits of capacity specifically for absorbing volumetric attacks.

BGP Flowspec and ACLs

BGP flow specification (Flowspec) allows network operators to push traffic filtering rules to edge routers dynamically. During a volumetric attack, rules can be deployed within seconds to drop traffic matching specific patterns (source port, destination port, protocol, packet size) at the network edge before it reaches the target infrastructure.

Black Hole Routing

As a last resort, operators can announce a black hole route for the target IP, instructing all upstream routers to drop traffic destined for that IP. This stops the attack but also drops all legitimate traffic. Remote Triggered Black Hole (RTBH) routing is typically used only when the attack threatens to affect other customers or services sharing the same network.

Source Address Validation (BCP38)

Ingress filtering at the network edge (BCP38/RFC 2827) prevents packets with spoofed source addresses from leaving a network. If universally implemented, BCP38 would eliminate all reflection and amplification attacks because the spoofed packets used to trigger amplified responses would be dropped at the source. Adoption has increased but remains incomplete across the global internet.
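The check BCP38 describes is simple to state: on a customer-facing edge interface, only packets whose source address belongs to the prefixes assigned to that customer may be forwarded. The simulation below is an added example (not NOC.org's code) of that ACL-style ingress filter; the customer prefixes and the packet list, including the spoofed sources that carry a would-be victim's address or a private address, are constructed.

```python
import ipaddress

# Constructed: prefixes legitimately assigned to the customer behind one edge
# interface. Any other *source* address seen leaving that interface is spoofed.
CUSTOMER_PREFIXES = ["192.0.2.0/24", "198.51.100.0/26"]

# Constructed egress packets on the customer-facing interface:
# (source, destination, proto, dst_port)
PACKETS = [
    ("192.0.2.17", "203.0.113.53", "udp", 53),      # legitimate DNS query
    ("198.51.100.9", "203.0.113.80", "tcp", 443),   # legitimate HTTPS
    ("203.0.113.10", "203.0.113.53", "udp", 53),    # source is someone else's host: spoofed
    ("198.51.100.200", "203.0.113.1", "udp", 123),  # outside the assigned /26: spoofed
    ("10.0.0.5", "203.0.113.1", "udp", 11211),      # private source at the edge: spoofed
]


def build_ingress_filter(prefixes):
    """Return a predicate that permits a source address only if it falls
    inside one of the assigned prefixes (the ACL form of BCP38; strict
    uRPF reaches the same decision from the routing table)."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def permitted(src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in nets)

    return permitted


def apply_bcp38(packets, prefixes):
    """Partition packets into forwarded and dropped. The dropped sources are
    returned so an operator can trace which host is emitting spoofed traffic."""
    permitted = build_ingress_filter(prefixes)
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permitted(pkt[0]) else dropped).append(pkt)
    return {
        "forwarded": len(forwarded),
        "dropped": len(dropped),
        "spoofed_sources": sorted({p[0] for p in dropped}),
    }


if __name__ == "__main__":
    print(apply_bcp38(PACKETS, CUSTOMER_PREFIXES))
```

Every dropped packet here is one that, if forwarded, could trigger an amplified response aimed at the address it forged. The filter runs at the network where the spoofing host lives, which is why the page notes that the benefit depends on adoption by other operators rather than by the eventual victim.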

Protect Your Infrastructure from Volumetric Attacks

Volumetric DDoS attacks are a brute-force problem that requires infrastructure-scale solutions. No single server can absorb a terabit-scale flood. The combination of a global CDN with anycast distribution, upstream scrubbing, and a WAF that handles the application-layer attacks that often accompany volumetric floods provides comprehensive protection. Explore NOC.org's pricing plans to find the protection level your infrastructure requires.
