What Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is an attempt to make a server, network, or service unavailable by overwhelming it with traffic from multiple sources. Unlike a simple DoS attack originating from one machine, DDoS attacks use hundreds, thousands, or even millions of compromised devices — collectively called a botnet — making the attack extremely difficult to block by simply banning a single IP.
The core principle is exhaustion: flood a target with more requests than it can handle, causing legitimate users to be unable to connect. The target could be a web server, DNS resolver, game server, API endpoint, or even the routers and links connecting a network to the internet.
DDoS attacks are measured in two ways: volume (gigabits per second, Gbps) for bandwidth-exhaustion attacks, and packets per second (pps) or requests per second (rps) for state-exhaustion and application attacks. The largest recorded attacks have exceeded 3 Tbps — sufficient to saturate most commercial internet exchanges.
Motivations vary: competitive sabotage, extortion (ransom DDoS), hacktivism, distraction during a breach, or simply vandalism. DDoS-for-hire services (called "stressers" or "booters") have made attacks accessible to anyone with a credit card and a grudge.
The Three Main Categories of DDoS Attacks
Volumetric Attacks aim to saturate the target's bandwidth. UDP floods send massive amounts of User Datagram Protocol packets to random ports, forcing the target to respond with ICMP "port unreachable" messages. DNS amplification attacks spoof the victim's IP and send small queries to open DNS resolvers, which respond with much larger answers — amplification ratios can reach 50:1 or higher.
Protocol / State-Exhaustion Attacks target the connection state tables of servers and intermediate devices like firewalls and load balancers. A SYN flood sends millions of TCP connection requests (SYN packets) without completing the handshake, filling the server's connection queue until it can't accept legitimate connections. Smurf attacks and fragmentation attacks fall into this category too.
Application-Layer Attacks (Layer 7) are the hardest to detect because individual requests look legitimate. HTTP floods send realistic GET or POST requests designed to exhaust server CPU, database connections, or disk I/O. Slowloris attacks open many connections and send partial HTTP headers, keeping the connections alive and tying up the server's thread pool. These attacks are highly effective at low volumes — even 10,000 rps can take down an unprotected web server.
Other notable vectors and characteristics:
- NTP amplification: Up to 556x amplification ratio
- Memcached amplification: Up to 51,000x amplification ratio
- HTTPS floods: SSL handshakes are CPU-intensive for the server
- DNS NXDOMAIN floods: Exhaust recursive resolver caches
How to Detect a DDoS Attack in Progress
Early detection is critical because DDoS impacts cascade quickly. Key indicators include sudden spikes in inbound traffic visible in your router or firewall statistics, unusually high CPU or memory usage on web servers without a corresponding increase in legitimate sessions, and a sharp rise in connection timeout errors or 503 responses in your application logs.
At the network layer, watch for traffic patterns that deviate from baseline: packets that are abnormally small (common in SYN floods), traffic from geographic regions that don't match your user base, or unusual port distributions. Tools like ntopng, NetFlow analysis, or cloud provider traffic analytics can surface these anomalies automatically.
Use a port checker to verify which services are exposed on your server — reducing your attack surface is one of the most effective pre-emptive measures. Run a real IP lookup to understand what ASN and geography your server IP resolves to, helping you interpret traffic origin data correctly.
Set up automated alerting thresholds in your monitoring stack (Prometheus, Grafana, Datadog) so you're notified before the attack causes visible downtime. Aim for alert-to-response times under five minutes for infrastructure-layer attacks.
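The three indicators above (an inbound request-rate spike against baseline, a rise in 503 responses, and traffic concentrated on a few sources that do not match your normal user base) can be scored directly from a web server access log. The following is an added example, not code from the original article; it assumes Common Log Format lines, and the thresholds (5x baseline, 20% 503s, top three sources above 50% of requests) are illustrative assumptions that you would tune to your own baseline before wiring the result into the alerting stack described above.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format, e.g. '198.51.100.7 - - [10/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512'
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+$')

def parse_line(line):
    """Return (source_ip, unix_second, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], int(ts.timestamp()), int(m['status'])

def analyze(lines, baseline_rps, rps_factor=5.0, err_ratio=0.2, top_share=0.5):
    """Score one window of log lines against the three indicators from the text.
    Thresholds are assumptions: peak > rps_factor x baseline, 503s > err_ratio of
    responses, or the top three source IPs sending > top_share of all requests."""
    per_second, sources = Counter(), Counter()
    total = errors = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip garbage rather than crash mid-incident
        ip, sec, status = rec
        per_second[sec] += 1
        sources[ip] += 1
        total += 1
        errors += (status == 503)
    peak = max(per_second.values(), default=0)
    top3 = sum(n for _, n in sources.most_common(3))
    alerts = []
    if peak > baseline_rps * rps_factor:
        alerts.append(f"request-rate spike: peak {peak} rps vs baseline {baseline_rps}")
    if total and errors / total > err_ratio:
        alerts.append(f"503 surge: {errors}/{total} responses")
    if total and top3 / total > top_share:
        alerts.append(f"source concentration: top 3 IPs sent {top3}/{total} requests")
    return {"peak_rps": peak, "total": total, "err_503": errors, "alerts": alerts}

def build_sample():
    """Constructed log: 4 normal requests in one second, then a 60-request burst
    from three addresses in the next second, a third of them answered with 503."""
    lines = [f'198.51.100.{i + 1} - - [10/Mar/2024:12:00:00 +0000] "GET /p{i} HTTP/1.1" 200 512' for i in range(4)]
    attackers = ["203.0.113.5", "203.0.113.6", "203.0.113.7"]
    for i in range(60):
        status = 503 if i % 3 == 0 else 200
        lines.append(f'{attackers[i % 3]} - - [10/Mar/2024:12:00:01 +0000] "POST /search HTTP/1.1" {status} 0')
    return lines
```

Running `analyze(build_sample(), baseline_rps=5)` on the constructed sample raises all three alerts; on real logs, feed it a sliding window (for example the last 60 seconds) and compare against the baseline you measured during normal traffic.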
DDoS Mitigation Strategies
Anycast diffusion is used by major CDNs (Cloudflare, Akamai, Fastly) to absorb attacks by spreading traffic across hundreds of PoPs globally. Instead of one server receiving 500 Gbps, each of 200 nodes absorbs 2.5 Gbps — easily within capacity. This is why placing your web application behind a CDN is the single most effective DDoS mitigation step for most organizations.
Rate limiting and IP reputation filtering should be configured at the edge. Block traffic from known blacklisted IP ranges, apply connection rate limits per source IP, and use CAPTCHA challenges for suspicious request patterns. For application-layer attacks, Web Application Firewalls (WAFs) can distinguish between bots and real users via behavioral analysis and JavaScript challenges.
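The per-source connection rate limit described above is usually a token bucket keyed on the client IP. The following is an added example, not code from the article or from any vendor's edge product; it models a source rate limiter with an injected clock (integer milliseconds, so the arithmetic is exact), and the rate, burst and "offender" threshold are illustrative assumptions.

```python
from collections import defaultdict

class SourceRateLimiter:
    """Per-source-IP token bucket: the mechanism behind the per-IP rate limits
    the text recommends at the edge. Each source earns `rate` tokens per second
    up to a `burst` ceiling; a request arriving with no token left is rejected
    (or, at a real edge, sent a CAPTCHA/JS challenge). Time is passed in as
    integer milliseconds and tokens are kept as integer millitokens, so the
    arithmetic is exact and the behaviour is reproducible in tests."""

    def __init__(self, rate, burst):
        self.rate = rate                    # tokens per second (int)
        self.cap = burst * 1000             # bucket ceiling in millitokens
        self._buckets = {}                  # ip -> (millitokens, last_seen_ms)
        self.rejected = defaultdict(int)

    def allow(self, ip, now_ms):
        tokens, last = self._buckets.get(ip, (self.cap, now_ms))
        tokens = min(self.cap, tokens + (now_ms - last) * self.rate)   # refill
        if tokens >= 1000:
            self._buckets[ip] = (tokens - 1000, now_ms)
            return True
        self._buckets[ip] = (tokens, now_ms)
        self.rejected[ip] += 1
        return False

    def offenders(self, min_rejects):
        """Sources rejected at least min_rejects times: candidates for a longer
        block or a challenge instead of per-request limiting."""
        return sorted(ip for ip, n in self.rejected.items() if n >= min_rejects)

def simulate(limiter, requests):
    """requests: iterable of (timestamp_ms, source_ip); returns (allowed, rejected)."""
    allowed = rejected = 0
    for ts, ip in requests:
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected

def build_sample():
    """Constructed traffic: a legitimate client at 2 rps and a flooding source
    at 100 rps, both over the same five seconds (500 flood requests)."""
    reqs = [(t * 500, "198.51.100.7") for t in range(10)]
    reqs += [(t * 10, "203.0.113.9") for t in range(500)]
    return sorted(reqs)
```

With `SourceRateLimiter(rate=10, burst=20)` the legitimate client is never rejected, while the flooding source gets through only the initial burst plus ten requests per second thereafter and quickly crosses any reasonable offender threshold.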
Upstream scrubbing centers are offered by ISPs and DDoS mitigation providers. Traffic is rerouted through a scrubbing facility that filters malicious packets and only forwards clean traffic to your origin. BGP blackholing is a more drastic option — the attacked IP is withdrawn from routing, dropping all traffic (both attack and legitimate) at the ISP level.
On-premises mitigation appliances from vendors like Radware, A10 Networks, and Arbor Networks sit in front of your servers and use hardware-accelerated packet inspection to drop attack traffic before it reaches your application. These are necessary for organizations that can't rely purely on cloud-based solutions.
Building a DDoS Response Plan
Organizations without a documented DDoS response plan make decisions under pressure, leading to slower recovery and potential misconfiguration that extends downtime. Your plan should define clear escalation paths, identify decision-makers, and pre-negotiate contracts with mitigation providers before you need them.
Key elements of a DDoS runbook include: how to confirm an attack is occurring (not just a traffic spike), who authorizes activation of upstream scrubbing services, communication templates for customers and stakeholders, and post-incident procedures to analyze the attack and improve defenses.
Test your plan annually with tabletop exercises simulating different attack scenarios. Know your provider's SLA for mitigation activation — some cloud DDoS services activate in under 10 seconds, others require a 15-minute BGP convergence. That difference can mean thousands of dollars in lost revenue.
After every incident, review logs to understand attack vectors, update firewall rules and rate limits accordingly, and check whether your IP was added to any abuse blacklists as collateral damage from the attack.

Frequently Asked Questions
Can a DDoS attack be traced to its source?
Technically yes, but practically it's very difficult. Attackers use botnets (compromised third-party machines), spoofed source IPs, and multiple layers of proxies. Law enforcement can trace attacks with ISP cooperation and legal authority, but attribution in real time is rarely possible. The botnet devices used are typically innocent victims themselves.
How much does DDoS mitigation cost?
Costs range from free (Cloudflare's free plan includes basic DDoS protection) to hundreds of thousands of dollars per year for enterprise-grade always-on mitigation. Most small businesses can get adequate protection for $20–$200/month through CDN providers. On-demand scrubbing for large-scale attacks can cost $1,000–$10,000 per incident.
Can a home connection be DDoS attacked?
Yes. Gamers and streamers are common targets. A home connection can usually be knocked offline with as little as 1 Gbps of attack traffic. ISPs can apply upstream blackholing, but this knocks your connection offline too. VPNs help by obscuring your real IP — if attackers don't know your IP, they can't target you. Hiding your IP address (see /how-to-prevent-ip-tracking) is the best prevention for individuals.
Is a DDoS attack illegal?
Yes, in virtually every jurisdiction. In the US, DDoS attacks violate the Computer Fraud and Abuse Act (CFAA) and can result in federal felony charges. In the UK, they violate the Computer Misuse Act. Even using commercial 'stresser' services against targets you don't own is illegal, regardless of how the service is marketed.
