DDoS

Distributed Denial of Service

A flood of traffic from thousands of compromised devices that overwhelms a target — a server, website, or home connection — making it unavailable to legitimate users.

In a DDoS (Distributed Denial of Service) attack, the attacker controls a botnet — a network of silently compromised devices (home routers, cameras, IoT gadgets, PCs) — and commands them all to send traffic to the target simultaneously. The combined volume can reach hundreds of gigabits per second, exhausting bandwidth, connection-state tables, or server CPU before a single legitimate request gets through.

DoS vs DDoS

A DoS (Denial of Service) attack originates from a single source machine. Because it has one source IP, it is straightforward to block at the firewall. DDoS scales this to thousands or millions of sources simultaneously — the traffic comes from legitimate-looking IP addresses distributed across the globe, making IP-based blocking ineffective. The "distributed" aspect is what makes DDoS so difficult to stop at the target: you cannot simply block an attacker's address because there are hundreds of thousands of them.

Attack categories

Category            Target                     Method                               Examples
Volumetric          Bandwidth (Gbps / Mpps)    Flood the pipe with raw traffic      UDP flood, ICMP flood, DNS amplification
Protocol            Connection-state tables    Exhaust firewall/server resources    SYN flood, ACK flood, fragmented packet flood
Application layer   Server CPU and memory      Mimic legitimate requests at scale   HTTP flood, Slowloris, HTTPS flood

Volumetric attacks are measured in gigabits per second (Gbps) for bandwidth exhaustion and millions of packets per second (Mpps) for packet-processing exhaustion. The largest recorded attacks have exceeded 3 Tbps. Protocol attacks are measured in packets per second — a SYN flood sends half-open TCP connection requests faster than the server can process or time out stale entries, filling the connection-state table until legitimate connections are refused. Application-layer attacks are measured in requests per second; Slowloris keeps many connections open with partial HTTP requests, consuming server threads without sending much traffic at all.

Amplification attacks

Amplification (also called reflection) attacks exploit open servers that return responses much larger than the request. The attacker spoofs the victim's IP as the source address, then sends small queries to thousands of open DNS resolvers or NTP servers. Each server sends its (large) response to the victim rather than the attacker. DNS amplification achieves a factor of 28–54x — a 40-byte query returns a 1,700-byte response. NTP amplification using the monlist command returns up to 206 times the request size. The attacker generates a fraction of the final traffic volume while the victim's connection is hit by all of it from thousands of legitimate server IPs.
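The two patterns described above, a SYN flood (many sources that send a SYN and never complete the handshake) and a DNS/NTP reflection flood (large UDP replies from many distinct resolvers or NTP servers converging on one address), can both be spotted in flow records. The following is an added example for this entry, not code from the page; the record format, the sample flows and the thresholds are assumptions chosen for illustration.

```python
# Added example, not code from the page: flow-record detector for the SYN-flood and
# DNS/NTP reflection patterns described above. Format and thresholds are assumptions.
from collections import defaultdict

# Constructed sample: "proto src_ip:src_port dst_ip:dst_port tcp_flags bytes"
SAMPLE_FLOWS = """
tcp 10.0.0.5:40001 203.0.113.10:443 S 60
tcp 10.0.0.5:40001 203.0.113.10:443 A 52
tcp 198.51.100.7:1025 203.0.113.10:443 S 60
tcp 198.51.100.8:1026 203.0.113.10:443 S 60
tcp 198.51.100.9:1027 203.0.113.10:443 S 60
udp 192.0.2.1:53 203.0.113.10:33000 - 1700
udp 192.0.2.2:53 203.0.113.10:33000 - 1652
udp 192.0.2.3:123 203.0.113.10:33000 - 468
udp 10.0.0.5:51000 192.0.2.9:53 - 40
"""
REFLECTOR_PORTS = {53, 123}  # DNS and NTP source ports: the reflectors named in the text

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        proto, src, dst, flags, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"proto": proto, "src": sip, "sport": int(sport), "dst": dip,
                      "dport": int(dport), "flags": flags, "bytes": int(nbytes)})
    return flows

def detect_syn_flood(flows, min_sources=3):
    """Destinations with >= min_sources distinct sources that sent a SYN but never an ACK."""
    syn, ack = defaultdict(set), defaultdict(set)
    for f in (f for f in flows if f["proto"] == "tcp"):
        if "S" in f["flags"]:
            syn[f["dst"]].add(f["src"])
        if "A" in f["flags"]:
            ack[f["dst"]].add(f["src"])
    half_open = {d: syn[d] - ack[d] for d in syn}  # half-open = SYN seen, no ACK ever seen
    return {d: len(s) for d, s in half_open.items() if len(s) >= min_sources}

def detect_reflection(flows, min_reflectors=3, min_avg_bytes=400):
    """Large UDP replies from many distinct DNS/NTP hosts converging on one destination."""
    per_dst = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and f["sport"] in REFLECTOR_PORTS:
            per_dst[f["dst"]].append(f)
    hits = {}
    for dst, fl in per_dst.items():
        reflectors = {f["src"] for f in fl}
        avg = sum(f["bytes"] for f in fl) / len(fl)
        if len(reflectors) >= min_reflectors and avg >= min_avg_bytes:
            hits[dst] = {"reflectors": len(reflectors), "avg_bytes": round(avg)}
    return hits
```

The legitimate client 10.0.0.5 completes its handshake and sends its own small DNS query, so neither detector counts it; only the three half-open sources and the three large replies from port 53/123 are flagged.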

How ISPs and CDNs mitigate DDoS

Large-scale mitigation works at the network level, before traffic reaches the target. ISPs use BGP blackholing: announcing a route for the victim's IP that sends all traffic for that address to a null route, sacrificing the victim's connectivity to stop the flood from consuming upstream links. A more refined option is a scrubbing center, which absorbs the attack traffic, filters out malicious packets, and forwards only clean traffic to the origin. CDNs like Cloudflare use anycast routing: the same IP prefix is announced from hundreds of Points of Presence worldwide, so attack traffic is automatically spread across all of those locations, each absorbing a fraction of the total, and no single location sees the full volume. Web Application Firewalls (WAFs) sit in front of the application layer and rate-limit, challenge, or block suspicious request patterns during application-layer attacks.
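The rate-limit / challenge / block decision a WAF makes per client during an application-layer flood can be expressed as a sliding-window counter. This is an added example for this entry, not any vendor's code; the access-log format, the window and the two thresholds are assumptions chosen for illustration.

```python
# Added example, not any vendor's code: the allow / challenge / block decision a WAF
# makes per client in a sliding window. Log format and thresholds are assumptions.
from collections import defaultdict, deque

WINDOW_SECONDS = 10
CHALLENGE_AT = 5   # requests inside the window before the client is challenged (assumed)
BLOCK_AT = 8       # requests inside the window before the client is blocked (assumed)

class RateLimiter:
    def __init__(self, window=WINDOW_SECONDS, challenge_at=CHALLENGE_AT, block_at=BLOCK_AT):
        self.window, self.challenge_at, self.block_at = window, challenge_at, block_at
        self.history = defaultdict(deque)  # client ip -> request timestamps in window

    def decide(self, ip, ts):
        """Record one request at time ts and return 'allow', 'challenge' or 'block'."""
        q = self.history[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop requests older than the window
            q.popleft()
        if len(q) >= self.block_at:
            return "block"
        if len(q) >= self.challenge_at:
            return "challenge"
        return "allow"

# Constructed access log: "timestamp client_ip method path". One client browses
# normally; another hammers the search endpoint at one request per second.
SAMPLE_LOG = "0 203.0.113.5 GET /\n" + "\n".join(
    f"{t} 198.51.100.9 GET /search?q={t}" for t in range(1, 12))

def run(log_text, limiter=None):
    """Apply the limiter to every log line; return per-client verdict counts."""
    limiter = limiter or RateLimiter()
    verdicts = defaultdict(lambda: defaultdict(int))
    for line in log_text.strip().splitlines():
        ts, ip, _method, _path = line.split()
        verdicts[ip][limiter.decide(ip, float(ts))] += 1
    return {ip: dict(v) for ip, v in verdicts.items()}
```

A challenge (for example a JavaScript or CAPTCHA check) is served before an outright block so that a legitimate client that briefly bursts is slowed rather than cut off.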

Impact on home users and gaming DDoS

Home connections are vulnerable when an attacker knows your public IP. For online gamers, IP addresses can leak through peer-to-peer game connections, voice chat software, or by provoking another player who then uses a "booter" service. Even a modest 500 Mbps flood saturates most home connections completely. The simplest fix is requesting a new IP from your ISP; most can reassign one within minutes. A gaming VPN, or the VPN features built into some gaming routers, hide your real IP from other players, preventing targeted attacks before they start. Home users can also become unwitting participants in DDoS attacks if their devices are compromised and added to a botnet; keeping router firmware updated and changing default credentials reduces this risk.

Frequently Asked Questions

What is the difference between DoS and DDoS?

DoS (Denial of Service) comes from a single source and can be blocked by firewalling that IP. DDoS uses thousands of sources via a botnet — there is no single IP to block.

Can a home connection be DDoSed?

Yes. If an attacker knows your public IP, they can saturate your connection. Contact your ISP to rotate your IP, or use a VPN to hide your real address.

What is a DDoS amplification attack?

Small requests are sent to open DNS or NTP servers with the victim's IP spoofed as source. Those servers send large responses to the victim — the attacker amplifies their traffic 10–100x without sending it directly.
