DDoS Attack Explained: How Distributed Denial of Service Works

A DDoS (Distributed Denial of Service) attack floods a target — a server, network link, or application — with more traffic than it can handle, making it unavailable to legitimate users. The "distributed" part means the attack comes from thousands or millions of sources simultaneously, making simple IP-based blocking ineffective.

The Three Categories of DDoS Attacks

Volumetric attacks aim to saturate the target's upstream bandwidth with raw traffic volume, measured in Gbps or Tbps; the target's internet link is flooded before the traffic even reaches its servers.

  • UDP flood: Sends high volumes of UDP packets to random ports, consuming bandwidth and forcing the target to process and reject each one.
  • Amplification attacks: Exploit protocols with small requests that produce large responses — DNS (amplification factor ~30×), NTP (700×), memcached (51,000×). The attacker spoofs the victim's IP as the source; the amplifier sends the large response to the victim. Tiny attack bandwidth creates massive victim traffic.
  • ICMP flood: Floods the target with ping requests (echo requests), consuming both bandwidth and CPU for processing.
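
The reflection pattern behind amplification attacks leaves a clear trace on the victim's side: large UDP responses from many amplifier hosts to a destination that never sent matching requests. The following detector, written for this article as an added example (not the article's own code or any vendor's), runs that check over flow records. The flow records, the documentation addresses in them, the field names and the thresholds are all constructed assumptions.

```python
"""Spot reflection/amplification traffic in flow records from the victim side.

Added example, not code from the article. The flow records are constructed
(documentation addresses), and the field names and thresholds are assumptions.
"""
from collections import defaultdict

# Services the article names as amplifiers, keyed by their UDP port.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}


def detect_reflection(flows, min_sources=10, min_ratio=10.0):
    """Return an alert for each (host, service) that receives far more
    response bytes from amplifier ports than it sent in requests.

    A flow is a dict with keys src, sport, dst, dport, proto, bytes.
    Inbound responses have proto "udp" and sport in AMPLIFIER_PORTS;
    outbound requests have proto "udp" and dport in AMPLIFIER_PORTS.
    """
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    outbound = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["sport"] in AMPLIFIER_PORTS:
            entry = inbound[(f["dst"], f["sport"])]
            entry["bytes"] += f["bytes"]
            entry["sources"].add(f["src"])
        if f["dport"] in AMPLIFIER_PORTS:
            outbound[(f["src"], f["dport"])] += f["bytes"]

    alerts = []
    for (host, port), stats in inbound.items():
        sent = outbound.get((host, port), 0)
        # Responses the host never asked for (or far larger than what it
        # asked for) mean its address was spoofed as the request source.
        ratio = stats["bytes"] / sent if sent else float("inf")
        if len(stats["sources"]) >= min_sources and ratio >= min_ratio:
            alerts.append({
                "victim": host,
                "service": AMPLIFIER_PORTS[port],
                "sources": len(stats["sources"]),
                "inbound_bytes": stats["bytes"],
                "outbound_bytes": sent,
                "ratio": ratio,
            })
    return sorted(alerts, key=lambda a: a["inbound_bytes"], reverse=True)


def build_sample_flows():
    """Constructed sample: one reflection victim and one benign resolver."""
    flows = []
    # Victim 198.51.100.7 receives large NTP answers from 50 distinct servers
    # to requests it never sent.
    for i in range(50):
        flows.append({"src": f"192.0.2.{i + 1}", "sport": 123,
                      "dst": "198.51.100.7", "dport": 40000 + i,
                      "proto": "udp", "bytes": 44000})
    # A recursive resolver at 198.51.100.20 queries 20 authoritative servers
    # and gets ordinary answers back: many sources, but a low byte ratio.
    for i in range(20):
        auth = f"203.0.113.{i + 1}"
        flows.append({"src": "198.51.100.20", "sport": 50000 + i, "dst": auth,
                      "dport": 53, "proto": "udp", "bytes": 560})
        flows.append({"src": auth, "sport": 53, "dst": "198.51.100.20",
                      "dport": 50000 + i, "proto": "udp", "bytes": 1440})
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(build_sample_flows()):
        print(alert)
```

The benign resolver is the important negative case: it also talks to many DNS servers, but its inbound-to-outbound byte ratio is a few times one, not tens or thousands, so the source count alone would be a poor signal. On a real network the same logic is usually applied at the border router's flow export, and the interesting detail is that the victim can detect the attack without seeing any of the attacker's own packets.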

Protocol attacks exploit weaknesses in Layer 3/4 protocols to exhaust server or infrastructure resources — connection tables, firewall state tables — rather than bandwidth.

  • SYN flood: Sends TCP SYN packets but never completes the handshake. The server allocates state for each half-open connection, exhausting its connection table. Historically one of the most common attacks.
  • Smurf attack: Sends ICMP echo requests to a broadcast address with the victim's spoofed IP; all hosts on the segment reply to the victim.
  • Ping of Death: Sends malformed oversized ICMP packets that crash vulnerable OS network stacks. Largely historical — patched in modern systems.

Application-layer attacks (Layer 7) send seemingly legitimate requests to exhaust server-side resources — CPU, database connections, or memory — rather than bandwidth. They are much harder to distinguish from real traffic.

  • HTTP flood: Sends enormous volumes of valid HTTP GET or POST requests. Each request consumes server CPU and database resources. A 1 Gbps HTTP flood can overwhelm servers that would survive a 100 Gbps volumetric attack.
  • Slowloris: Opens many HTTP connections and sends headers very slowly, keeping connections open and exhausting the server's connection pool without sending much traffic at all.
  • DNS query flood: Floods a DNS server with random subdomain queries, exhausting its resolver capacity.
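
Two of the application-layer attacks above are answered by two small server-side controls: a per-client request budget for HTTP floods, and a deadline on how long a connection may take to finish its request headers for Slowloris. The code below is an added example written for this article (not the article's own code or any web server's implementation); the traffic it processes is constructed and the limits are illustrative assumptions.

```python
"""Two application-layer controls, as an added example (not the article's code
or any server's implementation): a per-client token bucket against HTTP floods
and a header-completion deadline against Slowloris. All traffic below is
constructed and the limits are illustrative.
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Token bucket per client: `rate` requests/second sustained, bursts up to
    `burst`. allow() returning False means answer with HTTP 429 instead of
    spending CPU and database time on the request."""

    def __init__(self, rate=5.0, burst=10):
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def allow(self, client_ip, now):
        b = self.buckets.get(client_ip)
        if b is None:
            b = self.buckets[client_ip] = Bucket(tokens=float(self.burst), last=now)
        # Refill in proportion to elapsed time, capped at the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


@dataclass
class Conn:
    client_ip: str
    opened: float
    headers_complete: bool = False


def sweep_stalled(conns, now, header_deadline=10.0):
    """Close connections whose request headers are still incomplete after
    `header_deadline` seconds. Slowloris holds a worker slot by trickling
    header bytes indefinitely; the deadline bounds how long a slot is held."""
    stalled = [cid for cid, c in conns.items()
               if not c.headers_complete and now - c.opened > header_deadline]
    for cid in stalled:
        del conns[cid]
    return stalled


def simulate():
    """Constructed traffic: a flood client sending 100 requests 10 ms apart,
    a normal client sending 3 requests over 10 s, and 200 connections that
    never finish their headers next to one that did."""
    limiter = RateLimiter(rate=3.0, burst=10)
    flood = [limiter.allow("203.0.113.9", 100.0 + i / 100) for i in range(100)]
    normal = [limiter.allow("198.51.100.4", t) for t in (100.0, 104.0, 109.0)]
    conns = {f"slow-{i}": Conn("203.0.113.50", 100.0) for i in range(200)}
    conns["ok-1"] = Conn("198.51.100.4", 105.0, headers_complete=True)
    closed = sweep_stalled(conns, now=111.0, header_deadline=10.0)
    return {"flood_allowed": sum(flood), "normal_allowed": sum(normal),
            "closed": len(closed), "remaining": len(conns)}


if __name__ == "__main__":
    print(simulate())
```

With a burst of 10 and a sustained rate of 3 requests per second, the flood client gets its first 10 requests through and then only what the refill allows (12 of 100 in the simulation), while the normal client is never throttled. The header deadline is the same idea a web server applies with a client header timeout; the value should be a few seconds larger than the slowest legitimate client you expect, since a too-small deadline starts dropping users on poor connections.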

Botnets: The Attack Infrastructure

Most DDoS attacks use botnets — networks of compromised devices (home routers, IoT cameras, servers, PCs) running malware that receives commands from a C2 (command-and-control) server. The Mirai botnet (2016), built primarily from vulnerable IoT devices with default credentials, peaked at 1.2 Tbps — then the largest recorded DDoS attack. Modern botnets rent attack capacity by the hour on darknet markets.

Mitigation Techniques

  • Anycast network diffusion: Distribute traffic across many geographically dispersed PoPs (Points of Presence). Instead of one target absorbing 1 Tbps, 100 PoPs each absorb 10 Gbps — within capacity. Used by Cloudflare, Akamai, and other CDN/DDoS mitigation providers.
  • Rate limiting and traffic scrubbing: Filter traffic through scrubbing centers that identify attack signatures and drop malicious traffic before forwarding clean traffic to the origin.
  • BGP blackholing: Announce the attacked IP prefix to upstream providers with a blackhole community; all traffic to that IP is dropped at the network edge. Effective against volumetric attacks but also drops legitimate traffic — a last resort.
  • SYN cookies: A stateless technique for handling SYN floods — the server only allocates connection state when the three-way handshake completes, eliminating the half-open connection exhaustion vector.
  • Challenge-response (CAPTCHAs, JS challenges): Application-layer defense requiring clients to demonstrate they are browsers. Filters bots in HTTP flood scenarios.
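
The SYN cookie item above, together with the SYN flood it answers, is worth seeing concretely: the server encodes everything it would otherwise remember about a half-open connection into the initial sequence number of its SYN-ACK, and a client that completes the handshake hands that state back in its ACK. The code below is an added example written for this article (not the article's own code and not any operating system's implementation); it follows the classic cookie layout, and the secret key and the addresses in the demo are constructed.

```python
"""SYN cookies, as an added example (not the article's code or any kernel's
implementation). The state a server would normally keep for a half-open
connection is encoded into the initial sequence number (ISN) it sends in the
SYN-ACK, so a SYN that never completes the handshake costs no memory. The
layout (5-bit time counter, 3-bit MSS index, 24-bit MAC) follows the classic
scheme; the secret and the addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

# Encodable MSS values, ascending; the index must fit in 3 bits.
MSS_TABLE = (536, 1220, 1460, 4312)
# Constructed secret. A real server draws this at random and rotates it.
SECRET = b"constructed-secret-rotate-me"


def _mac24(src, sport, dst, dport, counter, mss_idx):
    """24-bit keyed MAC over the 4-tuple, the time counter and the MSS index."""
    msg = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst).packed
           + struct.pack("!HBB", dport, counter, mss_idx))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, sport, dst, dport, mss, t):
    """On SYN: return the ISN for the SYN-ACK. Nothing is stored server-side.
    `t` is a coarse clock (for example seconds // 64); only 5 bits survive."""
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            mss_idx = i  # largest table entry not above the client's MSS
    counter = t & 0x1F
    return ((counter << 27) | (mss_idx << 24)
            | _mac24(src, sport, dst, dport, counter, mss_idx))


def check_cookie(src, sport, dst, dport, ack, now, max_age=2):
    """On the final ACK: recover the cookie (ack - 1), check freshness and the
    MAC, and return the MSS to use, or None to drop the ACK silently."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((now & 0x1F) - counter) % 32 > max_age:
        return None  # too old: the counter has moved on
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, counter, mss_idx):
        return None  # not a cookie we issued for this 4-tuple
    return MSS_TABLE[mss_idx]


def demo():
    """Constructed handshake: a prompt ACK succeeds, a stale one and a
    tampered one are dropped. Returns (1460, None, None)."""
    src, sport, dst, dport, t = "203.0.113.77", 51234, "198.51.100.7", 443, 12345
    isn = make_cookie(src, sport, dst, dport, mss=1460, t=t)
    fresh = check_cookie(src, sport, dst, dport, isn + 1, now=t + 1)
    stale = check_cookie(src, sport, dst, dport, isn + 1, now=t + 20)
    tampered = check_cookie(src, sport, dst, dport, (isn ^ 0x1234) + 1, now=t + 1)
    return fresh, stale, tampered


if __name__ == "__main__":
    print(demo())
```

The trade-off is visible in the layout: the 32-bit sequence number has room for a clock, a rounded MSS and a short MAC, but not for the other options the client offered in its SYN (window scaling, selective acknowledgement), so a pure cookie connection runs without them. That is why Linux, with `net.ipv4.tcp_syncookies=1`, only switches to cookies once the SYN backlog overflows, and why its implementation carries the missing options in the TCP timestamp when the client supports it.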

Frequently Asked Questions

Can a DDoS attack steal data?

A pure DDoS disrupts availability, not confidentiality. However, DDoS is sometimes used as a distraction to divert security team attention from a simultaneous data exfiltration attempt. Treat a DDoS event as a potential smokescreen and monitor other systems during an attack.

What is the difference between DoS and DDoS?

DoS originates from a single source. DDoS uses many distributed sources — a botnet or amplification reflectors — simultaneously. DDoS is far harder to block by IP because attack traffic appears to come from thousands of legitimate-seeming addresses.
