DDoS Attacks Explained: How They Bring Down Websites and How to Survive One

A Distributed Denial of Service (DDoS) attack is one of the most common and disruptive weapons in a hacker’s arsenal. Unlike data-stealing attacks, the goal of a DDoS is simple: take something offline. Websites, APIs, DNS servers, gaming platforms — if it’s connected to the internet, it can be DDoS’d.

What Is a DDoS Attack?

A Denial of Service (DoS) attack floods a target with traffic until it can no longer respond to legitimate requests. A Distributed DoS attack uses thousands or millions of compromised machines (a botnet) to generate the flood, making it nearly impossible to block by IP address alone. The traffic comes from everywhere at once.

Types of DDoS Attacks

Volumetric Attacks (Layer 3/4)

The most common type, and the simplest: pure bandwidth saturation. Attackers send the target more traffic than its upstream links can carry, so legitimate packets are dropped before they ever reach the server. Bandwidth floods are measured in gigabits per second (Gbps); floods of small packets that aim to exhaust routers, firewalls and connection tables are measured in packets per second (PPS). Common subtypes:

  • UDP Flood: Sends massive amounts of UDP packets to random ports. For every port with no listening application the server replies with an ICMP “Destination Unreachable” message, so it burns CPU and outbound bandwidth answering garbage.
  • ICMP Flood (Ping Flood): Overwhelms the target with ICMP Echo Request packets, each of which the target answers with an Echo Reply, consuming bandwidth in both directions.
  • DNS Amplification: Sends small DNS queries, with the source address spoofed to the victim’s, to open DNS resolvers. The resolvers send their much larger responses to the victim, multiplying the attacker’s bandwidth by up to 70x. Because the source is spoofed, the victim only ever sees the resolvers, never the attacker, which is why this class is also called a reflection attack.
  • NTP Amplification: Same concept using Network Time Protocol servers that still answer the monlist command (a list of the last 600 clients that talked to the server): up to 556x amplification. Exposed memcached servers, the most extreme reflector found so far, are covered under the GitHub attack below.
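Reflection attacks leave a signature a defender can actually see: large UDP replies from port 53 or 123 arriving at a host that sent no matching request. The following added example (not code from the article; the flow records are constructed and the addresses come from the documentation ranges) pairs inbound replies with outbound requests in NetFlow-style records and reports, per service, the reflectors involved and the mean size of the reply packets.

```python
"""Spot DNS/NTP reflection in flow records by pairing inbound replies with the
outbound requests that should have caused them.  Added example, not code from
the article; the flow records below are constructed, not captured."""
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the port replies come FROM.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


OURS = "203.0.113.10"  # the address being protected (constructed)

# Constructed sample: two genuine DNS lookups with their replies, then two open
# resolvers and one NTP server sending large replies this host never asked for.
FLOWS = [
    Flow(OURS, 51000, "198.51.100.5", 53, 1, 72),
    Flow("198.51.100.5", 53, OURS, 51000, 1, 180),
    Flow(OURS, 51001, "198.51.100.6", 53, 1, 72),
    Flow("198.51.100.6", 53, OURS, 51001, 1, 164),
    Flow("192.0.2.20", 53, OURS, 80, 400, 1_200_000),   # ~3000 B per packet
    Flow("192.0.2.21", 53, OURS, 80, 380, 1_140_000),
    Flow("192.0.2.22", 123, OURS, 80, 900, 432_000),    # ~480 B per packet
]


def analyze(flows, ours, min_bytes=100_000):
    """Per service: bytes that answer a request we sent vs. bytes that answer
    nothing, the mean size of the unsolicited reply packets, and the reflector
    addresses that sent at least min_bytes we never asked for."""
    # Outbound requests to reflector ports, keyed as the reply will look.
    requests = {(f.dst, f.dport, f.sport) for f in flows
                if f.src == ours and f.dport in REFLECTOR_PORTS}
    report = {}
    for f in flows:
        if f.dst != ours or f.sport not in REFLECTOR_PORTS:
            continue
        svc = REFLECTOR_PORTS[f.sport]
        r = report.setdefault(svc, {"solicited_bytes": 0, "unsolicited_bytes": 0,
                                    "unsolicited_packets": 0, "reflectors": []})
        if (f.src, f.sport, f.dport) in requests:
            r["solicited_bytes"] += f.bytes
        else:
            r["unsolicited_bytes"] += f.bytes
            r["unsolicited_packets"] += f.packets
            if f.bytes >= min_bytes and f.src not in r["reflectors"]:
                r["reflectors"].append(f.src)
    for r in report.values():
        pk = r["unsolicited_packets"]
        r["mean_unsolicited_pkt"] = r["unsolicited_bytes"] / pk if pk else 0.0
    return report


def blocklist(report):
    """Reflector addresses worth an upstream ACL.  These are the reflectors,
    not the attacker: the spoofed requests never pass through our network."""
    return sorted({ip for r in report.values() for ip in r["reflectors"]})


if __name__ == "__main__":
    rep = analyze(FLOWS, OURS)
    for svc, r in rep.items():
        print(svc, r)
    print("block:", blocklist(rep))
```

A 3000-byte reply to a 72-byte query is the amplification factor made visible (about 40x here); the practical lesson is that the addresses you can block are the reflectors, while the real attacker, hiding behind spoofed sources, never appears in the data.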

Protocol Attacks (Layer 3/4)

These exploit weaknesses in network protocols to exhaust server resources, firewalls, or load balancers.

  • SYN Flood: Exploits the TCP handshake. The attacker sends thousands of SYN (synchronization) packets, usually from spoofed addresses, and never completes the handshake. The server answers each with a SYN-ACK and keeps a half-open connection while it waits for the final ACK, until its connection backlog is full and real clients can no longer connect. The standard defence is SYN cookies (net.ipv4.tcp_syncookies on Linux): the server encodes the connection state into the initial sequence number of its SYN-ACK instead of storing it, so a spoofed SYN costs it no memory at all.
  • Ping of Death: Sends malformed or oversized packets (fragments that reassemble to more than the 65,535-byte IP maximum) that crash older, unpatched systems.
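To see why SYN cookies make the server immune to backlog exhaustion, here is a simplified SYN cookie in Python. It is an added example, not the article’s or any kernel’s code: the bit layout (6 bits of time slot, 2 bits of MSS class, a 24-bit HMAC tag), the MSS table and the secret key are assumptions chosen for the demo, and Linux uses a different layout and hash.

```python
"""Toy SYN cookie, the standard SYN-flood defence: instead of storing a
half-open connection per SYN, the server folds the state it needs into the
initial sequence number (ISN) of its SYN-ACK and recovers it from the client's
final ACK.  Added example, not from the article; layout and hash are a
simplification of what real kernels do, not a copy."""
import hashlib
import hmac

SECRET = b"per-boot random key"       # assumption: regenerated at every boot
MSS_TABLE = (536, 1220, 1440, 1460)   # 2 cookie bits select an MSS class
SLOT = 64                             # time granularity in seconds


def _mac(saddr, sport, daddr, dport, t):
    """24-bit tag binding the cookie to the connection 4-tuple and time slot."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Server side, on SYN: the ISN to send in the SYN-ACK.
    Layout: [t: 6 bits][mss index: 2 bits][mac: 24 bits].  Nothing is stored."""
    t = (now // SLOT) & 0x3F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= client_mss:
            mss_idx = i               # largest class not above what the client offered
    mac = int.from_bytes(_mac(saddr, sport, daddr, dport, t), "big")
    return (t << 26) | (mss_idx << 24) | mac


def check_ack(ack_number, saddr, sport, daddr, dport, now, max_age_slots=2):
    """Server side, on the final ACK: the client acknowledges ISN+1, so the
    cookie is ack_number-1.  Returns the MSS to use, or None to drop the ACK."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = (cookie >> 26) & 0x3F
    mss_idx = (cookie >> 24) & 0x3
    age = (((now // SLOT) & 0x3F) - t) & 0x3F
    if age > max_age_slots:
        return None                   # too old: replayed or hopelessly slow
    expected = _mac(saddr, sport, daddr, dport, t)
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None                   # forged, or an ACK from another 4-tuple
    return MSS_TABLE[mss_idx]


def handshake(client, server, client_mss, now):
    """Walk the three-way handshake for a real client.  A spoofing attacker
    never receives the SYN-ACK, so it cannot produce the ACK that check_ack
    accepts, and the server has allocated nothing in the meantime."""
    isn = make_cookie(client[0], client[1], server[0], server[1], client_mss, now)
    return check_ack(isn + 1, client[0], client[1], server[0], server[1], now)


if __name__ == "__main__":
    print(handshake(("192.0.2.1", 40000), ("203.0.113.10", 443), 1460, 1_700_000_000))
```

The cost of the trick is visible in the layout: only a handful of TCP options survive (here just a coarse MSS), which is why kernels enable cookies only once the backlog overflows rather than for every connection.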

Application Layer Attacks (Layer 7)

The most sophisticated and hardest to detect. Instead of flooding bandwidth, these attacks send seemingly legitimate HTTP requests that are computationally expensive for the server to process.

  • HTTP Flood: Sends massive numbers of GET or POST requests, typically aimed at the most expensive pages (search, login, report generation), to exhaust server CPU, memory and database capacity.
  • Slowloris: Opens many connections and sends partial HTTP headers extremely slowly, a few bytes at a time, keeping every connection open and exhausting the server’s connection limit while generating almost no traffic.
  • Cache Bypass: Sends requests with a unique query string or path on every request so that each one misses the CDN cache and is served by the origin server directly.
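Cache busting only works because the CDN puts the whole query string into its cache key. Below is an added example (not the article’s code) of normalising the cache key to a per-path allow-list of parameters, with a tiny counting cache in front of a pretend origin to show how many requests still get through; the paths, parameter names and traffic are assumptions constructed for the demo.

```python
"""Cache-key normalisation against cache busting: only parameters that really
change the response take part in the cache key, so '?q=shoes&cb=8271' and
'?q=shoes&cb=8272' hit the same cached object instead of the origin.  Added
example, not from the article; allow-list and URLs are assumptions."""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: the application owner knows which parameters each path honours.
ALLOWED_PARAMS = {
    "/search": {"q", "page"},
    "/products": {"category", "sort"},
}


def cache_key(url):
    """Path plus the allowed parameters in sorted order; everything else is
    dropped.  Unknown paths keep no parameters at all (fail closed: cache more)."""
    parts = urlsplit(url)
    allowed = ALLOWED_PARAMS.get(parts.path, set())
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k in allowed)
    return parts.path + ("?" + urlencode(kept) if kept else "")


class Edge:
    """A minimal cache in front of an origin that merely counts what reaches it."""

    def __init__(self, keyfunc):
        self.keyfunc = keyfunc
        self.store = {}
        self.origin_requests = 0

    def get(self, url):
        key = self.keyfunc(url)
        if key not in self.store:
            self.origin_requests += 1        # cache miss: the origin does the work
            self.store[key] = f"rendered {key}"
        return self.store[key]


def origin_load(urls, keyfunc):
    """How many of these requests reach the origin under a given cache key rule."""
    edge = Edge(keyfunc)
    for u in urls:
        edge.get(u)
    return edge.origin_requests


# Constructed traffic: 1000 requests for the same search, each with a unique
# cache-buster, the classic Layer 7 trick for forcing origin hits.
ATTACK = [f"https://example.com/search?q=shoes&cb={i}" for i in range(1000)]
# Constructed legitimate traffic: a handful of distinct searches, repeated.
LEGIT = [f"https://example.com/search?q={q}&page={p}"
         for _ in range(50) for q in ("shoes", "boots") for p in (1, 2)]

if __name__ == "__main__":
    print("naive key, attack:", origin_load(ATTACK, lambda u: u))
    print("normalised key, attack:", origin_load(ATTACK, cache_key))
    print("normalised key, legit:", origin_load(LEGIT, cache_key))
```

Real CDNs expose this as cache key or query string sorting/ignoring settings; the same idea applies to headers and cookies. It does not help when the attacker varies a parameter that legitimately changes the response (random search terms) or the path itself, which is why cache-key hygiene is combined with rate limiting on uncacheable endpoints rather than used instead of it.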

How Botnets Work

DDoS attacks are powered by botnets — networks of infected devices (computers, servers, IoT devices like cameras and routers) controlled by a Command and Control (C2) server. Owners of infected devices usually have no idea they’re participating in an attack.

The Mirai botnet (2016) infected roughly 600,000 IoT devices (mostly security cameras, DVRs and home routers that still accepted factory default telnet credentials). In September 2016 it hit the KrebsOnSecurity blog with about 620 Gbps, among the largest attacks recorded at the time, and in October 2016 it flooded the DNS provider Dyn, making major websites like Twitter, Reddit, Netflix, and GitHub unreachable for hours because their domain names could no longer be resolved.

Notable DDoS Attacks

GitHub (2018) — 1.35 Tbps

GitHub was hit with what was then the largest DDoS attack ever recorded, 1.35 terabits per second. The attack used Memcached amplification: memcached servers left exposed to the internet on UDP port 11211 answer a tiny request with responses up to 51,000 times larger. GitHub detected the flood within minutes, rerouted its traffic through its DDoS mitigation provider, and the attack was scrubbed within about ten minutes of the first packets. The short downtime was a testament to their preparedness: the mitigation contract and the failover path existed before the attack, not after it.

AWS (2020) — 2.3 Tbps

Amazon Web Services absorbed a 2.3 Tbps DDoS attack in February 2020, the largest ever recorded at the time. It was a CLDAP reflection attack (Connectionless LDAP, yet another UDP service abused as an amplifier). AWS Shield mitigated it with minimal impact to customers; AWS disclosed it in its AWS Shield Threat Landscape Report for the first quarter of 2020.

Spamhaus (2013)

Anti-spam organization Spamhaus was hit with a DNS amplification attack peaking around 300 Gbps after it blacklisted a Dutch hosting provider. Once Spamhaus moved behind Cloudflare, the attackers turned the flood on Cloudflare’s upstream transit providers and on internet exchange points, congesting links that carried unrelated traffic and slowing connectivity for some users in Europe.

How to Defend Against DDoS Attacks

1. Use a DDoS Protection Service

Cloudflare’s free plan already includes network-layer DDoS mitigation: their infrastructure absorbs attack traffic at the network edge, far from your origin server. For more control (custom rules, application-layer rate limiting, someone to call during an attack), Cloudflare’s paid plans, Akamai, or AWS Shield Advanced offer more sophisticated mitigation.

2. Use a Content Delivery Network (CDN)

A CDN distributes your content across many global servers. Cached responses are served from the edge, so both volumetric and many application-layer attacks are spread across a far larger infrastructure than any single origin could offer. The caveat is that this only works if the origin cannot be reached directly: restrict the origin’s firewall to the CDN provider’s published address ranges, and keep the origin IP out of DNS records, historical DNS data and outgoing email headers, otherwise attackers simply go around the CDN.

3. Rate Limiting

Configure your web server or WAF to cap the number of requests a single client address can make per second and reject the excess (HTTP 429 or a drop). This blunts HTTP floods from a modest number of sources without affecting legitimate users much, but a large botnet can stay under any per-IP threshold, and Slowloris barely sends requests at all: against it you need per-connection header and body timeouts and a cap on concurrent connections per address (in nginx, client_header_timeout and limit_conn alongside limit_req). Behind a CDN or proxy, key the limit on the real client address taken from the proxy’s header, and only when the connection really comes from the proxy, otherwise every client looks like the proxy itself.
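The following added example (not code from the article) replays access-log lines through one token bucket per client address, which is what most rate-limiting modules implement. It serves both the HTTP flood description above and this section; the log lines are constructed in make_lines(), and the limit of 5 requests per second with a burst of 10 is an assumption for the demo.

```python
"""Per-client token-bucket limiter replayed over web-server access-log lines,
to show what request-rate limiting does and does not catch.  Added example,
not from the article; the log lines are constructed in make_lines()."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Common Log Format prefix: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def parse(line):
    """Return (client_ip, epoch_seconds, request_line) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["req"]


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; each request costs one."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def replay(lines, rate=5.0, burst=10):
    """Feed log lines (in time order) through one bucket per client address and
    count, per address, how many requests would have been allowed or limited."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    verdict = defaultdict(lambda: {"allowed": 0, "limited": 0})
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        verdict[ip]["allowed" if buckets[ip].allow(ts) else "limited"] += 1
    return {ip: dict(v) for ip, v in verdict.items()}


def make_lines():
    """Constructed log: two ordinary visitors (one request every 2 s) and one
    address firing 200 requests inside a single second, sorted by time."""
    base = 1_700_000_000

    def fmt(ip, t, path):
        ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    events = []
    for i in range(15):
        events.append((base + 2 * i, fmt("192.0.2.10", base + 2 * i, "/")))
        events.append((base + 2 * i + 1, fmt("192.0.2.11", base + 2 * i + 1, "/about")))
    events += [(base + 3, fmt("198.51.100.77", base + 3, f"/search?q={i}"))
               for i in range(200)]
    events.sort(key=lambda e: e[0])
    return [line for _, line in events]


if __name__ == "__main__":
    for ip, counts in replay(make_lines()).items():
        print(ip, counts)
```

The flooding address gets its burst of 10 and is then rejected for the rest of the second, while the two ordinary visitors are never touched. Change the constructed traffic to 200 addresses sending one request each and the same limiter allows everything: per-address limits are a control against crude floods, not a defence against a real botnet.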

4. Anycast Network Diffusion

Anycast routing distributes attack traffic across multiple data centers in different geographic locations, preventing any single location from being overwhelmed.

5. Have an Incident Response Plan

Know what to do before an attack happens. Identify your DDoS mitigation provider, document escalation procedures, and test your response. The worst time to figure out your DDoS plan is during an active attack.

6. Change Default Credentials on IoT Devices

Don’t contribute to botnets. Change default usernames and passwords on all routers, cameras, smart TVs, and IoT devices, disable telnet and any remote management you don’t use, and keep firmware updated. The original Mirai spread by trying a short list of factory default credentials over telnet, so a device with a changed password was simply passed over.

Summary

DDoS attacks are a constant threat for any internet-facing service. The good news is that effective protection is accessible even for small organizations — Cloudflare’s free tier provides solid baseline protection. For anything mission-critical, invest in proper DDoS mitigation before you need it. An hour of downtime costs far more than a year of protection.