
What Is a DDoS Attack? When the Internet Fights Dirty

Tags: ddos, security, attack, networking, botnet

A DDoS (Distributed Denial of Service) attack is a cyberattack where thousands or millions of compromised devices (a botnet) simultaneously flood a target server, service, or network with so much traffic that legitimate users can’t get through. It’s the digital equivalent of ten thousand people trying to walk through a single doorway at once. Nobody actually gets in, and the doorway (or in this case, the website) becomes completely unusable. DDoS attacks don’t steal data or break into systems; they just make things unavailable, which can be just as devastating for businesses that depend on being online.

How a DDoS Attack Works

The basic concept is brutally simple: overwhelm the target by sending more traffic than it can handle. But the execution has gotten surprisingly sophisticated.

Building the Botnet

Most DDoS attacks don’t come from one computer. They come from botnets, which are networks of infected devices controlled by an attacker. These devices can be:

  • Computers infected with malware
  • IoT devices with default passwords (security cameras, smart TVs, routers)
  • Cloud servers rented with stolen credit cards
  • Compromised web servers

The largest botnets have consisted of millions of devices. The Mirai botnet (2016) was built almost entirely from IoT devices that still used factory credentials such as admin/admin, and its attacks were reported at around 1 Tbps (terabit per second). To put that in perspective, a typical single web server sits behind a 1 Gbps uplink, and even well-provisioned ones rarely exceed 10 Gbps. A 1 Tbps attack is 1,000 times more traffic than a 1 Gbps link can carry, so the link saturates long before the server itself is the bottleneck.

Launching the Attack

The attacker sends a command to all botnet devices: “Start sending traffic to this IP address.” Each individual device might only send a small amount of traffic, but multiplied across thousands or millions of devices, the aggregate volume is enormous.

The target’s servers, load balancers, or network infrastructure get overwhelmed. They either crash, slow to a crawl, or burn through bandwidth allotments that cost real money. Meanwhile, legitimate users trying to access the service get timeouts, errors, or infinitely loading pages.

Types of DDoS Attacks

Not all DDoS attacks work the same way. They generally fall into three categories:

Volumetric Attacks (The Flood)

The simplest approach: just send as much traffic as possible. The goal is to consume all available bandwidth between the target and the rest of the internet.

UDP flood: Send massive amounts of UDP packets to random ports on the target. For each packet, the target checks for an application listening on that port, finds nothing, and sends back an ICMP “destination unreachable” (port unreachable) message, wasting CPU and bandwidth on junk. Because UDP has no handshake, the source addresses can be spoofed freely.

DNS amplification: Send small DNS queries to open recursive resolvers with the source IP spoofed to the target’s IP. The resolvers send their much larger responses to the target. A query of roughly 60 bytes asking for a record with large answer data (historically the ANY type, or DNSSEC-signed zones, with EDNS0 allowing big UDP responses) can draw a response approaching 4,000 bytes, an amplification factor of roughly 65x. The attacker never talks to the victim directly; the resolvers do, which is why this is also called a reflection attack.

NTP amplification: Same concept but using NTP (Network Time Protocol) servers. The monlist command returns a list of the last 600 clients that contacted the server, so a tiny request generates a response hundreds of times larger, all directed at the victim. Current ntpd releases disable monlist by default, but unpatched servers still exist, and other UDP services (SSDP, CLDAP, memcached) have been abused the same way.
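The tell-tale sign of every reflection attack above is the same: the victim receives large responses from well-known UDP service ports that it never sent queries to. The following added example (not code from the original article) runs that check over constructed flow records. The record layout (source IP, source port, destination IP, destination port, bytes) and the thresholds are assumptions chosen for illustration, not any vendor’s export format.

```python
"""Spot reflection/amplification traffic in flow records.

Added example, not part of the original article. The flow records below
are constructed; the five-field layout and thresholds are assumptions.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the server-side port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

VICTIM = "203.0.113.10"

# Constructed records: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # Legitimate: the victim asks its own resolver a question and gets a modest answer.
    (VICTIM, 40001, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, VICTIM, 40001, 120),
    # Legitimate: a normal NTP sync (48-byte request, 48-byte reply).
    (VICTIM, 123, "198.51.100.123", 123, 48),
    ("198.51.100.123", 123, VICTIM, 123, 48),
]
# Reflected DNS answers from 50 open resolvers the victim never queried.
for i in range(50):
    FLOWS.append((f"192.0.2.{i + 1}", 53, VICTIM, 12345, 3900))
# Reflected NTP monlist responses from 20 servers the victim never asked.
for i in range(20):
    FLOWS.append((f"198.18.0.{i + 1}", 123, VICTIM, 54321, 440))


def find_reflection(flows, victim, min_ratio=10.0, min_sources=5):
    """Return {service: report} for reflector ports where bytes flowing INTO the
    victim from that port dwarf what the victim itself SENT to that port, and
    the replies come from many distinct hosts (one chatty resolver is not an attack)."""
    inbound = defaultdict(int)     # port -> bytes the victim received from that port
    outbound = defaultdict(int)    # port -> bytes the victim sent to that port
    sources = defaultdict(set)     # port -> distinct reflector addresses
    for src, sport, dst, dport, nbytes in flows:
        if dst == victim and sport in REFLECTOR_PORTS:
            inbound[sport] += nbytes
            sources[sport].add(src)
        elif src == victim and dport in REFLECTOR_PORTS:
            outbound[dport] += nbytes

    hits = {}
    for port, in_bytes in inbound.items():
        out_bytes = outbound.get(port, 0)
        ratio = in_bytes / max(out_bytes, 1)   # avoid division by zero when nothing was sent
        if ratio >= min_ratio and len(sources[port]) >= min_sources:
            hits[REFLECTOR_PORTS[port]] = {
                "inbound_bytes": in_bytes,
                "outbound_bytes": out_bytes,
                "ratio": round(ratio, 1),
                "reflectors": len(sources[port]),
            }
    return hits


if __name__ == "__main__":
    for service, report in find_reflection(FLOWS, VICTIM).items():
        print(f"{service}: {report}")
```

Two caveats a practitioner would want: the source addresses in the hits are the abused reflectors, not the attacker, so blocking them individually is pointless (and the legitimate resolver is mixed in); and at real volumes you are looking at sampled flow data from an upstream router, not the victim’s own capture, because the victim’s link is already full.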

Protocol Attacks (The Exploit)

These target weaknesses in network protocols to exhaust server resources.

SYN flood: Send thousands of TCP SYN packets (the first step of the three-way handshake), usually from spoofed addresses, without ever completing the handshake. The server replies with a SYN-ACK and allocates state for each half-open connection while it waits for the final ACK that never comes. Eventually the backlog fills and it can’t accept legitimate connections. The standard defense is SYN cookies: the server encodes the connection details into its SYN-ACK sequence number instead of storing them, and only allocates state when a valid ACK comes back.
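As an added example (not code from the original article), here is the SYN cookie idea in Python: the server stores nothing between SYN and ACK, and instead recognizes a genuine ACK by checking that its acknowledgment number is a keyed hash it could have produced. The cookie layout (5 bits of time counter, 3 bits of MSS index, 24 bits of hash) follows the classic scheme; the secret key, the MSS table, the 64-second tick and the function names are assumptions for illustration, not a real kernel’s implementation.

```python
"""Stateless SYN cookies: how a listener survives a SYN flood.

Added example, not part of the original article. Key, MSS table and
time unit are assumptions; real stacks draw the key at boot.
"""
import hashlib
import hmac
import socket
import struct
import time

SECRET = b"per-boot-random-key"        # assumption: real stacks generate this at boot
MSS_TABLE = (536, 1220, 1440, 1460)     # assumption: four entries fit the 3-bit field
TIME_UNIT = 64                          # seconds per counter tick


def time_counter(now=None):
    """Coarse clock: a cookie is only accepted for the current tick and the previous one."""
    return int(time.time() if now is None else now) // TIME_UNIT


def _keyed_hash(saddr, daddr, sport, dport, t):
    msg = struct.pack("!4s4sHHQ", socket.inet_aton(saddr), socket.inet_aton(daddr), sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, t):
    """Pack everything needed to rebuild the connection into one 32-bit sequence number."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    low24 = (_keyed_hash(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF
    return ((t & 0x1F) << 27) | (mss_idx << 24) | low24


def check_cookie(saddr, daddr, sport, dport, cookie, client_isn, t_now):
    """Return the negotiated MSS if the cookie is genuine and fresh, else None."""
    t_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    for t in (t_now, t_now - 1):           # accept current and previous tick only
        if (t & 0x1F) != t_bits:
            continue
        expected = (_keyed_hash(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


# --- server side: no per-connection state exists between SYN and ACK ---

def on_syn(saddr, daddr, sport, dport, client_isn, mss, t):
    """Answer a SYN. Our SYN-ACK sequence number *is* the cookie; nothing is stored."""
    return make_cookie(saddr, daddr, sport, dport, client_isn, mss, t)


def on_ack(saddr, daddr, sport, dport, seq, ack, t_now):
    """Third handshake packet: seq = client_isn + 1, ack = our cookie + 1.
    Only now, if the cookie checks out, would a real stack allocate the socket."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    return check_cookie(saddr, daddr, sport, dport, cookie, client_isn, t_now)


if __name__ == "__main__":
    t = time_counter(64_000)               # fixed tick so the demo is reproducible
    isn = 0x12345678
    syn_ack_seq = on_syn("192.0.2.7", "203.0.113.10", 40000, 443, isn, 1460, t)
    print("genuine ACK   ->", on_ack("192.0.2.7", "203.0.113.10", 40000, 443, isn + 1, syn_ack_seq + 1, t))
    print("wrong source  ->", on_ack("192.0.2.8", "203.0.113.10", 40000, 443, isn + 1, syn_ack_seq + 1, t))
    print("stale cookie  ->", on_ack("192.0.2.7", "203.0.113.10", 40000, 443, isn + 1, syn_ack_seq + 1, t + 3))
```

The trade-off is real: the cookie has no room for TCP options beyond an approximate MSS, so window scaling and SACK are lost on connections set up this way, which is why stacks only switch to cookies once the SYN backlog is under pressure rather than all the time.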

Ping of Death: Send malformed or oversized ping packets that crash the target. This was a real problem in the 1990s. Modern systems are patched against it, but variations still pop up occasionally.

Smurf attack: Send ICMP echo requests to a network’s broadcast address with the source IP spoofed to the target’s IP. Every device on that network responds to the target simultaneously, so one packet in becomes hundreds out. It is largely historical now because routers stopped forwarding directed broadcasts by default, but it is the ancestor of the reflection attacks above.

Application Layer Attacks (The Smart One)

These are the sneakiest because they target specific services with traffic that looks legitimate.

HTTP flood: Send seemingly normal HTTP requests to the target’s web server. Each request is valid, but the volume overwhelms the server’s ability to process them. These are hard to distinguish from real traffic because each individual request looks completely legitimate.

Slowloris: Open many HTTP connections to the target and send each request incredibly slowly, trickling out partial headers just often enough to keep the connection from timing out. The server keeps every connection open waiting for the request to finish, eventually exhausting its worker or connection pool. A single computer can take down an unprotected server this way, particularly one that dedicates a thread or process to each connection; event-driven servers fare better, and short header and body timeouts plus per-IP connection caps blunt it.

DNS query flood: Send valid DNS queries at enormous rates, overwhelming the target’s DNS server so it can’t resolve legitimate queries.

Famous DDoS Attacks

Dyn Attack (October 2016)

The Mirai botnet (an estimated 100,000 compromised IoT devices) attacked Dyn, a major DNS provider, in several waves over the course of the day. Because so many sites depended on Dyn for name resolution, Twitter, Netflix, Reddit, Spotify, CNN, PayPal, and dozens of other major websites became unreachable even though their own servers were fine. Peak traffic was reported at up to 1.2 Tbps, a figure Dyn itself never confirmed.

GitHub Attack (February 2018)

GitHub was hit with 1.35 Tbps of traffic using a memcached amplification attack, which abuses exposed memcached servers that answer tiny UDP requests with responses tens of thousands of times larger. This was the largest recorded DDoS attack at the time. GitHub rerouted its traffic through Akamai Prolexic within minutes, and the whole incident was over in about 20 minutes.

AWS Shield (February 2020)

Amazon Web Services reported mitigating a 2.3 Tbps DDoS attack against a customer, a CLDAP reflection attack that reflected traffic off exposed LDAP servers. It was the largest publicly reported attack at the time. AWS’s infrastructure absorbed it without the customer experiencing significant downtime.

Cloudflare Record (2023-2024)

Cloudflare has reported mitigating HTTP attacks exceeding 71 million requests per second in early 2023, over 200 million requests per second later that year using the HTTP/2 “Rapid Reset” technique, and multi-Tbps volumetric attacks in 2024. The scale keeps growing.

How DDoS Protection Works

Defending against DDoS is essentially an arms race. Here’s how organizations fight back:

Anycast Networks

Services like Cloudflare, AWS Shield, and Akamai operate massive global networks and announce the same IP addresses from every location (anycast). When an attack hits, each botnet device’s traffic lands at whichever of hundreds of data centers is closest to it, so the flood is split across the whole network and no single location gets overwhelmed. It’s the “absorb it” strategy, and it only works if total capacity exceeds the attack.

Traffic Scrubbing

Incoming traffic is routed through scrubbing centers that analyze each packet and drop malicious traffic while passing legitimate requests through. This requires sophisticated analysis to distinguish real users from attack traffic, especially for application-layer attacks.

Rate Limiting

Limit the number of requests a single IP address can make within a time window. Simple but effective against basic attacks and against a single noisy source. It won’t help on its own against distributed attacks with thousands or millions of unique IPs, each staying under the threshold; those need additional signals such as a limit on total requests to an expensive endpoint, or a challenge (below).
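The following added example (not code from the original article) makes both the HTTP flood and the rate-limiting points concrete: it replays constructed access-log lines through a per-IP sliding-window limiter, then through a per-path limiter, and shows that the single attacker is stopped by the first while the distributed flood only trips the second. The log lines are constructed in Common Log Format; the limits (20 requests per IP and 100 per path in any 10 seconds) are assumptions chosen for illustration.

```python
"""Per-IP rate limiting against an HTTP flood, and why it is not enough alone.

Added example, not part of the original article. Log lines are constructed;
thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class SlidingWindowLimiter:
    """At most `limit` events per key in any trailing `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        while q and q[0] <= now - self.window:   # forget events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def parse(line):
    """Return (epoch_seconds, ip, path) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT).timestamp(), m["ip"], m["path"]


def analyse(lines, per_ip=(20, 10), per_path=(100, 10)):
    """Replay log lines in time order: per-IP limiter first, then a per-path limiter."""
    ip_limiter = SlidingWindowLimiter(*per_ip)
    path_limiter = SlidingWindowLimiter(*per_path)
    result = {"allowed": 0, "denied_ip": 0, "denied_path": 0, "unparsed": 0}
    records = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            result["unparsed"] += 1
        else:
            records.append(rec)
    for ts, ip, path in sorted(records):
        if not ip_limiter.allow(ip, ts):
            result["denied_ip"] += 1
        elif not path_limiter.allow(path, ts):
            result["denied_path"] += 1
        else:
            result["allowed"] += 1
    return result


def clf(ip, epoch, path, status=200):
    """Build one constructed Common Log Format line."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'


BASE = 1_700_000_000
SAMPLE_LOG = []
# One real user: 5 requests spread over 10 seconds.
SAMPLE_LOG += [clf("198.51.100.5", BASE + 2 * i, "/") for i in range(5)]
# One noisy attacker: 200 requests to /login in 10 seconds.
SAMPLE_LOG += [clf("192.0.2.66", BASE + i // 20, "/login") for i in range(200)]
# A distributed flood: 100 bots, 4 requests each to /search, all inside 10 seconds.
SAMPLE_LOG += [
    clf(f"203.0.113.{b}", BASE + (b * 4 + k) % 10, "/search") for b in range(1, 101) for k in range(4)
]

if __name__ == "__main__":
    print("per-IP + per-path:", analyse(SAMPLE_LOG))
    print("per-IP only:      ", analyse(SAMPLE_LOG, per_path=(10**9, 10)))
```

With only the per-IP limiter, every bot stays at 4 requests and all 400 of the distributed flood’s requests sail through; the per-path ceiling is what catches them. In production the per-path limit should protect the endpoints that are expensive to serve (search, login, anything hitting a database), and a denied request should get a cheap 429 rather than being dropped silently, so real users behind a shared NAT can tell what happened.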

Blackhole Routing

As a last resort, the target’s ISP or upstream provider routes all traffic to the target IP into a “blackhole” (nowhere), typically via a remotely triggered blackhole (RTBH) route announced with a special BGP community. This stops the attack traffic from filling the provider’s links but also makes the target completely unreachable, which is exactly what the attacker wanted. It’s like stopping a flood by destroying the bridge; effective for protecting everyone else on the network, but a sacrifice of the target itself.

Challenge-based Systems

Present suspicious visitors with CAPTCHAs or JavaScript challenges. Legitimate browsers can solve them; simple bot scripts can’t. You’ve probably encountered Cloudflare’s “checking your browser” interstitial page. That’s this.

DDoS Protection for Regular People

You probably don’t need enterprise DDoS protection, but here are some practical tips:

  • Don’t share your IP address publicly (in game chats, forums, Discord)
  • Use a VPN when gaming to hide your real IP from other players
  • Keep your router’s firmware updated to prevent compromises
  • Change default passwords on all network devices
  • If you’re being actively DDoS’d, restarting your router may get you a new IP

For website operators on a budget, Cloudflare’s free tier includes basic DDoS protection that handles most attacks automatically. It’s one of the best free services on the internet.


Frequently Asked Questions

Can a home internet connection be DDoS’d?

Yes, though it's uncommon unless you've annoyed someone in an online game or forum who knows your IP. A home internet connection can be overwhelmed by even a small DDoS attack since most residential connections have limited bandwidth. Restarting your router might get you a new IP (if dynamic), ending the attack.

Are DDoS attacks illegal?

Yes, in virtually every country. In the US, DDoS attacks violate the Computer Fraud and Abuse Act and can result in federal prison time. In the EU, they violate the Directive on Attacks Against Information Systems. 'DDoS for hire' services (booters/stressers) are also illegal, despite marketing themselves as 'stress testing tools.'

How much does a DDoS attack cost?

Unfortunately, DDoS-for-hire services sell attacks starting at about $10 to $50 for short-duration attacks. Larger, sustained attacks might cost hundreds or thousands. On the defender side, DDoS protection from providers like Cloudflare starts free (basic) and scales to thousands per month for enterprise-grade protection.

Does a VPN protect against DDoS?

Sort of. A VPN hides your real IP, so attackers can't target your connection directly. But they'd be DDoSing the VPN server instead, which VPN providers are generally equipped to handle. If someone already knows your real IP, connecting to a VPN afterward won't help until your IP changes.