← Back to Dashboard

What is a DDoS Attack?

Understanding distributed denial-of-service attacks — types, detection, and defense

What a DDoS Attack Actually Does

A Distributed Denial-of-Service (DDoS) attack overwhelms a target system with traffic from many sources simultaneously, making the service unavailable to legitimate users. Unlike a regular DoS attack that comes from a single source and can be mitigated by blocking one IP, a DDoS attack may involve thousands or millions of distinct source addresses, making simple IP-based filtering ineffective.

The goal is not to break into a system but to break its availability. For an e-commerce site, even an hour of downtime during peak shopping means significant revenue loss. For critical infrastructure — hospitals, banking systems, government services — the impact extends beyond financial damage to public safety. DDoS is also frequently used as a smokescreen: while the security team scrambles to restore service, attackers exploit the chaos to conduct a separate intrusion through a quieter channel.

DDoS attacks have grown in both frequency and scale. Peak attack volumes have increased from gigabits per second a decade ago to terabits per second today. In 2023, Cloudflare mitigated a 71 million request-per-second HTTP DDoS attack. Google reported blocking a 398 million request-per-second attack that same year. These numbers reflect the expanding pool of insecure internet-connected devices that can be recruited into botnets.

Types of DDoS Attacks

DDoS attacks are classified by the network layer they target. Sophisticated attackers combine multiple types simultaneously (multi-vector attacks) to overwhelm different parts of the target's infrastructure at once.

Volumetric attacks (Layer 3/4)

The goal is to saturate the target's bandwidth — fill the pipe until nothing else gets through. These are the simplest attacks conceptually but can be devastating in scale.

  • UDP flood — Sends massive volumes of UDP packets to random ports on the target. The target must process each packet to determine that no application is listening, consuming CPU and bandwidth. Because UDP is connectionless, the source IP can be spoofed, making attribution difficult.
  • DNS amplification — Exploits open DNS resolvers by sending small queries with the target's spoofed source IP. The resolvers respond with much larger DNS replies (amplification factors of 50-70x), flooding the target. A 1 Gbps attack becomes a 50-70 Gbps flood at the victim's end.
  • NTP amplification — Similar to DNS amplification but abuses the NTP monlist command, which returns the last 600 IP addresses that communicated with the server. Amplification factors can reach 556x.
  • Memcached amplification — Abuses publicly accessible Memcached servers. Amplification factors of 10,000-51,000x have been observed, making this one of the most powerful reflection attacks discovered. The 2018 GitHub DDoS attack used Memcached amplification to reach 1.35 Tbps.

Protocol attacks (Layer 3/4)

These attacks exploit weaknesses in network protocols to exhaust server resources or intermediate infrastructure like firewalls and load balancers.

  • SYN flood — Sends a torrent of TCP SYN packets (connection initiation requests) without completing the three-way handshake. Each half-open connection consumes server memory. Modern servers can handle millions of SYN packets per second, but stateful firewalls and load balancers between them often cannot.
  • ACK flood — Sends TCP ACK packets that the server must process against its connection table. Since the ACKs don't match any valid connection, they waste CPU cycles. Effective against stateful firewalls that track connection state.
  • Ping of death / fragmentation attacks — Sends malformed or oversized packets that crash or slow down the network stack. Less common today but still observed against legacy equipment.

Application layer attacks (Layer 7)

The most sophisticated type. These attacks mimic legitimate user behavior, making them extremely difficult to distinguish from real traffic.

  • HTTP flood — Sends massive volumes of HTTP GET or POST requests to resource-intensive endpoints (search pages, login forms, API endpoints). Each request looks legitimate individually — proper headers, valid user-agents, even completing TLS handshakes. The attack works because the target's web server, application server, and database all consume resources processing each request.
  • Slowloris — Opens many connections to the target web server and sends partial HTTP headers, keeping each connection open as long as possible. The server waits for the request to complete, eventually exhausting its maximum concurrent connection limit. Effective against Apache and other thread-per-connection servers with just a single attacking machine.
  • R-U-Dead-Yet (RUDY) — Similar to Slowloris but targets POST requests. Sends the Content-Length header with a very large value, then sends the body one byte at a time. The server keeps the connection open waiting for the full body, tying up resources.

The Botnet Connection

Almost every significant DDoS attack is powered by a botnet — a network of compromised devices under the attacker's control. The relationship between botnets and DDoS is symbiotic: botnets exist partly to enable DDoS, and DDoS attacks are a primary revenue stream for botnet operators.

IoT botnets are the dominant DDoS weapon today. The Mirai botnet, which emerged in 2016, demonstrated that internet-connected cameras, routers, and DVRs with default credentials could be weaponized into a DDoS army capable of generating over 1 Tbps of traffic. Mirai's source code was released publicly, leading to dozens of variants (Mozi, Gafgyt, Satori) that continue to recruit vulnerable IoT devices. The estimated number of IoT devices susceptible to Mirai-style recruitment runs into the hundreds of millions.

DDoS-for-hire services (also called "booter" or "stresser" services) allow anyone to launch DDoS attacks without owning a botnet. For as little as $10-30/month, these services provide web interfaces where customers specify a target and attack duration. The FBI has seized dozens of these services in Operation PowerOFF, but new ones appear regularly. Some advertise on social media and accept PayPal payments, demonstrating how normalized DDoS has become.

DDoS as extortion has grown into a distinct threat category. Groups send demands threatening DDoS attacks unless a ransom is paid, often in cryptocurrency. Some follow through with short demonstration attacks to prove capability. Others bluff entirely. The attack cost to the criminal is near zero (botnet time is cheap), while the business disruption cost to the victim can be enormous.

How WAYSCloud Detects DDoS Participation

WAYSCloud currently tracks approximately 1 IP addresses flagged for DDoS-related activity including HTTP floods, port scanning (often DDoS reconnaissance), and volumetric attack participation.

Our multi-source threat intelligence correlates DDoS indicators from fail2ban reporters detecting HTTP floods, community feeds tracking botnet infrastructure, and specialized feeds that monitor known DDoS command-and-control servers. When an IP is flagged for http_flood, ddos, or port_scan categories, it indicates the IP has been observed participating in or preparing for distributed attacks.

Port scanning is included because it is frequently a DDoS precursor: attackers scan for open services to identify amplification vectors (open DNS resolvers, NTP servers, Memcached instances) or to find vulnerable devices to recruit into their botnet.

View IPs currently flagged for attack activity →

DDoS Mitigation Strategies

1. Rate limiting and traffic shaping

The first line of defense. Configure your web server and application to limit requests per IP per second. This won't stop a sophisticated DDoS but will mitigate small-scale attacks and reduce the impact of larger ones:

# nginx rate limiting
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    location /api/ {
        limit_req zone=api burst=20 nodelay;
        limit_req_status 429;
    }
}

# iptables connection rate limiting
iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --dport 80 -m hashlimit \
    --hashlimit-above 100/sec --hashlimit-burst 200 \
    --hashlimit-mode srcip --hashlimit-name http -j DROP

2. CDN and DDoS protection services

For serious DDoS protection, a reverse proxy CDN is essential. Services like Cloudflare, Akamai, and AWS Shield absorb attack traffic at their edge network (with capacity measured in hundreds of Tbps) before it reaches your origin server. The free tier of Cloudflare provides unlimited DDoS protection — a remarkable offering that has made basic DDoS defense accessible to everyone.

3. BGP blackholing (remotely triggered)

For network operators facing volumetric attacks that saturate upstream links, BGP blackholing tells upstream routers to drop traffic destined for the target IP. This saves the rest of the network at the cost of making the target completely unreachable. It's a last resort — the attacker achieves their denial-of-service goal, but collateral damage to other services is prevented.

4. IP reputation filtering

Proactively block traffic from IPs known to participate in DDoS attacks before they target you:

# Query WAYSCloud for known DDoS participants
curl -s https://ip.wayscloud.services/api/v1/ip/203.0.113.50 | jq '
  .intelligence_data | {
    threat_score,
    risk_level,
    categories,
    recommendation: (if .threat_score > 70 then "BLOCK" else "MONITOR" end)
  }'

# Use the live threat feed to build dynamic block lists
curl -s "https://ip.wayscloud.services/api/threats/live?limit=500" \
  | jq -r '.threats[] | select(.categories | test("flood|ddos|scan")) | .ip_address'

5. Anycast network distribution

If you operate your own infrastructure, anycast routing distributes incoming traffic across multiple geographically dispersed points of presence. An attack that might overwhelm a single server is diluted across many, and traffic from each geographic region is handled by the nearest PoP. This is the same technique CDN providers use internally.

6. Application hardening

Reduce your application's vulnerability to Layer 7 attacks by identifying and protecting resource-intensive endpoints. Cache aggressively, implement CAPTCHA or JavaScript challenges for suspicious traffic patterns, and use connection timeouts to prevent Slowloris-style attacks. Configure your web server to close idle connections after a few seconds rather than minutes.

Preparing for a DDoS Attack

The time to prepare for DDoS is before it happens. Organizations should:

  • Document a DDoS response runbook with escalation procedures and contact information for upstream providers
  • Understand your normal traffic baselines so you can quickly distinguish attacks from legitimate spikes
  • Ensure your DNS has low TTL values so you can quickly switch to DDoS mitigation services
  • Test your mitigation plan with simulated attacks (many DDoS protection vendors offer this)
  • Integrate threat intelligence feeds to proactively block known botnet IPs before an attack begins
  • Separate critical services from public-facing ones so that a DDoS on your website doesn't take down internal operations

Related Threat Intelligence

What is Botnet C2? → Protect Your Server from Brute Force → How to Block Malicious IPs → How to Detect Malicious Traffic → Top Malicious IPs Today → API Integration Guide →