What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a massive flood of internet traffic from multiple sources simultaneously. Unlike a simple Denial of Service (DoS) attack that originates from a single source, a DDoS attack harnesses the combined bandwidth and processing power of thousands or even millions of compromised devices, making it exponentially more powerful and significantly harder to mitigate.
DDoS attacks exploit the fundamental reality that every server and network has finite capacity. By directing more traffic at a target than it can handle, attackers can saturate bandwidth, exhaust connection tables, consume CPU and memory resources, or crash application processes. The result is that legitimate users are unable to access the targeted service, which can cause significant financial losses, reputational damage, and operational disruption for businesses and organizations of all sizes.
Types of DDoS Attacks
Volumetric attacks are the most common category of DDoS, aiming to saturate the target's bandwidth with sheer volume of traffic. These include UDP floods, ICMP floods, and DNS amplification attacks. Amplification attacks are particularly dangerous because they exploit protocols that generate disproportionately large responses to small requests, allowing attackers to multiply their traffic by factors of 50x or more. A single attacker with modest bandwidth can generate hundreds of gigabits per second of attack traffic using amplification techniques.
Protocol attacks target weaknesses in network protocol implementations to exhaust server resources. SYN floods send massive numbers of TCP connection requests without completing the handshake, filling the server's connection table until it can no longer accept legitimate connections. Application-layer attacks (Layer 7) are the most sophisticated, targeting specific applications or services with seemingly legitimate requests. HTTP floods, Slowloris attacks, and targeted API abuse can bring down web applications with far less bandwidth than volumetric attacks because each request consumes significant server-side processing resources.
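The SYN flood described above leaves a telltale imbalance in the server's view of traffic: many SYNs from a source, few handshakes completed. The following Python example (added here; it is not code from the original page) shows one way a defender can spot that imbalance from simplified flow records and measure how much of a fixed-size half-open backlog is being consumed. The record format, the thresholds, and the backlog size are assumptions chosen for the example, and the records are constructed, not captured traffic.

```python
from collections import defaultdict
from dataclasses import dataclass

# Simplified TCP flow records: (timestamp_seconds, source_ip, event).
# "S" = SYN received from the client, "A" = final ACK completing the handshake.
# Constructed sample data for this example, not real captures.
LEGIT_CLIENT = "203.0.113.5"      # completes every handshake
SLOW_CLIENT = "192.0.2.9"         # flaky network, completes half
FLOOD_SOURCE = "198.51.100.7"     # many SYNs, never completes

SAMPLE_FLOW_RECORDS = (
    [(t, LEGIT_CLIENT, "S") for t in range(3)]
    + [(t + 0.1, LEGIT_CLIENT, "A") for t in range(3)]
    + [(t, SLOW_CLIENT, "S") for t in range(12)]
    + [(t + 0.2, SLOW_CLIENT, "A") for t in range(6)]
    + [(t * 0.01, FLOOD_SOURCE, "S") for t in range(20)]
)


@dataclass
class SourceStats:
    syns: int = 0
    completed: int = 0

    @property
    def half_open(self) -> int:
        # SYNs that never reached the final ACK still occupy backlog slots.
        return self.syns - self.completed


def tally_handshakes(records):
    """Count SYNs and completed handshakes per source address."""
    stats = defaultdict(SourceStats)
    for _ts, src, event in records:
        if event == "S":
            stats[src].syns += 1
        elif event == "A":
            stats[src].completed += 1
    return stats


def suspected_syn_flood_sources(records, min_syns=10, max_completion_ratio=0.2):
    """Sources that sent many SYNs but completed almost none of them.

    The two thresholds are illustrative defaults, not values from the page.
    """
    suspects = []
    for src, st in tally_handshakes(records).items():
        if st.syns >= min_syns and st.completed / st.syns <= max_completion_ratio:
            suspects.append(src)
    return sorted(suspects)


def backlog_occupancy(records, backlog_size=128):
    """Fraction of a hypothetical half-open backlog consumed by these records."""
    total_half_open = sum(st.half_open for st in tally_handshakes(records).values())
    return total_half_open / backlog_size


if __name__ == "__main__":
    print("suspects:", suspected_syn_flood_sources(SAMPLE_FLOW_RECORDS))
    print(f"backlog occupancy: {backlog_occupancy(SAMPLE_FLOW_RECORDS):.1%}")
```

The slow client is deliberately included: it completes only half its handshakes, so a rule that flagged any incomplete handshake would produce false positives. Ratio plus volume is a more useful signal, and in practice the numbers would be tuned to the server's actual backlog size and observed baseline.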
DDoS Attack Infrastructure
Most DDoS attacks are powered by botnets, vast networks of compromised devices controlled by a single attacker or criminal group. The Mirai botnet, which emerged in 2016, demonstrated the devastating potential of IoT-based botnets by enslaving hundreds of thousands of poorly secured devices such as security cameras, routers, and DVRs to generate record-breaking attack volumes exceeding one terabit per second. Modern botnets continue to grow as the number of internet-connected devices proliferates.
DDoS-for-hire services, often marketed as "stresser" or "booter" services, have commoditized DDoS attacks, making them accessible to anyone willing to pay a small fee. These services offer subscription-based access to DDoS capabilities, with attack power and duration determined by the pricing tier. Law enforcement agencies have conducted multiple operations to shut down these services, but new ones continuously emerge to replace them. The combination of massive botnets and commercial attack services means that DDoS threats continue to grow in both frequency and intensity.
Impact of DDoS Attacks
The immediate impact of a DDoS attack is service unavailability. For e-commerce businesses, this translates directly into lost sales revenue for every minute the site is down. Financial services firms may be unable to process transactions. Healthcare organizations may lose access to critical systems. Media companies may be unable to publish content. The financial cost of DDoS-induced downtime varies by industry but can reach tens of thousands of dollars per minute for large enterprises.
Beyond the direct financial impact, DDoS attacks cause lasting reputational damage as customers lose confidence in the reliability of the targeted service. DDoS attacks are also frequently used as a smokescreen to distract security teams while attackers simultaneously execute data breaches, deploy malware, or perform other malicious activities under the cover of the chaos created by the attack. Some DDoS attacks are motivated by extortion, with attackers demanding payment to stop the flood, while others are driven by hacktivism, competitive sabotage, or state-sponsored disruption.
Defending Against DDoS Attacks
Effective DDoS defense requires a multi-layered approach combining network architecture, dedicated mitigation services, and incident response planning. Cloud-based DDoS mitigation services such as Cloudflare, AWS Shield, and Akamai operate global networks of scrubbing centers that can absorb and filter massive attack volumes before they reach the target. These services use traffic analysis, behavioral profiling, and threat intelligence to distinguish legitimate traffic from attack traffic in real time.
At the infrastructure level, organizations should implement rate limiting to cap the number of requests from individual sources, configure firewalls with anti-DDoS rules, and use anycast network distribution to spread traffic across multiple data centers. Over-provisioning bandwidth and server capacity provides a buffer against smaller attacks. Having a documented and rehearsed DDoS response plan ensures that teams know exactly what to do when an attack is detected, including whom to contact, what services to activate, and how to communicate with customers during an outage.
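Per-source rate limiting, mentioned above as a first infrastructure-level control against HTTP floods, is easy to reason about once it is written down. The Python example below (added here; it is not code from the original page or from any of the named vendors) parses Common Log Format access-log lines, replays them through a per-source sliding-window limiter, and reports how many requests from each source would have been served or rejected. The limit of 5 requests per 10 seconds and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Illustrative policy, not a value from the page: at most MAX_REQUESTS per source
# in any WINDOW_SECONDS-long window.
MAX_REQUESTS = 5
WINDOW_SECONDS = 10.0

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def make_log_line(ip, epoch, path):
    """Build one CLF line; used only to construct the sample input below."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TS_FORMAT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: a normal visitor making a request every 2 seconds
# and a flooding source making one request per second for 12 seconds.
BASE = 1_700_000_000
NORMAL_CLIENT = "203.0.113.5"
FLOOD_SOURCE = "198.51.100.7"
SAMPLE_LOG = (
    [make_log_line(NORMAL_CLIENT, BASE + 2 * i, "/index.html") for i in range(3)]
    + [make_log_line(FLOOD_SOURCE, BASE + i, "/search?q=x") for i in range(12)]
)


def parse_log_line(line):
    """Return (ip, epoch_seconds, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    epoch = datetime.strptime(m.group("ts"), TS_FORMAT).timestamp()
    return m.group("ip"), epoch, m.group("request")


class SlidingWindowLimiter:
    """Sliding-window log limiter: remembers the timestamps of accepted requests."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.accepted = defaultdict(deque)  # source -> timestamps of served requests

    def allow(self, source, now):
        history = self.accepted[source]
        # Drop accepted timestamps that have aged out of the window.
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) >= self.max_requests:
            return False  # rejected requests are not recorded, so they cannot extend the block
        history.append(now)
        return True


def apply_rate_limit(lines, max_requests=MAX_REQUESTS, window_seconds=WINDOW_SECONDS):
    """Replay log lines in time order; return per-source allowed/rejected counts."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    outcome = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    events = [e for e in map(parse_log_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])
    for ip, when, _request in events:
        verdict = "allowed" if limiter.allow(ip, when) else "rejected"
        outcome[ip][verdict] += 1
    return dict(outcome)


if __name__ == "__main__":
    for ip, counts in apply_rate_limit(SAMPLE_LOG).items():
        print(ip, counts)
```

Replaying the sample gives 3 allowed and 0 rejected for the normal visitor, and 7 allowed and 5 rejected for the flooding source: its first five requests are served, the next five are refused, and two more are served once the oldest accepted requests age out of the window. Because the limiter keys on the source address, it is a control against a single aggressive source, not against a distributed flood; that is exactly why the page pairs it with upstream scrubbing and anycast distribution.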
Frequently Asked Questions
A DoS attack originates from a single source, making it easier to identify and block. A DDoS attack uses thousands or millions of compromised devices simultaneously, generating far more traffic and making the attack much harder to mitigate because blocking individual sources is ineffective against such distributed traffic.
A DDoS attack itself does not steal data, but it is frequently used as a distraction to divert security resources while attackers simultaneously conduct data breaches or deploy malware. Always investigate for secondary attacks during and after a DDoS incident.
DDoS attacks can last anywhere from a few minutes to several days or even weeks. The duration depends on the attacker's resources, motivation, and whether effective mitigation measures are deployed. Most attacks peak within the first hour, but persistent attackers may launch repeated waves over extended periods.