What Is a DDoS Attack?
A DDoS (Distributed Denial of Service) attack is an attempt to make a website, server, or network unavailable by overwhelming it with a flood of traffic from multiple sources. The goal is simple: send more traffic than the target can handle, causing it to slow down or crash entirely.
The "distributed" part means the attack comes from many different sources simultaneously — often thousands or millions of compromised devices (a botnet). This makes DDoS attacks much harder to mitigate than simple DoS attacks from a single source, because you can't just block one IP address.
DDoS attacks are one of the most common cyber threats. They're relatively easy to launch (DDoS-for-hire services exist for as little as $10/hour), but they can cause massive damage — taking websites offline, disrupting businesses, and costing millions in lost revenue and mitigation costs.
Types of DDoS Attacks
Volumetric attacks overwhelm the target's bandwidth by flooding it with massive amounts of data. Examples include UDP floods, ICMP floods, and DNS amplification attacks. These are measured in bits per second (bps) and can reach terabits per second at scale.
Protocol attacks exploit weaknesses in network protocols to consume server resources rather than raw bandwidth. The classic example is the SYN flood: the attacker sends millions of TCP SYN packets (connection requests), usually from spoofed source addresses, and never completes the three-way handshake. Each SYN occupies a slot in the server's half-open connection backlog until it times out, and once that backlog is full, legitimate connection attempts are dropped too.
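The following is an added example, not code from the original article, contrasting the two listener designs behind the SYN flood described above: a stateful listener whose half-open table fills under a spoofed SYN flood, and a SYN-cookie listener that keeps no per-SYN state and instead proves the client's ACK with a keyed MAC in the sequence number. The addresses, the backlog size, and the secret key are constructed for the demonstration, and the cookie format is simplified (it omits the MSS encoding real SYN cookies carry).

```python
import hashlib
import hmac


class StatefulListener:
    """Classic TCP listener: every SYN reserves a slot in a fixed-size
    half-open table until the client's ACK arrives or the entry times out."""

    def __init__(self, backlog=8, timeout=3.0):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}  # (client_ip, client_port) -> expiry time

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, client, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return "dropped"  # table full: legitimate SYNs are lost as well
        self.half_open[client] = now + self.timeout
        return "syn-ack"

    def on_ack(self, client, now):
        self._expire(now)
        return "established" if self.half_open.pop(client, None) else "reset"


class SynCookieListener:
    """Stateless alternative (SYN cookies): keep nothing per SYN and instead
    put a keyed MAC of the connection tuple into the initial sequence number
    (ISN) of the SYN-ACK. Only a client that really received the SYN-ACK at
    the claimed source address can answer with ACK = ISN + 1.
    Simplified: real SYN cookies also encode the client's MSS in the ISN."""

    SLOT = 64     # seconds covered by one coarse timestamp value
    MAX_AGE = 1   # accept cookies minted in this many earlier slots

    def __init__(self, secret, server=("203.0.113.10", 443)):
        self.secret = secret  # assumed: rotated periodically in a real deployment
        self.server = server

    def _slot(self, now):
        return (int(now) // self.SLOT) & 0xFF

    def _mac(self, client, slot):
        msg = f"{client[0]}:{client[1]}>{self.server[0]}:{self.server[1]}|{slot}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]  # 24-bit tag

    def on_syn(self, client, now):
        slot = self._slot(now)
        isn = (slot << 24) | int.from_bytes(self._mac(client, slot), "big")
        return "syn-ack", isn  # nothing stored: there is no table to fill

    def on_ack(self, client, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        slot = isn >> 24
        if (self._slot(now) - slot) & 0xFF > self.MAX_AGE:
            return "reset"  # cookie too old (or a guessed ACK number)
        expected = self._mac(client, slot)
        if not hmac.compare_digest((isn & 0xFFFFFF).to_bytes(3, "big"), expected):
            return "reset"  # MAC mismatch: ACK was not derived from our SYN-ACK
        return "established"


def simulate(n_spoofed=50):
    """Flood both listeners with SYNs from spoofed addresses that never ACK,
    then let one legitimate client complete its handshake. All addresses and
    the secret are constructed for the demonstration."""
    legit = ("198.51.100.7", 51000)
    spoofed = [(f"192.0.2.{i}", 40000 + i) for i in range(n_spoofed)]
    now = 1_000_000.0

    stateful = StatefulListener()
    for src in spoofed:
        stateful.on_syn(src, now)  # the first `backlog` SYNs fill the table
    outcome = stateful.on_syn(legit, now + 0.1)
    if outcome == "syn-ack":
        outcome = stateful.on_ack(legit, now + 0.2)

    cookies = SynCookieListener(secret=b"constructed-demo-secret")
    for src in spoofed:
        cookies.on_syn(src, now)  # no per-SYN state, so nothing fills up
    _, isn = cookies.on_syn(legit, now + 0.1)
    return {
        "stateful": outcome,                                                       # "dropped"
        "syn_cookies": cookies.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 0.2),   # "established"
        "forged_ack": cookies.on_ack(legit, 0x12345678, now + 0.2),                # "reset"
        "stale_cookie": cookies.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 640),  # "reset"
    }


if __name__ == "__main__":
    print(simulate())
```

Running the module prints the legitimate client's outcome under both designs: it is dropped by the stateful listener once the spoofed SYNs have filled the backlog, and it connects through the cookie listener, whose ACK check also rejects a guessed ACK number and a cookie older than one timestamp slot. Linux implements the real thing behind net.ipv4.tcp_syncookies=1, which most distributions enable by default.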
Application layer attacks (Layer 7) target specific web applications with requests that look legitimate but are designed to exhaust server resources such as CPU, database connections, or worker threads. HTTP floods, Slowloris attacks, and DNS query floods fall into this category. They are measured in requests per second (rps) rather than bits per second, and they are harder to detect because each individual request looks normal; the attack is only visible in aggregate.
DNS amplification is particularly devastating. It is a reflection attack: the attacker sends small DNS queries to open DNS resolvers (resolvers that answer queries from any address on the internet) with the source IP spoofed to the victim's address. The resolvers send their much larger responses to the victim (amplified by 50–70x for queries such as ANY), flooding it with traffic it never requested, from sources that are themselves innocent third parties.
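As an added example (not from the original article), the block below builds a DNS query in wire format to show how small the attacker's packet is, computes the amplification factor for a constructed 3,100-byte response, and runs a simple reflection detector over constructed flow records: a host that receives DNS responses from many resolvers without having sent queries is being used as a reflection target. The addresses, ports, and byte counts are all made up for the demonstration.

```python
import struct
from collections import defaultdict

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def encode_name(name):
    """Wire-format domain name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns_query(name, qtype="ANY", txid=0x1234, edns_bufsize=4096):
    """Minimal DNS query (RFC 1035 header + one question). With edns_bufsize set,
    an EDNS0 OPT record is appended advertising a large UDP payload size, which is
    how an attacker asks the resolver for the biggest possible reply."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN
    opt = b""
    if edns_bufsize:
        # OPT pseudo-RR: root name, TYPE 41, CLASS field carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def amplification_factor(query, response_len, l3_overhead=28):
    """Bandwidth amplification factor as seen on the wire: bytes the victim receives
    per byte the attacker sends. l3_overhead is the IPv4 (20) + UDP (8) header size."""
    return round((response_len + l3_overhead) / (len(query) + l3_overhead), 1)


def detect_reflection(flows, min_sources=10, max_solicited_ratio=0.2):
    """Flag hosts that receive DNS responses (UDP source port 53) from many distinct
    resolvers while having sent far fewer queries themselves. A normal resolver
    client also sees many responses, but one per query it sent, so the solicited
    ratio separates the two. flows: (src_ip, src_port, dst_ip, dst_port, nbytes)."""
    per_host = defaultdict(lambda: {"responses": 0, "sources": set(), "queries": 0, "bytes": 0})
    for src, sport, dst, dport, nbytes in flows:
        if sport == 53 and dport != 53:  # response arriving at a client port
            h = per_host[dst]
            h["responses"] += 1
            h["sources"].add(src)
            h["bytes"] += nbytes
        elif dport == 53:  # query leaving this host
            per_host[src]["queries"] += 1
    alerts = {}
    for host, h in per_host.items():
        if len(h["sources"]) >= min_sources and h["queries"] <= max_solicited_ratio * h["responses"]:
            alerts[host] = {"responses": h["responses"], "resolvers": len(h["sources"]),
                            "queries_sent": h["queries"], "bytes": h["bytes"]}
    return alerts


# Constructed flow records (addresses from documentation ranges): 10.0.0.5 is an
# ordinary client talking to one resolver, 203.0.113.10 is the reflection victim
# receiving 3,100-byte responses from 20 open resolvers it never queried.
SAMPLE_FLOWS = [("10.0.0.5", 50000 + i, "9.9.9.9", 53, 68) for i in range(3)]
SAMPLE_FLOWS += [("9.9.9.9", 53, "10.0.0.5", 50000 + i, 120) for i in range(3)]
SAMPLE_FLOWS += [(f"198.51.100.{r}", 53, "203.0.113.10", 3000 + n, 3100)
                 for n in range(40) for r in range(1, 21)]


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(len(q), "byte query ->", amplification_factor(q, 3100), "x on the wire")  # 40, 46.0
    print(detect_reflection(SAMPLE_FLOWS))
```

The 40-byte query asks for ANY with an EDNS0 buffer of 4096 bytes, which is exactly what attackers send because it invites the largest possible answer; the factor reported counts IPv4 and UDP headers on both sides, so it is the ratio the victim's link actually sees. On the defender's side, the unsolicited-response check is cheap to run on NetFlow or sFlow data, and the same idea applies to the other UDP reflectors (NTP, memcached, CLDAP) by changing the port.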
Real-World DDoS Examples
GitHub (2018): Hit by 1.35 Tbps of traffic using Memcached amplification — at the time, the largest DDoS attack ever recorded. GitHub was intermittently unavailable for about 10 minutes before Akamai's DDoS mitigation service absorbed the attack.
AWS (2020): Amazon Web Services mitigated a 2.3 Tbps DDoS attack (CLDAP reflection, February 2020), the largest on record at the time.
Dyn DNS (2016): A massive DDoS attack on the DNS provider Dyn (using the Mirai IoT botnet) caused outages for major websites including Twitter, Netflix, Reddit, CNN, and Spotify. This demonstrated how attacks on infrastructure providers can cause cascading failures across the internet.
Cloudflare (2023): Mitigated what was at the time the largest HTTP DDoS attack on record, peaking at 71 million requests per second and generated by a botnet of about 30,000 IP addresses. This was a Layer 7 attack, so it is measured in requests per second rather than bits per second.
These attacks are growing larger and more sophisticated each year as botnets expand and new amplification vectors are discovered.
How to Protect Against DDoS Attacks
Use a CDN/DDoS protection service: Services like Cloudflare, AWS Shield, Akamai, and Google Cloud Armor sit in front of your servers and absorb DDoS traffic. Cloudflare's free tier includes basic DDoS protection, so there is little excuse not to use one. One caveat: the protection only works if attackers cannot reach your origin server directly, so restrict the origin to accept traffic only from the provider's IP ranges and make sure its real address is not leaked through old DNS records.
Rate limiting: Configure your web server and application to limit the number of requests a single IP address can make in a given window, returning HTTP 429 once the limit is exceeded. This helps mitigate application-layer attacks from a small number of sources. Two caveats: a distributed flood in which each bot stays under the per-IP limit will pass straight through unless you also limit in aggregate (per endpoint, per account, or globally), and many users can share one address behind carrier-grade NAT, so an aggressive per-IP limit causes collateral damage.
Overprovision bandwidth: Having more bandwidth than you typically need gives you headroom to absorb small attacks without going offline.
Anycast routing: Distributes incoming traffic across multiple data centers, so no single location bears the full brunt of an attack.
Keep software patched and don't run reflectors: Unpatched servers can be recruited into botnets that launch DDoS attacks against others, and misconfigured services can be abused as amplifiers (an open DNS resolver, or memcached listening on UDP). Keep your OS, web server, and applications updated, and don't expose UDP services to the internet that you don't need.
Have a response plan: Know your DDoS mitigation service's activation process before an attack happens. During an attack is not the time to be reading documentation.
Monitor your traffic: Use monitoring tools to establish baseline traffic patterns. Anomaly detection can alert you to an attack in its early stages, when mitigation is most effective.
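To make the rate-limiting and monitoring points above concrete, the block below is an added example (not from the original article) that runs a per-IP sliding-window rate limiter and a baseline anomaly detector over a constructed 80-second traffic timeline: normal load, then a distributed HTTP flood from 200 bots that each stay under the per-IP limit, then a single abusive client. All addresses, rates, and thresholds are constructed for the demonstration.

```python
import random
from collections import defaultdict, deque
from statistics import mean, pstdev


class SlidingWindowLimiter:
    """Per-client sliding window: at most `limit` requests in any `window` seconds,
    the same policy a web server's per-IP request limit enforces."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and q[0] <= now - self.window:
            q.popleft()  # forget hits that have left the window
        if len(q) >= self.limit:
            return False  # would be answered with HTTP 429
        q.append(now)
        return True


def detect_anomalies(per_second, baseline_seconds, z=3.0, min_delta=20):
    """Learn mean and standard deviation of the request rate from the first
    `baseline_seconds` samples, then flag later seconds above mean + z*stddev
    (with a floor of mean + min_delta so a very flat baseline does not alert
    on noise). Returns (list of (second, count), threshold)."""
    base = per_second[:baseline_seconds]
    mu, sigma = mean(base), pstdev(base)
    threshold = max(mu + z * sigma, mu + min_delta)
    flagged = [(s, c) for s, c in enumerate(per_second)
               if s >= baseline_seconds and c > threshold]
    return flagged, threshold


def build_events(seed=7):
    """Constructed 80-second traffic timeline of (timestamp, client_ip).
    0-59 s: 40-60 req/s from ~500 normal clients (10.0.0.0/23).
    60-69 s: distributed HTTP flood, 200 bots (192.0.2.0/24) at 2 req/s each.
    70-79 s: a single abusive client (198.51.100.9) at 60 req/s."""
    rng = random.Random(seed)
    events = []
    for sec in range(80):
        for _ in range(rng.randint(40, 60)):
            events.append((sec + rng.random(), f"10.0.{rng.randrange(2)}.{rng.randrange(250)}"))
        if 60 <= sec < 70:
            for bot in range(200):
                for _ in range(2):
                    events.append((sec + rng.random(), f"192.0.2.{bot}"))
        if 70 <= sec < 80:
            for _ in range(60):
                events.append((sec + rng.random(), "198.51.100.9"))
    events.sort()
    return events


def analyze(events=None, limit=30, window=10.0, baseline_seconds=60):
    """Run the per-IP limiter and the baseline detector over the timeline."""
    if events is None:
        events = build_events()
    limiter = SlidingWindowLimiter(limit, window)
    blocked = defaultdict(int)
    per_second = defaultdict(int)
    for t, ip in events:
        per_second[int(t)] += 1
        if not limiter.allow(ip, t):
            blocked[ip] += 1
    counts = [per_second[s] for s in range(max(per_second) + 1)]
    flagged, threshold = detect_anomalies(counts, baseline_seconds)
    return {
        "single_ip_blocked": blocked["198.51.100.9"],  # 570: only the first 30 get through
        "bot_requests_blocked": sum(n for ip, n in blocked.items() if ip.startswith("192.0.2.")),  # 0
        "legit_blocked": sum(n for ip, n in blocked.items() if ip.startswith("10.0.")),  # 0
        "anomalous_seconds": [s for s, _ in flagged],  # 60..79: both attack phases
        "threshold": round(threshold, 1),
    }


if __name__ == "__main__":
    print(analyze())
```

The result shows the division of labor: the per-IP limiter blocks 570 of the single client's 600 requests but none of the bots', while the baseline detector flags every second of both attack phases because the aggregate rate is far above the learned threshold. In production the baseline would be learned per time of day and per endpoint, and the alert would trigger the mitigation runbook rather than a print.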
