A Distributed Denial of Service (DDoS) attack is an attempt to make a server, network, or application unavailable to its intended users by overwhelming it with traffic from many sources simultaneously. Unlike brute-force hacking or data exfiltration, the goal is not to break in. It is to break availability. If legitimate users cannot reach your service, the attack has succeeded.

DDoS attacks have grown from a nuisance tool used by script kiddies in the early 2000s into a weapon capable of taking down critical infrastructure, extorting businesses, and disrupting entire regions of the internet. In 2025 alone, Cloudflare mitigated 47.1 million DDoS attacks across its network, a 121% increase year over year. Understanding how these attacks work is the first step toward defending against them.

DoS vs. DDoS: What Makes It "Distributed"

A Denial of Service (DoS) attack originates from a single source. One machine sends enough traffic or crafted requests to exhaust a target's resources. DoS attacks are limited by the attacker's own bandwidth, CPU, and network connection. If the attacker has a 1 Gbps link, that is the ceiling for their attack.

A Distributed Denial of Service (DDoS) attack removes that ceiling. Instead of one machine, the attack comes from hundreds, thousands, or millions of sources simultaneously. These sources may be compromised devices in a botnet, misconfigured internet services acting as unwitting amplifiers, or a combination of both. Because the traffic arrives from many different IP addresses and often many different geographic locations, it is far harder to filter and far more powerful in aggregate.

The "distributed" aspect is what makes DDoS attacks so effective. You cannot simply block one IP address. You cannot rate-limit one source. The traffic looks like it is coming from everywhere at once, and in many cases, it is.

How a DDoS Attack Works

Most large-scale DDoS attacks follow a three-phase lifecycle: recruitment, coordination, and execution.

Phase 1: Botnet Recruitment

The attacker builds or rents a network of compromised devices (a botnet). These devices are typically infected through malware distributed via phishing emails, exploit kits targeting unpatched vulnerabilities, or credential stuffing against IoT devices with default passwords. Common botnet members include home routers, IP cameras, DVRs, smart TVs, and increasingly, compromised cloud instances. The Mirai botnet that powered the 2016 Dyn DNS attack comprised roughly 600,000 IoT devices, most of them cameras and DVRs with factory-default credentials.

Phase 2: Command and Control (C2)

The botnet communicates with a command and control server operated by the attacker. Modern C2 infrastructure uses encrypted channels, domain generation algorithms (DGAs), and peer-to-peer architectures to resist takedown attempts. When the attacker decides to launch, they issue a command specifying the target IP or domain, the attack vector (SYN flood, UDP flood, HTTP flood, etc.), and the duration.

Phase 3: Traffic Generation

Every bot in the network begins sending traffic to the target simultaneously. Depending on the attack type, this traffic may be raw packets designed to consume bandwidth, carefully crafted packets designed to exhaust connection-state tables, or legitimate-looking HTTP requests designed to exhaust application resources. The target sees a massive surge in inbound traffic that its infrastructure cannot handle, and service degrades or fails entirely.

Not all DDoS attacks require botnets. Amplification attacks use a small number of attacker-controlled machines to send spoofed requests to open internet services, which then reflect massive responses toward the victim. A single server with a 1 Gbps connection can generate over 50 Gbps of attack traffic using DNS amplification.

The Three Categories of DDoS Attacks

DDoS attacks are classified into three categories based on which layer of the network stack they target and which resource they aim to exhaust.

  • Volumetric attacks target bandwidth. They flood the target's network link with more traffic than it can carry.
  • Protocol attacks target stateful resources. They exhaust connection tables in firewalls, load balancers, and servers.
  • Application-layer attacks target compute resources. They send requests that are expensive for the application to process.

Real-world attacks frequently combine all three categories in a multi-vector assault, but understanding each one individually is essential for building effective defenses.

Volumetric Attacks: Saturating the Pipe

Volumetric attacks are the simplest to understand: send more data than the target's network link can handle. If your server has a 10 Gbps uplink and the attacker sends 50 Gbps of traffic, the excess is dropped at the upstream router or switch. Your server is effectively offline regardless of how powerful its CPU or how well-configured its firewall.

The most common volumetric attack vectors use amplification, where the attacker sends a small request to a third-party service that generates a much larger response directed at the victim.

UDP Flood

The most basic volumetric attack. The attacker sends a high volume of UDP packets to random ports on the target. The target's operating system checks each packet for a listening application, finds none, and responds with an ICMP "Destination Unreachable" (Port Unreachable) message. At high volumes, this consumes both bandwidth and CPU. Because UDP is connectionless, source IPs are trivially spoofed.

DNS Amplification

The attacker sends DNS queries to open resolvers with the source IP spoofed to the victim's address. The queries request large DNS records (typically ANY or TXT records). A 60-byte query can produce a 4,000-byte response, yielding an amplification factor of roughly 28x to 54x. Thousands of open DNS resolvers exist on the internet, making this vector widely available.

NTP Amplification

Exploits the monlist command in older NTP servers. A 234-byte request to a misconfigured NTP server can produce up to 100 response packets totaling roughly 48,000 bytes. This gives NTP amplification a theoretical amplification factor of around 556x, though real-world factors are typically 20x to 200x depending on the NTP server's client history. The monlist command was deprecated in NTP version 4.2.7, but many legacy servers remain unpatched.

Memcached Reflection

Discovered as an attack vector in early 2018, memcached reflection exploits memcached servers that are exposed to the internet on UDP port 11211. The attacker stores a large payload on the memcached server, then sends a spoofed GET request for that key. Because memcached can store values up to 1 MB and responds over UDP without authentication, the amplification factor can exceed 51,000x. This is by far the highest amplification factor of any known vector and was responsible for the record-breaking 1.35 Tbps attack on GitHub in 2018.

Protocol Attacks: Exhausting State

Protocol attacks do not need to saturate the network link. Instead, they exhaust the finite state tables maintained by firewalls, load balancers, and server operating systems. These devices track active connections, and each entry consumes memory. When the table is full, no new connections can be established.

SYN Flood

The SYN flood exploits the TCP three-way handshake. Under normal conditions, the handshake works as follows:

Client  -->  SYN           -->  Server     (1. Client requests connection)
Client  <--  SYN-ACK       <--  Server     (2. Server acknowledges, allocates state)
Client  -->  ACK           -->  Server     (3. Client confirms, connection established)

In a SYN flood, the attacker sends millions of SYN packets with spoofed source IPs. The server responds with SYN-ACK packets and allocates a slot in its connection table for each half-open connection, waiting for the final ACK that will never arrive. Each half-open connection consumes memory and a slot in the backlog queue. Once the queue is full, the server rejects all new TCP connections, including those from legitimate users.

Modern operating systems implement SYN cookies (RFC 4987) to mitigate this by not allocating state until the handshake completes, but stateful firewalls and load balancers sitting in front of the server may still be vulnerable if they track each SYN in their own connection tables.
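To make concrete how SYN cookies let a server answer a flood of spoofed SYNs without keeping a backlog entry for each one, here is an added Python sketch (not code from the original article or from any real TCP stack) of the scheme: a minute counter, an MSS index and a keyed hash are packed into the initial sequence number sent in the SYN-ACK, and the server only creates connection state once an ACK returns carrying cookie + 1. The secret, the four-entry MSS table, the two-minute validity window and the addresses are constructed for the demo.

```python
import hashlib
import hmac

# Constructed per-boot secret (assumption): a real stack rotates it periodically.
SECRET = b"constructed-demo-secret"
# MSS values the 4-bit field can encode; a simplified table, not Linux's exact one.
MSS_TABLE = [536, 1220, 1440, 1460]

def _mac(saddr, daddr, sport, dport, t):
    """20-bit keyed hash over the connection 4-tuple and the minute counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & 0xFFFFF

def make_cookie(saddr, daddr, sport, dport, mss, now):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side:
    the cookie itself is the state. Layout (32 bits):
    [8-bit minute counter][4-bit MSS index][20-bit MAC]."""
    t = (now // 60) & 0xFF
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return (t << 24) | (idx << 20) | _mac(saddr, daddr, sport, dport, t)

def check_cookie(saddr, daddr, sport, dport, ack, now, max_age_min=2):
    """Validate the final ACK of the handshake, whose ack number is cookie + 1.
    Returns the negotiated MSS, or None if the cookie is forged or too old.
    Only now, after proof the client can receive at its address, is a socket created."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, idx = cookie >> 24, (cookie >> 20) & 0xF
    age = (((now // 60) & 0xFF) - t) & 0xFF
    if age > max_age_min or idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFF) != _mac(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[idx]

if __name__ == "__main__":
    now = 1_700_000_000
    # Spoofed SYNs cost the server one SYN-ACK each; no backlog entry is kept.
    isn = make_cookie("203.0.113.7", "198.51.100.1", 40000, 443, 1460, now)
    print("legit ACK  ->", check_cookie("203.0.113.7", "198.51.100.1", 40000, 443, isn + 1, now))
    print("forged ACK ->", check_cookie("203.0.113.7", "198.51.100.1", 40000, 443, isn + 2, now))
    print("stale ACK  ->", check_cookie("203.0.113.7", "198.51.100.1", 40000, 443, isn + 1, now + 600))
```

The cost of this design, as in real stacks, is that TCP options beyond the encoded MSS are lost for cookie-validated connections, which is why it is normally enabled only once the backlog overflows.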

ACK Flood

The attacker sends a high volume of TCP ACK packets. Stateless devices pass them through because ACK packets are part of normal traffic. But stateful firewalls must look up each ACK against their connection table to determine if it belongs to an established session. At high volumes, this lookup process itself becomes the bottleneck, consuming CPU and memory on the firewall.

Fragmented Packet Attacks

The attacker sends a stream of IP fragments that are intentionally malformed or incomplete. The target's TCP/IP stack must hold fragments in a reassembly buffer until all fragments of a packet arrive. By sending initial fragments without the completing fragments, or by sending overlapping fragments that conflict, the attacker fills the reassembly buffer and consumes memory. Some implementations also suffer CPU exhaustion from attempting to resolve conflicting fragment offsets.

Application-Layer Attacks: The Hardest to Detect

Application-layer (Layer 7) attacks are the most sophisticated category. Each request is individually valid and often indistinguishable from legitimate user traffic at the packet level. The damage comes from targeting expensive operations: database queries, authentication endpoints, file uploads, search functions, or API calls that trigger complex backend processing.

HTTP Flood

The attacker sends a high volume of HTTP GET or POST requests to resource-intensive endpoints. Unlike volumetric attacks, these requests complete full TCP handshakes and present valid HTTP headers, making them invisible to network-layer defenses. A single HTTP POST to a search endpoint that triggers a full-text database query may consume 100x more server resources than serving a static page. At scale, this can exhaust web server workers, database connections, and application memory.

Slowloris

Rather than overwhelming the server with volume, Slowloris holds connections open as long as possible. It opens many HTTP connections and sends partial headers slowly, adding one header line every few seconds to prevent the connection from timing out. Each connection occupies a worker thread or process on the web server. Apache's default prefork configuration, for example, allows 256 simultaneous connections. Slowloris can exhaust all 256 with minimal bandwidth, making the server unavailable despite the network link being nearly idle.

DNS Query Flood

The attacker sends a high volume of DNS queries for random subdomains of the target's domain (e.g., a8x9z.example.com, b3k7m.example.com). Because these subdomains do not exist in any cache, each query forces the authoritative DNS server to perform a full lookup. This exhausts the DNS server's processing capacity, preventing it from resolving queries for legitimate records. The randomized subdomain approach defeats DNS caching entirely.

Application-layer attacks are the hardest to detect because the traffic is low-volume, protocol-compliant, and often uses real browser fingerprints. Network-level metrics like packets per second or bandwidth utilization may appear normal while the application is completely unresponsive. Detection requires monitoring at the application level: request rates per endpoint, response latency, error rates, and backend resource utilization.
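An added example of the application-level monitoring described above (constructed for this article, not Flowtriq's code): it profiles an access log per endpoint and flags endpoints where request rate, p95 latency and error rate degrade together, even though the total request volume stays modest and every request is well-formed. The log format is an assumed custom one: client IP, epoch second, method, path, status, response time in milliseconds; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log format (assumption): client_ip epoch_seconds method path status response_ms
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path, status, ms = m.groups()
            yield ip, int(ts), path, int(status), int(ms)

def profile(lines):
    """Per-endpoint view over the span of `lines`: requests/second, p95 latency,
    5xx ratio and number of distinct client IPs."""
    by_path, times = defaultdict(list), []
    for ip, ts, path, status, ms in parse(lines):
        by_path[path].append((ip, status, ms))
        times.append(ts)
    span = (max(times) - min(times) + 1) if times else 1
    stats = {}
    for path, rows in by_path.items():
        lat = sorted(ms for _, _, ms in rows)
        stats[path] = {
            "rps": len(rows) / span,
            "p95_ms": lat[min(len(lat) - 1, int(0.95 * len(lat)))],
            "err": sum(s >= 500 for _, s, _ in rows) / len(rows),
            "ips": len({ip for ip, _, _ in rows}),
        }
    return stats

def find_abused_endpoints(baseline, current, rate_x=5.0, lat_x=2.0, err_max=0.1):
    """Flag endpoints whose request rate rose rate_x times over baseline AND whose
    p95 latency or 5xx ratio also degraded; a rate jump alone may be a real traffic spike."""
    alerts = []
    for path, cur in current.items():
        base = baseline.get(path, {"rps": 0.0, "p95_ms": cur["p95_ms"], "err": 0.0})
        rate_up = cur["rps"] >= rate_x * max(base["rps"], 0.1)
        degraded = cur["p95_ms"] >= lat_x * base["p95_ms"] or cur["err"] > err_max
        if rate_up and degraded:
            alerts.append((path, round(cur["rps"], 1), cur["p95_ms"], cur["ips"]))
    return alerts

def sample_logs():
    """Constructed: 60 s of normal traffic, then 60 s in which /search is hammered
    by 40 clients while the static and login endpoints stay at their usual rate."""
    t0 = 1_700_000_000
    normal, attack = [], []
    for t in range(60):
        normal += [f"198.51.100.{i % 20 + 1} {t0 + t} GET /static/app.js 200 {8 + i % 5}" for i in range(10)]
        normal.append(f"198.51.100.{t % 20 + 1} {t0 + t} POST /login 200 {90 + t % 10}")
        if t % 2 == 0:
            normal.append(f"198.51.100.{t % 20 + 1} {t0 + t} POST /search 200 {180 + t % 40}")
    for t in range(60, 120):
        attack += [f"198.51.100.{i % 20 + 1} {t0 + t} GET /static/app.js 200 {8 + i % 5}" for i in range(10)]
        attack.append(f"198.51.100.{t % 20 + 1} {t0 + t} POST /login 200 {90 + t % 10}")
        attack += [f"203.0.113.{i + 1} {t0 + t} POST /search {503 if i % 4 == 0 else 200} {1500 + i * 50}"
                   for i in range(40)]
    return normal, attack

if __name__ == "__main__":
    normal, attack = sample_logs()
    print(find_abused_endpoints(profile(normal), profile(attack)))
```

Note that total request volume roughly triples here, which a bandwidth graph would barely register, while the one expensive endpoint goes from half a request per second to forty.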

Real-World DDoS Attacks That Made History

GitHub, February 2018: 1.35 Tbps

On February 28, 2018, GitHub was hit by the largest DDoS attack recorded at the time. The attack used memcached amplification, sending spoofed UDP requests to thousands of exposed memcached servers that reflected massive responses toward GitHub's infrastructure. The attack peaked at 1.35 Tbps of inbound traffic. GitHub's traffic was routed through Akamai Prolexic within 10 minutes, and the attack was fully mitigated within 20 minutes. This incident put memcached reflection on the map as a critical attack vector and prompted a wave of efforts to secure exposed memcached servers.

AWS, February 2020: 2.3 Tbps

Disclosed in the AWS Shield Q1 2020 threat report, this CLDAP (Connection-less Lightweight Directory Access Protocol) reflection attack targeted an AWS customer and peaked at 2.3 Tbps. CLDAP reflection exploits Active Directory domain controllers exposed to the internet on UDP port 389. A small query generates a response 56x to 70x larger, and with hundreds of thousands of exposed domain controllers available as reflectors, the attacker generated the largest volumetric attack on record at the time. AWS Shield Advanced absorbed the attack at the edge.

Cloudflare, January 2025: 5.6 Tbps

In early 2025, Cloudflare disclosed a 5.6 Tbps UDP flood attack originating from a Mirai-variant botnet comprising approximately 13,000 IoT devices. The attack lasted roughly 80 seconds and targeted an internet service provider in Eastern Asia. Cloudflare's anycast network absorbed it automatically without human intervention. Later in Q1 2025, Cloudflare reported mitigating a hyper-volumetric attack that peaked at 4.8 billion packets per second (Bpps), demonstrating that modern attacks are pushing both bandwidth and packet-rate boundaries simultaneously.

Who Gets Targeted and Why

DDoS attacks are not random. Targets are selected for specific reasons.

  • Gaming and gambling: Competitors or disgruntled players use DDoS to disrupt game servers and online casinos. The gaming industry consistently accounts for the largest share of DDoS attacks by volume.
  • Financial services: Banks, payment processors, and cryptocurrency exchanges are targeted for extortion (ransom DDoS) or to manipulate markets during trading windows.
  • SaaS and cloud providers: Attacking a SaaS platform affects all its customers, maximizing disruption and pressure to pay ransoms.
  • Government and political targets: Hacktivist groups use DDoS as a form of protest. State-sponsored actors use it as a component of hybrid warfare, often alongside cyberattacks and information operations.
  • Competitive sabotage: Some businesses DDoS competitors during product launches, sales events, or contract bidding periods.
  • Extortion: Ransom DDoS (RDDoS) groups send threatening emails demanding payment in cryptocurrency, often demonstrating their capability with a brief attack before issuing the full demand.

How DDoS Attacks Are Detected

Early detection is the difference between a 30-second disruption and a 30-minute outage. The core detection methods include:

PPS and BPS Monitoring

The most fundamental detection signal is a sudden spike in packets per second (PPS) or bits per second (BPS) that exceeds normal baseline levels. Volumetric and protocol attacks almost always produce obvious PPS/BPS anomalies. The challenge is monitoring granularity: SNMP polling at 5-minute intervals will miss short-lived attacks entirely. Effective detection requires per-second sampling at minimum.

Baseline Anomaly Detection

Static thresholds ("alert if PPS > 100,000") produce too many false positives because traffic patterns vary by time of day, day of week, and season. Anomaly detection builds a dynamic baseline of normal traffic and alerts when current traffic deviates significantly. This catches attacks that are large relative to your normal traffic, even if the absolute numbers are modest.

Packet Analysis

Deep packet inspection reveals attack signatures that aggregate metrics miss. A SYN flood shows up as a sudden spike in SYN packets without corresponding ACK completions. A DNS amplification attack shows up as a flood of large UDP packets from source port 53. Memcached reflection arrives on UDP port 11211. Protocol-level analysis enables classification of the attack vector, which directly informs the mitigation strategy.
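As an added example (not from the article or from Flowtriq), the following Python ties together the three detection pieces described above: per-second PPS counting, a dynamic baseline instead of a static threshold, and the packet-level signatures from this section applied only to the windows the baseline flags. The capture is constructed inline; the ports, flags and vectors follow the text, while the EWMA parameters and the 50% share thresholds are assumptions.

```python
from collections import defaultdict, namedtuple

# One sampled packet: second bucket, protocol, ports, TCP flags ("S", "A", "SA"), length
Pkt = namedtuple("Pkt", "sec proto sport dport flags length")

class Baseline:
    """EWMA baseline of packets per second: a window is anomalous above mean + k * deviation.
    Anomalous windows do not feed the baseline, so an attack cannot become the new normal."""
    def __init__(self, alpha=0.2, k=4.0):
        self.alpha, self.k, self.mean, self.dev = alpha, k, None, 0.0

    def observe(self, pps):
        if self.mean is None:
            self.mean = float(pps)
            return False
        spread = max(self.dev, 0.2 * self.mean)   # floor: a flat baseline must not be hair-trigger
        if pps > self.mean + self.k * spread:
            return True
        self.dev = (1 - self.alpha) * self.dev + self.alpha * abs(pps - self.mean)
        self.mean = (1 - self.alpha) * self.mean + self.alpha * pps
        return False

def classify(window):
    """Signatures from the text: SYNs without ACKs, large UDP from port 53, UDP from port 11211."""
    n = len(window)
    syn = sum(p.proto == "tcp" and p.flags == "S" for p in window)
    ack = sum(p.proto == "tcp" and "A" in p.flags for p in window)
    dns_big = sum(p.proto == "udp" and p.sport == 53 and p.length >= 512 for p in window)
    memc = sum(p.proto == "udp" and p.sport == 11211 for p in window)
    if syn > 0.5 * n and syn > 3 * ack:
        return "syn_flood"
    if dns_big > 0.5 * n:
        return "dns_amplification"
    if memc > 0.5 * n:
        return "memcached_reflection"
    return "unclassified"

def detect(packets):
    """Bucket packets into one-second windows; return (second, pps, vector) per alert."""
    windows = defaultdict(list)
    for p in packets:
        windows[p.sec].append(p)
    base, alerts = Baseline(), []
    for sec in sorted(windows):
        if base.observe(len(windows[sec])):
            alerts.append((sec, len(windows[sec]), classify(windows[sec])))
    return alerts

def sample_capture():
    """Constructed capture: 15 s of steady background traffic plus three attack bursts."""
    pkts = []
    for sec in range(15):
        pkts += [Pkt(sec, "tcp", 40000 + i, 443, "A", 52) for i in range(40)]
        pkts += [Pkt(sec, "tcp", 41000 + i, 443, "S", 60) for i in range(5)]
        pkts += [Pkt(sec, "udp", 53, 34000 + i, "", 120) for i in range(5)]   # ordinary DNS answers
        if sec in (10, 11):   # spoofed SYN flood
            pkts += [Pkt(sec, "tcp", 1024 + i, 443, "S", 60) for i in range(3000)]
        if sec == 12:         # memcached reflection
            pkts += [Pkt(sec, "udp", 11211, 443, "", 1400) for _ in range(2000)]
        if sec == 13:         # DNS amplification: large answers from port 53
            pkts += [Pkt(sec, "udp", 53, 443, "", 1200) for _ in range(500)]
    return pkts

if __name__ == "__main__":
    print(detect(sample_capture()))
```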

Flow-Based vs. Host-Based Detection

Flow-based detection (NetFlow, sFlow, IPFIX) operates at the router or switch level and provides a sampled view of traffic patterns across the network. It is useful for detecting large volumetric attacks but misses low-and-slow application-layer attacks due to sampling. Host-based detection operates on the server itself, monitoring every packet with tools like XDP/eBPF or kernel-level PPS counters. It provides complete visibility for that host but has no view of the broader network. A comprehensive detection strategy uses both.

The Modern Mitigation Stack

No single mitigation technique handles all attack types. Defense in depth requires multiple layers, each designed to stop attacks at the appropriate point in the network path.

Local Firewall Rules

The first line of defense. Iptables, nftables, or Windows Firewall rules can drop known-bad traffic patterns (e.g., UDP from source port 11211 if you never need memcached responses). XDP and eBPF programs can filter packets before they reach the kernel's TCP/IP stack, achieving millions of drops per second with minimal CPU overhead. Local rules are effective against small attacks and specific vectors but cannot help when the attack saturates the upstream link.

BGP FlowSpec

BGP FlowSpec allows network operators to distribute traffic filtering rules via BGP to their upstream providers. Rather than null-routing an entire IP (which takes the target offline), FlowSpec rules can selectively drop traffic matching specific criteria: source port, destination port, protocol, packet size, or fragment flags. This pushes filtering upstream to where the bandwidth exists, but requires BGP peering relationships and provider support.

Remote Triggered Black Hole (RTBH)

When all else fails, RTBH uses BGP communities to instruct upstream routers to drop all traffic destined for a specific IP address. This stops the attack but also makes the target unreachable. It is a last resort used to protect the rest of the network when a single IP is attracting enough attack traffic to affect neighboring services.

Cloud Scrubbing

Services like Cloudflare Magic Transit, Akamai Prolexic, and AWS Shield route traffic through their global scrubbing infrastructure. Attack traffic is identified and dropped at the scrubbing center, and clean traffic is forwarded to the origin. These services have aggregate network capacities measured in hundreds of terabits and can absorb even the largest known attacks. The tradeoff is latency (traffic must travel through the scrubbing center) and cost.

Anycast Distribution

Anycast routes traffic to the nearest node in a distributed network. If a target IP is announced from 50 data centers worldwide via anycast, an attack targeting that IP is automatically split across all 50 locations. Each location only handles a fraction of the total attack volume. This is the fundamental architecture behind Cloudflare, Google Cloud Armor, and other large-scale DDoS mitigation platforms.

The DDoS Landscape in 2026

The DDoS threat continues to escalate along every measurable axis.

Cloudflare's 2025 annual report documented 47.1 million DDoS attacks mitigated over the year, a 121% increase over 2024. The largest single attack recorded reached 5.6 Tbps in January 2025. Hyper-volumetric attacks (exceeding 1 Tbps or 1 Bpps) are no longer rare events. They occurred with increasing regularity throughout 2025, driven primarily by IoT botnets running variants of Mirai.

Several trends define the 2026 landscape:

  • IoT botnet growth: The number of internet-connected devices continues to outpace security efforts. Many IoT manufacturers still ship devices with default credentials and no automatic update mechanism. Each new wave of devices adds potential botnet capacity.
  • DDoS-for-hire commoditization: Booter and stresser services are available for as little as $10/month, lowering the barrier to entry. Law enforcement operations (Operation PowerOFF and others) have disrupted some services, but new ones appear rapidly.
  • AI-driven attack adaptation: Emerging attack tools use machine learning to adjust traffic patterns in real time, shifting vectors and source distributions to evade detection signatures. This makes static filtering rules progressively less effective.
  • Multi-vector attacks: Modern attacks rarely use a single vector. A typical 2026 attack might combine a volumetric UDP flood to consume bandwidth, a SYN flood to exhaust firewall state tables, and an HTTP flood to overwhelm the application, all simultaneously. This forces defenders to address multiple layers at once.
  • Ransom DDoS persistence: RDDoS campaigns continue to target organizations across all sectors, with demand amounts increasing and follow-through attacks becoming more capable.

Detection Is the First Line of Defense

Mitigation only works if you know you are under attack. Many organizations discover they are being DDoSed when customers start complaining, which means the attack has already succeeded for minutes or more. Per-second monitoring of packets per second, bits per second, connection rates, and protocol distribution gives operations teams the visibility to detect attacks within seconds of their start and to classify the vector before choosing a mitigation strategy.

Flowtriq provides per-server DDoS detection with sub-second alerting. It runs on each node in your infrastructure, monitors traffic at the kernel level, automatically classifies attack vectors, and sends alerts to your team through any channel: Slack, Discord, PagerDuty, OpsGenie, email, SMS, or webhook. Detection starts at $9.99/month per node with a 7-day free trial.

See attacks the moment they start. Flowtriq gives you per-second visibility into every packet hitting your infrastructure. Automatic classification identifies the attack vector. Alerts fire in under a second. Start your free 7-day trial and monitor your first node in under five minutes.
