
What Is a DDoS Attack?

A DDoS attack, or distributed denial-of-service attack, overwhelms a target with traffic from many sources to make a service unavailable to legitimate users. A DDoS attack targets availability, the ability of a system to respond, by exhausting its bandwidth, connections, or processing capacity. The Cybersecurity and Infrastructure Security Agency (CISA) and content delivery providers such as Cloudflare document these attacks and the methods that mitigate them.

This article defines a DDoS attack, distinguishes it from a denial-of-service attack, explains how botnets power it, describes the attack types, reviews real examples, and explains how to mitigate it. A table summarizes the attack types. Each section states one part of the topic and connects it to the flood of traffic at the center of the definition.

The content is defensive and does not describe how to conduct an attack. The result is a complete account of what a DDoS attack is, how it works, and how to defend against it.

What Is a DDoS Attack?

A DDoS attack is a distributed denial-of-service attack that overwhelms a target with traffic from many sources to make a service unavailable to legitimate users. A DDoS attack targets availability, flooding a server, network, or application until it cannot respond. The defining traits of a DDoS attack are listed below:

  • Distributed sources send traffic from many devices at once rather than from a single machine.
  • The target is availability, the service’s ability to respond to legitimate requests.
  • Resource exhaustion consumes bandwidth, connections, or processing until the service fails.
  • No data breach is required, since the goal is disruption rather than theft.

A DDoS attack is one category of cyberattack, targeting availability rather than confidentiality or integrity. It is among the most disruptive of the common network attacks, since a successful flood takes a service offline.

What Is the Difference Between DoS and DDoS?

A denial-of-service (DoS) attack floods a target from a single source, while a distributed denial-of-service (DDoS) attack floods it from many sources at once. The distinction is the number of attacking sources. The differences are listed below:

  • A DoS attack originates from one device, making it easier to identify and block.
  • A DDoS attack originates from many devices, making the traffic harder to filter.
  • Scale gives a DDoS attack far greater traffic volume than a single source can produce.
  • Attribution is harder for a DDoS attack, since the traffic comes from many addresses.

A DDoS attack is harder to defend against than a DoS attack because blocking one source does not stop the flood, according to CISA guidance. The distributed nature requires defenses that filter or absorb traffic from many sources at once.

How Do Botnets Power a DDoS Attack?

A botnet powers a DDoS attack by combining many compromised devices under one attacker’s control to generate the traffic flood. A botnet supplies the distributed sources that define the attack. The role of a botnet is listed below:

  • Compromised devices are computers, servers, and connected devices infected with malware that places them under remote control.
  • Command and control lets the operator direct every infected device from a central point.
  • Combined traffic from thousands of devices produces a volume no single machine could reach.
  • Unaware owners often do not know their devices are part of the botnet.

The Mirai botnet, which infected insecure Internet of Things devices, powered some of the largest recorded DDoS attacks in 2016. Keeping devices patched and protected reduces botnet recruitment, one part of defending against a cyberattack.


What Are the Types of DDoS Attacks?

The types of DDoS attacks are volumetric attacks, protocol attacks, and application-layer attacks. Each type exhausts a different resource of the target. The types are listed below:

  • Volumetric attacks consume bandwidth by flooding the target with a high volume of traffic, measured in bits per second.
  • Protocol attacks exhaust server or network equipment resources by abusing weaknesses in network protocols.
  • Application-layer attacks overwhelm a specific application or web service with requests that appear legitimate.
  • Multi-vector attacks combine several types at once to complicate the defense.

Volumetric attacks saturate the connection, protocol attacks exhaust equipment, and application-layer attacks target the service itself, according to Cloudflare and CISA classifications. Application-layer attacks are harder to detect because their requests resemble legitimate traffic, unlike the broad flood of a volumetric attack.

What Are Real Examples of DDoS Attacks?

Real examples of DDoS attacks include large attacks on DNS providers and record-setting floods against major websites. These examples show the scale and impact a DDoS attack can reach. The notable examples are listed below:

  • The 2016 Dyn attack used the Mirai botnet to flood a major DNS provider, disrupting access to many large websites.
  • Record volumetric attacks reported by Cloudflare and other providers have exceeded terabits per second of traffic.
  • Attacks on DNS infrastructure are common because disrupting name resolution affects many services at once.
  • Application-layer floods have targeted login pages and APIs to exhaust specific services.

The 2016 attack on the DNS provider Dyn showed how disrupting shared infrastructure affects many services at once. Mitigation providers report attack sizes have grown steadily, making upstream defense essential against the largest of these network attacks.

How Do You Mitigate a DDoS Attack?

A DDoS attack is mitigated through content delivery networks, traffic scrubbing, rate limiting, and upstream mitigation providers. Mitigation absorbs or filters the flood so the service stays reachable. The core mitigations are listed below:

  • Content delivery networks (CDNs) distribute traffic across many servers to absorb a flood.
  • Traffic scrubbing routes traffic through a service that filters out malicious packets.
  • Rate limiting caps requests per source to keep a flood from overwhelming the target.
  • Upstream providers such as Cloudflare and Akamai filter attack traffic before it reaches the origin.
  • Redundancy spreads a service across multiple servers and regions so no single point fails.

CISA recommends combining upstream mitigation, rate limiting, and redundancy so a flood is absorbed before it exhausts the target. Routing traffic through a content delivery network and scrubbing service is the primary defense large services use, complementing the layered controls of cybersecurity.
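The rate-limiting and upstream-filtering points above can be shown in code. The following is an added example, not code from the article or from any provider named in it: a sliding-window limiter that caps requests per source, paired with a second, global cap. The per-source cap alone stops a single-source (DoS) flood, but a distributed flood in which every source stays under its cap passes it and is only caught by the global cap, which is why the article stresses upstream capacity. All limits, addresses and traffic volumes are constructed.

```python
from collections import deque, defaultdict

class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per `window_s` seconds for each key."""
    def __init__(self, limit, window_s):
        self.limit = limit
        self.window = window_s
        self.hits = defaultdict(deque)   # key -> timestamps of accepted requests

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # evict timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class Shield:
    """Two layers: a per-source cap (stops one noisy client) and a global cap
    (protects the origin when many sources each stay under their own cap).
    Thresholds are constructed for the example."""
    def __init__(self, per_source=20, global_limit=500, window_s=1.0):
        self.per_source = SlidingWindowLimiter(per_source, window_s)
        self.overall = SlidingWindowLimiter(global_limit, window_s)

    def check(self, src_ip, now):
        if not self.per_source.allow(src_ip, now):
            return "drop:per-source"
        if not self.overall.allow("*", now):
            return "drop:global"
        return "allow"

def simulate(sources, requests_per_source, shield=None):
    """Each source sends `requests_per_source` requests inside a single one-second
    window; return a tally of the limiter's decisions."""
    shield = shield or Shield()
    counts = defaultdict(int)
    for i in range(requests_per_source):
        for src in sources:
            counts[shield.check(src, i * 0.001)] += 1   # all timestamps fall in one window
    return dict(counts)

if __name__ == "__main__":
    # Single source (DoS-like): 100 requests, per-source cap does the work.
    print("DoS  ", simulate(["198.51.100.7"], 100))
    # 100 sources x 10 requests (DDoS-like): per-source cap never trips, global cap does.
    print("DDoS ", simulate([f"203.0.113.{i}" for i in range(100)], 10))
```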

What Are the Warning Signs of a DDoS Attack?

The warning signs of a DDoS attack are sudden slowdowns, service outages, and a spike in traffic from many sources. A warning sign indicates that a flood may be in progress. The warning signs are listed below:

  • Sudden slowdowns show a service responding far more slowly than normal.
  • Service outages make a website or application unreachable without a known cause.
  • A traffic spike appears as an unusual surge in requests from many addresses.
  • Patterns in the traffic show repeated requests to the same resource from distributed sources.

Monitoring traffic for these patterns allows a faster response, since early detection lets mitigation begin before a full outage. Distinguishing an attack from a legitimate traffic surge relies on the monitoring controls within cybersecurity.
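The warning signs listed above (a request spike, many distinct sources, repeated requests to one resource) can be computed from access logs. The following is an added example, not part of the article: it reads constructed log lines in an assumed `<ISO timestamp> <source ip> <path>` format, measures a fixed window, and returns a heuristic verdict that separates a distributed flood on one resource from a single-source flood and from a surge spread across many resources. Thresholds and sample traffic are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

def parse(line):
    """Constructed log format: '<ISO timestamp> <source ip> <request path>'."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def window_metrics(lines, start, seconds):
    """Requests, distinct sources and share of the busiest path in [start, start+seconds)."""
    end = start + timedelta(seconds=seconds)
    ips, paths = Counter(), Counter()
    for line in lines:
        ts, ip, path = parse(line)
        if start <= ts < end:
            ips[ip] += 1
            paths[path] += 1
    total = sum(ips.values())
    top_share = paths.most_common(1)[0][1] / total if total else 0.0
    return {"requests": total, "sources": len(ips), "top_path_share": round(top_share, 2)}

def assess(metrics, baseline_rps, seconds, spike=5, min_sources=20, concentration=0.8):
    """Heuristic: a rate far above baseline, from many sources, concentrated on one
    resource matches the article's warning signs for a distributed flood."""
    rps = metrics["requests"] / seconds
    if rps < spike * baseline_rps:
        return "normal"
    if metrics["sources"] < min_sources:
        return "suspected-dos"        # high rate, but few sources: single-origin flood
    if metrics["top_path_share"] >= concentration:
        return "suspected-ddos"       # many sources hammering the same resource
    return "surge"                    # many sources spread over many resources

# Constructed sample: 10 s of baseline traffic (2 rps, 5 clients, 7 pages),
# followed by 10 s of 60 rps from 50 addresses all requesting /login.
BASE = datetime(2024, 1, 1, 12, 0, 0)
NORMAL = [f"{(BASE + timedelta(seconds=i // 2)).isoformat()} 192.0.2.{i % 5 + 1} /page{i % 7}"
          for i in range(20)]
FLOOD = [f"{(BASE + timedelta(seconds=10 + i // 60)).isoformat()} 203.0.113.{i % 50 + 1} /login"
         for i in range(600)]

def run(lines=NORMAL + FLOOD, baseline_rps=2.0):
    """Evaluate two consecutive 10-second windows and return (offset, metrics, verdict)."""
    results = []
    for offset in (0, 10):
        m = window_metrics(lines, BASE + timedelta(seconds=offset), 10)
        results.append((offset, m, assess(m, baseline_rps, 10)))
    return results

if __name__ == "__main__":
    for offset, m, verdict in run():
        print(f"t+{offset:>2}s {m} -> {verdict}")
```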

DDoS Attack Types Comparison Table

Type              | Resource Exhausted         | Example Method                       | Primary Mitigation
------------------|----------------------------|--------------------------------------|---------------------------------
Volumetric        | Bandwidth                  | High-volume traffic flood            | CDN, upstream scrubbing
Protocol          | Server / network equipment | Abuse of protocol weaknesses         | Filtering, rate limiting
Application-layer | Application or web service | Flood of legitimate-looking requests | Rate limiting, request filtering
Multi-vector      | Multiple resources         | Combination of attack types          | Layered mitigation services

Who Are the Common Targets of DDoS Attacks?

The common targets of DDoS attacks are websites, online services, DNS providers, and gaming and financial platforms. A target is selected because its availability has high value to its users or owner. The common targets are listed below:

  • Websites and online services are targeted to take a business offline and disrupt revenue.
  • DNS providers are targeted because disrupting name resolution affects many services at once.
  • Gaming and streaming platforms are targeted to disrupt competitive play or extort the operator.
  • Financial services are targeted to disrupt transactions or to mask another attack in progress.

CISA notes that DDoS attacks sometimes serve as a distraction that masks a separate intrusion or data theft. An attack on shared infrastructure such as DNS affects many downstream services, a pattern among the common network attacks.

How Do You Prepare a DDoS Response Plan?

A DDoS response plan, written before an attack occurs, prepares an organization to detect, mitigate, and recover from one. A response plan reduces downtime by defining actions in advance. The elements of a response plan are listed below:

  • Detection sets monitoring and alerts that identify abnormal traffic early.
  • Mitigation contacts establish a relationship with an upstream provider or scrubbing service before an attack.
  • Capacity planning provisions redundancy and overhead to absorb a surge in traffic.
  • Communication defines how to inform users and staff during an outage.
  • Post-incident review analyzes the attack to strengthen defenses afterward.

CISA recommends preparing a response plan and arranging mitigation services in advance, since reacting only after an attack begins increases downtime. A prepared plan turns the layered defenses of cybersecurity into a coordinated response.

Key Takeaways

  • A DDoS attack overwhelms a target with traffic from many sources to make a service unavailable.
  • A DoS attack uses one source, while a DDoS attack uses many, making it harder to block.
  • Botnets supply the compromised devices that generate the traffic flood.
  • The types are volumetric, protocol, and application-layer attacks.
  • Examples include the 2016 Dyn attack and record floods exceeding terabits per second.
  • Mitigation uses CDNs, traffic scrubbing, rate limiting, upstream providers, and redundancy.

What is a DDoS attack in simple terms?

A DDoS attack is a distributed denial-of-service attack that overwhelms a target with traffic from many sources to make a service unavailable to legitimate users. It targets availability rather than stealing data.

What is the difference between DoS and DDoS?

A DoS attack floods a target from a single source, while a DDoS attack floods it from many sources at once. The distributed traffic makes a DDoS attack harder to filter and to attribute.

How do botnets cause DDoS attacks?

A botnet combines many devices infected with malware under one attacker’s control. The combined traffic from thousands of compromised devices produces the flood volume that powers a DDoS attack.

What are the types of DDoS attacks?

The three types are volumetric attacks that consume bandwidth, protocol attacks that exhaust network equipment, and application-layer attacks that overwhelm a specific service. Multi-vector attacks combine them.

How do you stop a DDoS attack?

Mitigate a DDoS attack with content delivery networks, traffic scrubbing, rate limiting, upstream providers such as Cloudflare, and redundancy. These absorb or filter the flood before it exhausts the target.

Is a DDoS attack illegal?

Yes. Conducting a DDoS attack is illegal in most jurisdictions, including under the United States Computer Fraud and Abuse Act. This article covers defense and mitigation only, not how to perform an attack.

Last Thoughts on DDoS Attacks

A DDoS attack is a distributed denial-of-service attack that overwhelms a target with traffic from many sources to make a service unavailable, targeting availability rather than confidentiality or integrity. A DoS attack uses a single source, while a DDoS attack uses many, often supplied by a botnet of compromised devices.

The types are volumetric, protocol, and application-layer attacks, and mitigation uses content delivery networks, traffic scrubbing, rate limiting, upstream providers, and redundancy. Readers can continue with the overview of cyberattacks, the guide to common network attacks, the overview of social engineering, or the introduction to cybersecurity.

Nizam Ud Deen

Nizam Ud Deen is the founder of theCoreiTech, a tech-focused platform dedicated to simplifying the world of computers, hardware, and digital innovation. With nearly a decade of experience in digital marketing and IT, Nizam combines strategic marketing insight with deep technical understanding. As a passionate entrepreneur, he has built multiple successful digital products and online ventures, helping bridge the gap between technology and everyday users. His mission through theCoreiTech is to empower readers to make informed decisions about computers, hardware, and emerging tech trends through clear, data-driven, and actionable content.
