DDoS

Definition

Distributed Denial of Service. An attack that overwhelms a target server or network with massive traffic from many compromised sources (a botnet), rendering the service unavailable to legitimate users.

How DDoS Attacks Work

In a DDoS attack, an adversary directs traffic from thousands or millions of compromised devices — forming a botnet — toward a single target. The sheer volume overwhelms the target's network capacity, server resources, or both. Unlike a single-source DoS attack, the distributed nature makes IP-based blocking ineffective: blocking one source addresses only a fraction of the traffic.

Attack types vary. Volumetric attacks flood bandwidth (UDP floods, ICMP floods). Protocol attacks exhaust stateful resources such as firewall connection tables (SYN floods). Application-layer attacks send seemingly legitimate requests at high volume, targeting specific application endpoints that are expensive to process.

Amplification Attacks

Amplification exploits protocols that return much larger responses than the request. DNS amplification sends small queries with a spoofed source IP to open resolvers; the resolvers send large responses to the victim. Amplification factors of 50x or more are possible with DNS, NTP, and memcached. Source address filtering (BCP38) at ISPs is a key mitigation, because it drops the spoofed-source packets that the technique depends on before they leave the originating network.
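The following is an added example, not part of the original glossary entry, showing the BCP38 mitigation named above as code: an edge router performs ingress source-address validation, forwarding a packet from a customer-facing interface only if its source address lies inside a prefix assigned to that customer. The interface names, prefixes and packet records are constructed for illustration (documentation address ranges, not real hosts).

```python
"""Added example (not from the glossary): BCP38-style ingress source-address
validation over constructed packet records. Spoofed requests that claim a
victim's address as their source are dropped at the network edge, so they can
never reach an open resolver and trigger an amplified response."""
import ipaddress

# Constructed: customer-facing interface -> prefixes assigned to that customer.
ASSIGNED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Constructed packet records: (ingress_interface, source_ip, dest_ip, dst_port).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.53", 53),       # legitimate DNS query
    ("cust-a", "203.0.113.99", "203.0.113.53", 53),     # spoofed: source is the victim
    ("cust-b", "198.51.100.4", "203.0.113.123", 123),   # legitimate NTP query
    ("cust-b", "192.0.2.10", "203.0.113.53", 53),       # cust-a's address on cust-b's port
    ("cust-b", "2001:db8:b::1", "2001:db8:53::1", 53),  # legitimate IPv6 DNS query
    ("cust-c", "10.0.0.1", "203.0.113.53", 53),         # interface with no assigned prefix
]


def source_allowed(interface: str, src: str) -> bool:
    """True if `src` falls inside a prefix assigned to `interface`.
    An interface with no assignment allows nothing (default deny)."""
    addr = ipaddress.ip_address(src)
    # Membership test is version-aware: an IPv6 address is never "in" an IPv4 prefix.
    return any(addr in net for net in ASSIGNED_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Split packets into (forwarded, dropped) according to source validation."""
    forwarded, dropped = [], []
    for pkt in packets:
        interface, src = pkt[0], pkt[1]
        (forwarded if source_allowed(interface, src) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for pkt in drop:
        print("DROP  ", pkt)
    for pkt in fwd:
        print("FORWARD", pkt)
```

The rule is applied at the customer edge, where the set of legitimate source prefixes is known exactly; further into the core the same check becomes impractical because routes are asymmetric, which is why BCP38 places the filtering at the ISP's access layer.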

DDoS Defense

Modern DDoS mitigation relies on scrubbing centers — facilities with massive network capacity that filter attack traffic, passing only clean traffic to the origin. Cloud providers offer this as a managed service. On-premise solutions use rate limiting, traffic shaping, and firewall rules to shed attack traffic before it reaches application servers. Understanding intrusion detection systems (IDS) is valuable context for identifying DDoS traffic patterns early.
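The following is an added example, not part of the original glossary entry, illustrating the rate-limiting defense mentioned above and the point made earlier that per-IP blocking is ineffective against distributed traffic. Two sliding-window limiters are run over a constructed access log: a per-source limit, which stops a single noisy host, and a per-endpoint limit on an expensive application endpoint, which catches the distributed flood that stays under the per-source threshold. The thresholds, endpoint names and addresses are constructed for illustration.

```python
"""Added example (not from the glossary): per-source and per-endpoint
sliding-window rate limits over a constructed access log. A per-IP limit
sheds a single-source flood but passes a distributed flood in which each
host stays under the threshold; an aggregate limit on the expensive endpoint
is what catches the latter."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_events` events per key within any `window` seconds."""

    def __init__(self, window: float, max_events: int):
        self.window = window
        self.max_events = max_events
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key: str, ts: float) -> bool:
        dq = self._events[key]
        while dq and ts - dq[0] >= self.window:  # evict timestamps that aged out
            dq.popleft()
        if len(dq) >= self.max_events:
            return False
        dq.append(ts)
        return True


def build_sample_log():
    """Constructed access log of (timestamp, source_ip, endpoint) tuples, all
    within one second. Three populations: five legitimate clients, one
    single-source flooder (50 requests), and a distributed flood of 100 hosts
    sending 5 requests each to the expensive /search endpoint. Addresses are
    documentation ranges, not real hosts."""
    log = []
    for i in range(5):
        ip = f"192.0.2.{i + 1}"
        log += [(0.1 * i, ip, "/"), (0.1 * i + 0.05, ip, "/static/app.js")]
    flooder = "198.51.100.7"
    log += [(0.01 * k, flooder, "/search") for k in range(50)]
    for host in range(100):
        ip = f"203.0.113.{host}"
        log += [(0.2 + 0.005 * host + 0.001 * k, ip, "/search") for k in range(5)]
    log.sort()
    return log


def classify(log, per_source_max=10, per_endpoint_max=100, window=1.0):
    """Run both limiters over the log; return the rejection counts each produced."""
    by_source = SlidingWindowLimiter(window, per_source_max)
    by_endpoint = SlidingWindowLimiter(window, per_endpoint_max)
    rejected_by_source = defaultdict(int)
    rejected_by_endpoint = defaultdict(int)
    for ts, ip, path in log:
        if not by_source.allow(ip, ts):
            rejected_by_source[ip] += 1
            continue  # already shed; it never reaches the endpoint counter
        if not by_endpoint.allow(path, ts):
            rejected_by_endpoint[path] += 1
    return dict(rejected_by_source), dict(rejected_by_endpoint)


if __name__ == "__main__":
    by_src, by_ep = classify(build_sample_log())
    print("rejected by per-source limit:  ", by_src)   # only the single flooder
    print("rejected by per-endpoint limit:", by_ep)    # the distributed flood
```

On this log the per-source limiter rejects 40 requests, all from the one flooder, and nothing from the 100 distributed hosts (5 requests each is under the threshold); the per-endpoint limiter then rejects 410 of the 510 /search requests that reached it. In production the endpoint limit would be replaced by cost-weighted budgets and the shedding would happen at the load balancer or scrubbing layer, but the two-level structure is the same.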
