What is a DDoS Attack?
A DDoS attack overwhelms your systems with traffic to take them offline. Learn how distributed denial of service attacks work, who conducts them, and how to defend against them.
How DDoS Attacks Work
DDoS attacks function by exploiting a fundamental characteristic of network infrastructure: servers and network connections have finite capacity. A web server can handle a certain number of simultaneous connections. A network link can carry a certain amount of traffic measured in gigabits per second. When the volume of incoming requests or traffic exceeds that capacity, legitimate requests cannot be processed and the service becomes unavailable.
Volumetric Attacks
Volumetric attacks — also called bandwidth attacks — work by sending more traffic to the target than its internet connection can carry. Measured in bits per second (Gbps or Tbps) or packets per second (pps), the largest volumetric attacks now exceed 1 Tbps, hundreds of times what a typical enterprise internet connection can carry. Most large volumetric attacks are reflection attacks that use amplification to multiply the traffic each attacking device generates: the attacker sends small UDP requests to open, internet-facing services with the source address spoofed to the victim's IP, so the services deliver their much larger responses to the victim. DNS amplification abuses open resolvers that answer spoofed queries with responses 50-70 times the size of the request; NTP amplification abuses servers that still answer the monlist command, reaching amplification factors of up to 556x. Because amplification depends on spoofed source addresses, networks that filter outbound spoofed packets (BCP 38 ingress filtering) deny attackers this multiplier, and reflected traffic has a recognizable shape on the victim's side: UDP from a well-known service port, arriving from many unrelated hosts, at volumes no legitimate client ever requested.
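The reflection signature described above can be checked against flow records. The following is an added example, not code from the original page or from any DDoS mitigation vendor: it aggregates a constructed one-second flow snapshot by victim and reflector service and flags destinations that receive large volumes from many unrelated sources. The reflector port list, amplification factors (taken from US-CERT alert TA14-017A and assumed representative only), thresholds, and the sample addresses are all assumptions for the example.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the port their
# responses come from, with the bandwidth amplification factor cited for each
# in US-CERT alert TA14-017A (assumed representative; real factors vary).
REFLECTORS = {
    53: ("DNS", 54.0),
    123: ("NTP monlist", 556.9),
    1900: ("SSDP", 30.8),
    11211: ("memcached", 51000.0),
}


def detect_reflection(flows, min_bytes=5_000_000, min_sources=50):
    """Flag victims of reflected UDP amplification traffic.

    `flows` is an iterable of dicts (src_ip, src_port, dst_ip, dst_port,
    proto, bytes, packets) covering a one-second window, so byte counts are
    effectively bytes per second. Returns {(victim_ip, service): stats}.
    """
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTORS:
            continue
        # Key on the destination and the abused service. A genuine response
        # comes from a handful of servers the host actually queried; reflected
        # traffic arrives from hundreds of unrelated hosts aimed at one victim.
        st = agg[(f["dst_ip"], f["src_port"])]
        st["bytes"] += f["bytes"]
        st["packets"] += f["packets"]
        st["sources"].add(f["src_ip"])

    alerts = {}
    for (victim, port), st in agg.items():
        if st["bytes"] < min_bytes or len(st["sources"]) < min_sources:
            continue
        service, factor = REFLECTORS[port]
        mbps = st["bytes"] * 8 / 1e6
        alerts[(victim, service)] = {
            "bytes": st["bytes"],
            "packets": st["packets"],
            "sources": len(st["sources"]),
            "mbps": mbps,
            # How little uplink the attacker needed to produce this volume.
            "attacker_mbps_est": mbps / factor,
        }
    return alerts


def sample_flows():
    """Constructed one-second snapshot: 400 open resolvers each return ten
    3,000-byte responses to a victim that never asked, while the corporate
    resolver receives a few ordinary replies from upstream nameservers."""
    flows = []
    for i in range(400):
        flows.append({
            "src_ip": f"198.51.{i // 250}.{i % 250 + 1}",
            "src_port": 53,
            "dst_ip": "203.0.113.10",
            "dst_port": 1024 + i,      # arbitrary high port, no matching query
            "proto": "udp",
            "bytes": 30_000,
            "packets": 10,
        })
    for src in ("192.0.2.53", "192.0.2.54", "192.0.2.55"):
        flows.append({
            "src_ip": src, "src_port": 53,
            "dst_ip": "10.0.0.2", "dst_port": 40000,
            "proto": "udp", "bytes": 512, "packets": 1,
        })
    return flows


if __name__ == "__main__":
    for (victim, service), st in detect_reflection(sample_flows()).items():
        print(f"{victim}: {service} reflection from {st['sources']} hosts, "
              f"{st['mbps']:.0f} Mbps inbound; attacker needed only "
              f"~{st['attacker_mbps_est']:.2f} Mbps of uplink")
```

The thresholds are deliberately crude; in practice they are set relative to the link's normal baseline, and the estimate of attacker uplink is a lower bound that illustrates why a single compromised host with a modest connection can fill an enterprise link.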
Protocol Attacks
Protocol attacks exploit weaknesses in network protocol implementations to consume server or network equipment resources rather than bandwidth. SYN flood attacks — the most common protocol attack — exploit the TCP three-way handshake. The attacker sends large volumes of SYN packets with spoofed source IP addresses. The target responds to each with a SYN-ACK, allocates an entry for the half-open connection, and waits for the final ACK that completes the handshake. Because the source addresses are spoofed, the ACK never arrives. The listen socket's backlog of half-open connections fills, and new legitimate connection attempts are dropped. Because the exhausted resource is the connection table rather than the link, a SYN flood can succeed at traffic rates far below what would saturate the network. The standard mitigation is SYN cookies: the server encodes the connection parameters into the initial sequence number of its SYN-ACK and allocates no state until a final ACK comes back carrying a valid cookie, so spoofed SYNs cost the server nothing to remember.
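To make the SYN cookie mechanism concrete, here is an added example (not code from the original page, and a simplified model rather than any kernel's implementation) of a stateless listener. It follows the classic layout of a 5-bit time counter, a 3-bit MSS index, and a 24-bit keyed hash over the connection 4-tuple, and shows that a flood of spoofed SYNs leaves no state behind while a real client still completes the handshake. The secret, MSS table, addresses, and the omission of the client's own sequence number from the hash are assumptions for the example.

```python
import hashlib
import hmac

# Per-host secret that a real implementation would rotate (assumed value).
SECRET = b"syn-cookie-secret-rotate-me"
# MSS values a 3-bit index can encode; the server rounds the client's
# advertised MSS down to one of these because the SYN itself is not kept.
MSS_TABLE = (536, 1220, 1440, 1460)
COUNTER_PERIOD = 64  # seconds per counter tick, as in the classic design


def _mac24(src_ip, src_port, dst_ip, dst_port, count):
    """24-bit keyed hash over the connection 4-tuple and the full counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Initial sequence number for the SYN-ACK: 5-bit counter, 3-bit MSS
    index, 24-bit MAC. Nothing about this connection needs to be stored."""
    count = int(now) // COUNTER_PERIOD
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(
        src_ip, src_port, dst_ip, dst_port, count)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now, max_age=2):
    """Validate the cookie carried in the client's final ACK (ack_num - 1).
    Returns the negotiated MSS, or None if the cookie is stale or forged."""
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = int(now) // COUNTER_PERIOD
    # Only the low 5 bits of the counter travel in the cookie, so recover the
    # full value by trying the few most recent ticks the server still accepts.
    for age in range(max_age + 1):
        count = current - age
        if (count & 0x1F) == t and _mac24(
                src_ip, src_port, dst_ip, dst_port, count) == mac:
            return MSS_TABLE[mss_idx]
    return None


class StatelessListener:
    """Toy server: answers every SYN with a cookie and stores nothing until a
    valid ACK arrives, so a flood of spoofed SYNs allocates no memory."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}

    def on_syn(self, src_ip, src_port, client_mss, now):
        return make_cookie(src_ip, src_port, self.ip, self.port, client_mss, now)

    def on_ack(self, src_ip, src_port, ack_num, now):
        mss = check_cookie(ack_num - 1, src_ip, src_port, self.ip, self.port, now)
        if mss is not None:
            self.established[(src_ip, src_port)] = mss
        return mss is not None


def simulate(now=1_700_000_000):
    """Constructed scenario: 10,000 spoofed SYNs that never complete, then
    one real client that does. Returns the listener for inspection."""
    srv = StatelessListener("203.0.113.10", 443)
    for i in range(10_000):
        srv.on_syn(f"198.51.{i // 250}.{i % 250 + 1}", 1024 + i, 1460, now)
    isn = srv.on_syn("192.0.2.7", 40000, 1460, now)
    srv.on_ack("192.0.2.7", 40000, isn + 1, now + 1)
    return srv


if __name__ == "__main__":
    srv = simulate()
    print(f"established after 10,000 spoofed SYNs: {srv.established}")
```

The trade-off is visible in the code: because the SYN is not retained, TCP options that do not fit in the cookie (window scaling, SACK) are lost unless they are recovered some other way, which is why operating systems enable cookies only once the backlog is under pressure rather than unconditionally.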
Application Layer Attacks
Application layer attacks — also called Layer 7 attacks — target the application itself rather than the network infrastructure. Rather than overwhelming network bandwidth, these attacks send seemingly legitimate requests to the application at a volume that exhausts application processing capacity. HTTP flood attacks against web servers, slowloris attacks that open connections and send partial requests to keep them open for as long as possible, and targeted attacks against computationally expensive application functions (search, report generation, login with slow password hashing) are all Layer 7 techniques. These attacks are the hardest to filter because each request looks like a real client request, so separating attack traffic from legitimate traffic requires application-layer context: per-client request rates, the cost of each endpoint, and behavioral signals such as session state. A few hundred requests per second against an expensive endpoint can take down a backend that would shrug off the same rate against static pages.
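One practical form of that application-layer context is a per-client budget denominated in work rather than requests. The following is an added example, not code from the original page or from any particular web server or WAF: a token bucket per client IP where each endpoint is charged a cost proportional to what it costs the backend, replayed over a constructed access log. The endpoint costs, bucket parameters, log format, and addresses are assumptions chosen for the example.

```python
from collections import defaultdict

# Work units charged per endpoint. Expensive handlers (search, reports)
# cost more so an attacker cannot exhaust the backend while staying under a
# naive requests-per-second limit. Assumed values for the example.
ENDPOINT_COST = {"/search": 10, "/api/report": 25}
DEFAULT_COST = 1


class TokenBucket:
    """Per-client budget of work units, refilled continuously."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last_ms = None

    def take(self, cost, now_ms):
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.refill_per_sec / 1000
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class Layer7Limiter:
    """Cost-weighted limiter keyed by client IP (a real deployment would key
    on something harder to rotate, such as an authenticated session)."""

    def __init__(self, capacity=100, refill_per_sec=20):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))

    def allow(self, client_ip, path, now_ms):
        cost = ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)
        return self.buckets[client_ip].take(cost, now_ms)


def replay(log_lines, limiter=None):
    """Run access-log lines of the form '<epoch_ms> <ip> <method> <path>'
    through the limiter and return per-IP allowed/rejected counts."""
    limiter = limiter or Layer7Limiter()
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for line in log_lines:
        ts, ip, _method, path = line.split()
        verdict = "allowed" if limiter.allow(ip, path, int(ts)) else "rejected"
        stats[ip][verdict] += 1
    return dict(stats)


def sample_log():
    """Constructed log: one client hits /search five times a second for ten
    seconds (50 requests, only 5 req/s); an ordinary user browses at three
    requests a second and runs two searches in the same period."""
    base = 1_714_557_600_000
    lines = []
    for i in range(50):
        lines.append(f"{base + i * 200} 198.51.100.9 GET /search?q=%2A")
    for i in range(30):
        lines.append(f"{base + i * 333} 192.0.2.20 GET /products/{i}")
    lines.append(f"{base + 2000} 192.0.2.20 GET /search?q=shoes")
    lines.append(f"{base + 8000} 192.0.2.20 GET /search?q=boots")
    return sorted(lines, key=lambda line: int(line.split()[0]))


if __name__ == "__main__":
    for ip, st in replay(sample_log()).items():
        print(f"{ip}: allowed={st['allowed']} rejected={st['rejected']}")
```

With these parameters the attacker's 5 requests per second would pass any limiter that only counts requests, but the search endpoint drains the budget at 50 units per second against a 20-unit refill, so after the initial burst only about two searches per second get through, while the browsing user is never throttled. Slowloris-style connection holding is a separate problem handled at the connection layer (header and body read timeouts, caps on concurrent connections per source) rather than by request budgeting.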
Who Conducts DDoS Attacks and Why
Understanding the motivation behind DDoS attacks is relevant to assessing your organization's risk profile. Different threat actors use DDoS for different purposes, and the appropriate defensive posture depends partly on which actors are relevant to your organization's threat model.
Criminal Groups: Ransom DDoS
Ransom DDoS (RDoS) has become a standard criminal revenue model. The attack pattern is: send a ransom demand threatening a DDoS attack of a specified scale unless payment is made by a deadline, conduct a brief demonstration attack to prove capability, and either collect payment or escalate to a full attack. Financial services firms, e-commerce platforms, and online gaming companies are the most frequently targeted sectors. Some criminal groups send thousands of ransom demands per campaign without the capacity to follow through on all of them — the economics work because even a small percentage of targets pay.
Nation-States: Infrastructure Disruption
Nation-state DDoS attacks target critical infrastructure, government services, and organizations associated with geopolitical adversaries. Russian DDoS attacks against Ukrainian government and financial infrastructure at the outset of the 2022 invasion, Chinese attacks against Taiwanese government websites during military exercises, and North Korean attacks against South Korean financial institutions are all documented examples. Organizations with contracts with targeted governments, defense industrial base relationships, or operations in geopolitically sensitive regions carry elevated risk from nation-state DDoS.
Hacktivists: Political Disruption
Hacktivist groups use DDoS as a form of political protest or retaliation — targeting organizations whose actions, statements, or affiliations the group opposes. Anonymous, Killnet, and similar groups have conducted campaigns against news organizations, government agencies, financial institutions, and corporations. Hacktivist DDoS attacks are often coordinated through social media and can mobilize large numbers of participants, but typically lack the sustained volume of criminal or nation-state attacks.
DDoS Defense: What Works and What Doesn't
On-Premises vs. Cloud-Based Mitigation
On-premises DDoS mitigation appliances protect against small-to-medium attacks by scrubbing malicious traffic before it reaches internal systems, and they remain useful against protocol and application-layer attacks that fit within the organization's link. They are ineffective against volumetric attacks that exceed the organization's internet connection capacity: by the time traffic reaches the mitigation appliance, the upstream link is already saturated and legitimate traffic has already been dropped. Effective mitigation against large volumetric attacks requires cloud-based or upstream mitigation, meaning scrubbing centers operated by providers such as Cloudflare, Akamai Prolexic, or AWS Shield that sit between the internet and the organization's infrastructure and absorb attack traffic before it reaches the network perimeter. Because diverting traffic to a scrubbing center typically relies on BGP route announcements or DNS changes arranged in advance, the contract, the runbook, and the routing changes need to be in place and tested before an attack, not negotiated during one.
Content Delivery Networks and Anycast
CDNs distribute content across a global network of servers, absorbing DDoS attack traffic across multiple points of presence simultaneously. Anycast network routing announces the same IP address from multiple locations, so attack traffic is spread across the CDN's global capacity rather than concentrated at a single point. Organizations that serve web content through a major CDN receive significant inherent DDoS protection because the CDN's aggregate capacity far exceeds what most attackers can generate. This protection holds only if the origin servers are reachable solely through the CDN: if the origin's real IP address can be discovered (from DNS history, mail headers, or services left exposed), attackers can bypass the CDN and hit the origin directly, so origin servers should accept traffic only from the CDN's address ranges.
Business Continuity Considerations
DDoS defense planning should include both technical mitigation and business continuity procedures. For organizations where web application availability is directly tied to revenue — e-commerce, SaaS platforms, online financial services — the revenue impact of extended downtime can be significant. Business continuity planning should address: what is the acceptable downtime threshold before mitigation costs are justified, what is the escalation process when an attack begins, and what manual procedures can maintain essential operations if digital services are unavailable.
Real-World Example: The GitHub DDoS — 1.3 Tbps and Still Standing
In February 2018, GitHub experienced the largest DDoS attack recorded up to that time: 1.35 terabits per second of traffic, generated by memcached amplification with an amplification factor of up to roughly 51,000x, meaning the attackers needed only a tiny fraction of that bandwidth themselves. The attack lasted approximately 20 minutes. Within minutes of detecting the volume spike, GitHub called on its upstream DDoS mitigation provider, Akamai Prolexic, which took over routing of GitHub's traffic via BGP and passed it through its scrubbing infrastructure. Total downtime was approximately 10 minutes. The incident demonstrated both the scale that volumetric attacks can reach and the effectiveness of cloud-based DDoS mitigation when properly implemented. GitHub's preparation, with upstream mitigation contracted and the rerouting procedure in place before an attack occurred, was the difference between a 10-minute disruption and a potentially extended outage.
DDoS attacks are observed globally every day — with average attack sizes growing 300% between 2020 and 2024. Ransom DDoS — where attackers demand payment to stop an attack — has become a standard criminal revenue model.