DDoS attacks overwhelm targets with massive DNS, HTTP, UDP, ICMP, and other protocol traffic. In worst-case scenarios, networks fail under pressure, taking websites and workloads offline. When that happens, costs start to rise, and company reputations suffer.

This article will explain what a DDoS attack is and how typical attack types work. We will explore case studies and offer practical recommendations to protect your network.

DDoS attack definition

A distributed denial-of-service (DDoS) attack is a cyber-attack that seeks to make a network, server, or application unavailable by overwhelming it with traffic from many sources at once. The flood consumes bandwidth, connection state, or processing capacity until legitimate requests from customers and employees can no longer be served.

Motives vary. State-sponsored and hacktivist groups use DDoS techniques against government and media websites, and unscrupulous companies have paid for attacks on rivals to gain a market advantage. Criminals use DDoS to extort ransoms (so-called ransom DDoS) and as a smokescreen: the flood keeps responders busy while an intrusion or data theft proceeds elsewhere on the network.

Statistics suggest that distributed denial-of-service attacks are rising. According to Cloudflare, global attacks rose by 53% in 2024. Hyper-volumetric attacks exceeding 100 million packets per second (pps) spiked by 592% in the first quarter of 2025, while ransom DDoS attacks also rose by 68% over the same period.

Robust, layered DDoS protection is the only practical way to resist this rising tide.

How does a DDoS attack work?

Distributed denial-of-service attacks generally rely on networks of compromised devices known as botnets. This contrasts with a plain denial-of-service (DoS) attack, which comes from a single source and can often be filtered by address; a botnet hits from thousands of addresses at once.


Criminals infect large populations of devices with malware agents. Each agent connects to a command-and-control (C2) server, which lets the attacker coordinate thousands of laptops, smartphones, or IoT devices from one place.

The compromised devices have ordinary residential and business IP addresses, so their traffic blends in with legitimate connections and the target struggles to tell bot requests from real ones.

On command, the bots all send packets or requests to the victim's IP address. Any one of these streams would be harmless on its own; together they exceed what the target's links, connection tables, or application servers can handle. The target drops or stalls on the excess traffic and thereby "denies service" to legitimate users.

Types of DDoS attacks

DDoS attacks come in several forms. All use bots to overwhelm victims, but they differ in which resource they exhaust and at which layer. Because no single control stops every technique, companies need measures against each.


Common variants include:

Application-layer DDoS attacks

Application-layer attacks target Layer 7 of the OSI model, the layer at which a web server or API receives HTTP requests and builds responses.

Application-layer attacks exploit the asymmetry of HTTP. Sending a request costs the client almost nothing, but the server may have to read files, run database queries, and render templates to answer it, so a modest request rate translates into a heavy load. Because each bot completes a real TCP handshake, the source addresses are genuine and the requests themselves are well-formed.

Detecting application-layer attacks is also challenging. Network security systems struggle to distinguish legitimate requests from malicious ones that look identical on the wire. Servers become overloaded with HTTP requests, and company websites eventually fail.

Protocol DDoS attacks

Protocol attacks work at Layers 3 and 4 of the OSI model. They are also called "state exhaustion attacks" because they fill the connection-state tables of firewalls, load balancers, and servers rather than saturating bandwidth.

For example, protocol attacks may launch SYN floods against a victim's network. The threat actor sends a vast number of TCP SYN packets, the first step of the three-way handshake, with spoofed source addresses.

The target answers each SYN with a SYN-ACK and keeps a half-open connection entry while it waits for the final ACK, which never arrives because the spoofed source never sent the SYN. Once the backlog of half-open connections is full, new connection attempts are dropped, legitimate ones included, and the service is effectively down.
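To make the state-exhaustion point concrete, here is an added example (my code, not from the original article) that models a listener's SYN backlog under a flood of spoofed SYNs that never complete the handshake, and contrasts it with SYN cookies, the stateless defence built into Linux (net.ipv4.tcp_syncookies) and other kernels. The StatefulListener and SynCookieListener classes, the traffic rates and the secret are constructed for the demonstration and simplify real TCP; the cookie is an HMAC over the client address and a coarse time counter folded into the initial sequence number.

```python
import hashlib
import hmac
import random


class StatefulListener:
    """Classic backlog: every SYN reserves a half-open slot until the ACK
    arrives or the entry times out. Spoofed SYNs never ACK, so the slots
    stay occupied for the whole timeout."""

    def __init__(self, backlog, timeout):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}       # (src_ip, src_port) -> expiry time
        self.dropped = 0
        self.established = 0

    def _expire(self, now):
        for key in [k for k, expiry in self.half_open.items() if expiry <= now]:
            del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1     # backlog full: this SYN is lost, legitimate or not
            return False
        self.half_open[src] = now + self.timeout
        return True

    def on_ack(self, src, now):
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False          # no half-open entry: ACK ignored
        self.established += 1
        return True


class SynCookieListener:
    """Stateless: the SYN-ACK's initial sequence number is an HMAC over the
    client's address and a coarse clock. Nothing is stored until a valid ACK
    returns, so spoofed SYNs cost no memory at all."""

    def __init__(self, secret, window=64):
        self.secret = secret
        self.window = window      # seconds for which a cookie stays valid
        self.established = 0

    def _cookie(self, src, counter):
        msg = f"{src[0]}:{src[1]}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 8-bit time counter in the top byte, 24 bits of MAC below it: a 32-bit ISN
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, now):
        return self._cookie(src, int(now) // self.window)   # ISN of the SYN-ACK; no state kept

    def on_ack(self, src, now, ack_number):
        isn = (ack_number - 1) & 0xFFFFFFFF
        counter = int(now) // self.window
        if isn in (self._cookie(src, counter), self._cookie(src, counter - 1)):
            self.established += 1
            return True
        return False


def run_flood(n_spoofed=5000, rate=1000.0, backlog=256, timeout=60.0):
    """Send n_spoofed SYNs at `rate` per second from random spoofed sources that
    never ACK, then let one legitimate client try to connect."""
    rng = random.Random(1)
    stateful = StatefulListener(backlog=backlog, timeout=timeout)
    cookies = SynCookieListener(secret=b"constructed-demo-secret")
    now = 0.0
    for i in range(n_spoofed):
        now = i / rate
        src = (f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65535))
        stateful.on_syn(src, now)
        cookies.on_syn(src, now)

    # A real client arrives while the backlog is still full of spoofed entries
    legit = ("198.51.100.7", 40000)
    now += 0.001
    legit_stateful = stateful.on_syn(legit, now)
    if legit_stateful:
        stateful.on_ack(legit, now + 0.05)
    isn = cookies.on_syn(legit, now)
    legit_cookie = cookies.on_ack(legit, now + 0.05, (isn + 1) & 0xFFFFFFFF)

    return {
        "spoofed_dropped": stateful.dropped,
        "backlog_fills_after_s": backlog / rate,   # saturates whenever rate * timeout > backlog
        "stateful_accepted_legit": legit_stateful,
        "cookie_accepted_legit": legit_cookie,
    }


if __name__ == "__main__":
    print(run_flood())
```

The stateful listener fills its 256-entry backlog a quarter of a second into a 1,000 SYN/s flood and then refuses the genuine client; the cookie listener has nothing to fill and completes the genuine handshake. The check for a practitioner is the same one the model makes: whether half-open entries are pinned to memory, and whether syncookies are enabled on internet-facing hosts.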

Volumetric attacks

A volumetric DDoS attack saturates the bandwidth between the targeted network and the wider internet. A common way to generate that volume is reflection and amplification, with DNS amplification the classic example.

The attacker sends small DNS queries to open resolvers with the source address spoofed to the target's IP. Each resolver sends its much larger response to the target instead of the attacker. A query of a few dozen bytes can elicit a response of several kilobytes, so every byte the attacker emits arrives at the target multiplied many times over, and the flood appears to come from legitimate DNS servers rather than from the botnet.
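The following added example (my code, not the article's) builds DNS messages in their wire format, RFC 1035 plus the EDNS0 OPT record from RFC 6891, so the size asymmetry that amplification relies on can be measured offline without sending a packet. The zone name "amp-demo.example" and the oversized TXT answer are constructed to resemble the junk records found in real amplifier domains; build_response truncates the way a compliant server would when the answer exceeds the buffer size the querier advertised, which is why attackers always include an EDNS0 record in their spoofed queries.

```python
import struct


def encode_name(name):
    """Hostname to DNS label format: length-prefixed labels, zero terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=16, edns_bufsize=4096, txid=0x1234):
    """Recursive query for `name` (qtype 16 = TXT). With edns_bufsize > 0 an OPT
    pseudo-RR is appended advertising that UDP payload size; 0 means plain DNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS field carries the buffer size, TTL 0, no RDATA
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def advertised_bufsize(query):
    """Largest UDP response the querier will accept: 512 bytes without EDNS0."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return 512
    # the OPT record is the last 11 bytes of this minimal query; its CLASS field is the size
    return struct.unpack("!H", query[-8:-6])[0]


def build_response(query, txt_strings):
    """Answer with one TXT RR per string, compressing the owner name to a pointer
    at the question (0xC00C). Stops and sets TC=1 when the next record would
    exceed the advertised buffer size, as a compliant server would."""
    limit = advertised_bufsize(query)
    txid = query[:2]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]              # name + QTYPE + QCLASS
    opt = (b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)) if limit > 512 else b""
    answers, ancount = b"", 0
    flags = 0x8180                                  # QR, RD, RA; NOERROR
    for text in txt_strings:
        rdata = bytes([len(text)]) + text           # TXT: length-prefixed character string
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
        if 12 + len(question) + len(answers) + len(rr) + len(opt) > limit:
            flags |= 0x0200                         # TC: answer truncated
            break
        answers += rr
        ancount += 1
    header = txid + struct.pack("!HHHHH", flags, 1, ancount, 0, 1 if opt else 0)
    return header + question + answers + opt


def amplification_factor(query, response):
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return len(response) / len(query)


def demo():
    """Constructed amplifier zone: 12 TXT strings of 255 bytes each."""
    name = "amp-demo.example"
    payload = [b"x" * 255] * 12
    plain = build_query(name, edns_bufsize=0)
    edns = build_query(name, edns_bufsize=4096)
    return {
        "plain_query_bytes": len(plain),
        "plain_factor": amplification_factor(plain, build_response(plain, payload)),
        "edns_query_bytes": len(edns),
        "edns_factor": amplification_factor(edns, build_response(edns, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

A 45-byte query with EDNS0 draws a 3,261-byte response here, a factor of over 70, while the same query without EDNS0 is capped at 512 bytes and a factor under 10. The defensive consequences follow directly: networks should drop packets with spoofed sources at their edge (BCP 38), and resolvers should not be open to the world and should apply response rate limiting.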

The above attack types direct traffic in different ways but have several features in common. In summary, all DDoS attacks:

  • Aim to overwhelm targeted systems to shut down resources or disrupt operations
  • Use many distributed sources (botnets, reflectors, or both) so that blocking any single address achieves little
  • Exploit an asymmetry between what the attacker spends and what the target must spend to handle the traffic

Protocol and volumetric attacks usually also spoof source addresses to hide the botnet and to bounce traffic off third parties; application-layer attacks generally do not, because they need completed TCP connections.

What are the signs of a DDoS attack?

DDoS attacks seek to inflict maximum damage as quickly as possible, so a full-blown attack is rarely subtle. By the time users report outages, however, the damage is under way. Security teams need to recognize the early symptoms so they can respond before a ramp-up becomes an outage.


Common indicators of a brewing DDoS attack include:

  • Lagging network performance: During DDoS attacks, network speeds slow dramatically. Early on, you may receive complaints about speed from individual users or clusters of users. Rising latency or falling throughput on a link that is otherwise healthy could indicate a developing attack.
  • Unexplained network traffic spikes: A DDoS attack directs massive traffic volumes at targeted systems. Look for rapid spikes in requests or packets from many sources. A sustained rate several times above the established baseline, with no release, campaign, or other business explanation, warrants immediate investigation.
  • Service crashes: A DDoS attack will eventually take down the entire network if left unchecked. System failures often occur in stages as traffic overwhelms routers and servers. Early symptoms include applications crashing under load and sudden website unavailability.
  • Traffic source anomalies: Network traffic generally follows baseline patterns, with recurring sources and destinations. During a DDoS attack, traffic arrives from large numbers of previously unseen addresses. Monitor for unusual IP address ranges and geographic sources, and for an unusually high share of traffic from addresses never seen before.
  • Server exhaustion: During DDoS attacks, servers may saturate their network links, fill their connection tables, or run out of CPU and memory to process requests. These resource-utilization problems compromise the availability of critical services.

Real-world examples of DDoS attacks

DDoS attacks are more than just network efficiency issues. As some recent case studies show, a DDoS attack can cripple operations across a company network, with significant financial implications.

Google (2023)

In 2023, search engine giant Google suffered what was likely the largest denial-of-service attack ever. At its peak, the attack sent 398 million requests per second—7 times the previous record. Google mitigated the traffic spike via technical expertise, but many similar companies would have struggled.

The attack is a good example of an application-layer attack that abuses a protocol feature rather than raw bandwidth. The flaw is tracked as CVE-2023-44487 and the technique is known as HTTP/2 Rapid Reset. In HTTP/2, a client opens a request stream with a HEADERS frame and can cancel it with RST_STREAM. A cancelled stream stops counting against the server's concurrent-stream limit immediately, but the server has already started processing the request. By sending HEADERS followed instantly by RST_STREAM, over and over, a single connection can generate an almost unbounded request rate while never exceeding the stream limit.

As Google reported in its assessment, "Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable." It also recommended promptly patching software exposed to CVE-2023-44487.
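As an added illustration (my code, not Google's and not part of the original article), the following simplified model of a server's HTTP/2 stream accounting shows why a concurrent-stream limit does not bound the work a Rapid Reset client can cause, and how the mitigation that proxies and libraries adopted, limiting the number of resets a connection may send before it is closed with GOAWAY, caps it. Frame events are constructed; no HTTP/2 framing is parsed, and the stream limit and reset limit are illustrative values.

```python
class Http2Connection:
    """Server-side view of one HTTP/2 connection, reduced to stream bookkeeping."""

    def __init__(self, max_concurrent=100, max_resets=None):
        self.max_concurrent = max_concurrent   # SETTINGS_MAX_CONCURRENT_STREAMS
        self.max_resets = max_resets           # mitigation: None = unlimited (vulnerable)
        self.open_streams = set()
        self.peak_open = 0
        self.resets = 0
        self.work_dispatched = 0               # requests handed to the application/backend
        self.refused = 0
        self.closed = False                    # GOAWAY sent

    def on_headers(self, stream_id):
        if self.closed:
            return "dropped"
        if len(self.open_streams) >= self.max_concurrent:
            self.refused += 1
            return "REFUSED_STREAM"
        self.open_streams.add(stream_id)
        self.peak_open = max(self.peak_open, len(self.open_streams))
        self.work_dispatched += 1              # backend starts work as soon as HEADERS arrives
        return "accepted"

    def on_rst_stream(self, stream_id):
        if self.closed:
            return "dropped"
        self.open_streams.discard(stream_id)   # slot freed instantly; backend work continues
        self.resets += 1
        if self.max_resets is not None and self.resets > self.max_resets:
            self.closed = True                 # too many resets: GOAWAY and close
            return "GOAWAY"
        return "closed"


def rapid_reset(conn, n_requests):
    """Client sends HEADERS then RST_STREAM for each stream without waiting."""
    for i in range(n_requests):
        stream_id = 2 * i + 1                  # client-initiated streams use odd IDs
        conn.on_headers(stream_id)
        conn.on_rst_stream(stream_id)
    return conn


def compare(n_requests=10_000):
    vulnerable = rapid_reset(Http2Connection(max_concurrent=100), n_requests)
    mitigated = rapid_reset(Http2Connection(max_concurrent=100, max_resets=200), n_requests)
    return {
        "vulnerable_work": vulnerable.work_dispatched,  # all n: the stream limit never triggers
        "vulnerable_peak_open": vulnerable.peak_open,   # 1: never near the limit of 100
        "mitigated_work": mitigated.work_dispatched,    # bounded by the reset limit
        "mitigated_closed": mitigated.closed,
    }


if __name__ == "__main__":
    print(compare())
```

The vulnerable connection never has more than one stream open, so the concurrency limit is useless, yet every one of the 10,000 requests reaches the backend. With a reset budget the connection is torn down after 201 requests. Patching HTTP/2 servers and proxies for CVE-2023-44487 is what adds this kind of accounting; an unpatched server cannot be protected by lowering SETTINGS_MAX_CONCURRENT_STREAMS alone.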

Adyen (2025)

Dutch company Adyen processes payments for online and brick-and-mortar stores—operations that demand reliable uptime. Unfortunately, the business suffered a powerful DDoS attack in April 2025 that led to days of disruption.

The Adyen attack shows how hard it is to neutralize DDoS attacks when they escalate. The company's debit card processing services failed and came back online three times in 6 hours. Even then, full payment services were unavailable for over 24 hours.

The result? Immediate financial damage. Adyen's share price dipped by 2 percent the next morning.

Anonymous Sudan: off-the-shelf DDoS attacks with no red lines

In October 2024, US prosecutors unsealed an indictment against two Sudanese brothers behind the "Anonymous Sudan" collective. The group mounted DDoS attacks against private companies and even critical-care hospitals using their "Godzilla" attack tool.

Significantly, Anonymous Sudan made Godzilla available to others via Telegram, resulting in 35,000 subsequent DDoS incidents.

The brothers acted as mercenaries, charging $100 per day or $1,700 monthly to target victims. They even provided refunds if attacks proved unsuccessful—a sign of how sophisticated the DDoS ecosystem is becoming.

How to mitigate a DDoS attack?

Anonymous Sudan also shows how vulnerable companies are to DDoS attack campaigns. If a couple of malicious actors can strike fear into major corporations, every business should take action to mitigate DDoS risks. But how can you do so?


Taking action now will aid detection and incident response. Here are some practical tips to mitigate protocol, application layer, and volumetric attacks:

Risk assess critical endpoints

Before putting DDoS mitigation measures in place, it's essential to understand where your network is most exposed. Document all internet-facing gateways and devices, and rate each by how likely it is to be targeted and how much an outage would cost. For example, a public DNS server or web API is likely to carry a high DDoS risk and requires immediate attention. Check your DNS servers from the other direction as well: an open resolver can be used as an amplifier against someone else, which makes you part of the problem as well as a potential target.

Create reliable network traffic baselines

Use monitoring tools (flow records, access logs, load-balancer and firewall metrics) to measure normal traffic and establish baselines for each internet-facing service: requests and packets per second, connection counts, and the usual mix of source networks. These baselines are crucial because they let detection systems recognize unusual patterns. Deviations from normal activity are often the first symptoms of an emerging DDoS attack.
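The warning signs listed earlier and the baseline step here come together in the following added example (my code, not the article's). It parses web-server access logs in combined-log format, derives a per-second rate baseline from a window believed to be quiet using robust statistics (median and median absolute deviation, so a single burst in the training data cannot poison it), and then flags seconds whose rate exceeds the baseline and reports what share of that traffic comes from addresses never seen before. The log lines are constructed with a seeded generator from TEST-NET ranges: 90 seconds of office traffic followed by a 30-second flood from unseen addresses.

```python
import random
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse(line):
    """Combined-log line -> dict with source IP, timestamp to the second, request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "second": m.group("ts").split(" ")[0], "request": m.group("req")}


def per_second(records):
    """Request count and set of distinct source IPs for every second in the log."""
    counts, sources = defaultdict(int), defaultdict(set)
    for r in records:
        counts[r["second"]] += 1
        sources[r["second"]].add(r["ip"])
    return counts, sources


def baseline(counts, quiet_seconds):
    """Median and MAD of the per-second rate over a window believed to be normal.
    MAD is floored at 1 request/s so a perfectly flat baseline does not alert on noise."""
    rates = [counts.get(s, 0) for s in quiet_seconds]
    med = statistics.median(rates)
    mad = max(statistics.median(abs(x - med) for x in rates), 1.0)
    return med, mad


def detect(counts, sources, known_sources, med, mad, k=6.0):
    """Alert on any second whose rate exceeds median + k*MAD, with the share of
    its sources that never appeared during the baseline window."""
    alerts = []
    for second in sorted(counts):
        rate = counts[second]
        if rate > med + k * mad:
            unseen = [ip for ip in sources[second] if ip not in known_sources]
            alerts.append({"second": second, "rate": rate,
                           "threshold": med + k * mad,
                           "new_source_share": len(unseen) / len(sources[second])})
    return alerts


def constructed_log(seed=7):
    """Constructed sample: 8-14 req/s from 39 office addresses for 90 s, then 400 req/s
    from random addresses in 203.0.113.0/24 for 30 s (documentation ranges, not real hosts)."""
    rng = random.Random(seed)
    regulars = [f"198.51.100.{i}" for i in range(1, 40)]
    lines = []
    for sec in range(120):
        stamp = f"10/Oct/2023:13:{55 + sec // 60:02d}:{sec % 60:02d} +0000"
        n = rng.randint(8, 14) if sec < 90 else 400
        for _ in range(n):
            ip = rng.choice(regulars) if sec < 90 else f"203.0.113.{rng.randrange(256)}"
            lines.append(f'{ip} - - [{stamp}] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


def analyse(lines, training_seconds=60):
    """Baseline on the first `training_seconds` of the log, then scan the whole log."""
    records = [r for r in map(parse, lines) if r]
    counts, sources = per_second(records)
    train = sorted(counts)[:training_seconds]
    med, mad = baseline(counts, train)
    known = set().union(*(sources[s] for s in train))
    return {"median": med, "mad": mad, "alerts": detect(counts, sources, known, med, mad)}


if __name__ == "__main__":
    result = analyse(constructed_log())
    print(f"baseline median={result['median']} mad={result['mad']}")
    for alert in result["alerts"][:3]:
        print(alert)
```

Every one of the 30 flood seconds is flagged, none of the quiet ones is, and each alert records that all of its sources were unseen during the baseline window, which is the combination (rate far above baseline plus an unfamiliar source mix) that distinguishes an attack from a legitimate surge. In production the same logic runs on flow records or load-balancer metrics rather than a single server's log, and the baseline is recomputed per hour of day and day of week.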

Implement Web Application Firewalls (WAF)

Web Application Firewalls help mitigate application-layer attacks over HTTP. WAFs govern how traffic reaches web applications. They can impose per-client rate limits, weight expensive endpoints such as search or login more heavily, challenge or block known bots, and detect unusual traffic patterns, giving early warning of threats to critical web assets.
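Here is an added example (mine, not from the article or any WAF vendor) of the per-client, cost-weighted rate limiting a WAF or reverse proxy applies: a token bucket per source address where expensive endpoints (search, login, report generation) draw more tokens than static pages, so the asymmetric-cost trick behind application-layer floods is charged back to the client. Endpoint costs, bucket sizes and the simulated clients are constructed; real deployments key on session or API token as well as IP and tune limits per route.

```python
import time

ENDPOINT_COST = {"/search": 10, "/login": 5, "/api/report": 20}   # constructed weights
DEFAULT_COST = 1                                                  # static or cached pages


class TokenBucketLimiter:
    """One bucket per client: `capacity` tokens, refilled at `refill_per_sec`.
    A request is allowed if the bucket holds at least its endpoint's cost."""

    def __init__(self, capacity=60, refill_per_sec=10.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock                   # injectable for deterministic tests
        self.buckets = {}                    # client -> (tokens, last update time)

    def allow(self, client, path):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        if tokens >= cost:
            self.buckets[client] = (tokens - cost, now)
            return True
        self.buckets[client] = (tokens, now)   # denied: typically answered with HTTP 429
        return False


class FakeClock:
    """Manual clock so the simulation does not depend on wall time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=60, refill_per_sec=10.0, clock=clock)

    # Bot A: 100 requests for a cheap page within the same second
    cheap_allowed = sum(limiter.allow("203.0.113.9", "/index.html") for _ in range(100))

    # Bot B: 100 requests for the expensive search endpoint within the same second
    search_allowed = sum(limiter.allow("203.0.113.10", "/search") for _ in range(100))

    # A person running one search every two seconds never exceeds the refill rate
    human_allowed = 0
    for _ in range(30):
        human_allowed += limiter.allow("198.51.100.7", "/search")
        clock.advance(2.0)

    return {"cheap_allowed": cheap_allowed, "search_allowed": search_allowed,
            "human_allowed": human_allowed}


if __name__ == "__main__":
    print(simulate())
```

The cheap-page bot gets 60 of its 100 requests through before its bucket empties, the search bot only 6, and the human who paces searches below the refill rate is never blocked. Weighting by cost is what turns a rate limit into a protection for the database behind the endpoint rather than just the web tier in front of it.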

Add redundancy to accommodate traffic spikes

Redundancy adds bandwidth and server capacity beyond everyday needs, providing headroom for malicious traffic (essential during volumetric attacks). If necessary, implement failover systems to enable continuity during DDoS incidents. Be realistic about the limits: on-premises capacity rarely matches the largest floods, so for hyper-volumetric attacks the headroom has to come from an upstream provider or scrubbing service with far more bandwidth than you can buy yourself.

Set blackhole routing for emergencies

Blackhole routing diverts all traffic destined for the targeted address, malicious and legitimate alike, into a null route, typically by announcing the address to your upstream provider with a remotely triggered blackhole (RTBH) community so the flood is discarded before it reaches your links. It is not an everyday measure but an emergency tool to activate once an attack is confirmed.

Discarding the traffic upstream immediately relieves your network connection. It buys time to identify the attack's characteristics and protect neighbouring services. However, because blackholing completes the attacker's goal for the sacrificed address, security teams need to decide in advance which addresses can be sacrificed to protect the rest of the network and at what threshold the route is triggered.

Use threat intelligence to block dangerous IP addresses

Threat intelligence platforms monitor criminal collectives and DDoS attack vectors. They maintain regularly updated databases of IP addresses linked to active botnets and booter services. Companies can use these feeds to create blocklists against the latest threats. Bear in mind that blocklists help most against application-layer attacks, where the bots' addresses are genuine; volumetric and protocol attacks usually spoof their sources, so address-based blocking does little against them.

Implement network diffusion

Network diffusion spreads the load across geographically distributed sites that announce the same IP addresses (anycast), so each site receives only the traffic routed nearest to it. This architecture avoids a single point of failure and absorbs malicious traffic close to its source rather than funnelling it all into one location.

Use private gateways to manage endpoint traffic

Private gateways are exclusive network entry points policed by multi-factor authentication, next-generation firewalls, and device posture checks.

Gateways assist DDoS mitigation by reducing the attack surface and funnelling users through a single entry point. Access controls admit authenticated traffic while rejecting unauthenticated bot requests before they reach the application.

Private gateways also allow defense in depth. Security teams can place sensitive assets behind a gateway, preventing a DDoS attack on a public site from reaching backend systems. This also functions as part of Zero Trust access models that require verification to access network resources. The gateway itself then becomes the public-facing asset, so it needs the same volumetric protection as any other internet-facing service.

Protect your systems against DDoS attacks

DDoS attacks can begin with little warning and hammer target networks with requests until something gives. DDoS protection measures help you detect and mitigate the different types of attack, but effective protection requires planning and investment to assess risks and fix weaknesses first.

Take a proactive, multi-layered approach that covers every layer of the OSI model, from bandwidth and connection state up to the application. Implement basics like rate limiting and IP blocklists alongside tools such as private gateways, threat intelligence feeds, and web application firewalls.

Even with the best DDoS protection measures, attacks may succeed. Plan for that by adding redundancy and failover. Don't assume you are secure: a DDoS attack could be imminent, and you must be ready to respond.