DDoS (Distributed Denial of Service) attacks flood target systems with malicious traffic to exhaust resources and deny service to legitimate users. Attack types range from volumetric floods that consume bandwidth to application-layer attacks that target specific services, each requiring different detection and mitigation strategies.
Last updated: 2026-06-03
How DDoS Attacks Work
DDoS attacks leverage distributed sources—typically botnets of compromised devices—to generate overwhelming traffic volumes. The goal is to exhaust bandwidth, compute resources, or connection capacity, rendering the target unavailable.
```
┌─────────────────────────────────────────────────────────────────┐
│ DDoS Attack Architecture                                        │
│                                                                 │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐     │
│ │ Bot 1   │ │ Bot 2   │ │ Bot 3   │ │ Bot ... │ │ Bot N   │     │
│ │ (IoT)   │ │ (Server)│ │ (PC)    │ │         │ │ (Mobile)│     │
│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘     │
│      │           │           │           │           │          │
│      └───────────┴───────────┼───────────┴───────────┘          │
│                              │                                  │
│                       ┌──────▼──────┐                           │
│                       │     C&C     │                           │
│                       │   Server    │                           │
│                       └──────┬──────┘                           │
│                              │ Attack command                   │
│                              ▼                                  │
│                       ┌──────────────┐                          │
│                       │    Target    │                          │
│                       │    Server    │◀─── Overwhelming traffic │
│                       │   (Victim)   │                          │
│                       └──────────────┘                          │
└─────────────────────────────────────────────────────────────────┘
```
DDoS Attack Classification
DDoS attacks target different layers of the OSI model, each with distinct characteristics and mitigation approaches.
| Layer | Attack Type | Target | Primary Impact |
|---|---|---|---|
| 3-4 | Volumetric | Bandwidth | Network saturation |
| 3-4 | Protocol | State tables | Resource exhaustion |
| 7 | Application | Application logic | Service unavailability |
1. Volumetric Attacks (Layer 3-4)
Overwhelm network bandwidth with massive traffic volumes.
| Attack Type | Mechanism | Typical Volume | Detection |
|---|---|---|---|
| UDP Flood | Random UDP packets to random ports | 10-1000+ Gbps | Traffic volume spike |
| ICMP Flood | Ping requests overwhelm target | 1-100 Gbps | ICMP rate |
| Amplification | Reflected traffic from third parties | 10-700 Gbps | Source port/protocol |
| DNS Amplification | DNS responses amplified 70x | 10-500 Gbps | DNS response ratio |
| NTP Amplification | NTP monlist responses 100x | 10-400 Gbps | NTP traffic pattern |
| SSDP Amplification | UPnP discovery responses 30x | 5-200 Gbps | SSDP source ports |
UDP Flood Example:
```
Source: Random IPs (spoofed)
Destination: Target server
Port: Random ports
Packet size: Large UDP datagrams
Volume: 50-500 Gbps typical
Impact: Bandwidth saturation, packet loss
```
Amplification Attack Flow:
```
Attacker ──(small request)──▶ Public Server ──(large response)──▶ Victim

Example DNS Amplification:
Attacker sends: 60-byte DNS query (spoofed source = victim IP)
Server responds: 4000-byte DNS response to victim
Amplification factor: ~70x
```
2. Protocol Attacks (Layer 3-4)
Exploit weaknesses in network protocols to exhaust server resources.
| Attack Type | Mechanism | Resource Target | Detection |
|---|---|---|---|
| SYN Flood | Incomplete TCP handshakes | Connection table | SYN/ACK ratio |
| ACK Flood | ACK packets to non-existent connections | Firewall CPU | Invalid ACKs |
| SYN-ACK Flood | Spoofed SYN-ACK responses | Connection tracking | Unexpected SYN-ACKs |
| FIN/RST Flood | Abnormal connection termination | State tables | FIN/RST rate |
| Smurf Attack | ICMP to broadcast addresses | Network bandwidth | Broadcast traffic |
| Ping of Death | Oversized ICMP packets | Legacy systems | Large ICMP |
SYN Flood Example:
```
Normal TCP Handshake:
Client ──SYN──▶ Server
Client ◀─SYN-ACK─ Server
Client ──ACK──▶ Server (Connection established)

SYN Flood Attack:
Attacker ──SYN──▶ Server (spoofed IP)
Server ◀─SYN-ACK─ (goes nowhere)
Attacker ──SYN──▶ Server (spoofed IP)
Server ◀─SYN-ACK─ (goes nowhere)
... (thousands more)

Result: Server's connection table fills with half-open connections
        Memory exhausted, legitimate connections fail
```
SYN Flood Metrics:
| Metric | Normal | Under Attack |
|---|---|---|
| SYN packets/sec | 100-1000 | 10,000-1,000,000+ |
| SYN/ACK ratio | ~1:1 | 10:1 to 1000:1 |
| Half-open connections | <100 | 10,000-1,000,000 |
| Connection failures | <1% | 50-100% |
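To make the metrics table concrete, here is an added example (not from the original page) that computes these metrics per one-second window over constructed packet records and flags windows that match the "Under Attack" column; the IPs, timestamps and thresholds are constructed for illustration.

```python
from collections import defaultdict

TARGET = "203.0.113.10"  # constructed victim address

# Constructed packet records: (timestamp_s, src_ip, dst_ip, tcp_flags), with
# "S" = SYN, "SA" = SYN-ACK, "A" = handshake-completing ACK. Normal traffic:
# 50 clients complete the handshake over five seconds.
NORMAL = []
for i in range(50):
    client, t = f"10.0.0.{i % 20}", 0.1 * i
    NORMAL += [(t, client, TARGET, "S"), (t + 0.01, TARGET, client, "SA"),
               (t + 0.02, client, TARGET, "A")]
# Flood: 12,000 SYNs in one second from spoofed sources; the server answers
# every one of them and the final ACK never arrives.
FLOOD = []
for i in range(12000):
    src, t = f"198.51.100.{i % 250}", 10.0 + i * 0.00008
    FLOOD += [(t, src, TARGET, "S"), (t + 0.00002, TARGET, src, "SA")]

def syn_flood_metrics(packets, dst_ip, window_s=1.0):
    """Per-window SYN rate, SYN:ACK ratio and half-open count for dst_ip.

    Simplification: a bare "A" is treated as the handshake-completing ACK. On
    real captures, pair each ACK with the SYN-ACK it answers, since every data
    segment also carries the ACK flag.
    """
    windows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for ts, src, dst, flags in packets:
        w = int(ts // window_s)
        if dst == dst_ip and flags == "S":
            windows[w]["syn"] += 1
        elif src == dst_ip and flags == "SA":
            windows[w]["synack"] += 1
        elif dst == dst_ip and flags == "A":
            windows[w]["ack"] += 1
    return [{"window": w, "syn_per_s": c["syn"] / window_s,
             "syn_ack_ratio": c["syn"] / max(c["ack"], 1),
             "half_open": c["synack"] - c["ack"]}
            for w, c in sorted(windows.items())]

def flag_syn_flood(metrics, max_syn_per_s=10000, max_ratio=10, max_half_open=1000):
    """Windows breaching any "Under Attack" threshold from the metrics table."""
    return [m["window"] for m in metrics
            if m["syn_per_s"] >= max_syn_per_s or m["syn_ack_ratio"] >= max_ratio
            or m["half_open"] >= max_half_open]
```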
3. Application Layer Attacks (Layer 7)
Target specific application functions with seemingly legitimate requests.
| Attack Type | Mechanism | Target Resource | Detection |
|---|---|---|---|
| HTTP Flood | Massive GET/POST requests | Web server | Request rate/pattern |
| Slowloris | Slow HTTP header transmission | Connection pools | Slow header rate |
| Slow POST | Slow request body transmission | Server threads | Long request duration |
| HTTP Regex | Expensive regex in requests | CPU | CPU spike pattern |
| Hash Collision | Specially crafted inputs | CPU/memory | Resource spike |
| DNS Water Torture | Random subdomain queries | DNS server | NXDOMAIN rate |
| SSL Renegotiation | Repeated SSL handshakes | CPU | SSL handshake rate |
HTTP Flood Example:
```
GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...
Accept: text/html,application/xhtml+xml...

[Repeated thousands of times from distributed sources]
```
Slowloris Attack Flow:
```
Attacker opens 100+ connections to server
Sends partial HTTP headers slowly:

Connection 1: "GET / HTTP/1.1\r\nHost: target.com\r\nX-Header1: a"
Connection 2: "GET / HTTP/1.1\r\nHost: target.com\r\nX-Header1: b"
...

Every 10-15 seconds, sends additional header data to keep connection alive
Server keeps connections open waiting for complete headers
Connection pool exhausted, legitimate users cannot connect
```
4. Multi-Vector Attacks
Combine multiple attack types simultaneously to overwhelm defenses.
| Combination | Strategy | Complexity |
|---|---|---|
| Volumetric + Application | Saturate bandwidth while targeting app | Medium |
| SYN Flood + HTTP Flood | Exhaust connections and app resources | Medium |
| Amplification + Protocol | Network saturation + state exhaustion | High |
| All three types | Maximum disruption | Very High |
Attack Duration and Scale Statistics
| Metric | Typical Range | Notable Extremes |
|---|---|---|
| Duration | 10 min - 2 hours | 24+ hours (sustained) |
| Bandwidth | 1-100 Gbps | 3.47 Tbps (AWS, 2020) |
| Packets/sec | 1-50 Mpps | 809 Mpps (2024) |
| Requests/sec | 1K-1M RPS | 71M RPS (HTTP/2, 2023) |
| Concurrent attacks | 1-3 types | 12+ types simultaneously |
Attack Frequency (2025):
- 15+ million DDoS attacks per year globally
- Average of 41,000 attacks per day
- 25% of attacks exceed 100 Gbps
- Average duration: 30 minutes
- 60% target web applications (Layer 7)
When Each Attack Type Occurs
Volumetric Attacks:
- Often used for extortion (pay to stop)
- Launched by large botnets (100K+ devices)
- Peak during business hours for maximum impact
- Common against gaming, gambling, e-commerce
Protocol Attacks:
- Target infrastructure (firewalls, load balancers)
- Exploit stateful devices with connection tracking
- Effective against unprepared network gear
- Common against enterprise infrastructure
Application Attacks:
- Target specific applications or APIs
- Lower volume but higher precision
- Harder to detect (looks like legitimate traffic)
- Common against financial services, SaaS, healthcare
Detection Methods
Volume-Based Detection
| Method | How It Works | Detection Time |
|---|---|---|
| Traffic threshold | Alert when >X Gbps | Seconds |
| Baseline deviation | Compare to historical baseline | Minutes |
| Flow analysis | NetFlow/sFlow monitoring | Seconds |
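The "Baseline deviation" row above, as an added example (not from the original page or any vendor's product): an EWMA baseline over per-interval volume with a z-score test plus a multiple-of-baseline guard, run over a constructed series that contains a legitimate ramp and a flood burst. The series, the interval and the thresholds are assumptions.

```python
import math

def baseline_deviation_alerts(series_gbps, alpha=0.1, k=4.0, ratio=3.0, warmup=20):
    """Return the indices of samples that deviate from an EWMA traffic baseline.

    A sample alerts when it lies more than k standard deviations above the
    exponentially weighted mean AND is at least `ratio` times that mean; the
    second test keeps tiny absolute wobbles on a quiet link from paging anyone.
    Alerting samples are not folded into the baseline, so a long attack does
    not become the new normal. The first `warmup` samples only train it.
    """
    mean, var, alerts = float(series_gbps[0]), 0.0, []
    for i, x in enumerate(series_gbps):
        if i >= warmup and x > mean + k * math.sqrt(var) and x > ratio * mean:
            alerts.append(i)
            continue
        diff = x - mean
        mean += alpha * diff                              # EWMA of the level
        var = (1 - alpha) * (var + alpha * diff * diff)   # EWMA of the variance
    return alerts

# Constructed series (one sample per interval): 40 quiet samples around 1 Gbps,
# a legitimate 31-sample ramp to 3 Gbps (launch-day growth), a 5-sample 40 Gbps
# flood burst, then traffic settling at the new 3 Gbps level.
QUIET = [1.0 + 0.05 * math.sin(i) for i in range(40)]
RAMP = [1.0 + 2.0 * j / 30 for j in range(31)]
FLOOD = [40.0] * 5
SAMPLE_SERIES = QUIET + RAMP + FLOOD + [3.0] * 10
```

The ramp is never flagged because the baseline follows it, while the burst is flagged on every sample; feeding the same function per-destination byte counts from NetFlow/sFlow exports gives the "Flow analysis" variant.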
Behavioral Detection
| Method | How It Works | Detection Time |
|---|---|---|
| Request pattern analysis | Detect unusual patterns | Seconds-minutes |
| Source IP correlation | Identify coordinated sources | Minutes |
| User agent analysis | Detect bot signatures | Real-time |
| Connection ratio analysis | SYN/ACK imbalances | Real-time |
Machine Learning Detection
| Method | Accuracy | Detection Time |
|---|---|---|
| Anomaly detection | 90-95% | Seconds |
| Classification models | 95-99% | Real-time |
| Deep learning | 97-99% | Real-time |
Mitigation Strategies
Volumetric Attack Mitigation
| Technique | How It Works | Latency Impact |
|---|---|---|
| Traffic scrubbing | Filter attack traffic at scrubbing center | 10-50ms |
| BGP routing | Route traffic through mitigation provider | Variable |
| Anycast | Distribute traffic across global network | Reduces congestion |
| Rate limiting | Limit traffic per source IP | <1ms |
Protocol Attack Mitigation
| Technique | How It Works | Effectiveness |
|---|---|---|
| SYN cookies | Stateless SYN handling | High for SYN floods |
| Connection limiting | Limit connections per source | Medium-High |
| TCP intercept | Proxy TCP connections | High |
| Firewall rules | Drop known attack patterns | Medium |
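The "SYN cookies" row, as an added example (not from the original page or any real TCP stack): a simplified cookie in the classic layout (time counter, MSS index, truncated MAC) together with the checks the receiver performs on the returning ACK. The secret, the MSS table and the 64-second counter period are assumptions.

```python
import hashlib
import hmac

# Constructed secret; a real stack keeps this in kernel memory and rotates it.
COOKIE_SECRET = b"constructed-demo-secret"
# Small MSS table: the 3-bit field in the cookie is an index into it.
MSS_TABLE = (536, 1220, 1440, 1460)

def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit truncated HMAC over the 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}@{counter}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """Return the 32-bit ISN to send in the SYN-ACK instead of storing state.

    Layout (high to low bits): 5-bit time counter (64 s granularity),
    3-bit MSS table index, 24-bit MAC. The SYN itself can then be dropped.
    """
    counter = (int(now) // 64) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, counter)

def check_syn_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the cookie echoed back in the final ACK (its ack number minus 1).

    Returns the MSS to use for the connection, or None when the cookie is
    forged, belongs to another 4-tuple, or is older than two counter periods.
    """
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (int(now) // 64) & 0x1F
    if (current - counter) & 0x1F > 1:      # accept this period and the previous one
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]
```

Because nothing is stored per half-open connection, a flood of spoofed SYNs costs the server one HMAC per packet rather than a connection-table entry, which is why the technique rates "High for SYN floods" above.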
Application Attack Mitigation
| Technique | How It Works | Effectiveness |
|---|---|---|
| WAF rules | Block malicious request patterns | High |
| Rate limiting per URI | Limit requests to specific endpoints | High |
| CAPTCHA challenges | Verify human users | Medium-High |
| Bot detection | Identify and block bot traffic | High |
| Connection timeout | Close slow connections | High for Slowloris |
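The "Connection timeout" and "Connection limiting" rows applied to the Slowloris flow described earlier, as an added example (not from the original page or Azion's platform): a header-deadline guard that refuses excess half-finished connections per source and reaps those that never complete their headers. The connection events, addresses and limits are constructed.

```python
class HeaderTimeoutGuard:
    """Slowloris guard: a connection must finish its request headers within
    header_timeout_s of opening, and one source IP may hold at most
    max_pending_per_ip incomplete connections. `now` is injected (seconds)."""
    def __init__(self, header_timeout_s=10.0, max_pending_per_ip=20):
        self.header_timeout_s, self.max_pending_per_ip = header_timeout_s, max_pending_per_ip
        self.pending = {}   # conn_id -> {"ip", "opened", "buf"}
        self.closed = []    # (conn_id, reason) for every rejected connection

    def open(self, conn_id, ip, now):
        # Connection limiting: refuse when this source already holds too many.
        if sum(c["ip"] == ip for c in self.pending.values()) >= self.max_pending_per_ip:
            self.closed.append((conn_id, "per-ip pending limit"))
            return False
        self.pending[conn_id] = {"ip": ip, "opened": now, "buf": b""}
        return True

    def feed(self, conn_id, data):
        """Append header bytes; True once the blank line ends the header block.
        More bytes arriving deliberately do NOT extend the deadline."""
        conn = self.pending.get(conn_id)
        if conn is None:
            return False
        conn["buf"] += data
        if b"\r\n\r\n" in conn["buf"]:
            del self.pending[conn_id]  # complete: hand off to the request handler
            return True
        return False

    def reap(self, now):
        # Connection timeout: close everything still header-incomplete past the deadline.
        expired = [cid for cid, c in self.pending.items()
                   if now - c["opened"] > self.header_timeout_s]
        for cid in expired:
            del self.pending[cid]
            self.closed.append((cid, "header timeout"))
        return len(expired)

def simulate():
    # Constructed scenario: one source opens 30 connections and trickles one
    # header line at 10 s; a legitimate client sends a complete request meanwhile.
    g = HeaderTimeoutGuard(header_timeout_s=10.0, max_pending_per_ip=20)
    accepted = sum(g.open(f"slow-{i}", "198.51.100.5", now=0.0) for i in range(30))
    for i in range(accepted):
        g.feed(f"slow-{i}", b"GET / HTTP/1.1\r\nHost: target.com\r\nX-Header1: a\r\n")
    g.open("legit", "10.0.0.9", now=1.0)
    legit_done = g.feed("legit", b"GET / HTTP/1.1\r\nHost: target.com\r\n\r\n")
    for i in range(accepted):  # keep-alive trickle, as in the attack flow
        g.feed(f"slow-{i}", b"X-Header2: b\r\n")
    timed_out = g.reap(now=15.0)
    refused = sum(1 for _, r in g.closed if r == "per-ip pending limit")
    return {"accepted": accepted, "refused": refused, "timed_out": timed_out,
            "legit_completed": legit_done, "still_pending": len(g.pending)}
```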
Common Mistakes and Fixes
Mistake: Relying only on on-premises mitigation
Fix: Use cloud-based DDoS protection for volumetric attacks that exceed your bandwidth

Mistake: No baseline traffic analysis
Fix: Establish traffic baselines to detect anomalies quickly; know your normal patterns

Mistake: Mitigating only at Layer 3-4
Fix: Layer 7 attacks require application-layer defenses (WAF, rate limiting, bot detection)

Mistake: No incident response plan
Fix: Document DDoS response procedures, escalation paths, and communication templates

Mistake: Manual mitigation only
Fix: Implement automated detection and mitigation to respond in seconds, not minutes

Mistake: Testing mitigation only during attacks
Fix: Conduct regular DDoS simulation exercises to validate defenses
DDoS Attack Quick Reference
| Attack Type | Layer | Volume | Detection | Mitigation |
|---|---|---|---|---|
| UDP Flood | 3-4 | High | Traffic spike | Scrubbing, rate limit |
| DNS Amplification | 3-4 | Very High | DNS traffic ratio | Scrubbing, anycast |
| SYN Flood | 4 | Medium-High | SYN/ACK ratio | SYN cookies |
| HTTP Flood | 7 | Low-Medium | Request pattern | WAF, rate limit |
| Slowloris | 7 | Low | Connection duration | Timeout, WAF |
| DNS Water Torture | 7 | Low-Medium | NXDOMAIN rate | DNS hardening |
Frequently Asked Questions
What is the difference between DDoS and DoS?
DoS (Denial of Service) originates from a single source. DDoS (Distributed Denial of Service) uses multiple sources—typically thousands of compromised devices—to generate attack traffic, making it harder to block.

What is a botnet?
A botnet is a network of compromised computers, IoT devices, or servers controlled by an attacker. Botnets generate DDoS traffic, send spam, or perform other malicious activities without the device owners’ knowledge.

How do amplification attacks work?
Amplification attacks send small requests to public servers with spoofed source IPs (the victim’s address). The servers send large responses to the victim, amplifying the traffic 10-700x. Common amplification protocols include DNS, NTP, and SSDP.

Why are Layer 7 attacks harder to detect?
Layer 7 attacks use legitimate HTTP/HTTPS requests that appear normal to network devices. They don’t require massive bandwidth, making them harder to distinguish from legitimate traffic. They target specific application functions, requiring application-aware detection.

How long do DDoS attacks typically last?
Most DDoS attacks last 10-60 minutes. However, sophisticated attacks can persist for hours or days, especially extortion-driven attacks. Extended attacks require sustained mitigation capability.

Can small websites be DDoS targets?
Yes. DDoS-for-hire services make attacks affordable ($5-50), so even small sites are targeted. Common motivations include extortion, competition, and ideological attacks. No site is too small to need protection.

What is the cost of DDoS downtime?
Average cost: $5,600-9,000 per minute of downtime (Gartner). Costs include lost revenue, productivity, remediation, and reputation damage. Extended attacks can cost millions.

How do I distinguish a traffic spike from a DDoS attack?
Traffic spikes from legitimate events (product launches, viral content) show normal request patterns. DDoS attacks show anomalous patterns: unusual source distribution, repetitive requests, known attack signatures, or protocol violations.

Should I pay a DDoS extortion demand?
Law enforcement and security experts recommend against paying. Payment encourages future attacks and doesn’t guarantee the attack will stop. Instead, implement DDoS protection and report to authorities.

What is DDoS mitigation as a service?
DDoS mitigation services provide cloud-based traffic scrubbing. During attacks, traffic routes through the provider’s network where malicious traffic is filtered. Clean traffic reaches your servers. Providers include cloud platforms, CDNs, and specialized security companies.
How This Applies in Practice
DDoS protection requires a layered approach:
- Network edge: Volumetric attack detection and scrubbing
- Infrastructure: Protocol attack mitigation (SYN cookies, connection limits)
- Application: Layer 7 protection (WAF, rate limiting, bot detection)
Most organizations use a combination of on-premises equipment for immediate response and cloud-based services for large volumetric attacks. The key is automated detection and mitigation—attacks can overwhelm systems in seconds, leaving no time for manual intervention.
How to Implement on Azion
Azion provides integrated DDoS protection across all layers:
- Network Layer Protection: Automatic volumetric attack mitigation at edge locations
- Protocol Protection: SYN cookie support and connection limiting
- Application Protection: WAF with rate limiting and bot detection for Layer 7 attacks
- Global Distribution: Anycast network distributes attack traffic across multiple locations
Azion’s edge platform detects and mitigates DDoS attacks close to the source, protecting your origin infrastructure while maintaining availability for legitimate users.
Learn more in the Azion Documentation.
Related Resources
- What is a DDoS Attack?
- What is DDoS Protection and Mitigation?
- Application Layer Attack
- What is a Bot Attack?
- What is a Web Application Firewall?
Sources:
- Cloudflare. “DDoS Threat Report 2025.”
- NETSCOUT. “Threat Intelligence Report.” 2025.
- Radware. “Global Application & Network Security Report.” 2025.
- Link11. “DDoS Statistics and Trends.” 2025.
- NIST. “Guide to DDoS Attacks.” SP 800-83.