Distributed Denial of Service (DDoS)
A Distributed Denial-of-Service (DDoS) attack is a coordinated cyber assault in which multiple compromised systems flood a target, such as a website, application, or network, with overwhelming amounts of traffic. The goal is to exhaust the target’s bandwidth, processing power, or network capacity, rendering legitimate services unavailable to real users.
The term DDoS stands for Distributed Denial of Service. It expands on the traditional Denial-of-Service (DoS) model, which typically originates from a single source. In a DDoS event, the attack is launched from hundreds or thousands of geographically dispersed systems, making it far more difficult to stop or trace.
DDoS attacks are illegal under U.S. and international law, as they deliberately disrupt online services, inflict operational and financial harm, and erode public trust. For organizations that rely on continuous uptime, such as e-commerce platforms, financial institutions, and SaaS providers, DDoS attacks pose a major threat to both availability and reputation.
How DDoS Attacks Work
Understanding how DDoS attacks operate helps clarify why they are so difficult to defend against. At their core, these attacks use volume and coordination to overwhelm a target’s capacity.
Attackers typically leverage botnets (networks of malware-infected computers or IoT devices) that act in unison to send large volumes of requests toward a single target. As the server or network struggles to process the flood of data, legitimate users experience slow performance or total outages. Because the attacking devices are distributed globally, blocking traffic based on IP addresses alone rarely works.
Modern DDoS campaigns are automated, adaptive, and multi-layered. Attackers frequently change methods midstream, switching between volumetric, protocol, and application-layer vectors to bypass defenses. To mitigate these threats, organizations deploy techniques such as traffic scrubbing, rate limiting, and DNS-layer filtering that identify and drop malicious traffic before it reaches the application layer.
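To make the point about per-IP controls concrete, the following added example (not part of the original page) runs a token-bucket rate limiter over two constructed traffic patterns: one noisy source and many quiet ones. The class names, limits, and traffic shapes are illustrative assumptions.

```python
from collections import defaultdict

class TokenBucket:
    """Token bucket: refills at `rate` tokens/second, holds at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class Limiter:
    """Per-source buckets plus one aggregate bucket for the whole service.
    The (rate, burst) limits below are assumed values for illustration."""
    def __init__(self, per_src=(5, 10), total=(200, 400)):
        self.per_src = defaultdict(lambda: TokenBucket(*per_src))
        self.total = TokenBucket(*total)

    def check(self, src, now):
        if not self.per_src[src].allow(now):
            return "drop:per-source"   # one client exceeding its own budget
        if not self.total.allow(now):
            return "drop:aggregate"    # service-wide budget exhausted
        return "accept"

def simulate(sources, reqs_per_src, seconds=5):
    """Constructed traffic: every source sends reqs_per_src requests/second."""
    lim, counts = Limiter(), defaultdict(int)
    for sec in range(seconds):
        for i in range(reqs_per_src):
            now = sec + i / reqs_per_src
            for s in range(sources):
                counts[lim.check(f"src-{s}", now)] += 1
    return dict(counts)

if __name__ == "__main__":
    print("single source, 100 req/s:", simulate(1, 100))
    print("1000 sources, 1 req/s   :", simulate(1000, 1))
```

In the distributed run no source ever exceeds its own limit, so only the aggregate bucket sheds load, and it cannot tell bots from real users. That is why rate limiting is paired with traffic scrubbing and DNS-layer filtering rather than used alone.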
Types of DDoS Attacks
DDoS attacks can target different layers of the network stack, each with a unique strategy and goal. Understanding these categories helps defenders recognize the scope of modern DDoS campaigns.
| Type | Description | Examples |
| --- | --- | --- |
| Volumetric Attacks | Flood network bandwidth with overwhelming data volumes. | UDP floods, amplification attacks |
| Protocol Attacks | Exploit weaknesses in network protocols to exhaust server resources. | TCP SYN floods, ICMP floods |
| Application-Layer (Layer 7) Attacks | Target the application layer with fake HTTP or API requests that mimic legitimate traffic. | HTTP floods |
| Multi-Vector Attacks | Combine multiple methods within one campaign for greater disruption and evasion. | Mixed UDP + HTTP attacks |

Note: Some classifications treat DNS amplification as a distinct subtype because it abuses open DNS resolvers to amplify traffic volume against a victim.
Common DDoS Attack Techniques
Attackers use a wide range of methods to execute DDoS campaigns, often combining several at once to maximize disruption. Below are some of the most common techniques seen in the wild.
- DNS Amplification: Exploits open DNS servers to reflect and multiply malicious traffic toward a victim.
- SYN Flood: Sends incomplete TCP handshake requests to consume server resources.
- HTTP Flood: Mimics legitimate web requests to overwhelm application servers.
- ICMP (Ping) Flood: Uses continuous ICMP packets to saturate network capacity.
- Botnet-Based Attacks: Employ infected IoT devices or cloud instances to achieve massive scale and resilience.
Causes and Motivations Behind DDoS Attacks
While DDoS campaigns can vary in size and sophistication, the underlying motivations often reveal the attacker’s intent. Some seek financial gain, others disruption or notoriety.
- Hacktivism: Used to protest organizations or governments by taking public-facing sites offline.
- Extortion: Criminal groups demand ransom payments to stop ongoing attacks.
- Competitive Advantage: Unethical businesses or threat actors disrupt competitors’ uptime.
- Diversion: Deployed as a smokescreen while another intrusion or data breach occurs.
- Malware Infection: Devices are unwittingly conscripted into botnets through large-scale malware campaigns.
Effects of DDoS Attacks
The effects of a DDoS attack can extend well beyond the initial outage, affecting both the victim and connected services. These attacks can have lasting financial, operational, and reputational consequences.
- Service outages or degraded performance, leading to loss of customer trust and revenue.
- Spikes in bandwidth and mitigation costs due to emergency response efforts.
- Reputational damage when critical services appear unreliable.
- Collateral impact on ISPs, CDNs, and customers relying on shared infrastructure.
- Business continuity risks for uptime-sensitive sectors like finance, e-commerce, and SaaS.
Even brief disruptions can ripple through interconnected systems, disrupting supply chains, customer experiences, and service-level commitments.
Examples of DDoS Attacks
Historical examples show how DDoS attacks have evolved from crude bandwidth floods into sophisticated, multi-vector operations.
- Dyn DNS Attack (2016): The Mirai botnet hijacked IoT devices to overwhelm Dyn’s DNS infrastructure, disrupting access to major platforms including Twitter, Netflix, and PayPal.
- GitHub Attack (2018): A 1.35 Tbps Memcached amplification attack temporarily disabled GitHub, setting a record for the largest DDoS event at the time.
- Gaming and Streaming Platforms (Ongoing): Frequently targeted for extortion or revenge-based attacks aimed at causing disruption during live events.
Today, most large-scale attacks are mitigated automatically by Anycast routing, DNS-layer protection, and cloud-based scrubbing centers, preventing widespread service outages before end users notice.
By the Numbers: DDoS Attack Statistics
Data from recent years highlights how DDoS has evolved into a constant background threat rather than an occasional disruption. Attackers are scaling up both in capacity and organization, using automation to sustain pressure on global infrastructure.
- Volumetric DDoS attacks increased 30% year-over-year in the first half of 2024. Around 41,000 DDoS attacks occur daily, according to NETSCOUT’s ATLAS data.
- The number of active attacking entities rose 57.3% in 2024, totaling 7,933 identified organizations.
- Attacks exceeding 500 Gbps peaked at 582 incidents in 2024, marking a 37.9% increase over 2023 levels.
The scale and frequency of DDoS activity continue to rise. Attacks have shifted from isolated incidents to a persistent risk that demands proactive monitoring and always-on, DNS-aware defense strategies.


