Status DataClose notification

What Is Distributed Denial of Service (DDoS)?

TL;DR: A Distributed Denial of Service (DDoS) attack is an attempt to knock a website, server, or network offline by flooding it with traffic from many sources at once, usually a botnet of compromised devices. Unlike a simple DoS attack, which comes from a single source and is easy to block, a DDoS attack's traffic arrives from thousands of different IPs simultaneously, making it far harder to filter out attack traffic without also blocking real users.

What Distributed Denial of Service Actually Means

Denial of Service (DoS) describes any attack whose goal is to make a system unavailable to the people who are supposed to use it — not by breaking in, but by overwhelming it. The "distributed" in DDoS refers to how that flood of traffic is generated: instead of one attacker sending requests from one machine, the traffic comes from many machines spread across the internet, all directed at the same target at the same time.

Those machines are typically part of a botnet — a network of devices (servers, routers, IoT cameras, even smart appliances) that have been infected with malware and can be remotely commanded without their owners' knowledge. When the attacker triggers the botnet, every infected device sends traffic toward the target simultaneously. The target's server, application, or network link runs out of capacity to handle it, and legitimate requests start timing out or getting dropped.

This is what separates DDoS from most other attack categories: it doesn't require finding a vulnerability or breaching a system. It just requires enough traffic, in the wrong place, at the same time.

How a DDoS Attack Works

A DDoS attack generally plays out in two stages:

  1. Building the botnet. Attackers infect internet-connected devices with malware, either by exploiting unpatched vulnerabilities, phishing, or targeting devices left on default credentials. Each infected device becomes a "bot" that waits for instructions from a command-and-control (C2) server, or from other bots directly in a peer-to-peer setup.
  2. Launching the flood. On command, every bot in the network sends traffic toward the target at once. Depending on the attack type, that traffic might be raw volume meant to saturate bandwidth, malformed protocol requests meant to exhaust server resources, or requests that look like normal application traffic but are sent at a volume no real user base would generate.

Attackers frequently spoof the source IP addresses in this traffic, which is what makes distinguishing attack traffic from legitimate traffic and tracing it back to its origin genuinely difficult in real time.

Common Types of DDoS Attacks

  • Volumetric attacks. The most straightforward category: overwhelm the target's available bandwidth with sheer traffic volume. DNS amplification, where a small spoofed request triggers a much larger response directed at the victim, is a common technique here.
  • Protocol attacks. Target the resources of servers or network infrastructure (firewalls, load balancers) rather than bandwidth itself. A SYN flood, which exploits the TCP handshake to leave connections half-open until server memory is exhausted, is the classic example.
  • Application-layer attacks. Aimed at the layer where web pages are actually generated in response to requests. These mimic legitimate user behavior — a flood of seemingly normal HTTP requests, which makes them harder to distinguish from a real traffic spike.

Attackers often combine more than one type in the same campaign, which is part of why DDoS mitigation tends to require layered defenses rather than a single control.

Why DDoS Attacks Happen

Motives vary, but the recurring ones are:

  • Extortion — demanding payment to stop or avoid an attack
  • Hacktivism — targeting organizations over ideological or political disagreements
  • Competitive disruption — taking a competitor's service offline, common in gaming
  • Distraction — using the DDoS as cover while a separate intrusion or data exfiltration happens elsewhere on the network

That last point is worth taking seriously in incident response: treating a DDoS attack as the whole incident, rather than checking whether it coincided with unusual activity elsewhere, is a common blind spot.

How Organizations Defend Against DDoS

There's no single control that eliminates DDoS risk — mitigation is layered by design:

  • Rate limiting to cap how many requests a single source can make in a given window
  • Web Application Firewalls (WAF) to filter traffic based on request patterns
  • Anycast routing to spread incoming traffic across a distributed network so no single point absorbs the full load
  • Traffic baselining and monitoring so unusual spikes (half-open connections, sudden request volume) get flagged before they escalate

The common thread across all of these: the goal isn't to block all traffic, it's to reliably separate attack traffic from legitimate traffic without taking real users down in the process.

Conclusion

A DDoS attack doesn't need to break anything to be effective — it just needs to make a target unreachable for the people who rely on it. That's what makes it different from most attacks covered elsewhere in this glossary: the objective is availability, not access. Understanding how the traffic is generated and distributed is the first step toward recognizing an attack early and building defenses that hold up against it.