Some attacks steal data. Some attacks spy on users. And some attacks have only one goal: to make your service unavailable.
DDoS attacks fall into the last category, and they are more common and more accessible to attackers than many organizations realize. They don’t require exploiting a specific vulnerability or gaining access to internal systems. All it takes is generating enough traffic to cause your infrastructure to collapse under its own weight.
What makes a modern DDoS attack particularly dangerous is not only the volume it can reach (attacks exceeding 2 Tbps have been recorded), but also the variety of forms it can take. A volumetric attack that saturates bandwidth is relatively easy to identify. However, an application-layer attack that mimics legitimate traffic and silently exhausts your server’s resources is far more difficult to detect and stop.
This article explains how DDoS attacks work, the different forms they take, the damage they have caused in real-world incidents, and the mitigation strategies that actually work.
What Is a DDoS Attack?
A DDoS (Distributed Denial of Service) attack involves flooding a server, network, or application with more traffic than it can process, making it inaccessible to legitimate users.
The key word is distributed. Unlike a traditional DoS attack, which originates from a single source and is relatively easy to block, a DDoS attack is launched simultaneously from thousands or even millions of compromised devices. That means there is no single IP address to filter. The attack comes from everywhere at once.
With that in mind, what exactly is the difference between DoS and DDoS?
In a DoS attack, the traffic originates from a single source. In a DDoS attack, however, malicious traffic comes from a distributed network of malware-infected devices that the attacker controls remotely. These networks are known as botnets. That distribution is what makes DDoS attacks an entirely different challenge.
How a DDoS Attack Works
The Role of Botnets
As mentioned earlier, most DDoS attacks are carried out through botnets, which may consist of personal computers, servers, IP cameras, home routers, IoT devices running default credentials, and more. Any of these devices can become part of a botnet without its owner ever knowing. Attackers rarely need to build this infrastructure themselves.
Botnets can be rented on underground marketplaces at prices that have dropped significantly in recent years. This has effectively democratized the ability to launch large-scale attacks: any actor with sufficient motivation and a modest budget can orchestrate a DDoS attack capable of overwhelming well-provisioned infrastructure.
OSI Layers: Where the Attack Strikes
Not all DDoS attacks operate at the same level. Depending on their objective, they target different layers:
- Network Layer (L3): Saturates bandwidth with massive volumes of packets.
- Transport Layer (L4): Exploits the behavior of protocols such as TCP to consume server resources or overwhelm intermediary network devices.
- Application Layer (L7): Generates seemingly legitimate HTTP/HTTPS requests that exhaust application resources.
This distinction is not merely academic. Each layer requires a different defense strategy, and misidentifying the type of attack you’re facing can lead to ineffective mitigation measures.
Types of DDoS Attacks
Volumetric Attacks
The objective is simple: consume all available bandwidth between the target system and the rest of the internet.
Massive traffic volumes are generated using techniques such as UDP floods, ICMP floods, and amplification attacks (DNS, NTP, Memcached), in which attackers exploit misconfigured servers that respond with packets far larger than the original requests.
A well-executed amplification attack can multiply the original traffic by factors of 10x, 50x, or even more. The attacker sends very little; the target receives an enormous amount.
Protocol Attacks
These attacks do not aim to saturate bandwidth. Instead, they seek to exhaust the resources of servers or intermediary network devices, such as firewalls and load balancers, by exploiting the way communication protocols work.
The most well-known example is the SYN flood. Attackers initiate thousands of TCP connections by sending SYN packets but never complete the handshake. The server reserves resources for each pending connection, eventually filling its connection table until it can no longer accept new connections—including legitimate ones.
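To make the resource-exhaustion mechanism concrete, here is an added Python model (not code from this article or from any product it mentions) of two listeners under the same flood of spoofed SYNs. The first keeps a per-connection entry and stops accepting anyone once its small backlog is full; the second uses SYN cookies, a stateless technique in which the server keeps nothing per SYN and instead encodes an HMAC into the sequence number it sends back. The backlog size, timeout, addresses and the 8-bit-bucket/24-bit-MAC cookie layout are constructed for illustration and simplify real kernel implementations.

```python
import hmac
import hashlib

# Constructed parameters: a deliberately tiny backlog so table exhaustion is visible.
SYN_BACKLOG = 4
HALF_OPEN_TIMEOUT = 30.0   # seconds a half-open entry is kept before it is dropped


class StatefulListener:
    """Models a listener that reserves a backlog slot for every SYN it sees."""

    def __init__(self, backlog=SYN_BACKLOG, timeout=HALF_OPEN_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}      # (src_ip, src_port) -> time the SYN arrived
        self.established = 0

    def _expire(self, now):
        stale = [k for k, t0 in self.half_open.items() if now - t0 > self.timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False         # table full: SYN dropped, legitimate or not
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


class CookieListener:
    """Models SYN cookies: nothing is stored per SYN; the initial sequence number
    carries an HMAC over the client's address and a coarse time bucket, and the
    final ACK is accepted only if it echoes a cookie that still verifies."""

    def __init__(self, secret, window=60):
        self.secret = secret
        self.window = window
        self.established = 0

    def _cookie(self, src, bucket):
        msg = f"{src[0]}:{src[1]}:{bucket}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:3], "big")          # 24 MAC bits

    def on_syn(self, src, now):
        bucket = int(now // self.window)
        # ISN = 8 bits of time bucket | 24 bits of MAC; no state kept on the server.
        return ((bucket & 0xFF) << 24) | self._cookie(src, bucket)

    def on_ack(self, src, isn, now):
        bucket = int(now // self.window)
        for b in (bucket, bucket - 1):                 # allow the previous window too
            if (b & 0xFF) == (isn >> 24) and self._cookie(src, b) == (isn & 0xFFFFFF):
                self.established += 1
                return True
        return False


# Constructed traffic: spoofed SYNs that are never followed by an ACK, then one real client.
ATTACKER_SOURCES = [(f"198.51.100.{i}", 40000 + i) for i in range(10)]
CLIENT = ("203.0.113.7", 51000)


def stateful_under_flood():
    srv = StatefulListener()
    now = 1000.0
    for src in ATTACKER_SOURCES:
        srv.on_syn(src, now)                           # slots filled, handshake never completed
    during = srv.on_syn(CLIENT, now + 1.0)             # real client is refused
    after = srv.on_syn(CLIENT, now + HALF_OPEN_TIMEOUT + 1.0)   # refused until stale entries expire
    return {"accepted_during_flood": during, "accepted_after_timeout": after}


def cookies_under_flood():
    srv = CookieListener(secret=b"constructed-secret")
    now = 1000.0
    for src in ATTACKER_SOURCES:
        srv.on_syn(src, now)                           # replies cost no memory
    isn = srv.on_syn(CLIENT, now + 1.0)
    genuine = srv.on_ack(CLIENT, isn, now + 1.1)       # client echoes the cookie it was given
    forged = srv.on_ack(CLIENT, isn ^ 0x1234, now + 1.2)  # guessed cookie is rejected
    return {"client_established": genuine, "forged_ack_accepted": forged}
```

The stateful model only recovers once its half-open entries time out, which is why shortening that timeout and enlarging the backlog are common first-aid settings; the cookie model never runs out of table space because there is no table, at the cost of the handshake carrying less negotiated state.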
Application-Layer Attacks (Layer 7)
These are the most sophisticated and the most difficult to detect.
Rather than overwhelming the network, they generate HTTP or HTTPS requests that appear completely legitimate. The server processes them as though they came from real users until CPU, memory, or database resources are exhausted.
An HTTP flood can generate millions of GET or POST requests targeting a specific URL. Slowloris attacks open multiple connections and keep them active by intermittently sending partial headers, occupying connection slots without ever completing a request.
From the outside, the traffic may appear entirely normal. A traditional firewall cannot distinguish between a legitimate HTTP request and a malicious one. Mitigating these attacks requires deep inspection at the application layer.
DDoS Attack Examples: Real Incidents That Disrupted Major Organizations
The following DDoS attack examples show how denial-of-service campaigns have disrupted governments, stock exchanges, cloud providers, and some of the largest websites on the internet.
2025: NoName057(16) Attacks Against Spanish Public Institutions
In March 2025, dozens of Spanish municipalities, provincial councils, and public-sector organizations saw their websites taken offline following a coordinated wave of denial-of-service attacks carried out by the group NoName057(16). Although no data was stolen, the impact was significant, leaving thousands of citizens without access to essential digital services.
2020: Amazon Web Services – 2.3 Tbps
AWS reported in its threat intelligence report that it had mitigated the largest DDoS attack recorded at the time: a 2.3 Tbps attack sustained over three days. The target was an unidentified customer, and the attack relied on CLDAP reflection techniques.
The scale of the incident highlights the fact that cloud infrastructure providers are themselves targets, and that the capacity of even the largest providers is not unlimited.
2020: New Zealand Stock Exchange – Days of Disruption
For several consecutive days in August 2020, the New Zealand Stock Exchange experienced disruptions severe enough to force the suspension of trading operations.
The attack was not particularly sophisticated from a technical perspective, but it was persistent and targeted an organization with an extremely low tolerance for downtime.
The incident illustrates how the criticality of the affected service can greatly amplify the impact of an attack that, in a different context, might have been contained with far fewer consequences.
2018: GitHub – 1.35 Tbps Memcached Amplification Attack
In February 2018, GitHub suffered the largest DDoS attack ever recorded at that point, peaking at 1.35 Tbps.
Attackers used Memcached amplification, exploiting internet-exposed caching servers to multiply traffic volumes on a massive scale.
GitHub was able to mitigate the attack within minutes by redirecting traffic to its scrubbing service. The incident delivered a clear lesson: even top-tier enterprise infrastructure can become a target, and response time is everything.
2016: Dyn – When DNS Goes Down, the Internet Goes Down
In October 2016, the Mirai botnet—made up primarily of security cameras and digital video recorders running default credentials—launched a massive attack against Dyn, one of the internet’s leading DNS providers.
The result was widespread outages affecting Twitter (now X), Netflix, Reddit, Spotify, and PayPal for several hours.
The attack revealed something many organizations had not fully considered: dependence on shared infrastructure as a risk vector. It did not matter how well each individual company protected its own systems. If the DNS provider resolving their domains went down, their services went down as well.
The Real Business Impact of a DDoS Attack
A DDoS attack is not just a technical problem for the IT team to solve. Its consequences affect the entire organization.
Service Disruption
The most immediate consequence. For e-commerce businesses, financial services, and SaaS platforms, every minute of downtime carries a direct and measurable cost.
Reputational Damage
Users who cannot access a service do not always understand the cause. The perception of unreliability can erode trust even after service has been fully restored.
Remediation Costs
Mitigating an ongoing attack requires human and technical resources that organizations are rarely staffed for under normal circumstances. In many cases, it means bringing in emergency services or purchasing additional capacity at short notice.
Regulatory Consequences
In sectors such as finance, healthcare, and critical infrastructure, a prolonged outage may result in SLA breaches or non-compliance with availability requirements, potentially leading to regulatory penalties.
DDoS as a Distraction
This is perhaps the most concerning—and least discussed—scenario: in some advanced attacks, the DDoS campaign is not the primary objective but rather a smokescreen designed to distract the security team while an intrusion is carried out elsewhere in the infrastructure.
While the team is focused on traffic alerts, someone is coming through another door.
Could your infrastructure withstand a Layer 7 DDoS attack?
Many organizations discover weaknesses only after an outage occurs.
Take our free infrastructure resilience assessment to identify potential availability and security gaps before attackers do.
How to Detect a DDoS Attack
Early detection can make the difference between a contained incident and a prolonged outage. The most common indicators include:
- A sudden and unexplained spike in traffic, especially if it originates from multiple geographic locations or unusual IP ranges.
- Progressive performance degradation with no apparent cause, including increased latency, frequent timeouts, and slow response times.
- Resource exhaustion, such as CPU, memory, or active connection counts reaching their limits without any correlation to normal system activity.
- Anomalous patterns in logs, including unusually high volumes of requests to the same URL, large numbers of incomplete connections, or statistically improbable distributions of source IP addresses.
- Monitoring system alerts indicating availability issues or traffic thresholds being exceeded.
None of these symptoms alone confirms an attack. However, the combination of several indicators—especially when they appear suddenly and simultaneously—should trigger your incident response procedures.
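The log-based indicators above can be checked mechanically. The following Python script is an added example (not part of the article and not a product feature) that parses combined-format access log lines and applies three of those checks to one time window: a single source far above any plausible human rate, most requests concentrated on one URL, and many sources each sending almost exactly the same number of requests. The log lines, addresses, thresholds and the coefficient-of-variation heuristic for "statistically improbable" source distributions are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# Combined access log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def analyse_window(lines, per_ip_limit=30, url_share_limit=0.7,
                   min_requests=50, cv_limit=0.15):
    """Apply three indicators to one window of log lines and return a list of
    'kind: detail' findings (empty when nothing stands out)."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    if not events:
        return findings
    total = len(events)
    by_ip = Counter(e["ip"] for e in events)
    by_path = Counter(e["path"] for e in events)

    # 1. One source far above any plausible human rate.
    flagged = {ip for ip, n in by_ip.items() if n > per_ip_limit}
    for ip in sorted(flagged):
        findings.append(f"per-ip: {ip} sent {by_ip[ip]} requests (limit {per_ip_limit})")

    # 2. Most of the window's requests hitting one URL (HTTP-flood pattern).
    path, n = by_path.most_common(1)[0]
    if total >= min_requests and n / total > url_share_limit:
        findings.append(f"url-concentration: {n}/{total} requests hit {path}")

    # 3. Many sources each sending almost exactly the same number of requests:
    #    humans do not behave that uniformly, scripted bots do. (Constructed heuristic.)
    counts = [n for ip, n in by_ip.items() if ip not in flagged]
    if total >= min_requests and len(counts) >= 10:
        cv = pstdev(counts) / mean(counts)
        if cv < cv_limit:
            findings.append(f"uniform-sources: {len(counts)} IPs sent ~{mean(counts):.0f} "
                            f"requests each (cv={cv:.2f})")
    return findings


def build_sample(with_attack):
    """Constructed log lines: a few human-looking requests, optionally followed
    by one aggressive source and a 40-host botnet hammering /login."""
    t = datetime(2025, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(ip, method, path, status=200, size=512):
        nonlocal t
        t += timedelta(milliseconds=250)
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size}')

    for path in ("/", "/about", "/static/app.js"):
        emit("203.0.113.5", "GET", path)
    emit("203.0.113.9", "GET", "/products")
    for path in ("/", "/cart"):
        emit("198.51.100.22", "GET", path)
    if with_attack:
        for _ in range(35):
            emit("192.0.2.77", "POST", "/login", 401, 120)
        for i in range(40):
            for _ in range(3):
                emit(f"192.0.2.{100 + i}", "POST", "/login", 401, 120)
    return lines
```

Run `analyse_window(build_sample(True))` to see all three findings, and `analyse_window(build_sample(False))` to confirm the quiet sample produces none. In production the window would be the last minute of the live log and the thresholds would be derived from the site's own baseline rather than the constants used here.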
DDoS Mitigation Strategies
There is no single solution that can protect against every type of DDoS attack. Effective mitigation requires a layered approach, where each defense mechanism complements the others.
Rate Limiting and Traffic Filtering
Rate limiting establishes a maximum number of requests or connections allowed per IP address within a defined period of time.
It provides a useful first line of defense against floods and brute-force attacks, but it has clear limitations when facing distributed attacks originating from thousands of different IP addresses.
Filtering based on IP reputation, geolocation, or behavioral patterns helps block known malicious traffic before it reaches the application. Its effectiveness depends on the quality of the threat intelligence feeding the system and the ability to update that intelligence in real time.
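To show both what per-IP rate limiting achieves and where it stops, here is an added Python example (not code from the article or any product it describes): a sliding-window limiter keyed by source address, run first against one address sending a burst and then against a constructed botnet in which every address stays under the per-IP limit. The addresses, limits and the 1,000 req/s server capacity are assumptions chosen for the example.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` in any trailing window of `window_s` seconds."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window = window_s
        self.events = defaultdict(deque)   # key -> timestamps of accepted events

    def allow(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                    # forget events that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def single_source_flood():
    """One address sending 50 requests in half a second against a 10 req/s limit."""
    lim = SlidingWindowLimiter(limit=10, window_s=1.0)
    accepted = sum(lim.allow("192.0.2.77", 0.01 * i) for i in range(50))
    recovered = lim.allow("192.0.2.77", 1.5)   # the window has slid past the burst
    return {"accepted": accepted, "allowed_after_window": recovered}


def distributed_flood(n_sources=500, per_source=8, capacity=1000):
    """Constructed botnet: 500 addresses, each sending 8 req/s (below the 10 req/s
    per-IP limit), against a server that can serve `capacity` requests per second."""
    per_ip = SlidingWindowLimiter(limit=10, window_s=1.0)
    combined_ip = SlidingWindowLimiter(limit=10, window_s=1.0)
    global_cap = SlidingWindowLimiter(limit=capacity, window_s=1.0)

    requests = []                          # (source ip, arrival time) spread over one second
    for i in range(per_source):
        for s in range(n_sources):
            ip = f"10.0.{s // 256}.{s % 256}"          # constructed private addresses
            requests.append((ip, (i * n_sources + s) / (per_source * n_sources)))

    # Per-IP limiting alone: every source is individually "reasonable", so all pass.
    per_ip_only = sum(per_ip.allow(ip, t) for ip, t in requests)
    # Per-IP limiting plus an aggregate cap on what the origin can actually serve.
    with_global = sum(combined_ip.allow(ip, t) and global_cap.allow("*", t)
                      for ip, t in requests)
    return {"offered": len(requests), "per_ip_only": per_ip_only,
            "with_global_cap": with_global}
```

The aggregate cap keeps the origin alive, but it drops legitimate requests along with malicious ones because it cannot tell them apart. That is the limitation the text describes: per-IP limiting is a first line, and separating the botnet from real users requires the reputation, geolocation and behavioural filtering discussed next.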
Cloud Scrubbing vs. Infrastructure-Based Protection
Scrubbing services redirect traffic to dedicated filtering centers where malicious traffic is removed before reaching the target environment.
They are highly effective against large-scale volumetric attacks because they can absorb enormous traffic volumes through their global network capacity.
However, this model has limitations that organizations should understand:
- Traffic passes through third-party infrastructure. This may conflict with data sovereignty requirements or regulations such as GDPR, particularly in highly regulated industries.
- If the cloud provider itself becomes the target, the protection fails. The Dyn attack discussed earlier demonstrated this clearly. More recently, several incidents affecting major CDNs have created cascading disruptions for their customers.
- Hybrid and on-premises environments cannot always reroute traffic externally without compromising architectural requirements or introducing unacceptable latency.
For these organizations, an alternative approach is to deploy protection directly within their own infrastructure—at the network perimeter, in front of applications, with real-time inspection and response capabilities that do not depend on third-party intermediaries.
WAF and IPDS: Application-Layer Protection
When defending against Layer 7 attacks, surface-level traffic inspection is not enough.
Organizations need visibility into request content, client behavior, and long-term access patterns.
A WAF (Web Application Firewall) performs deep inspection of HTTP/HTTPS requests and applies rules designed to identify anomalous behavior, including floods, aggressive scraping activity, and injection attempts disguised as DDoS traffic. Malicious requests are blocked before reaching the application.
An IPDS (Intrusion Prevention and Detection System) operates at the network level, identifying known attack signatures, traffic anomalies, and botnet-related behavior. It can automatically block or rate-limit suspicious traffic in real time.
Example of a Layer 7 DDoS Mitigation Architecture
In a modern Application Delivery Controller (ADC) architecture, DDoS mitigation typically occurs before traffic reaches backend servers.
When a DDoS pattern is detected, the platform can apply connection limits, reputation-based filtering, HTTP request inspection, and dedicated DoS protection rules to block malicious traffic in real time.
This architecture illustrates how these protection layers work together. In this example, the mitigation layer is implemented using SKUDONET.
When an IP address exceeds defined thresholds or exhibits behavior associated with botnets, requests are automatically blocked while legitimate traffic continues to reach backend servers.
Best Practices for Preventing DDoS Attacks
Build Redundancy into the Architecture from the Start
An architecture with multiple entry points, distributed load balancing, and automatic failover capabilities reduces the impact of any attack.
If one node fails, traffic is redistributed. High availability is not just a performance enhancement—it is operational resilience.
Audit Your Attack Surface Regularly
Unnecessarily exposed services, unjustified open ports, internet-accessible Memcached servers, or publicly reachable DNS services can all be leveraged by attackers to launch or amplify attacks.
If something should not be exposed, it should not be accessible.
Keep Systems Updated and Properly Patched
Many amplification attacks exploit vulnerable or misconfigured services.
Maintaining up-to-date systems and regularly auditing the configuration of exposed services significantly reduces the attack surface.
Configure Proactive Alerts with Realistic Thresholds
Do not wait until systems begin to fail before detecting an attack.
Establish a baseline for normal traffic patterns and configure alerts that trigger when those patterns are exceeded, leaving enough time to respond before the impact becomes irreversible.
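One way to turn "a baseline and realistic thresholds" into an alert rule, as an added Python example that is not from the article or any product it mentions: derive the baseline from a history of per-minute request counts using the median and median absolute deviation (so that an earlier attack in the history does not inflate the baseline), put a floor under the margin so a very flat baseline does not become a hair trigger, and require several consecutive minutes above threshold so one transient spike does not page anyone. The history, multiplier, margin floor and run length are constructed assumptions.

```python
import math
from statistics import median


def robust_baseline(history):
    """Median and MAD-based spread of a history of per-minute request counts.
    Median/MAD are used instead of mean/stddev so that a past incident in the
    history does not drag the baseline upwards."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, 1.4826 * mad     # MAD scaled to a standard-deviation equivalent


class BaselineDetector:
    """Alerts when observed counts stay above baseline + k*spread for
    `consecutive` samples in a row; a single spike is not an alert."""

    def __init__(self, history, k=4.0, consecutive=3, min_relative_margin=0.05):
        self.med, self.spread = robust_baseline(history)
        # Floor: a flat baseline must not turn a 5 % change into an alert.
        margin = max(self.spread, min_relative_margin * self.med)
        self.threshold = self.med + k * margin
        self.consecutive = consecutive
        self.streak = 0

    def observe(self, count):
        self.streak = self.streak + 1 if count > self.threshold else 0
        return self.streak >= self.consecutive


def constructed_history(minutes=24 * 60):
    """Deterministic 'normal day': ~1000 req/min with a slow swing and small jitter."""
    return [1000 + 30 * math.sin(i / 10) + ((i * 7) % 21 - 10) for i in range(minutes)]


def evaluate(history, samples, **kw):
    """Return the indices of `samples` at which the detector raised an alert."""
    det = BaselineDetector(history, **kw)
    return [i for i, c in enumerate(samples) if det.observe(c)]
```

With the constructed history the threshold lands around 1,200 req/min: five minutes at 1,100 stay quiet, a single minute at 3,000 followed by normal traffic stays quiet, and sustained traffic at 1,500 alerts from the third minute on. The run length is the parameter to tune against the time you actually need to activate countermeasures.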
Have an Incident Response Plan Before You Need One
When an attack begins, it is too late to decide what to do.
Teams should already know exactly which steps to follow: who to notify, which countermeasures to activate and in what order, how to communicate internally, and, when necessary, how to communicate with customers.
DDoS attacks have evolved from a form of digital protest into a systematic disruption tool used by actors driven by financial, competitive, or geopolitical motives.
The techniques have evolved as well. Modern application-layer attacks are quieter, harder to distinguish from legitimate traffic, and often more effective than traditional volumetric floods while requiring far less traffic.
The response cannot be reactive.
An effective protection strategy combines architectural redundancy, early detection, multi-layer traffic filtering, and application-specific defenses. None of these measures is sufficient on its own, and relying exclusively on external cloud-based services introduces a single point of failure that recent incidents have shown to be very real.
Organizations responsible for critical infrastructure need to know exactly where their protection resides, who controls it, and what happens when that protection fails.
How Prepared Is Your Infrastructure?
DDoS attacks continue to grow in scale and sophistication, but the biggest risk is often not knowing whether your current architecture can withstand them.
Take the infrastructure assessment and receive an instant evaluation of your application’s resilience against availability and security threats.
Frequently Asked Questions
What is the difference between a DoS and a DDoS attack?
A DoS attack originates from a single source. A DDoS attack uses a distributed network of compromised devices (a botnet) to generate the volume of traffic required to overwhelm a target.
That distributed nature is what makes DDoS attacks far more difficult to stop using traditional defenses.
Can a traditional firewall stop a DDoS attack?
Partially.
A firewall can block known IP addresses and filter certain traffic patterns, but its capabilities are limited against large-scale volumetric attacks or Layer 7 attacks that mimic legitimate traffic.
Dedicated solutions are required, such as WAFs, IPDS platforms, scrubbing services, or a combination of all three.
What is a Layer 7 DDoS attack?
A Layer 7 DDoS attack targets the application layer of the OSI model.
Rather than saturating bandwidth, it generates seemingly legitimate HTTP or HTTPS requests that consume application resources such as CPU, memory, and database connections.
These attacks are among the most difficult to detect because the traffic appears normal and requires deep application-layer inspection to be mitigated effectively.
Do cloud providers automatically protect against DDoS attacks?
Major cloud providers offer some level of built-in DDoS protection, but it is neither universal nor foolproof.
Sophisticated application-layer attacks can bypass these defenses. In addition, when the cloud provider itself becomes the target, the protection may become ineffective for all of its customers simultaneously.
What is a botnet, and how does it relate to DDoS attacks?
A botnet is a network of compromised devices remotely controlled by an attacker.
In a DDoS attack, the botnet serves as the delivery mechanism: all devices send traffic to the target in a coordinated manner, generating the volume required to overwhelm it.
Today, IoT devices running default credentials remain one of the primary sources of botnet recruitment.
How much can a DDoS attack cost a business?
The answer depends on the duration of the attack, the industry, and the criticality of the affected services.
Beyond the direct cost of downtime, organizations must also consider remediation expenses, reputational damage, and—in regulated industries—potential penalties for failing to meet availability requirements.
Taken together, serious incidents often cost tens or hundreds of thousands of euros, and in some cases significantly more.