You're running a legitimate online service when suddenly every request starts timing out. Your server CPU is maxed. Customer support is flooded. And you haven't been breached — you've been buried under traffic you never asked for.
That's a distributed denial-of-service attack in action. Unlike traditional hacks that steal data, DDoS attacks weaponize volume itself. The goal isn't infiltration; it's exhaustion. And in 2025, these attacks are faster, cheaper to launch, and harder to stop than ever before.
The first denial-of-service attacks in the 1990s were crude — one machine hammering another with requests until something crashed. By the early 2000s, attackers figured out they could control hundreds or thousands of compromised devices at once using botnets like Trinoo and TFN. Suddenly, floods came from everywhere.
As defenses improved, attackers stopped relying on raw bandwidth alone. They started abusing internet protocols themselves. Reflection attacks became common: send a small request to a misconfigured DNS or NTP server with the victim's address forged as the source, and that server fires its much larger response at the victim instead of at you. A 60-byte query can trigger a 4,000-byte reply, roughly 66× amplification for almost zero effort on the attacker's side.
Application-layer attacks followed. Instead of flooding the network, attackers targeted expensive operations like database lookups or login pages. These low-and-slow tactics fly under traditional alarms because they look like real traffic — just enough to drain resources without tripping volumetric thresholds.
Today's botnets pull from cloud instances, containerized workloads, and IoT devices. Attack tools are sold as services with dashboards and SLA guarantees. Traffic routes through residential proxies and VPN exit nodes, making attribution difficult and IP-based blocking short-lived.
DDoS works by forcing your infrastructure to spend resources faster than you can replenish them. Attackers recruit distributed sources — compromised routers, IoT devices, abused cloud instances — and issue commands through encrypted channels or DNS tunneling. The result is coordinated traffic that hits from every direction at once.
Reflection attacks are still popular. Attackers send forged requests to stateless services like DNS or NTP with the victim's IP spoofed as the source. The service replies to the fake address, flooding the target without exposing the attacker. When the response is significantly larger than the request, you get amplification.
Volumetric floods at Layers 3 and 4 saturate bandwidth or exhaust connection tables. SYN floods exploit TCP's three-way handshake by opening thousands of connections and never completing them. The server allocates state for every half-open connection until the listen backlog fills and new handshakes, legitimate ones included, are dropped. UDP floods and fragmented packet attacks work similarly, overwhelming routers, firewalls, and load balancers with raw throughput.
At the application layer, attackers shift from brute force to precision. HTTP floods target resource-heavy endpoints with randomized headers and rotating user agents to evade caching. Slowloris holds connections open by sending headers in tiny increments, starving the server of available slots for legitimate users.
Modern campaigns blend these techniques. An attack might start with a UDP flood, switch to TLS handshake abuse, then pivot to HTTP/2 requests once defenses adjust. Some operate in short bursts spaced by irregular intervals to avoid detection. Others persist at subthreshold levels, degrading performance without triggering alarms.
DDoS is often treated as a standalone nuisance. In reality, it's frequently part of a larger operation. While defenders scramble to restore uptime, attackers probe VPN gateways, cloud management interfaces, or identity providers. The shift in attention creates blind spots.
In hybrid environments, sustained pressure can force teams to relax WAF rules or expose bypass endpoints to preserve service continuity. Attackers monitor these adjustments in real time and pivot to lateral movement using compromised sessions or overprivileged tokens.
DDoS can also weaken defenses indirectly. Volumetric attacks may cause rate-limiting services or authentication APIs to fail open. Load balancers saturated beyond capacity sometimes trigger fallback behaviors that expose administrative interfaces or bypass geofencing. Attackers exploit these moments to escalate privileges or exfiltrate credentials undetected.
Following initial compromise, DDoS becomes a coercive tool. Ransom DDoS groups threaten sustained outages unless paid. Others use it in retaliation for detection, targeting SOC platforms or ticketing systems to impair incident response. When malware is already in place, a timed DDoS event can coincide with destructive payloads — wipers or ransomware operators flood VPN endpoints to delay forensic analysis and isolate recovery teams from cloud consoles.
Modern DDoS attacks aren't just theoretical. In January 2024, at least seven banks in Denmark, including the central bank, suffered coordinated attacks that overloaded websites and online banking platforms for hours. The hacktivist group NoName057(16) rotated targets daily and adjusted payloads to evade static defenses. While no data was stolen, the campaign disrupted interbank clearing and temporarily degraded public confidence.
Separately, Google Cloud reported mitigating an attack that peaked at 398 million requests per second, and Amazon and Cloudflare faced similar incidents. These attacks exploited HTTP/2's stream multiplexing: the client opened streams and immediately cancelled them with RST_STREAM frames, so the server kept doing the work of parsing and dispatching each request while the client never waited for a response and never counted against the concurrent-stream limit. The technique became known as HTTP/2 Rapid Reset (CVE-2023-44487). Unlike volumetric floods, this vector required fewer bots and less traffic volume to overwhelm application-layer infrastructure, and services that could not inspect and limit stream resets at Layer 7 remained exposed until patches shipped.
In March 2024, regional hospital networks in Illinois and Michigan faced attacks during peak appointment hours. Telehealth and electronic health record platforms went down for up to 90 minutes, forcing manual switches to backup communication lines. The attacks were traced to paid API keys from illicit marketplaces selling access to residential proxy networks.
According to NETSCOUT's Threat Intelligence Report, there were 7.9 million DDoS attacks globally in 2023, a 13% year-over-year increase. Two-thirds lasted under 15 minutes — short bursts designed to test defenses or degrade uptime without detection. Attackers increasingly target DNS, authentication, and API gateways, components whose failure causes service-wide ripple effects.
DDoS detection depends on identifying velocity, volume, and entropy changes across your stack. The key is deviation from baseline: rate, sequence, distribution, and protocol fidelity.
Network-layer indicators often show up as sudden traffic spikes with no corresponding increase in legitimate user behavior. You might see sustained TCP SYN floods without ACK completions, unsolicited UDP traffic from high-port ranges, ICMP floods from spoofed addresses, or DNS query floods targeting randomized subdomains.
Application-layer indicators appear in web server logs and WAF dashboards: a high request rate against a single endpoint, particularly one that triggers expensive backend operations; header spoofing with invalid or randomized user-agent strings; repeated POSTs with no variation in payload; and unusually high concurrency from single IPs, or from rotating address blocks that nonetheless share the same session behavior.
Protocol abuse shows up as burst traffic from known open resolvers, extreme request-to-response byte ratios, or repeated RST_STREAM frames in HTTP/2 environments.
Modern attacks blend volume with behavior-aware tactics. Even low-volume probes can precede full-scale events. Watch for traffic bursts following login flows that fail at token exchange, deliberate header variance that defeats caching, or API calls without authorization tokens at nonstandard times.
Effective detection requires layered telemetry. Monitor reverse proxies for request patterns and endpoint concentration. Track DNS query-per-second spikes and geographic anomalies. Watch load balancers for connection pool exhaustion. Correlate spikes in requests, error codes, dropped packets, and service latency across your XDR or SIEM platform.
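The indicators above can be computed from the telemetry most teams already have. The following is an added example, not code from the original article: it parses combined-format access log lines, buckets them into one-second windows, and flags two of the deviations described above, a per-endpoint burst well above baseline and a single source whose User-Agent entropy shows it is rotating agents to evade caching. It also scores a snapshot of a TCP connection table for the half-open ratio that characterizes a SYN flood. The log lines, thresholds and the connection-table snapshot are constructed for the example; tune the baseline numbers to your own traffic.

```python
import math
import re
from collections import Counter, defaultdict

# Combined log format: <ip> - - [<time>] "<method> <path> <proto>" <status> <bytes> "<referer>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string: /api/search?q=1 -> /api/search
    rec["second"] = rec["ts"][:20]               # "12/Mar/2024:10:00:05" -> one-second bucket
    return rec

def shannon_entropy(values):
    """Entropy in bits of the value distribution: 0 for one repeated value, log2(n) for n distinct values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def analyze(log_text, baseline_rps=3.0, burst_factor=5.0, max_rps_per_ip=20, ua_entropy_bits=3.0):
    """Return findings that deviate from baseline: endpoints receiving more than
    burst_factor times their baseline rate in a second, and single sources that exceed
    max_rps_per_ip (tagged as user-agent rotation when their UA entropy is high)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_endpoint = Counter((r["second"], r["path"]) for r in records)
    per_ip = defaultdict(list)
    for r in records:
        per_ip[(r["second"], r["ip"])].append(r["ua"])
    findings = []
    for (second, path), n in sorted(per_endpoint.items()):
        if n > baseline_rps * burst_factor:
            findings.append({"kind": "endpoint_burst", "second": second, "path": path, "count": n})
    for (second, ip), uas in sorted(per_ip.items()):
        if len(uas) > max_rps_per_ip:
            ent = shannon_entropy(uas)
            kind = "source_burst_ua_rotation" if ent >= ua_entropy_bits else "source_burst"
            findings.append({"kind": kind, "second": second, "ip": ip,
                             "count": len(uas), "ua_entropy": round(ent, 2)})
    return findings

def half_open_ratio(conn_states):
    """Share of tracked TCP connections stuck in SYN_RECV (half-open). A value near 1.0
    during a traffic spike is the signature of a SYN flood. conn_states: list of state strings."""
    if not conn_states:
        return 0.0
    return conn_states.count("SYN_RECV") / len(conn_states)

def _log_line(ip, second, method, path, ua):
    return (f'{ip} - - [12/Mar/2024:10:00:{second:02d} +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')

def build_sample_log():
    """Constructed sample traffic (not captured data): three seconds of normal browsing
    by three clients, then a one-second burst from one source that changes its
    User-Agent on every request."""
    lines = []
    for sec in range(3):
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            lines.append(_log_line(ip, sec, "GET", "/api/items", "Mozilla/5.0 (X11; Linux x86_64)"))
    for n in range(40):
        lines.append(_log_line("198.51.100.7", 5, "GET", f"/api/search?q={n}", f"agent-{n}/1.0"))
    return "\n".join(lines)

if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
    # Constructed connection-table snapshot: 190 half-open entries, 10 established.
    print("half-open ratio:", half_open_ratio(["SYN_RECV"] * 190 + ["ESTABLISHED"] * 10))
```

Two choices matter here. The query string is stripped before counting, so cache-busting parameters do not hide an endpoint burst, and user-agent variety is measured as entropy rather than matched against a blocklist, so the check still fires when the agents are all plausible-looking strings. Run the same functions over your own logs with the baseline set from a quiet period.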
Prevention requires more than volumetric filtering or traffic offloading. A meaningful defense anticipates how adversaries exploit architecture, tooling, and operational gaps.
Start with architectural hardening. Avoid deploying stateful services behind public endpoints without caching or request validation. Place reverse proxies or API gateways in front of origin applications to enforce schema checks, concurrency limits, and header normalization. Use autoscaling with upper thresholds to prevent cost exhaustion. Introduce buffering or asynchronous queues to decouple response time from request rate.
At the network layer, block reflection vectors. Make sure DNS resolvers, NTP, SSDP, and Memcached do not answer unsolicited queries from the public internet: close open resolvers, disable NTP monlist, and bind Memcached to localhost. Apply ingress filtering (BCP 38) so packets whose source address could not legitimately originate from the network they arrive on are dropped, and enforce strict packet inspection on edge firewalls. Drop traffic with malformed TCP flag combinations or excessive fragmentation.
Rate limiting remains essential, but not in isolation. Apply token bucket algorithms with endpoint-aware policies, so that an expensive code path costs more tokens than a cached one. Tune thresholds based on behavioral baselines. Keep separate rate policies for authenticated versus anonymous users. Enable HTTP/2 mitigation options that cap the rate of stream resets per connection.
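To make the rate-limiting advice concrete, here is an added example (not code from the original article or from any vendor product) of a token bucket limiter with the three properties just described: per-endpoint costs, separate policies for anonymous clients keyed by IP and authenticated clients keyed by subject, and a per-connection budget for HTTP/2 RST_STREAM frames of the shape used to blunt Rapid Reset. All rates, capacities, endpoint costs and the scenario in `simulate` are assumed values chosen for illustration.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill up to `capacity`.
    A request costs `cost` tokens and is allowed only if the bucket can pay for it."""
    def __init__(self, rate, capacity, now):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now, cost=1.0):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

# Endpoint-aware costs (assumed values): expensive code paths pay more per request.
# Exact-path lookup for the example; a real gateway would match on route or prefix.
ENDPOINT_COST = {"/static": 0.2, "/api/items": 1.0, "/api/search": 5.0, "/login": 10.0}
DEFAULT_COST = 1.0

# Separate policies (assumed values): anonymous clients share a small bucket per IP,
# authenticated clients get a larger bucket per subject. No role is exempt.
POLICIES = {
    "anonymous": {"rate": 5.0, "capacity": 20.0},
    "authenticated": {"rate": 50.0, "capacity": 200.0},
}

class RateLimiter:
    def __init__(self):
        self.buckets = {}

    def check(self, ip, path, now, user=None):
        """Return (allowed, bucket_key). Keyed per user when authenticated, per IP otherwise.
        An elevated role does not bypass the limit; it only selects the authenticated policy."""
        tier = "authenticated" if user else "anonymous"
        key = (tier, user or ip)
        bucket = self.buckets.get(key)
        if bucket is None:
            policy = POLICIES[tier]
            bucket = self.buckets[key] = TokenBucket(policy["rate"], policy["capacity"], now)
        cost = ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)
        return bucket.allow(now, cost), key

class ResetBudget:
    """Per-connection budget of RST_STREAM frames. A client that cancels more than
    `max_resets` streams inside `window` seconds gets its connection closed, which is
    the shape of the server-side mitigation for HTTP/2 Rapid Reset (numbers assumed)."""
    def __init__(self, max_resets=100, window=1.0):
        self.max_resets = max_resets
        self.window = window
        self.resets = {}   # connection id -> timestamps of recent resets

    def on_rst_stream(self, conn_id, now):
        """Record one RST_STREAM; return True if the connection should be closed."""
        stamps = [t for t in self.resets.get(conn_id, []) if now - t < self.window]
        stamps.append(now)
        self.resets[conn_id] = stamps
        return len(stamps) > self.max_resets

def simulate(now=0.0):
    """Constructed scenario: an anonymous scraper and a logged-in user each fire 20 search
    requests in the same instant, and one HTTP/2 client cancels streams as fast as it opens them.
    Returns (anonymous requests allowed, authenticated requests allowed, reset index that closed the connection)."""
    limiter = RateLimiter()
    anon_allowed = sum(limiter.check("198.51.100.7", f"/api/search?q={i}", now)[0] for i in range(20))
    auth_allowed = sum(limiter.check("203.0.113.10", f"/api/search?q={i}", now, user="alice")[0]
                       for i in range(20))
    budget = ResetBudget(max_resets=100, window=1.0)
    closed_at = next((i for i in range(1000) if budget.on_rst_stream("conn-1", now + i * 0.0005)), None)
    return anon_allowed, auth_allowed, closed_at

if __name__ == "__main__":
    print(simulate())
```

The anonymous bucket holds 20 tokens and each search costs 5, so the scraper gets four requests through before it is throttled, while the authenticated user's 200-token bucket absorbs all 20. The reset budget closes the connection on the 101st cancel within the window, long before the server has done a second's worth of wasted work.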
Deploy scrubber services capable of inline or rerouted mitigation with automatic failover. When using CDN or WAF vendors, confirm coverage includes all layers and doesn't rely on signature matching alone.
Segment environments based on trust and criticality. Avoid placing control interfaces or telemetry collection on public IPs. Require just-in-time access for administrative sessions with enforced MFA. Don't allow elevated identity roles to bypass rate limits.
Run tabletop exercises focused on service degradation. Provide operational staff with dashboards showing request anomalies, cache hit ratios, and backend saturation. Train teams to interpret high request-per-second events alongside business context.
Several approaches give a false sense of protection. Blacklisting IPs fails because attackers rotate sources through proxy networks with an effectively unlimited supply of addresses. Auto-scaling without rate enforcement turns a traffic flood into a billing flood. WAFs with default policies miss behavioral attacks or produce false positives. Relying solely on traffic volume metrics misses attacks that target expensive code paths with precision.
DDoS response must happen in parallel across operational, technical, and communication layers. Delays or siloed reactions worsen impact.
Initiate mitigation using predefined playbooks tailored to the attack type. Route traffic through a cloud-based scrubbing provider or activate on-premises mitigation appliances. Trigger CDN or WAF rate-limiting policies at the edge. For application-layer attacks, isolate dynamic endpoints from static content and reduce concurrency limits.
Don't disable security controls to preserve performance. Attackers escalate payloads after observing relaxed defenses. In elastic environments, cap auto-scaling to prevent cost exhaustion.
Engage security operations to correlate with ongoing intrusion attempts. Bring in application engineering to identify high-cost endpoints and recommend defensive code changes. Have site reliability teams manage routing changes and controlled failover. Document all mitigation actions in real time and preserve packet captures, server metrics, and application logs.
Recovery starts when controls are back to baseline and telemetry is fully restored. Resume service in phases, validating session state and backend availability before reintroducing full public access.
Conduct a postmortem within 72 hours. Focus on control gaps, visibility breakdowns, response speed, and customer impact. Extract signatures or behavioral patterns to update detection logic, rate thresholds, and scrubber profiles.
Update service diagrams to reflect actual attack paths and mitigation efficacy. Tune playbooks for specific vectors. Integrate synthetic testing to benchmark readiness across regions and endpoints. Validate vendor SLAs and confirm security partners can scale to current throughput levels.
DDoS resilience isn't a product of any one control. It's a reflection of system design, operational discipline, and the ability to prioritize signal over throughput under pressure.