DDoS Attacks Explained: How They Work and How to Defend
DDoS attacks remain one of the most common and destructive forms of cyberattack. Whether you run a personal blog or manage enterprise infrastructure, understanding how these attacks work and how to defend against them is essential. This guide covers DDoS attack mechanics, real-world incidents, and practical defense strategies from an IP perspective.
What Is a DDoS Attack?
A DoS (Denial of Service) attack originates from a single source that floods a target server with excessive requests until it can no longer respond. A DDoS (Distributed Denial of Service) attack takes this further — thousands or even millions of distributed systems attack simultaneously. Because the traffic comes from many different IP addresses, simply blocking one source is ineffective.
Three Types of DDoS Attacks
Volumetric Attacks
These overwhelm the target’s network bandwidth. UDP Flood sends massive volumes of UDP packets indiscriminately, while DNS Amplification exploits open DNS resolvers by sending small queries with a spoofed source IP, causing responses up to 70 times larger to flood the victim. The amplification factor makes these attacks devastatingly efficient.
Protocol Attacks
These exhaust server connection resources. SYN Flood repeatedly sends the initial SYN packet of the TCP three-way handshake without completing it, forcing the server to maintain thousands of half-open connections until its resources are depleted. Ping of Death sends malformed oversized ICMP packets designed to crash the target system.
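A defender's first check for the half-open state a SYN flood leaves behind, as an added example that is not from the original article: it parses a snapshot in the layout of `ss -tan` and compares SYN-RECV entries against established connections on one port. The sample lines and the thresholds are constructed assumptions.

```python
# Constructed snapshot in the layout of `ss -tan` (State, Recv-Q, Send-Q,
# Local Address:Port, Peer Address:Port); not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:443       203.0.113.7:51234
ESTAB    0      0      10.0.0.5:443       203.0.113.9:40112
SYN-RECV 0      0      10.0.0.5:443       198.51.100.2:4021
SYN-RECV 0      0      10.0.0.5:443       198.51.100.77:1029
SYN-RECV 0      0      10.0.0.5:443       192.0.2.14:60001
SYN-RECV 0      0      10.0.0.5:443       192.0.2.200:2222
SYN-RECV 0      0      10.0.0.5:443       198.51.100.130:5555
SYN-RECV 0      0      10.0.0.5:443       192.0.2.33:7070
"""


def parse_connections(text):
    """Return (state, local, peer_ip) tuples; skips the header and odd lines."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        rows.append((state, local, peer.rsplit(":", 1)[0]))
    return rows


def syn_flood_indicators(rows, port=443, min_half_open=5, max_ratio=0.5):
    """Compare half-open (SYN-RECV) to established connections on one port.

    A flood shows up as many half-open entries from many distinct peers that
    never complete the handshake, because the SYN sources are spoofed.
    The thresholds are assumed starting points, not tuned values."""
    on_port = [r for r in rows if r[1].endswith(f":{port}")]
    half_open = [r for r in on_port if r[0] == "SYN-RECV"]
    established = [r for r in on_port if r[0] == "ESTAB"]
    total = len(half_open) + len(established)
    ratio = len(half_open) / total if total else 0.0
    return {
        "half_open": len(half_open),
        "established": len(established),
        "half_open_ratio": round(ratio, 2),
        "distinct_half_open_peers": len({r[2] for r in half_open}),
        "suspicious": len(half_open) >= min_half_open and ratio > max_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_indicators(parse_connections(SAMPLE_SS_OUTPUT)))
```

A sustained high half-open count is the condition that kernel SYN cookies (on Linux, `net.ipv4.tcp_syncookies`) exist to absorb, so this check is also a useful sanity test that the mitigation is in effect.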
Application Layer Attacks
These are the hardest to detect. HTTP Flood sends large volumes of seemingly legitimate HTTP requests that overwhelm the web server’s processing capacity. Slowloris deliberately keeps HTTP connections open by sending partial requests very slowly, exhausting the server’s concurrent connection limit. Because these requests mimic normal user behavior, simple threshold-based detection often fails.
The Role of Botnets
The core infrastructure behind DDoS attacks is the botnet — a network of compromised devices under an attacker’s remote control. These include malware-infected PCs (“zombies”) and IoT devices such as IP cameras, routers, and smart appliances. The 2016 Mirai botnet commandeered roughly 600,000 vulnerable IoT devices to launch massive attacks. IoT devices are prime targets because users rarely change default credentials.
Notable DDoS Incidents
| Incident | Year | Scale | Details |
|---|---|---|---|
| GitHub | 2018 | 1.35 Tbps | Memcached amplification; largest recorded at the time |
| Dyn DNS | 2016 | ~1.2 Tbps | Mirai botnet; disrupted Twitter, Netflix, Reddit, and more |
| AWS | 2020 | 2.3 Tbps | CLDAP reflection attack; mitigated by AWS Shield |
The GitHub attack exploited misconfigured Memcached servers for amplification. Traffic peaked at 1.35 Tbps within minutes, but CDN-based mitigation brought it under control in roughly 10 minutes — a testament to the value of proper DDoS protection infrastructure.
Proven Defense Strategies
CDN and WAF Services
Services like Cloudflare, AWS Shield, and Akamai filter malicious traffic at globally distributed edge servers before it ever reaches your origin. This is the most effective first line of defense, capable of absorbing even terabit-scale attacks.
Rate Limiting
Automatically throttle IPs that send abnormally high volumes of requests:
```nginx
# In the http {} block: one shared-memory zone ("ddos", 10 MB of state)
# keyed by client address, allowing a sustained 30 requests per second.
limit_req_zone $binary_remote_addr zone=ddos:10m rate=30r/s;

# In the server {} block: up to 50 requests over that rate are served
# immediately (nodelay); anything beyond the burst is rejected with 503.
location / {
    limit_req zone=ddos burst=50 nodelay;
}
```
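To make the `rate`, `burst` and `nodelay` parameters concrete, here is an added model of the per-client leaky-bucket accounting that `limit_req` performs (example code written for this article, not nginx's own implementation). The client addresses and request timings are constructed.

```python
from collections import Counter


class LimitReq:
    """Per-client leaky bucket with the semantics of nginx limit_req.

    `rate` is the sustained allowance (30 for 30r/s), `burst` how many
    requests may exceed it before nginx answers 503, `nodelay` whether the
    excess is served immediately (True) or paced out at `rate` (False)."""

    def __init__(self, rate, burst, nodelay=True):
        self.rate, self.burst, self.nodelay = float(rate), burst, nodelay
        self.excess = {}   # client -> current bucket level (excess requests)
        self.last = {}     # client -> timestamp of the last accounted request

    def check(self, client, now):
        """Return ('accept', 0.0), ('delay', seconds) or ('reject', 0.0)."""
        if client not in self.last:
            self.excess[client], self.last[client] = 0.0, now
            return "accept", 0.0
        # The bucket drains at `rate` per second since the last request and
        # this request adds one unit; it never goes below empty.
        elapsed = now - self.last[client]
        level = max(self.excess[client] - self.rate * elapsed + 1, 0.0)
        if level > self.burst:
            return "reject", 0.0   # over burst: 503, client state unchanged
        self.excess[client], self.last[client] = level, now
        if level > 0 and not self.nodelay:
            return "delay", level / self.rate   # paced so the client sees `rate`
        return "accept", 0.0


def simulate(limiter, client, timestamps):
    """Feed a timestamp sequence through the limiter; count the verdicts."""
    return Counter(limiter.check(client, t)[0] for t in timestamps)


if __name__ == "__main__":
    # Constructed traffic: 60 requests in the same instant, like a flood burst.
    print(simulate(LimitReq(30, 50), "198.51.100.9", [0.0] * 60))
    # A client at a steady 20 r/s never fills the bucket.
    print(simulate(LimitReq(30, 50), "203.0.113.4", [i * 0.05 for i in range(100)]))
```

The first simulation shows why `burst=50` matters: the first request plus 50 excess requests get through and the remaining 9 are rejected, while a client that stays under 30 r/s is never touched.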
IP Blacklists and Allow Lists
Leverage threat intelligence feeds to proactively block known malicious IPs, and maintain allow lists for trusted sources. Regularly check your own IP’s reputation using a blacklist checker to ensure you haven’t been flagged.
Anycast Networks
Anycast assigns a single IP address to servers in multiple geographic locations. Attack traffic is automatically distributed across nodes, so even if one point of presence is overwhelmed, others continue serving legitimate users without interruption.
DDoS from an IP Perspective
One of the toughest challenges in DDoS defense is tracing attacker IPs. Attackers use IP spoofing to forge the source address in each packet. This is especially easy in UDP-based attacks, which lack TCP’s handshake verification. When traffic appears to come from hundreds of thousands of different forged IPs, pinpointing the actual source is nearly impossible.
This is why fundamental measures like BCP38 ingress filtering at the ISP level matter so much. Network operators that enforce source IP validation prevent spoofed packets from ever leaving their network. IP reputation databases also help by flagging addresses with known malicious history.
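The BCP38 check itself, as an added example that is not part of the original article: an edge router forwards a packet from a customer-facing interface only if its source address falls inside a prefix assigned to that interface, which is what stops forged sources from leaving the network. The interface names, prefixes and packets are constructed.

```python
import ipaddress

# Constructed table: prefixes assigned to each customer-facing interface of
# an edge router. Only these may appear as source addresses on that port.
ASSIGNED_PREFIXES = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# Constructed packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.10", "192.0.2.53"),      # genuine customer traffic
    ("cust-a", "192.0.2.1", "192.0.2.53"),         # source forged to a third party
    ("cust-b", "2001:db8:b::1", "2001:db8:1::1"),  # genuine IPv6 traffic
    ("cust-b", "198.51.100.200", "192.0.2.53"),    # outside the /25 actually assigned
    ("uplink", "203.0.113.10", "192.0.2.53"),      # transit port, not a customer port
]


def build_filter(assignments):
    """Parse the prefix strings once into network objects per interface."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()}


def source_is_valid(filter_table, iface, src):
    """BCP38 check: the source must fall inside a prefix assigned to iface.

    Interfaces with no assignment (transit uplinks) carry everyone's traffic
    and are not subject to this customer-edge check."""
    nets = filter_table.get(iface)
    if nets is None:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)   # version mismatch is simply False


def apply_ingress_filter(filter_table, packets):
    """Split packets into those forwarded and those dropped at the edge."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if source_is_valid(filter_table, iface, src) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(build_filter(ASSIGNED_PREFIXES), SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

Linux hosts and routers apply a related per-interface check with strict reverse-path filtering (`net.ipv4.conf.<iface>.rp_filter=1`), which drops packets whose source would not be routed back out the interface they arrived on.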
Wrapping Up
DDoS attacks continue to grow in both scale and sophistication. No single defense is sufficient — a layered approach combining CDN protection, WAF rules, rate limiting, and IP filtering is essential. For a broader introduction to network security fundamentals, read our network security basics guide.
Want to check if your IP has been blacklisted? Use our blacklist checker — it’s a quick first step in IP-based security hygiene.