What Is a DDoS Attack? Types, Examples & How to Stop It

A distributed denial-of-service (DDoS) attack overwhelms a website or network with junk traffic so legitimate users can't get through. Here's how DDoS attacks work and how to stop them.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

A distributed denial-of-service (DDoS) attack is an attempt to take a website, application, or network offline by flooding it with more traffic or requests than it can handle. Because the flood comes from many machines at once — often thousands or millions of compromised devices — it's far harder to block than an attack from a single source. The goal isn't to steal data; it's to deny availability, one of the three pillars of the classic CIA triad (confidentiality, integrity, availability).

In short: a DDoS attack is a traffic-based siege. The attacker doesn't break in — they jam the front door so no one else can get through.

DDoS vs DoS: what's the difference?

A plain denial-of-service (DoS) attack comes from a single source — one computer, one connection. It's easy to defend against because you can simply block that one address. A distributed denial-of-service attack uses many sources simultaneously, which is what makes it dangerous:

  • Scale: Traffic from thousands of machines can generate volumes measured in terabits per second — enough to saturate even large networks.
  • Resilience: Blocking one address does nothing when the attack comes from hundreds of thousands of others.
  • Attribution: The real attacker hides behind a sea of compromised devices, making it hard to identify who is responsible.

The "distributed" infrastructure behind most large attacks is a botnet — a network of devices infected with malware and remotely controlled. Increasingly, botnets are built from poorly secured Internet of Things (IoT) devices like cameras and routers, which ship with default passwords and rarely get patched.

How a DDoS attack works

Most DDoS campaigns follow a similar pattern:

  1. Build the army. The attacker compromises devices at scale, enrolling them into a botnet under a command-and-control infrastructure.
  2. Choose a target and method. The attacker picks a victim and the type of flood most likely to exhaust its resources.
  3. Launch the flood. On command, every bot sends traffic to the target simultaneously. The target's bandwidth, connection table, or application logic is overwhelmed.
  4. Sustain or extort. The attack may continue for minutes, hours, or days. Many modern attacks are paired with a ransom demand — pay up, or the flood continues.

A particularly potent variant is the amplification (or reflection) attack. The attacker sends small requests to misconfigured public servers — DNS, NTP, or memcached, for example — but spoofs the source address so the much larger responses are sent to the victim. A few gigabits of attacker bandwidth can be amplified into hundreds of gigabits aimed at the target.

The three main types of DDoS attacks

DDoS attacks are usually grouped by which layer of the network stack they target.

1. Volumetric attacks

The most common category. The goal is simply to consume all available bandwidth between the target and the internet. Examples include UDP floods, ICMP floods, and DNS amplification. Volumetric attacks are measured in bits per second (bps) and can reach into the terabits.

2. Protocol attacks

These exhaust the resources of servers or intermediate equipment like firewalls and load balancers by abusing weaknesses in network protocols. The classic example is the SYN flood, which opens huge numbers of half-open TCP connections (handshakes that never complete) to fill the target's connection table. Protocol attacks are measured in packets per second (pps).
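
A defender's first sign of a SYN flood is a connection table full of half-open handshakes from many different peers. The script below is an added example (not code from this guide or any vendor) that parses an `ss -tan`-style snapshot and flags a listening port when the count of `SYN-RECV` entries and the number of distinct peers behind them both exceed thresholds; the snapshot, the thresholds, and the host addresses are constructed for illustration.

```python
import sys
from collections import defaultdict


def make_sample_snapshot():
    """Constructed `ss -tan`-style snapshot, not a capture from a real host:
    a few healthy sessions on :443, one retrying client on :22, and 200
    half-open handshakes on :443 from 200 distinct peer addresses."""
    rows = ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
            "LISTEN     0      128    0.0.0.0:443          0.0.0.0:*",
            "LISTEN     0      128    0.0.0.0:22           0.0.0.0:*"]
    for i in range(5):
        rows.append(f"ESTAB      0      0      10.0.0.5:443         203.0.113.{10 + i}:4000{i}")
    for i in range(3):
        rows.append(f"SYN-RECV   0      0      10.0.0.5:22          203.0.113.50:5100{i}")
    for i in range(200):
        rows.append(f"SYN-RECV   0      0      10.0.0.5:443         192.0.2.{i % 250 + 1}:{50000 + i}")
    return rows


def parse_row(row):
    """Return (state, local_port, peer_ip) for a socket row; skip header/LISTEN rows."""
    parts = row.split()
    if len(parts) < 5 or parts[0] in ("State", "LISTEN"):
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    local_port = local.rsplit(":", 1)[1]   # rsplit also copes with [::]:443
    peer_ip = peer.rsplit(":", 1)[0]
    return state, local_port, peer_ip


def half_open_report(rows, min_half_open=100, min_peers=50):
    """Per local port: half-open vs established counts, distinct SYN peers,
    and a flag when both the volume and the source spread look like a flood
    rather than one misbehaving client retrying."""
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        state, port, peer_ip = rec
        s = stats[port]
        if state == "SYN-RECV":
            s["half_open"] += 1
            s["peers"].add(peer_ip)
        elif state == "ESTAB":
            s["established"] += 1
    report = {}
    for port, s in stats.items():
        report[port] = {
            "half_open": s["half_open"],
            "established": s["established"],
            "distinct_syn_peers": len(s["peers"]),
            "flagged": s["half_open"] >= min_half_open and len(s["peers"]) >= min_peers,
        }
    return report


if __name__ == "__main__":
    # Pipe a live snapshot in (`ss -tan | python3 syn_report.py`) or run on the sample.
    rows = sys.stdin.read().splitlines() if not sys.stdin.isatty() else make_sample_snapshot()
    for port, s in sorted(half_open_report(rows).items()):
        print(port, s)
```

The distinct-peer count is what separates a flood from noise: the three stalled handshakes on port 22 come from a single address and stay unflagged, while port 443 shows hundreds of peers that never complete the handshake. In practice the thresholds should be set from a baseline of the host's normal backlog, and the check should run on a short interval so the trend is visible before the backlog fills.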

3. Application-layer attacks

The stealthiest and often hardest to detect. Instead of brute volume, these target specific application functions — for example, hammering a login page, a search endpoint, or a database-heavy URL with requests that look legitimate (an "HTTP flood"). Because each request resembles normal traffic, a relatively small number can exhaust server-side resources. These are measured in requests per second (rps).
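
Because an HTTP flood looks like ordinary requests, it is usually found in the web server's access log rather than at the packet level. The script below is an added example (not code from this guide or any product) that parses Combined Log Format lines, computes each source's peak requests per second, and reports which path is absorbing the traffic; the log lines, the addresses and the 10 rps threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)  # second resolution
    return rec


def make_sample_log():
    """Constructed sample, not real traffic: ten normal page views spread over
    ten seconds, then three sources each sending 60 POSTs to /login within
    two seconds (30 per second each)."""
    base = datetime(2023, 10, 10, 13, 55, 30, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
    lines = []
    normal = [("203.0.113.10", "/"), ("203.0.113.11", "/products"),
              ("203.0.113.12", "/about"), ("203.0.113.13", "/login"),
              ("203.0.113.14", "/search?q=shoes")]
    for i, (ip, path) in enumerate(normal):
        for j in range(2):
            ts = (base + timedelta(seconds=2 * i + j)).strftime(TS_FMT)
            lines.append(fmt.format(ip=ip, ts=ts, method="GET", path=path, status=200))
    for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
        for k in range(60):
            ts = (base + timedelta(seconds=10 + k // 30)).strftime(TS_FMT)
            lines.append(fmt.format(ip=ip, ts=ts, method="POST", path="/login", status=401))
    return lines


def analyze(lines, rps_threshold=10):
    """Flag sources whose peak requests-per-second reaches the threshold and
    report the path taking the largest share of all requests."""
    per_ip_sec = defaultdict(lambda: defaultdict(int))  # ip -> second -> requests
    per_path = defaultdict(int)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        per_ip_sec[rec["ip"]][rec["ts"]] += 1
        per_path[rec["path"]] += 1
    flagged = {}
    for ip, buckets in per_ip_sec.items():
        peak = max(buckets.values())
        if peak >= rps_threshold:
            flagged[ip] = {"peak_rps": peak, "requests": sum(buckets.values())}
    hot_path, hot_count = max(per_path.items(), key=lambda kv: kv[1]) if per_path else ("", 0)
    return {
        "total_requests": total,
        "flagged_sources": flagged,
        "hottest_path": hot_path,
        "hottest_path_share": round(hot_count / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    print(analyze(make_sample_log()))
```

Two signals are combined on purpose: per-source peak rate catches the individual bots, and the per-path share shows that one expensive endpoint (here the login handler) is the real target even though the total request count is modest. Against a large botnet each source may stay under any per-IP threshold, so the path-concentration figure, compared with a baseline of normal traffic mix, is often the earlier indicator.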

Why attackers launch DDoS attacks

Understanding motive helps with defense. Common reasons include:

  • Extortion. "Ransom DDoS" (RDoS) campaigns threaten or launch attacks until the victim pays.
  • Hacktivism. Politically or ideologically motivated threat actors use DDoS to silence websites they oppose.
  • Competition and sabotage. Knocking a rival's e-commerce site offline during peak sales causes direct revenue loss.
  • Distraction. A noisy DDoS can serve as a smokescreen while attackers carry out a quieter intrusion or data breach elsewhere.
  • State-sponsored disruption. Nation-state actors use DDoS as a low-cost tool to disrupt critical infrastructure and services.

How to defend against DDoS attacks

No single control stops every DDoS attack — effective defense is layered.

  • Use a dedicated DDoS mitigation service. Cloud-based scrubbing providers and content delivery networks (CDNs) absorb and filter attack traffic across globally distributed infrastructure before it reaches your origin.
  • Over-provision bandwidth and use load balancing. Headroom buys time; load balancers distribute traffic and prevent any single server from being overwhelmed.
  • Deploy rate limiting and a Web Application Firewall (WAF). A WAF is especially important for application-layer attacks, which volumetric defenses miss.
  • Harden your infrastructure. Close or restrict services that can be abused for amplification, and keep systems patched as part of vulnerability management.
  • Have a response plan. Know in advance who to call, how to engage your provider, and how to communicate during an attack. This is a core part of incident response.
  • Monitor continuously. Early detection of abnormal traffic patterns — often surfaced by a SIEM or network monitoring — lets you trigger mitigations before an attack peaks.
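
Rate limiting, listed above alongside a WAF, is the control that blunts application-layer floods. The code below is an added example (not from this guide or any product) of a per-client token-bucket limiter of the kind a reverse proxy or WAF applies: each client gets a burst allowance that refills at a steady rate, expensive endpoints charge more tokens per request, and idle buckets are pruned so that a flood from many distinct (possibly spoofed) sources cannot exhaust the limiter's own memory. The capacities, endpoint costs and simulated traffic are assumed values for illustration.

```python
import time


class TokenBucket:
    """One client's allowance: `capacity` tokens of burst, refilled at
    `refill_rate` tokens per second. Time is passed in explicitly so the
    logic is deterministic and testable."""

    def __init__(self, capacity, refill_rate, now):
        self.capacity = float(capacity)
        self.refill_rate = float(refill_rate)
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now, cost=1.0):
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """Per-client limiter keyed by source IP (or API key / session id).
    Heavier endpoints charge more than one token per request."""

    def __init__(self, capacity=20, refill_rate=5.0, clock=time.monotonic):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.clock = clock
        self.buckets = {}

    def check(self, client, cost=1.0, now=None):
        now = self.clock() if now is None else now
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_rate, now)
        return bucket.allow(now, cost)

    def prune(self, idle_seconds, now=None):
        """Drop buckets idle longer than idle_seconds. Without this, a flood
        from many sources grows the table without bound and the limiter
        itself becomes the resource that gets exhausted."""
        now = self.clock() if now is None else now
        stale = [c for c, b in self.buckets.items() if now - b.last > idle_seconds]
        for c in stale:
            del self.buckets[c]
        return len(stale)


ENDPOINT_COST = {"/login": 4.0}  # assumed per-request costs; tune per deployment


def simulate():
    """Constructed traffic, not a real capture. Returns (allowed, denied) per client."""
    lim = RateLimiter(capacity=20, refill_rate=5.0)
    tally = {}

    def send(client, path, now):
        ok = lim.check(client, ENDPOINT_COST.get(path, 1.0), now=now)
        a, d = tally.get(client, (0, 0))
        tally[client] = (a + ok, d + (not ok))

    for _ in range(50):              # client A: 50 hits to / at t=0 (burst of 20 passes)
        send("198.51.100.7", "/", 0.0)
    for _ in range(15):              # client A again at t=2 (10 tokens refilled)
        send("198.51.100.7", "/", 2.0)
    for _ in range(6):               # client B: 6 login attempts at t=0, 4 tokens each
        send("203.0.113.10", "/login", 0.0)
    send("203.0.113.11", "/", 0.0)   # client C: one normal request
    return tally


if __name__ == "__main__":
    for client, (allowed, denied) in simulate().items():
        print(f"{client}: allowed={allowed} denied={denied}")
```

Per-client limits are only one layer: a large botnet can keep every source under the threshold, so production deployments pair this with a global limit per endpoint and with the monitoring described above. Keying on source IP also needs care behind a CDN or load balancer, where the real client address arrives in a forwarded header that must be trusted only from the proxy itself.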

Where threat intelligence fits in

DDoS is increasingly an intelligence problem, not just a bandwidth problem. Threat intelligence helps defenders track active botnets, known attacker infrastructure, and ransom-DDoS campaigns targeting specific industries. Feeds of malicious IP addresses and emerging amplification vectors let you pre-emptively block known sources and tune mitigations. Knowing that a wave of attacks is hitting your sector this week — and which method they're using — turns a reactive scramble into a prepared defense.

The bottom line

A DDoS attack weaponizes scale: many machines, one target, the goal of denying availability rather than stealing data. The three families — volumetric, protocol, and application-layer — each demand different defenses, which is why layered mitigation (scrubbing services, WAFs, rate limiting, monitoring, and a tested response plan) is essential. Because attacker infrastructure and tactics shift constantly, staying informed matters: our live threat intelligence feed surfaces reporting on active DDoS campaigns, botnets, and emerging attack techniques from dozens of authoritative sources, updated continuously.

Frequently asked questions

What is a DDoS attack in simple terms?

A DDoS (distributed denial-of-service) attack floods a website or network with so much traffic from many different machines at once that legitimate users can no longer access it. The aim is to deny availability, not to steal data.

What is the difference between DoS and DDoS?

A DoS attack comes from a single source, so it can be blocked by filtering that one address. A DDoS attack comes from many sources simultaneously — usually a botnet of compromised devices — which makes it far harder to block and to attribute.

What are the three main types of DDoS attacks?

Volumetric attacks consume bandwidth (e.g. UDP floods, DNS amplification); protocol attacks exhaust server and firewall resources (e.g. SYN floods); and application-layer attacks target specific app functions with seemingly legitimate requests (e.g. HTTP floods).

How do you stop a DDoS attack?

Use layered defenses: a cloud DDoS mitigation or scrubbing service, a CDN, a Web Application Firewall, rate limiting, over-provisioned bandwidth and load balancing, continuous traffic monitoring, and a tested incident response plan. No single control stops every attack.

Are DDoS attacks illegal?

Yes. Launching a DDoS attack against systems you don't own or have permission to test is illegal in most jurisdictions and can carry serious criminal penalties, even when carried out using rented 'booter' or 'stresser' services.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: