DDoS
Distributed Denial of Service — overloading a target using traffic from many sources at once.
Botnet
A network of malware-infected devices controlled remotely to launch coordinated attacks.
Amplification
Abusing protocols that return far larger responses than the requests that trigger them; with the victim's address spoofed as the source, each small request from the attacker lands as a large reply at the target.
Rate Limiting
Throttling the number of requests a source can make, a key DDoS mitigation technique.

How a DDoS attack works

Every server has finite capacity: a bounded number of simultaneous connections, a bounded amount of CPU and memory, and a bounded upstream link. A DDoS attack exploits this by sending far more traffic than the server can process, exhausting one of those resources until it starts dropping or refusing legitimate connections. The result ranges from severe slowdown to complete unavailability: the site goes down.

What distinguishes a DDoS from a simple DoS (Denial of Service) attack is scale. A single attacker's machine usually cannot generate enough traffic on its own to overwhelm a modern server (amplification, covered below, is the main exception). Attackers solve this by controlling a botnet, a network of thousands of compromised devices (computers, IoT cameras, routers) that flood the target simultaneously. Because the traffic comes from many real, geographically scattered addresses, it cannot be stopped by blocking a single source and is hard to separate from legitimate users.

1.35 Tbps
GitHub attack (2018) — one of the largest DDoS attacks ever recorded, using Memcached amplification.
$218K/hr
Average business cost of downtime caused by a DDoS attack, excluding reputational damage.
15.4M
DDoS attacks recorded globally in 2023, with gaming, financial services, and telecoms most targeted.

Three types of DDoS attacks

DDoS attacks are classified by which layer of the network stack they target. Each type requires different defensive measures:

  1. Volumetric attacks — Flood the network pipe with raw traffic (UDP floods, ICMP floods, DNS/NTP/Memcached amplification). The goal is to saturate the target's upstream bandwidth so legitimate packets are dropped before they reach it. Measured in bits per second (Gbps/Tbps).
  2. Protocol attacks — Exploit weaknesses in Layers 3 and 4 (network/transport). A SYN flood, for example, sends a stream of TCP SYN packets, usually from spoofed source addresses, and never completes the handshake; the server holds a half-open entry for each one until its connection backlog is exhausted. Measured in packets per second.
  3. Application-layer attacks (Layer 7) — The most sophisticated type. Attackers send seemingly legitimate HTTP requests (e.g., search or report endpoints that trigger complex database queries, large file uploads) that are cheap to send but expensive for the server to process. Measured in requests per second, and the hardest to distinguish from real traffic, because each request completes a real TCP handshake and is well-formed.

How botnets enable DDoS at scale

A botnet is built by infecting internet-connected devices with malware. The infected devices (called "bots" or "zombies") connect back to a command-and-control (C2) server operated by the attacker. When the attacker issues a command, all bots simultaneously begin flooding the target.

Modern botnets are rented services. Criminals build large botnets and sell access on underground forums as "DDoS-for-hire" (also called "stresser" or "booter" services). A one-hour DDoS attack against a small site can cost less than $10, dramatically lowering the barrier for less sophisticated attackers.

Amplification in action: In a Memcached amplification attack, the attacker sends a 15-byte UDP request to a misconfigured Memcached server (one with its UDP port enabled and reachable from the internet), with the victim's IP address spoofed as the source. The server sends its reply, up to about 750 KB, to the victim instead of the attacker. That is an amplification factor of roughly 51,000x, so a modest attacker uplink becomes hundreds of gigabits or more at the target. The 2018 GitHub attack used exactly this technique.
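The arithmetic above falls out of Memcached's UDP framing: every datagram carries an 8-byte header (request ID, sequence number, datagram count, reserved), so a 7-byte command line such as `get k` plus CRLF makes exactly 15 bytes, while the reply to a large planted value is chunked into many full-size datagrams. The code below is an added example, not memcached's own code or anything from the original page: the "server" side is a simulation of what an exposed instance returns, the 1400-byte per-datagram payload is an assumed value, and nothing is sent on the wire.

```python
"""Memcached UDP framing, reconstructed to show where the 15-byte request and
the amplification factor come from. All datagrams are constructed in memory."""
import math
import struct

# 8-byte UDP frame header: request id, sequence number, datagram count, reserved (must be 0)
FRAME = struct.Struct("!HHHH")
MAX_PAYLOAD = 1400  # assumed bytes of payload per datagram; real servers are MTU-bound similarly


def build_request(command: bytes, request_id: int = 0x1234) -> bytes:
    """One request datagram: frame header followed by the ASCII command line."""
    return FRAME.pack(request_id, 0, 1, 0) + command + b"\r\n"


def split_response(payload: bytes, request_id: int, max_payload: int = MAX_PAYLOAD):
    """Simulate an exposed server chunking a large reply into numbered datagrams."""
    total = max(1, math.ceil(len(payload) / max_payload))
    return [FRAME.pack(request_id, seq, total, 0)
            + payload[seq * max_payload:(seq + 1) * max_payload]
            for seq in range(total)]


def parse_datagram(datagram: bytes):
    """Split a datagram into (request_id, seq, total, payload), validating the header."""
    if len(datagram) < FRAME.size:
        raise ValueError("datagram shorter than memcached frame header")
    request_id, seq, total, reserved = FRAME.unpack_from(datagram)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return request_id, seq, total, datagram[FRAME.size:]


def reassemble(datagrams):
    """Reorder by sequence number and join; raise if any piece is missing or mixed in."""
    pieces, expected, rid = {}, None, None
    for dg in datagrams:
        request_id, seq, total, payload = parse_datagram(dg)
        if rid is None:
            rid, expected = request_id, total
        elif request_id != rid or total != expected:
            raise ValueError("datagrams from different responses mixed together")
        pieces[seq] = payload
    if len(pieces) != expected:
        raise ValueError(f"missing {expected - len(pieces)} datagram(s)")
    return b"".join(pieces[i] for i in range(expected))


def amplification_factor(request: bytes, datagrams) -> float:
    """Bytes delivered to the spoofed source per byte the attacker had to send."""
    return sum(len(d) for d in datagrams) / len(request)


def simulate_reflection(value_size: int):
    """Attacker plants a value_size-byte value, then fetches it with a spoofed source.
    Returns the request datagram and the reply datagrams the victim would receive."""
    request = build_request(b"get k")
    reply = b"VALUE k 0 %d\r\n" % value_size + b"A" * value_size + b"\r\nEND\r\n"
    return request, split_response(reply, 0x1234)


if __name__ == "__main__":
    req, dgs = simulate_reflection(1_000_000)
    print(f"{len(req)}-byte request -> {len(dgs)} datagrams, {sum(map(len, dgs))} bytes, "
          f"factor {amplification_factor(req, dgs):.0f}x")
```

The defensive check is the mirror image: the only reason a cache server should ever answer a UDP `get` from an arbitrary address is that someone left the UDP listener on. Recent memcached releases ship with UDP disabled; on older builds start it with `-U 0` (or bind it to a non-routable interface) so that no reflection is possible regardless of what is cached.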

Real-world DDoS attacks

DDoS is not a theoretical threat — major organisations are targeted regularly:

  • GitHub (2018): 1.35 Tbps peak — the largest volumetric attack publicly reported at the time. GitHub's DDoS mitigation provider (Akamai Prolexic) rerouted traffic through its scrubbing centres and the attack was neutralised within about 10 minutes.
  • Dyn DNS (2016): The Mirai botnet — built from hundreds of thousands of compromised IoT devices — took down major DNS infrastructure, making sites like Twitter, Netflix, and Reddit inaccessible for hours across the US East Coast.
  • Google (disclosed 2020): A 2.54 Tbps UDP amplification attack against Google infrastructure, which actually took place in September 2017 and was made public in October 2020, was the largest publicly disclosed at the time and was mitigated without service disruption.

How to defend against DDoS attacks

No single control stops DDoS completely, but layered defences dramatically reduce impact:

  • Cloud-based DDoS scrubbing: Services like Cloudflare, Akamai, and AWS Shield absorb attack traffic before it reaches your infrastructure, filtering malicious requests at the network edge.
  • Rate limiting and traffic shaping: Throttle requests per source IP or per session, limit expensive request types more tightly than cheap ones, and drop traffic from known botnet ranges. This works best at Layer 7, where a completed TCP handshake ties each request to a real source; against spoofed UDP or SYN floods the source address cannot be trusted, so throttling there belongs at the upstream scrubbing layer or relies on mechanisms such as SYN cookies.
  • Anycast diffusion: Spreading a single service across many geographically distributed nodes means attack traffic is diluted across the network rather than concentrated on one point.
  • Upstream black-holing: In severe attacks, ISPs can "null-route" traffic destined for the victim's IP, sacrificing availability for the targeted address but protecting surrounding infrastructure.
  • Overprovisioning bandwidth: Having more bandwidth than an attacker can generate buys time and limits the effectiveness of volumetric attacks, but it is not a defence on its own: terabit-scale attacks exceed what most organisations can provision, which is why the scrubbing and anycast layers above matter.
Master network attack and defence in CEH v13

CEH v13 covers DoS/DDoS attack methodologies, countermeasures, and hands-on lab exercises in 20 comprehensive modules.
