defensiva
DDoS
DoS
SYN flood

What Is a DDoS Attack: Types and Mitigation

What a DDoS attack is: difference from DoS, OSI-layer taxonomy (volumetric, protocol, L7), DNS/NTP/memcached amplification and a mitigation stack.

SecraJuly 6, 202610 min read

A DDoS attack (Distributed Denial of Service) is an attempt to make a service unreachable by flooding it with traffic or requests sent in a coordinated way from thousands of different sources. The goal is not to steal data or gain access, but to exhaust a finite resource: bandwidth, connection-table capacity, CPU cycles or application-server threads. Once that resource runs out, legitimate users can no longer connect and the service goes down. This guide is the defensive cluster's canonical DDoS reference: it defines the attack, classifies it by OSI layer, explains the amplification vectors and closes with a mitigation stack and an incident-response playbook.

DDoS versus DoS: what is the difference

The distinction is a matter of scale and origin. A DoS (Denial of Service) attack comes from a single machine or connection. It is easier to detect and to block: filtering the source IP or applying a rate limit to it is enough. A DDoS (Distributed Denial of Service) attack comes from hundreds, thousands or millions of simultaneous sources, usually compromised machines inside a botnet. That distribution is precisely what makes it hard to mitigate: there is no single IP to block, traffic arrives from diverse ASNs and countries, and much of it carries a spoofed source address.

In practice, any modern defence assumes DDoS. The classic single-source DoS is a solved problem for firewall rules. The real challenge is separating millions of malicious requests from legitimate ones when both look like normal user traffic.

Taxonomy by OSI layer

The most useful way to classify a DDoS attack is by the OSI-model layer it saturates. Each category is measured with a different unit and mitigated with different controls.

Volumetric (layers 3 and 4)

These aim to exhaust the link's bandwidth. They are measured in bits per second (bps) and reach the terabit range in large cases. Typical vectors are the UDP flood (a mass of UDP datagrams to random ports, forcing the host to answer with ICMP port unreachable) and the ICMP flood or ping flood. Because UDP has no handshake, generating volume and spoofing the source is trivial.

Protocol (layer 4)

These do not aim to saturate bandwidth but to exhaust state tables in servers, firewalls and load balancers. They are measured in packets per second (pps). The paradigmatic case is the SYN flood: the attacker sends a flood of TCP SYN segments with a spoofed source, the server reserves memory for each half-open connection and replies with SYN-ACK to an address that never completes the handshake. The connection table fills up and the server rejects legitimate connections. Related variants: ACK flood, RST flood and TCP/UDP fragmentation.

Application (layer 7)

The most dangerous and hardest to filter, because each request is syntactically valid and low-volume. They are measured in requests per second (rps). The HTTP flood launches waves of GET or POST against expensive endpoints (searches, logins, PDF generation) to exhaust CPU and database connections with a trivial amount of traffic. Slowloris does the opposite: it opens many connections and keeps them alive by sending partial HTTP headers very slowly, never closing them, until the server's connection pool is exhausted with barely a few kilobits per second. In 2023, the HTTP/2 Rapid Reset technique (CVE-2023-44487) enabled records of over 398 million rps by opening and immediately cancelling HTTP/2 streams.

Amplification and reflection

The largest volumetric attacks in history do not come directly from the botnet, but from bouncing traffic off misconfigured third-party servers. The mechanism is reflection with amplification: the attacker sends a small request to a public UDP service with a spoofed source address (the victim's), and the service replies with a much larger packet aimed at the victim. Source spoofing is possible because many networks do not filter egress traffic (see what is spoofing).

The amplification factor is the key. The most exploited vectors:

  • DNS (port 53): open resolvers answering ANY queries. Factor of 28x to 54x.
  • NTP (port 123): the monlist command (CVE-2013-5211) returns the last addresses served. Factor of up to 556x.
  • memcached (port 11211): exposed without authentication over UDP. Factor of up to 51,000x. It was the vector of the 1.35 Tbps attack against GitHub in February 2018 (Memcrashed).
  • CLDAP (port 389): factor of 56x to 70x. AWS Shield mitigated a 2.3 Tbps attack over this vector in February 2020.
  • SSDP (port 1900) and Chargen (port 19): smaller factors but abundant in home devices.

Mitigation at source means closing these services to the Internet or disabling the abusable functions (disable monlist, do not expose memcached over UDP, close recursive resolvers). At network level, BCP38 egress filtering (RFC 2827) would prevent the source spoofing that makes the entire reflection family possible.

Botnets and booter/stresser services

The origin of most distributed attacks is a botnet: SOHO routers, IP cameras and IoT devices compromised through default credentials. Mirai proved the model in 2016 with peaks of roughly 1.2 Tbps against Dyn DNS, which took down Twitter, Spotify and GitHub. The fleet of vulnerable devices keeps growing, and with it the recruitment surface (see IoT/OT cybersecurity).

That firepower is for rent. Booter or stresser services advertise themselves with a legitimate look ("stress-testing tools") but actually sell on-demand attacks by the hour against any target, for amounts as low as tens of euros. They have democratised DDoS to the point where no technical skill is needed to launch one today. International law-enforcement operations (such as the successive editions of Operation PowerOFF) dismantle these platforms recurrently, but they reappear under new domains.

The mitigation stack

No single layer stops a modern DDoS. Effective defence is organised in complementary layers, from the network to the application server.

Rate limiting and ACLs. Rate limits per IP, per session or per token, and access-control lists that drop unused protocols and ports. This is the first line, useful against moderate spikes and insufficient on its own against distributed volume.

SYN cookies and protocol hardening. Against SYN floods, enabling SYN cookies avoids reserving state until the handshake completes. Against Slowloris, a reverse proxy that buffers the full request before passing it to the backend (nginx, or mod_reqtimeout in Apache) and aggressive connection timeouts.

Scrubbing and Anycast. When volume exceeds the link's capacity, traffic is redirected (via BGP or a DNS change) toward distributed scrubbing centres that absorb and filter the attack, returning only clean traffic over a GRE tunnel. The Anycast architecture announces the same IP from dozens of points of presence, spreading a volumetric attack across the whole network instead of concentrating it on a single data centre.

Managed scrubbing services. AWS Shield (Standard and Advanced), Cloudflare Magic Transit, Akamai Prolexic, Google Cloud Armor, Azure DDoS Protection and Imperva offer terabit-scale mitigation capacity that no individual organisation can sustain on its own.

WAF for layer 7. Application attacks pass through the network indistinguishable and can only be filtered by understanding the HTTP request: signatures, IP reputation, JavaScript challenges, adaptive CAPTCHA and behavioural analysis. That is the job of a Web Application Firewall, essential against HTTP flood, Slowloris and Rapid Reset.

Detection and response. An IDS and flow telemetry (NetFlow, sFlow) against a traffic baseline make it possible to spot the anomaly in seconds, a precondition for activating any mitigation in time.

Incident-response playbook

Aligned with NIST SP 800-61, the response to a DDoS follows a script:

  1. Preparation. A documented traffic baseline, alert thresholds, ISP and scrubbing-provider contacts, and a runbook tested before the incident.
  2. Detection and classification. Confirm it is DDoS (not a legitimate spike), identify the layer (bps, pps or rps) and the vector.
  3. Mitigation. Activate filtering appropriate to the layer: scrubbing and Anycast for volumetric, SYN cookies and ACLs for protocol, WAF and challenges for layer 7. As a last resort against total link saturation, RTBH (Remote Triggered Black Hole, RFC 5635) coordinated with the upstream.
  4. Communication. Notify the ISP and the provider. Under NIS2, an early warning to the reference CSIRT within 24 hours applies to significant availability incidents.
  5. Post-incident. Analysis of the captured telemetry, threshold tuning and lessons learned.

Compliance fit

Availability is a regulatory requirement, not just an operational one:

  • NIS2 (article 21). Continuity and incident-management measures; the 24-hour early warning to the CSIRT applies to significant availability incidents.
  • DORA (article 11). Digital operational resilience for the financial sector, with continuity plans against disruptions.
  • ISO 27001:2022 (controls 5.29, 8.6, 8.20). Continuity, capacity management and network security.
  • ENS Royal Decree 311/2022 (measure mp.com.4). Protection against denial of service as an explicit control of the availability dimension.

Frequently asked questions

What is DDoS in a nutshell?

DDoS stands for Distributed Denial of Service. It is an attack that saturates an online service with traffic or requests sent simultaneously from many sources to make it unreachable for legitimate users. It does not aim to steal information, but to bring the service down.

What is the difference between DoS and DDoS?

A DoS comes from a single machine and is blocked by filtering its IP. A DDoS comes from thousands of distributed sources, usually a botnet, and often with a spoofed source address, which prevents blocking a single point and forces mitigation by volume and by behaviour.

How long can a DDoS attack last?

From bursts of a few minutes (hit-and-run, designed to evade the activation of defences) to campaigns lasting days with intermittent waves. Duration depends on the attacker's objective and on the cost of sustaining the attack.

Does a traditional firewall stop a DDoS?

Not on its own. A stateful firewall can even become the victim when its connection table is exhausted by a SYN flood. Effective mitigation combines network scrubbing capacity, Anycast, a WAF for layer 7 and rate limits, not a single firewall rule.

Can a DDoS be prevented entirely?

You cannot stop someone from trying, but you can reduce the impact to nearly zero with a prepared architecture: a properly sized scrubbing provider, Anycast, a WAF, a response runbook and spare capacity. The realistic goal is to keep availability during the attack, not to prevent it from happening.

DDoS defence at Secra

At Secra we help validate DDoS resilience on three fronts: reviewing the mitigation architecture (scrubbing, Anycast, WAF and rate limits) to confirm it is properly sized, hardening exposed services that could be abused as amplification reflectors, and running controlled response exercises that measure how long your team takes to detect and contain a saturation event. If your organisation has never rehearsed an availability incident or depends on a critical service without a continuity plan against denial of service, get in touch via contact or explore our managed services.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article