What is a DDoS Attack? Types, Responses, and Prevention

A distributed denial-of-service (DDoS) attack is when a network is flooded with requests and crashes as a result. Here's what to know about responding to this cyberthreat.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

A distributed denial-of-service (DDoS) attack sends massive volumes of traffic to a network, server, or system until it becomes nonfunctional. A DDoS attack is a subcategory of a denial-of-service (DoS) attack. But instead of only having one source, a DDoS attack uses multiple sources to execute its assault.

The goal is simple: Send so much traffic that the system becomes paralyzed by it. But the motivations of the cybercriminal can vary. Here are a few reasons why DDoS attacks are used:

  • Hacktivists: Activism may use hacking to bring attention to their causes or show opposition to companies.
  • Extortion: Just like ransomware, hackers may attack with a DDoS strategy and only stop if they receive a ransom.
  • Competition: Corporate sabotage is not completely unheard of, and companies may pay cybercriminals to cause harm to their competitors, such as taking their websites offline.
  • Smokescreen: Hackers may use a DDoS attack to distract companies from other cyberattacks happening in the network.

Regardless of why hackers implement DDoS attacks, you can be affected once you are blocked from accessing important information online and even your personal accounts. Keep reading to learn more about how DDoS attacks work and what can be done to mitigate and prevent them.

In this article
How do DDoS attacks work?
Types of DDoS attacks
Application layer attacks
Protocol attacks
Volumetric attacks
How to identify and respond to a DDoS attack
How to mitigate a DDoS attack
DDoS attack FAQs
Bottom line

How do DDoS attacks work?

Let's use an online store as an example. It receives orders, gets payments, packages items, and then ships them out. But what happens when someone calls and makes a fake order with more than 100 items? You spend all your time and resources getting this shipment ready only for the person to not pick it up.

This is already an annoying problem, but imagine if you were getting several calls requesting large orders a day and you couldn't tell the difference between authentic orders and prank orders. You may end up breaking down and not getting anything productive done. This is essentially what happens to network resources when a DDoS attack is executed.

Cybercriminals use botnets to send a large number of requests to the targeted infrastructure. Botnets are a group of malware-infected computers, known as bots, that are controlled by a hacker.

The DDoS attack is practically automated thanks to botnets. The hacker can issue an order for botnets to send repeated requests until a server is too overwhelmed to function properly.

This can be fairly effective because botnets may pose as legitimate users with their own internet protocol (IP) addresses. Servers may not immediately recognize the threat and interact with them. It can also be difficult for information technology (IT) professionals to sort out the botnets from legitimate users for this reason.

Types of DDoS attacks

There are several types of DDoS attacks. Although they all accomplish the goal of overwhelming and paralyzing a server, they all do so in slightly different ways. DDoS attacks usually fall into three categories: application layer attacks, protocol attacks, and volumetric attacks.

Cybercriminals often will use a mix of these attacks to make it more complicated for IT security professionals to respond. Let's dive into each of these attack vectors and see how they work.

Application layer attacks

So you enter the URL of a specific webpage into your browser. The application layer is the server responding to the HTTP request to see that page.

An application layer attack focuses on the response and sends multiple requests to consume disk space and available memory. Because the attack stems from various IP addresses, it can be difficult for the server to recognize it's under attack.

Protocol attacks

Protocol attacks focus on the transactions between web servers with malicious connection requests. The idea is to overwhelm the targeted server and exhaust the processing capacity, firewalls, routing engines, and load balancers. Some of the protocols that get targeted include:

  • User Datagram Protocol (UDP): Responsible for speeding up communications between servers
  • Internet Control Message Protocol (ICMP): Helps spot any data transmission problems
  • Transmission Control Protocol (TCP): Establishes a connection and then maintains it

One way to execute a protocol attack is to send fraudulent SYN packets, known as a SYN flood attack. The TCP conducts a connection between the sender (SYN packets) and the receiver (SYN-ACKs).

It starts with a cybercriminal sending fraudulent SYN packets to start the connection. The targeted server responds by sending SYN-ACKs and waits for the connection request to be completed. But because the attack leaves the targeted server hanging, it leads to the server using too much space for the connection requests and eventually crashing.

It's like if someone asks you for a high-five but then moves their hand away at the last second and doesn't complete the high-five with you.

Volumetric attacks

Imagine you are driving and then an unannounced parade started blocking the roads. This creates a traffic jam, so you can no longer drive your car down the road.

This is basically what happens to users with volumetric attacks. As the name implies, it sends massive amounts of attack traffic to a server to exhaust the bandwidth. Because the server is overcrowded, it can't allow authentic requests through.

An example is domain name system (DNS) amplification attacks. A cybercriminal spoofs the target's IP address by impersonating the real server. Then it sends requests to the DNS server. The DNS server then responds but sends the data to the real IP address. The goal is to overwhelm the target server with requests it didn't ask for.

How to identify and respond to a DDoS attack

There are several signs that can identify a DDoS attack. Some of these red flags include:

  • Your website has crashed or takes too long to respond to requests
  • A server repeatedly crashes for no apparent reason
  • Internet connection speeds slow down significantly
  • You are unable to login into financial systems, such as your bank account
  • Your Wi-Fi signal drops and can't connect
  • You have problems accessing websites
  • An increase in spam emails

One of the reasons why DDoS attacks are particularly hard to respond to is that the source is from multiple IP addresses. It makes it harder to identify who is sending fraudulent requests and who is sending authentic requests.

You may want to contact your internet service provider (ISP) to get help filtering traffic. This may mean legitimate traffic gets denied too, but it's difficult to separate the authentic users from botnets. Here are three ways to respond to DDoS attacks:

  • Black hole filtering: Create a filter for traffic to evaluate it based on certain criteria. If it doesn't meet the criteria, it goes to a null interface or a black hole.
  • Casting: If you have access to multiple servers, you can distribute the traffic across all of them to lower the traffic and increase your overall capacity.
  • IP blocking: If you notice IP addresses within the same range, these may be botnets and you can block them.

Responding to a DDoS attack is costly and time-consuming. It's much more effective to prepare yourself against a DDoS attack and prevent the attack from happening in the first place.

Another potential DDoS threat is having a hacker infect your device and make it part of their botnet. A cybercriminal may be able to make your device part of their botnet in a variety of ways. Maybe you clicked on a suspicious link online and downloaded malware. Another possibility is that you were sent a phishing email and got tricked into a malware installation.

Luckily, it's possible to tell if your device is part of a botnet. You can run your antivirus software, and it should be able to detect botnet malware. Once detected, you can delete the infected files and start recovering from the cyberattack.

How to mitigate a DDoS attack

Preventing a DDoS attack is well worth the effort because it's difficult to stop a DDoS attack once it's infiltrated your infrastructure. There are several tools you can implement to create a multilayered cybersecurity and DDoS mitigation strategy. Here are a few tools to consider:

  • Use a virtual private network (VPN). A VPN can hide your IP address and make it more difficult to make you a target of a DDoS attack.
  • Invest in a service with DoS protection. DoS protection can notice the early signs of a DDoS attack. However, it's usually expensive for a household, especially because it's normally meant for businesses. A VPN service for DDoS protection may be a better alternative.
  • Keep antivirus software updated. You'll need updated antivirus software to stop the latest version of viruses and malware. It can also detect botnet malware and prevent your device from being used as a botnet.
  • Install a firewall. Firewalls offer numerous cybersecurity protection measures. For DDoS attacks, web application firewalls can help mitigate traffic requests between a web application and the internet.
  • Use dynamic IP addresses. Ask your ISP for dynamic IP addresses, which gives you a new IP address every day. It makes it harder to track you if you don't have a static IP address.

DDoS attack FAQs


What is the difference between a DDoS attack and a DoS attack?

The difference between a distributed denial-of-service (DDoS) and a denial-of-service (DoS) attack is the number of malicious sources making a flood of requests. A DDoS attack uses botnets and has several sources, whereas a DoS attack only has one source.


What is an example of a DDoS attack?

An example of a DDoS attack recently occurred when Google fended off the largest DDoS attack to date. The application layer attack peaked at 46 million requests per second. An early warning system gave Google time to mitigate the DDoS attack and prevent it from breaching the infrastructure.


How long do DDoS attacks last?

On average, DDoS attacks lasted roughly 50 hours in the second quarter of 2022, according to Securelist. However, 95.24% of DDoS attacks in the same period were considered “very short” or under four hours in duration. DDoS attack durations can vary depending on the hacker.

Bottom line

A distributed denial-of-service attack is stressful for companies and internet users. Companies risk losing access to their website and infrastructure. Meanwhile, internet users can't access online services. They may also find themselves in a position where their devices are being used as part of a botnet.

There are plenty of cybersecurity tools to use to protect yourself from DDoS attacks and reduce exploitable vulnerabilities. VPNs reduce your exposure to DDoS attacks because it masks your real IP address. Antivirus software and firewalls can detect malicious traffic and files. The key is to use these tools consistently and ensure they are updated regularly, so you can have a strong cybersecurity system.

Staying safe online requires proactive measures. Learn more about the benefits of VPNs, creating strong passwords, and why antivirus software is necessary to protect you from cybercrimes.

Customizable Coverage That is Simple to Use
Editorial Rating
Learn More
On NordVPN's website
Up to 66% off 2-year plans + 3 months extra
  • Ultra-secure, high-speed VPN complete with malware protection and automatic blocking of intrusive ads and third-party trackers
  • Other benefits include a premium password manager, dark web monitoring, and access to IP-restricted content
  • 3 plans to choose from for custom protection on up to 10 devices
  • Too many confusing plans

Author Details
Sara J. Nguyen is a freelance writer specializing in cybersecurity. She aims to help people protect their data while enjoying technology. She has written about online privacy and tech for over 5 years for several organizations. When she's not writing about the latest cybersecurity trends, you can find her on LinkedIn.