DDoS

Also known as: Distributed Denial-of-Service

A Distributed Denial-of-Service attack — coordinated traffic from many compromised devices that overwhelms a target and makes it unresponsive to legitimate users.

What is a DDoS attack?

A DDoS attack (Distributed Denial-of-Service) is an attempt to make an online service unavailable by flooding it with traffic from many coordinated sources. Unlike a simple DoS attack from a single host — which modern firewalls and rate limiters easily absorb — a DDoS attack uses hundreds of thousands to millions of compromised devices, making filtering at the destination alone impractical.

The sources are typically:

  • Botnets of infected IoT devices, routers, and servers
  • Compromised cloud instances rented with stolen credit cards
  • Reflection / amplification from misconfigured public servers (more on this below)
  • Booter / stresser services — illegal services that sell on-demand DDoS as a service

Attack categories

DDoS attacks fall into three broad categories based on which layer they target:

  • Volumetric attacks flood the link itself with raw bandwidth (UDP floods, ICMP floods, amplification attacks). Measured in gigabits per second.
  • Protocol attacks exhaust resources in firewalls, load balancers, or servers (SYN flood, ACK flood, fragmentation attacks). Measured in packets per second.
  • Application-layer attacks target expensive operations — HTTP POSTs that trigger database queries, TLS handshake floods, HTTP/2 rapid reset. Measured in requests per second.

Amplification and reflection

Amplification attacks exploit misconfigured services (open DNS resolvers, NTP servers, memcached instances, older SNMP agents) that respond with a larger packet than they receive. The attacker spoofs the target's IP as the source address of its requests, so the reflector sends its oversized reply to the target instead of back to the attacker. A memcached reflection can multiply a single byte of query traffic into 51,000 bytes of response traffic — the mechanism behind the 1.3 Tbps 2018 GitHub attack.

Mitigation

Effective DDoS defense is almost always upstream of the target:

  • Scrubbing services (Cloudflare, Akamai, Google Cloud Armor, AWS Shield) absorb attacks at their edge
  • BGP blackholing — your ASN advertises a null route for the target IP, dropping all traffic at peering points
  • Rate limiting at the CDN or application edge
  • Bot detection — distinguishing human traffic from automated floods using CAPTCHA or behavioral analysis
  • Ingress filtering (BCP 38) — ISPs blocking spoofed source IPs at origin would largely eliminate amplification attacks, but adoption is still incomplete

Individual servers cannot defend against a large DDoS on their own — they need upstream help long before the traffic arrives.
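Two of the mitigations listed above are simple enough to show as working logic: BCP 38 ingress filtering (forward a packet only if its source address belongs to the prefixes assigned to the interface it arrived on, which is what stops spoofed requests reaching a reflector) and per-source rate limiting at the edge. The following is an added example written for this page, not code from any of the providers named above; the packet record format, the prefixes, the token-bucket parameters and the addresses are all constructed.

```python
import ipaddress


class IngressFilter:
    """BCP 38 style source-address validation for one customer-facing interface.

    Only packets whose source lies inside the prefixes assigned to that interface
    are forwarded; a packet claiming some other network's address (for example a
    victim's IP placed on a reflection request) is dropped at the first hop."""

    def __init__(self, assigned_prefixes):
        self.prefixes = [ipaddress.ip_network(p) for p in assigned_prefixes]

    def allows(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.prefixes)


class TokenBucket:
    """Per-source token-bucket rate limiter of the kind applied at a CDN edge.

    Each source may burst up to `burst` packets, then is held to `rate` packets
    per second. Timestamps are passed in explicitly so the logic is testable."""

    def __init__(self, rate, burst):
        self.rate = rate        # tokens refilled per second
        self.burst = burst      # bucket capacity
        self.buckets = {}       # src -> (tokens, last_timestamp)

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def filter_packets(packets, ingress, limiter):
    """Apply the ingress filter first, then the rate limiter, and return
    (src, verdict) pairs in input order."""
    verdicts = []
    for p in packets:
        if not ingress.allows(p["src"]):
            verdicts.append((p["src"], "drop:spoofed"))
        elif not limiter.allow(p["src"], p["ts"]):
            verdicts.append((p["src"], "drop:rate"))
        else:
            verdicts.append((p["src"], "forward"))
    return verdicts


# Constructed packet records: a customer interface assigned 192.0.2.0/24 sees three
# packets from a legitimate host and one whose source is an address outside the
# assigned prefix (spoofed).
SAMPLE_PACKETS = [
    {"src": "192.0.2.10", "ts": 0.0},
    {"src": "192.0.2.10", "ts": 0.0},
    {"src": "192.0.2.10", "ts": 0.0},
    {"src": "203.0.113.5", "ts": 0.0},
]


def run_sample():
    ingress = IngressFilter(["192.0.2.0/24"])
    limiter = TokenBucket(rate=1.0, burst=2)
    return filter_packets(SAMPLE_PACKETS, ingress, limiter)


if __name__ == "__main__":
    for src, verdict in run_sample():
        print(src, verdict)
```

The order of the two checks matters: source validation is cheap and removes traffic no rate limiter should ever have to count, which is why the article places BCP 38 at the ISP edge rather than at the victim. The token bucket as written keys on source address alone; an edge that faces a botnet of millions of real addresses would also need the aggregate limits and bot-detection signals the list above mentions, since per-source limits do not help when every source sends only a few requests.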

Frequently Asked Questions

What is the difference between DoS and DDoS?

A DoS (Denial-of-Service) attack comes from a single source IP and is trivial for a modern firewall to block. A DDoS (Distributed Denial-of-Service) attack coordinates thousands to millions of source IPs — usually a botnet or a reflection attack — so blocking any single IP does nothing. DDoS requires upstream mitigation; DoS does not.

How long do DDoS attacks last?

Most attacks are short bursts — Cloudflare reports the median attack lasts under 10 minutes, because booter services bill by the minute and attackers probe targets for weak points before sustaining an attack. Extended multi-day attacks do happen against high-value targets but are the exception, not the rule.

Can a DDoS attack be traced?

Tracing the individual source IPs is easy (the packets carry them); tracing the attacker behind the botnet or booter is hard. Source IPs belong to compromised devices, not to the attacker. Attribution usually comes from following money to the booter operator, infiltrating the crew, or linking payments and infrastructure across attacks.

Is launching a DDoS attack illegal?

Yes, in virtually every country. In the US it violates the Computer Fraud and Abuse Act (up to 10 years per offense). The UK Computer Misuse Act, Canada's Criminal Code section 342.1, Germany's §303b StGB, and similar statutes elsewhere all apply. Paying a booter service to hit a target carries the same legal exposure as running the attack yourself.

How do you stop a DDoS attack?

Individual servers cannot stop a large DDoS on their own. Mitigation happens upstream: route traffic through a scrubbing provider (Cloudflare, Akamai, AWS Shield), enable BGP blackholing at your ASN, rate-limit and bot-detect at the CDN edge, and keep reflection-prone services (open DNS resolvers, NTP, memcached) off the public internet.