DDoS Attacks: How Distributed Denial-of-Service Floods Knock Sites Offline
DDoS attacks overwhelm servers with massive traffic floods from thousands of compromised devices. Learn how botnets execute these attacks, the different types, and effective defenses.
Overwhelming the Target with Sheer Volume
On October 21, 2016, millions of internet users across the United States found that major websites — Twitter, Netflix, Amazon, Reddit, Spotify, and dozens more — were inaccessible. The cause was a DDoS attack against Dyn, a DNS provider whose infrastructure handled routing for these services. The attack peaked at 1.2 terabits per second of traffic, a scale not seen before, generated primarily by the Mirai botnet — a network of 600,000 compromised Internet of Things devices including home routers, IP cameras, and DVRs. The attack lasted most of a day and caused an estimated $110 million in damages.
A Distributed Denial of Service (DDoS) attack is an attempt to disrupt a network service by overwhelming it with traffic from many sources simultaneously. The key word is "distributed" — unlike a single-source denial of service attack, which can be blocked by filtering a single IP address, DDoS traffic originates from thousands or millions of different sources, making source-based blocking impractical.
The Botnet: DDoS's Attack Platform
Most large-scale DDoS attacks are executed through botnets — networks of compromised computers and devices ("bots" or "zombies") controlled remotely by an attacker (the "botmaster"). Devices become bots when they are infected with malware, typically through phishing, exploitation of unpatched vulnerabilities, or — as with Mirai — brute-force login to devices using default factory credentials.
Mirai's source code, released publicly in 2016, revealed its propagation mechanism: it scanned the internet for IoT devices with exposed Telnet ports, then attempted login using a hardcoded list of 61 default username-password combinations (admin/admin, root/password, and similar). The list succeeded because a staggering proportion of deployed IoT devices were never reconfigured from factory defaults. Mirai and its descendants continue to proliferate; variants remain active today.
DDoS-as-a-service ("booter" or "stresser" services) has democratized DDoS attacks. These commercial services — often advertised openly on forums — rent botnet capacity for as little as $5–$20 per hour, enabling anyone to launch significant attacks without technical expertise.
Types of DDoS Attacks
| Attack Type | Layer | Mechanism | Example |
|---|---|---|---|
| Volumetric | Network (L3/L4) | Floods bandwidth with raw traffic volume; measured in bits per second (bps) | UDP flood, ICMP flood, DNS amplification |
| Protocol | Transport (L4) | Exploits protocol weaknesses to exhaust server or firewall state tables; measured in packets per second (pps) | SYN flood, Ping of Death, Smurf attack |
| Application layer | Application (L7) | Mimics legitimate user requests to exhaust server application resources; measured in requests per second (rps) | HTTP flood, Slowloris, DNS query flood |
Amplification: Getting More from Less
Amplification attacks allow attackers to generate enormous traffic volumes while controlling a relatively small number of attacking machines. The technique exploits protocols that return significantly more data than they receive, and uses IP address spoofing to direct the amplified response to the victim.
- DNS amplification: An attacker sends small DNS queries (typically 60–70 bytes) with the victim's IP as the spoofed source address to open DNS resolvers. The resolver responds with a large DNS response (up to 4,000 bytes) to the victim. Amplification factor: up to 65×
- NTP amplification: Exploits the Network Time Protocol's "monlist" command, which returns the last 600 IP addresses that contacted the server. Amplification factor: up to 556×
- Memcached amplification: The 2018 GitHub attack used compromised Memcached servers. Amplification factor: up to 51,000× — meaning 1 byte of attacker traffic could generate 51,000 bytes directed at the victim. The attack peaked at 1.35 Tbps, the largest ever recorded at the time.
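As an added example (not code from the original article), the following Python shows the defender's view of the three amplification vectors above: it computes the bandwidth amplification factor and scans constructed UDP flow records for many distinct reflector sources converging on one destination, the pattern a spoofed-source reflection attack leaves at the victim's edge. The flow fields, IP ranges and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed UDP flow records as a collector at the victim's edge might export them
# (not real telemetry): (src_ip, src_port, dst_ip, dst_port, packets, bytes).
FLOWS = [
    # Thirty distinct open resolvers answering from UDP/53 toward one host with
    # ~3,900-byte responses: the shape of DNS amplification.
    *[(f"198.51.100.{i}", 53, "203.0.113.10", 45000 + i, 40, 40 * 3900) for i in range(1, 31)],
    # Five NTP servers replying from UDP/123 to the same host (monlist-sized packets).
    *[(f"192.0.2.{i}", 123, "203.0.113.10", 50000 + i, 10, 10 * 482) for i in range(1, 6)],
    # Benign: the site's own resolver answering ordinary-sized queries.
    ("203.0.113.53", 53, "203.0.113.10", 33000, 120, 120 * 120),
    # Benign: a different host receiving a handful of small DNS answers.
    ("198.51.100.200", 53, "203.0.113.20", 40000, 3, 3 * 150),
]

# UDP services the article lists as reflectors, keyed by their well-known port.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 11211: "memcached"}

def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes that reach the victim per byte the attacker sent."""
    return response_bytes / request_bytes

def detect_reflection(flows, min_reflectors=10, min_avg_bytes=1000):
    """Flag destinations receiving large UDP replies from many distinct reflector sources.
    The victim never sent the matching queries (its address was spoofed), so many
    unsolicited, oversized replies converging on one address is the tell-tale pattern."""
    by_dst = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes": 0, "packets": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue
        e = by_dst[dst_ip]
        e["reflectors"].add(src_ip)
        e["services"].add(REFLECTOR_PORTS[src_port])
        e["bytes"] += nbytes
        e["packets"] += packets
    alerts = {}
    for dst_ip, e in by_dst.items():
        avg_pkt = e["bytes"] / e["packets"]
        if len(e["reflectors"]) >= min_reflectors and avg_pkt >= min_avg_bytes:
            alerts[dst_ip] = {"reflectors": len(e["reflectors"]),
                              "services": sorted(e["services"]), "bytes": e["bytes"]}
    return alerts
```

The benign host 203.0.113.20 is not flagged because it sees a single small-packet source, while 203.0.113.10 is flagged on both the reflector count and the average reply size.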
Application Layer Attacks: Harder to Detect
Layer 7 (application layer) DDoS attacks are the most sophisticated and hardest to defend against because they generate traffic that appears legitimate at the network level. A Slowloris attack, for example, opens many simultaneous HTTP connections to the target server and sends partial HTTP headers very slowly, keeping the connections open without completing requests. The server holds resources open for each connection, eventually exhausting its connection pool and denying service to legitimate users — all while the attack generates very low traffic volume that easily evades volumetric detection.
HTTP floods send rapid sequences of seemingly legitimate HTTP GET or POST requests. Bot-driven attacks of this type can be impossible to distinguish from legitimate user traffic without behavioral analysis (unusual geolocation distributions, abnormal user agent strings, request timing patterns, lack of JavaScript rendering).
Notable Attacks and Scale
| Attack | Year | Peak Volume | Target |
|---|---|---|---|
| Mirai botnet / Dyn | 2016 | 1.2 Tbps | Dyn DNS infrastructure |
| GitHub | 2018 | 1.35 Tbps | GitHub (Memcached amplification) |
| AWS | 2020 | 2.3 Tbps | AWS customer (UDP reflection) |
| Google Cloud | 2022 | 46 million RPS | Google Cloud customer (HTTPS flood) |
| Cloudflare | 2023 | 71 million RPS | Cloudflare customer (HTTP/2 Rapid Reset) |
DDoS Mitigation and Defense
Defending against DDoS requires infrastructure that can absorb, filter, and reroute malicious traffic at scale.
- CDN and anycast routing: Content delivery networks like Cloudflare, Akamai, and Fastly distribute traffic across hundreds of geographically dispersed nodes using anycast routing. Attack traffic is absorbed across the entire network rather than concentrated at a single origin server.
- Scrubbing centers: Upstream providers divert traffic to specialized scrubbing centers that use deep packet inspection and behavioral analysis to strip malicious traffic before forwarding clean traffic to the origin.
- Rate limiting and traffic shaping: Restricting the rate of incoming requests from individual IPs or geographic regions; effective against smaller attacks and as a component of broader defenses.
- BGP blackholing: As a last resort, announcing routing changes that cause attack traffic to be dropped at the network level before reaching the target — also drops legitimate traffic to the targeted IP.
- Overprovisioning: Maintaining bandwidth and server capacity significantly beyond normal load to absorb attack spikes; expensive but straightforward.
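As an added example (not code from the original article), the Python below applies the behavioral signals from the application-layer section (request timing patterns and abnormal user-agent strings) to constructed web-server access-log lines, then replays the same log through a per-IP token-bucket limiter of the kind the rate-limiting bullet describes. The log format, IP addresses, thresholds and bucket parameters are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-log-format lines, not real traffic: 203.0.113.5 fires 12 GETs in one
# second from a scripted client, while two browser clients request pages at a human pace.
UA_FF = '"Mozilla/5.0 (X11; Linux) Firefox/49.0"'
LOG_LINES = ['203.0.113.5 - - [21/Oct/2016:13:00:00 +0000] "GET /search?q=x HTTP/1.1" 200 512 "-" "python-requests/2.9"'] * 12 + [
    '198.51.100.7 - - [21/Oct/2016:13:00:01 +0000] "GET / HTTP/1.1" 200 4120 "-" ' + UA_FF,
    '192.0.2.9 - - [21/Oct/2016:13:00:03 +0000] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/54.0"',
    '198.51.100.7 - - [21/Oct/2016:13:00:05 +0000] "GET /about HTTP/1.1" 200 2210 "-" ' + UA_FF,
    '198.51.100.7 - - [21/Oct/2016:13:00:09 +0000] "GET /contact HTTP/1.1" 200 1980 "-" ' + UA_FF,
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Return (ip, epoch_seconds, user_agent) for one combined-log-format line."""
    ip, ts, ua = LOG_RE.match(line).groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp(), ua

def profile_clients(lines, window=1.0):
    """Per-IP features: peak requests inside any `window` seconds, and whether every request carried a browser-style UA."""
    rows = defaultdict(list)
    for ip, t, ua in map(parse, lines):
        rows[ip].append((t, ua))
    out = {}
    for ip, r in rows.items():
        times = sorted(t for t, _ in r)
        peak = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        out[ip] = {"peak_rps": peak, "browser_ua": all(ua.startswith("Mozilla/") for _, ua in r)}
    return out

def flag_floods(profile, rps_threshold=5):
    """Flag sources that burst past the threshold from a non-browser agent; a burst alone may be a real user refreshing."""
    return sorted(ip for ip, f in profile.items() if f["peak_rps"] >= rps_threshold and not f["browser_ua"])

def rate_limit(lines, rate=2.0, burst=4.0):
    """Per-IP token bucket replayed over the log in time order; returns {ip: (allowed, dropped)}.
    Each source starts with `burst` tokens and regains `rate` tokens per second; a request costs one."""
    state, counts = {}, defaultdict(lambda: [0, 0])
    for ip, now, _ua in sorted(map(parse, lines), key=lambda r: r[1]):
        tokens, last = state.get(ip, (burst, now))
        tokens = min(burst, tokens + (now - last) * rate)
        ok = tokens >= 1
        state[ip] = (tokens - int(ok), now)
        counts[ip][0 if ok else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}
```

With these parameters the limiter passes the first four requests of the burst and drops the remaining eight, while the two browser clients are never throttled.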