What Is a DDoS Attack? Botnets, Amplification, and Mitigation Strategies
A Distributed Denial of Service (DDoS) attack attempts to overwhelm a target — a website, server, or network — with so much traffic that it becomes unavailable to legitimate users. DDoS attacks have grown dramatically in scale and sophistication, with some exceeding terabits per second of malicious traffic. This article explains how DDoS attacks work, the major attack categories, and how organizations defend against them.
What Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is a cyberattack in which multiple compromised systems — often thousands or millions of devices forming a botnet — are coordinated to flood a target with traffic, requests, or malformed packets, overwhelming the target's capacity and making it unavailable to legitimate users. The distributed aspect distinguishes DDoS from a simple DoS attack launched from a single source: distributing traffic across thousands of source addresses makes blocking the attack far more difficult and can generate traffic volumes no single attacker could produce alone.
DDoS attacks have grown dramatically in scale. Attacks in the early 2000s measured in megabits or low gigabits per second. By 2018, GitHub was hit with a 1.35 terabit-per-second (Tbps) attack, the largest recorded at the time. In 2023, Cloudflare reported mitigating an HTTP/2 Rapid Reset attack reaching 201 million requests per second (Mrps). DDoS has evolved from a hacktivism and extortion tool into a geopolitical weapon, used by nation-states to disrupt critical infrastructure and government services during conflicts.
Volumetric Attacks
Volumetric attacks aim to saturate the target's internet connection or the capacity of its upstream providers with sheer traffic volume. The goal is simple: send more traffic than the target's network pipe can handle, so that legitimate traffic is crowded out.
The most common volumetric attack vectors include UDP floods (sending high volumes of User Datagram Protocol packets to random ports, causing the target to respond with ICMP Destination Unreachable packets, consuming bandwidth and CPU), ICMP floods (ping floods), and most significantly, amplification attacks. Amplification exploits the fact that certain UDP-based protocols respond to small queries with much larger responses. By spoofing the victim's IP address as the source of the query, the attacker redirects the amplified responses to the victim.
The most abused amplification vectors include DNS (amplification factor of up to 28x), NTP (up to 556x via the monlist command), memcached (up to 51,000x, used in the record-breaking 2018 GitHub attack), and CLDAP (up to 70x). An attacker can send 10 Gbps of spoofed queries and generate hundreds of Gbps of traffic directed at the victim — all without a botnet, simply by exploiting misconfigured servers on the internet.
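As an added illustration (not code from the article), the following Python detector aggregates inbound UDP responses whose source port is one of the reflector services named above and flags a destination when many distinct reflectors converge on it with a large total volume. The amplification factors are the article's own figures; the flow records, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Reflector service ports and the amplification factors quoted in the article;
# the factors are used only to estimate how little spoofed traffic the attacker sent.
REFLECTORS = {53: ("DNS", 28), 123: ("NTP", 556), 389: ("CLDAP", 70), 11211: ("memcached", 51000)}

# Constructed flow records, not captured traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes_seen)
FLOWS = [
    ("198.51.100.10", 11211, "203.0.113.5", 40000, "udp", 1_400_000),
    ("198.51.100.11", 11211, "203.0.113.5", 40000, "udp", 1_350_000),
    ("198.51.100.12", 123,   "203.0.113.5", 40000, "udp", 480_000),
    ("192.0.2.77",    53,    "203.0.113.9", 51515, "udp", 620),     # ordinary DNS reply
    ("192.0.2.80",    443,   "203.0.113.9", 52222, "tcp", 90_000),  # unrelated TCP flow
]

def detect_reflection(flows, min_bytes=1_000_000, min_reflectors=2):
    """Aggregate inbound UDP traffic whose *source* port is a reflector service,
    per destination. Many distinct reflectors converging on one host with a large
    total volume is the signature of a spoofed-query amplification attack."""
    per_dst = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "vectors": set(), "est_query_bytes": 0.0})
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto != "udp" or sport not in REFLECTORS:
            continue
        name, factor = REFLECTORS[sport]
        entry = per_dst[dst]
        entry["bytes"] += nbytes
        entry["reflectors"].add(src)
        entry["vectors"].add(name)
        entry["est_query_bytes"] += nbytes / factor  # approximate bytes the attacker had to send
    alerts = {}
    for dst, e in per_dst.items():
        if e["bytes"] >= min_bytes and len(e["reflectors"]) >= min_reflectors:
            alerts[dst] = {
                "bytes": e["bytes"],
                "reflectors": len(e["reflectors"]),
                "vectors": sorted(e["vectors"]),
                "est_query_bytes": round(e["est_query_bytes"]),
            }
    return alerts

if __name__ == "__main__":
    for victim, info in detect_reflection(FLOWS).items():
        print(victim, info)
```

On the constructed records the victim receives over 3 MB from three reflectors while the estimated spoofed query volume is under 1 KB, which is the asymmetry the thresholds key on.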
Protocol Attacks
Protocol attacks (also called state exhaustion attacks) exploit weaknesses in network protocols to exhaust resources on the target or its upstream infrastructure (load balancers, firewalls, routers). Rather than consuming bandwidth, these attacks consume connection state or processing capacity.
The SYN flood is the classic example. TCP connections are established through a three-way handshake (SYN, SYN-ACK, ACK). In a SYN flood, the attacker sends large numbers of SYN packets with spoofed source addresses. The server sends SYN-ACK responses and waits for the final ACK, maintaining a half-open connection entry in its state table for each. The ACK never arrives (because the spoofed source addresses either don't exist or belong to innocent third parties). When the state table fills up, the server can no longer accept legitimate connections.
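The state-table exhaustion described above is what SYN cookies, a standard mitigation the article does not cover, are designed to avoid: the server encodes what it needs into the SYN-ACK sequence number and stores nothing until a valid ACK comes back. The following is an added, simplified implementation (not from the article); the cookie layout, secret, MSS table and sample addresses are assumptions.

```python
import hashlib
import hmac
import struct

# Simplified SYN-cookie scheme (a standard mitigation idea, reduced for illustration):
# the server encodes what it needs into the SYN-ACK sequence number instead of
# storing a half-open entry, so a flood of spoofed SYNs consumes no state table.
# Cookie layout (32 bits): 5-bit counter t mod 32 | 3-bit MSS index | 24-bit keyed hash.
SECRET = b"constructed-demo-secret"  # a real host would use a random per-boot key
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values representable by the 3-bit index

def _mac24(saddr, daddr, sport, dport, t):
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, mss, t):
    """Return the initial sequence number to put in the SYN-ACK for this SYN.
    saddr/daddr are 4-byte IPv4 addresses, t is a slowly incrementing counter."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i  # largest table entry not exceeding the client's MSS
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, t)

def check_cookie(cookie, saddr, daddr, sport, dport, now, max_age=2):
    """Validate the cookie echoed back in the final ACK (ack_num - 1).
    Returns the negotiated MSS if valid and recent, else None. Only a SYN-ACK
    that actually reached the real source can be echoed, so spoofed SYNs fail."""
    t_low = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    for age in range(max_age + 1):  # only the low 5 bits of t are stored: try recent values
        t = now - age
        if t >= 0 and (t & 0x1F) == t_low and (cookie & 0xFFFFFF) == _mac24(saddr, daddr, sport, dport, t):
            return MSS_TABLE[mss_idx]
    return None

if __name__ == "__main__":
    client, server = bytes([203, 0, 113, 5]), bytes([198, 51, 100, 1])
    c = make_cookie(client, server, 40000, 443, 1460, t=100)
    print(check_cookie(c, client, server, 40000, 443, now=101))               # 1460
    print(check_cookie(c, bytes([192, 0, 2, 9]), server, 40000, 443, now=101))  # None
```

The trade-off, as in real SYN-cookie implementations, is that only the options that fit in the cookie (here, a coarse MSS) survive the handshake.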
The Smurf attack sends ICMP echo requests to a network's broadcast address, spoofed to appear from the victim, causing all hosts on the network to simultaneously respond to the victim. The fragmentation attack sends malformed or excessive packet fragments that exhaust reassembly resources. Slowloris holds HTTP connections open by sending partial HTTP headers very slowly, tying up web server connection limits with minimal bandwidth.
Application Layer Attacks
Application layer attacks (Layer 7 attacks) target the application itself rather than network capacity. By sending requests that appear legitimate but are computationally expensive to process — complex database queries, large file uploads, CPU-intensive search operations — attackers can exhaust server resources with far fewer requests than a volumetric attack requires. These attacks are also much harder to distinguish from legitimate traffic.
HTTP floods are the most common application layer attack: thousands of bots simultaneously request pages from the target website, exhausting web server threads, database connections, and CPU. The 2023 HTTP/2 Rapid Reset attacks exploited a vulnerability in the HTTP/2 protocol's stream cancellation feature, allowing attackers to send and immediately cancel hundreds of thousands of requests per connection, exhausting server resources with unprecedented efficiency.
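As an added example (not from the article, and not Cloudflare's or any server's actual code), the following Python monitor detects the open-then-cancel pattern of Rapid Reset per connection: it keeps a sliding window of HEADERS and RST_STREAM frames and flags a connection whose reset rate and reset ratio both cross a threshold, which is where a server would send GOAWAY. The window, thresholds and the synthetic frame log are assumptions.

```python
from collections import defaultdict, deque

class RapidResetMonitor:
    """Per-connection sliding-window monitor for HTTP/2 stream resets. A client
    that cancels more than `max_resets` streams per `window` seconds, with resets
    covering most of the streams it opened, is flagged for GOAWAY."""

    def __init__(self, window=1.0, max_resets=100, min_ratio=0.8):
        self.window, self.max_resets, self.min_ratio = window, max_resets, min_ratio
        self.opened = defaultdict(deque)   # conn -> timestamps of HEADERS (new streams)
        self.resets = defaultdict(deque)   # conn -> timestamps of RST_STREAM
        self.flagged = set()

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts, conn, frame):
        # Returns the action for this connection after this frame: "OK" or "GOAWAY".
        if conn in self.flagged:
            return "GOAWAY"
        if frame == "HEADERS":
            self.opened[conn].append(ts)
        elif frame == "RST_STREAM":
            self.resets[conn].append(ts)
        else:
            return "OK"
        for dq in (self.opened[conn], self.resets[conn]):
            self._trim(dq, ts)
        n_rst, n_open = len(self.resets[conn]), len(self.opened[conn])
        if n_rst > self.max_resets and n_open and n_rst / n_open >= self.min_ratio:
            self.flagged.add(conn)
            return "GOAWAY"
        return "OK"

def constructed_events():
    """Synthetic frame log, not captured traffic: (timestamp_s, conn_id, frame_type)."""
    ev = []
    for i in range(300):  # attacker: 300 streams opened and cancelled within half a second
        t = i * 0.0015
        ev += [(t, "c-attack", "HEADERS"), (t + 0.0005, "c-attack", "RST_STREAM")]
    for i in range(20):   # browser: 20 streams over 10 s, two cancelled by the user
        ev.append((i * 0.5, "c-ok", "HEADERS"))
    ev += [(3.1, "c-ok", "RST_STREAM"), (7.2, "c-ok", "RST_STREAM")]
    return ev

def run(events, monitor=None):
    m = monitor or RapidResetMonitor()
    verdicts = {}
    for ts, conn, frame in sorted(events):  # replay in time order, keep last verdict
        verdicts[conn] = m.observe(ts, conn, frame)
    return verdicts
```

The ratio check matters: a busy but legitimate client can reset streams too, so the monitor only flags connections where cancellations dominate the streams opened in the window.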
Botnets: The Engine of DDoS
Most large-scale DDoS attacks are powered by botnets — networks of compromised devices controlled by an attacker through a command-and-control (C2) infrastructure. Devices recruited into botnets include infected Windows and Linux computers, but increasingly IoT devices: routers, IP cameras, DVRs, smart TVs, and other internet-connected hardware with weak default credentials or unpatched firmware vulnerabilities.
The Mirai botnet, which emerged in 2016, demonstrated the scale of IoT-powered DDoS. Mirai infected hundreds of thousands of IoT devices (primarily CCTV cameras and DVRs) by scanning for devices with default credentials and exploiting a small set of common username/password combinations. It was used to attack the DNS provider Dyn in October 2016, taking down major services including Twitter, Netflix, and Reddit for hours. Mirai's source code was subsequently released publicly, spawning numerous variants and establishing the IoT botnet as a persistent threat.
DDoS Mitigation Strategies
Effective DDoS defense is layered and must account for attacks at multiple levels. At the network level, rate limiting (restricting the volume of traffic from individual sources), BGP blackholing (null-routing attack traffic at the ISP level, at the cost of also blocking legitimate traffic to the target), and anycast diffusion (distributing attack traffic across a geographically distributed network of scrubbing centers) are fundamental tools.
DDoS scrubbing services (offered by Cloudflare, Akamai, AWS Shield, and others) interpose a large, globally distributed network between the attacker and the victim. Traffic is rerouted to the provider's scrubbing infrastructure, which uses signature detection, behavioral analysis, rate limiting, and challenge-response mechanisms (CAPTCHA, JavaScript challenges) to separate attack traffic from legitimate traffic and forward only clean traffic to the origin.
Application layer defenses include web application firewalls (WAFs) that detect and block malicious request patterns, challenge pages that distinguish human browsers from automated bots, and content delivery networks (CDNs) that distribute load across hundreds of servers globally, reducing the impact of any single attack vector. For organizations that frequently face DDoS threats, having an incident response plan — including pre-established relationships with a DDoS mitigation provider and pre-configured traffic diversion arrangements — is essential, as mitigation must often begin within minutes to be effective.