DDoS (Distributed Denial of Service) is the attack of "sending massive volumes of (often legitimate-looking) requests from many sources so the target service becomes unusable for real users." It's one of the few attack classes that succeeds even when the code has no vulnerabilities — and because "a flood of legitimate requests" and "an attack" are fundamentally indistinguishable in principle, it remains one of the hardest problems on the modern Internet. This article covers DoS vs DDoS, the three categories, reflection/amplification, botnets, canonical incidents, the defense layers, and what to do when it actually hits.
DoS vs DDoS — the fundamental 1 vs N gap #
| Type | Sources | Defining trait |
|---|---|---|
| DoS | One source | Classical. Vulnerability-based — Ping of Death, LAND attack, etc. Easily stopped by blocking the source IP |
| DDoS | Thousands to tens of millions of sources | The modern mainstream. Stopping individual sources is useless; the proxies (botnets / reflectors) can't be eliminated |
| DRDoS | Source spoofing + reflectors | The attacker never appears on the wire. To the victim it looks like "attacks are arriving from legitimate servers all over the world" |
DoS follows the model of "one attacker exploits a code vulnerability" — types like Ping of Death (1996), where "sending one specially-crafted packet crashes the target OS," and most of these are patched today. DDoS is fundamentally different because "even bug-free code can't stop it". The analogy: "ten thousand fire hoses pointed at you simultaneously" — each hose carries legitimate water, but the combined flow exceeds the target's capacity.
Why DDoS is structurally hard #
The reason DDoS is not the kind of problem "a vendor patch can end" comes back to structural problems of the Internet itself.
- The Internet was designed for mutual trust — packets being deliverable from anywhere is the base feature. "Reject huge volumes of unrelated packets" is a retrofitted fight
- Source IPs can be spoofed — UDP doesn't establish a connection, so the source IP can be falsified at will. BCP38 (RFC 2827) says ISPs should drop spoofed packets, but fewer than half of the world's ISPs implement it (CAIDA Spoofer Project)
- Amplifiable servers are left running everywhere — open DNS resolvers, NTP monlist, memcached UDP 11211 — millions of misconfigured servers worldwide
- IoT device security is catastrophic — default admin/admin Wi-Fi cameras and routers are born every day worldwide, so the new-supply pipeline for botnets never stops
- "Attack vs legitimate user" is hard to tell apart — a flash sale can multiply legitimate traffic 100×, so blocking on a simple threshold drops paying customers
DDoS has the structural property that "even if your servers are perfect, you can't fix problems in the upstream path, the proxies, or in source-IP spoofing." The reason a model based on absorbing the attack in the anycast networks and capacity of huge providers — Cloudflare / AWS Shield / Akamai — has become the realistic answer is precisely this structural fact.
The three categories — Volumetric / Protocol / Application #
DDoS is divided by what gets exhausted. Different categories need different defenses, so identifying the type is the first triage step.
| ① Volumetric | ② Protocol | ③ Application | |
|---|---|---|---|
| Target of exhaustion | Link bandwidth (Gbps to Tbps) | State tables (conntrack etc.) | App compute / DB / connections |
| Layer | L3 / L4 (IP, UDP) | L3 / L4 (TCP, ICMP) | L7 (HTTP, DNS, TLS) |
| Unit | bps | pps | rps |
| Typical attacks | UDP flood / ICMP flood / DNS amplification | SYN flood / Fragmentation / Smurf | HTTP flood / Slowloris / HTTP/2 Rapid Reset |
| What works | anycast / BGP blackhole / scrubbing / ACL | SYN cookies / larger conntrack / SYN proxy | WAF + bot management / rate limit / CAPTCHA / cache |
- Volumetric = "shove so much water into the pipe it overflows" (saturate the link). For home users and SMBs, the defense is fundamentally outsourced upstream — there is no realistic way to absorb 100 Gbps in-house
- Protocol = "fill the reception counter with half-finished customers" (SYN flood exhausts the TCP half-open table). SYN cookies handle this
- Application = "demand heavy work through normal-looking calls" (one million rps to
/search?q=xxx, or Slowloris holding connections open). The hardest one to tell apart from real traffic
Saturate the pipe with 1 GB/s of UDP flood, simultaneously fire a million rps of HTTP flood at the app — "multi-vector attack" is the new normal. Identifying each component and routing each to the layer that handles it is essential operational discipline.
For scale — known maxima from 2024 #
- Volumetric: Cloudflare 5.6 Tbps (UDP reflection, 2024-10)
- Protocol: hundreds of Mpps (modern NICs handle it, but old L4 LBs melt)
- Application: Cloudflare HTTP/2 Rapid Reset, 398 Mrps (2023-08) — the highest rps ever observed
Reflection + Amplification — orders of magnitude of leverage #
The main reason DDoS reaches "Tbps scale" is the combination of reflection and amplification. UDP protocols that "return several times the data for a tiny query" get repurposed as stepping stones.
Main amplification factors (BAF: response bytes per query byte) #
| Protocol | Amplification | Port |
|---|---|---|
| memcached | x 51,200 | UDP/11211 |
| NTP monlist | x 556 | UDP/123 |
| CharGEN | x 358 | UDP/19 |
| DNS (open resolver) | x 28–54 | UDP/53 |
| CLDAP | x 56–70 | UDP/389 |
| SSDP / UPnP | x 30 | UDP/1900 |
| SNMP | x 6 | UDP/161 |
| QUIC reflection | x 12–43 | UDP/443 |
- UDP is connectionless → there's no handshake step that verifies the source IP
- TCP requires SYN-SYN/ACK-ACK three-way → with a spoofed source, the ACK never comes back, so reflection doesn't work
- ISP-side BCP38 / uRPF would block source spoofing if deployed, but fewer than half of the world's ISPs do so
- memcached at ×51,200 enabled the "1.35 Tbps attack on GitHub in 2018" (after which the memcached project removed UDP mode outright)
"An attacker with only a 100 Mbps uplink can step on an ×100 amplifier and emit 10 Gbps" — this is the real reason DDoS became executable at the individual level. The fundamental defense is "close every amplifier in the world," but it can't be fully eliminated. The Shadowserver Foundation and the Open Resolver Project continuously scan and notify operators of amplifier lists.
Botnets — the supply side of DDoS #
While reflection uses "third-party servers as stepping stones," botnets use "compromised endpoints themselves" as the army. After Mirai (2016) took control of hundreds of thousands of Wi-Fi cameras and routers still using default passwords, IoT botnets became the main supply line for DDoS.
Typical architecture #
- Loader / scanner — Internet-wide brute force on 23/tcp (Telnet) / 22/tcp (SSH) / 7547/tcp (TR-069) using default credential lists
- Implant (malware) — persists on the infected endpoint, waits for instructions from C2
- C2 server — distributes the next target and method via IRC / HTTP / Tor hidden service / blockchain
- Attack the victim — the bot fleet fires SYN flood / HTTP flood / UDP flood in unison
| Botnet | Main infection vector | Scale / notes |
|---|---|---|
| Mirai (2016) | Wi-Fi cameras and DVRs (default admin/admin) | 400-600K nodes. Krebs / Dyn attacks → source publication exploded into variants |
| Mirai variants (Satori, Okiru, Reaper etc.) | IoT vulnerabilities | Tens of thousands to hundreds of thousands operating in parallel |
| Meris (2021) | MikroTik router vulnerability | 250K nodes; 21 Mrps over HTTP/2 |
| Mantis (2022) | Hijacked cloud VMs (high-quality bots) | 26 Mrps HTTP flood from just 5,000 hosts |
| Residential proxy operators | "Free VPN" / browser extensions | Residential IPs collected under the guise of legitimacy and reused in attacks |
For raw rps efficiency, a few thousand high-bandwidth data-center VMs beat hundreds of thousands of IoT devices. Mantis hitting 26 Mrps from just 5,000 nodes is symbolic.
25 years of canonical incidents #
| Year | Incident | Scale / notes |
|---|---|---|
| 2000 | Mafiaboy (a 15-year-old Canadian) | Stopped Yahoo!, eBay, CNN, Amazon, Dell. The first time DDoS broke into mainstream media |
| 2007 | Estonia attacks | Government, banks, and media down for 3 weeks. The first major nation-scale DDoS |
| 2013 | Spamhaus | 300 Gbps via DNS amplification. The first mega-scale event Cloudflare defended |
| 2016 | Mirai → Krebs (620 Gbps), Dyn (1.2 Tbps) | Twitter / Reddit / GitHub / Netflix down simultaneously. IoT botnets entered public consciousness |
| 2018 | GitHub 1.35 Tbps (memcached amplification) | The ×51,200 of memcached UDP. Routed to Akamai Prolexic in minutes |
| 2020 | AWS 2.3 Tbps (CLDAP reflection) | The largest known volumetric publicly disclosed. Absorbed by AWS Shield Advanced |
| 2021 | Meris → Yandex 22 Mrps | The highest rps at the time |
| 2023 | HTTP/2 Rapid Reset (CVE-2023-44487) | Cloudflare 201 Mrps / Google 398 Mrps / AWS 155 Mrps simultaneously |
| 2024 | Cloudflare 5.6 Tbps UDP (Mirai variant) | 13,000 IoT devices for 80 seconds. The all-time L3/4 record |
| 2025 | Cloudflare 7.3 Tbps | The bandwidth-side record gets broken every year |
Defenders (Cloudflare / Akamai / AWS) are growing capacity just as fast — as of 2026 the major scrubbing operators each absorb 100+ Tbps on their own.
The defense stack — what to stop, where, how #
DDoS defense is built in layers. Doing it all in-house is not realistic; the cost-design question is how much you hand off to upstream providers.
| Layer | What it does | Provided by |
|---|---|---|
| Anycast network | Distribute attack traffic across global POPs | Cloudflare, AWS Global Accelerator, Akamai |
| Scrubbing center | Separate "attack" from "legitimate" and forward only the latter to origin | Akamai Prolexic, Imperva, NTT, Verisign |
| CDN + WAF | Serve static content at the edge + L7-filter HTTP floods | Cloudflare, AWS CloudFront + WAF, Fastly |
| BGP RTBH / FlowSpec | Blackhole the target IP/prefix on upstream routers | ISP / Tier-1 carriers |
| L4 LB / SYN proxy | SYN cookies avoid leaving half-open state | F5 BIG-IP, AWS NLB, HAProxy, nginx stream |
| OS tuning | net.ipv4.tcp_syncookies=1 / raise conntrack limits |
Linux kernel |
| Application rate limit | Per-IP / per-session / per-token request caps | nginx limit_req, Cloudflare Rate Limiting |
| Cache / circuit breaker | Cache heavy dynamic pages + auto-503 on overload | Application design |
$ sudo sysctl -w net.ipv4.tcp_syncookies=1 # mitigate SYN flood
$ sudo sysctl -w net.ipv4.tcp_max_syn_backlog=8192 # grow the accept backlog
$ sudo sysctl -w net.netfilter.nf_conntrack_max=2000000# /etc/nginx/conf.d/rate.conf
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
location /api {
limit_req zone=api burst=20 nodelay;
...
}$ curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE/settings/security_level" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
--data '{"value":"under_attack"}'The first 30 minutes after impact #
The to-do list when a DDoS actually hits is mostly fixed. Preparing the runbook beforehand matters more than anything else.
tcpdump, NetFlow, the CDN dashboard to tell L3/L4 (UDP/SYN flood) from L7 (HTTP flood)./api/* /login /search; turn caching aggressive.Frantically signing up for Cloudflare Enterprise mid-attack is far worse than already having a CDN/WAF in front and a route that absorbs attacks. Even Cloudflare's free plan is plenty for L7 mitigation on a personal site.
Summary #
- DDoS is one of the few attack classes that succeeds even when the code is bug-free. Rooted in structural problems — the Internet's open design and the ubiquity of amplifiers — it can't be solved by a vendor patch
- Holding the three categories (Volumetric / Protocol / Application) and the Reflection + Amplification mechanism that creates "orders-of-magnitude leverage" lets you reconstruct what actually happened when a "DDoS of N Tbps" hits the news
- The fundamental answer is "hand it off upstream" — providers with anycast networks and scrubbing capacity (Cloudflare / Akamai / AWS Shield) do the absorbing. Taking a 1 Tbps event in-house is hard even at Google / AWS scale
- "DDoS defense = CDN/WAF in front" has become the minimum standard for modern infrastructure. Behind that, layering OS-level SYN cookies, application rate limits, and circuit breakers is the 2026 baseline