DDoS Explained — Mechanics, Categories, and Defenses thumbnail

DDoS Explained — Mechanics, Categories, and Defenses

⏱ approx. 20 min views 154 likes 0 LOG_DATE:2026-05-10
TOC

DDoS (Distributed Denial of Service) is the attack of "sending massive volumes of (often legitimate-looking) requests from many sources so the target service becomes unusable for real users." It's one of the few attack classes that succeeds even when the code has no vulnerabilities — and because "a flood of legitimate requests" and "an attack" are fundamentally indistinguishable in principle, it remains one of the hardest problems on the modern Internet. This article covers DoS vs DDoS, the three categories, reflection/amplification, botnets, canonical incidents, the defense layers, and what to do when it actually hits.

01

DoS vs DDoS — the fundamental 1 vs N gap #

Type Sources Defining trait
DoS One source Classical. Vulnerability-based — Ping of Death, LAND attack, etc. Easily stopped by blocking the source IP
DDoS Thousands to tens of millions of sources The modern mainstream. Stopping individual sources is useless; the proxies (botnets / reflectors) can't be eliminated
DRDoS Source spoofing + reflectors The attacker never appears on the wire. To the victim it looks like "attacks are arriving from legitimate servers all over the world"

DoS follows the model of "one attacker exploits a code vulnerability" — types like Ping of Death (1996), where "sending one specially-crafted packet crashes the target OS," and most of these are patched today. DDoS is fundamentally different because "even bug-free code can't stop it". The analogy: "ten thousand fire hoses pointed at you simultaneously" — each hose carries legitimate water, but the combined flow exceeds the target's capacity.

02

Why DDoS is structurally hard #

The reason DDoS is not the kind of problem "a vendor patch can end" comes back to structural problems of the Internet itself.

  • The Internet was designed for mutual trust — packets being deliverable from anywhere is the base feature. "Reject huge volumes of unrelated packets" is a retrofitted fight
  • Source IPs can be spoofed — UDP doesn't establish a connection, so the source IP can be falsified at will. BCP38 (RFC 2827) says ISPs should drop spoofed packets, but fewer than half of the world's ISPs implement it (CAIDA Spoofer Project)
  • Amplifiable servers are left running everywhere — open DNS resolvers, NTP monlist, memcached UDP 11211 — millions of misconfigured servers worldwide
  • IoT device security is catastrophic — default admin/admin Wi-Fi cameras and routers are born every day worldwide, so the new-supply pipeline for botnets never stops
  • "Attack vs legitimate user" is hard to tell apart — a flash sale can multiply legitimate traffic 100×, so blocking on a simple threshold drops paying customers
▸ Even a perfect server can't fix what's upstream

DDoS has the structural property that "even if your servers are perfect, you can't fix problems in the upstream path, the proxies, or in source-IP spoofing." The reason a model based on absorbing the attack in the anycast networks and capacity of huge providers — Cloudflare / AWS Shield / Akamai — has become the realistic answer is precisely this structural fact.

03

The three categories — Volumetric / Protocol / Application #

DDoS is divided by what gets exhausted. Different categories need different defenses, so identifying the type is the first triage step.

① Volumetric ② Protocol ③ Application
Target of exhaustion Link bandwidth (Gbps to Tbps) State tables (conntrack etc.) App compute / DB / connections
Layer L3 / L4 (IP, UDP) L3 / L4 (TCP, ICMP) L7 (HTTP, DNS, TLS)
Unit bps pps rps
Typical attacks UDP flood / ICMP flood / DNS amplification SYN flood / Fragmentation / Smurf HTTP flood / Slowloris / HTTP/2 Rapid Reset
What works anycast / BGP blackhole / scrubbing / ACL SYN cookies / larger conntrack / SYN proxy WAF + bot management / rate limit / CAPTCHA / cache
  • Volumetric = "shove so much water into the pipe it overflows" (saturate the link). For home users and SMBs, the defense is fundamentally outsourced upstream — there is no realistic way to absorb 100 Gbps in-house
  • Protocol = "fill the reception counter with half-finished customers" (SYN flood exhausts the TCP half-open table). SYN cookies handle this
  • Application = "demand heavy work through normal-looking calls" (one million rps to /search?q=xxx, or Slowloris holding connections open). The hardest one to tell apart from real traffic
▸ Modern DDoS combines multiple categories

Saturate the pipe with 1 GB/s of UDP flood, simultaneously fire a million rps of HTTP flood at the app — "multi-vector attack" is the new normal. Identifying each component and routing each to the layer that handles it is essential operational discipline.

For scale — known maxima from 2024 #

  • Volumetric: Cloudflare 5.6 Tbps (UDP reflection, 2024-10)
  • Protocol: hundreds of Mpps (modern NICs handle it, but old L4 LBs melt)
  • Application: Cloudflare HTTP/2 Rapid Reset, 398 Mrps (2023-08) — the highest rps ever observed
04

Reflection + Amplification — orders of magnitude of leverage #

The main reason DDoS reaches "Tbps scale" is the combination of reflection and amplification. UDP protocols that "return several times the data for a tiny query" get repurposed as stepping stones.

1. Attacker spoofs the source IP as the victim
UDP is connectionless, so there's no 3-way handshake verification. The attacker sends a few dozen bytes "from the victim" to the reflector.
2. Reflector (DNS / NTP / memcached / CLDAP) responds
The reflector believes the query came from the victim and returns an N×-larger response addressed to the victim. The attacker never appears on the wire.
3. The victim absorbs the flood of responses
From the victim's view, "attacks are arriving from legitimate servers all over the world." The sources are massively distributed, making blocking by IP impractical.

Main amplification factors (BAF: response bytes per query byte) #

Protocol Amplification Port
memcached x 51,200 UDP/11211
NTP monlist x 556 UDP/123
CharGEN x 358 UDP/19
DNS (open resolver) x 28–54 UDP/53
CLDAP x 56–70 UDP/389
SSDP / UPnP x 30 UDP/1900
SNMP x 6 UDP/161
QUIC reflection x 12–43 UDP/443
▸ Why only UDP gets used for reflection
  • UDP is connectionless → there's no handshake step that verifies the source IP
  • TCP requires SYN-SYN/ACK-ACK three-way → with a spoofed source, the ACK never comes back, so reflection doesn't work
  • ISP-side BCP38 / uRPF would block source spoofing if deployed, but fewer than half of the world's ISPs do so
  • memcached at ×51,200 enabled the "1.35 Tbps attack on GitHub in 2018" (after which the memcached project removed UDP mode outright)

"An attacker with only a 100 Mbps uplink can step on an ×100 amplifier and emit 10 Gbps" — this is the real reason DDoS became executable at the individual level. The fundamental defense is "close every amplifier in the world," but it can't be fully eliminated. The Shadowserver Foundation and the Open Resolver Project continuously scan and notify operators of amplifier lists.

05

Botnets — the supply side of DDoS #

While reflection uses "third-party servers as stepping stones," botnets use "compromised endpoints themselves" as the army. After Mirai (2016) took control of hundreds of thousands of Wi-Fi cameras and routers still using default passwords, IoT botnets became the main supply line for DDoS.

Typical architecture #

  • Loader / scanner — Internet-wide brute force on 23/tcp (Telnet) / 22/tcp (SSH) / 7547/tcp (TR-069) using default credential lists
  • Implant (malware) — persists on the infected endpoint, waits for instructions from C2
  • C2 server — distributes the next target and method via IRC / HTTP / Tor hidden service / blockchain
  • Attack the victim — the bot fleet fires SYN flood / HTTP flood / UDP flood in unison
Botnet Main infection vector Scale / notes
Mirai (2016) Wi-Fi cameras and DVRs (default admin/admin) 400-600K nodes. Krebs / Dyn attacks → source publication exploded into variants
Mirai variants (Satori, Okiru, Reaper etc.) IoT vulnerabilities Tens of thousands to hundreds of thousands operating in parallel
Meris (2021) MikroTik router vulnerability 250K nodes; 21 Mrps over HTTP/2
Mantis (2022) Hijacked cloud VMs (high-quality bots) 26 Mrps HTTP flood from just 5,000 hosts
Residential proxy operators "Free VPN" / browser extensions Residential IPs collected under the guise of legitimacy and reused in attacks
▸ The recent trend is "quality over quantity"

For raw rps efficiency, a few thousand high-bandwidth data-center VMs beat hundreds of thousands of IoT devices. Mantis hitting 26 Mrps from just 5,000 nodes is symbolic.

06

25 years of canonical incidents #

Year Incident Scale / notes
2000 Mafiaboy (a 15-year-old Canadian) Stopped Yahoo!, eBay, CNN, Amazon, Dell. The first time DDoS broke into mainstream media
2007 Estonia attacks Government, banks, and media down for 3 weeks. The first major nation-scale DDoS
2013 Spamhaus 300 Gbps via DNS amplification. The first mega-scale event Cloudflare defended
2016 Mirai → Krebs (620 Gbps), Dyn (1.2 Tbps) Twitter / Reddit / GitHub / Netflix down simultaneously. IoT botnets entered public consciousness
2018 GitHub 1.35 Tbps (memcached amplification) The ×51,200 of memcached UDP. Routed to Akamai Prolexic in minutes
2020 AWS 2.3 Tbps (CLDAP reflection) The largest known volumetric publicly disclosed. Absorbed by AWS Shield Advanced
2021 Meris → Yandex 22 Mrps The highest rps at the time
2023 HTTP/2 Rapid Reset (CVE-2023-44487) Cloudflare 201 Mrps / Google 398 Mrps / AWS 155 Mrps simultaneously
2024 Cloudflare 5.6 Tbps UDP (Mirai variant) 13,000 IoT devices for 80 seconds. The all-time L3/4 record
2025 Cloudflare 7.3 Tbps The bandwidth-side record gets broken every year
▸ "The annual record always gets broken" is normal in this industry

Defenders (Cloudflare / Akamai / AWS) are growing capacity just as fast — as of 2026 the major scrubbing operators each absorb 100+ Tbps on their own.

07

The defense stack — what to stop, where, how #

DDoS defense is built in layers. Doing it all in-house is not realistic; the cost-design question is how much you hand off to upstream providers.

Layer What it does Provided by
Anycast network Distribute attack traffic across global POPs Cloudflare, AWS Global Accelerator, Akamai
Scrubbing center Separate "attack" from "legitimate" and forward only the latter to origin Akamai Prolexic, Imperva, NTT, Verisign
CDN + WAF Serve static content at the edge + L7-filter HTTP floods Cloudflare, AWS CloudFront + WAF, Fastly
BGP RTBH / FlowSpec Blackhole the target IP/prefix on upstream routers ISP / Tier-1 carriers
L4 LB / SYN proxy SYN cookies avoid leaving half-open state F5 BIG-IP, AWS NLB, HAProxy, nginx stream
OS tuning net.ipv4.tcp_syncookies=1 / raise conntrack limits Linux kernel
Application rate limit Per-IP / per-session / per-token request caps nginx limit_req, Cloudflare Rate Limiting
Cache / circuit breaker Cache heavy dynamic pages + auto-503 on overload Application design
Minimum on a Linux server (excluding bandwidth)
$ sudo sysctl -w net.ipv4.tcp_syncookies=1 # mitigate SYN flood $ sudo sysctl -w net.ipv4.tcp_max_syn_backlog=8192 # grow the accept backlog $ sudo sysctl -w net.netfilter.nf_conntrack_max=2000000
nginx rate limiting
# /etc/nginx/conf.d/rate.conf limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; location /api { limit_req zone=api burst=20 nodelay; ... }
Flip Cloudflare into Under Attack mode via API during an attack
$ curl -X PATCH "https://api.cloudflare.com/client/v4/zones/$ZONE/settings/security_level" \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ --data '{"value":"under_attack"}'
08

The first 30 minutes after impact #

The to-do list when a DDoS actually hits is mostly fixed. Preparing the runbook beforehand matters more than anything else.

1. Confirm impact
Which service is down / what bps or rps is abnormal / is it hitting origin directly or via CDN.
2. Identify the attack class
Use tcpdump, NetFlow, the CDN dashboard to tell L3/L4 (UDP/SYN flood) from L7 (HTTP flood).
3. Put CDN/WAF in defense mode
Cloudflare "Under Attack mode" / AWS Shield Advanced Engagement Hotline / Akamai SOC.
4. Narrow by source IP / country
If sources cluster in a region, apply a temporary GeoIP block.
5. Isolate origin
Restrict origin's IP allowlist to CDN IPs only. Block direct hits.
6. Tighten rate limits
Prioritize squeezing heavy endpoints like /api/* /login /search; turn caching aggressive.
7. Law enforcement / customer comms
For large impact, notify police / JPCERT / NICTER. Update the status page; publish progress on social.
8. Post-mortem
Source IP list / amplifier identification / additional defenses / review of RTO and RPO.
▸ The best DDoS defense is preparation

Frantically signing up for Cloudflare Enterprise mid-attack is far worse than already having a CDN/WAF in front and a route that absorbs attacks. Even Cloudflare's free plan is plenty for L7 mitigation on a personal site.

09

Summary #

  • DDoS is one of the few attack classes that succeeds even when the code is bug-free. Rooted in structural problems — the Internet's open design and the ubiquity of amplifiers — it can't be solved by a vendor patch
  • Holding the three categories (Volumetric / Protocol / Application) and the Reflection + Amplification mechanism that creates "orders-of-magnitude leverage" lets you reconstruct what actually happened when a "DDoS of N Tbps" hits the news
  • The fundamental answer is "hand it off upstream" — providers with anycast networks and scrubbing capacity (Cloudflare / Akamai / AWS Shield) do the absorbing. Taking a 1 Tbps event in-house is hard even at Google / AWS scale
  • "DDoS defense = CDN/WAF in front" has become the minimum standard for modern infrastructure. Behind that, layering OS-level SYN cookies, application rate limits, and circuit breakers is the 2026 baseline
𝕏 Post B! Hatena