Hard2bit

DDoS

What DDoS is

DDoS (Distributed Denial of Service) is an attack that saturates a service by sending traffic from thousands or millions of coordinated origins, usually compromised machines in a botnet or network nodes abused as amplifiers. The goal isn't to steal data but to make the service unreachable for legitimate users. Unlike a simple DoS (single origin, easy to block), DDoS is distributed by nature and forces edge defenses with massive visibility and absorption capacity.

Why it matters

A banking, payment, e-commerce or public-administration service down for hours has immediate economic impact, reputational damage and, under NIS2 and DORA, a notification obligation and possible sanctions. The public surface of any organization is a potential target: from extortion (pay or we keep attacking) to hacktivism, distraction from other parallel attacks or competitive pressure. Attacks have grown in scale year after year (record >5 Tbps in 2024-2025), and the cost of executing one keeps dropping with the professionalization of "DDoS-as-a-Service" markets in criminal ecosystems. A serious organization with public presence needs an explicit mitigation strategy, not hope that it won't happen.

Key points

Three families: volumetric (saturate bandwidth with UDP floods, DNS/NTP/Memcached amplification), protocol (exhaust state tables with SYN floods, fragment attacks) and application (Layer 7: HTTP floods, slowloris, expensive requests to specific endpoints). Each requires a different defense.

Effective mitigation combines multiple layers: scrubbing centers at the edge (Cloudflare, Akamai, AWS Shield Advanced), CDN rate limiting, WAF rules for Layer 7 and anycast BGP routes that distribute load geographically. A single layer is rarely enough against sophisticated attacks.

Most attacks last under an hour, but some persist for days as a campaign. Automated response speed (activating scrubbing in seconds, not minutes) is the difference between minor disruption and a prolonged outage.

Layer 7 (application) is the hardest type to detect and mitigate: the traffic looks legitimate, so it requires usage-pattern analysis and fine-grained rate limiting that does not affect real users. WAF and bot management are the usual tools.
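As an added illustration of the fine-grained Layer 7 limiting described above (not code from the original page), the following sliding-window limiter charges uncached, expensive endpoints more than cheap ones and gives requests without a valid token a much smaller budget, so a small anonymous flood against a search endpoint is flagged while an authenticated client at a normal rate is not. The log format, endpoint costs, budgets and client addresses are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
BUDGET_WITH_TOKEN = 100    # weighted requests per window for authenticated clients
BUDGET_WITHOUT_TOKEN = 10  # far stricter budget for requests without a valid token
# Uncached, expensive endpoints are charged more than cheap ones (cost-based limiting),
# so a handful of heavy requests trips the limit just like a large HTTP flood would.
ENDPOINT_COST = {"/api/search": 5, "/api/reports/aggregate": 8}

# Constructed sample log, one request per line: "<ts> <client_ip> <path> <token|none>".
# 198.51.100.7 hammers an uncached search endpoint anonymously (Layer 7 flood);
# 203.0.113.5 is an authenticated client at 1 req/s; 192.0.2.9 is an anonymous browser.
SAMPLE_LOG = sorted(
    [f"{0.2 * i:.1f} 198.51.100.7 /api/search?q=* none" for i in range(15)]
    + [f"{i:.1f} 203.0.113.5 /api/balance token" for i in range(40)]
    + [f"{2 * i:.1f} 192.0.2.9 /login none" for i in range(8)],
    key=lambda line: float(line.split()[0]),
)

def request_cost(path):
    """Cost of a request; the query string is ignored when looking up the endpoint."""
    return ENDPOINT_COST.get(path.split("?", 1)[0], 1)

def flag_sources(lines):
    """Sliding-window, cost-weighted rate limiter.
    Returns {client_ip: peak_weight} for every source that exceeded its budget."""
    windows = defaultdict(deque)  # ip -> (timestamp, cost) entries inside the window
    weight = defaultdict(int)     # ip -> current weighted request count in the window
    flagged = {}
    for line in lines:
        ts, ip, path, token = line.split()
        ts = float(ts)
        window = windows[ip]
        while window and ts - window[0][0] > WINDOW_SECONDS:  # expire old entries
            weight[ip] -= window.popleft()[1]
        cost = request_cost(path)
        window.append((ts, cost))
        weight[ip] += cost
        budget = BUDGET_WITH_TOKEN if token == "token" else BUDGET_WITHOUT_TOKEN
        if weight[ip] > budget:
            flagged[ip] = max(flagged.get(ip, 0), weight[ip])
    return flagged

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'198.51.100.7': 75}
```

In production the same logic runs in the WAF or bot-management layer; the point is that the limit is per client and weighted by endpoint cost, not a single global threshold.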

Example: DNS amplification attack against a public API

A company exposes a payments API on its CDN. An attacker launches a DNS amplification attack: it sends millions of small DNS queries to open resolvers across the Internet with the source IP spoofed to the victim's API address. The resolvers respond with much larger packets, generating 400 Gbps of traffic toward the API. The CDN absorbs the first spike, but the operations team activates a scrubbing center (specialized edge filtering), blocks abused ranges with BGP flowspec and applies strict rate limiting to requests without a valid token. The service stays operational with 4 minutes of degradation. Without that prior architecture, the outage would have lasted hours and customer/regulator notifications would have been unavoidable.
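To show what the volumetric/amplification family looks like from the defender's side of the scenario above, here is an added example (not from the original page) that classifies DNS traffic in flow records: a response is only legitimate if our own network sent a matching query to that resolver from the same ephemeral port moments earlier; responses with no such query are reflected traffic, and many distinct unsolicited sources raise an alert. The address range, flow tuple layout, thresholds and sample flows are constructed assumptions.

```python
OUR_PREFIX = "203.0.113."   # constructed: the public range of the API being defended
MATCH_WINDOW = 5.0          # seconds an outbound query stays valid for matching a response
REFLECTOR_ALERT = 50        # distinct unsolicited DNS sources that raise an alert

def is_ours(ip):
    return ip.startswith(OUR_PREFIX)

def classify_dns_flows(flows):
    """flows: (ts, src_ip, src_port, dst_ip, dst_port, nbytes) tuples in time order.
    A DNS response is solicited only if we saw our own query to that resolver from the
    same ephemeral port shortly before; everything else is reflected traffic."""
    pending = {}  # (our_host, ephemeral_port, resolver) -> (ts, query_bytes)
    stats = {"solicited_bytes": 0, "unsolicited_bytes": 0,
             "reflectors": set(), "amplification": []}
    for ts, src, sport, dst, dport, nbytes in flows:
        if is_ours(src) and dport == 53:             # outbound query from our network
            pending[(src, sport, dst)] = (ts, nbytes)
        elif is_ours(dst) and sport == 53:           # inbound DNS response
            query = pending.pop((dst, dport, src), None)
            if query and ts - query[0] <= MATCH_WINDOW:
                stats["solicited_bytes"] += nbytes
                stats["amplification"].append(nbytes / query[1])  # response/query ratio
            else:
                stats["unsolicited_bytes"] += nbytes
                stats["reflectors"].add(src)
    stats["alert"] = len(stats["reflectors"]) >= REFLECTOR_ALERT
    return stats

# Constructed sample: one legitimate query/response pair from our own resolver, then
# 200 open resolvers answering queries we never sent, all aimed at the API host.
SAMPLE_FLOWS = [
    (0.00, "203.0.113.10", 40001, "192.0.2.53", 53, 64),
    (0.05, "192.0.2.53", 53, "203.0.113.10", 40001, 120),
] + [
    (1.0 + i * 0.001, f"198.51.100.{i}", 53, "203.0.113.20", 443, 3000)
    for i in range(1, 201)
]

if __name__ == "__main__":
    result = classify_dns_flows(SAMPLE_FLOWS)
    print(result["alert"], len(result["reflectors"]), result["unsolicited_bytes"])
```

The same query/response matching is what a scrubbing center or edge filter applies at line rate; the distinct-reflector count and unsolicited byte volume are the signals that justify activating it automatically rather than waiting for a human.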

Common mistakes

  • Trusting that the hosting provider or corporate firewall will absorb the attack. For medium-size attacks, both saturate quickly. DDoS defense starts outside your network, with specialized scrubbing providers.
  • Lacking a documented response plan. When the attack starts, there is no time to improvise who to call, which scripts to run and what to decide. The plan must be written, tested in tabletop exercises, and kept with up-to-date contacts.
  • Forgetting Layer 7. Many DDoS defenses focus on volume and leave application attacks uncovered: attacks that can take down expensive services with little bandwidth (complex searches, aggregations, uncached endpoints).
  • Not testing mitigation. An anti-DDoS architecture without real testing (drills coordinated with the scrubbing provider, and obviously not against production) usually fails on day one of a real attack because of unvalidated configurations.


Frequently asked questions

What's the difference between DoS and DDoS?

DoS (Denial of Service) comes from a single origin, generally easy to block by filtering that IP. DDoS (Distributed Denial of Service) comes from thousands or millions of simultaneous origins, which forces distributed mitigation at the edge with absorption capacity much higher than the target.

Do I need a dedicated anti-DDoS service if I already use a CDN?

Modern CDNs (Cloudflare, Akamai, Fastly, AWS CloudFront) already include some level of DDoS protection, enough for small to medium attacks. For critical infrastructure or services under NIS2/DORA, it's often advisable to activate the advanced tier (Cloudflare Magic Transit, AWS Shield Advanced, Akamai Prolexic) which adds specialized scrubbing and mitigation SLAs.

Is DDoS covered by most cyber insurance policies?

Most cover mitigation costs, revenue loss from interruption and incident-response fees. It's worth reviewing per-event limits, exclusions (some exclude attacks lasting more than X hours) and the minimum control requirements mandated by the policy.