What Is a DDoS Attack?
A Distributed Denial-of-Service (DDoS) attack floods a target (a server, network, or service) with more traffic than it can handle, making it unavailable to legitimate users. Unlike a traditional DoS attack launched from a single source, DDoS attacks originate from thousands or millions of compromised devices (a botnet), making them far harder to block by IP.
Types of DDoS Attacks
| Category | Type | How It Works | Target |
|---|---|---|---|
| Volumetric | UDP Flood | Sends massive amounts of UDP packets to random ports, exhausting bandwidth | Network bandwidth |
| Volumetric | DNS Amplification | Uses open DNS resolvers to reflect/amplify traffic toward the victim (up to 70x amplification) | Network bandwidth |
| Volumetric | NTP Amplification | Exploits NTP monlist command for up to 556x amplification | Network bandwidth |
| Protocol | SYN Flood | Sends SYN packets without completing the handshake, exhausting server connection tables | Server connection state |
| Protocol | Ping of Death / ICMP Flood | Overwhelms the target with ICMP echo requests | Network resources |
| Application Layer | HTTP Flood | Sends seemingly legitimate HTTP GET/POST requests at massive scale | Web server CPU/memory |
| Application Layer | Slowloris | Keeps HTTP connections open by sending partial headers slowly, exhausting server connection pool | Web server connections |
Who Is at Risk
DDoS attacks target online services that depend on availability: e-commerce sites (financial motivation), gaming servers (competitive disruption or extortion), financial institutions, and DNS providers. Even home users with static IPs can be targeted, usually by other gamers ("booting"). Attacks are available as paid DDoS-for-hire services ("booters" or "stressers") for as little as a few dollars, making them accessible to non-technical adversaries.
How to Defend Against DDoS
- Use a DDoS mitigation service (Cloudflare, Akamai, AWS Shield) that absorbs volumetric attacks upstream before they reach your infrastructure.
- Configure rate limiting and connection limits on your web server to slow application-layer attacks.
- Use anycast routing to distribute attack traffic across multiple data centres globally.
- Block known bad IP ranges and implement geographic blocking for regions you do not serve. Run a blacklist check on your own IP to verify it is not already flagged.
- As a home user: contact your ISP if targeted; they can null-route the attacked IP temporarily or assign you a new public IP.
- Use a VPN to hide your real IP in gaming and other high-risk contexts; attackers cannot target an IP they do not know.
The Three Attack Layers Explained
Layer 3/4 volumetric: drowning the pipe
Volumetric attacks aim at raw capacity: if your link carries 1 Gbps and the attack delivers more, legitimate packets are simply crowded out. Reflection amplification makes this cheap: the attacker sends small spoofed-source requests to open DNS or NTP servers, which send much larger replies to the victim. Defence has to happen upstream, in networks bigger than the flood.
Layer 4 protocol: exhausting connection state
A SYN flood abuses the TCP three-way handshake: millions of handshake openers are sent and never completed, filling the server's half-open connection table until real clients cannot connect. The traffic volume can be modest: the target is the server's bookkeeping, not its bandwidth. SYN cookies and connection-table tuning are the standard mitigations.
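How SYN cookies remove the half-open table as a bottleneck, as an added example that is not part of the original article. It is a simplified model, not the algorithm any real TCP stack uses; the backlog size, secret, addresses and class names are constructed for illustration.

```python
import hashlib
import hmac

BACKLOG = 4                        # constructed: tiny half-open table
SECRET = b"constructed-demo-key"   # constructed: server-side secret
MASK = 0xFFFFFFFF                  # TCP sequence numbers are 32-bit


def cookie(conn, client_isn, epoch):
    """Server ISN derived from the 4-tuple, client ISN and a coarse time epoch."""
    msg = repr((conn, client_isn, epoch)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class StatefulListener:
    """Remembers every SYN until the final ACK arrives."""
    def __init__(self):
        self.half_open = {}

    def on_syn(self, conn, client_isn):
        if len(self.half_open) >= BACKLOG:
            return None                      # table full: SYN is dropped
        self.half_open[conn] = 1000          # fixed server ISN for the demo
        return 1000

    def on_ack(self, conn, ack):
        return self.half_open.pop(conn, None) == ((ack - 1) & MASK)


class CookieListener:
    """Stores nothing on SYN; the returning ACK proves the handshake."""
    def on_syn(self, conn, client_isn, epoch):
        return cookie(conn, client_isn, epoch)

    def on_ack(self, conn, client_isn, ack, epoch):
        # The ACK carries client_isn+1 and server_isn+1, so state is recomputed.
        return any((cookie(conn, client_isn, e) + 1) & MASK == ack
                   for e in (epoch, epoch - 1))


def simulate(flood_size):
    """Return (stateful_ok, cookie_ok, forged_ok) for a legitimate client."""
    stateful, stateless = StatefulListener(), CookieListener()
    for i in range(flood_size):              # spoofed SYNs, never completed
        spoofed = ("198.51.100.7", 1024 + i, "192.0.2.10", 443)
        stateful.on_syn(spoofed, i)
        stateless.on_syn(spoofed, i, epoch=7)
    legit = ("203.0.113.5", 50000, "192.0.2.10", 443)
    isn = stateful.on_syn(legit, 42)
    stateful_ok = isn is not None and stateful.on_ack(legit, (isn + 1) & MASK)
    c = stateless.on_syn(legit, 42, epoch=7)
    cookie_ok = stateless.on_ack(legit, 42, (c + 1) & MASK, epoch=7)
    forged_ok = stateless.on_ack(legit, 42, (c + 2) & MASK, epoch=7)
    return stateful_ok, cookie_ok, forged_ok
```

With no flood both listeners accept the legitimate client; after 1,000 unanswered SYNs only the cookie listener still does, and an ACK that does not match the cookie is refused.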
Layer 7 application: looking like real users
HTTP floods request expensive pages (search results, login endpoints, API calls) at rates that exhaust CPU and database capacity. Because each request is well-formed, filtering requires behavioural analysis, rate limiting, and bot challenges rather than simple traffic thresholds, making Layer 7 the hardest class to mitigate cleanly.
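One way to rate-limit by request cost rather than raw request count, so that hammering an expensive endpoint exhausts a client's budget quickly while ordinary browsing does not. This is an added example, not code from the original article; the path costs, bucket parameters, log format and addresses are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed per-path costs (hypothetical): expensive endpoints drain the bucket faster.
COST = {"/search": 5, "/login": 5, "/api/report": 10}
CAPACITY = 20_000        # bucket size in milli-tokens (20 tokens)
REFILL_PER_MS = 2        # milli-tokens added per millisecond (2 tokens/s)


class CostWeightedLimiter:
    """Token bucket per client; integer maths avoids float drift at the limit."""
    def __init__(self):
        self.buckets = {}                    # client -> (milli_tokens, last_ts_ms)

    def allow(self, client, path, ts_ms):
        tokens, last = self.buckets.get(client, (CAPACITY, ts_ms))
        tokens = min(CAPACITY, tokens + (ts_ms - last) * REFILL_PER_MS)
        cost = COST.get(path.split("?", 1)[0], 1) * 1000   # ignore query string
        allowed = tokens >= cost
        self.buckets[client] = (tokens - cost if allowed else tokens, ts_ms)
        return allowed


def replay(log_lines):
    """Return {client: rejected_count} for lines of 'ts_ms client path'."""
    limiter, rejected = CostWeightedLimiter(), Counter()
    for line in sorted(log_lines, key=lambda l: int(l.split()[0])):
        ts, client, path = line.split()
        rejected[client] += 0 if limiter.allow(client, path, int(ts)) else 1
    return dict(rejected)


# Constructed sample traffic: one browser at 1 request/s, and one source
# requesting /search at 10 requests/s.
SAMPLE = [f"{100_000 + i * 1000} 203.0.113.5 {p}" for i, p in enumerate(
    ["/", "/products", "/search?q=shoes", "/products/42", "/login", "/account"])]
SAMPLE += [f"{100_000 + i * 100} 198.51.100.23 /search?q=x{i}" for i in range(30)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The bucket is keyed on client address here for simplicity; against a widely distributed flood the same logic is usually keyed on a session, token or other behavioural identifier.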
DDoS vs DoS vs a Botnet - Terms Untangled
| Term | Meaning | Key Distinction |
|---|---|---|
| DoS | Denial-of-service from a single source | One origin; often blockable by filtering one IP |
| DDoS | Denial-of-service from many distributed sources | Thousands of origins; per-IP blocking is useless |
| Botnet | Network of malware-infected devices under one controller | The weapon used to launch DDoS; often hijacked routers and IoT gear |
| Booter / stresser | Paid DDoS-for-hire service | Illegal to use against targets you do not own, despite "testing" branding |
Your own devices can be on the attacking side without you knowing: compromised home routers and IoT devices are prime botnet recruits. Securing your router (covered in how to secure your home router) and running a port scan against your own IP keep your hardware out of someone else's arsenal.
What This Means for You
For a home user the realistic exposure is narrow: gaming-related "booting" against a known IP, and outages of services you rely on. The first is avoidable: keep your IP out of strangers' hands by avoiding P2P voice connections with unknown players or using a VPN, and if targeted, a router reconnect or ISP call gets you a fresh address. The second needs nothing from you but patience; mitigation happens at the provider. If you run a website, the decision is simpler still: put it behind a CDN or mitigation proxy before trouble starts, because retrofitting protection mid-attack is the worst time to do it.
Frequently Asked Questions
Is launching a DDoS attack illegal?
Yes. In virtually all jurisdictions, intentionally disrupting someone else's computer service is a crime, including paying a booter service to do it for you. "Stress testing" is only lawful against systems you own or have written authorisation to test.
How do I know if I am being DDoSed at home?
The signs are total connection loss or extreme lag that persists across all devices while the router itself stays up, often following an online dispute. Confirm by checking the router's WAN traffic counters if available, and call your ISP; they can see the flood and rotate your IP.
Can a DDoS attack steal my data?
No. A DDoS overwhelms availability; it does not access or extract anything. The caveat: attackers sometimes use a DDoS as a smokescreen to occupy defenders while attempting intrusion elsewhere, which is an organisational concern rather than a home-user one.