Your server can handle 10,000 requests per second. An attacker commands a botnet to send 10 million. For the next six hours, your customers see nothing but error pages while you scramble to respond.
This is a Distributed Denial of Service attack. Not sophisticated. Not subtle. Just overwhelming force from so many directions that traditional defenses become meaningless.
The Economics of Asymmetry
What makes DDoS attacks uniquely frustrating is the math.
The attacker rents a botnet for $50 an hour. You spend $50,000 on emergency mitigation. They click a button. You mobilize your entire operations team. They move on to another target tomorrow. You spend weeks hardening your infrastructure.
This asymmetry—cheap to attack, expensive to defend—is why DDoS remains one of the most common and effective attack vectors despite being one of the oldest. You don't need sophistication when brute force is this affordable.
Why "Distributed" Changes Everything
A single attacker sending requests from one computer is trivial to stop. Identify the IP address, block it, done.
But distributed attacks come from thousands or millions of IP addresses simultaneously. Each individual source might send perfectly reasonable traffic—maybe 10 requests per second. But multiply that by 100,000 compromised devices, and you have a flood that can't be stopped by blocking individual sources.
These botnets are armies of compromised machines: infected laptops, hacked servers, and especially vulnerable IoT devices. That smart thermostat with factory-default credentials? It might be participating in an attack right now. The security camera with no firmware updates? Same.
The Mirai botnet famously weaponized hundreds of thousands of IoT devices to generate attacks exceeding 1 terabit per second. The devices' owners had no idea their webcams and DVRs were soldiers in a digital army.
Three Ways to Overwhelm
Volumetric attacks are the sledgehammer. Send more data than the network connection can handle. If your Internet link is 10 Gbps, an attacker sending 100 Gbps simply saturates the pipe. Legitimate traffic can't get through because there's no room.
The largest recorded attacks have exceeded 2 terabits per second. That's enough to overwhelm almost any single network connection on Earth.
Protocol attacks are more surgical. Instead of overwhelming bandwidth, they exploit how network protocols work. A SYN flood, for example, abuses TCP's three-way handshake. The attacker sends millions of connection requests without ever completing them. Your server dutifully allocates resources for each half-open connection until it runs out of memory tracking connections that will never complete.
Application layer attacks are the scalpel. They send requests that look completely legitimate but are carefully chosen to be expensive to process. A single search query that triggers a complex database operation. An API call that generates a massive report. These attacks don't need much bandwidth—they need to find your application's weak spots.
A sophisticated attacker combines all three simultaneously. While you're struggling with the volumetric flood, protocol attacks exhaust your firewall's connection tables, and application attacks slip through to crash your servers. Multi-vector attacks are harder to mitigate because each defense addresses only one vector.
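The resource exhaustion behind the SYN flood described above can be seen in a small model of the server's half-open connection table. This is an added example, not code from the original page; the class, the function names and all numbers (table capacity, timeout, arrival rates) are constructed for illustration.

```python
from collections import OrderedDict

class HalfOpenTable:
    """Toy model of a listener's backlog: one slot per half-open connection."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # maximum half-open entries tracked
        self.timeout = timeout        # seconds before an unanswered entry is reaped
        self.entries = OrderedDict()  # connection key -> time its SYN arrived

    def _reap(self, now):
        # Entries are inserted in time order, so expired ones sit at the front.
        while self.entries:
            key, t0 = next(iter(self.entries.items()))
            if now - t0 < self.timeout:
                break
            del self.entries[key]

    def on_syn(self, key, now):
        """Return True if state was allocated, False if the SYN was dropped."""
        self._reap(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = now
        return True

    def on_ack(self, key):
        """Final ACK of the handshake: the slot is freed for reuse."""
        return self.entries.pop(key, None) is not None


def simulate(capacity, timeout, never_completed_per_sec, seconds):
    """Count legitimate handshakes that succeed (one client tries per second).

    Each second, `never_completed_per_sec` SYNs arrive that are never followed
    by an ACK; then one legitimate client sends a SYN and, if accepted, its ACK.
    """
    table = HalfOpenTable(capacity, timeout)
    accepted = 0
    for t in range(seconds):
        for i in range(never_completed_per_sec):
            table.on_syn(("unanswered", t, i), t)
        key = ("client", t)
        if table.on_syn(key, t):
            table.on_ack(key)
            accepted += 1
    return accepted


if __name__ == "__main__":
    print(simulate(128, 30, 10, 60))   # small table, long timeout
    print(simulate(128, 5, 10, 60))    # same table, entries reaped sooner
    print(simulate(1024, 30, 10, 60))  # larger table, same timeout
```

The table stays full whenever unanswered SYNs arrive faster than capacity divided by timeout, which is why defenders tune both. On Linux the corresponding settings are net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_synack_retries, and net.ipv4.tcp_syncookies avoids allocating the slot before the handshake completes.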
The Amplification Trick
Here's something genuinely wild about DDoS: attackers can multiply their firepower using the Internet's own infrastructure.
DNS servers, NTP servers, and other UDP-based services will respond to requests from any IP address. An attacker sends a small request—maybe 60 bytes—but spoofs the source IP to be the victim's address. The server sends its response—maybe 3,000 bytes—to the spoofed address.
The attacker just turned 60 bytes into 3,000 bytes aimed at the victim. A 50x amplification factor.
With memcached amplification (before most servers were secured), attackers achieved amplification factors of 50,000x. Send 1 megabyte, generate 50 gigabytes of attack traffic. The attacker barely needs any bandwidth at all.
This is reflection and amplification: tricking legitimate services into attacking the victim on the attacker's behalf.
Why People Attack
Extortion is increasingly common. "Pay us $10,000 in Bitcoin or we'll knock you offline for a week." Some attackers demonstrate capability with a short attack, then make demands.
Competition is uglier than you'd expect. Businesses have attacked competitors to disrupt product launches, steal customers during outages, or simply make rivals look unreliable.
Activism turns DDoS into protest. Attackers target organizations whose policies they oppose, treating service disruption as a form of speech.
Distraction uses DDoS as cover. While your security team scrambles to restore service, attackers conduct quieter operations—data theft, system compromise, credential harvesting.
And sometimes it's just $20 and a grudge. DDoS-for-hire services—"booters" or "stressers"—let anyone with a credit card attack anyone else. No technical skills required.
The Damage Isn't Just Downtime
The immediate cost is obvious: your service is unavailable, customers can't reach you, revenue stops flowing.
But the secondary costs compound. Your team works through the night instead of building features. Marketing campaigns launch to error pages. Customer support drowns in complaints. And the reputation damage lingers—customers remember when you weren't there.
Some attacks are precisely timed. Product launches. Sales events. Quarterly earnings calls. The attacker doesn't need to keep you down forever—just during the moments that matter most.
Defending the Undefendable
No single defense stops DDoS. You need layers.
Absorb what you can. If your service needs 1 Gbps, provision 10 Gbps. Small attacks become non-events. This doesn't scale to massive attacks, but it handles the everyday noise.
Rate limit intelligently. Restrict how many requests any single IP can make. This helps with unsophisticated attacks but does little against distributed attacks where each source sends modest traffic.
Filter known patterns. Firewalls and intrusion prevention systems can block traffic matching known attack signatures. This catches lazy attackers using off-the-shelf tools.
Distribute your infrastructure. Content Delivery Networks spread your service across hundreds of locations worldwide. An attacker would need to overwhelm all of them simultaneously—a much harder problem.
Outsource the heavy lifting. DDoS protection services like Cloudflare, Akamai, or AWS Shield route your traffic through their infrastructure. They have the massive capacity to absorb attacks that would flatten your network, filtering malicious traffic before it reaches you.
The most resilient organizations combine on-premises defenses for routine attacks with cloud-based protection that activates when attacks exceed local capacity.
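The limit of per-IP rate limiting noted above can be checked by replaying two constructed traffic samples through the same limiter: one noisy source, and many sources that each stay under the limit. This is an added example, not code from the original page; the limiter, the 20 requests per second limit, the backend capacity of 1,000 requests per second and the addresses are assumptions, and the source count is scaled down so it runs quickly.

```python
from collections import defaultdict, deque

class PerIPLimiter:
    """Allow at most `limit` requests per sliding window for each address."""

    def __init__(self, limit, window_ms=1000):
        self.limit = limit
        self.window_ms = window_ms
        self.seen = defaultdict(deque)  # ip -> timestamps of allowed requests

    def allow(self, ip, now_ms):
        q = self.seen[ip]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()                 # forget requests older than the window
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True


def constructed_traffic(sources, rate, seconds):
    """Constructed sample: `sources` addresses, each sending `rate` req/s.
    Timestamps are integer milliseconds so window arithmetic is exact."""
    return [(s * 1000 + i * 1000 // rate, f"10.{n // 256}.{n % 256}.1")
            for n in range(sources) for s in range(seconds) for i in range(rate)]


def replay(events, per_ip_limit, capacity):
    """Replay (timestamp_ms, ip) events through a per-IP limiter.

    Returns (passed, blocked, overloaded_seconds): requests the limiter let
    through, requests it blocked, and the seconds in which the requests that
    passed still exceeded the backend's `capacity` (requests per second).
    """
    limiter = PerIPLimiter(per_ip_limit)
    passed = defaultdict(int)
    blocked = 0
    for ts, ip in sorted(events):
        if limiter.allow(ip, ts):
            passed[ts // 1000] += 1
        else:
            blocked += 1
    overloaded = sorted(sec for sec, n in passed.items() if n > capacity)
    return sum(passed.values()), blocked, overloaded


if __name__ == "__main__":
    # One source at 5,000 req/s: the limiter removes almost all of it.
    print(replay(constructed_traffic(1, 5000, 3), 20, 1000))
    # 2,000 sources at 10 req/s each: nothing is blocked, backend is overloaded.
    print(replay(constructed_traffic(2000, 10, 3), 20, 1000))
```

The third value returned, aggregate load per second measured after the limiter, is the signal to alert on, since per-source counters never trip in the distributed case.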
An Arms Race Without End
DDoS attacks that made headlines five years ago are now background noise. The scale keeps growing. The techniques keep evolving. As defenses improve, attackers adapt.
The proliferation of insecure IoT devices provides attackers with an ever-growing army. Billions of devices with weak or no security, always online, waiting to be conscripted.
For anyone running services on the Internet, DDoS isn't a possibility—it's an inevitability. The question isn't whether you'll face an attack, but whether you'll still be standing when it ends.