What Is DDoS?
A DDoS attack uses many systems at once to send traffic or requests toward a target. That is what makes it distributed. Instead of one source trying to knock a service offline, the traffic comes from many devices, which makes blocking and filtering much harder.
DDoS, short for Distributed Denial of Service, is an attack that overwhelms a website, application, API, or network with traffic or requests so legitimate users cannot access it normally. A DDoS attack targets availability rather than confidentiality, which means the goal is usually disruption, slowdown, or outage rather than data theft.
If you want more context on related attack methods, see what is botnet and what is ransomware.
How DDoS works
At a high level, DDoS works by generating more traffic or more expensive requests than the target can handle efficiently.
Build or acquire attack infrastructure
Attackers often rely on a botnet, which is a network of compromised systems they control remotely. These may include:
- Infected PCs
- Servers
- Routers
- IoT devices
- Cloud systems
- Exposed internet-connected appliances
In some cases, attackers also abuse open internet services for reflection or amplification rather than using only directly infected systems.
Choose an attack method
Not all DDoS attacks look the same. They usually fall into three broad categories.
Volumetric attacks
These are designed to flood bandwidth with large amounts of traffic. The aim is to saturate the network path between the internet and the target.
Protocol or state exhaustion attacks
These attacks consume resources in firewalls, load balancers, or servers by abusing how connections are handled. The target may run out of session capacity before bandwidth is fully saturated.
Application-layer attacks
These target the application itself, often with HTTP or API requests. They may use lower overall bandwidth but still knock out the service by repeatedly hitting expensive operations.
Send traffic or requests at scale
Once the attack begins, the attacker directs many systems to send traffic or make requests at the same time. Depending on the technique, this can mean:
- Huge packet floods
- Large numbers of connection attempts
- Repeated requests to web pages
- High-volume API calls
- Bursts intended to consume server resources
- Patterns meant to evade basic blocking
Degrade or deny service
If the attack succeeds, users may see:
- Slow page loads
- Login failures
- Timeouts
- Intermittent outages
- Full service unavailability
- High latency across related systems
Force mitigation and response
Defenders may need to reroute traffic, enable CDN or scrubbing protections, tighten rate limits, block abusive patterns, or work with upstream providers to keep services online.
Common types of DDoS attacks
While the exact techniques change over time, a few categories appear often in real-world incidents.
Traffic flooding
These attacks aim for raw volume. The target’s internet connection or edge infrastructure becomes overwhelmed by the amount of traffic arriving.
SYN floods and connection exhaustion
These attacks abuse connection handling so the target spends resources managing incomplete or malicious sessions.
HTTP floods
Instead of targeting the network path, HTTP floods hit web applications directly. Attackers may repeatedly request pages, files, or searches that consume CPU, memory, or backend resources.
API abuse
APIs are common DDoS targets because they often trigger database queries, authentication checks, or other costly operations. Attackers may repeatedly hit endpoints that are expensive to process.
Amplification attacks
These abuse third-party internet services so a small attacker request creates a much larger response toward the victim. This increases attack volume efficiently.
What DDoS is not
DDoS is often confused with other attack types, but it is not the same as:
- Ransomware, which encrypts or disrupts systems for extortion
- Intrusion-based compromise, where attackers gain internal access
- Phishing, which targets users with social engineering
- Malware infection, which installs malicious code on systems
That said, DDoS can appear alongside other activity. Some attackers use it for extortion, while others use it as a distraction during a broader security incident.
When organizations encounter DDoS
DDoS can affect any organization with internet-facing services, but some environments see it more often.
Public websites and SaaS platforms
E-commerce sites, portals, SaaS applications, and customer-facing services are common targets because downtime affects revenue and customer trust.
APIs and mobile backends
Modern applications often rely heavily on APIs. Attackers may focus on those endpoints if they know requests trigger expensive processing.
Gaming, media, and event-driven services
Gaming services, ticketing systems, streaming platforms, and high-profile launches are frequent targets because uptime is visible and business-critical.
Extortion campaigns
Some attackers threaten a DDoS attack unless payment is made. Others launch a smaller demonstration attack first to prove they can disrupt the service.
Political or retaliatory campaigns
Organizations may also see DDoS during ideological, activist, or retaliatory campaigns where the main goal is disruption and public visibility.
SMB environments
Small and midsize businesses may assume DDoS only affects large brands, but that is not true. Smaller organizations often have less spare capacity and fewer defenses, which can make even a moderate attack painful.
How teams reduce DDoS risk
No single control stops every DDoS attack, but resilience improves when teams layer several defenses.
Use CDN and edge protection
A CDN or dedicated DDoS mitigation provider can absorb and filter large volumes of traffic before it reaches the origin environment.
Apply rate limiting
Rate limiting helps reduce abuse against web applications and APIs by restricting how many requests a client can make in a set time window.
Harden internet-facing architecture
Load balancing, caching, autoscaling where appropriate, and separation between public and internal services can all improve resilience.
Monitor traffic patterns
Baseline visibility matters. Teams should know what normal traffic looks like so they can spot anomalies faster.
Plan response procedures
DDoS response often requires coordination across security, network, hosting, and application teams. Clear contacts and escalation steps reduce response time.
Practical note for smaller organizations
For smaller teams, DDoS readiness usually matters more than buying many standalone tools. If you run public admin panels, remote management systems, or staff access over the open internet, tightening basic exposure is often the first win.
That can include stronger password hygiene with Try 1Password →, better endpoint protection with Get Malwarebytes →, and more careful remote-access practices for employees who regularly use public networks, where a service like Check NordVPN pricing → may be useful. These are not direct DDoS controls, but they can reduce adjacent risks that often appear during broader service disruption or opportunistic attacks.
Conclusion
DDoS is an availability attack designed to make a service slow, unstable, or unreachable by overwhelming the resources it depends on. Because the traffic comes from many systems at once, filtering it is harder than blocking a single source.
For security and IT teams, defending against DDoS is less about malware removal and more about resilience. Good architecture, traffic filtering, rate limiting, monitoring, and a tested response plan all matter when uptime is critical.