What is a DDoS attack and how does protection actually work?
DDoS attacks flood a target with so much traffic that legitimate users can't get through. Here's how attacks work in 2026, the categories of attack, and why anycast networks make protection at scale possible.
You've seen the headlines: "site offline due to massive DDoS attack." Maybe you've experienced it on the receiving end — a game server, a forum, a streaming session suddenly unreachable. DDoS — Distributed Denial of Service — is one of the few attacks where the math always favors the attacker, and the defense game is genuinely hard.
Here's the practical guide.
The two-line summary
A DDoS attack overwhelms a target with more traffic, requests, or connection state than it can handle, knocking it offline for legitimate users. The "distributed" part means the attack comes from many sources at once — botnets, reflectors, or massive cloud capacity.
Defense in 2026 relies on networks bigger than any plausible attack: globally distributed anycast deployments at companies like Cloudflare, Google, AWS, and others.
The attack categories
DDoS isn't one attack — it's a family of attacks at different layers.
Volumetric attacks
The brute-force kind: "send so much data the target's link can't carry it." Measured in bits per second. Modern attacks reach 1–5 Tbps; the absolute peak observed is around 15 Tbps.
Sources:
- Botnets of compromised IoT devices, routers, and servers (Mirai variants, etc.).
- Reflection attacks — abuse DNS, NTP, memcached, or LDAP servers as amplifiers. Send a small query to a public server with the source address spoofed to the victim's IP; the server sends its much larger response to the victim.
- Booter/stresser services that rent attack capacity by the hour to anyone.
If your link is 1 Gbps and the attacker sends 100 Gbps, your link saturates regardless of what your server does. You're offline. Defense at this scale requires bigger pipes than the attacker — only a handful of providers have them.
Protocol attacks
Exploit weaknesses in TCP, UDP, or other transport-layer protocols to exhaust resources. The classics:
- SYN flood — open many half-finished TCP connections. Each consumes server state. The server runs out of slots; legitimate connections fail.
- ACK flood — overwhelm the server's connection-tracking with bogus ACKs.
- UDP flood — pure UDP packets at high rate, often with random destination ports, exhausting firewall state.
Defense: SYN cookies, connection tracking with sane limits, rate limiting at the network edge.
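SYN cookies are the state-free answer to the SYN flood described above: the server encodes a time slot, an MSS hint and a keyed hash of the 4-tuple into the initial sequence number instead of allocating a half-open connection, and only reconstructs state when a valid ACK comes back. This is an added illustration of that classic layout, not code from the original page; the secret and MSS table are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed placeholders: a real stack rotates the secret and tunes the table.
SECRET = b"constructed-demo-secret-rotate-me"
MSS_TABLE = [536, 1300, 1440, 1460]   # index must fit in 3 bits (at most 8 entries)


def _cookie_hash(src, dst, sport, dport, t):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    msg = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + struct.pack("!HHI", sport, dport, t))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_mss, now):
    """Build the ISN for the SYN-ACK; nothing is stored per connection."""
    t = (int(now) // 64) & 0x1F                        # 5-bit counter of 64-second slots
    # largest table MSS not exceeding what the client offered
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (idx << 24) | _cookie_hash(src, dst, sport, dport, t)


def check_syn_cookie(src, dst, sport, dport, ack, now, max_age_slots=2):
    """Validate the handshake ACK; return the MSS to use, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF                    # the client acks ISN + 1
    t, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((int(now) // 64) & 0x1F) - t) & 0x1F       # slot difference, wraps mod 32
    if age > max_age_slots:
        return None                                    # stale or replayed cookie
    if h != _cookie_hash(src, dst, sport, dport, t):
        return None                                    # forged, or wrong 4-tuple
    return MSS_TABLE[idx]
```

Because the ACK is validated purely from the cookie, a flood of SYNs costs the server one hash per packet and no memory, which is exactly the resource the flood tries to exhaust.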
Application attacks (Layer 7)
Lower volume but harder to filter. The attacker sends valid-looking HTTP requests — but at a rate that overwhelms the application.
- HTTP flood — many GET or POST requests, often to expensive endpoints (search, login).
- Slowloris — open connections and dribble bytes slowly, holding server slots open without ever finishing the request.
- Login brute-forcing combined with abuse — looks like normal traffic but hammers expensive auth paths.
Defense: WAF rules, rate limiting per IP / per fingerprint, CAPTCHA for suspicious patterns.
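The per-IP rate limiting mentioned here (and again in the site-owner checklist below) is usually a token bucket, with expensive endpoints such as login and search charged more than static pages. This added example is not from the original page: it replays a constructed access log through one bucket per source IP and produces the blocked-request counts a monitoring alert would key on; the bucket size, refill rate and endpoint costs are assumptions.

```python
from collections import defaultdict

# Constructed access-log sample (timestamp ip method path); not from a real server.
SAMPLE_LOG = """\
0.00 198.51.100.9 POST /login
0.05 203.0.113.7 GET /
0.10 198.51.100.9 POST /login
0.15 203.0.113.7 GET /about
0.20 198.51.100.9 POST /login
0.30 198.51.100.9 POST /login
"""

# Assumed cost model: expensive endpoints burn more of the per-IP budget.
COST = {"/login": 5, "/search": 5}


class TokenBucket:
    """Per-client budget: `capacity` tokens, refilled at `rate` tokens per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now, cost=1):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def run_limiter(log_text, capacity=10, rate=2.0):
    """Replay the log through one bucket per source IP; yield (ip, path, allowed)."""
    buckets = defaultdict(lambda: TokenBucket(capacity, rate))
    verdicts = []
    for line in log_text.splitlines():
        ts, ip, _method, path = line.split()
        verdicts.append((ip, path, buckets[ip].allow(float(ts), COST.get(path, 1))))
    return verdicts


def blocked_by_ip(verdicts):
    """Monitoring view: rejected requests per IP, the number to page on."""
    counts = defaultdict(int)
    for ip, _path, allowed in verdicts:
        if not allowed:
            counts[ip] += 1
    return dict(counts)
```

With these settings the client hammering /login gets two requests through and is then throttled, while the client browsing cheap pages is never touched.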
Why DDoS keeps working
A few reasons:
- The internet is asymmetric. A 100 Gbps server costs $X/month. A 100 Gbps attack costs vastly less than $X/month from a botnet — the attacker isn't paying for the bandwidth, the compromised devices' owners are.
- Reflection multiplies attack capacity. Sending a 10-byte DNS query that produces a 5,000-byte response is a 500x amplification. An attacker with modest resources can cause massive damage by abusing one open server.
- Detection is hard. A flood of "valid-looking HTTP requests" can be impossible to distinguish from legitimate traffic without behavioral analysis.
- Botnets keep growing. Every new IoT device with default credentials is a future participant in some DDoS botnet.
How modern protection works
The dominant pattern in 2026 is anycast scrubbing networks:
- The protected site's IPs are announced via anycast from a global network of data centers.
- Attack traffic targeting that IP gets distributed across hundreds of locations — automatically, by routing.
- At each location, traffic passes through scrubbing infrastructure that filters obvious attack patterns.
- Clean traffic forwards to the origin; attack traffic is dropped at the edge.
The math: a 1 Tbps attack, if anycast-distributed across 300 data centers, becomes ~3 Gbps per location. Each location's filtering stack handles that easily. The attack drowns in the network's capacity.
Cloudflare, Akamai, AWS Shield, Google Cloud Armor, and similar services all operate this way. They're effectively distributed sponges with the capacity to absorb anything ever observed.
For sites not behind a major CDN, defense is much harder. Smaller VPS providers can be taken down with a few hundred Gbps, as can many enterprise data centers. This is why "always front your service with a major CDN" is the universal advice for any internet-facing service that might attract attention.
The economics of attack
The attacker side has its own market:
- Free / leaked tools — basic scripts available openly. Capacity: a few Gbps, takes down small sites.
- Booter services — rent attack capacity. $20–500/month for hundreds of Gbps. Most are technically illegal but remain easy to find.
- Botnet rentals — black-market access to compromised device pools. Tens of thousands of IoT devices: tens of Gbps from any single bot, hundreds aggregated.
- Sophisticated state actors — operate at the largest scales observed. Rare but extreme.
The defender side has its own pricing:
- Free tier on Cloudflare — full DDoS protection at no cost for personal sites. The limits are contractual (terms of service), not technical capacity.
- Enterprise CDN contracts — six-figure annual deals for guaranteed protection, faster response, and dedicated capacity.
- Specialized providers like Project Shield (Google's program for journalism and civil society) — free for non-profits and protected speech.
For most small sites, free Cloudflare is genuinely sufficient. For larger commercial sites, paying for explicit DDoS guarantees becomes worth it.
What you can do as a site owner
Listed roughly in order of impact:
- Front your site with Cloudflare or a similar service. Fifteen minutes of setup, free, eliminates 99% of DDoS scenarios.
- Don't expose origin IPs. If your origin's IP becomes public, attackers can bypass the CDN. Keep origins firewalled to allow only CDN IP ranges.
- Rate-limit at the edge. Limit per-IP request rates for expensive endpoints (search, login, API).
- Cache aggressively. A page served from cache costs nothing; a page served fresh costs database calls. Make as much cacheable as possible.
- Use modern stacks. HTTP/3, TLS 1.3, and async server frameworks all handle high concurrency better than legacy gear.
- Monitor. Get paged on traffic anomalies. The first ten minutes of a DDoS are when intervention matters most.
What you can't do alone: absorb a 100+ Gbps attack on a single server. That requires a network bigger than the attack.
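The "don't expose origin IPs" item above is enforced at the origin's own firewall: on the web ports, accept only the CDN's published source ranges and drop everything else, so a leaked origin address cannot be hit directly. This added example (not the page's or any provider's code) renders that policy as an nftables ruleset and models its decision; it assumes an nftables host, and the CDN ranges shown are documentation prefixes standing in for the provider's real list.

```python
import ipaddress

# Constructed placeholders (RFC 5737 / RFC 3849 documentation prefixes); a real
# deployment loads the CDN provider's published ranges and refreshes them.
CDN_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8:100::/48"]
WEB_PORTS = (80, 443)


def _split_by_version(ranges):
    nets = [ipaddress.ip_network(r) for r in ranges]
    return ([str(n) for n in nets if n.version == 4],
            [str(n) for n in nets if n.version == 6])


def render_nft_ruleset(ranges=CDN_RANGES, ports=WEB_PORTS):
    """Emit an nftables ruleset: web ports accept CDN sources only, drop the rest."""
    v4, v6 = _split_by_version(ranges)
    plist = ", ".join(str(p) for p in ports)
    out = ["table inet origin_guard {"]
    for name, typ, elems in (("cdn_v4", "ipv4_addr", v4), ("cdn_v6", "ipv6_addr", v6)):
        if elems:   # skip address families with no ranges (empty sets are invalid)
            out += [f"  set {name} {{", f"    type {typ}", "    flags interval",
                    f"    elements = {{ {', '.join(elems)} }}", "  }"]
    out += ["  chain input {",
            "    type filter hook input priority filter; policy accept;",
            "    ct state established,related accept"]
    if v4:
        out.append(f"    tcp dport {{ {plist} }} ip saddr @cdn_v4 accept")
    if v6:
        out.append(f"    tcp dport {{ {plist} }} ip6 saddr @cdn_v6 accept")
    out += [f"    tcp dport {{ {plist} }} drop", "  }", "}"]
    return "\n".join(out)


def origin_accepts(src, dport, ranges=CDN_RANGES, ports=WEB_PORTS):
    """Model the ruleset's decision for one inbound SYN (True = accepted)."""
    if dport not in ports:
        return True                      # other ports are outside this guard
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in map(ipaddress.ip_network, ranges) if n.version == ip.version)
```

Load the rendered text with `nft -f`, and keep a job that re-renders it when the CDN's range list changes, or legitimate CDN nodes will start being dropped.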
What you can do as a user
DDoS is a server-side problem. As a user, you're rarely the target — except in two specific situations:
- Streamers and competitive gamers. People DDoS individual home IPs to knock specific players offline. Solution: use a VPN that masks your real IP, especially the kind designed for gaming with low latency. Some game services offer "voice IP hiding" features for this exact reason.
- Journalists, activists, public figures. If you're publicly visible and someone wants to silence you, your home connection or self-hosted services can be targeted. Solution: don't self-host visibly; use Cloudflare or a similar service in front of anything publicly addressed.
For everyone else: you're not the target.
Quick FAQ
Is "DDoSing" someone illegal? Yes, in essentially every jurisdiction. Computer Fraud and Abuse Act in the US, equivalent laws elsewhere. People go to prison for this.
What's the difference between DoS and DDoS? DoS is from one source. DDoS is from many. The "distributed" part is what makes it hard to filter — you can't just block one IP.
Can I DDoS-test my own site? Yes, but with cooperation from your provider. Cloudflare and others offer test tools. Don't spin up your own attack against random infrastructure even for testing — even self-hosted gear may be on shared networks where collateral damage matters.
Why don't ISPs filter spoofed traffic? BCP 38 ("source address validation") would prevent reflection attacks if all ISPs implemented it. Many don't, because there's no incentive — the attack is on someone else's infrastructure, not theirs. Slow industry progress.
Is there a "next big DDoS attack" that'll be worse? Always. Attack capacity grows roughly as fast as defense capacity — but the upper bound on attack is the size of botnets, which grows with new vulnerable devices. Every IoT firmware bug is a potential future participant.
TL;DR
- DDoS = floods of traffic, requests, or state designed to overwhelm a target.
- Three categories: volumetric (raw bytes), protocol (TCP/UDP weakness), application (Layer 7).
- Defense at scale = anycast scrubbing networks bigger than any plausible attack.
- For site owners: front with Cloudflare or similar; don't expose origin IPs.
- For users: rarely a direct target unless you're a streamer, gamer, or public figure.
The asymmetry of the internet means DDoS keeps being effective. The defense is to be on the right side of the asymmetry — behind a network bigger than the attack.