What Is a DDoS Attack? How It Works and How It Is Stopped
Overwhelming a Service Until It Cannot Respond
A DDoS (Distributed Denial of Service) attack tries to make a website or service unavailable by flooding it with overwhelming traffic from many sources at once. Because the traffic comes from large numbers of distributed machines, it cannot be stopped by simply blocking one address. The goal is to exhaust the target's bandwidth, connections, or server resources so legitimate users cannot get through.
If you think a site is being hit, you can check whether it is actually down for everyone with our Is It Down tool, and look up the network behind an address with IP Lookup. For what an exposed IP enables, see IP address security.
DoS vs DDoS
A DoS (Denial of Service) attack comes from a single source, while a DDoS attack is distributed across many sources at the same time. The distributed nature makes a DDoS far harder to mitigate, because there is no single origin to block and the combined volume can be much larger. Attackers usually reach that scale using a botnet.
What Is a Botnet?
A botnet is a network of internet-connected devices that have been compromised with malware and can be controlled remotely by an attacker. The attacker directs all of these machines to send traffic at a target simultaneously, generating the volume behind a DDoS attack. The owners of the infected devices usually have no idea their machine is taking part, which is one reason poorly secured routers and IoT devices are a risk.
The Three Main Types of DDoS Attack
DDoS attacks are commonly grouped into three categories. Volumetric attacks saturate bandwidth with sheer traffic. Protocol attacks exhaust server or network-equipment resources, such as a SYN flood that targets the TCP handshake. Application-layer attacks target a specific application by mimicking legitimate requests so they are hard to tell apart from real users. Some volumetric attacks also use amplification, exploiting protocols like DNS or NTP to turn a small request into a large response aimed at the victim.
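To make the protocol-attack category concrete from the defender's side, here is an added example (not code from the original page) that reads a constructed connection-table snapshot in the style of ss or netstat output and checks for the SYN flood signature the text describes: a table dominated by half-open connections stuck in SYN-RECV after the first step of the TCP handshake. The sample lines, the state names and the thresholds are all assumptions made for the illustration. It also reports how many half-open connections each source holds, which shows why per-address blocking does not help when the sources are spread out or spoofed: every flooding address appears only once.

```python
from collections import Counter

# Constructed connection-table snapshots (state, peer address:port), written
# in the spirit of `ss -tan` output. These are not real captures.
ATTACK_SAMPLE = """\
ESTAB      203.0.113.10:51234
ESTAB      203.0.113.11:51235
ESTAB      203.0.113.12:51236
SYN-RECV   198.51.100.1:40001
SYN-RECV   198.51.100.2:40002
SYN-RECV   198.51.100.3:40003
SYN-RECV   198.51.100.4:40004
SYN-RECV   198.51.100.5:40005
SYN-RECV   198.51.100.6:40006
SYN-RECV   198.51.100.7:40007
SYN-RECV   198.51.100.8:40008
"""

BENIGN_SAMPLE = """\
ESTAB      203.0.113.10:51234
ESTAB      203.0.113.11:51235
ESTAB      203.0.113.12:51236
ESTAB      203.0.113.13:51237
ESTAB      203.0.113.14:51238
ESTAB      203.0.113.15:51239
SYN-RECV   203.0.113.16:51240
"""


def parse_connections(text):
    """Turn snapshot lines into (state, source_host) pairs, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        state, peer = parts
        host, _, _port = peer.rpartition(":")  # tolerate hosts without a port
        rows.append((state, host or peer))
    return rows


def half_open_summary(rows):
    """Return (half_open_count, total_count, per_source_half_open_counter)."""
    half_open = [host for state, host in rows if state == "SYN-RECV"]
    return len(half_open), len(rows), Counter(half_open)


def syn_flood_indicator(rows, min_half_open=5, min_ratio=0.5):
    """True when half-open connections pass an absolute floor AND a share of the table.

    The ratio matters: a busy but healthy server also has some SYN-RECV entries,
    so the absolute count alone is a noisy signal. Thresholds are assumptions.
    """
    half, total, _ = half_open_summary(rows)
    if total == 0:
        return False
    return half >= min_half_open and half / total >= min_ratio


if __name__ == "__main__":
    for name, sample in (("attack", ATTACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        rows = parse_connections(sample)
        half, total, per_src = half_open_summary(rows)
        busiest = per_src.most_common(1)[0][1] if per_src else 0
        print(f"{name}: {half}/{total} half-open, max per source {busiest}, "
              f"flood={syn_flood_indicator(rows)}")
```

In the attack sample the indicator fires while no single source holds more than one half-open connection, which is the situation that makes the distributed form of the attack hard to block by address.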
How DDoS Attacks Are Mitigated
Common defenses include rate limiting (capping how many requests a single source can make), traffic scrubbing (filtering out malicious traffic before it reaches the target), and using anycast networks or a CDN to absorb and spread the load across many distributed servers. The aim is to distinguish and drop attack traffic while keeping legitimate requests flowing. Keeping devices patched and not exposing unnecessary open ports also reduces the pool of machines attackers can recruit.
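The first defense listed above, rate limiting, is small enough to show in full. The following is an added example, not code from the original page: a per-source token bucket applied to a constructed request log. The log, the addresses and the bucket parameters (5 burst tokens, refilling at 2 per second) are assumptions chosen for the illustration. A steady legitimate client making one request per second never runs out of tokens, while a source that fires a burst of 20 requests in the same instant gets its first five through and the rest dropped, which is exactly the "drop attack traffic while keeping legitimate requests flowing" goal the text describes.

```python
from collections import defaultdict

# Constructed request log: "<timestamp_seconds> <source_ip> <path>". Not real traffic.
# 203.0.113.5 is a steady client; 198.51.100.20 bursts 20 requests at t=3.0.
SAMPLE_LOG = "\n".join(
    [f"{t}.0 203.0.113.5 /index.html" for t in range(10)]
    + ["3.0 198.51.100.20 /index.html"] * 20
)


class TokenBucket:
    """Classic token bucket: `capacity` tokens max, `refill_per_sec` added over time."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)  # a new source starts with a full bucket
        self.last = now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_log(text):
    """Return (timestamp, source_ip, path) tuples sorted by time, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, src, path = parts
        try:
            events.append((float(ts), src, path))
        except ValueError:
            continue
    events.sort(key=lambda e: e[0])  # stable sort keeps same-timestamp order
    return events


def apply_rate_limit(events, capacity=5, refill_per_sec=2.0):
    """Run every request through its source's bucket; return {src: (allowed, dropped)}."""
    buckets = {}
    allowed = defaultdict(int)
    dropped = defaultdict(int)
    for ts, src, _path in events:
        bucket = buckets.get(src)
        if bucket is None:
            bucket = buckets[src] = TokenBucket(capacity, refill_per_sec, ts)
        if bucket.allow(ts):
            allowed[src] += 1
        else:
            dropped[src] += 1
    return {src: (allowed[src], dropped[src]) for src in buckets}


if __name__ == "__main__":
    for src, (ok, dropped) in apply_rate_limit(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

Per-source buckets are the right shape for application-layer floods from a limited set of addresses; against a fully distributed flood where every request arrives from a different address, this kind of limiter alone is not enough, which is why the text pairs it with scrubbing and with absorbing load across anycast or CDN capacity.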
Frequently Asked Questions
What is a DDoS attack?
A DDoS, or Distributed Denial of Service, attack tries to make a website or service unavailable by flooding it with overwhelming traffic from many sources at once. Because the traffic comes from large numbers of distributed machines, it is hard to block by simply filtering one address. The goal is to exhaust the target's bandwidth, connections, or server resources so legitimate users cannot get through.
What is the difference between a DoS and a DDoS attack?
A DoS, or Denial of Service, attack comes from a single source, while a DDoS attack is distributed across many sources simultaneously. The distributed nature makes a DDoS far harder to mitigate, because there is no single origin to block and the combined volume can be much larger. Attackers typically achieve this scale using a botnet.
What is a botnet?
A botnet is a network of internet-connected devices that have been compromised with malware and can be controlled remotely by an attacker. The attacker directs all these machines to send traffic at a target at the same time, generating the volume behind a DDoS attack. Owners of the infected devices usually have no idea their machine is participating.
What are the main types of DDoS attacks?
DDoS attacks are commonly grouped into three categories: volumetric attacks that saturate bandwidth with sheer traffic, protocol attacks that exhaust server or network-equipment resources such as SYN floods targeting the TCP handshake, and application-layer attacks that target a specific application by mimicking legitimate requests. Some volumetric attacks use amplification, exploiting protocols like DNS or NTP to turn a small request into a large response aimed at the victim.
How are DDoS attacks mitigated?
Common defenses include rate limiting (capping how many requests a source can make), traffic scrubbing (filtering out malicious traffic before it reaches the target), and using anycast networks or CDNs to absorb and spread the load across many distributed servers. The aim is to distinguish and drop attack traffic while keeping legitimate requests flowing. If you suspect a site is being hit, you can check whether it is actually down for everyone.