What Is a DDoS Attack?
A Distributed Denial-of-Service (DDoS) attack is a coordinated effort by multiple compromised hosts — forming a botnet — to overwhelm a target's resources and make it unavailable to legitimate users. Unlike a simple DoS attack launched from a single source (which is trivial to block by IP), DDoS attacks originate from thousands to millions of endpoints simultaneously, making source-based blocking ineffective.
The goal is always resource exhaustion: either flooding a network link with raw bandwidth, consuming stateful processing capacity in routers and firewalls, or burning server CPU cycles on processing malicious requests. In 2025, the largest recorded DDoS peaked at 5.6 Tbps; by 2026, campaigns routinely exceed 1 Tbps as IoT botnets grow and reflection attack surfaces expand.
Understanding the attack taxonomy is the prerequisite to building an effective defense. DDoS attacks fall into three fundamental categories based on which OSI layer they target.
The Three Categories of DDoS Attacks
Security practitioners organize DDoS attacks by the network layer they exploit:
- Volumetric attacks (L3/L4) — Saturate bandwidth by sending massive volumes of packets. Defense metric: bits per second (bps).
- Protocol attacks (L3/L4) — Exhaust connection state tables in firewalls, load balancers, and routers. Defense metric: packets per second (pps).
- Application-layer attacks (L7) — Mimic legitimate HTTP requests to exhaust web server threads, database connections, or application-specific resources. Defense metric: requests per second (rps).
This taxonomy matters because each category requires a different mitigation technique. A scrubbing center that can absorb 10 Tbps of volumetric traffic may still succumb to a 50,000 rps HTTP flood targeting a slow database query endpoint.
L3/L4 Network-Layer Attacks
SYN Flood
The SYN flood is the classic protocol attack. It exploits the TCP three-way handshake: an attacker sends a massive stream of SYN packets with spoofed source IPs. The server replies with SYN-ACK and waits for the final ACK that never arrives. Each half-open connection occupies a slot in the server's connection state table — typically limited to 65,535 simultaneous connections on Linux without tuning.
A 10 Gbps link can carry approximately 14.8 million 64-byte SYN packets per second. A single compromised server with a 1 Gbps uplink can generate 1.48 million pps; a 10,000-node botnet can theoretically send 14.8 billion pps — far exceeding any server's ability to process them.
Modern mitigation uses SYN cookies: the server encodes the connection state in the TCP sequence number rather than allocating a slot. No memory is consumed until the final ACK arrives with the valid cookie value.
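The stateless handshake above, worked through in code. This is an added example, not the page's or Zlycloud's code and not the Linux kernel's implementation: it keeps the classic bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash) but the HMAC construction, the MSS table, the fixed secret and the 64-second tick are assumptions chosen for illustration.

```python
import hashlib
import hmac
import socket
import struct
import time

# MSS values the 3-bit field can encode (index 0..7); an assumption for this example.
MSS_TABLE = [536, 1220, 1300, 1440, 1460, 4312, 8960, 9000]
# Fixed so the example is deterministic; a real server rotates this secret.
SECRET = b"example-syn-cookie-secret"
TICK_SECONDS = 64  # one counter tick; a cookie is accepted for the current and previous tick


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS)


def _hash24(saddr: str, sport: int, daddr: str, dport: int, tick: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, tick & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now=None) -> int:
    """Initial sequence number for the SYN-ACK. Nothing is stored on the server."""
    now = time.time() if now is None else now
    tick = _tick(now)
    # Encode the largest table MSS not exceeding what the client advertised
    # (falls back to the smallest entry if the client offered less).
    candidates = [i for i, mss in enumerate(MSS_TABLE) if mss <= client_mss]
    mss_idx = candidates[-1] if candidates else 0
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, tick)


def check_cookie(saddr, sport, daddr, dport, ack_seq, now=None):
    """Validate the handshake-completing ACK. Returns the MSS to use, or None if
    the cookie is forged, belongs to another 4-tuple, or is too old."""
    now = time.time() if now is None else now
    cookie = (ack_seq - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    cookie_tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    current = _tick(now)
    for tick in (current, current - 1):
        if (tick & 0x1F) == cookie_tick and _hash24(saddr, sport, daddr, dport, tick) == h:
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_cookie("203.0.113.7", 40000, "198.51.100.10", 443, 1460)
    mss = check_cookie("203.0.113.7", 40000, "198.51.100.10", 443, isn + 1)
    print(f"SYN-ACK seq={isn:#010x}, accepted MSS={mss}")
```

Because the server recomputes the hash from the ACK's own 4-tuple, a spoofed SYN that never completes costs nothing, and an ACK that arrives after the freshness window (two ticks here) is simply dropped. The price is that only the MSS survives the round trip; other options the SYN carried are lost, which is why kernels enable cookies only once the backlog fills.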
UDP Flood
UDP is stateless and connectionless, making it trivially easy to spoof. Attackers send high-rate UDP packets to random ports on the target. The victim OS must check each packet, find no listening service, and send an ICMP "port unreachable" reply — consuming CPU and outbound bandwidth simultaneously. A 100 Gbps UDP flood from a botnet saturates both the inbound network link and the server's packet-processing pipeline.
ICMP Flood (Ping Flood)
Sending a high volume of ICMP Echo Request packets forces the target to process and respond to each one. While bandwidth-limited modern links reduce the effectiveness of ICMP floods as standalone attacks, attackers chain them with other vectors in multi-vector campaigns. ICMP floods with large payloads (65,507 bytes maximum) also stress kernel buffer allocation.
Amplification Attacks: When 1 Gbps Becomes 500 Gbps
Amplification attacks abuse stateless UDP protocols that return much larger responses than the request that triggers them. The attacker spoofs the victim's IP as the source, sending small requests to thousands of open servers. Those servers reply to the victim with amplified responses — turning a small attack into a massive one.
NTP Amplification
The NTP monlist command (deprecated but still present on unpatched servers) returns up to 600 IP addresses that recently queried the server. A 234-byte request generates a 48,000-byte response — an amplification factor of 206×. With 100,000 open NTP servers, a 1 Mbps botnet uplink can generate approximately 200 Gbps of attack traffic aimed at the victim.
DNS Amplification
Open DNS resolvers respond to ANY queries with large DNS responses containing all record types. A 40-byte DNS query for a domain with many records can return a 3,000-byte response — a 70× amplification factor. DNS amplification remains widespread because there are millions of misconfigured open resolvers on the public internet.
⚠ Amplification Attack Reality Check
The largest DDoS ever recorded (5.6 Tbps, November 2024, targeting a Cloudflare customer) was a UDP flood — not an amplification attack. Volumetric attacks from massive IoT botnets now rival reflection amplification in peak bandwidth.
Memcached Amplification
Memcached servers listening on UDP port 11211 can return up to 1 MB in response to a 15-byte stats request — an amplification factor exceeding 51,000×. The 2018 GitHub attack reached 1.35 Tbps using Memcached amplification from ~17,000 servers. Memcached should never be exposed to the public internet, yet misconfigured instances persist.
L7 Application-Layer Attacks
Application-layer attacks are the most insidious because individual requests look legitimate. No bandwidth anomaly triggers upstream ISP alarms. The damage is measured in server CPU exhaustion, database connection pool depletion, and backend service timeouts.
HTTP Flood
An HTTP flood sends a large volume of GET or POST requests to a target URL — typically an expensive endpoint like a search page, product listing, or API that triggers complex database queries. Unlike volumetric attacks, HTTP floods can be conducted from a small botnet at low bandwidth: 10,000 requests per second at 2 KB each is only 160 Mbps, but if each request triggers a 500ms database query, it saturates a server with 5,000 concurrent threads.
Sophisticated HTTP floods rotate User-Agent strings, accept headers, and referrer values to defeat simple signature matching.
Slowloris
Slowloris, developed by Robert Hansen in 2009, keeps web server connections open by sending partial HTTP headers at extremely slow rates — one byte every 15 seconds, just fast enough to prevent timeout. With keep-alive connections, a single Slowloris instance on a 56k modem can occupy all available Apache connection slots (typically 150-500 by default), making the server inaccessible to legitimate users without consuming significant bandwidth.
Mitigation requires setting aggressive connection timeouts and using event-driven servers (nginx, Caddy) instead of thread-per-connection architectures (Apache prefork).
Slow POST Attack
Similar to Slowloris but targeting HTTP POST requests. The attacker sends a legitimate POST header with a large Content-Length value, then sends the body at extremely low rates. Web application frameworks typically read the entire POST body before processing — holding server threads open indefinitely.
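The two mitigations named above for Slowloris and slow POST (per-phase connection deadlines on an event-driven server) in code. This is an added example, not the page's code and not how nginx or Apache implement their timeouts: it uses asyncio streams, and the timeout values, header cap and body cap are assumptions picked for illustration. The key design point is that each deadline covers a whole phase (all headers, then the whole body), so trickling one byte at a time cannot keep resetting it.

```python
import asyncio

HEADER_TIMEOUT = 5.0   # seconds the whole header block may take to arrive
BODY_TIMEOUT = 10.0    # seconds the whole body may take to arrive
MAX_HEADER = 8 * 1024  # bytes of header buffered before the client is cut off
MAX_BODY = 64 * 1024   # largest Content-Length accepted


class RequestRejected(Exception):
    def __init__(self, reason: str, status: int):
        super().__init__(reason)
        self.reason, self.status = reason, status


def _content_length(raw_headers: bytes) -> int:
    length = 0
    for line in raw_headers.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            try:
                length = int(value.strip())
            except ValueError:
                raise RequestRejected("malformed Content-Length", 400)
    if length < 0 or length > MAX_BODY:
        raise RequestRejected("declared body exceeds limit", 413)
    return length


async def read_request(reader, header_timeout=HEADER_TIMEOUT, body_timeout=BODY_TIMEOUT):
    """Return (raw_headers, body), or raise RequestRejected.

    A Slowloris client never completes the header block before header_timeout;
    a slow-POST client that declares a large Content-Length hits MAX_BODY or
    body_timeout. Either way the connection is released, not parked on a worker."""
    try:
        raw = await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), header_timeout)
    except asyncio.TimeoutError:
        raise RequestRejected("header block not completed in time", 408)
    except asyncio.LimitOverrunError:
        raise RequestRejected("header block too large", 431)
    except asyncio.IncompleteReadError:
        raise RequestRejected("client closed before completing headers", 400)
    length = _content_length(raw)
    try:
        body = await asyncio.wait_for(reader.readexactly(length), body_timeout)
    except asyncio.TimeoutError:
        raise RequestRejected("body not completed in time", 408)
    except asyncio.IncompleteReadError:
        raise RequestRejected("client closed mid-body", 400)
    return raw, body


async def handle(reader, writer):
    try:
        headers, body = await read_request(reader)
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    except RequestRejected as exc:
        writer.write(f"HTTP/1.1 {exc.status} {exc.reason}\r\nConnection: close\r\n\r\n".encode())
    finally:
        writer.close()


def simulate(data: bytes, header_timeout=HEADER_TIMEOUT, body_timeout=BODY_TIMEOUT) -> str:
    """Model a client that sends `data` and then stalls forever; report the outcome."""
    async def run():
        reader = asyncio.StreamReader(limit=MAX_HEADER)
        reader.feed_data(data)
        try:
            await read_request(reader, header_timeout, body_timeout)
            return "accepted"
        except RequestRejected as exc:
            return exc.reason
    return asyncio.run(run())


if __name__ == "__main__":
    async def serve():
        server = await asyncio.start_server(handle, "127.0.0.1", 8080, limit=MAX_HEADER)
        async with server:
            await server.serve_forever()
    asyncio.run(serve())
```

`simulate()` exercises the policy without sockets: a complete request is accepted, a header block that never terminates or a body that never arrives is cut off at the phase deadline, and an oversized declared body is refused before any of it is read.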
Credential Stuffing as DDoS
Large-scale credential stuffing campaigns — where attackers test billions of username/password combinations leaked from data breaches — simultaneously function as L7 DDoS attacks. Each login attempt triggers authentication logic, session generation, and database queries. A 50,000 requests/second credential stuffing campaign will exhaust authentication server capacity even if the success rate is near zero.
Attack Metrics: Why Mpps Often Matters More Than Tbps
Network engineers instinctively think about bandwidth (bps), but modern DDoS attacks often win on packets per second (pps), not raw bandwidth.
Every packet — regardless of size — consumes CPU cycles for processing: interrupt handling, kernel network stack traversal, routing table lookup, and connection state management. A router that can forward 100 Gbps of large packets may only forward 5 Gbps of 64-byte minimum-size packets before its packet-per-second forwarding rate is exhausted.
Mpps Math
A 10 Gbps link carries a maximum of 14.88 Mpps of minimum-size (64-byte) Ethernet frames. At 1,500-byte MTU, the same 10 Gbps link carries only 833,000 pps. A SYN flood using 64-byte packets at 14.88 Mpps sends 10 Gbps of traffic but consumes packet-processing slots at 18× the rate of large-packet traffic on the same bandwidth.
This is why Zlycloud's infrastructure reports both Tbps and Mpps capacity — and why mitigation systems must handle hundreds of Mpps, not just peak bandwidth.
Modern DDoS Mitigation Stack
BGP Anycast Routing
The foundation of cloud DDoS mitigation is BGP anycast: announcing the same IP prefix from multiple Points of Presence (PoPs) simultaneously. When an attack begins, traffic destined for the protected IP is naturally distributed across all PoPs by BGP routing. Instead of 5 Tbps hitting a single data center, it's 50 Gbps hitting each of 100 PoPs — manageable at each location.
BGP anycast also provides geographic traffic steering: users are routed to the nearest PoP, reducing latency while attack traffic is absorbed close to its source rather than transiting the entire internet.
Scrubbing Centers
During an attack, traffic can be redirected to dedicated scrubbing centers — high-capacity facilities with specialized DDoS mitigation hardware and software. Traffic enters the scrubbing center, malicious packets are discarded, and clean traffic is forwarded to the origin via a GRE tunnel or private MPLS circuit.
Modern scrubbing centers use purpose-built ASICs (Mellanox, Marvell) capable of processing hundreds of Gbps at line rate with per-packet filtering rules.
Challenge-Based Mitigation
For L7 attacks, network-layer scrubbing is insufficient. Challenge-based mitigation presents clients with computational or behavioral challenges:
- CAPTCHA challenge — Requires human visual recognition. High friction for legitimate users; ineffective against human-assisted botnets.
- JavaScript challenge — Browser executes a JS script that solves a computational puzzle and sets a challenge cookie. Transparent to real users; blocks headless browsers and simple HTTP clients.
- Proof-of-Work (PoW) — Client must solve a hash-based puzzle (SHA-256 with target difficulty) before the request is forwarded. Increases CPU cost per request for attackers while adding only ~100ms latency for legitimate users.
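The proof-of-work mitigation from the list above as a complete issue/solve/verify exchange. This is an added example, not the page's or any vendor's challenge protocol: the token format (an HMAC-signed challenge string carrying client id, difficulty, expiry and nonce), the leading-zero-bits convention for SHA-256 difficulty, and the in-memory replay set are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # per-process secret; rotate it in production
_spent_nonces = set()         # replay guard; a bounded store (e.g. TTL cache) in practice


def issue_challenge(client_id: str, difficulty: int, ttl: int = 60, now=None) -> dict:
    """Server side: a signed challenge the client must solve before the request is forwarded."""
    now = int(time.time()) if now is None else int(now)
    nonce = base64.b16encode(os.urandom(8)).decode()
    challenge = f"{client_id}|{difficulty}|{now + ttl}|{nonce}"
    tag = hmac.new(SERVER_KEY, challenge.encode(), hashlib.sha256).hexdigest()
    return {"challenge": challenge, "tag": tag, "difficulty": difficulty}


def _leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def _work_hash(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}|{counter}".encode()).digest()


def solve_challenge(challenge: dict) -> int:
    """Client side: brute-force a counter whose hash has `difficulty` leading zero bits.
    Expected cost is about 2**difficulty hashes; verification is a single hash."""
    counter = 0
    while _leading_zero_bits(_work_hash(challenge["challenge"], counter)) < challenge["difficulty"]:
        counter += 1
    return counter


def verify_solution(client_id: str, challenge: str, tag: str, counter: int, now=None) -> bool:
    """Server side: check (tag compared in constant time) that we issued this challenge,
    it is unexpired and unused, bound to this client, and the work meets the difficulty we set.
    The difficulty is read from the signed challenge, so the client cannot lower it."""
    now = int(time.time()) if now is None else int(now)
    expected = hmac.new(SERVER_KEY, challenge.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                       # forged or tampered challenge
    cid, difficulty, expires, nonce = challenge.split("|")
    if cid != client_id or now > int(expires) or nonce in _spent_nonces:
        return False
    if _leading_zero_bits(_work_hash(challenge, counter)) < int(difficulty):
        return False
    _spent_nonces.add(nonce)
    return True


if __name__ == "__main__":
    ch = issue_challenge("198.51.100.5", 16)
    start = time.perf_counter()
    ctr = solve_challenge(ch)
    print(f"solved in {time.perf_counter() - start:.3f}s, counter={ctr}, "
          f"valid={verify_solution('198.51.100.5', ch['challenge'], ch['tag'], ctr)}")
```

Binding the challenge to a client identifier and spending the nonce on first use are what make the cost per request stick: without them a bot can solve once and replay the solution, or farm solutions out and reuse them across connections.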
AI/ML Behavioral Baseline and Adaptive Rate Limiting
Static rules and signature matching struggle against adaptive attacks. Modern DDoS mitigation platforms use machine learning to establish baseline behavioral profiles for each protected application:
- Normal requests per second per endpoint
- Geographic distribution of legitimate users
- Typical request size distributions
- Expected protocol field values (TTL ranges, window sizes, TCP option sequences)
- Session-level behavior (time on page, navigation patterns)
When observed traffic deviates from baseline — spikes in rps, anomalous geographic distribution, malformed TCP options — the ML model adjusts mitigation thresholds automatically without requiring human intervention. Adaptive rate limiting targets specific source ASNs, URI paths, or request patterns rather than blanket blocking that harms legitimate users.
This approach is particularly effective against low-and-slow attacks that never trigger simple rate thresholds but steadily degrade performance. The ML baseline detects a 15% increase in response latency correlated with a 20% increase in requests from datacenter IP ranges — a pattern invisible to threshold-based rules.
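The detection described in the two paragraphs above, run over constructed access-log lines. This is an added example, not Zlycloud's model: it replaces the ML baseline with a simple statistical profile per endpoint (rps, mean latency, share of requests from datacenter ASNs) and shows why a static 2× rps threshold misses the scenario while a rule that correlates the three signals catches it and produces a targeted action. The log format, the ASNs tagged as "datacenter" and the rise thresholds are assumptions for this example; AS64496 and AS64500 are from the range reserved for documentation.

```python
import statistics
from collections import Counter, defaultdict

# Assumption: these ASNs are tagged "hosting/datacenter" by an IP-intelligence feed.
DATACENTER_ASNS = {64500, 64501}


def make_sample_log():
    """Constructed access-log lines: 60 s of calm traffic, then 60 s in which /search
    receives 20% more requests (all from a datacenter ASN) and answers 15% slower."""
    lines = []
    for sec in range(120):
        attack = sec >= 60
        for i in range(5):                       # 5 rps of residential /search traffic
            n = sec * 5 + i
            lines.append(f"{sec}.{i}00 203.0.113.{n % 200 + 1} AS64496 /search 200 "
                         f"{(138 if attack else 120) + n % 5}")
        if attack:                               # +1 rps from a hosting ASN during the attack window
            lines.append(f"{sec}.500 198.51.100.{sec % 50 + 1} AS64500 /search 200 {138 + sec % 5}")
        for i in range(10):                      # 10 rps of /home traffic, unchanged throughout
            n = sec * 10 + i
            lines.append(f"{sec}.0{i} 203.0.113.{n % 200 + 1} AS64496 /home 200 {40 + n % 5}")
    return lines


def parse(line):
    ts, ip, asn, path, status, latency = line.split()
    return {"ts": float(ts), "ip": ip, "asn": int(asn[2:]), "path": path,
            "status": int(status), "latency": float(latency)}


def window_profile(records, start, end):
    """Per-endpoint profile over [start, end): rps, mean latency, datacenter share,
    and the datacenter ASN contributing the most requests."""
    by_path = defaultdict(list)
    for r in records:
        if start <= r["ts"] < end:
            by_path[r["path"]].append(r)
    profile = {}
    for path, recs in by_path.items():
        dc = Counter(r["asn"] for r in recs if r["asn"] in DATACENTER_ASNS)
        profile[path] = {
            "rps": len(recs) / (end - start),
            "latency": statistics.fmean(r["latency"] for r in recs),
            "dc_share": sum(dc.values()) / len(recs),
            "top_dc_asn": dc.most_common(1)[0][0] if dc else None,
        }
    return profile


def threshold_rule(baseline, current, factor=2.0):
    """What a static rule sees: endpoints whose rps exceeds `factor` times baseline."""
    return [p for p, cur in current.items()
            if p in baseline and cur["rps"] >= factor * baseline[p]["rps"]]


def correlated_rule(baseline, current, rps_rise=0.15, latency_rise=0.10, dc_rise=0.10):
    """Flag an endpoint only when a modest request increase, slower responses and a
    shift toward datacenter sources occur together; each signal alone is ignored."""
    findings = []
    for path, cur in current.items():
        base = baseline.get(path)
        if not base:
            continue
        rps_delta = cur["rps"] / base["rps"] - 1
        latency_delta = cur["latency"] / base["latency"] - 1
        dc_delta = cur["dc_share"] - base["dc_share"]
        if rps_delta >= rps_rise and latency_delta >= latency_rise and dc_delta >= dc_rise:
            findings.append({"path": path, "rps_delta": rps_delta, "latency_delta": latency_delta,
                             "dc_delta": dc_delta,
                             # Targeted response: rate-limit the offending ASN on this path only.
                             "action": f"rate-limit AS{cur['top_dc_asn']} on {path}"})
    return findings


def analyse(lines, split=60.0, end=120.0):
    records = [parse(line) for line in lines]
    baseline = window_profile(records, 0.0, split)
    current = window_profile(records, split, end)
    return threshold_rule(baseline, current), correlated_rule(baseline, current)


if __name__ == "__main__":
    static, correlated = analyse(make_sample_log())
    print("static threshold flagged:", static)
    for f in correlated:
        print(f"{f['path']}: +{f['rps_delta']:.0%} rps, +{f['latency_delta']:.0%} latency, "
              f"+{f['dc_delta']:.0%} datacenter share -> {f['action']}")
```

On the constructed log the static rule returns nothing (6 rps against a 5 rps baseline is far below 2×), while the correlated rule flags only /search and proposes limiting AS64500 on that path; /home, which is unchanged, is left alone.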
Attack Type Comparison
| Attack Type | Layer | Protocol | Amplification | Detection Method | Mitigation Technique |
|---|---|---|---|---|---|
| SYN Flood | L4 | TCP | None | Half-open connection ratio | SYN cookies, rate limiting |
| UDP Flood | L3/L4 | UDP | None | Bandwidth anomaly, pps spike | Upstream null-route, anycast scrubbing |
| ICMP Flood | L3 | ICMP | None | ICMP packet rate | Rate limiting, ICMP blocking at edge |
| NTP Amplification | L3/L4 | UDP/NTP | 206× | Source port 123, large UDP | BCP38 filtering, rate-limit port 123 |
| DNS Amplification | L3/L4 | UDP/DNS | 70× | Source port 53, large UDP | RPZ, rate-limit DNS responses |
| Memcached Amp. | L3/L4 | UDP/11211 | 51,000× | Port 11211 traffic | Block UDP 11211 at transit, BCP38 |
| HTTP Flood | L7 | HTTP/S | None | rps anomaly, endpoint targeting | Rate limiting, JS challenge, PoW |
| Slowloris | L7 | HTTP | None | Slow header completion rate | Connection timeout, event-driven server |
| Credential Stuffing | L7 | HTTP/S | None | Auth failure rate, IP diversity | CAPTCHA, MFA, IP reputation |
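The "Detection Method" column of the table above, turned into a flow-record classifier for the network-layer rows and paired with the table's mitigations. This is an added example, not Zlycloud's detection pipeline: the flow-record shape, the rate and size thresholds, and the sample records (one host under a multi-vector attack, one host with ordinary traffic, all in documentation address ranges) are constructed for this example and would be tuned to the link being protected.

```python
from collections import defaultdict, namedtuple

# Constructed flow-record shape (roughly what a NetFlow/sFlow collector hands over).
Flow = namedtuple("Flow", "proto src sport dst dport packets bytes flags")
WINDOW = 10.0  # seconds covered by one batch of records

# Thresholds are assumptions for this example.
REFLECTOR_PORTS = {123: "ntp_amplification", 53: "dns_amplification", 11211: "memcached_amplification"}
MIN_REFLECTED_PPS = 1000
MIN_REFLECTED_SIZE = 400   # mean bytes per packet; reflected responses are large
MIN_SYN_PPS = 500
MIN_SYN_RATIO = 0.9        # share of TCP packets belonging to never-completed handshakes
MIN_ICMP_PPS = 200
MIN_UDP_FLOOD_PPS = 5000
ACTION = {
    "ntp_amplification": "rate-limit UDP source port 123 at the edge; push BCP38 to transit",
    "dns_amplification": "rate-limit large UDP/53 responses; response rate limiting on resolvers",
    "memcached_amplification": "drop UDP/11211 at transit",
    "syn_flood": "enable SYN cookies; rate-limit SYNs per source",
    "icmp_flood": "rate-limit ICMP at the edge",
    "udp_flood": "upstream null-route or divert to anycast scrubbing",
}


def summarise(flows):
    """Aggregate per destination: packet counts by category and by UDP source port."""
    per_dst = defaultdict(lambda: {"udp_sport": defaultdict(lambda: [0, 0]), "udp_pkts": 0,
                                   "udp_dports": set(), "syn_only": 0, "tcp_other": 0, "icmp": 0})
    for f in flows:
        s = per_dst[f.dst]
        if f.proto == "udp":
            s["udp_pkts"] += f.packets
            s["udp_dports"].add(f.dport)
            s["udp_sport"][f.sport][0] += f.packets
            s["udp_sport"][f.sport][1] += f.bytes
        elif f.proto == "tcp":
            if f.flags == "S":
                s["syn_only"] += f.packets   # SYN seen, handshake never completed
            else:
                s["tcp_other"] += f.packets
        elif f.proto == "icmp":
            s["icmp"] += f.packets
    return per_dst


def classify(flows, window=WINDOW):
    """Map each destination to the attack types its traffic matches, with the mitigation."""
    findings = {}
    for dst, s in summarise(flows).items():
        hits = []
        for sport, (pkts, byts) in s["udp_sport"].items():
            if (sport in REFLECTOR_PORTS and pkts / window >= MIN_REFLECTED_PPS
                    and byts / pkts >= MIN_REFLECTED_SIZE):
                hits.append(REFLECTOR_PORTS[sport])
        handshakes = s["syn_only"] + s["tcp_other"]
        if s["syn_only"] / window >= MIN_SYN_PPS and s["syn_only"] / handshakes >= MIN_SYN_RATIO:
            hits.append("syn_flood")
        if s["icmp"] / window >= MIN_ICMP_PPS:
            hits.append("icmp_flood")
        # UDP sprayed across many ports at high rate, counted apart from reflector-port traffic.
        reflected = sum(p for sp, (p, _) in s["udp_sport"].items() if sp in REFLECTOR_PORTS)
        if (s["udp_pkts"] - reflected) / window >= MIN_UDP_FLOOD_PPS and len(s["udp_dports"]) >= 100:
            hits.append("udp_flood")
        if hits:
            findings[dst] = [(h, ACTION[h]) for h in hits]
    return findings


def make_sample_flows():
    """Constructed records for a 10 s window: one host under a multi-vector attack
    (NTP reflection + SYN flood + ICMP flood + UDP spray) and one host serving normal traffic."""
    victim, clean = "198.51.100.10", "198.51.100.20"
    flows = []
    for i in range(200):   # 200 NTP reflectors answering spoofed queries: 500 pkts x 480 B each
        flows.append(Flow("udp", f"203.0.113.{i % 250 + 1}", 123, victim, 80, 500, 240000, ""))
    for i in range(1000):  # 1000 spoofed sources, SYN only, 10 pkts each
        flows.append(Flow("tcp", f"192.0.2.{i % 250 + 1}", 40000 + i, victim, 443, 10, 600, "S"))
    for i in range(20):    # 20 real clients that complete handshakes
        flows.append(Flow("tcp", f"203.0.113.{i + 1}", 50000 + i, victim, 443, 50, 40000, "SPAF"))
    for i in range(50):    # ICMP echo from 50 sources, 100 pkts each
        flows.append(Flow("icmp", f"192.0.2.{i + 1}", 0, victim, 0, 100, 8400, ""))
    for i in range(300):   # UDP sprayed across 300 high ports, 200 pkts each
        flows.append(Flow("udp", f"192.0.2.{i % 250 + 1}", 40000 + i, victim, 10000 + i, 200, 12800, ""))
    for i in range(30):    # normal web sessions to the clean host
        flows.append(Flow("tcp", f"203.0.113.{i + 1}", 51000 + i, clean, 443, 40, 30000, "SPAF"))
    for i in range(5):     # ordinary DNS replies: small and rare, below the reflection thresholds
        flows.append(Flow("udp", "203.0.113.53", 53, clean, 34000 + i, 1, 120, ""))
    return flows


if __name__ == "__main__":
    for dst, hits in classify(make_sample_flows()).items():
        for attack, action in hits:
            print(f"{dst}: {attack} -> {action}")
```

The reflection rules need both a reflector source port and a large mean packet size at volume, so the clean host's handful of ordinary DNS replies is not flagged; the SYN rule looks at the ratio of never-completed handshakes rather than raw SYN count, so a busy but healthy site does not trip it.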
Zlycloud's DDoS Mitigation Approach
Zlycloud's DDoS Protection is built on a global anycast network spanning 2,800+ Points of Presence across 120+ countries, with aggregate scrubbing capacity exceeding 10 Tbps. Traffic entering the network is inspected at line rate using a combination of:
- Flow-based analysis — NetFlow/sFlow telemetry identifies volumetric anomalies within 2 seconds of attack onset.
- Hardware-accelerated packet inspection — Custom ASIC pipelines filter SYN floods, UDP amplification, and protocol anomalies at hundreds of Mpps without introducing latency.
- Behavioral ML models — Trained on tens of billions of daily requests, updated continuously to detect novel attack patterns.
- Automatic mitigation activation — Attack detection and mitigation activation occur in under 10 seconds, limiting exposure time dramatically compared to the industry average of 10–15 minutes for manual intervention.
For L7 attacks, Zlycloud's Web Application Firewall and Bot Shield work in tandem with DDoS protection — applying JS challenges, proof-of-work, and behavioral scoring without requiring dedicated L7 mitigation hardware at the origin.
"The most dangerous DDoS attacks in 2026 are multi-vector: they combine a volumetric UDP flood to stress the network with a simultaneous L7 HTTP flood targeting a specific endpoint, while a Slowloris campaign occupies remaining server connections. Single-layer defenses fail against this approach."
Building a resilient defense requires defense-in-depth: network-layer scrubbing to handle volumetric attacks, protocol-layer defenses for state exhaustion, and intelligent L7 inspection for application attacks. No single control is sufficient against modern multi-vector campaigns.
For a deeper look at the web application threats that often accompany DDoS campaigns, see our guides on OWASP Top 10 2026 and ML-powered bot detection.
Stop DDoS Attacks Before They Reach Your Infrastructure
Zlycloud absorbs multi-terabit attacks at the network edge with sub-10-second mitigation activation. Protect your applications, APIs, and origin servers with our 10 Tbps scrubbing network across 2,800+ PoPs.