What is a DDoS Attack? How It Works + Real Attack Examples (2026 Guide)
What is a DDoS Attack? How It Works, All Types, Real Examples & How to Defend Against It (Complete 2026 Guide)
On February 5, 2025, Cloudflare's network absorbed the largest DDoS attack ever recorded — a 31.4 terabits-per-second flood of traffic that lasted just 35 seconds. To put that number in context: if you tried to download that much data on a home internet connection at 100 Mbps, it would take 35 years. Cloudflare's automated systems detected, analysed, and mitigated it before a human engineer had time to respond.
That single attack was 726% larger than the previous world record. And it was one of 47.1 million DDoS attacks that hit the global internet in 2025 — roughly 1.5 attacks every second. Seventy percent of all websites experienced at least one DDoS attack during the year.
DDoS attacks are no longer sophisticated operations requiring nation-state resources. They are a commodity threat — launched via DDoS-as-a-Service platforms for less than $20, powered by AI tools that automate target selection and attack optimisation, and used for everything from hacktivist political statements to ransomware accompaniment to competitor sabotage.
- What a DDoS attack is — and the simple analogy that explains it
- DoS vs DDoS — the critical difference
- How DDoS attacks work — botnets and the full attack chain
- The 3 types of DDoS attack — volumetric, protocol, application layer
- Amplification attacks — how attackers multiply their traffic
- AI-powered DDoS — the 2026 escalation
- Real attacks — GitHub, Dyn, record-breakers
- Who launches DDoS attacks and why
- How to defend against DDoS attacks
What a DDoS Attack Is — The Analogy That Explains It
A Distributed Denial of Service (DDoS) attack overwhelms a target — a website, server, API, or network — with so much fake traffic that it cannot respond to legitimate users. The service becomes unavailable to the people it is supposed to serve.
The best analogy: imagine a small restaurant that can seat 20 people. A competitor sends 200 people to fill every seat and stand in the entrance, ordering nothing and refusing to leave. Real customers cannot get in. The restaurant is not broken — it is overwhelmed. DDoS works exactly this way: the server is not compromised, no data is stolen, no vulnerability is exploited. The attack simply consumes all available resources — bandwidth, CPU, memory, connection limits — until nothing is left for legitimate traffic.
What makes it distributed is that the traffic comes from thousands or millions of different sources simultaneously — making it impossible to block by simply blocking one IP address. And those sources are not willing participants. They are infected devices — computers, routers, smart TVs, security cameras, even baby monitors — recruited into a botnet by malware and weaponised without their owners' knowledge.
DoS vs DDoS — The Critical Difference
A Denial of Service (DoS) attack comes from a single source — one computer sending enough traffic to overwhelm a target. This is easy to defend against: block that one IP address and the attack stops. It is also easy to trace and attribute.
A Distributed Denial of Service (DDoS) attack comes from thousands to millions of sources simultaneously. You cannot block them all without also blocking legitimate traffic from those geographic regions or IP ranges. The distributed nature is what makes DDoS both powerful and hard to mitigate. When a botnet of 1 million devices each sends modest amounts of traffic, the combined effect can overwhelm any single server — even a large one.
How DDoS Attacks Work — Botnets and the Full Attack Chain
What is a Botnet — and How Your Device Could Be Part of One
A botnet is a network of compromised internet-connected devices (called "bots" or "zombies") controlled by an attacker from a command-and-control (C2) server. The devices' owners are unaware their device is participating in attacks.
Devices join botnets through malware infection — a router running unpatched firmware, a security camera with default credentials, a home computer infected by a trojan, or a smart TV that downloaded a malicious update. Once infected, the device periodically checks in with the C2 server for instructions. When the botnet operator decides to launch an attack, they send a command to all bots: "Send traffic to this IP address at maximum rate."
The Mirai botnet (2016) was a watershed moment — it demonstrated that IoT devices (cameras, DVRs, routers) could be recruited by the millions. Mirai spread by scanning the internet for devices that still used default factory credentials and logging in with them. It recruited 600,000 devices and launched the attack that took down Dyn DNS and made Twitter, Reddit, Netflix, and Amazon unavailable across the eastern United States for hours.
In 2026, botnets have expanded far beyond PCs. An estimated 12.3 million DDoS-capable devices exist globally (A10 Networks) — including millions of IoT devices, cloud VMs rented by attackers, and compromised servers with significant bandwidth.
Here is how a DDoS attack is assembled and launched step by step:
Botnet Assembly
The attacker builds a botnet by spreading malware that recruits vulnerable devices — exploiting default credentials, unpatched firmware, or phishing. Each infected device becomes a bot that connects to the attacker's C2 server.
Reconnaissance
The attacker identifies the target's IP addresses, infrastructure, and bandwidth capacity. Modern DDoS services include reconnaissance attacks (short test floods) to measure what level of traffic causes disruption.
Attack Command
The attacker sends a command to all bots: attack target X with protocol Y at maximum rate. Each bot generates traffic towards the target. With 100,000 devices each generating 1 Mbps, the combined attack is 100 Gbps — enough to overwhelm most servers.
Traffic Flood
The target server is overwhelmed. Its CPU, memory, or network bandwidth hits 100% utilisation. Legitimate requests time out or cannot connect. The website goes down.
Extortion or Hacktivism
The attacker's goal is achieved — whether ransomware accompaniment, competitive sabotage, political disruption, or a ransom demand ("pay us or the attack continues").
The 3 Types of DDoS Attack
Volumetric Attacks — Flood the Bandwidth
Volumetric attacks overwhelm the target's internet connection by flooding it with more traffic than its bandwidth can handle. The goal is to exhaust the available bandwidth so no legitimate traffic can get through. Measured in bits per second (Gbps, Tbps), these are the attacks that make headlines with record-breaking sizes.
Common volumetric techniques include UDP floods (sending large numbers of UDP packets to random ports), ICMP floods (ping floods), and amplification attacks (explained below) that multiply the attacker's traffic by using third-party servers as amplifiers.
Protocol Attacks — Exhaust Server Resources
Protocol attacks exploit weaknesses in network protocols to exhaust server or network device resources — not necessarily by overwhelming bandwidth but by consuming processing capacity. The classic example is a SYN flood.
A normal TCP connection uses a three-way handshake: the client sends SYN, the server responds with SYN-ACK and reserves memory for the connection, then the client sends ACK to complete the connection. In a SYN flood, the attacker sends millions of SYN packets with spoofed source IP addresses. The server sends SYN-ACK responses and waits — but the acknowledgement never comes (because the source IP was fake). The server's connection table fills up with half-open connections, and it runs out of memory to accept new connections from legitimate users.
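A small Python model of the half-open queue described above, added here as an example and not code from the original article: 500 spoofed SYNs whose SYN-ACKs are never answered fill the backlog, so a legitimate client arriving one second later is refused until the entries time out. The same listener with SYN cookies (a standard kernel mitigation the article does not cover) stores nothing until a valid ACK returns, so the flood reserves no memory. Backlog size, timeout and secret are assumed values.

```python
import hashlib
import hmac

class Listener:
    """Toy model of a TCP listener's half-open (SYN) queue. Constructed example,
    not kernel code: backlog, timeout and secret are assumed values."""

    def __init__(self, backlog=128, syn_timeout=30.0, syn_cookies=False):
        self.backlog, self.syn_timeout, self.syn_cookies = backlog, syn_timeout, syn_cookies
        self.secret = b"constructed-secret"
        self.half_open = {}        # (src_ip, src_port) -> time the SYN-ACK was sent
        self.rejected = self.established = 0

    def _cookie(self, src, now):
        # SYN cookie: the server's initial sequence number is a MAC over the peer and a
        # coarse time bucket, so no state is stored until a matching ACK comes back.
        msg = f"{src[0]}:{src[1]}:{int(now // 64)}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def on_syn(self, src, now):
        if self.syn_cookies:
            return self._cookie(src, now)      # SYN-ACK carries the cookie; nothing reserved
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.rejected += 1                 # queue full: SYN dropped, client stalls
            return None
        self.half_open[src] = now              # reserve state, send SYN-ACK
        return "stateful"

    def on_ack(self, src, now, token=None):
        if self.syn_cookies:
            ok = token is not None and hmac.compare_digest(token, self._cookie(src, now))
        else:
            ok = self.half_open.pop(src, None) is not None
        self.established += int(ok)
        return ok

    def _expire(self, now):
        self.half_open = {s: t for s, t in self.half_open.items() if now - t <= self.syn_timeout}

def flood_then_legit(syn_cookies):
    """500 spoofed SYNs that never ACK, then one legitimate handshake at t=1s.
    Returns (legit_connected, half_open_entries, rejected_syns)."""
    srv = Listener(syn_cookies=syn_cookies)
    for i in range(500):                       # spoofed sources never answer the SYN-ACK
        srv.on_syn((f"198.51.100.{i % 250}", 40000 + i), now=0.0)
    legit = ("203.0.113.7", 51515)
    token = srv.on_syn(legit, now=1.0)
    connected = token is not None and srv.on_ack(legit, now=1.2, token=token)
    return bool(connected), len(srv.half_open), srv.rejected
```

`flood_then_legit(False)` returns `(False, 128, 373)`: the backlog is full and the real client is dropped; `flood_then_legit(True)` returns `(True, 0, 0)`.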
Application Layer (Layer 7) Attacks — Mimic Real Users
Application layer attacks target specific web applications or APIs rather than the network itself. Instead of sending obviously fake traffic, they send HTTP requests that look like legitimate user activity — browsing pages, submitting forms, calling API endpoints. The attack exploits the fact that these requests are computationally expensive to serve (database queries, file generation, authentication checks) while cheap for the attacker to send.
A botnet of 10,000 devices each sending 10 legitimate-looking page requests per second generates 100,000 requests per second — which can overwhelm application servers that typically handle 1,000-5,000 requests per second. These attacks are the hardest to detect because the traffic looks indistinguishable from real user traffic at the network layer.
Amplification Attacks — How 1 Gbps Becomes 100 Gbps
Amplification attacks are a specific volumetric technique that allows an attacker to generate massive traffic from a small amount of bandwidth. The attacker sends small requests to vulnerable third-party servers, spoofing the source IP to be the victim's IP address. The third-party servers send large responses directly to the victim.
The DNS amplification attack is the most common: a 60-byte DNS query can generate a 3,000-byte response — a 50x amplification factor. An attacker with 1 Gbps of bandwidth can generate 50 Gbps of attack traffic at the victim by routing it through vulnerable DNS resolvers. The attacker never sends traffic directly to the victim — their traffic goes to the amplifiers, which unknowingly send their much larger responses to the victim's IP.
Other amplification vectors include NTP (network time protocol — up to 556x amplification), Memcached (up to 51,000x — used in the 2018 GitHub attack), and CLDAP. Cloudflare and other CDN providers operate infrastructure that absorbs and filters this traffic before it reaches customers' origin servers.
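Detection logic a defender could run over edge flow records, added as an example that is not from the article: an internal host receiving large volumes from the reflector service ports named above (DNS, NTP, Memcached, CLDAP) while sending almost nothing to those ports is getting responses to queries it never made. The `Flow` record layout, the thresholds and the sample flows are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record. Constructed layout, not a real exporter's schema."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int

# Service ports of the amplification vectors discussed in the article.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 389: "CLDAP"}

def amplification_suspects(flows, internal_nets, ratio_threshold=20.0, min_inbound_bytes=100_000):
    """Flag internal hosts that receive far more bytes FROM reflector service ports
    than they send TO those ports. A real client sends a query and gets a modest
    reply; an amplification victim receives large replies to queries it never sent."""
    nets = [ip_network(n) for n in internal_nets]

    def internal(ip):
        return any(ip_address(ip) in n for n in nets)

    sent = defaultdict(int)       # (host, service) -> bytes sent to the service port
    received = defaultdict(int)   # (host, service) -> bytes received from the service port
    for f in flows:
        if f.proto != "UDP":
            continue
        if internal(f.src_ip) and f.dst_port in REFLECTOR_PORTS:
            sent[(f.src_ip, REFLECTOR_PORTS[f.dst_port])] += f.nbytes
        elif internal(f.dst_ip) and f.src_port in REFLECTOR_PORTS:
            received[(f.dst_ip, REFLECTOR_PORTS[f.src_port])] += f.nbytes

    suspects = {}
    for key, inbound in received.items():
        ratio = inbound / max(sent.get(key, 0), 1)
        if inbound >= min_inbound_bytes and ratio >= ratio_threshold:
            suspects[key] = round(ratio, 1)
    return suspects

# Constructed sample: one host doing an ordinary DNS lookup, and one host being hit by
# 3,000-byte DNS responses from 40 resolvers it never queried (the 60 -> 3,000 byte case).
SAMPLE_FLOWS = (
    [Flow("10.0.0.5", 51000, "9.9.9.9", 53, "UDP", 60),
     Flow("9.9.9.9", 53, "10.0.0.5", 51000, "UDP", 200)]
    + [Flow(f"192.0.2.{i}", 53, "10.0.0.20", 80, "UDP", 3000) for i in range(1, 41)]
)
```

`amplification_suspects(SAMPLE_FLOWS, ["10.0.0.0/8"])` flags only `("10.0.0.20", "DNS")`; the host doing a normal lookup has an inbound/outbound ratio of about 3 and is left alone.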
AI-Powered DDoS — The 2026 Escalation
AI is transforming DDoS attacks in 2026 in two directions simultaneously. On the attack side, AI-powered DDoS-as-a-Service platforms (using models like GhostGPT and WormGPT) allow non-technical attackers to launch sophisticated attacks with simple prompts. On the defence side, AI is the only scalable response — NETSCOUT's Arbor suite processes 700+ Tbps of real-time traffic and automatically neutralises 80% of attacks without human intervention.
The most significant development is the emergence of adaptive multi-vector attacks: DDoS attacks that monitor the target's mitigation response in real time and dynamically switch attack vectors, protocols, and source patterns to evade whatever defence the target deploys. When the target blocks UDP floods, the attack switches to HTTP requests. When rate limiting kicks in, the attack distributes traffic across more sources. So far these have been manually operated attacks — a human operator watches the mitigation response and adjusts in real time. In 2026, AI is beginning to automate this adaptive loop.
Real DDoS Attacks — From Historical Milestones to 2026
Dyn DNS — October 2016
The Mirai botnet — composed of infected IoT devices (cameras, DVRs, routers) using default passwords — launched a 1.2 Tbps attack against Dyn, a major DNS provider. Because Dyn managed DNS for Twitter, Reddit, Netflix, PayPal, Amazon, and hundreds of other major sites, their unavailability cascaded into internet-wide outages across the eastern United States and Europe. The attack demonstrated two things that permanently changed the DDoS threat landscape: IoT devices could be recruited into enormous botnets, and attacking DNS infrastructure rather than individual websites could take down thousands of services simultaneously.
GitHub — February 2018
A 1.35 Tbps Memcached amplification attack hit GitHub — the world's largest code hosting platform. Memcached servers (database caching systems) were used as amplifiers — the attacker sent small requests with GitHub's IP spoofed as the source, causing the Memcached servers to flood GitHub with large responses. The amplification factor was up to 51,000x — the largest ever recorded at the time. GitHub's CDN provider Akamai absorbed the attack, and the service was fully restored within 20 minutes. The incident prompted emergency deprecation of publicly accessible Memcached servers and pushed ISPs to implement BCP38 source address filtering more aggressively.
Cloudflare — February 2025 World Record
The largest DDoS attack ever recorded: 31.4 Tbps sustained for 35 seconds, a 726% increase from the previous record. Cloudflare's automated systems detected and mitigated it with no customer impact. The attack originated from a botnet of compromised network devices. This attack demonstrates both how massive DDoS has become and the effectiveness of anycast CDN infrastructure at absorbing even record-breaking attacks — because the attack was distributed across Cloudflare's global network, no individual data centre was overwhelmed.
Who Launches DDoS Attacks and Why
- Hacktivists: Political motivation — attacking governments, corporations, or institutions to protest policies. KillNet (pro-Russia) launched over 4,693 attacks in 2025 — the most by any single actor in history. NoName057(16) targets NATO-aligned governments and infrastructure consistently.
- Ransom DDoS (RDoS): Attackers contact a target, launch a demonstration attack, then demand payment to stop. Ransom DDoS attacks increased 67% and cost organisations an average of $300,000–500,000 per hour of downtime.
- Business competition: Competitors attack each other's e-commerce or gaming platforms, particularly during peak sales periods. This is illegal but common in certain industries.
- Ransomware accompaniment: DDoS attacks are increasingly used alongside ransomware — flooding the victim's network while simultaneously encrypting systems, or adding a DDoS threat as additional extortion pressure.
- Nation-state disruption: Governments use DDoS as a geopolitical tool — disrupting critical infrastructure, government services, or media during conflicts. Europe accounted for 48.4% of all DDoS attacks in 2025, heavily correlated with geopolitical tensions.
- Script kiddies: Low-skill attackers using DDoS-as-a-Service platforms to attack gaming servers, disrupt personal adversaries, or simply because the capability is available and cheap.
How to Defend Against DDoS Attacks
CDN with DDoS Mitigation (Cloudflare, Akamai, Fastly)
A Content Delivery Network distributes your service across data centres worldwide using anycast routing — when an attacker sends traffic to your domain, it is distributed across the CDN's entire global network rather than hitting a single server. No individual location receives the full attack volume. CDNs like Cloudflare absorb attacks at the network edge, scrubbing malicious traffic before it reaches your origin servers. Cloudflare's free tier includes basic DDoS protection — sufficient for most personal projects and small businesses. Enterprise tiers handle terabit-scale attacks automatically.
Rate Limiting and Traffic Filtering
Rate limiting restricts the number of requests a single IP address can make per second. This is effective against unsophisticated application-layer attacks from a limited number of sources. Implement rate limiting at the CDN/WAF layer (not just at the application server — by the time traffic reaches your application server, it may already be too late). Rate limiting should be combined with behavioural analysis — legitimate users rarely send hundreds of identical requests per second, while bots often do.
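The per-IP limit and the behavioural signal in one place, as an added Python example (not the article's or any vendor's code): a sliding window per client plus a much lower cap on identical requests. The third scenario in `simulate` shows the limitation the paragraph above points to: the same flood spread across 50 source IPs passes per-IP limiting untouched, which is why it belongs at the CDN/WAF layer with wider behavioural analysis. Thresholds, paths and IPs are constructed.

```python
import hashlib
from collections import defaultdict, deque

class EdgeRateLimiter:
    """Per-client sliding-window limiter plus one behavioural signal: a client whose
    recent requests are identical (same method, path and body) is cut off at a much
    lower rate than a client browsing different pages. Thresholds are constructed."""

    def __init__(self, window_s=1.0, max_rps=20, max_identical_rps=5):
        self.window_s, self.max_rps, self.max_identical_rps = window_s, max_rps, max_identical_rps
        self.history = defaultdict(deque)   # client_ip -> deque of (timestamp, request_key)

    def allow(self, client_ip, ts, method, path, body=b""):
        key = (method, path, hashlib.sha256(body).hexdigest()[:12])
        q = self.history[client_ip]
        while q and ts - q[0][0] > self.window_s:   # drop entries outside the window
            q.popleft()
        identical = sum(1 for _, k in q if k == key)
        q.append((ts, key))                          # blocked attempts count too, so a flood stays blocked
        if len(q) > self.max_rps or identical >= self.max_identical_rps:
            return False                             # respond 429 Too Many Requests
        return True

def simulate():
    """Requests admitted for: a browsing user, a single-IP bot hammering one endpoint,
    and the same bot traffic spread over 50 source IPs (one request each)."""
    rl = EdgeRateLimiter()
    human = [rl.allow("203.0.113.7", i * 0.1, "GET", f"/page/{i}") for i in range(8)]
    bot = [rl.allow("198.51.100.9", i * 0.02, "POST", "/search", b"q=*") for i in range(50)]
    spread = [rl.allow(f"192.0.2.{i}", i * 0.02, "POST", "/search", b"q=*") for i in range(50)]
    return sum(human), sum(bot), sum(spread)
```

`simulate()` returns `(8, 5, 50)`: the user is untouched, the single-source bot is cut off after five identical requests, and the distributed version gets every request through.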
Web Application Firewall (WAF)
A WAF operates at Layer 7, analysing HTTP requests for patterns that indicate DDoS or attack activity. It can block requests matching known attack signatures, suspicious patterns (too many requests for the same resource, unusual user agents, requests with malformed headers), and requests from known malicious IP ranges. WAFs also protect against the OWASP Top 10 vulnerabilities discussed in the OWASP guide — Layer 7 DDoS protection and web application security in a single service.
Upstream Scrubbing and ISP-Level Filtering
For large organisations, upstream scrubbing services divert attack traffic to specialist mitigation centres that filter it before forwarding clean traffic to your network. This works for volumetric and protocol attacks that would overwhelm your own infrastructure before CDN-level mitigation is possible. Implement BCP38 (source address filtering) with your ISP — this prevents traffic with spoofed source IPs from entering the network, limiting amplification attacks. Work with your hosting provider to have a blackhole routing plan — the ability to discard all traffic to a specific IP if it is under a severe attack, protecting the rest of your infrastructure.
Secure Your Devices So They Do Not Become Part of a Botnet
The most ethical DDoS defence is preventing your devices from being recruited into botnets that attack others. Change default credentials on all IoT devices — routers, smart cameras, smart TVs, NAS drives. Update firmware regularly. Segment IoT devices on a separate network so a compromised camera cannot pivot to your main network or be used to launch attacks against others. The Mirai botnet infected devices using only default passwords — this is entirely preventable.