# DDoS Protection and Mitigation
A Distributed Denial of Service (DDoS) attack is an attempt to make a target system, service, or network unavailable by overwhelming it with traffic or resource requests from multiple sources simultaneously. The "distributed" element is critical: unlike a single-source denial of service attack that a firewall can block by blacklisting one IP address, DDoS attacks originate from hundreds, thousands, or millions of compromised systems spread across global infrastructure. Blocking individual sources is operationally futile when the attack arrives from every direction at once.
DDoS attacks target availability, the third pillar of the CIA triad (Confidentiality, Integrity, Availability). The goal is not to steal data or gain access. The goal is to prevent legitimate users from reaching a service. For organizations whose revenue, operations, or reputation depends on continuous service availability, this makes DDoS one of the most consequential threat categories they face.
The attack surface is broad. Any internet-facing service is a potential target: websites, APIs, DNS infrastructure, VoIP systems, online games, financial trading platforms, healthcare portals, and critical infrastructure systems. The barrier to launching a DDoS attack has dropped significantly: attack-for-hire services (booters and stressers) can be purchased for as little as $10 per hour, making DDoS accessible to actors without technical sophistication.
The scale of modern DDoS attacks is staggering. Cloudflare mitigated a 5.6 Tbps attack in October 2024, the largest volumetric DDoS publicly recorded at the time of its disclosure in January 2025 (larger attacks have been reported since). The memcached amplification attacks of 2018 reached 1.7 Tbps. These volumes exceed the capacity of all but the largest internet carriers and scrubbing providers. Effective DDoS mitigation is not a problem individual organizations can solve with on-premises hardware alone: no appliance can filter traffic that has already saturated the upstream link in front of it.
DDoS attacks fall into three broad categories, each exploiting a different vulnerability in the target or the network.
Volumetric Attacks: Volumetric attacks attempt to consume all available bandwidth between the target and the internet. The goal is saturation: if a target's upstream connection is 10 Gbps and the attack delivers 50 Gbps, legitimate traffic cannot reach the target regardless of how well the target's own systems are configured. Volumetric attacks frequently use amplification techniques that allow attackers to generate massive traffic volumes from relatively small botnets.
UDP flood is the most common volumetric technique. Attackers send high volumes of UDP packets to random ports on the target. For each packet the target's kernel must check whether an application is listening on that port and, for closed ports, typically generates an ICMP Destination Unreachable reply, so the flood consumes CPU and outbound bandwidth as well as the inbound bandwidth it saturates.
DNS amplification is one of the most dangerous volumetric variants. Attackers send DNS queries to open resolvers with the target's IP address forged as the source, and the resolvers send their much larger responses to the forged address. The classic form is an ANY query with EDNS0 advertising a large UDP buffer: a query of a few dozen bytes can elicit a response of several kilobytes, an amplification ratio approaching 100:1. NTP amplification works similarly, using the NTP monlist command to generate responses up to 556 times larger than the query. Memcached amplification, responsible for the 2018 record attacks, achieved amplification ratios exceeding 51,000:1 by sending small requests to misconfigured memcached servers exposed over UDP, which returned cached data sets in enormous responses. Reflection gives the attacker two things: the ratio multiplies the bandwidth of the botnet, and the victim sees only the reflectors' addresses, never the attacker's. The whole technique depends on the attacker being able to forge source addresses, which is why ingress filtering at network edges (BCP 38) and not exposing UDP services to the internet remain the primary preventive controls.
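As an added illustration (not code from the original article), the following Python detector applies the reflection signature to NetFlow-style records: a protected host receiving UDP traffic from many sources on a known reflector port, with far more bytes coming back than it ever sent out as queries to that service. The flow records, the protected address and the thresholds are constructed for the demo; the reflector port list is the usual set of abused services.

```python
"""Detect reflected amplification traffic in flow records.

Added example, not part of the original article. Flow records below are
constructed for the demo (NetFlow/sFlow-style 5-tuple summaries); the
thresholds are assumed starting points, not vendor defaults.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by their service port.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 389: "cldap",
                   1900: "ssdp", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    pkts: int


def detect_reflection(flows, protected, min_reflectors=20, min_ratio=10.0):
    """Flag protected hosts receiving responses from many reflectors that are
    far larger than any queries those hosts sent to the same service port.

    Legitimate use (a host querying its own resolvers or NTP servers) shows a
    handful of peers and a modest reply/query byte ratio; a reflection attack
    shows hundreds of peers and, because the source was spoofed, no outbound
    queries from the victim at all.
    """
    inbound_bytes = defaultdict(int)    # (victim, service_port) -> bytes received
    reflectors = defaultdict(set)       # (victim, service_port) -> distinct sources
    outbound_bytes = defaultdict(int)   # (victim, service_port) -> bytes sent as queries
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst in protected and f.sport in REFLECTOR_PORTS:
            inbound_bytes[(f.dst, f.sport)] += f.nbytes
            reflectors[(f.dst, f.sport)].add(f.src)
        elif f.src in protected and f.dport in REFLECTOR_PORTS:
            outbound_bytes[(f.src, f.dport)] += f.nbytes

    alerts = []
    for key, in_bytes in inbound_bytes.items():
        out_bytes = outbound_bytes.get(key, 0)
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        if len(reflectors[key]) >= min_reflectors and ratio >= min_ratio:
            victim, port = key
            alerts.append({"victim": victim, "service": REFLECTOR_PORTS[port],
                           "reflectors": len(reflectors[key]),
                           "inbound_bytes": in_bytes, "ratio": ratio})
    return sorted(alerts, key=lambda a: a["inbound_bytes"], reverse=True)


def sample_flows():
    """Constructed traffic: one protected host doing normal DNS and NTP, plus a
    DNS reflection attack from 250 open resolvers (spoofed, so no queries)."""
    victim = "203.0.113.10"
    flows = []
    for resolver in ("198.51.100.53", "198.51.100.54"):
        flows.append(Flow(victim, 40000, resolver, 53, "udp", 70, 1))    # real query
        flows.append(Flow(resolver, 53, victim, 40000, "udp", 220, 1))   # its answer
    flows.append(Flow(victim, 123, "198.51.100.123", 123, "udp", 90, 1))
    flows.append(Flow("198.51.100.123", 123, victim, 123, "udp", 90, 1))
    for i in range(1, 251):                                              # 250 reflectors
        flows.append(Flow(f"192.0.2.{i}", 53, victim, 80, "udp", 30000, 10))
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(sample_flows(), {"203.0.113.10"}):
        print(alert)
```

The NTP exchange (one peer, reply the same size as the request) and the host's own resolver traffic stay below both thresholds; the DNS key trips because 250 extra sources send megabytes of responses against 140 bytes of real queries. In production the same logic runs over sFlow, NetFlow or IPFIX exports at the edge, and tracking outbound query bytes is what separates a host's own resolver traffic from responses it never asked for.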
Protocol Attacks: Protocol attacks exploit weaknesses in network protocols to consume server resources rather than bandwidth. A target can be taken down by a protocol attack even on a well-provisioned network connection.
SYN flood exploits the TCP three-way handshake. The attacker sends large volumes of SYN packets with forged source addresses. The target allocates a half-open connection entry for each SYN and sends a SYN-ACK to the (non-existent) source address. The target waits for the final ACK, which never arrives. With enough SYN packets, the target's connection table fills with half-open connections and it cannot accept legitimate new connections. Two defenses are standard: SYN cookies (RFC 4987), where the server encodes the connection parameters in its initial sequence number and allocates no state until a final ACK arrives carrying a valid cookie, and offloading the handshake to a CDN or scrubbing provider that completes it on the origin's behalf. On Linux, SYN cookies are controlled by the net.ipv4.tcp_syncookies sysctl and engage once the SYN backlog overflows.
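To make the state-exhaustion mechanism and the SYN-cookie fix concrete, here is an added Python model (not code from the article, and a simplification of the Linux implementation): a listener with a 128-entry half-open table is hit with 1,000 spoofed SYNs, then a legitimate client tries to connect. The cookie layout (5-bit time counter, MSS index and a 24-bit keyed hash folded into the server's initial sequence number) follows the general scheme in RFC 4987; the secret, addresses and timestamps are constructed for the demo.

```python
"""TCP listener under SYN flood, with and without SYN cookies.

Added example, not part of the original article. The cookie layout is a
simplified version of the Linux scheme (RFC 4987 describes the technique):
5 bits of coarse time, a 2-bit MSS index and a keyed 24-bit hash folded into
the server's initial sequence number. The secret and addresses are constructed.
"""
import hashlib
import hmac
import random

MSS_TABLE = (536, 1220, 1440, 1460)    # MSS values the 2-bit index can encode
SECRET = b"demo-secret-rotate-me"       # assumed server-side key for the cookie hash


def _mss_index(mss):
    """Largest table entry not exceeding the client's advertised MSS."""
    return max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)


def _cookie_hash(src, sport, dst, dport, t):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{src}:{sport}:{dst}:{dport}:{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Nothing is stored: the ISN itself is the state."""
    t = int(now // 64) & 0x1F                      # 64-second ticks, 5 bits
    payload = (_cookie_hash(src, sport, dst, dport, t) + _mss_index(mss)) & 0xFFFFFF
    return (client_isn + (t << 24) + payload) & 0xFFFFFFFF


def check_syn_cookie(src, sport, dst, dport, client_isn, cookie, now):
    """Return the encoded MSS if the cookie is valid and recent, else None."""
    v = (cookie - client_isn) & 0xFFFFFFFF
    t = v >> 24
    if t > 0x1F or (((int(now // 64) & 0x1F) - t) & 0x1F) > 1:   # malformed or stale
        return None
    idx = (v - _cookie_hash(src, sport, dst, dport, t)) & 0xFFFFFF
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


class Listener:
    def __init__(self, ip, port, backlog, syn_cookies=False):
        self.ip, self.port, self.backlog = ip, port, backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}        # (src, sport) -> (server_isn, mss); unused with cookies
        self.dropped = 0
        self.established = 0

    def on_syn(self, src, sport, client_isn, mss, now):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return make_syn_cookie(src, sport, self.ip, self.port, client_isn, mss, now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                       # table full: legitimate SYNs die here
            return None
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = (isn, mss)
        return isn

    def on_ack(self, src, sport, seq, ack, now):
        """Handle the final ACK (seq = client_isn + 1, ack = server_isn + 1)."""
        if self.syn_cookies:
            mss = check_syn_cookie(src, sport, self.ip, self.port,
                                   (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)
            ok = mss is not None
        else:
            entry = self.half_open.pop((src, sport), None)
            ok = entry is not None and (entry[0] + 1) & 0xFFFFFFFF == ack
        self.established += ok
        return ok


def simulate(syn_cookies, flood_size=1000, backlog=128, now=1_700_000_000.0):
    """Flood the listener with spoofed SYNs, then try one real handshake."""
    srv = Listener("203.0.113.10", 443, backlog, syn_cookies)
    rng = random.Random(1)
    for _ in range(flood_size):                     # spoofed sources never send the ACK
        srv.on_syn(f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536),
                   rng.getrandbits(32), 1460, now)
    client_isn = rng.getrandbits(32)
    server_isn = srv.on_syn("192.0.2.7", 51515, client_isn, 1460, now + 0.05)
    connected = server_isn is not None and srv.on_ack(
        "192.0.2.7", 51515, (client_isn + 1) & 0xFFFFFFFF,
        (server_isn + 1) & 0xFFFFFFFF, now + 0.1)
    return {"legit_connected": connected, "half_open": len(srv.half_open),
            "dropped": srv.dropped}


if __name__ == "__main__":
    print("no cookies:", simulate(False))
    print("cookies:   ", simulate(True))
```

Without cookies the table fills at 128 entries and every later SYN, including the real client's, is dropped; with cookies the listener stores nothing per SYN and the real handshake completes, while a stale or tampered cookie is rejected. The price, and the reason Linux engages cookies only once the backlog overflows, is that TCP options not encoded in the cookie (window scaling, SACK) can be lost for those connections.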
Ping of Death sends oversized ICMP packets that exceed the maximum IP packet size. Legacy systems that improperly handle packet reassembly crash or become unresponsive. Modern systems are patched against classic Ping of Death, but variants targeting specific implementations still appear.
Application-Layer Attacks: Application-layer attacks (also called Layer 7 attacks) are the most sophisticated and the hardest to mitigate. Instead of overwhelming bandwidth or connection tables, they mimic legitimate user behavior and exhaust server-side resources at the application level. Because the attack traffic looks like normal HTTP requests, volumetric detection methods miss it. Over HTTPS the requests are visible only where TLS is terminated, so a CDN or WAF can inspect them only if it holds the site's certificate and sits in the request path.
HTTP flood sends large volumes of seemingly legitimate HTTP GET or POST requests to the target web server. The server must process each request, potentially executing database queries, rendering templates, and generating responses. A relatively small HTTP flood can exhaust server CPU and database connection pools.
Slowloris keeps HTTP connections open by sending partial request headers slowly, preventing the server from completing and closing the connection. The server waits for the incomplete request to finish, gradually filling its connection pool with Slowloris sessions until no new connections can be accepted. The defenses are per-connection header and body timeouts, caps on concurrent connections per source address, and event-driven servers (nginx, for example) that do not dedicate a worker thread to each idle connection the way a thread-per-connection server does.
Targeted API abuse exploits specific endpoints with expensive operations. An attacker who identifies an API endpoint that triggers a complex database query or external service call can exhaust server resources with far fewer requests than a generic HTTP flood requires.
Availability is a business function. Every minute an internet-facing service is unavailable has a direct cost. For e-commerce, that cost is measured in lost transactions. For financial services, it is measured in failed trades. For healthcare, it can be measured in delayed patient care. For gaming and streaming, it is measured in subscriber churn.
A 2024 analysis by Cloudflare found that the average enterprise faces DDoS attempts weekly. The distribution of targets has shifted: DDoS is no longer primarily directed at large enterprises. Content delivery infrastructure, DNS providers, cloud hosting platforms, and mid-market businesses are all regularly targeted. DDoS-for-hire services have commoditized the attack to the point where a disgruntled former customer, a competitor, or an ideologically motivated actor with no technical background can launch a sustained attack.
The business calculation is not symmetric. A DDoS attack that costs $50 to launch can cause thousands or hundreds of thousands in damage to the target. This asymmetry drives attack economics: the barrier to attack is low, and the incentive to launch is high.
Regulatory and contractual considerations compound the business risk. Service Level Agreements (SLAs) for cloud services, financial platforms, and healthcare portals often include availability guarantees with financial penalties for downtime. A DDoS attack that causes an SLA breach can trigger penalty payments on top of direct revenue losses. PCI DSS v4.0 Requirement 6.4 (protecting public-facing web applications against attacks, typically with a WAF) and the HIPAA Security Rule's requirement to ensure the availability of electronic protected health information both touch on DDoS resilience, though neither mandates specific DDoS controls.
The common misconception about DDoS is that it only matters for large targets. In practice, mid-market organizations are often softer targets precisely because they lack the mitigation infrastructure of large enterprises. A DDoS attack that would be a minor annoyance for a large CDN-backed application can be catastrophic for an organization running its own web server on a limited upstream connection.
Upstream Scrubbing via Transit Providers: Large internet transit providers (AT&T, Lumen, NTT, Tata) operate scrubbing centers that absorb volumetric attacks before they reach the customer's infrastructure. Diversion works at the BGP level: during an attack the scrubbing provider announces the customer's prefix (or a more specific route), attracts the traffic into its scrubbing center, inspects it in-line, discards the attack traffic, and returns clean traffic to the customer over a GRE tunnel or a private cross-connect. This approach handles very large volumetric attacks because scrubbing centers are connected at multiple Tbps. The tradeoffs are latency, since traffic takes a longer path through the scrubbing center, and, for on-demand rather than always-on service, the minutes between detection and the route change propagating, during which the attack reaches the customer unfiltered.
CDN-Based Protection: CDN providers with large distributed networks absorb DDoS traffic by distributing it across their global edge infrastructure. Cloudflare, Akamai, and AWS CloudFront each operate networks with multi-Tbps capacity distributed across hundreds of points of presence. When DDoS traffic hits a Cloudflare edge node, it is absorbed and filtered before reaching the origin server. Because the attack is distributed across the CDN's global network, no single point receives enough traffic to be overwhelmed. This only holds while the origin is reachable solely through the CDN: if the origin's IP address leaks (historical DNS records, an unprotected subdomain, an outbound connection that reveals it), attackers bypass the CDN entirely, so the origin should accept traffic only from the CDN provider's published address ranges.
Cloudflare's Magic Transit extends CDN-grade protection to arbitrary IP prefixes, not just web traffic, making it applicable to DNS infrastructure, VoIP, and other non-HTTP services. AWS Shield Standard is included with all AWS services and provides automatic protection against common volumetric attacks. AWS Shield Advanced adds customized detection, 24/7 DDoS Response Team support, and cost protection for EC2 and ELB scaling costs during an attack.
On-Premises Scrubbing Appliances: Organizations with very sensitive latency requirements or compliance constraints that prevent routing traffic through third-party infrastructure can deploy on-premises scrubbing appliances (NETSCOUT Arbor, Radware DefensePro, F5 BIG-IP Advanced Firewall Manager). These appliances sit inline or in a diversion path and filter attack traffic locally. The fundamental limitation is capacity: on-premises hardware cannot absorb volumetric attacks that exceed the organization's upstream bandwidth, so it is best suited to protocol and application-layer attacks and is normally paired with an upstream provider for the volumetric case.
Anycast Routing: Anycast is a network addressing technique where the same IP address is announced from multiple geographic locations. Traffic from any given source is routed to the nearest anycast node. During a DDoS attack, incoming traffic is spread across all anycast nodes globally, so no single node receives the full attack volume. Anycast is the architectural foundation of CDN-based DDoS mitigation. It is also used to harden DNS infrastructure against volumetric DNS amplification attacks.
Rate Limiting and Traffic Shaping: Rate limiting at the application layer mitigates HTTP flood and API abuse attacks by setting thresholds on requests per second from individual source IPs, ASNs, or geographic regions, ideally weighted by how expensive each endpoint is to serve. Challenge mechanisms (CAPTCHA, JavaScript challenges, browser fingerprinting) distinguish automated attack traffic from legitimate users. Modern WAFs (Web Application Firewalls) incorporate behavioral analysis that identifies attack patterns across request sequences rather than individual requests.
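The following added example (not code from the article) is a cost-weighted token-bucket limiter keyed by client address, run over a constructed request log: one user browsing at human pace and one client hammering an expensive search endpoint a hundred times per second. Charging expensive endpoints more tokens per call is what defeats the targeted API abuse described earlier, which can stay under a plain requests-per-second cap. Endpoint costs, bucket capacity and refill rate are assumed values.

```python
"""Cost-weighted per-client token-bucket rate limiting.

Added example, not part of the original article. Endpoint costs, bucket size
and refill rate are assumed values; the request log is constructed for the demo.
"""
from collections import defaultdict

# Tokens charged per request. Expensive endpoints (search, exports) cost more,
# so a low request rate against them still drains the bucket.
ENDPOINT_COST = {"/api/search": 10, "/api/report/export": 25}
DEFAULT_COST = 1


class TokenBucket:
    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.rate = refill_per_sec
        self.tokens = float(capacity)
        self.last = None

    def consume(self, cost, now):
        """Refill proportionally to elapsed time, then charge `cost` if affordable."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class RateLimiter:
    """One bucket per client key (here the source IP; an ASN or /24 works the same)."""

    def __init__(self, capacity=60, refill_per_sec=10):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))

    def allow(self, client, path, now):
        return self.buckets[client].consume(ENDPOINT_COST.get(path, DEFAULT_COST), now)


def parse_line(line):
    """'<epoch> <client_ip> <method> <path>' -> (timestamp, ip, path)."""
    ts, ip, _method, path = line.split()
    return float(ts), ip, path


def sample_log():
    """Constructed log: one real user browsing once a second (two searches among
    plain page loads), one client calling the search endpoint every 10 ms."""
    t0 = 1_700_000_000.0
    lines = []
    for i in range(10):
        path = "/api/search" if i in (3, 7) else "/"
        lines.append(f"{t0 + i:.3f} 192.0.2.7 GET {path}")
    for k in range(200):
        lines.append(f"{t0 + k * 0.01:.3f} 198.51.100.9 GET /api/search")
    return lines


def enforce(lines):
    """Run the limiter over a log in timestamp order; return per-client verdict counts."""
    limiter = RateLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, ip, path in sorted(parse_line(line) for line in lines):
        verdict = "allowed" if limiter.allow(ip, path, ts) else "denied"
        stats[ip][verdict] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, counts in enforce(sample_log()).items():
        print(ip, counts)
```

With these settings the abusive client gets its first six calls through on the initial bucket, then roughly one expensive call per second as tokens refill, while the real user is never throttled. The per-IP part maps directly onto nginx's limit_req_zone/limit_req or a CDN rate rule; the per-endpoint cost weighting usually lives in the API gateway or application, the layer that knows what each request costs. Keying on ASN or /24 instead of a single address catches floods that rotate through a botnet's many source addresses.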
RTBH (Remote Triggered Black Hole Filtering): In severe volumetric attacks, BGP RTBH instructs upstream routers to discard all traffic destined for a specific target IP address. This stops the attack but also stops legitimate traffic, making it a last resort for protecting the rest of the infrastructure when a single destination is under catastrophic attack. RTBH is sometimes called a "nuclear option" because it completes the attacker's goal of denying service to the targeted address. A more selective alternative, where the upstream supports it, is BGP Flowspec (RFC 8955), which lets the customer ask the provider to drop or rate-limit only traffic matching a tuple such as UDP source port 11211 toward the victim prefix, preserving the rest of the service.
In the Planetary Defense Model, availability is terrain. A DDoS attack is not an attempt to penetrate the terrain; it is an attempt to bury it under so much pressure that nothing can move across it. This maps cleanly to the Security Posture and Hygiene (SPH) domain, where the Autonomous Posture Command (APC) methodology governs how defenses adapt to active pressure: "Your posture adapts. Your hygiene never sleeps."
The Vulnerability and Surface Defense (VSD) domain is the second owner of DDoS risk. CSR (Continuous Surface Reduction) asks: "Every surface you expose is a surface we eliminate." Applied to DDoS, this means reducing exposed attack surfaces before an attack occurs. Organizations that expose DNS resolvers to the public internet create amplification infrastructure for attackers. Organizations that run internet-facing services on a single origin IP without CDN protection have created a single point of failure. Organizations with over-provisioned API endpoints that execute expensive operations without rate limiting have built an application-layer attack surface.
Missions VSD-H03 (DNS Security Hardening) and SPH-B01 (Network Security Hardening) both address DDoS resilience as components of their control sets. VSD-H03 specifically addresses DNS infrastructure hardening: disabling open resolver behavior, deploying DNSSEC, and configuring anycast DNS. SPH-B01 addresses rate limiting configuration, CDN integration, and upstream scrubbing provider selection.
CDA's operational recommendation diverges from the standard vendor narrative in one important way: DDoS mitigation is not a product purchase, it is an architecture decision. Organizations that put their entire service behind a CDN and properly configure rate limiting have addressed 90% of their DDoS risk before buying any dedicated mitigation product. The remaining 10% (large-scale volumetric attacks against non-HTTP infrastructure) requires upstream scrubbing. CDA's Theater of Operations models this as a two-phase deployment: architect for resilience first, then add scrubbing capacity for the residual risk.
The adversary context: DDoS is primarily a Human adversary technique in the PDM's threat taxonomy, used for extortion, competitive sabotage, ideological disruption, and as a smokescreen to divert security team attention while a different attack vector is pursued. The smokescreen use case is underappreciated: a DDoS attack that occupies the entire security team's bandwidth for four hours is sometimes the precursor to a more targeted intrusion elsewhere in the environment.
Written by Evan Morgan