# DDoS Attacks and Amplification
A distributed denial-of-service (DDoS) attack is an attempt to make a network resource, server, or service unavailable by overwhelming it with traffic from multiple sources simultaneously. The "distributed" element distinguishes DDoS from simple denial-of-service (DoS) attacks: where a DoS attack originates from a single source (easily blocked by an IP filter), a DDoS attack originates from thousands or millions of sources, often compromised systems controlled by the attacker without their owners' knowledge.
DDoS attacks target availability: the "A" in the CIA triad (Confidentiality, Integrity, Availability). They do not steal data directly and do not provide the attacker with access to the victim's systems. Their goal is disruption. An e-commerce site that cannot process transactions is losing revenue. A hospital whose patient portal is inaccessible may redirect patients or delay care. A financial institution that cannot process wire transfers faces operational and regulatory consequences. An API-dependent service that is offline during a DDoS attack may trigger SLA violations with downstream business partners.
The attack surface for DDoS is every internet-connected resource an organization exposes. Web servers, DNS resolvers, API gateways, VPN concentrators, game servers, streaming endpoints, and CDN origin servers are all potential targets. As organizations have moved workloads to cloud infrastructure and microservices architectures, the attack surface for DDoS has grown, but so have the tools available for defense.
In the Planetary Defense Model, DDoS defense spans two domains. TID (Threat Intelligence and Defense) owns the detection of DDoS activity as an atmospheric-layer threat, including early warning signals such as traffic anomalies, dark web chatter about planned attacks, and DDoS-for-hire activity targeting specific organizations. SPH (Security Posture and Hygiene) owns the infrastructure hardening, rate limiting architecture, and network configuration that determines how resistant an organization's services are to volumetric and application-layer attacks. The terrain metaphor is apt: SPH builds the landscape (hardened infrastructure, well-configured services) while TID monitors the weather patterns (threat intelligence, traffic anomaly detection) that precede a storm.
DDoS attacks fall into three mechanically distinct categories, each targeting a different layer of the network stack and requiring different mitigation approaches.
Volumetric attacks operate by generating more traffic than the target's network connection can handle. The target does not need to process the traffic for the attack to succeed. Simply receiving more packets than the uplink can accommodate causes packet loss for legitimate traffic. A server with a 10 Gbps network connection that receives 50 Gbps of DDoS traffic has no bandwidth left for legitimate users regardless of how well-configured the server itself is.
UDP floods are the simplest volumetric attack. The attacker sends high-volume UDP packets to random ports on the target host. The target must inspect each packet, determine that no application is listening on that port, and send an ICMP Destination Unreachable response. At scale, this process consumes CPU and network bandwidth. UDP is attractive for DDoS because it is connectionless: the attacker can spoof the source IP address, making attribution and filtering more complex.
Amplification attacks are the most dangerous volumetric technique because they allow an attacker with limited bandwidth to generate attack traffic many times larger than their own infrastructure could produce. The mechanics of an amplification attack require three components: a protocol that accepts requests with a spoofed source IP, a response significantly larger than the request (the amplification factor), and a target whose IP is spoofed as the source.
The attacker sends a small request to thousands of servers running the vulnerable protocol, spoofing the target's IP address as the source. Each server sends its large response to the target, not to the attacker. The attacker's traffic volume is multiplied by the amplification factor and redirected at the target.
DNS amplification exploits DNS resolver behavior. The response to a DNS query for a large record (an ANY query, or a name with large TXT records) can be 28 to 54 times larger than the query that triggered it. An attacker who sends a 40-byte query to an open DNS resolver causes a 1,600-byte response to be sent to the target. Amplification factor: 40x. DNS amplification attacks regularly generate hundreds of Gbps of attack traffic using open DNS resolvers (publicly accessible DNS servers that respond to queries from any source).
NTP amplification is more extreme. The Network Time Protocol includes a debug command called monlist that returns a list of the last 600 hosts that contacted the NTP server. A 234-byte monlist request generates a response of up to 48 kilobytes: an amplification factor of approximately 556x. A single attacker packet generates 556 packets directed at the target. NTP amplification attacks produced some of the largest recorded DDoS events before the monlist command was disabled in most modern NTP implementations.
Memcached amplification produced the largest DDoS attacks ever recorded. Memcached is a distributed memory caching system designed for internal use within data centers. Some operators inadvertently exposed memcached instances to the public internet. A memcached request of 15 bytes can generate a response of 750 kilobytes: an amplification factor of approximately 51,000x. In 2018, GitHub sustained a 1.35 Tbps memcached amplification attack. A subsequent attack on an unnamed organization reached 1.7 Tbps. Both set records at the time. The attack required the attacker to generate only megabits per second of traffic to produce terabits at the target.
CLDAP amplification uses the Connectionless Lightweight Directory Access Protocol (CLDAP), a UDP variant of LDAP used in Windows environments. CLDAP amplification produces factors of 56 to 70x and has been used in attacks targeting financial institutions and gaming infrastructure.
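The defining signature of a reflection attack from the victim's side is inbound UDP traffic sourced from a reflector service port (53, 123, 389, 11211) with no matching outbound requests. The following detector is an added example, not code from the article; it runs over constructed flow records in a simplified NetFlow-like line format (direction, protocol, src:port, dst:port, bytes, packets), and the field layout, thresholds and the `203.0.113.10` victim address are assumptions.

```python
"""Reflection/amplification detection over flow records (added example)."""
from collections import defaultdict

# UDP services discussed in the article, keyed by the port their responses come FROM.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 11211: "memcached"}

# Constructed sample flows as seen at the edge of the protected network.
# Format: direction proto src_ip:port dst_ip:port bytes packets
SAMPLE_FLOWS = """
# legitimate DNS lookup: a request goes out, a modestly larger answer comes back
out udp 203.0.113.10:40001 198.51.100.5:53 60 1
in udp 198.51.100.5:53 203.0.113.10:40001 240 1
# memcached responses from three reflectors to a port we never queried from
in udp 192.0.2.11:11211 203.0.113.10:80 750000 500
in udp 192.0.2.12:11211 203.0.113.10:80 750000 500
in udp 192.0.2.13:11211 203.0.113.10:80 750000 500
# NTP responses from three reflectors, again with no outbound request
in udp 192.0.2.21:123 203.0.113.10:443 48000 100
in udp 192.0.2.22:123 203.0.113.10:443 48000 100
in udp 192.0.2.23:123 203.0.113.10:443 48000 100
# ordinary TCP download, ignored by the UDP-only logic
in tcp 198.51.100.9:443 203.0.113.10:51000 900000 700
""".strip().splitlines()


def parse_flow(line):
    """Parse one flow line into a dict; returns None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    direction, proto, src, dst, nbytes, npkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "dir": direction, "proto": proto,
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "bytes": int(nbytes), "packets": int(npkts),
    }


def detect_reflection(lines, min_bytes=100_000, min_ratio=10.0):
    """Flag reflector services whose inbound bytes dwarf the outbound requests we sent.

    Returns alerts sorted by inbound volume. A ratio of inf means we sent no
    request at all to that service port, the classic spoofed-source signature.
    """
    in_bytes = defaultdict(int)     # service -> bytes received from that service port
    out_bytes = defaultdict(int)    # service -> bytes we sent to that service port
    reflectors = defaultdict(set)   # service -> distinct reflector source IPs
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue
        if f["dir"] == "in" and f["src_port"] in REFLECTOR_PORTS:
            svc = REFLECTOR_PORTS[f["src_port"]]
            in_bytes[svc] += f["bytes"]
            reflectors[svc].add(f["src_ip"])
        elif f["dir"] == "out" and f["dst_port"] in REFLECTOR_PORTS:
            out_bytes[REFLECTOR_PORTS[f["dst_port"]]] += f["bytes"]

    alerts = []
    for svc, ib in in_bytes.items():
        ob = out_bytes.get(svc, 0)
        ratio = ib / ob if ob else float("inf")
        if ib >= min_bytes and ratio >= min_ratio:
            alerts.append({"service": svc, "reflectors": len(reflectors[svc]),
                           "in_bytes": ib, "out_bytes": ob, "ratio": ratio})
    return sorted(alerts, key=lambda a: a["in_bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The legitimate DNS exchange is not flagged because the victim itself sent the request and the reply stays under both thresholds; the memcached and NTP traffic is flagged because the reply volume arrives with zero corresponding outbound requests. In production the same logic runs over exported NetFlow/IPFIX or sFlow records rather than an inline list.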
Protocol attacks target the finite state tables that servers and network devices maintain to track active connections. Unlike volumetric attacks that try to saturate bandwidth, protocol attacks try to exhaust memory and CPU resources by filling state tables with incomplete or malformed connections.
SYN floods exploit the TCP three-way handshake. A normal TCP connection begins with the client sending a SYN packet, the server responding with SYN-ACK and allocating resources for the pending connection, and the client completing the handshake with ACK. In a SYN flood, the attacker sends a high volume of SYN packets with spoofed source IP addresses. The server sends SYN-ACK to the spoofed addresses (which do not respond) and waits for ACK packets that never arrive. Each incomplete connection occupies a slot in the server's connection table. When the table fills, the server cannot accept new legitimate connections. A server with 65,000 available connection table slots can be exhausted by a SYN flood within seconds.
SYN cookies are the primary defense: a technique that allows the server to avoid allocating connection resources until the handshake completes, by encoding state information into the initial sequence number of the SYN-ACK response.
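To make the SYN cookie mechanism concrete, here is an added example (not from the article, and not the Linux kernel's implementation) of encoding and verifying a cookie. It follows the classic layout: the 32-bit initial sequence number packs a 5-bit time counter, a 3-bit index into a small MSS table, and a 24-bit keyed hash over the connection 4-tuple and the counter. The MSS table, the 64-second counter period, the one-tick acceptance window and the HMAC-SHA256 construction are all choices made for this example.

```python
"""Simplified SYN cookie encode/verify (added example)."""
import hashlib
import hmac
import os
import time

MSS_TABLE = [536, 1300, 1440, 1460]   # encodable MSS values; index must fit in 3 bits
COUNTER_PERIOD = 64                   # seconds per value of the 5-bit time counter
MAX_AGE_TICKS = 1                     # accept cookies from the current and previous tick
SECRET = os.urandom(32)               # server secret generated per process (constructed)


def _counter(now):
    return int(now // COUNTER_PERIOD)


def _mac24(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now=None):
    """Return the ISN to place in the SYN-ACK. Nothing is stored per connection."""
    now = time.time() if now is None else now
    t = _counter(now)
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0           # largest table value the client can take
    # Mixing client_isn into the hash ties this cookie to the specific SYN it answers.
    h = (_mac24(saddr, daddr, sport, dport, t) + client_isn) & 0xFFFFFF
    return ((t & 0x1F) << 27) | (mss_idx << 24) | h


def verify_syn_cookie(saddr, daddr, sport, dport, seq, ack, now=None):
    """Validate the handshake-completing ACK.

    Returns the MSS recovered from the cookie, or None if the cookie is
    forged, belongs to a different 4-tuple, or is older than the window.
    """
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF        # our ISN as acknowledged by the client
    client_isn = (seq - 1) & 0xFFFFFFFF    # client's ISN from its original SYN
    t_now = _counter(now)
    age = (t_now - (cookie >> 27)) & 0x1F  # 5-bit difference; counter wraps every 32 ticks
    if age > MAX_AGE_TICKS:
        return None
    t_cookie = t_now - age
    expected = (_mac24(saddr, daddr, sport, dport, t_cookie) + client_isn) & 0xFFFFFF
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    tup = ("192.0.2.1", "203.0.113.10", 40000, 443)
    c = make_syn_cookie(*tup, client_isn=1000, mss=1460)
    print(hex(c), verify_syn_cookie(*tup, seq=1001, ack=c + 1))
```

Because the server stores nothing between SYN and ACK, a flood of spoofed SYNs costs it only a hash computation per packet rather than a connection-table slot. The price is visible in the code: only a few MSS values survive the round trip and TCP options such as window scaling are lost unless the client echoes them, which is why real stacks enable cookies only once the backlog is under pressure.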
ACK floods and RST floods send high volumes of ACK or RST packets to targets. Servers that receive ACK packets for connections they did not initiate must process each packet to determine it does not belong to any known connection. At sufficient volume, this processing exhausts CPU. RST floods attempt to disrupt active legitimate connections by sending RST (connection reset) packets with spoofed source addresses.
Application-layer attacks, also called Layer 7 attacks, do not try to saturate bandwidth or exhaust network state tables. They generate requests that appear legitimate from a network perspective and target the computational cost of processing those requests at the application level.
HTTP GET/POST floods send high volumes of HTTP requests to the target web server. Each request causes the server to process the HTTP headers, authenticate or authorize if required, execute application logic (database queries, session lookups, computation), generate a response, and transmit it. A server that can handle 5,000 requests per second can be overwhelmed by 50,000 requests per second from a botnet, even though 50,000 HTTP requests per second would require only modest bandwidth and would not exhaust connection tables.
Slowloris is a low-bandwidth application-layer attack that opens many connections to the target server and keeps them open indefinitely by sending partial HTTP headers very slowly, just fast enough to avoid the server's connection timeout. A web server that allows a maximum of 1,000 simultaneous connections can be rendered unavailable to legitimate users if Slowloris occupies all 1,000 slots with artificially prolonged incomplete requests. The attacker can maintain this with minimal bandwidth.
RUDY (R-U-Dead-Yet) works similarly to Slowloris but targets HTTP POST requests: the attacker declares a large Content-Length but transmits body data one byte at a time, keeping the server's connection open indefinitely while exhausting connection slots across many simultaneous requests.
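Slowloris and RUDY both depend on the server tolerating a request that trickles in indefinitely, so the standard countermeasure is a minimum data rate on incomplete requests after a short grace period, plus a cap on how many incomplete requests one client may hold. The selection logic below is an added example, not code from the article, written over constructed connection snapshots (connection id, client IP, age in seconds, bytes received so far, whether the request is complete); the 20-second grace period, 500 B/s minimum rate and per-client cap of 20 are assumptions chosen for the example.

```python
"""Slow-request (Slowloris/RUDY) mitigation over connection snapshots (added example)."""
from collections import defaultdict

# Constructed snapshot of a server's open connections at one instant.
# Format: conn_id client_ip age_seconds bytes_received state
SAMPLE_SNAPSHOT = [f"slow-{i} 198.51.100.7 15 60 incomplete" for i in range(25)] + [
    "rudy-1 203.0.113.9 120 120 incomplete",       # POST body arriving at ~1 B/s
    "mobile-1 203.0.113.5 3 400 incomplete",       # slow client still inside the grace period
    "upload-1 203.0.113.6 60 4000000 incomplete",  # large POST body at ~66 KB/s
    "done-1 203.0.113.8 0.2 900 complete",         # normal request, already parsed
]


def parse_snapshot(line):
    conn_id, client, age, nbytes, state = line.split()
    return {"id": conn_id, "client": client, "age": float(age),
            "bytes": int(nbytes), "complete": state == "complete"}


def select_connections_to_close(lines, header_grace=20.0, min_rate=500.0, per_client_cap=20):
    """Return the set of connection ids the server should drop.

    Rule 1: once a request has been open longer than header_grace seconds, it
            must have averaged at least min_rate bytes/second or it is dropped.
    Rule 2: a single client may hold at most per_client_cap incomplete
            requests; beyond that, all of its incomplete requests are dropped.
    Completed requests are never touched by either rule.
    """
    snapshots = [parse_snapshot(l) for l in lines]
    to_close = set()
    incomplete = defaultdict(list)
    for c in snapshots:
        if c["complete"]:
            continue
        incomplete[c["client"]].append(c["id"])
        if c["age"] > header_grace and c["bytes"] / c["age"] < min_rate:
            to_close.add(c["id"])        # rule 1: trickling request past the grace period
    for client, ids in incomplete.items():
        if len(ids) > per_client_cap:
            to_close.update(ids)         # rule 2: one client hoarding connection slots
    return to_close


if __name__ == "__main__":
    print(sorted(select_connections_to_close(SAMPLE_SNAPSHOT)))
```

The two rules cover the two attack shapes: the rate rule catches a single RUDY connection that is far too slow to be a real upload, while the per-client cap catches a Slowloris client whose individual connections are each still young enough to look plausible. A genuinely slow mobile client and a large but steady upload both survive.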
Asymmetric application attacks identify API endpoints or functions where a small request causes disproportionate server-side processing: complex database queries, bcrypt password hashing per authentication attempt, or deeply nested GraphQL queries. These are nearly impossible to distinguish from legitimate high-volume usage and require application-aware rate limiting to mitigate.
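A plain requests-per-second limiter cannot see that one login attempt costs as much server time as twenty status checks. The limiter below is an added example, not code from the article: a per-client token bucket in which each request debits a cost derived from the endpoint, and GraphQL requests are priced by the nesting depth of their selection set. The endpoint names, cost table, bucket capacity of 60 and refill rate of 1 token per second are assumptions for the example; the depth counter is a crude brace counter, not a GraphQL parser.

```python
"""Cost-aware token bucket rate limiting (added example)."""

# Assumed relative server-side cost per endpoint (hypothetical application).
ENDPOINT_COST = {
    "GET /status": 1,
    "GET /search": 5,      # database query
    "POST /login": 20,     # bcrypt verification on every attempt
}
GRAPHQL_COST_PER_LEVEL = 5


def nesting_depth(body):
    """Maximum brace nesting of a GraphQL selection set (crude, not a full parser)."""
    depth = best = 0
    for ch in body:
        if ch == "{":
            depth += 1
            best = max(best, depth)
        elif ch == "}":
            depth -= 1
    return best


def request_cost(method_path, body=""):
    """Tokens a request consumes; nested GraphQL queries pay per level of depth."""
    if method_path == "POST /graphql":
        return GRAPHQL_COST_PER_LEVEL * max(1, nesting_depth(body))
    return ENDPOINT_COST.get(method_path, 1)


class CostAwareLimiter:
    """One token bucket per client key; each request debits its computed cost."""

    def __init__(self, capacity=60.0, refill_per_second=1.0):
        self.capacity = capacity
        self.refill = refill_per_second
        self.buckets = {}   # key -> (tokens, last_seen_timestamp)

    def allow(self, key, method_path, now, body=""):
        cost = request_cost(method_path, body)
        tokens, last = self.buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)  # refill since last seen
        if tokens >= cost:
            self.buckets[key] = (tokens - cost, now)
            return True
        self.buckets[key] = (tokens, now)   # insufficient budget: deny, keep the balance
        return False


if __name__ == "__main__":
    lim = CostAwareLimiter()
    print([lim.allow("198.51.100.7", "POST /login", 0.0) for _ in range(4)])
```

With these numbers a client gets three login attempts per minute but sixty status checks, from the same bucket, which is the asymmetry the paragraph describes: the budget tracks server work rather than request count. The key would normally be a client IP, API key or session rather than the bare string used here.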
Most large DDoS attacks are conducted using botnets: networks of compromised systems that the attacker controls remotely. The compromised systems send attack traffic at the attacker's direction, often without their owners' awareness.
Mirai is the defining botnet of the modern DDoS era. Released publicly in 2016, Mirai targeted IoT devices (IP cameras, DVRs, routers) that shipped with default or hardcoded credentials, scanning the internet for devices using 62 default username/password pairs and enrolling them via Telnet. At peak, Mirai controlled over 600,000 devices. A Mirai attack on Dyn, a major DNS provider, in October 2016 disrupted Twitter, Netflix, Reddit, and Spotify across large portions of the United States, reaching approximately 1.2 Tbps.
The public release of Mirai's source code enabled hundreds of derivative botnets. The IoT device landscape has not fundamentally improved since 2016, and modern botnets additionally recruit compromised cloud infrastructure, where a single compromised server provides far more bandwidth than a residential IoT device, and where traffic originates from trusted IP ranges that make filtering more complex.
Booter and stresser services (the terms are used interchangeably, with "stresser" being the euphemism operators use to claim legitimate "load testing" use) are subscription services that provide on-demand DDoS attack capability to anyone who pays. Prices range from $20 to $100 per month for entry-level access, with higher tiers providing more attack bandwidth, longer attack duration, and multiple simultaneous targets.
These services lower the barrier to conducting DDoS attacks to near zero. A disgruntled customer, a competitive business actor, an activist group, or an unsophisticated criminal can rent more DDoS attack power than most organizations can withstand without dedicated mitigation infrastructure. FBI and international law enforcement have successfully prosecuted several booter operators and seized infrastructure, but new services replace those taken down.
Availability is not an abstract security metric. For an e-commerce platform, every minute of downtime during peak hours has a calculable revenue cost. For a SaaS company, service unavailability triggers SLA penalties and churn. For a healthcare organization, unavailability of patient record systems can delay clinical decisions. For financial institutions, payment processing unavailability affects customer trust and regulatory standing.
DDoS attacks, unlike ransomware or data breaches, produce their impact immediately and visibly. The attack does not require the attacker to penetrate the target's perimeter or move laterally through the network. The target simply becomes unreachable.
DDoS is increasingly used as one component of multi-stage attacks rather than as a standalone attack. In triple extortion ransomware attacks, DDoS supplements encryption and data exfiltration threats. In nation-state attacks, DDoS has been used to distract incident response teams while more sophisticated intrusion activity occurs in the background. In financial fraud, DDoS attacks on banking infrastructure have been used to cover fraudulent transaction activity that might otherwise trigger fraud detection systems.
The Russian-aligned Killnet group used DDoS extensively in 2022 against NATO member states as a component of information operations accompanying the Ukraine invasion. The attacks were largely disruptive rather than destructive (no significant data was compromised), but they generated disproportionate media attention and diplomatic response.
Amplification attacks are economically asymmetric by design. An attacker who generates 1 Gbps of traffic can produce 51,000 Gbps at the target using memcached amplification, while the attacker's infrastructure cost remains minimal. On-premises mitigation cannot economically scale to that level. Only cloud-based scrubbing services with globally distributed, multi-Tbps aggregate capacity can absorb attacks at the high end of what is currently possible.
DDoS defense maps to two PDM domains, and the failure to address both creates a posture gap that attackers exploit.
SPH (Security Posture and Hygiene) owns the terrain-layer controls that determine how resistant an organization's infrastructure is to attack before mitigation services engage. This includes rate limiting at the application and network layer, SYN cookie configuration on servers and load balancers, elimination of unnecessary open ports and exposed services that increase attack surface, proper DNS configuration to prevent the organization's own resolvers from being used in amplification attacks, and anycast-based infrastructure distribution that limits the impact of volumetric attacks on any single network node.
CDA's Autonomous Posture Command (APC) methodology, with its tagline "Your posture adapts. Your hygiene never sleeps," governs the SPH-layer work. APC-aligned organizations run continuous configuration validation: they know which ports are open, they verify rate limiting is in place, they test SYN cookie behavior, and they validate that their DNS resolvers do not respond to queries from arbitrary sources. These are not one-time configurations. They are continuously validated posture elements.
TID (Threat Intelligence and Defense) owns the atmospheric-layer detection: early warning of DDoS campaigns before they reach the target. Threat intelligence feeds that include DDoS-for-hire activity, dark web forums where attack coordination is discussed, and historical data on groups that have targeted specific sectors allow organizations to anticipate and prepare for attacks. Traffic anomaly detection identifies the early stages of volumetric attacks before they reach full scale, enabling faster escalation to mitigation services.
The practical mitigation architecture for DDoS defense combines multiple layers. Traffic scrubbing centers (operated by Cloudflare, Akamai Prolexic, Radware, and AWS Shield Advanced, among others) sit between the internet and the protected infrastructure, absorbing volumetric attacks by distributing them across globally distributed networks with aggregate capacity measured in tens or hundreds of Tbps. Anycast routing distributes incoming traffic across multiple geographically dispersed network nodes, preventing any single node from being the sole target of a volumetric attack. Cloud-based WAFs with DDoS-aware rate limiting protect the application layer. SYN cookies and connection rate limiting protect the TCP state layer. Upstream network filtering by ISPs or transit providers can drop traffic before it reaches the organization's network.
CDA.Theater missions SPH-R01 and SPH-B01 cover infrastructure hardening and rate limiting configuration. Mission TID-R01 addresses threat intelligence program construction, including DDoS early warning sources.
Written by Evan Morgan