How Does a DDoS Attack Work? Attack Types & Prevention

Learn how DDoS attacks work, the attack types used, and how to protect networks from disruption.

A plain-language breakdown of how distributed denial of service attacks are built, launched, and what your network can do to reduce exposure.
Key Points
  • A distributed denial of service (DDoS) attack floods a target server, network, or application with traffic from many compromised machines simultaneously.
  • Attackers build a botnet (a network of malware-infected devices) and then direct it to overwhelm a target using one of three attack categories: volumetric, protocol, or application-layer.
  • The three main DDoS attack types differ in what they exhaust: bandwidth, network-layer state tables, or web server compute resources.
  • Network access control and certificate-based device authentication prevent compromised devices on your network from joining a botnet and being weaponized against others.

When a website goes dark for hours, or an online service becomes unreachable, a DDoS attack is often the cause. Understanding how a DDoS attack works, and which stages make it destructive, is the first step toward defending against one.

Small and midsize businesses spend an average of $120,000 to recover from a single DDoS attack, and the volume of these attacks is accelerating fast.

This guide covers how DDoS attacks are built and launched, the three main attack types, and what your network can do to reduce exposure, including making sure the devices on your own network are never used as weapons against someone else.

What Is a DDoS Attack?

A distributed denial of service (DDoS) attack is a type of denial of service attack that uses multiple hosts to simultaneously attack a single target.

In practice, this means an attacker coordinates hundreds, thousands, or even millions of machines to flood a target with traffic, connection requests, or malformed packets until that target becomes unresponsive or crashes entirely. Legitimate users are denied access because the server’s resources are completely consumed.

DDoS attacks have grown dramatically in scale. Cloudflare mitigated a record 31.4 Tbps attack in Q4 2025, and the total number of DDoS incidents grew 121% year over year in 2025 to 47.1 million attacks.

DoS vs. DDoS: What’s the Difference?

The two attacks share the same goal: knocking a target offline. They differ in scale and in how difficult they are to stop.

A DoS attack originates from a single source: one machine flooding one target. Because the attack is constrained by the bandwidth of that single device, it is relatively straightforward to block by identifying and filtering the originating IP address.

A DDoS attack is harder to stop because it distributes the attack across many sources. Traffic comes from potentially millions of different IP addresses scattered across the globe, making simple IP-blocking ineffective. The attacking machines are typically not the attacker’s own devices; they are compromised third-party systems the attacker controls remotely.

How Does a DDoS Attack Work? Step by Step

A DDoS attack follows a consistent pattern regardless of type. Understanding each stage helps explain why these attacks are both powerful and difficult to attribute.

Stage 1: Building the Botnet

A botnet is a network of computers that have been compromised by malware and linked together so an attacker, or “bot-herder,” can control them remotely.

Attackers infect machines by exploiting software vulnerabilities, deploying phishing campaigns, or using malware distributed through compromised websites. Any internet-connected device is a potential recruit: laptops, smartphones, routers, IP cameras, and internet of things (IoT) sensors. The device owner typically has no idea their system has been compromised.

Stage 2: Command and Control

Once the botnet is assembled, the attacker uses a command-and-control (C2) server to direct the infected machines. The C2 server sends instructions to each bot simultaneously, specifying the target address, attack type, attack duration, and traffic volume. Modern botnets often use peer-to-peer (P2P) architectures to make the C2 infrastructure harder to dismantle, since there is no single point to shut down.

Stage 3: Attack Launch and Traffic Flooding

At the attacker’s command, every infected device in the botnet begins sending traffic toward the target. The cumulative effect quickly overwhelms the target’s bandwidth, processor capacity, or connection state tables. Legitimate users find the service slow or entirely unreachable.

Attacks can last minutes, hours, or days. Multi-wave attacks are common: the attacker backs off, then resumes once defensive measures are relaxed, or shifts to a different attack vector to bypass newly applied filters.

Understanding the Three DDoS Attack Types

Industry analysts and standards bodies classify DDoS attacks into three categories based on what they exhaust. Understanding the distinction matters because each requires different defensive measures.

Attack Type        | OSI Layer(s) | What It Exhausts             | Example Technique
-------------------|--------------|------------------------------|-----------------------------
Volumetric         | Layer 3/4    | Available bandwidth          | UDP Flood, DNS Amplification
Protocol           | Layer 3/4    | Connection state tables      | SYN Flood, Smurf Attack
Application-layer  | Layer 7      | Web server compute resources | HTTP Flood

Volumetric Attacks

Volumetric attacks aim to saturate a target’s available bandwidth by sending massive volumes of traffic, often measured in gigabits or terabits per second. The goal is to consume so much network capacity that no legitimate traffic can get through.

UDP Flood: Attackers send large quantities of user datagram protocol (UDP) packets to random ports on a target server. Because UDP is a connectionless protocol, the server must check each port for a listening application and send a response for every packet that has none. The process quickly exhausts server resources.

DNS Amplification: The attacker sends small queries to open DNS resolvers, spoofing the victim’s IP address as the source. The resolvers then send their large responses to the victim, flooding the victim with a traffic volume significantly beyond what the attacker alone could generate.

Protocol Attacks

Protocol attacks, also called network-layer or Layer 3/4 attacks, target the state tables that network infrastructure maintains to track open connections. Rather than saturating bandwidth, these attacks exhaust the connection-tracking capacity of firewalls, load balancers, and servers.

SYN Flood: A SYN flood exploits the TCP three-way handshake. The attacker sends a high volume of SYN (synchronize) packets with spoofed source IPs. The server responds with SYN-ACK packets and allocates resources for each half-open connection, waiting for the final ACK that never arrives. The backlog queue fills and the server can no longer accept legitimate new connections.

Smurf Attack: This method broadcasts ICMP echo requests to a network, spoofing the victim’s IP as the source. Every device on the network responds directly to the victim, amplifying traffic from a single attacker into a large-scale flood.
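The half-open connection backlog described in the SYN flood paragraph is visible from the defender's side in the host's TCP connection table. The following script is an added example written for this article (it is not code from the page or from SecureW2): it parses a constructed snapshot in the format printed by the Linux `ss -tan` command, counts SYN-RECV (half-open) versus ESTAB (established) sockets per local port, and flags a port whose half-open backlog is both large and out of proportion to its established sessions. The thresholds and the sample addresses are assumptions for illustration.

```python
"""Flag SYN-flood symptoms from a snapshot of the TCP connection table.

Added example (not from the original article). It parses lines in the
format printed by `ss -tan` on Linux and reports, per local port, how many
connections are stuck half-open (SYN-RECV) versus fully established (ESTAB).
Many half-open sockets from many distinct peers, with few established ones,
is the SYN-flood signature described in the text.
"""
from collections import defaultdict

# Constructed sample of `ss -tan` output (not a real capture): one established
# session and five half-open ones on port 443, each from a different peer.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      10.0.0.5:443        203.0.113.9:50111
SYN-RECV  0      0      10.0.0.5:443        198.51.100.1:40001
SYN-RECV  0      0      10.0.0.5:443        198.51.100.2:40002
SYN-RECV  0      0      10.0.0.5:443        198.51.100.3:40003
SYN-RECV  0      0      10.0.0.5:443        198.51.100.4:40004
SYN-RECV  0      0      10.0.0.5:443        198.51.100.5:40005
ESTAB     0      0      10.0.0.5:22         203.0.113.9:50112
"""


def parse_ss(text):
    """Yield (state, local_port, peer_ip) tuples from `ss -tan` text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip blank and header rows
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_report(text):
    """Return {port: {"half_open": n, "established": m, "peers": k}}.

    `peers` is the number of distinct peer addresses among the half-open
    sockets; a flood with spoofed sources shows one peer per socket.
    """
    report = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for state, port, peer in parse_ss(text):
        if state == "SYN-RECV":
            report[port]["half_open"] += 1
            report[port]["peers"].add(peer)
        elif state == "ESTAB":
            report[port]["established"] += 1
    return {p: {**v, "peers": len(v["peers"])} for p, v in report.items()}


def suspect_syn_flood(text, min_half_open=5, ratio=2.0):
    """Ports whose half-open backlog is at least `min_half_open` and at least
    `ratio` times the established count. Thresholds are illustrative; tune
    them to the host's normal baseline."""
    flagged = []
    for port, stats in half_open_report(text).items():
        if (stats["half_open"] >= min_half_open
                and stats["half_open"] >= ratio * max(stats["established"], 1)):
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    for port, stats in sorted(half_open_report(SAMPLE_SS_OUTPUT).items()):
        print(port, stats)
    print("suspect SYN flood on ports:", suspect_syn_flood(SAMPLE_SS_OUTPUT))
```

On a real host the same check runs against live `ss -tan` output; the usual kernel-side mitigation on Linux is SYN cookies (the net.ipv4.tcp_syncookies sysctl), which lets the server keep answering handshakes without holding backlog state for each half-open connection.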

Application-Layer Attacks

Application-layer attacks, sometimes called Layer 7 DDoS attacks, target the application tier rather than network bandwidth or state tables.

HTTP Flood: The attacker sends a massive number of seemingly legitimate HTTP GET or POST requests to a web server, exhausting its processing capacity. Because the requests look like normal user traffic, they are harder to filter than raw UDP floods.

Application-layer attacks are particularly difficult to defend against because the malicious traffic is designed to look like legitimate requests. A single attacker can trigger database queries, search operations, or API calls that consume far more server resources than a simple network packet.

How to Detect a DDoS Attack

Recognizing a DDoS attack in progress is not always obvious. Common warning signs include:

  • Unusual traffic spikes: Traffic volume suddenly increases far beyond normal peaks, often from a geographically diverse set of source addresses.
  • Slow or unavailable services: Web pages, APIs, or applications become sluggish or stop responding entirely.
  • Abnormal request patterns: Requests cluster around specific endpoints, such as a login page or a single API route, at rates no human population would generate.
  • Resource exhaustion on infrastructure: Firewalls, load balancers, or servers show CPU or memory saturation without a clear application-side cause.

Modern traffic analysis tools and anomaly detection can identify these patterns early, but the window between detection and response is often short; attacks can saturate a target in seconds.
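The warning signs listed above can be checked directly against web-server access logs. The script below is an added example for this article (not code from the page or from SecureW2): it parses constructed log lines in the common log format written by Nginx and Apache, computes request rate, distinct client addresses, and the share of requests landing on the busiest path for a time window, and compares the window against a quiet baseline. The sample traffic, the 5x spike factor, and the 80% clustering threshold are assumptions chosen for illustration.

```python
"""Spot the DDoS warning signs above in web-server access logs.

Added example, not code from the article or from SecureW2. It parses
constructed lines in the common log format written by Nginx and Apache and
checks three of the signs listed above against a baseline window: a
request-rate spike, a jump in distinct source addresses, and requests
clustering on one endpoint. Thresholds are illustrative.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# One access-log line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def window_stats(lines):
    """Requests per second, distinct client IPs and share of the busiest path."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {"rps": 0.0, "unique_ips": 0, "top_path": None, "top_path_share": 0.0}
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
    top_path, top_n = Counter(r["path"] for r in recs).most_common(1)[0]
    return {
        "rps": len(recs) / max(span, 1.0),   # treat sub-second windows as 1 s
        "unique_ips": len({r["ip"] for r in recs}),
        "top_path": top_path,
        "top_path_share": top_n / len(recs),
    }


def flag_anomalies(window, baseline, spike_factor=5.0, cluster_share=0.8):
    """Names of the warning signs present in `window` relative to `baseline`."""
    reasons = []
    if window["rps"] >= spike_factor * max(baseline["rps"], 0.01):
        reasons.append("traffic_spike")
    if window["unique_ips"] >= spike_factor * max(baseline["unique_ips"], 1):
        reasons.append("many_new_sources")
    if window["top_path_share"] >= cluster_share and window["rps"] > baseline["rps"]:
        reasons.append("endpoint_cluster:" + window["top_path"])
    return reasons


# --- constructed sample data (not real traffic) ---------------------------
T0 = datetime(2026, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def _mk(ip, ts, path, method="GET", status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'


# Quiet minute: 10 requests from 3 clients spread over four pages.
BASELINE_LINES = [
    _mk(f"203.0.113.{1 + i % 3}", T0 + timedelta(seconds=6 * i),
        ["/", "/about", "/login", "/api/items"][i % 4])
    for i in range(10)
]
# Later window: 60 requests in about 6 s from 60 different addresses, 90% of them
# POST /login, i.e. the HTTP-flood pattern described above.
ATTACK_LINES = [
    _mk(f"198.51.100.{1 + i}", T0 + timedelta(minutes=5, milliseconds=100 * i),
        "/login" if i % 10 else "/", method="POST" if i % 10 else "GET")
    for i in range(60)
]

if __name__ == "__main__":
    base = window_stats(BASELINE_LINES)
    now = window_stats(ATTACK_LINES)
    print("baseline:", base)
    print("window  :", now)
    print("flags   :", flag_anomalies(now, base))
```

In practice the baseline comes from a rolling history rather than a single quiet minute, and the check runs per window on a schedule measured in seconds, since, as the text notes, the gap between detection and saturation is short.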

How to Prevent DDoS Attacks

No single measure fully neutralizes DDoS risk. Effective prevention strategies use multiple controls, including:

  • Rate limiting: Cap the number of requests a single source IP can make per second to reduce the impact of volumetric and HTTP flood attacks.
  • Traffic scrubbing: Route traffic through a scrubbing center that distinguishes legitimate packets from attack traffic before forwarding clean traffic to the origin.
  • Anycast diffusion: Distribute traffic across multiple global points of presence so no single server absorbs the full attack volume.
  • Firewall rules and access control lists (ACLs): Block known bad IP ranges and limit which protocols and ports are exposed to the internet.
  • Over-provisioning bandwidth: Maintain reserve capacity above normal peak load to provide time to activate other mitigations before a service degrades.

How Device Identity Reduces Your Botnet Exposure

Botnets don’t only recruit devices from outside your organization — compromised machines inside your network can send attack traffic outward, contribute to amplification attacks, and serve as pivot points for deeper intrusion.

Controlling which devices can join your network in the first place is one of the most effective ways to reduce your vulnerability. Device identity and network access control (NAC) directly determine which machines are allowed on your network.

Certificate-based 802.1X authentication, enforced through JoinNow Cloud RADIUS, addresses this at the point of entry. Every device must present a valid cryptographic certificate issued by JoinNow Dynamic PKI to gain network access. A device with an expired, revoked, or absent certificate cannot join; it is blocked at authentication, before it can communicate with anything on the network.

This posture-at-authentication model means a compromised device that lacks a current certificate (or one that has been revoked for falling out of compliance) simply cannot connect. It cannot send botnet traffic from inside your network, and it cannot reach internal services that could be amplified or weaponized.

For a deeper look at how 802.1X network admission works, see our guide to 802.1X authentication configuration. For context on how MAC address spoofing intersects with these controls, read our post on how MAC spoofing attacks work.

Protect Your Network from DDoS Attacks With SecureW2

DDoS attacks start with someone else’s compromised device. The best defense is making sure none of those compromised devices belong to your network. Certificate-based authentication with real-time compliance checking gives IT teams confidence that every connected device is known, managed, and authorized.

Schedule a demo to see how JoinNow Cloud RADIUS and JoinNow Dynamic PKI enforce device identity at authentication and keep your network from contributing to the next wave of botnet traffic.

Frequently Asked Questions

How long do DDoS attacks last?

Attack duration varies widely. Short attacks last a few minutes and are often used to test defenses or distract security teams from another intrusion. Sustained attacks targeting public services or high-profile infrastructure can continue for hours or days. Multi-wave attacks, where attackers pause, monitor the target’s response, and resume, can extend effective disruption across days or weeks. Recovery time depends on the attacker’s persistence, the target’s mitigation capacity, and how quickly scrubbing services can clean traffic.

Is a DDoS attack illegal?

Yes. Launching a DDoS attack is a criminal offense in most jurisdictions. In the United States, it falls under the Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized impairment of protected computers. Similar statutes exist in the European Union, the United Kingdom, and most other countries. Penalties can include significant prison time and fines. Purchasing DDoS-as-a-service, commonly sold as “booter” or “stresser” services, is also illegal under the same statutes.

What is the difference between a DoS attack and a DDoS attack?

A denial of service (DoS) attack originates from a single machine. A DDoS attack coordinates many compromised machines simultaneously. The practical difference is one of scale and defensibility: a DoS source can be identified and blocked by IP address, while DDoS traffic arrives from thousands of distributed sources that cannot all be blocked without also blocking legitimate users. DDoS attacks are generally far more difficult to mitigate and cause greater disruption.

What is a botnet, and how does it relate to DDoS attacks?

A botnet is a collection of internet-connected devices (computers, smartphones, routers, IoT devices) that have been infected with malware and are remotely controlled by an attacker without the owners’ knowledge. Botnets are the primary infrastructure behind volumetric and protocol DDoS attacks. The attacker’s C2 server directs all infected devices to send traffic toward a target simultaneously, producing attack volumes no single machine could generate alone.

How can you tell if you’re being DDoSed?

The clearest signal is a sudden, severe drop in service availability accompanied by a spike in inbound traffic that bears no relation to legitimate usage patterns. Network monitoring tools that establish baseline traffic profiles can flag anomalies automatically. Internet service providers (ISPs) and cloud-based mitigation services often detect these patterns upstream, before traffic reaches the origin server. If your web application becomes unreachable while your infrastructure logs show massive connection or bandwidth spikes from geographically diverse sources, a DDoS attack is a likely explanation.