DDoS Attacks: How They Work and How to Defend
Distributed Denial-of-Service (DDoS) attacks represent one of the most disruptive threat categories in the cybersecurity landscape, capable of taking critical infrastructure, financial services, and commercial platforms offline within minutes. This page covers the technical mechanics of DDoS attacks, the major attack classifications, the service and regulatory context in which defenders operate, and the decision boundaries that distinguish appropriate defensive tiers. The scope is national, with reference to US federal guidance from CISA and NIST.
Definition and scope
A Distributed Denial-of-Service attack is an attempt to exhaust the resources of a target system — bandwidth, processing capacity, connection state tables, or application threads — by flooding it with traffic originating from a distributed network of compromised or coordinated hosts. CISA defines a DDoS attack as one that "prevents legitimate users from accessing information systems, devices, or other network resources" (CISA, Understanding and Responding to DDoS Attacks).
The threat scope is broad. Financial institutions, DNS infrastructure operators, healthcare networks, and government portals are all documented target categories in CISA advisories. Unlike a standard Denial-of-Service (DoS) attack — which originates from a single source and can be blocked by filtering one IP address — a DDoS attack uses thousands or millions of distributed sources simultaneously, defeating simple source-block countermeasures. The cyber-safety-directory-purpose-and-scope page covers the broader threat landscape this attack category fits within.
NIST SP 800-53 Rev. 5 addresses availability requirements under control family SC (System and Communications Protection) and SI (System and Information Integrity), both of which establish baseline expectations for resilience against volumetric and application-layer disruptions (NIST SP 800-53 Rev. 5).
How it works
DDoS attacks operate across three primary attack vectors, each targeting a different layer of the network stack:
- Volumetric attacks — Saturate available bandwidth by flooding the target with traffic. Measured in gigabits per second (Gbps) or packets per second (pps). DNS amplification attacks, documented in CISA Technical Alert TA13-088A, exploit the asymmetric response size of open DNS resolvers to amplify traffic by factors as high as 70x the original request volume.
- Protocol attacks — Exploit weaknesses in Layers 3 and 4 of the OSI model. SYN flood attacks, for example, exhaust TCP connection state tables by sending large volumes of SYN packets without completing the handshake. ICMP floods and fragmentation attacks fall into this category.
- Application-layer attacks — Target Layer 7 (HTTP/S, DNS, SMTP). These attacks send low-volume but computationally expensive requests designed to exhaust server-side resources — database queries, SSL negotiation cycles, or search functions — while appearing as legitimate traffic. HTTP GET/POST floods are the most documented variant.
The infrastructure enabling DDoS attacks consists primarily of botnets — networks of compromised endpoints (including Internet of Things devices, unpatched servers, and consumer routers) that are remotely directed by a command-and-control (C2) server. Botnets are rented on dark-web marketplaces, lowering the technical barrier to launching large-scale attacks.
Amplification mechanics — Protocol amplification exploits services that return responses significantly larger than the triggering request. UDP-based protocols (DNS, NTP, SSDP, Memcached) are most commonly abused for this purpose. A Memcached amplification attack can theoretically achieve an amplification factor of up to 51,000x, according to analysis published by CISA.
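The volumetric and amplification mechanics above have a recognisable signature on the victim's side: many distinct reflectors, all answering from a reflector service port (DNS, NTP, SSDP, Memcached), send large responses to one host that never queried them. The following is an added example, not code from the page or from CISA/NIST, of the detection logic a defender can run over flow records; the record format, thresholds and sample addresses are constructed assumptions.

```python
"""Flag UDP reflection/amplification floods in flow records (added example, constructed data)."""
from collections import defaultdict

# UDP services commonly abused as reflectors (the ones named in the text above).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}

# Constructed flow records, one per line: proto src_ip src_port dst_ip dst_port bytes packets
SAMPLE_FLOWS = """\
udp 203.0.113.10 53 198.51.100.5 41233 3200 2
udp 203.0.113.11 53 198.51.100.5 41233 3100 2
udp 203.0.113.12 53 198.51.100.5 41233 3300 2
udp 203.0.113.13 53 198.51.100.5 41233 3150 2
udp 203.0.113.14 11211 198.51.100.5 80 1400000 1000
udp 203.0.113.15 11211 198.51.100.5 80 1400000 1000
udp 203.0.113.16 11211 198.51.100.5 80 1400000 1000
udp 192.0.2.7 53 198.51.100.9 50001 120 1
tcp 192.0.2.8 443 198.51.100.9 50002 900 4
"""

def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, nbytes, pkts = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def detect_reflection(flows, min_sources=3, min_bytes=10_000):
    """Group UDP flows whose *source* port is a reflector service by victim address.
    Many distinct reflectors answering one host is the spoofed-source amplification
    signature; a single resolver answering a host it serves (198.51.100.9) is not."""
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "pkts": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        key = (f["dst"], REFLECTOR_PORTS[f["sport"]])
        agg[key]["sources"].add(f["src"])
        agg[key]["bytes"] += f["bytes"]
        agg[key]["pkts"] += f["pkts"]
    alerts = []
    for (dst, service), a in agg.items():
        if len(a["sources"]) >= min_sources and a["bytes"] >= min_bytes:
            alerts.append({"victim": dst, "service": service, "reflectors": len(a["sources"]),
                           "bytes": a["bytes"], "avg_pkt_bytes": a["bytes"] // a["pkts"]})
    return sorted(alerts, key=lambda x: -x["bytes"])  # largest flood first
```

On the sample data the Memcached and DNS reflection floods against 198.51.100.5 are flagged, ordered by volume, while the lone DNS reply to 198.51.100.9 is not.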
NIST SP 800-94 covers intrusion detection and prevention system (IDPS) deployment as a component of DDoS detection at the network perimeter (NIST SP 800-94).
Common scenarios
DDoS attacks manifest differently across sectors, with motivations ranging from financial extortion to political disruption:
Financial services — Banks and payment processors are targeted to extort ransom payments or to mask simultaneous fraud operations. The disruption of authentication portals during a DDoS attack can prevent fraud detection systems from flagging concurrent account takeovers.
DNS infrastructure attacks — Attacks against authoritative or recursive DNS resolvers create cascading availability failures across thousands of downstream services simultaneously. Attacks of this type have taken down major DNS providers, causing extended outages affecting Fortune 500 web properties.
Healthcare and critical infrastructure — CISA's Critical Infrastructure Security guidance identifies 16 critical infrastructure sectors, all of which face elevated DDoS risk. Hospitals, water utilities, and energy grid operators face particular exposure because availability downtime carries direct safety consequences, not only financial losses.
Hacktivist and state-sponsored campaigns — Politically motivated DDoS campaigns have targeted government portals, media outlets, and election infrastructure. The FBI and CISA have jointly issued advisories documenting DDoS activity tied to nation-state actors targeting US federal and state systems.
Gaming and entertainment platforms — High-traffic consumer platforms are frequent targets due to competitive motivations among users and the relatively high visibility of outages.
The cyber-safety-listings page catalogs service providers operating in the DDoS mitigation space across these sectors.
Decision boundaries
Selecting a DDoS defensive posture requires distinguishing between attack categories, organizational risk tolerance, and infrastructure architecture. The following boundaries structure that determination:
On-premises vs. cloud scrubbing — On-premises mitigation appliances (rate limiting, traffic shaping, ACL enforcement) are effective against sub-10 Gbps attacks but are overwhelmed by large volumetric attacks that saturate upstream links before traffic reaches the appliance. Cloud-based scrubbing centers — which reroute traffic through high-capacity filtering infrastructure — are required for attacks exceeding the organization's upstream bandwidth capacity.
Always-on vs. on-demand mitigation — Always-on mitigation routes all traffic through scrubbing infrastructure continuously, minimizing detection and response latency. On-demand mitigation activates only after an attack is detected, introducing a response delay measured in minutes. Organizations with sub-second availability requirements (financial trading platforms, 911 dispatch systems) require always-on architectures.
Volumetric vs. application-layer defenses — Defenses optimized for volumetric attacks (blackhole routing, BGP flowspec, upstream filtering agreements with ISPs) are largely ineffective against Layer 7 attacks, which require application-aware inspection — Web Application Firewalls (WAFs), rate limiting per URI, behavioral baselining — to distinguish attack traffic from legitimate user requests.
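The application-layer floods described under "How it works" and the per-URI rate limiting named here both hinge on one point: a Layer 7 attacker's requests are few in bytes but expensive on the back end, so a defence has to weight requests by cost rather than count packets. The following is an added example, not code from the page or any vendor, of a per-client sliding-window cost budget run over access-log lines; the log lines, URI cost weights, window and budget are constructed assumptions.

```python
"""Per-client, per-URI cost budgeting for HTTP flood detection (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx combined-log style line: client - - [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Assumed cost weights: paths that hit search or authentication back ends count more
# toward the budget than a static asset does.
URI_COST = {"/search": 5, "/login": 3}
DEFAULT_COST = 1

# Constructed log: one client issuing a /search request every second, one browsing normally.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.23 - - [10/Mar/2024:12:00:{s:02d} +0000] "GET /search?q=x{s} HTTP/1.1" 200 8192'
     for s in range(12)]
    + ['192.0.2.44 - - [10/Mar/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 1024',
       '192.0.2.44 - - [10/Mar/2024:12:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
       '192.0.2.44 - - [10/Mar/2024:12:00:09 +0000] "GET /search?q=ddos HTTP/1.1" 200 8192'])

def parse_log(text):
    """Yield (client_ip, epoch_seconds, uri_path) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status, _size = m.groups()
        uri = target.split("?", 1)[0]           # rate-limit on the path, not the query string
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        yield ip, when, uri

def find_floods(text, window_s=10, budget=20):
    """Sliding-window weighted budget per client. Returns {client: peak window cost}
    for every client whose cost inside any window_s-second window exceeded budget."""
    hits = defaultdict(deque)     # client -> deque of (time, cost) still inside the window
    spend = defaultdict(int)      # client -> cost currently inside the window
    flagged = {}
    for ip, when, uri in sorted(parse_log(text), key=lambda r: r[1]):
        cost = URI_COST.get(uri, DEFAULT_COST)
        hits[ip].append((when, cost))
        spend[ip] += cost
        while hits[ip] and when - hits[ip][0][0] >= window_s:   # evict expired events
            spend[ip] -= hits[ip].popleft()[1]
        if spend[ip] > budget:
            flagged[ip] = max(flagged.get(ip, 0), spend[ip])
    return flagged
```

The /search client crosses the budget after five requests even though it sends fewer bytes than a normal page load; the browsing client stays well under it.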
Regulatory baseline requirements — NIST SP 800-53 Rev. 5 control SC-5 (Denial-of-Service Protection) specifically requires organizations to implement controls that protect against or limit the effects of DDoS attacks, with the implementation tier calibrated to system impact level (Low, Moderate, High) under Federal Information Processing Standard (FIPS) 199 (FIPS 199, NIST). Organizations subject to HIPAA must also demonstrate availability safeguards under the Security Rule's technical safeguard requirements at 45 CFR § 164.312.
The how-to-use-this-cyber-safety-resource page outlines how the broader service directory is structured for organizations navigating mitigation vendor selection and regulatory alignment.
References
- CISA — Understanding and Responding to Distributed Denial-of-Service Attacks
- CISA Technical Alert TA13-088A — DNS Amplification Attacks
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-94 — Guide to Intrusion Detection and Prevention Systems (IDPS)
- FIPS 199 — Standards for Security Categorization of Federal Information and Information Systems
- 45 CFR § 164.312 — HIPAA Security Rule Technical Safeguards (eCFR)
- CISA Critical Infrastructure Security and Resilience