What Is a DDoS Attack? How It Works, Types, and How to Stop One in 2026
Category: Guides
By EthicalHacking.ai
## What Is a DDoS Attack?
A DDoS (Distributed Denial-of-Service) attack is a cyberattack that floods a target server, network, or application with massive amounts of traffic from multiple sources to overwhelm its capacity and make it unavailable to legitimate users. DDoS attacks are one of the most common and disruptive cyber threats — over 13 million DDoS attacks were recorded in 2024 alone, a 20% increase year-over-year, and the largest attacks now exceed 5 Tbps.
*Last updated: March 31, 2026*
---
## How Does a DDoS Attack Work?
A DDoS attack works in three stages. First, an attacker builds or rents a botnet — a network of thousands to millions of compromised devices (computers, IoT devices, servers) infected with malware. Second, the attacker commands the botnet to simultaneously send traffic to the target. Third, the target's bandwidth, CPU, memory, or application resources are exhausted, causing slowdowns or complete outages for legitimate users.
| Stage | What Happens | Scale |
|-------|-------------|-------|
| 1. Botnet assembly | Attacker infects devices with malware or rents a botnet | 10,000 to 10+ million devices |
| 2. Attack command | C2 server directs all bots to flood the target | Coordinated across global IPs |
| 3. Resource exhaustion | Target cannot handle the traffic volume | Seconds to hours of downtime |
The key difference between a DoS and DDoS attack is distribution. A DoS attack comes from a single source and can often be blocked by filtering one IP address. A DDoS attack comes from thousands or millions of distributed sources, making it far harder to mitigate because you cannot simply block all the IPs without also blocking legitimate users.
---
## Types of DDoS Attacks
DDoS attacks fall into three main categories based on which layer of the network stack they target.

| Type | OSI Layer | How It Works | Traffic Volume | Example Attacks |
|------|-----------|-------------|---------------|-----------------|
| Volumetric | Layer 3-4 | Floods bandwidth with massive traffic | Very high (Gbps to Tbps) | UDP flood, DNS amplification, NTP amplification, ICMP flood |
| Protocol | Layer 3-4 | Exploits protocol weaknesses to exhaust server resources | Moderate to high | SYN flood, Ping of Death, Smurf attack, fragmented packet attack |
| Application layer | Layer 7 | Mimics legitimate requests to exhaust application resources | Low volume but high impact | HTTP flood, Slowloris, DNS query flood, API abuse |
### Volumetric Attacks
Volumetric attacks are the most common type, accounting for over 60% of all DDoS attacks. They work by flooding the target's internet connection with more traffic than it can handle. The goal is simple: consume all available bandwidth.
**UDP flood** sends massive volumes of UDP packets to random ports on the target. The server must check for applications listening on each port and respond with ICMP "destination unreachable" packets, consuming resources.
**DNS amplification** exploits open DNS resolvers. The attacker sends small DNS queries with the target's spoofed IP address. The DNS server responds with much larger answers directed at the target — amplification factors of 28-54x are common, meaning a 1 Gbps attack stream can generate 28-54 Gbps hitting the target.
**NTP amplification** exploits the Network Time Protocol's monlist command. Amplification factors reach 556x — one of the highest of any reflection attack.
The largest DDoS attacks on record have all been volumetric: Cloudflare mitigated a 5.6 Tbps attack in late 2024, and attacks exceeding 1 Tbps are now routine.
### Protocol Attacks
Protocol attacks exploit weaknesses in Layer 3 and Layer 4 network protocols to consume server resources or intermediate equipment capacity (firewalls, load balancers).
**SYN flood** is the most well-known protocol attack. It exploits the TCP three-way handshake by sending a flood of SYN (connection initiation) packets but never completing the handshake. The target server allocates resources for each half-open connection until its connection table is exhausted. SYN floods can bring down a server with relatively low traffic volume.
**Ping of Death** sends malformed or oversized ICMP packets that crash the target system. Modern systems are largely patched against this, but variants still appear.
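The half-open connection build-up described for SYN floods can be measured directly from a packet trace. The following detector is an added example (not code from the original article): it tracks TCP handshakes from constructed client-side packet summaries, counts half-open connections per source, and then checks two things a defender cares about, a single loud source (the DoS case) and aggregate backlog pressure from many quiet sources (the DDoS case, where per-IP blocking alone does not help). The backlog size, per-source limit, and the trace itself are assumed sample values.

```python
from collections import defaultdict

def half_open_connections(packets, window_s=3.0):
    """Count SYNs per source IP that the client never completes with an ACK.

    packets: iterable of (time_s, src_ip, src_port, flags) seen from the client
    side, with flags "S" (SYN) or "A" (ACK). A handshake is keyed by
    (src_ip, src_port); a SYN followed by an ACK from the same key within
    window_s is complete, anything else stays half-open and holds a backlog slot.
    """
    pending = {}                    # (ip, port) -> time of the SYN
    for t, ip, port, flags in sorted(packets):
        key = (ip, port)
        if flags == "S":
            pending[key] = t
        elif flags == "A" and key in pending and t - pending[key] <= window_s:
            del pending[key]        # handshake completed in time
    half_open = defaultdict(int)
    for ip, _port in pending:
        half_open[ip] += 1
    return dict(half_open)

def assess(half_open, backlog_size=128, per_source_limit=20):
    """Flag noisy single sources and report whether the aggregate exceeds the backlog.

    backlog_size and per_source_limit are assumed example thresholds.
    """
    total = sum(half_open.values())
    noisy = sorted(ip for ip, n in half_open.items() if n > per_source_limit)
    return {"total_half_open": total,
            "backlog_exhausted": total >= backlog_size,
            "noisy_sources": noisy}

def build_sample_trace():
    """Constructed trace (not a real capture): one legitimate client, one loud
    single source, and 100 distributed bots that each stay under the per-IP limit."""
    pkts = [(0.00, "203.0.113.10", 50000, "S"), (0.02, "203.0.113.10", 50000, "A")]
    # Single-source DoS: 30 SYNs from one IP, never acknowledged.
    pkts += [(0.1 + i * 0.001, "198.51.100.7", 40000 + i, "S") for i in range(30)]
    # Distributed flood: 100 bots with only 2 half-open SYNs each (200 in total).
    for b in range(100):
        ip = f"192.0.2.{b + 1}"
        pkts += [(0.2 + b * 0.001, ip, 40000, "S"), (0.2 + b * 0.001, ip, 40001, "S")]
    return pkts

if __name__ == "__main__":
    print(assess(half_open_connections(build_sample_trace())))
```

In the sample, the per-source rule catches only 198.51.100.7, while the 200 half-open connections spread across the bots still exhaust a 128-entry backlog, which is exactly why distributed attacks need volumetric or stateful mitigation rather than single-IP filtering.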
### Application Layer Attacks
Application layer (Layer 7) attacks are the most sophisticated and hardest to detect because they mimic legitimate user traffic. They target specific applications — web servers, APIs, DNS services — with requests that appear normal but are designed to exhaust backend resources.
**HTTP flood** sends seemingly legitimate HTTP GET or POST requests at a rate the web server cannot handle. Because each request looks normal, traditional volumetric filters miss them entirely.
**Slowloris** opens many connections to the target web server and sends partial HTTP headers very slowly, keeping connections open indefinitely and exhausting the server's connection pool — all with minimal bandwidth.
**API abuse** targets resource-intensive API endpoints (search queries, database lookups, report generation) to exhaust backend compute and database resources. This is increasingly common as organizations expose more APIs.
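Because Layer 7 requests look individually legitimate, detection has to come from request rate and request cost per source rather than from packet volume. The following is an added example (not code from the original article): it parses constructed common-log-format access lines, keeps a sliding window per client IP, and flags an HTTP flood (too many requests in the window) separately from API abuse (few requests, but against endpoints assumed to be expensive for the backend). The endpoint cost weights, thresholds, and log lines are all assumptions built for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [stamp] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Assumed relative backend cost per endpoint; unknown paths cost 1.
ENDPOINT_COST = {"/api/search": 10, "/api/report": 25}

def parse(lines):
    """Yield (ip, epoch_seconds, method, path) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines instead of failing
        ip, stamp, method, target = m.group(1, 2, 3, 4)
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        yield ip, ts, method, target.split("?", 1)[0]

def flag_sources(lines, window_s=10, max_requests=100, max_cost=50):
    """Per-IP sliding window: return {ip: "http_flood" | "api_abuse"}."""
    history = defaultdict(deque)          # ip -> (ts, cost) entries inside the window
    peak = defaultdict(lambda: [0, 0])    # ip -> [max requests, max cost] in any window
    for ip, ts, _method, path in sorted(parse(lines), key=lambda e: e[1]):
        q = history[ip]
        q.append((ts, ENDPOINT_COST.get(path, 1)))
        while q and ts - q[0][0] > window_s:
            q.popleft()                   # drop entries that left the window
        peak[ip][0] = max(peak[ip][0], len(q))
        peak[ip][1] = max(peak[ip][1], sum(c for _, c in q))
    flagged = {}
    for ip, (n, cost) in peak.items():
        if n > max_requests:
            flagged[ip] = "http_flood"
        elif cost > max_cost:
            flagged[ip] = "api_abuse"
    return flagged

def build_sample_log():
    """Constructed log (not real traffic): a normal visitor, a flood, and an API abuser."""
    t0 = datetime(2026, 3, 31, 12, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset_s, path):
        stamp = (t0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'
    lines = [line("203.0.113.10", i * 12, "/") for i in range(5)]          # one page every 12 s
    lines += [line("198.51.100.7", i * 0.05, "/") for i in range(150)]    # 150 hits in 7.5 s
    lines += [line("192.0.2.44", i, "/api/report?id=7") for i in range(8)]  # 8 costly calls in 8 s
    return lines
```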
---
## DDoS Attack Statistics in 2026
| Metric | Value |
|--------|-------|
| Total DDoS attacks (2024) | Over 13 million |
| Year-over-year increase | ~20% |
| Largest recorded attack | 5.6 Tbps (Cloudflare, late 2024) |
| Average attack duration | 30-60 minutes |
| Attacks lasting over 1 hour | ~15% of all attacks |
| Most targeted industries | Gaming, financial services, SaaS, telecom, government |
| Cost of 1 hour downtime (enterprise) | $100,000 - $500,000+ |
| DDoS-for-hire cost | As low as $10-50 per attack |
| Botnet size (large attacks) | 100,000 - 10+ million devices |
| IoT devices in botnets | Over 40% of botnet nodes |
---
## Real-World DDoS Attacks
**GitHub (2018)** — hit with a 1.35 Tbps memcached amplification attack, the largest at the time. GitHub used Akamai Prolexic to mitigate within 10 minutes. No extended outage occurred due to rapid failover.
**AWS (2020)** — Amazon Web Services mitigated a 2.3 Tbps DDoS attack targeting an AWS customer. This was the largest publicly reported attack at the time, using CLDAP (Connection-less Lightweight Directory Access Protocol) reflection.
**Cloudflare (2024)** — mitigated a 5.6 Tbps UDP flood originating from a Mirai-variant botnet of over 13,000 IoT devices. The attack lasted approximately 80 seconds and was automatically detected and mitigated.
**Dyn DNS (2016)** — a Mirai botnet of ~100,000 IoT devices attacked Dyn's DNS infrastructure, taking down Twitter, Netflix, Reddit, Spotify, and dozens of other major sites for hours. This attack demonstrated how DNS dependency creates single points of failure.
**Estonia (2007)** — a sustained multi-week DDoS campaign targeted Estonian government, banking, and media websites during a political dispute. This is considered the first major state-level cyber conflict and led to the establishment of NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn.