What Is a DDoS Attack? Types, Examples, Defense
A distributed denial-of-service (DDoS) attack is an attempt to make a service unavailable by overwhelming it with traffic sent from thousands of compromised machines, usually a botnet, at the same time.
In Q4 2025 Cloudflare mitigated a single attack that peaked at 31.4 terabits per second. It lasted about 35 seconds. To put that in scale, that is more traffic in half a minute than most enterprises move in a day, all of it aimed at one target by a coordinated swarm of compromised machines. That swarm, and the fact that the flood arrives from tens of thousands of sources at once, is what separates a distributed denial-of-service attack from an ordinary denial-of-service one.
A distributed denial-of-service (DDoS) attack is an attempt to make a service unavailable by overwhelming it with traffic sent from many machines at the same time. The "distributed" part is the whole point. A plain denial-of-service attack comes from one source, which makes it easy to block with a single firewall rule. A DDoS attack comes from thousands of sources at once, usually a botnet of hijacked devices, so there is no single address to block and the defender has to separate attack traffic from legitimate users in real time. This guide covers what a DDoS attack is, the three categories every defender should be able to name, the record-setting cases worth knowing, how the attacks map to MITRE ATT&CK, and how mitigation actually works. For the single-source case and the general definition, see the dedicated denial-of-service (DoS) article; this piece stays on the distributed, botnet-driven attack.
What is a DDoS attack?
A DDoS attack works by exhausting a finite resource. Every online service has limits: bandwidth on its uplink, connection slots in its TCP stack, worker threads in its application, memory, CPU. The attacker's goal is to consume one of those limits completely so that legitimate requests get dropped. The service does not need to be breached or have data stolen. It just needs to be too busy to answer.
The distinction from a plain DoS attack is mechanical, not just a matter of degree. A single-source flood saturates whatever bandwidth that one machine can produce, and a defender drops it by blocking one IP. A DDoS attack spreads the source across thousands of machines, so the aggregate volume can be orders of magnitude larger and no single block stops it. The attacker also hides among the crowd: when each bot sends a small, plausible-looking slice of the flood, telling attacker from customer becomes the hard problem.
The firepower almost always comes from a botnet. The operator infects a fleet of devices, anything from Windows desktops to home routers, IP cameras, and cloud virtual machines, then issues one command and every bot opens fire at the same target simultaneously. The 2025 record-setting campaigns were driven by botnets built from compromised consumer devices, including a wave of hijacked Android TV boxes. Renting that firepower is a commodity: booter and stresser services sell DDoS-on-demand by the minute, which is why the barrier to launching one is low and the volume available keeps climbing.
Three things define the impact: the volume of traffic, the number of sources it comes from, and the layer of the stack it targets. That last one, the layer, is how defenders classify the attack and decide how to fight it.
The three types of DDoS attack
Every DDoS attack falls into one of three categories, defined by which layer of the network stack it tries to exhaust. The category determines the signature, the volume profile, and the mitigation. Getting the category right is the first move in any DDoS response, so this is the model to know cold.
Volumetric attacks aim to saturate bandwidth. They generate so much raw traffic that the target's internet uplink fills and legitimate packets cannot get through, like a traffic jam that blocks the on-ramp before anyone reaches the building. Volume is measured in bits per second. The signature technique is reflection and amplification: the attacker sends small spoofed requests to misconfigured third-party servers using the victim's IP as the return address, and those servers reply with much larger responses aimed at the victim. DNS amplification (roughly 28 to 54 times the request size) and NTP amplification (around 556 times) are the classic vectors. Memcached reflection is the extreme case, with an amplification factor reported up to about 51,000 times, which is what made the 2018 GitHub attack possible. A plain UDP flood is the simpler volumetric form.
Protocol attacks, also called state-exhaustion attacks, target the connection-tracking resources of servers, load balancers, and firewalls rather than raw bandwidth. The textbook example is the SYN flood: the attacker opens half-finished TCP handshakes by the thousand, sending the opening SYN but never completing the connection, so the target fills its table of pending connections and has no slots left for real clients. These attacks are measured in packets per second, because the damage is in the count of connection attempts, not the byte volume. The Ping of Death, a malformed oversized packet that crashed older stacks, is the legacy member of this family; modern systems are patched against the original, though unpatched embedded and IoT devices can still fall to malformed-packet attacks.
Application-layer attacks, or Layer 7 attacks, target the application itself, the web server or API at the top of the stack. The signature is the HTTP flood: a torrent of requests that look exactly like legitimate page loads or API calls, each one cheap for a bot to send but expensive for the server to answer because it triggers database queries, rendering, or backend calls. These attacks are measured in requests per second and are the hardest to mitigate, because every request is individually valid and there is no malformed packet or spoofed address to filter on. The HTTP/2 Rapid Reset attacks of late 2023 (CVE-2023-44487) were the most severe of this class on record.
| Category | Targets | Measured in | Example techniques | Mitigation focus |
|---|---|---|---|---|
| Volumetric | Bandwidth / uplink | Bits per second (bps) | UDP flood, DNS/NTP/memcached amplification | Absorb or scrub upstream; block spoofed reflection |
| Protocol (state-exhaustion) | Connection tables (servers, firewalls, load balancers) | Packets per second (pps) | SYN flood, Ping of Death (legacy) | SYN cookies, stateful filtering, rate limits |
| Application-layer (Layer 7) | The web app / API | Requests per second (rps) | HTTP flood, HTTP/2 Rapid Reset | Behavioral analysis, challenge/CAPTCHA, WAF |
The practical point: a 2 Tbps volumetric flood and a 200-million-request-per-second Layer 7 flood are both DDoS attacks, but they break different things and you fight them with different controls. Volume gets absorbed and scrubbed upstream. State exhaustion gets countered at the protocol level. Application floods get sorted by behavior, because the packets themselves look fine.
DDoS attacks that set records
Names and numbers matter here, because these cases define the scale defenders plan for and they show up in threat reports and exam questions. The figures below are pinned to primary sources.
The Dyn attack (October 21, 2016). A Mirai-based botnet of compromised IoT devices flooded the DNS provider Dyn using an estimated 100,000 malicious endpoints, knocking Twitter, Reddit, Netflix, Spotify, GitHub, and PayPal offline across the eastern United States. It is the case that taught the industry that consumer IoT junk, cameras and routers running default passwords, was enough raw material to take down core internet infrastructure. The same Mirai lineage hit security journalist Brian Krebs with a roughly 620 Gbps attack in September 2016.
The GitHub memcached attack (February 28, 2018). GitHub absorbed a 1.35 Tbps volumetric flood, the largest recorded at the time, built entirely on memcached reflection. The attackers abused thousands of exposed memcached servers as amplifiers, turning small spoofed requests into a flood up to roughly 51,000 times larger. GitHub stayed down for under ten minutes because it routed traffic through an upstream scrubbing service. It is the textbook reflection-amplification case.
The AWS CLDAP attack (February 2020). AWS reported mitigating a 2.3 Tbps reflection attack abusing CLDAP servers, disclosed in its Q1 2020 threat report and roughly 44 percent larger than any network volumetric event the service had seen before. It held the public bandwidth record for several years.
HTTP/2 Rapid Reset (October 2023). A new application-layer technique, tracked as CVE-2023-44487, abused the HTTP/2 stream-cancellation feature to make servers do work and then immediately throw it away, at scale. Google measured a peak of 398 million requests per second, the largest Layer 7 attack on record at disclosure; Cloudflare measured 201 million and AWS 155 million. It is the clearest recent proof that requests per second, not raw bandwidth, is where the application-layer fight is won or lost.
The 2025 multi-terabit records. Bandwidth records have climbed fast: 3.8 Tbps mitigated by Cloudflare in October 2024, and then a series of escalations through 2025 culminating in a 31.4 Tbps attack disclosed in Cloudflare's Q4 2025 threat report, the current public record. A December 2025 campaign attributed to the Aisuru-Kimwolf botnet, built largely from compromised Android TV devices, peaked around 24 Tbps. The trend line is the takeaway: botnet firepower is growing faster than most single targets can absorb alone, which is why upstream mitigation has become the default.
MITRE ATT&CK mapping
DDoS behavior maps cleanly onto ATT&CK, which lets you turn "this looks like a flood" into specific, named techniques for detection and reporting.
- Impact (TA0040) is the tactic. The attacker's objective is availability, not access or theft.
- Network Denial of Service (T1498) covers volumetric and protocol floods that exhaust network bandwidth or device resources. Its sub-techniques are Direct Network Flood (T1498.001), traffic sent straight from the sources, and Reflection Amplification (T1498.002), the spoofed-request amplification used in the DNS, NTP, memcached, and CLDAP cases above.
- Endpoint Denial of Service (T1499) covers attacks that exhaust the resources of a specific service or host, which is where application-layer HTTP floods and SYN-flood state exhaustion sit.
If your detections and reporting cover T1498 with both sub-techniques plus T1499, you are covering the full DDoS surface regardless of which specific vector you are facing.
How to detect and mitigate a DDoS attack
A DDoS attack is loud by nature, so detection is rarely the hard part; the hard part is separating attack traffic from real users fast enough to keep the service up. Mitigation is a layered job, and the layer that matters depends on the attack category.
Detection. The first signals are operational: a sudden, unexplained spike in traffic, a service slowing or timing out, and a flood concentrated from unusual geographies or toward a single endpoint. Baselining normal traffic is what makes the spike obvious, and netflow and traffic-analysis tooling surfaces the volume anomaly and the spread of sources. An intrusion detection system tuned for flood signatures and rate anomalies flags protocol and volumetric attacks early, before the uplink saturates.
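The baseline-and-spike logic described above, as an added example that is not code from the original article: it replays NetFlow-style records, learns a per-second baseline for one destination, and flags seconds where bytes, packets or distinct sources jump well above it. The category hint uses two signals the text names, UDP traffic arriving from the classic reflector ports (DNS, NTP, CLDAP, memcached) and a packet count that outgrows byte volume. Flow records, the target address and the thresholds are constructed assumptions; application-layer floods are not visible at this level and need request logs instead.

```python
"""Flow-level DDoS signal detection over NetFlow-style records.

Added example, not code from the original article. All flow records are
constructed sample data; thresholds are assumptions to be tuned per site.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

VICTIM = "203.0.113.10"                                   # constructed target address
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch second the flow was observed in
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    nbytes: int
    packets: int


def bucket(flows):
    """Aggregate per (dst, second): bytes, packets, distinct sources, bytes from reflector ports."""
    agg = defaultdict(lambda: {"bytes": 0, "pkts": 0, "srcs": set(), "refl": 0})
    for f in flows:
        a = agg[(f.dst, f.ts)]
        a["bytes"] += f.nbytes
        a["pkts"] += f.packets
        a["srcs"].add(f.src)
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:   # "replies" from DNS/NTP/CLDAP/memcached
            a["refl"] += f.nbytes
    return agg


def baseline(agg, dst, train_secs):
    """Mean bytes/s, packets/s and distinct sources/s for dst over the training seconds."""
    rows = [agg.get((dst, t), {"bytes": 0, "pkts": 0, "srcs": set()}) for t in train_secs]
    return {"bytes": mean(r["bytes"] for r in rows),
            "pkts": mean(r["pkts"] for r in rows),
            "srcs": mean(len(r["srcs"]) for r in rows)}


def assess(agg, dst, ts, base, factor=5.0):
    """Flag one second if any metric exceeds `factor` x baseline, with a category hint."""
    a = agg.get((dst, ts))
    if a is None:
        return None
    obs = {"bytes": a["bytes"], "pkts": a["pkts"], "srcs": len(a["srcs"])}
    ratio = {k: obs[k] / max(base[k], 1.0) for k in obs}
    if max(ratio.values()) < factor:
        return None
    # Heuristics only: flow data cannot see HTTP, so Layer 7 floods need request logs, not this.
    if a["refl"] / max(a["bytes"], 1) > 0.5:
        hint, tech = "volumetric (reflection/amplification)", "T1498.002"
    elif ratio["pkts"] > ratio["bytes"]:
        hint, tech = "protocol / state-exhaustion (packet count outgrows byte volume)", "T1499"
    else:
        hint, tech = "volumetric (direct flood)", "T1498.001"
    return {"dst": dst, "ts": ts, "bits_per_s": obs["bytes"] * 8, "pkts_per_s": obs["pkts"],
            "sources": obs["srcs"], "category_hint": hint, "attack_technique": tech}


def sample_flows():
    """Constructed telemetry: 60 s of normal traffic, then a reflection second and a SYN-flood second."""
    flows = []
    for t in range(62):                                   # legitimate HTTPS clients every second
        for i in range(20):
            flows.append(Flow(t, f"10.0.0.{i + 1}", 40000 + i, VICTIM, 443, "tcp", 1500, 10))
    for i in range(5000):                                 # t=60: large UDP "replies" from many resolvers
        flows.append(Flow(60, f"198.51.{i // 256}.{i % 256}", 53, VICTIM, 33000 + i % 1000, "udp", 4000, 3))
    for i in range(3000):                                 # t=61: tiny TCP packets from many sources
        flows.append(Flow(61, f"192.0.{i // 256}.{i % 256}", 50000 + i % 10000, VICTIM, 443, "tcp", 60, 1))
    return flows


def run():
    """Replay the sample telemetry and return the list of flagged seconds."""
    agg = bucket(sample_flows())
    base = baseline(agg, VICTIM, range(60))
    findings = []
    for t in range(62):
        f = assess(agg, VICTIM, t, base)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The ATT&CK IDs in the output are the ones the mapping section of this article names; the ratio threshold and the "more than half the bytes come from reflector ports" rule are starting points, not tuned values.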
Absorb and scrub (volumetric). You cannot block a multi-terabit flood at your own firewall, because the flood fills the pipe before it reaches you. Volumetric defense happens upstream: traffic is routed to a scrubbing provider or content delivery network with enough aggregate capacity to absorb the flood, clean out the attack packets, and forward only legitimate traffic. Anycast networks spread the incoming flood across many data centers so no single location takes the full hit. This is why large volumetric attacks are mitigated by providers, not by the target's own edge.
Filter at the protocol level (state-exhaustion). SYN floods are countered with SYN cookies, which let the server validate a handshake without holding state for every half-open connection, plus stateful filtering and connection rate limits on firewalls and load balancers. The goal is to refuse to allocate a resource until the client proves it is real.
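The SYN-cookie idea above, as an added example that is not code from the article or any real TCP stack: the server's initial sequence number is built from a slow timestamp counter, a small MSS index and a keyed hash of the connection 4-tuple, so the returning ACK can be verified by recomputation and no half-open entry is ever stored. The secret key, the 64-second tick, the MSS table and the sample addresses and ports are constructed assumptions.

```python
"""SYN cookies: validating a TCP handshake without storing half-open state.

Added example, not code from the article or from any real TCP stack. Layout of
the 32-bit initial sequence number (ISN): top 5 bits a slow timestamp counter,
next 3 bits an index into a small MSS table, low 24 bits a keyed hash of the
4-tuple and the counter. Secret, tick length and sample values are assumptions.
"""
import hashlib
import hmac
import os
import time

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit field can encode
SECRET = os.urandom(32)               # per-process key (assumption; real stacks rotate it)
TICK_SECONDS = 64                     # how long one counter value is valid
MAX_AGE_TICKS = 1                     # accept the current tick and the previous one


def _tick(now):
    return int((time.time() if now is None else now) // TICK_SECONDS)


def _hash24(saddr, daddr, sport, dport, tick):
    """3-byte keyed hash binding the cookie to the 4-tuple and the counter value."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(saddr, daddr, sport, dport, client_mss, now=None):
    """Build the ISN for the SYN-ACK. The server stores nothing for this client."""
    tick = _tick(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest encodable MSS not above the client's offer
        if mss <= client_mss:
            mss_idx = i
    h = int.from_bytes(_hash24(saddr, daddr, sport, dport, tick), "big")
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | h


def check_cookie(saddr, daddr, sport, dport, ack_num, now=None):
    """Verify the client's ACK (ack_num == ISN + 1). Returns the negotiated MSS, or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    current = _tick(now)
    for age in range(MAX_AGE_TICKS + 1):
        tick = current - age
        if (cookie >> 27) != (tick & 0x1F):
            continue
        expected = _hash24(saddr, daddr, sport, dport, tick)
        if hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None        # stale, forged, or replayed under a different 4-tuple


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:51515 -> server 203.0.113.10:443, MSS 1460
    isn = make_cookie("198.51.100.7", "203.0.113.10", 51515, 443, 1460)
    print("SYN-ACK seq =", hex(isn))
    print("valid ACK   ->", check_cookie("198.51.100.7", "203.0.113.10", 51515, 443, isn + 1))
    print("wrong port  ->", check_cookie("198.51.100.7", "203.0.113.10", 51516, 443, isn + 1))
```

The trade-off this illustrates is the one real stacks make: options that do not fit in the ISN (window scaling, SACK) are lost unless they are carried elsewhere, which is why SYN cookies are normally switched on only once the backlog is full rather than for every connection.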
Sort by behavior (application-layer). Layer 7 floods cannot be filtered on packet shape because the requests are valid. Mitigation relies on behavioral analysis, rate limiting per client, challenge mechanisms like CAPTCHAs or JavaScript challenges that bots fail, and a web application firewall tuned to the application's normal request patterns. The defender is profiling behavior, not packets.
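Behavioral sorting of a Layer 7 flood, as an added example that is not code from the article: it replays access-log lines, keeps a per-client sliding window, and combines the request rate with two behavioral signals, concentration on an expensive endpoint and a client that never loads a static asset the way a browser would. Each client ends up with allow, challenge or block. The log lines, the list of expensive paths, the window and the thresholds are constructed assumptions.

```python
"""Layer 7 flood triage from access-log lines.

Added example, not code from the article. Log lines are constructed; the
expensive-endpoint list, window size and request budget are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
EXPENSIVE_PREFIXES = ("/search", "/api/report")      # endpoints that hit the database (assumption)
STATIC_SUFFIXES = (".js", ".css", ".png", ".ico")     # assets a real browser fetches alongside pages


def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["epoch"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return d


class ClientState:
    __slots__ = ("times", "expensive", "static")

    def __init__(self):
        self.times = deque()       # request timestamps inside the sliding window
        self.expensive = deque()   # parallel flags: did the request hit an expensive endpoint?
        self.static = False        # has this client ever fetched a static asset?


def triage(lines, window=10.0, max_requests=30):
    """Replay the log; return {ip: (verdict, requests_in_window, expensive_share)} per client."""
    clients = defaultdict(ClientState)
    verdict = {}
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        c = clients[r["ip"]]
        now = r["epoch"]
        c.times.append(now)
        c.expensive.append(r["path"].startswith(EXPENSIVE_PREFIXES))
        if r["path"].endswith(STATIC_SUFFIXES):
            c.static = True
        while c.times and now - c.times[0] > window:       # slide the window forward
            c.times.popleft()
            c.expensive.popleft()
        n = len(c.times)
        share = sum(c.expensive) / n
        if n > max_requests and share > 0.8:
            v = "block"          # sustained hammering of the expensive endpoint
        elif n > max_requests or (n > max_requests // 2 and not c.static):
            v = "challenge"      # over budget, or browser-unlike pattern: make it prove it runs JS
        else:
            v = "allow"
        verdict[r["ip"]] = (v, n, round(share, 2))
    return verdict


def sample_log():
    """Constructed access log: a browser, a scraper and an HTTP-flood bot, each within 10 seconds.

    Lines are grouped per client rather than interleaved; the window is per client, so order
    across clients does not matter."""
    t0 = datetime(2025, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, sec, path, ua):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
    lines = [line("10.0.0.5", 0, "/", browser), line("10.0.0.5", 0, "/static/app.js", browser),
             line("10.0.0.5", 1, "/static/app.css", browser), line("10.0.0.5", 4, "/search?q=ddos", browser),
             line("10.0.0.5", 7, "/products/42", browser), line("10.0.0.5", 9, "/search?q=botnet", browser)]
    lines += [line("192.0.2.77", i // 2, f"/products/{i}", "curl/8.5.0") for i in range(20)]
    lines += [line("198.51.100.9", i // 4, f"/search?q=x{i}", "python-requests/2.31") for i in range(40)]
    return lines


if __name__ == "__main__":
    for ip, result in triage(sample_log()).items():
        print(ip, result)
```

Note that the bot's requests would pass any packet-level filter: the same decision has to be made from what the client does over time, which is the point the paragraph above makes.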
Network hygiene that shrinks the problem. Several controls cut DDoS risk at the source. Sound network security practice, including egress and ingress filtering, blocks the spoofed source addresses that reflection attacks depend on; if networks did not forward spoofed packets, reflection amplification would not work. Keeping your own devices out of botnets, by patching and killing default credentials, starves the attacks of firepower. And a rehearsed incident response plan, with the scrubbing provider already contracted and the runbook written, is what turns a multi-hour outage into a few minutes.
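The ingress and egress filtering the paragraph above leans on, as an added example that is not code from the article: a source-address validation check in the style of BCP 38 and unicast reverse-path forwarding. Strict mode accepts a packet only if the route back to its source leaves on the interface the packet arrived on, loose mode only requires that some non-default route to the source exists, and the egress check is the mirror image at the customer edge. The forwarding table, interface names and packet sources are constructed.

```python
"""Source-address validation at the network edge (BCP 38 ingress filtering / unicast RPF).

Added example, not code from the article. The forwarding table, interface
names and packet sources are constructed sample data.
"""
import ipaddress

# Constructed FIB: prefix -> interface through which that prefix is reached
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",
    ipaddress.ip_network("198.51.100.0/24"): "cust-b",
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
}
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
# Sources that must never appear on an edge interface (subset of the usual bogon list)
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def lookup(addr, ignore_default=False):
    """Longest-prefix match; returns the egress interface for addr, or None."""
    candidates = [n for n in FIB if addr in n and not (ignore_default and n == DEFAULT)]
    if not candidates:
        return None
    return FIB[max(candidates, key=lambda n: n.prefixlen)]


def ingress_check(ingress_iface, src, mode="strict"):
    """Decide whether a packet with source src arriving on ingress_iface may be forwarded."""
    a = ipaddress.ip_address(src)
    if any(a in b for b in BOGONS):
        return ("drop", "bogon source")
    if mode == "loose":
        # Loose uRPF ignores the default route; with it, every source would "have a route".
        if lookup(a, ignore_default=True) is None:
            return ("drop", "no route to source")
        return ("accept", "route to source exists")
    back = lookup(a)
    if back != ingress_iface:
        return ("drop", f"return path is {back}, packet arrived on {ingress_iface}")
    return ("accept", "source is reachable via ingress interface")


def egress_check(own_prefixes, src):
    """Mirror image at the customer edge: only our own addresses may leave as sources."""
    a = ipaddress.ip_address(src)
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    if any(a in n for n in nets):
        return ("accept", "own source")
    return ("drop", "spoofed source leaving network")


if __name__ == "__main__":
    # A customer on cust-a sending a packet whose source is some other network's address is
    # exactly the spoofed request a reflection attack depends on; strict uRPF drops it here.
    print(ingress_check("cust-a", "192.0.2.10"))
    print(ingress_check("cust-a", "203.0.113.10"))
    print(ingress_check("cust-a", "198.51.100.5", mode="loose"))
    print(egress_check(["192.0.2.0/24"], "203.0.113.10"))
```

Strict mode is the right setting on single-homed customer ports; on multihomed links with asymmetric routing it drops legitimate traffic, which is why loose mode exists and why the choice is made per interface.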
The throughline: identify the category first, then apply the matching layer. Trying to absorb a Layer 7 flood with more bandwidth, or to behaviorally analyze a volumetric flood your pipe cannot even carry, is the common and costly mistake.
Frequently Asked Questions
What is a DDoS attack in simple terms?
A DDoS, or distributed denial-of-service, attack floods a website or service with traffic from thousands of compromised machines at the same time until it can no longer serve legitimate users. The machines are usually part of a botnet controlled by one attacker. Because the traffic comes from so many sources at once, there is no single address to block, which is what makes it harder to stop than a single-source attack.
What is the difference between a DoS and a DDoS attack?
A denial-of-service (DoS) attack comes from a single source, so a defender can usually block it with one firewall rule. A distributed denial-of-service (DDoS) attack comes from many sources at once, typically a botnet of thousands of hijacked devices, so the aggregate volume is far larger and no single block stops it. The distributed nature also lets the attacker hide among legitimate-looking traffic.
What are the three types of DDoS attacks?
DDoS attacks fall into three categories by the layer they target. Volumetric attacks saturate bandwidth and are measured in bits per second, often using reflection and amplification. Protocol or state-exhaustion attacks like SYN floods exhaust connection tables and are measured in packets per second. Application-layer (Layer 7) attacks like HTTP floods overwhelm the web app with valid-looking requests and are measured in requests per second.
What was the largest DDoS attack ever recorded?
As of mid-2026 the largest publicly disclosed DDoS attack is a 31.4 terabits-per-second flood that Cloudflare mitigated, disclosed in its Q4 2025 threat report. Bandwidth records have escalated quickly, from GitHub's 1.35 Tbps memcached attack in 2018 and AWS's 2.3 Tbps CLDAP attack in 2020 to multi-terabit attacks driven by large botnets of compromised consumer devices.
How do you stop a DDoS attack?
You stop a DDoS attack by first identifying its category, then applying the matching defense. Volumetric floods are absorbed and scrubbed upstream by a provider or CDN with enough capacity. Protocol floods like SYN floods are countered with SYN cookies and stateful filtering. Application-layer floods are sorted by behavioral analysis, rate limiting, and a web application firewall, because the requests themselves look legitimate.
What is a reflection and amplification DDoS attack?
In a reflection-amplification attack the attacker sends small requests to misconfigured third-party servers while spoofing the victim's IP address as the sender, so the servers send their much larger responses to the victim. DNS, NTP, and CLDAP servers are common amplifiers, and memcached can amplify a request up to roughly 51,000 times, which is how the 2018 GitHub attack reached 1.35 Tbps. Blocking spoofed source addresses upstream is the core countermeasure.
Can a single firewall stop a DDoS attack?
Usually not. A volumetric DDoS attack fills the internet uplink before traffic ever reaches the firewall, so the firewall is already cut off from the internet by the time it could act. Protocol and application-layer attacks can overwhelm the firewall's own connection-tracking resources. Effective DDoS defense relies on upstream scrubbing and capacity, behavioral filtering, and protocol-level protections rather than a single edge device.
The bottom line
A DDoS attack makes a service unavailable by flooding it from many sources at once, almost always a botnet, so that there is no single address to block and attack traffic hides among real users. The attack falls into one of three categories, and the category is the first thing to identify: volumetric floods saturate bandwidth and are measured in bits per second, protocol floods exhaust connection state and are measured in packets per second, and application-layer floods overwhelm the app with valid-looking requests measured in requests per second.
The defense follows the category. Absorb and scrub volume upstream, because your own pipe cannot carry it. Counter state exhaustion at the protocol level with SYN cookies and stateful filtering. Sort application floods by behavior, because the packets look fine. Underneath all of it, block spoofed source addresses, keep your own devices out of botnets, and rehearse the response before the flood arrives. The records keep climbing, now past 31 Tbps, but the response model does not change: name the category, then fight it at its layer.