
DDoS Attacks Explained: How They Work and How to Protect Yourself
In October 2016, a massive cyberattack took down Twitter, Netflix, Reddit, and dozens of other major websites for hours. The attack did not exploit a software vulnerability or steal passwords. Instead, it simply overwhelmed the infrastructure with so much traffic that legitimate users could not get through. This was a Distributed Denial of Service attack, commonly known as a DDoS attack, and it remains one of the most disruptive and difficult-to-prevent threats on the internet today.
Whether you run a personal website, manage business infrastructure, or simply want to understand the threats to your online experience, this guide will explain exactly how DDoS attacks work, the different types, real-world examples, and most importantly, what you can do to protect yourself.
What Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by flooding it with traffic from multiple sources. The key word is "distributed." Unlike a simple Denial of Service (DoS) attack that comes from a single source, a DDoS attack uses hundreds, thousands, or even millions of compromised devices to generate traffic simultaneously.
The goal is not to break into a system or steal data. The goal is to overwhelm the target's resources, whether that is bandwidth, server processing power, or application capacity, so that legitimate users cannot access the service.
Think of it like a store. If one person stands in the doorway blocking entry, that is a DoS attack and relatively easy to handle. But if ten thousand people flood the parking lot, clog every entrance, and jam the phone lines, that is a DDoS attack. Even though no one is stealing anything, the store cannot function.
Attackers typically build or rent botnets, which are networks of compromised computers, IoT devices, routers, and other internet-connected devices that have been infected with malware. The device owners usually have no idea their equipment is being used in an attack. When the attacker issues the command, every device in the botnet sends traffic to the target simultaneously.
You can check whether your own IP is associated with any known malicious activity using our Blacklist Check tool. If your devices have been compromised and used in a botnet, your IP may appear on security blacklists.
The Three Types of DDoS Attacks
DDoS attacks are generally classified into three categories based on which layer of the network they target. Understanding these categories is essential for choosing the right defense strategy.
Volumetric Attacks
Volumetric attacks are the most common type and the easiest to understand. Their goal is simple: consume all available bandwidth between the target and the rest of the internet.
These attacks generate massive amounts of traffic, often measured in hundreds of gigabits per second or even terabits per second in extreme cases. Common techniques include:
UDP Flood: The attacker sends a massive number of User Datagram Protocol packets to random ports on the target server. The server checks for applications listening on each port, finds none, and sends back an ICMP "Destination Unreachable" packet. Processing this flood of packets and responses consumes all available bandwidth and processing power.
DNS Amplification: The attacker sends small DNS queries to open DNS resolvers with the source address spoofed to be the target's IP. The DNS resolvers send their responses, which are much larger than the queries, to the target. A 60-byte query can generate a 4,000-byte response, amplifying the attack traffic by a factor of 70.
NTP Amplification: Similar to DNS amplification but exploits the Network Time Protocol's monlist command. A small request can generate a response up to 200 times larger, directed at the target.
Protocol Attacks
Protocol attacks exploit weaknesses in network protocols, particularly at layers 3 and 4 of the OSI model. Rather than flooding with raw bandwidth, they consume the processing capacity of network infrastructure like firewalls, load balancers, and servers.
SYN Flood: This exploits the TCP three-way handshake. The attacker sends a flood of SYN (synchronization) packets with spoofed source addresses. The target responds to each with a SYN-ACK and waits for the final ACK that never comes. Each half-open connection consumes resources on the server, and eventually the connection table fills up, preventing legitimate users from connecting.
Ping of Death: The attacker sends malformed or oversized ping packets that cause the target system to crash or freeze. Modern systems are largely patched against this, but variations still appear.
Smurf Attack: The attacker sends ICMP echo requests to a network's broadcast address with the source IP spoofed to be the target. Every device on the network responds to the target, amplifying the attack.
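The SYN flood described above leaves a recognisable footprint on the victim: a connection table full of half-open sockets, almost all from peers that never complete the handshake. The script below is an added example (not code from the original article) that reads a snapshot in the format printed by the Linux `ss -tan` command and applies three simple signals to decide whether a flood is in progress. The snapshot is constructed inline, and the thresholds are assumptions you would tune for a given host.

```python
"""Flag a possible SYN flood from a snapshot of the TCP connection table.

Added example, not code from the original article. It assumes the input is
the text printed by `ss -tan` on Linux (one socket per line with the columns
State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port). The snapshot
below is constructed for illustration.
"""
from collections import Counter


def build_sample_snapshot(n_half_open: int = 40) -> str:
    """Constructed `ss -tan` output: a few normal sessions plus a burst of
    half-open (SYN-RECV) sockets, each from a different peer, as a flood with
    spoofed sources would leave behind."""
    header = "State     Recv-Q Send-Q Local Address:Port   Peer Address:Port"
    rows = [
        "ESTAB     0      0      10.0.0.5:443         192.0.2.10:51234",
        "ESTAB     0      0      10.0.0.5:443         192.0.2.11:40022",
        "ESTAB     0      0      10.0.0.5:22          192.0.2.12:55610",
    ]
    for i in range(n_half_open):
        peer = f"203.0.113.{i % 254 + 1}:{1024 + i}"
        rows.append(f"SYN-RECV  0      0      10.0.0.5:443         {peer}")
    return "\n".join([header] + rows) + "\n"


def parse_ss_line(line: str):
    """Return (state, local_ip, local_port, peer_ip), or None for header/blank lines."""
    parts = line.split()
    if len(parts) < 5 or parts[0] == "State":
        return None
    state, local, peer = parts[0], parts[3], parts[4]
    local_ip, local_port = local.rsplit(":", 1)
    peer_ip, _ = peer.rsplit(":", 1)
    return state, local_ip, int(local_port), peer_ip


def half_open_summary(snapshot: str) -> dict:
    """Count half-open sockets per local port, distinct peers, and established sessions."""
    per_port = Counter()
    peers = set()
    established = 0
    for line in snapshot.splitlines():
        rec = parse_ss_line(line)
        if rec is None:
            continue
        state, _, local_port, peer_ip = rec
        if state == "SYN-RECV":
            per_port[local_port] += 1
            peers.add(peer_ip)
        elif state == "ESTAB":
            established += 1
    return {
        "half_open": sum(per_port.values()),
        "established": established,
        "distinct_peers": len(peers),
        "per_port": dict(per_port),
    }


def looks_like_syn_flood(summary: dict, min_half_open: int = 32,
                         min_ratio: float = 5.0, min_peer_fraction: float = 0.9) -> bool:
    """Three signals taken together (thresholds are assumptions to tune per host):
    many half-open sockets, far more half-open than established sessions, and
    almost every half-open socket coming from a distinct peer, which is what
    spoofed sources look like."""
    half_open = summary["half_open"]
    if half_open < min_half_open:
        return False
    if half_open / max(summary["established"], 1) < min_ratio:
        return False
    return summary["distinct_peers"] / half_open >= min_peer_fraction


if __name__ == "__main__":
    summary = half_open_summary(build_sample_snapshot())
    print(summary)
    print("possible SYN flood:", looks_like_syn_flood(summary))
```

On a real host you would feed it `ss -tan state syn-recv` output taken at intervals, since a single snapshot cannot distinguish a flood from a brief burst of slow clients. The standard kernel-side mitigation on Linux is SYN cookies (the `net.ipv4.tcp_syncookies` sysctl), which let the server answer SYNs without keeping per-connection state until the final ACK arrives.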
Application Layer Attacks
Application layer attacks (Layer 7) are the most sophisticated and hardest to detect. They target the application itself, sending requests that appear legitimate but are designed to exhaust server resources.
HTTP Flood: The attacker sends what appear to be legitimate HTTP GET or POST requests at extremely high rates. Because each request looks normal, they are difficult to distinguish from real user traffic. The server must process each request, querying databases, generating pages, and consuming CPU and memory.
Slowloris: Instead of flooding with volume, Slowloris opens many connections to the target server and keeps them open as long as possible by sending partial HTTP requests. The server keeps each connection open waiting for the request to complete, eventually exhausting its connection pool so no new legitimate connections can be established.
Application-Specific Attacks: Attackers identify resource-intensive operations on the target application, such as complex search queries, large file downloads, or API calls that trigger heavy database operations, and flood the server with these specific requests.
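Because each request in an HTTP flood or application-specific attack looks valid on its own, detection has to work on patterns across many requests: how fast a single client is sending, and how heavily it concentrates on the expensive endpoints. The script below is an added example, not code from the original article, that reads web server access logs in the Common Log Format (the Combined format adds referrer and user agent fields, which the pattern simply ignores), measures each client's peak request rate over a sliding window, and reports the share of its requests hitting a set of expensive paths. The log lines and the list of expensive paths are constructed assumptions.

```python
"""Spot HTTP-flood and application-specific abuse in an access log.

Added example, not code from the original article. It assumes Common Log
Format lines as written by Apache and nginx; the sample log is constructed,
and EXPENSIVE_PREFIXES is an assumption to tailor to your own application.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
EXPENSIVE_PREFIXES = ("/search", "/api/report", "/export")   # assumption


def log_line(ip, when, method, path, status, size):
    """Render one Common-Log-Format line (used only to build constructed test data)."""
    return f'{ip} - - [{when.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" {status} {size}'


def build_sample_log():
    """Constructed log: two ordinary visitors and one client hammering /search."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):                         # visitor browsing a few static pages
        path = "/index.html" if i % 2 else "/about"
        lines.append(log_line("192.0.2.10", base + timedelta(seconds=9 * i), "GET", path, 200, 5120))
    pages = ["/", "/search?q=shoes", "/product/42", "/search?q=boots", "/cart"]
    for i, path in enumerate(pages):           # visitor who uses search as a human would
        lines.append(log_line("192.0.2.11", base + timedelta(seconds=15 * i), "GET", path, 200, 8000))
    for i in range(200):                       # 20 requests/second to the expensive endpoint
        when = base + timedelta(milliseconds=50 * i)   # log keeps second resolution
        lines.append(log_line("203.0.113.50", when, "GET", f"/search?q=term{i}", 200, 40000))
    return lines


def peak_in_window(times, window):
    """Largest number of timestamps falling inside any span of length `window`."""
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, window=timedelta(seconds=10), rate_threshold=50,
            expensive_share=0.8, min_requests=20):
    """Per-client peak rate and expensive-endpoint share; thresholds are assumptions."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # skip lines that do not parse
        when = datetime.strptime(m["ts"], TS_FORMAT)
        path = m["path"].split("?", 1)[0]      # drop the query string
        by_ip[m["ip"]].append((when, path))
    report = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        peak = peak_in_window([t for t, _ in reqs], window)
        expensive = sum(1 for _, p in reqs if p.startswith(EXPENSIVE_PREFIXES))
        share = expensive / len(reqs)
        report[ip] = {
            "requests": len(reqs),
            "peak_per_window": peak,
            "expensive_share": share,
            # flagged on raw rate, or on heavy concentration on expensive paths
            "suspicious": peak >= rate_threshold
            or (len(reqs) >= min_requests and share >= expensive_share),
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(build_sample_log()).items():
        print(ip, info)
```

The second visitor uses search twice and is not flagged, which is the point of combining a minimum request count with the share test: a rule that looked only at expensive paths would generate false positives on ordinary users. In production the same logic runs continuously on the live log stream, and the flagged clients feed a rate limiter or a temporary block list rather than a printout.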
Real-World DDoS Attack Examples
The Mirai Botnet (2016)
The attack mentioned at the beginning of this article was powered by the Mirai botnet, which exploited IoT devices with default passwords. Security cameras, DVRs, routers, and other devices were hijacked and used to generate a 1.2 Tbps attack against Dyn, a major DNS provider. When Dyn went down, every website depending on their DNS service became unreachable.
GitHub (2018)
In February 2018, GitHub was hit with the largest DDoS attack recorded at the time: 1.35 Tbps. The attack used memcached amplification, a technique where small requests to misconfigured memcached servers generate enormous responses directed at the target. GitHub's traffic went from normal to 1.35 Tbps in less than 10 minutes. Their DDoS mitigation service, Akamai Prolexic, absorbed the attack and had GitHub back online within 20 minutes.
Amazon Web Services (2020)
AWS reported mitigating a 2.3 Tbps DDoS attack in February 2020, the largest volumetric attack ever recorded at the time. The attack used CLDAP (Connection-less Lightweight Directory Access Protocol) reflection, a technique that can amplify traffic by up to 70 times.
Google (2023)
Google disclosed that it mitigated the largest Layer 7 DDoS attack ever recorded, peaking at 398 million requests per second. The attack used a novel HTTP/2 Rapid Reset technique, which exploited a zero-day vulnerability in the HTTP/2 protocol. This single attack generated more requests per second than the total number of article views reported by Wikipedia for the entire month of September 2023.
How DDoS Attacks Affect You
Even if you do not run a website or server, DDoS attacks can impact your daily internet experience:
Service outages: When major platforms, DNS providers, or cloud services are attacked, the websites and apps you use every day may become unavailable.
Gaming disruptions: Online gaming is frequently targeted by DDoS attacks. Players may experience lag, disconnections, or complete inability to connect to game servers.
IP targeting: In some cases, individual users can be targeted. If someone obtains your IP address (through peer-to-peer connections, voice chat, or other means), they can direct a DDoS attack at your home connection. You can check your current public IP at our My IP page and take steps to protect it.
How to Protect Yourself
For Individual Users
Use a VPN. A VPN masks your real IP address, making it nearly impossible for attackers to target you directly. When you connect through a VPN, attackers can only see the VPN server's IP, not yours. We recommend NordVPN for reliable DDoS protection with their dedicated IP and advanced threat protection features. After connecting, use our VPN Leak Test to verify your real IP is hidden.
Keep your IP private. Be cautious about peer-to-peer connections, direct voice chat in games, and any service that exposes your IP to other users. Use our My IP tool to check what information is visible about your connection.
Secure your devices. Update firmware on your router, security cameras, smart home devices, and other IoT equipment. Change default passwords immediately. Disable remote management features you do not use. An unsecured device on your network could become part of a botnet.
Monitor your connection. If you experience sudden, unexplained connectivity problems, especially during online gaming or after a dispute with someone online, you may be the target of a small-scale DDoS. Restarting your router may assign you a new IP address from your ISP, stopping the attack. You can verify your connection performance with our Speed Test.
For Website Owners and Businesses
Use a CDN with DDoS protection. Services like Cloudflare, AWS Shield, and Akamai absorb and filter DDoS traffic before it reaches your origin server. Cloudflare's free tier includes basic DDoS protection, and their Pro and Business plans offer more advanced mitigation.
Implement rate limiting. Configure your web server and application to limit the number of requests any single IP can make within a given time period. This helps mitigate application layer attacks.
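A common way to implement the per-client limit just described is a token bucket: each client gets a bucket that refills at the sustained rate you allow and holds at most a burst's worth of tokens, and every request spends one token or is rejected. The code below is an added example, not code from the original article or from any product it names. It keeps time in integer milliseconds and tokens in thousandths so the arithmetic is exact, and it runs a constructed request stream (one polite client and one flooding client) through the limiter to show how the flood is clipped to the sustained rate.

```python
"""Per-client token-bucket rate limiter, as used to blunt HTTP floods.

Added example, not code from the original article or from any product it
names. The limits (10 requests/second sustained, burst of 20) and the request
stream are constructed assumptions; time is passed in explicitly so the run is
deterministic.
"""


class TokenBucketLimiter:
    def __init__(self, rate_per_sec: int = 10, burst: int = 20):
        # tokens/second equals millitokens/millisecond, so no conversion is needed
        self.rate_per_ms = rate_per_sec
        self.capacity = burst * 1000          # bucket size in millitokens
        self.buckets = {}                     # client -> (millitokens, last_seen_ms)

    def allow(self, client: str, now_ms: int) -> bool:
        """Spend one token for `client`; False means reject (typically HTTP 429)."""
        tokens, last = self.buckets.get(client, (self.capacity, now_ms))
        tokens = min(self.capacity, tokens + (now_ms - last) * self.rate_per_ms)
        if tokens >= 1000:
            self.buckets[client] = (tokens - 1000, now_ms)
            return True
        self.buckets[client] = (tokens, now_ms)
        return False


def build_sample_stream():
    """Constructed traffic: (timestamp_ms, client_ip) pairs."""
    stream = []
    for i in range(30):                       # well-behaved client: 1 request/second for 30 s
        stream.append((i * 1000, "192.0.2.10"))
    for k in range(500):                      # flooding client: 100 requests/second for 5 s
        stream.append((k * 10, "203.0.113.50"))
    return stream


def simulate(stream, rate_per_sec: int = 10, burst: int = 20):
    """Replay the stream in time order; return {client: (allowed, denied)}."""
    limiter = TokenBucketLimiter(rate_per_sec, burst)
    tally = {}
    for now_ms, client in sorted(stream):
        allowed, denied = tally.get(client, (0, 0))
        if limiter.allow(client, now_ms):
            allowed += 1
        else:
            denied += 1
        tally[client] = (allowed, denied)
    return tally


if __name__ == "__main__":
    for client, (ok, rejected) in simulate(build_sample_stream()).items():
        print(f"{client}: allowed={ok} denied={rejected}")
```

The flooding client gets through with its initial burst of 20 plus roughly 10 per second for the rest of its run, about 69 of 500 requests, while the polite client is never touched. Web servers ship equivalent logic (nginx's `limit_req_zone` and `limit_req` directives, for instance), so in practice you configure rather than write it. Keep in mind the limitation the article itself raises: a per-IP limit blunts a single aggressive client or a small botnet, but a large distributed flood spreads its requests so thinly that each source stays under the limit, which is why CDN-level mitigation remains the first line of defence.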
Overprovision bandwidth. While you cannot outspend a large-scale DDoS attack, having more bandwidth than your normal traffic requires gives you a buffer to absorb smaller attacks without going down.
Configure firewalls and access control lists. Block traffic from known malicious IP ranges. Filter out traffic patterns that match common DDoS signatures. Use geo-blocking if your service does not need to be accessible from certain regions.
Have an incident response plan. Know who to contact, what steps to take, and how to communicate with users if an attack happens. The first minutes of an attack are critical, and having a plan prevents panic-driven mistakes.
Monitor your IP reputation. Use our Blacklist Check tool regularly to ensure your server IP has not been compromised and added to security blacklists, which could indicate your server is participating in attacks on others.
What to Do If You Are Under Attack
If you believe you are currently experiencing a DDoS attack, take these immediate steps:
- Do not panic. Most DDoS attacks are short-lived, lasting minutes to hours rather than days.
- Contact your hosting provider or ISP. They may be able to implement upstream filtering to block attack traffic before it reaches your network. Many hosting providers have DDoS mitigation capabilities they can activate on request.
- Enable or upgrade DDoS protection. If you have a CDN or DDoS mitigation service, make sure it is active and configured correctly. If you do not have one, services like Cloudflare can be activated relatively quickly even during an attack.
- Document everything. Record timestamps, traffic volumes, source patterns, and any communications. This information is valuable for post-attack analysis and potentially for law enforcement if you decide to report the attack.
- Do not pay ransoms. Some DDoS attacks come with ransom demands (known as RDoS or Ransom DDoS). Paying does not guarantee the attack will stop and often encourages further attacks.
- Report the attack. In many jurisdictions, DDoS attacks are illegal. Report significant attacks to law enforcement, your ISP, and relevant industry organizations.
The Legal Reality
DDoS attacks are illegal in most countries. In the United States, they violate the Computer Fraud and Abuse Act and can result in prison sentences of up to 10 years. In the UK, they fall under the Computer Misuse Act. The European Union's Directive on Attacks Against Information Systems also criminalizes DDoS attacks.
Despite this, DDoS attacks continue to grow in frequency and scale. The barrier to entry is extremely low because "DDoS-for-hire" or "booter" services are readily available, allowing anyone to launch an attack for as little as a few dollars. Law enforcement agencies actively pursue both the operators of these services and their customers.
Frequently Asked Questions
Can a VPN protect me from a DDoS attack?
Yes, a VPN is one of the most effective protections for individual users. By masking your real IP address, a VPN prevents attackers from targeting your connection directly. They can only attack the VPN server, which is built to handle massive traffic volumes. NordVPN offers dedicated DDoS protection features along with their standard privacy benefits. Use our VPN Leak Test after connecting to make sure your real IP is fully hidden.
How can someone get my IP address to DDoS me?
There are several ways attackers can discover your IP address. Peer-to-peer connections in gaming and torrenting directly expose your IP. Some messaging platforms, especially older ones, reveal IP addresses in direct calls. Clicking on specially crafted links can log your IP. Even email headers can contain your IP in some cases. Check what is visible about your connection at our My IP page.
How long do DDoS attacks typically last?
Most DDoS attacks last between a few minutes and several hours. According to security research, the majority of attacks last less than one hour. However, sophisticated attackers may launch sustained campaigns that last days or even weeks, with periodic bursts of activity. The duration often depends on the attacker's motivation and resources.
Can my home router be used in a DDoS attack without my knowledge?
Yes, this is exactly how botnets work. If your router, security camera, smart TV, or any other internet-connected device has a weak password or unpatched vulnerability, it can be hijacked and used to attack others. The Mirai botnet compromised over 600,000 IoT devices this way. Always change default passwords, keep firmware updated, and check if your IP appears on any blacklists with our Blacklist Check.
What is the difference between a DoS and a DDoS attack?
A DoS (Denial of Service) attack comes from a single source, one computer or server sending malicious traffic to a target. A DDoS (Distributed Denial of Service) attack comes from many sources simultaneously, typically a botnet of thousands or millions of compromised devices. DDoS attacks are far more powerful and difficult to mitigate because you cannot simply block a single IP address. The distributed nature means traffic comes from legitimate-looking sources all over the world.
Key Takeaways
- DDoS attacks overwhelm targets with traffic from thousands or millions of compromised devices
- Three main types exist: volumetric (bandwidth flooding), protocol (infrastructure exploitation), and application layer (resource exhaustion)
- Individual users can protect themselves with a VPN like NordVPN and by keeping their IP private
- Website owners should use CDNs with DDoS protection, rate limiting, and incident response plans
- Check your IP exposure with My IP and verify VPN protection with VPN Leak Test
- Monitor your IP reputation with Blacklist Check to ensure your devices are not part of a botnet
- Test your connection health with Speed Test if you suspect an attack
- DDoS attacks are illegal in most countries but remain widespread due to low-cost booter services
WhatIsMyLocation Team
Our team of network engineers and web developers builds and maintains 25+ free networking and location tools used by thousands of users every month. Every article is reviewed for technical accuracy using real-world testing with our own tools.