A distributed denial-of-service (DDoS) attack is when an attacker floods your website, server or network with so much traffic that it becomes too overwhelmed to respond to real visitors. The site slows to a crawl or goes offline entirely. No data is stolen — the goal is simply to make your service unavailable.
"Distributed" means the traffic comes from thousands of different sources simultaneously — often a botnet of compromised devices spread across the globe — making it very hard to simply block a single IP address.
How a DDoS attack works
Your web server has finite capacity: it can handle a certain number of simultaneous connections, process a certain number of requests per second, and move a certain amount of data per second. An attacker exploits this by sending far more traffic than your infrastructure can handle.
The traffic comes from a botnet — a network of thousands of compromised computers, routers, IoT devices and cloud servers, all under the attacker's remote control. Each device sends what looks like a legitimate request. Your server can't tell the bots from real users, so it tries to respond to all of them and eventually runs out of resources. Real visitors get timeouts or errors.
The main types of DDoS attack
- Volumetric attacks — brute-force bandwidth flooding. The attacker generates so many gigabits per second of traffic that your upstream link is saturated before requests even reach your server. UDP flood and DNS amplification are the classic examples. These require a large botnet or traffic amplification.
- Protocol attacks (state-exhaustion) — exploit weaknesses in network protocol handling. A SYN flood, for example, sends thousands of TCP connection requests that the attacker never completes. Your server reserves memory for each half-open connection, which exhausts its connection table.
- Application-layer attacks (Layer 7) — the most targeted type. Requests look like legitimate HTTP traffic but target expensive operations: search queries, login pages, checkout flows, API endpoints. A relatively small number of requests can overwhelm a poorly optimised endpoint. These are the hardest attacks to distinguish from legitimate traffic.
Who gets targeted?
DDoS attacks used to be reserved for large targets — banks, governments, gaming companies. Today, attack tools are cheap to rent (DDoS-for-hire services charge as little as a few dollars per hour) and small businesses are increasingly targeted. Common motivations:
- Competitors trying to knock a rival offline during a sale or event
- Extortion — attackers demand payment to stop the attack
- Hacktivism or protest
- Covering tracks while a separate intrusion happens elsewhere
- Opportunistic disruption (bots scanning for easy targets)
How to protect your site from DDoS attacks
1. Use a CDN with DDoS protection (the single most effective step)
Services like Cloudflare, AWS CloudFront and Fastly sit between the internet and your origin server. They absorb volumetric traffic across their global networks — which have capacity measured in terabits per second, orders of magnitude more than any small business's hosting — and only forward clean traffic to you. Cloudflare's free plan includes basic DDoS mitigation. This is the most impactful control for a small business and requires only a DNS change.
2. Use a WAF
A web application firewall blocks malicious application-layer traffic before it reaches your server. Rate limiting rules (block IPs making more than N requests per second) neutralise most Layer 7 attacks.
3. Rate limiting and IP reputation
Configure rate limits on expensive endpoints (login, search, contact forms). Block known malicious IP ranges. Many WAF and CDN providers maintain real-time threat intelligence to do this automatically.
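The per-endpoint rate limit described in steps 2 and 3, sketched in Python as an added example (not code from any CDN or WAF product). The endpoint paths, the limits and the `SlidingWindowLimiter` name are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Assumed limits per expensive endpoint: (max requests, window in seconds).
LIMITS = {"/login": (5, 60), "/search": (30, 60), "/contact": (3, 300)}
DEFAULT_LIMIT = (120, 60)  # everything else, counted together per client


class SlidingWindowLimiter:
    """Per-client, per-endpoint sliding-window limiter held in process memory."""

    def __init__(self, limits=LIMITS, default=DEFAULT_LIMIT, clock=time.monotonic):
        self.limits, self.default, self.clock = limits, default, clock
        self.hits = defaultdict(deque)  # (client_ip, bucket) -> allowed-request times

    def allow(self, client_ip, path):
        """Return (allowed, retry_after_seconds) for one incoming request."""
        max_requests, window = self.limits.get(path, self.default)
        bucket = path if path in self.limits else "*"
        now = self.clock()
        q = self.hits[(client_ip, bucket)]
        while q and now - q[0] >= window:  # expire entries older than the window
            q.popleft()
        if len(q) >= max_requests:
            # Rejected requests are not recorded, so a blocked client recovers
            # as soon as its oldest counted request ages out.
            return False, window - (now - q[0])
        q.append(now)
        return True, 0.0

    def prune(self):
        """Drop idle clients so a flood of distinct sources cannot grow memory forever."""
        now = self.clock()
        longest = max([w for _, w in self.limits.values()] + [self.default[1]])
        for key in [k for k, q in self.hits.items() if not q or now - q[-1] >= longest]:
            del self.hits[key]
```

The state here lives in one process, so a site running several workers or servers needs the counters in a shared store or enforced at the proxy, WAF or CDN in front of them.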
4. Harden your infrastructure
Keep your software updated, disable unused services, and make sure your server can't be reached directly if you're behind a CDN (so attackers can't bypass your protection by hitting your origin IP directly).
5. Have a response plan
Know your hosting provider's DDoS response process before you need it. Check whether your plan includes any mitigation — cheap shared hosting often doesn't. Know how to quickly enable additional protections (e.g. Cloudflare's "Under Attack" mode) without panicking.
DDoS vs DoS
A DoS (denial-of-service) attack comes from a single source. Blocking that IP ends it. A DDoS comes from thousands of sources simultaneously — you can't block your way out of it. Modern attacks are almost always DDoS.
What DDoS protection doesn't cover
DDoS mitigation protects availability, not the security of your data or code. A site behind Cloudflare can still be attacked via SQL injection, have its email spoofed or expose sensitive DNS records. DDoS protection is one layer — not a substitute for a full security posture check.
FAQ
Can I stop a DDoS attack myself without a CDN?
For small volumetric attacks, firewall rules and rate limits at the server level can help. For anything beyond a few gigabits per second, your upstream bandwidth is saturated before packets reach your server — there's nothing to block. You need a service with enough upstream capacity to absorb the traffic.
How long do DDoS attacks last?
Attacks range from minutes to weeks. Short bursts are common for testing defences or extortion pressure. Prolonged attacks are expensive for the attacker and typically reserved for high-value targets.
Is a slow website always a DDoS?
No — far more often it's a hosting, code or configuration problem. Check your server resources and logs first. A DDoS will usually show an obvious spike in traffic from many sources.
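One way to run the log check described above, as an added example rather than part of the original article: it buckets access-log lines by minute and separates a spike from many sources from a spike caused by a few noisy clients. The log lines are constructed, the function names are hypothetical, and it assumes the log window is mostly normal traffic so the median minute is a fair baseline.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Leading fields of the common/combined access-log format: client IP and timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def per_minute_stats(lines):
    """Return {minute: (request_count, unique_source_count)}, skipping bad lines."""
    sources = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        sources[ts.replace(second=0)].append(m.group(1))
    return {k: (len(v), len(set(v))) for k, v in sorted(sources.items())}

def classify_spikes(stats, factor=5.0):
    """Label minutes whose request count is at least factor x the median minute."""
    if not stats:
        return {}
    base_reqs = median(r for r, _ in stats.values())
    base_srcs = median(s for _, s in stats.values())
    flagged = {}
    for minute, (reqs, srcs) in stats.items():
        if reqs < factor * base_reqs:
            continue  # normal load: look at hosting, code or configuration instead
        many = srcs >= factor * base_srcs
        flagged[minute.strftime("%H:%M")] = "many-source spike" if many else "few-source spike"
    return flagged

def build_sample():
    """Constructed log: quiet baseline, one noisy client, then a many-source spike."""
    fmt = '{ip} - - [12/Mar/2024:10:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for m in range(10):  # baseline: 4 requests from 4 sources per minute
        lines += [fmt.format(ip=f"192.0.2.{i}", m=m, s=i, path="/") for i in range(1, 5)]
    lines += [fmt.format(ip="198.51.100.9", m=10, s=i % 60, path="/search") for i in range(100)]
    lines += [fmt.format(ip=f"203.0.113.{i}", m=11, s=i % 60, path="/search") for i in range(1, 151)]
    return lines
```

A "few-source spike" is the case a per-IP rate limit or block handles on its own; a "many-source spike" is the pattern the answer above describes.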