Skip to main content
Explainer · security

What is a DDoS attack? (Distributed Denial of Service, explained)

A DDoS attack overwhelms a website or service with traffic from many sources at once, so real users can't get through. This guide explains how it works at a conceptual level, why it's so hard to stop — and, more usefully, how sites actually defend themselves and stay online.

What “DDoS” actually means

DDoS stands for Distributed Denial of Service. The goal is right there in the name: deny a service to the people who are supposed to use it. Instead of breaking in or stealing data, a DDoS attack simply tries to make a website, game server, API, or network so overwhelmed that legitimate requests can't get through. The site isn't hacked in the classic sense — it's drowned out.

The key word is distributed. A plain denial-of-service (DoS) attack comes from a single machine, which makes it relatively easy to identify and block: you see one source sending far too much traffic and you cut it off. A distributed attack comes from many sources at once — often thousands or hundreds of thousands of them — so there is no single address to blame, the traffic appears to arrive from all over the world, and the combined firepower is far larger than any one machine could produce.

Where the flood comes from: botnets

The “many sources” in a DDoS attack are usually a botnet — a collection of internet-connected devices that have been quietly compromised and can be directed to send traffic on command. These are often ordinary machines whose owners have no idea they're participating: home routers, IP cameras, DVRs, and other cheap Internet-of-Things gadgets with weak or default passwords. Because the traffic comes from huge numbers of real, scattered devices, it blends into normal internet background noise and can't be filtered by blocking one country or network. That is the heart of why DDoS is hard — and this guide explains how it works so you can defend against it, not launch one.

The general categories of DDoS attack

DDoS attacks are usually grouped by what part of the system they try to exhaust. To defend a site you don't need to know how to run any of them — only what each one targets.

Volumetric attacks — saturating the pipe

The most intuitive category. A volumetric attack simply sends more raw traffic than the target's connection can carry, measured in gigabits or terabits per second. Picture a four-lane highway asked to carry the traffic of forty lanes — nothing gets through, not because any single car is malicious but because the road is full. Bandwidth is the resource being exhausted, and legitimate packets are lost in the crush.

Protocol / state-exhaustion attacks — filling the tables

These target the machinery that tracks connections rather than the bandwidth itself. A classic example is the SYN flood: opening a TCP connection involves a short handshake, and the server sets aside a little memory for each half-open connection while it waits. An attacker sends a torrent of connection openings that are never completed, and the server's connection table fills with these dangling entries until it has no room for real users. Firewalls, load balancers, and servers all keep such state, and any of them can be the bottleneck that gets exhausted.

Application-layer attacks — expensive requests

The subtlest category. Instead of brute volume, these send requests that look perfectly legitimate but are individually expensive to answer — a complex search query, a page that triggers heavy database work, a login endpoint that runs slow password hashing. A modest number can tie up an application while the raw traffic volume stays low enough to slip past bandwidth-based defenses. Because each request resembles a real one, telling attacker from customer is genuinely hard.

Why DDoS attacks are so hard to stop

Several properties combine to make distributed attacks stubborn:

How sites actually defend against DDoS

The reassuring part: defending against DDoS is a mature discipline, and most of it is handled by putting the right infrastructure in front of your service. The guiding principle is to never make your origin server absorb the flood directly.

What a normal person or small site owner should do

You don't need an enterprise budget to be well protected. The practical checklist is short:

  1. Put a CDN or DDoS-protection provider in front of your site. The free tiers of the major providers already include meaningful DDoS mitigation, and this single step handles the large majority of what a hobby or small-business site will ever face.
  2. Don't expose your origin IP. If attackers discover the real address of the server behind your CDN, they can aim the flood straight at it and bypass your protection entirely. Keep the origin hidden, and lock it down so it only accepts traffic from your protection provider.
  3. Apply rate limiting. Even a simple per-IP cap makes application-layer attacks far less effective and protects expensive endpoints like search and login — again, see rate limiting by IP. And learn your host's DDoS-response options before an attack, not during one.

DDoS is about availability, not theft

Keep the threat in perspective. A DDoS attack targets the availability of a service — its ability to answer at all — rather than the confidentiality of its data. Nothing is necessarily stolen; the harm is downtime, lost revenue, and frustrated users. That's different from an attack that reroutes traffic entirely, such as BGP hijacking, or one that aims to steal data. Knowing which kind of threat you're facing is the first step to the right defense.

Frequently asked questions

What is the difference between a DoS and a DDoS attack?

A denial-of-service (DoS) attack comes from a single source trying to overwhelm a target. A distributed denial-of-service (DDoS) attack uses many sources at once — often a botnet of thousands of compromised machines spread around the world. The distributed part is what makes DDoS so much harder to stop: there is no single IP to block, the traffic looks like it comes from everywhere, and the combined volume can dwarf what any one machine could produce.

How do websites stop a DDoS attack?

Most sites do not absorb a large DDoS on their own hardware. They put a specialized provider or content delivery network in front of the origin — Cloudflare, Akamai, AWS Shield and similar — which has the spare capacity to soak up floods, scrub malicious traffic upstream, and spread load across data centers using anycast. Sites also apply rate limiting and web application firewall rules, and keep the true origin IP hidden.

Can a small website or home server be hit by a DDoS?

Yes. You do not have to be a large target — small game servers, forums, streamers and hobby projects are hit regularly. The good news is that the standard defenses are cheap or free: put a CDN or DDoS-protection provider in front of your site, never expose your origin server's real IP, and apply rate limiting so no single client can exhaust your resources.

Related reading