What “DDoS” actually means
DDoS stands for Distributed Denial of Service. The goal is right there in the name: deny a service to the people who are supposed to use it. Instead of breaking in or stealing data, a DDoS attack simply tries to make a website, game server, API, or network so overwhelmed that legitimate requests can't get through. The site isn't hacked in the classic sense — it's drowned out.
The key word is distributed. A plain denial-of-service (DoS) attack comes from a single machine, which makes it relatively easy to identify and block: you see one source sending far too much traffic and you cut it off. A distributed attack comes from many sources at once — often thousands or hundreds of thousands of them — so there is no single address to blame, the traffic appears to arrive from all over the world, and the combined firepower is far larger than any one machine could produce.
Where the flood comes from: botnets
The “many sources” in a DDoS attack are usually a botnet — a collection of internet-connected devices that have been quietly compromised and can be directed to send traffic on command. These are often ordinary machines whose owners have no idea they're participating: home routers, IP cameras, DVRs, and other cheap Internet-of-Things gadgets with weak or default passwords. Because the traffic comes from huge numbers of real, scattered devices, it blends into normal internet background noise and can't be filtered by blocking one country or network. That is the heart of why DDoS is hard — and this guide explains how it works so you can defend against it, not launch one.
The general categories of DDoS attack
DDoS attacks are usually grouped by what part of the system they try to exhaust. To defend a site you don't need to know how to run any of them — only what each one targets.
Volumetric attacks — saturating the pipe
The most intuitive category. A volumetric attack simply sends more raw traffic than the target's connection can carry, measured in gigabits or terabits per second. Picture a four-lane highway asked to carry the traffic of forty lanes — nothing gets through, not because any single car is malicious but because the road is full. Bandwidth is the resource being exhausted, and legitimate packets are lost in the crush.
Protocol / state-exhaustion attacks — filling the tables
These target the machinery that tracks connections rather than the bandwidth itself. A classic example is the SYN flood: opening a TCP connection involves a short handshake, and the server sets aside a little memory for each half-open connection while it waits. An attacker sends a torrent of connection openings that are never completed, and the server's connection table fills with these dangling entries until it has no room for real users. Firewalls, load balancers, and servers all keep such state, and any of them can be the bottleneck that gets exhausted.
Application-layer attacks — expensive requests
The subtlest category. Instead of brute volume, these send requests that look perfectly legitimate but are individually expensive to answer — a complex search query, a page that triggers heavy database work, a login endpoint that runs slow password hashing. A modest number can tie up an application while the raw traffic volume stays low enough to slip past bandwidth-based defenses. Because each request resembles a real one, telling attacker from customer is genuinely hard.
Why DDoS attacks are so hard to stop
Several properties combine to make distributed attacks stubborn:
- Distributed sources. With traffic arriving from countless devices at once, there's no single offender to block. Ban one address and the flood continues from a thousand others.
- Spoofing. Some techniques forge the source address on packets so the traffic appears to come from somewhere it doesn't, which frustrates simple “block the sender” approaches and can misdirect the response.
- Reflection and amplification. At a conceptual level, attackers can bounce traffic off innocent third-party servers so that a small request produces a much larger response aimed at the victim — which is why attack volumes can grow far beyond the attacker's own connection. (Named here only to explain the scale, not as a recipe.)
- Traffic that looks legitimate. Especially at the application layer, malicious requests can be nearly indistinguishable from genuine ones, so crude filtering risks blocking real customers along with the attack.
How sites actually defend against DDoS
The reassuring part: defending against DDoS is a mature discipline, and most of it is handled by putting the right infrastructure in front of your service. The guiding principle is to never make your origin server absorb the flood directly.
- Upstream scrubbing and CDNs. Providers such as Cloudflare, Akamai, and cloud DDoS-protection services sit in front of your site with enormous spare capacity. They soak up floods far from your server, filter (“scrub”) out malicious traffic, and pass only clean requests through. A content delivery network (CDN) also caches content close to users, spreading load and further blunting volumetric attacks.
- Anycast routing. Anycast lets the same IP address be announced from many data centers at once, so traffic is routed to the nearest one. A flood aimed at a single address gets spread across a global network of scrubbing centers, so no one location absorbs all of it — the attack is diluted rather than concentrated.
- Rate limiting. Capping how many requests a single client can make in a given window stops any one source from monopolizing resources, and is especially effective against application-layer attacks. See rate limiting by IP for how it works.
- Web application firewalls (WAFs). A firewall — specifically a WAF — inspects incoming requests and drops patterns associated with attacks before they reach the application, filtering by behavior rather than raw volume.
- IP reputation. Traffic from addresses with a history of abuse can be treated with extra suspicion — IP reputation signals help separate likely attack sources from ordinary visitors.
- Overprovisioned capacity. Far more bandwidth and compute headroom than a normal day needs means small-to-medium floods get absorbed without anyone noticing. Capacity is itself a defense.
- Blackholing as a last resort. When one address is under an overwhelming flood, a network can “blackhole” it — dropping all traffic to that address to protect the rest of the network. It sacrifices the target to save the neighbors, so it's a blunt, last-ditch tool, not a real solution.
What a normal person or small site owner should do
You don't need an enterprise budget to be well protected. The practical checklist is short:
- Put a CDN or DDoS-protection provider in front of your site. The free tiers of the major providers already include meaningful DDoS mitigation, and this single step handles the large majority of what a hobby or small-business site will ever face.
- Don't expose your origin IP. If attackers discover the real address of the server behind your CDN, they can aim the flood straight at it and bypass your protection entirely. Keep the origin hidden, and lock it down so it only accepts traffic from your protection provider.
- Apply rate limiting. Even a simple per-IP cap makes application-layer attacks far less effective and protects expensive endpoints like search and login — again, see rate limiting by IP. And learn your host's DDoS-response options before an attack, not during one.
DDoS is about availability, not theft
Keep the threat in perspective. A DDoS attack targets the availability of a service — its ability to answer at all — rather than the confidentiality of its data. Nothing is necessarily stolen; the harm is downtime, lost revenue, and frustrated users. That's different from an attack that reroutes traffic entirely, such as BGP hijacking, or one that aims to steal data. Knowing which kind of threat you're facing is the first step to the right defense.
Frequently asked questions
What is the difference between a DoS and a DDoS attack?
A denial-of-service (DoS) attack comes from a single source trying to overwhelm a target. A distributed denial-of-service (DDoS) attack uses many sources at once — often a botnet of thousands of compromised machines spread around the world. The distributed part is what makes DDoS so much harder to stop: there is no single IP to block, the traffic looks like it comes from everywhere, and the combined volume can dwarf what any one machine could produce.
How do websites stop a DDoS attack?
Most sites do not absorb a large DDoS on their own hardware. They put a specialized provider or content delivery network in front of the origin — Cloudflare, Akamai, AWS Shield and similar — which has the spare capacity to soak up floods, scrub malicious traffic upstream, and spread load across data centers using anycast. Sites also apply rate limiting and web application firewall rules, and keep the true origin IP hidden.
Can a small website or home server be hit by a DDoS?
Yes. You do not have to be a large target — small game servers, forums, streamers and hobby projects are hit regularly. The good news is that the standard defenses are cheap or free: put a CDN or DDoS-protection provider in front of your site, never expose your origin server's real IP, and apply rate limiting so no single client can exhaust your resources.
Related reading
- Rate limiting by IP — a core defense against application-layer floods and abusive clients.
- What is a CDN? — the layer most sites put in front of their origin to absorb and spread load.
- What is a firewall? — including web application firewalls that filter malicious requests.
- IP reputation and blocklists — how attack sources are distinguished from ordinary visitors.
- BGP hijacking — a very different way to disrupt a service, by rerouting its traffic entirely.
- Networking glossary — plain-English definitions for the terms in this guide.
