What Is a DDoS Attack and How Are They Stopped?
A DDoS attack tries to knock a service offline by flooding it with more traffic than it can handle, sent from many machines at once. Here is how a Distributed Denial of Service attack works, and how defenders fight back.
What is a DDoS attack?
A DDoS attack, short for Distributed Denial of Service, is an attempt to make a website, game server, or online service unavailable by overwhelming it with traffic. Rather than breaking in or stealing data, the goal is simpler and blunter: exhaust the target's capacity so that legitimate visitors can no longer get through. Think of a shop doorway jammed by a crowd that has no intention of buying anything, so real customers cannot enter.
The "distributed" part is what gives these attacks their power. The flood does not come from one place. It arrives from thousands of separate machines, each with its own IP address, which makes it very hard to stop by simply banning a single source.
A DDoS attack aims to deny service, not to break in. It succeeds by consuming resources (bandwidth, connections, or processing) faster than the target can recover, until legitimate users are crowded out.
DoS vs DDoS: what's the difference?
A plain DoS (Denial of Service) attack comes from a single source. That is relatively easy to defend against, because once you identify the offending address you can block it. A DDoS spreads the same idea across many machines at once, so blocking one address barely dents the flood.
The distributed machines are often ordinary computers, servers, or smart devices that have been compromised and quietly enlisted into a botnet, a network of hijacked devices under an attacker's control. The owners usually have no idea their device is taking part.
How DDoS attacks work
DDoS attacks generally fall into a few families depending on what they try to exhaust:
- Volumetric attacks aim to saturate the target's bandwidth with sheer volume of traffic, measured in bits per second.
- Protocol attacks exploit weaknesses in how connections are set up, tying up resources on servers, firewalls, and load balancers.
- Application-layer attacks mimic real users, sending requests that look legitimate but are designed to overwork the application, such as repeatedly hitting a search page.
Many volumetric attacks use amplification. The attacker sends small requests to misconfigured servers while spoofing the victim's address, so those servers fire much larger responses at the target. This trick relies on protocols that reply with far more data than the request contained, and it leans on the way traffic is routed across the internet, a topic we cover in our article on how data travels the internet.
| Type | What it targets | Example idea |
|---|---|---|
| Volumetric | Bandwidth | Flood the pipe with junk traffic |
| Protocol | Connection state | Exhaust server or firewall tables |
| Application-layer | App resources | Hammer an expensive page |
How DDoS attacks are stopped
Defending against a DDoS is largely a matter of scale and smart filtering. A single server cannot outmuscle a global flood, so protection is usually handled by large distributed networks that sit in front of the target. These are often built on anycast, which spreads one IP address across many locations so incoming traffic is absorbed close to its source and shared across enormous capacity.
On top of that raw capacity, defenders apply several techniques:
- Traffic scrubbing: routing traffic through filters that drop malicious packets and forward only clean requests.
- Rate limiting: capping how many requests any one source can make in a period.
- Reputation filtering: blocking addresses and patterns known to belong to botnets.
- Challenge tests: asking suspicious clients to prove they are real before serving them.
A reverse proxy often sits at the front of this defence, hiding the real server and giving defenders a single choke point to filter at. The combination lets big providers soak up floods that would instantly overwhelm an individual machine.
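The rate-limiting technique listed above, as an added example (not code from the original article): a per-source token bucket run over constructed traffic, showing that it throttles a single-source flood while a distributed flood, where every address stays under the cap, passes untouched. The rate, burst size, addresses and function names are assumptions chosen for illustration.

```python
from collections import Counter

class TokenBucket:
    """Allows `rate` requests/second on average, with bursts up to `burst`."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        # Refill for the time elapsed since the last request, capped at burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def admitted_per_source(events, rate=5, burst=10):
    """Run (timestamp, source) events through one bucket per source address.

    Returns a Counter of admitted requests keyed by source.
    """
    buckets, admitted = {}, Counter()
    for now, src in sorted(events):
        if src not in buckets:
            buckets[src] = TokenBucket(rate, burst, now)
        if buckets[src].allow(now):
            admitted[src] += 1
    return admitted

# Constructed traffic: 1000 flood requests over 10 seconds, using
# documentation-range addresses. Not captured from a real incident.
TICKS = [i / 100 for i in range(1000)]
LEGIT = [(float(s), "192.0.2.10") for s in range(10)]    # 1 request/second
SINGLE_SOURCE = [(t, "198.51.100.7") for t in TICKS]     # one flooding address
DISTRIBUTED = [(t, f"203.0.113.{i % 200}")               # 200 addresses,
               for i, t in enumerate(TICKS)]             # 0.5 request/second each

def summary(flood):
    """Return (flood requests admitted, legitimate requests admitted)."""
    counts = admitted_per_source(flood + LEGIT)
    legit = counts.pop("192.0.2.10", 0)
    return sum(counts.values()), legit

if __name__ == "__main__":
    print("single source:", summary(SINGLE_SOURCE))
    print("distributed:  ", summary(DISTRIBUTED))
```

The per-source table is itself state that grows with the number of distinct addresses seen, so a production limiter needs eviction and an upper bound on tracked sources.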
Can a DDoS reveal or target you personally?
DDoS attacks are usually aimed at services and servers rather than individuals, but home connections can be targeted too, for example in online gaming disputes. An attacker who learns your IP could try to flood your connection. This is one practical reason people care about what an IP reveals and about tools like a VPN that keep the address others see separate from their real connection.
For most home users, though, the realistic defence is simple: your router and provider absorb a lot, and reconnecting often gets you a new address. Serious targets, such as businesses, rely on the professional protection services described above.
Why DDoS matters
DDoS attacks are a persistent fact of internet life because they are cheap to launch and disruptive out of proportion to their sophistication. They do not require breaking any encryption or stealing any secrets, only the ability to marshal enough traffic. That is why so much of the internet's plumbing, from anycast to scrubbing centres, is quietly built to withstand them.
Understanding DDoS is part of understanding how the internet stays standing under pressure. If you want to see the single address that identifies your own connection, the friendly checkers at IP Animals will show it to you in a moment.
Frequently asked questions
What is a DDoS attack in simple terms?
A DDoS, or Distributed Denial of Service, attack tries to knock a website or service offline by flooding it with far more traffic than it can handle. The traffic comes from many machines at once, so it is hard to block by simply banning a single source. The goal is disruption, not breaking in.
What is the difference between DoS and DDoS?
A DoS attack comes from a single source, while a DDoS attack is distributed across many machines at once. Because the traffic in a DDoS arrives from thousands of different addresses, it is far harder to filter than a single-source flood, which is why the distributed version is more common today.
How are DDoS attacks stopped?
Defenders use large distributed networks that absorb and filter traffic, dropping malicious requests before they reach the target. Techniques include rate limiting, traffic scrubbing, spreading capacity across many locations, and blocking known bad sources. Big providers can soak up enormous floods that a single server never could.
Is launching a DDoS attack illegal?
In most countries, deliberately flooding a service to take it offline is against the law, even if no data is stolen. Renting attack services or taking part in one can carry serious penalties. Testing your own systems with permission is different from attacking someone else's.