DDoS attacks and botnets explained

Learn how distributed denial-of-service attacks work, how botnets power them at massive scale, and what you can do to protect your application.

When a website goes dark without warning, a DDoS attack is often the culprit. Distributed denial-of-service attacks are one of the most disruptive tools available to malicious actors: rather than breaking into a system, the goal is simply to make it unreachable. They do this by flooding it with more traffic than it can handle, from thousands or millions of sources simultaneously.

Behind most large-scale DDoS attacks is a botnet: a network of compromised devices that attackers quietly assemble over time and then unleash on demand. Together, DDoS attacks and botnets represent a threat that ranges from a nuisance for small apps to an existential risk for large platforms.

In this article, you'll learn:

  • What a DDoS attack is and how it differs from a regular DoS attack
  • The main types of DDoS attacks
  • What a botnet is and how attackers build one
  • Why DDoS attacks are so difficult to defend against
  • How to protect your application

Let's start from the top.

What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from a large number of sources at once. The goal is not to steal data or gain access: it is to exhaust the target's resources (bandwidth, CPU, memory, or connection limits) until it can no longer serve legitimate users.

The "distributed" part is what separates a DDoS from a plain denial-of-service (DoS) attack. A DoS attack comes from a single machine or IP address, which makes it straightforward to identify and block. A DDoS attack distributes the traffic across thousands or hundreds of thousands of different sources, making it much harder to filter out without also blocking real users.

DDoS attacks can target:

  • Web applications and APIs
  • DNS servers
  • Network infrastructure (routers, firewalls)
  • Gaming and streaming platforms
  • Financial services and e-commerce platforms

The consequences range from brief slowdowns to hours or days of complete outage, with real costs in lost revenue, damaged reputation, and emergency response time.

How does a DDoS attack work?

At a high level, a DDoS attack works by directing a flood of requests or data at a target until its resources are exhausted. The mechanics depend on the type of attack, but the core pattern is always the same: volume, distribution, and persistence.

A typical DDoS attack unfolds like this:

  1. The attacker assembles or rents access to a large pool of compromised devices (a botnet) or uses amplification techniques to multiply traffic from fewer sources.
  2. The attacker issues a command to begin the attack, specifying the target IP address or domain and the attack method.
  3. Thousands of devices simultaneously send requests or traffic to the target.
  4. The target's servers, network connections, or upstream infrastructure become saturated and start dropping legitimate requests.
  5. The service becomes slow, unresponsive, or completely unavailable to real users.
  6. The attacker sustains the flood for as long as desired, often hours or days, before stopping or shifting to a new target.

Diagram: an attacker issues a command to a botnet of thousands of compromised devices (computers, phones, IoT devices, cloud servers, and traffic amplifiers); all devices simultaneously flood a target server, exhausting its resources, while a legitimate user attempting to connect is denied access.

The target's defenses, if any are in place, must distinguish malicious traffic from legitimate traffic in real time, under enormous load, without blocking real users in the process.

Types of DDoS attacks

DDoS attacks fall into three broad categories, each targeting a different layer of the network stack.

Volume-based attacks

The simplest and most common type. The attacker tries to consume all available bandwidth between the target and the internet. The attack is measured in bits per second (bps) and can reach hundreds of gigabits or even terabits per second in large incidents.

Common examples include:

  • UDP floods: The attacker sends a large number of UDP packets to random ports on the target host, which must process each one and send back ICMP "destination unreachable" responses, consuming resources on both sides.
  • ICMP floods (ping floods): A high volume of ICMP echo requests overwhelms the target's ability to respond.
  • Amplification attacks: The attacker spoofs the target's IP address and sends small requests to publicly accessible servers (DNS, NTP, memcached) that respond with replies many times larger. The amplified responses all hit the target, multiplying the attacker's bandwidth without requiring them to generate it directly.

Protocol attacks

These attacks exploit weaknesses in network protocols rather than raw bandwidth. They consume resources on network devices like firewalls, load balancers, and servers themselves. Measured in packets per second (pps).

  • SYN floods: The attacker sends a large number of TCP SYN (connection initiation) packets but never completes the three-way handshake. The target holds open a half-open connection for each one, quickly exhausting the connection table.
  • Ping of death: Sending malformed or oversized packets that crash or destabilize the target system when it tries to reassemble them.
  • Smurf attacks: Broadcasting ICMP requests with a spoofed source IP (the victim's address), causing all devices on the network to respond to the victim simultaneously.
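As an added example that is not part of the original article, the following Python monitor shows how the half-open connection build-up described under SYN floods can be measured on the defending side from a constructed packet trace. The listen-backlog size, alert threshold, and timeout are assumptions.

```python
from collections import defaultdict

# Constructed sample trace: (time_s, src_ip, src_port, flag) as a sensor in
# front of the server would summarise client packets. "S" is the client's SYN,
# "A" is the client's final ACK that completes the three-way handshake.
SAMPLE_PACKETS = [
    (0.0, "198.51.100.7", 40001, "S"), (0.1, "198.51.100.7", 40001, "A"),
    (0.2, "198.51.100.8", 40002, "S"), (0.3, "198.51.100.8", 40002, "A"),
    # Flood component: 40 SYNs from four addresses, none ever acknowledged.
    *[(0.5 + i * 0.01, "203.0.113.%d" % (i % 4), 50000 + i, "S")
      for i in range(40)],
]


def half_open_connections(packets, now, timeout=3.0):
    """Return {(src_ip, src_port): syn_time} for handshakes still incomplete
    at `now`: a SYN was seen, no ACK followed from the same (ip, port), and
    the SYN is younger than `timeout` (older entries the kernel would have
    expired on its own)."""
    pending = {}
    for t, ip, port, flag in sorted(packets):
        if flag == "S":
            pending[(ip, port)] = t
        elif flag == "A":
            pending.pop((ip, port), None)
    return {k: t for k, t in pending.items() if now - t <= timeout}


def assess(packets, now, timeout=3.0, backlog_limit=128, warn_fraction=0.25):
    """Summarise backlog pressure. `backlog_limit` is an assumed listen
    backlog; raise an alert once half-open entries exceed `warn_fraction`
    of it. Per-source counts are reported but are secondary: a flood that
    spoofs source addresses spreads them thinly, so the global count and
    the SYN-to-ACK completion ratio are the primary signals."""
    pending = half_open_connections(packets, now, timeout)
    per_source = defaultdict(int)
    for ip, _port in pending:
        per_source[ip] += 1
    syns = sum(1 for p in packets if p[3] == "S")
    acks = sum(1 for p in packets if p[3] == "A")
    return {
        "half_open": len(pending),
        "completion_ratio": acks / syns if syns else 1.0,
        "alert": len(pending) >= backlog_limit * warn_fraction,
        "top_sources": sorted(per_source.items(), key=lambda kv: -kv[1])[:3],
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PACKETS, now=1.0))
```

Run at one second into the trace the two legitimate handshakes have completed and all 40 flood SYNs are still pending, which trips the alert; at ten seconds the stale entries have aged out and the backlog reads empty.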

Application layer attacks (layer 7)

The most sophisticated and hardest to detect. These attacks target the application itself rather than the network, sending requests that look legitimate but are computationally expensive to process. Measured in requests per second (rps).

  • HTTP floods: The attacker sends a very high volume of HTTP GET or POST requests. Because each looks like normal web traffic, it is difficult to distinguish from real users.
  • Slowloris: The attacker opens many connections to the web server and sends partial HTTP requests very slowly, keeping connections open and eventually exhausting the server's connection limit without sending much traffic at all.
  • DNS query floods: Overwhelming a DNS server with a high volume of lookup requests, making it unable to resolve domain names for legitimate users.

Diagram: the three categories of DDoS attacks. Volume-based attacks (measured in bits per second): UDP floods, DNS amplification with up to 50x traffic multipliers, and ICMP floods. Protocol attacks (measured in packets per second): SYN floods that hold connections open, Smurf attacks using spoofed broadcasts, and ping of death using malformed packets. Application layer attacks (measured in requests per second): HTTP floods that resemble real traffic, Slowloris, which holds connections open with slow requests, and DNS query floods. A detection difficulty bar shows volume attacks are easiest to detect and application layer attacks the hardest.

What is a botnet?

A botnet is a network of internet-connected devices that have been secretly compromised by malware and are under the remote control of an attacker, often called a "bot herder." The individual devices in a botnet are called bots or zombies. Their owners typically have no idea the devices are infected or that they are being used to attack others.

Botnets are the primary infrastructure behind large-scale DDoS attacks, but they are also used for spam campaigns, credential stuffing, ad fraud, cryptocurrency mining, and distributing further malware.

Diagram: the three layers of a botnet. At the top, the bot herder issues attack commands. In the middle, the command-and-control layer consists of three infrastructure types: a centralized C2 server, peer-to-peer nodes for a decentralized and resilient architecture, and fast-flux DNS for rotating IPs and evasion. At the bottom, an army of compromised devices sits dormant until activated, including computers infected via malware, phones running malicious apps, routers with default credentials, IoT devices with unpatched firmware, and high-bandwidth cloud VMs. An arrow at the bottom points downward labeled "flood traffic," representing what the botnet unleashes on a target.

What devices make up a botnet?

Almost any internet-connected device can be recruited into a botnet:

  • Desktop and laptop computers
  • Smartphones and tablets
  • Home routers and modems
  • IoT devices: security cameras, smart TVs, printers, thermostats, baby monitors
  • Cloud servers and virtual machines (when compromised)

The rise of IoT devices has dramatically expanded the potential size of botnets. Many IoT devices ship with weak default credentials, no automatic updates, and minimal security hardening, making them easy targets.

How do attackers build a botnet?

Building a botnet is a process of quiet, patient compromise across a large number of devices.

  1. Infection: The attacker spreads malware through phishing emails, malicious downloads, drive-by downloads from compromised websites, exploitation of unpatched software vulnerabilities, or brute-forcing weak credentials on internet-exposed devices (routers and cameras are common targets).
  2. Installation: Once on a device, the malware installs itself persistently, often disguising itself as a legitimate process, and establishes a connection back to the attacker.
  3. Command and control (C2): The infected device connects to a command-and-control server operated by the attacker. This is how the attacker issues instructions to the entire fleet. Modern botnets often use peer-to-peer C2 architectures to make them harder to dismantle (there is no single server to take down).
  4. Dormancy: Infected devices typically sit idle for extended periods, performing no visible malicious activity. This makes detection harder and allows the botnet to grow.
  5. Activation: When the attacker is ready, they issue a command to some or all of the botnet to begin attacking a specific target.

Some attackers build their own botnets from scratch. Others rent access to existing botnets through "DDoS-for-hire" services (sometimes marketed as "stressers" or "booters"), lowering the barrier to launching attacks significantly.

Why DDoS attacks are hard to defend against

Several properties of DDoS attacks make them genuinely difficult to mitigate:

  • Traffic appears to come from legitimate sources. Because botnet devices are real computers and phones belonging to real people, their traffic often looks indistinguishable from legitimate users at the network level.
  • The scale can exceed any single server's capacity. A sufficiently large botnet can generate more traffic than even well-resourced targets can absorb, regardless of how well-tuned the target's servers are.
  • Mitigation can harm real users. Blocking IP ranges, rate limiting, or adding friction (CAPTCHAs, JavaScript challenges) to filter attack traffic all carry the risk of also blocking legitimate users, especially when the attack traffic and real traffic come from similar regions or device types.
  • Attackers can adapt. Sophisticated attackers monitor whether their attack is being mitigated and shift tactics in response: changing attack vectors, rotating source IPs, or targeting different layers.
  • Amplification attacks multiply traffic cheaply. DNS and NTP amplification can achieve amplification factors of 50x or more, meaning an attacker with modest bandwidth can generate enormous traffic volumes.

How to protect against DDoS attacks

No single measure prevents DDoS attacks entirely, but layering defenses reduces both the likelihood and the impact.

Use a DDoS protection service or CDN

The most effective defense for most applications is routing traffic through a service that specializes in absorbing and filtering DDoS traffic before it reaches your infrastructure. Services like Cloudflare, AWS Shield, Akamai, and Fastly operate at a scale large enough to absorb most attacks and maintain dedicated infrastructure for traffic scrubbing.

A content delivery network (CDN) also helps by distributing your traffic across many global points of presence, making it harder for an attack to concentrate enough volume on any single point.

Rate limit and throttle aggressively at the edge

Configure your load balancers, API gateways, and firewalls to limit the number of requests per IP, per user, and per endpoint. While rate limiting alone cannot stop a distributed attack with millions of source IPs, it reduces the impact of smaller attacks and buys time for other mitigations to kick in.
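The per-IP, per-user and per-endpoint limiting described above, as an added Python example that is not part of the original article. The limit values and the request sample are constructed assumptions, and the sample is built to show the caveat in the text: a flood spread thinly across many sources stays under every per-IP limit and is caught only by the per-endpoint cap.

```python
from collections import defaultdict, deque

# Assumed limits per dimension: (max_accepted_requests, window_seconds).
LIMITS = {"ip": (20, 10.0), "user": (50, 10.0), "endpoint": (200, 10.0)}


class SlidingWindowLimiter:
    """Sliding-window counters keyed by client IP, authenticated user and
    endpoint. A request is refused if ANY of its keys is at its cap."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.windows = defaultdict(deque)  # (dimension, key) -> accept times

    def allow(self, now, ip, user, endpoint):
        """Return (allowed, reason). Only accepted requests are recorded, so
        a client that is already blocked does not extend its own penalty."""
        keys = {"ip": ip, "user": user, "endpoint": endpoint}
        touched = []
        for dim, key in keys.items():
            if key is None:          # e.g. unauthenticated: no user key
                continue
            limit, window = self.limits[dim]
            q = self.windows[(dim, key)]
            while q and now - q[0] > window:   # evict expired timestamps
                q.popleft()
            if len(q) >= limit:
                return False, f"{dim}:{key}"
            touched.append(q)
        for q in touched:
            q.append(now)
        return True, None


def replay(requests, limiter=None):
    """Run (time, ip, user, endpoint) records through a limiter and return
    how many were blocked, grouped by the dimension that tripped."""
    limiter = limiter or SlidingWindowLimiter()
    blocked = defaultdict(int)
    for now, ip, user, endpoint in requests:
        ok, reason = limiter.allow(now, ip, user, endpoint)
        if not ok:
            blocked[reason.split(":", 1)[0]] += 1
    return dict(blocked)


# Constructed sample: 60 unauthenticated sources send 5 requests each to one
# endpoint within 0.3 s. No source nears 20/10 s, so the per-IP limit never
# fires; the per-endpoint cap of 200 stops only the final 100.
SAMPLE_REQUESTS = [(i * 0.001, f"203.0.113.{i % 60}", None, "/api/search")
                   for i in range(300)]
```

In production the same counters would live in a shared store such as the gateway's own rate-limit backend rather than in process memory, but the keying and eviction logic is the part that decides what gets caught.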

Implement anycast network diffusion

Anycast routing distributes incoming traffic across multiple geographically dispersed data centers, diluting the flood so that no single location bears the full load. This is a technique used by large CDN and DNS providers and is particularly effective against volumetric attacks.

Protect your DNS

DNS is a common DDoS target and a critical dependency. Use a DNS provider with built-in DDoS protection and redundancy. Consider Anycast DNS and ensure your TTLs are sensibly configured so you can redirect traffic quickly in an emergency.

Keep attack surface small

Expose only the services that need to be public. Put internal services, admin panels, staging environments, and databases behind firewalls or VPNs. Every publicly reachable endpoint is a potential target, so minimizing what is exposed reduces the available attack surface.

Harden IoT and edge devices

If you operate IoT devices or expose devices to the internet, change default credentials immediately, disable unused services, keep firmware up to date, and segment IoT devices from the rest of your network. A device you operate could be recruited into a botnet targeting someone else, and a compromised internal device could be used against your own infrastructure.

Have an incident response plan

When a DDoS attack hits, decisions need to be made quickly under pressure. Prepare runbooks in advance that cover how to contact your DDoS protection provider, how to implement emergency rate limiting, how to communicate with users, and who has the authority to make mitigation trade-offs (such as temporarily blocking entire geographic regions).

DDoS attacks vs. other denial-of-service techniques

DDoS attacks are sometimes confused with related threats that cause outages through different mechanisms.

  • DoS vs. DDoS: A DoS attack originates from a single source. It is easier to block (just drop traffic from that IP) but limited in scale. A DDoS attack is distributed across many sources, making blocking much harder.
  • Application abuse vs. DDoS: Some outages result from accidental traffic spikes (a viral post, a popular product launch) or from a single poorly optimized client hammering an API. These can look similar to a layer 7 DDoS but have different causes and different solutions. True DDoS attacks are deliberate and sustained.
  • Ransom DDoS (RDoS): Some attackers send a ransom demand threatening a DDoS attack unless payment is made. Sometimes the threat is credible and backed by a brief demonstrative flood; sometimes it is a bluff. Paying is generally not recommended, as it marks the target as willing to pay and invites repeat demands.

Final thoughts

DDoS attacks are fundamentally a problem of scale. Attackers can marshal more traffic than most targets can absorb, from sources that are nearly impossible to block without collateral damage, on demand and for very little cost. The best defenses are layered: move traffic scrubbing upstream to providers built for it, reduce your exposed attack surface, rate limit at the edge, and have a plan ready for when an attack hits.