A Distributed Denial-of-Service (DDoS) attack floods a target server, network, or application with traffic from multiple compromised systems until it can no longer serve legitimate users. Unlike a simple denial-of-service attack from one machine, a DDoS attack draws on botnets of hundreds, thousands, or even millions of hijacked devices to generate overwhelming volume, request rates, or protocol-level exhaustion. The scale has grown fast: Cloudflare blocked a 7.3 Tbps attack in May 2025, then a 29.7 Tbps attack in Q3 2025, then a 31.4 Tbps attack in Q4 2025 — three new records in a single year. Attackers don't need custom malware anymore; misconfigured IoT devices, open DNS resolvers, and vulnerable HTTP/2 server implementations are enough. For security and engineering teams, understanding how these attacks work — and which of your own systems are reachable and exploitable — is the difference between an outage headline and a non-event.
How Does a DDoS Attack Work?
A DDoS attack works by directing traffic from a distributed network of compromised machines — a botnet — at a single target simultaneously, exhausting its bandwidth, connection capacity, or compute resources. The attacker typically doesn't own the machines doing the flooding; they've been infected with malware (like Mirai) or are open infrastructure abused via amplification. In a reflection/amplification attack, the attacker spoofs the victim's IP address and sends small queries to open servers — DNS resolvers, NTP servers, memcached instances — that reply with much larger responses directed at the victim. The February 2018 attack on GitHub hit 1.35 Tbps this way: attackers abused exposed memcached servers with no authentication, achieving an amplification factor of roughly 51,000x, meaning a 1-byte request could return a 51,000-byte response aimed at the target.
What Are the Main Types of DDoS Attacks?
The three main categories are volumetric, protocol, and application-layer attacks, each targeting a different layer of the stack. Volumetric attacks (UDP floods, amplification attacks) aim to saturate available bandwidth and are measured in bits per second — Cloudflare's 29.7 Tbps Q3 2025 record was a UDP carpet-bombing attack that spread traffic across an average of 15,000 destination ports per second, making it harder to filter with simple rate limits. Protocol attacks (SYN floods, the HTTP/2 Rapid Reset technique) exhaust server-side connection state or worker threads rather than bandwidth. Application-layer attacks (HTTP floods) mimic legitimate requests to overwhelm web servers or APIs and are measured in requests per second — during the October 2023 HTTP/2 Rapid Reset campaign (CVE-2023-44487), Google absorbed 398 million requests per second, Cloudflare saw 201 million rps, and AWS saw 155 million rps, all from a botnet of only about 20,000 machines.
What Was the Largest DDoS Attack on Record?
The largest DDoS attack on record is a 31.4 Tbps attack that Cloudflare mitigated in Q4 2025, lasting just 35 seconds. It capped a year in which hyper-volumetric attacks (those exceeding 1 Tbps or 1 billion packets per second) increased roughly 700% compared to late 2024, driven largely by the Aisuru botnet, which also powered the 29.7 Tbps attack earlier that year. For comparison, the October 2016 Mirai-driven attack on DNS provider Dyn — which knocked Twitter, Netflix, Spotify, and Reddit offline for hours — peaked around 1.2 Tbps using roughly 100,000 hijacked IoT devices like routers and IP cameras. The nearly 30x jump in peak volume over less than a decade shows how much cheaper it has become for attackers to weaponize distributed, often unsecured, internet-connected infrastructure.
How Is a DDoS Attack Different From a DoS Attack?
A DoS attack originates from a single source, while a DDoS attack is coordinated across many distributed sources, which is what makes it far harder to block by simply blacklisting an IP address. A single-source DoS attack can often be stopped at a firewall or load balancer once the offending address is identified. A DDoS attack spreads the same malicious intent across thousands of geographically dispersed IPs — Cloudflare reported blocking 20.5 million DDoS attacks in Q1 2025 alone, a 358% year-over-year increase — so defenders must distinguish attack traffic from legitimate traffic using behavioral signals, rate anomalies, and traffic scrubbing rather than static IP rules.
How Can Organizations Detect and Mitigate DDoS Attacks?
Organizations detect and mitigate DDoS attacks by combining traffic-scrubbing infrastructure with patched, hardened application and network layers so that even successful floods don't translate into outages. Mitigation providers like Cloudflare and AWS Shield absorb volumetric traffic upstream, but protocol-level and application-layer attacks — like HTTP/2 Rapid Reset — require the underlying server software itself to be patched; nginx, Envoy, and gRPC all shipped emergency fixes for CVE-2023-44487 in October 2023 because the flaw lived in how HTTP/2 implementations handled stream cancellation, not in network volume. Rate limiting, connection timeouts, SYN cookies, and keeping load balancers and web servers on current, non-vulnerable versions all reduce the blast radius of an attack that does get through initial scrubbing.
Why Are DDoS Attacks Increasing in Frequency and Scale?
DDoS attacks are increasing because the pool of exploitable, internet-connected devices keeps growing faster than it's being secured, and botnet-for-hire services have made launching an attack cheap and accessible. Botnets like Aisuru recruit poorly secured routers, cameras, and IoT devices at scale, the same pattern Mirai established in 2016 with roughly 100,000 devices — except modern variants now marshal far larger fleets to hit multi-terabit volumes. At the same time, protocol-level flaws like Rapid Reset show that attackers don't even need a botnet's raw size when a single request pattern can exhaust server resources; a mere 20,000 machines produced a then-record 398 million rps against Google in 2023. Both trends — bigger botnets and smarter exploitation of protocol weaknesses — are pushing volumetric and application-layer records higher every year.
How Safeguard Helps
Safeguard doesn't stop network-layer floods, but it closes the gap that turns a DDoS attempt into a successful outage: unpatched, exposed software. Safeguard's SBOM generation and ingest inventory every HTTP/2, load-balancing, and networking component in your stack, so when a protocol-level flaw like CVE-2023-44487 surfaces, you know within minutes which services run affected versions of nginx, Envoy, or gRPC. Reachability analysis determines whether that vulnerable code path is actually exposed to untrusted internet traffic versus buried behind internal-only services, so teams triage the handful of components that matter instead of every match in the SBOM. Griffin AI correlates exploitability, exposure, and attack-technique intelligence to rank which findings represent real DDoS-amplifying risk, and Safeguard's auto-fix PRs open the dependency bump or config change directly against the affected repo — turning a multi-day patch cycle for a resource-exhaustion vulnerability into a same-day merge.