How DDoS attacks work
A distributed denial-of-service (DDoS) attack disrupts the operations of a server, service, or network by flooding it with unwanted Internet traffic. At their worst, these attacks can knock a website or entire network offline for extended periods of time.
DDoS attacks work by directing malicious traffic to a target via multiple computers or machines. Often, these machines form a botnet: a group of devices that have been compromised by malware and can be controlled by a single attacker. Other DDoS attacks may involve multiple attackers or DDoS attack tools, such as stress-testing applications (e.g. LOIC) or low-and-slow programs (e.g. Slowloris).
Attackers may use one or more of the following strategies to DDoS their targets:
- Application-layer attacks, also known as layer 7 DDoS attacks, create a denial of service by overwhelming the target’s server and network resources with legitimate-seeming HTTP requests.
- Protocol attacks, or state-exhaustion attacks, overwhelm network equipment and infrastructure by using layer 3 or 4 protocols (e.g. ICMP) to send a flood of unwanted traffic to their target.
- Volumetric attacks use amplification techniques — for example, deploying a botnet or exploiting common networking protocols — to consume all of the target’s available bandwidth.
To learn more about the tactics employed in a DDoS attack, read What is a distributed denial-of-service (DDoS) attack?
How to prevent DDoS attacks
Preventing DDoS attacks can be challenging, particularly during high-traffic periods or across a vast and distributed network architecture. A truly proactive DDoS threat defense hinges on several key factors: attack surface reduction, threat monitoring, and scalable DDoS mitigation tools.
DDoS prevention methods
- Attack surface reduction: Limiting attack surface exposure can help minimize the effect of a DDoS attack. Several methods for reducing this exposure include restricting traffic to specific locations, implementing a load balancer, and blocking communication from outdated or unused ports, protocols, and applications.
- Anycast network diffusion: An Anycast network helps increase the surface area of an organization’s network, so that it can more easily absorb volumetric traffic spikes (and prevent outages) by dispersing traffic across multiple distributed servers.
- Real-time, adaptive threat monitoring: Log monitoring can help pinpoint potential threats by analyzing network traffic patterns, monitoring traffic spikes or other unusual activity, and adapting to defend against anomalous or malicious requests, protocols, and IP blocks.
- Caching: A cache stores copies of requested content so that fewer requests are serviced by origin servers. Using a content delivery network (CDN) to cache resources can reduce the strain on an organization’s servers and make it more difficult for them to become overloaded by both legitimate and malicious requests.
- Rate limiting: Rate limiting restricts the volume of network traffic over a specific time period, essentially preventing web servers from getting overwhelmed by requests from specific IP addresses. Rate limiting can be used to prevent DDoS attacks that use botnets to spam an endpoint with an abnormal amount of requests at once.
DDoS prevention tools
- Web application firewall (WAF): A WAF helps block attacks by using customizable policies to filter, inspect, and block malicious HTTP traffic between web applications and the Internet. With a WAF, organizations can enforce a positive and negative security model that controls incoming traffic from specific locations and IP addresses.
- Always-on DDoS mitigation: A DDoS mitigation provider can help prevent DDoS attacks by continuously analyzing network traffic, implementing policy changes in response to emerging attack patterns, and providing an expansive and reliable network of data centers. When evaluating cloud-based DDoS mitigation services, look for a provider that offers adaptive, scalable, and always-on threat protection against sophisticated and volumetric attacks.
For a more in-depth look at DDoS mitigation tools and strategies, read What is DDoS mitigation?
How Cloudflare helps prevent DDoS attacks
Cloudflare offers integrated L3-7 DDoS protection that helps organizations monitor, prevent, and mitigate attacks before they reach targeted applications, networks, and infrastructure. Some of the key benefits of our layered threat defense include:
- A global Anycast network that spans over 310 cities and 120 countries worldwide, capable of absorbing even the largest DDoS attacks
- Traffic routing and acceleration to help diffuse traffic spikes across our network and minimize latency and congestion
- Always-on, automatic DDoS mitigation that can detect and block malicious traffic in less than three seconds
- A next-generation WAF that offers advanced rate limiting, tailored rulesets, and flexible threat prevention
Under attack? Get immediate DDoS protection via the Cloudflare cyber emergency hotline.