What Is a DDoS Attack and How Does It Work?
A complete guide to DDoS attacks — how distributed denial-of-service attacks work, the main types, why attackers launch them, and how to defend against them.
Most cyberattacks try to break in quietly — to steal data or take control without being noticed. A DDoS attack does the opposite. It is loud, disruptive, and immediately obvious: its entire purpose is to knock a website or online service offline by overwhelming it with traffic.
DDoS stands for distributed denial-of-service, and these attacks are among the most common disruptions on the internet. They can take down a company's website, freeze an online store during peak sales, or disrupt critical services for hours at a time — without the attacker ever stealing a single file.
This guide explains DDoS attacks in full: what they are, how they differ from a basic denial-of-service attack, how they work, the main types, why attackers launch them, and how organizations defend against them. It is part of our broader guide to the types of cyberattacks.
What Is a DDoS Attack?
A DDoS attack is an attempt to make a website, application, or network unavailable by flooding it with more traffic than it can handle. The target's servers have a finite capacity — a limited amount of bandwidth, memory, and processing power. A DDoS attack deliberately exhausts that capacity, so legitimate users can no longer get through.
The result is a denial of service: the website times out, the app stops responding, the service goes dark. Crucially, the attacker does not need to breach the system or steal anything. Disruption itself is the goal.
DoS vs DDoS: What's the Difference?
The two terms are closely related. A denial-of-service (DoS) attack comes from a single source — one computer or connection flooding the target. Because it has one origin, a DoS attack is relatively easy to block: identify the source and filter it out.
A distributed denial-of-service (DDoS) attack comes from many sources at once — often thousands of devices spread across the world, all flooding the target simultaneously. This is what makes DDoS far more dangerous. There is no single source to block, the combined traffic is far larger, and the malicious requests are mixed in with legitimate ones. Nearly all serious denial-of-service attacks today are distributed.
How a DDoS Attack Works
The "distributed" part of a DDoS attack depends on a botnet — a network of internet-connected devices that have been infected with malware and can be controlled remotely by an attacker. These devices can be computers, servers, routers, or poorly secured Internet of Things gadgets such as cameras and smart appliances. Their owners usually have no idea their device has been compromised.
To launch the attack, the attacker sends a command to the botnet, and every infected device begins sending traffic or requests to the target at the same moment. A botnet of thousands or millions of devices can generate an enormous flood — far more than the attacker could ever produce alone, and from so many different addresses that it is extremely hard to filter.

Types of DDoS Attacks
DDoS attacks are usually grouped into three categories based on which part of the target they overwhelm.
- Volumetric attacks aim to consume all of the target's available bandwidth by flooding it with a sheer volume of data. They are the most common type and are measured in bits per second.
- Protocol attacks exploit weaknesses in network protocols to exhaust server resources or the capacity of equipment such as firewalls and load balancers, rather than raw bandwidth.
- Application-layer attacks target the application itself — for example, by sending a flood of requests that each force the server to do expensive work. These attacks use less traffic, which makes them harder to detect, because the requests can look legitimate.
Sophisticated attackers often combine all three in a single multi-vector campaign, forcing defenders to counter several techniques at once.
Why Attackers Launch DDoS Attacks
DDoS attacks serve a range of motives. Some are financially driven: attackers demand a ransom to stop an attack or to refrain from launching one, a tactic known as a ransom DDoS. Some are competitive sabotage, aimed at a rival's website. Others are ideological — hacktivists using disruption as a form of protest. DDoS is also used as a distraction, generating chaos and tying up the security team while a more serious intrusion happens elsewhere. And because DDoS tools and "booter" services can be rented cheaply online, some attacks are simply vandalism.
Signs of a DDoS Attack
A DDoS attack often looks, at first, like a technical problem. Warning signs include a website or service becoming suddenly slow or completely unavailable, a dramatic and unexplained spike in traffic, a flood of requests from a particular set of addresses or regions, and connectivity problems that do not trace back to an internal fault. Because these symptoms can resemble an ordinary traffic surge, monitoring tools that establish a normal baseline are essential for telling a real attack from a busy day.
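The baseline check described above can be sketched in a few lines. This is an added example, not part of the original guide: it builds a robust baseline (median and median absolute deviation) from constructed per-minute request counts, flags minutes that exceed it, and reports whether a few addresses dominate the spike. The function names, thresholds, and sample addresses are assumptions chosen for illustration.

```python
from collections import Counter
from statistics import median

# Constructed sample: requests per minute during ordinary operation.
NORMAL_RPM = [118, 122, 120, 125, 119, 121, 123, 117, 124, 120]

def baseline(history):
    """Median and median absolute deviation (MAD) of per-minute counts."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, mad

def is_spike(count, med, mad, k=6.0, min_mad=1.0):
    """True when a minute exceeds median + k*MAD; min_mad avoids a zero-width band."""
    return count > med + k * max(mad, min_mad)

def top_source_share(sources, n=3):
    """Fraction of the window's requests sent by the n busiest addresses."""
    if not sources:
        return 0.0
    busiest = Counter(sources).most_common(n)
    return sum(c for _, c in busiest) / len(sources)

def triage(sources, med, mad, share_threshold=0.5):
    """Label one minute of traffic given the source address of each request."""
    if not is_spike(len(sources), med, mad):
        return "within-baseline"
    if top_source_share(sources) >= share_threshold:
        return "spike-few-sources"    # a particular set of addresses dominates
    return "spike-many-sources"       # surge or distributed flood: needs review

def demo():
    med, mad = baseline(NORMAL_RPM)
    # Constructed windows using documentation address ranges (RFC 5737).
    quiet = [f"192.0.2.{i % 100}" for i in range(125)]
    few = ["203.0.113.7"] * 400 + ["203.0.113.8"] * 350 + quiet
    many = [f"198.51.100.{i % 250}" for i in range(900)]
    return [triage(w, med, mad) for w in (quiet, few, many)]

if __name__ == "__main__":
    print(demo())
```

A "spike-many-sources" result is exactly the ambiguous case the paragraph describes: volume alone cannot separate a busy day from a distributed flood, so it should trigger review rather than automatic blocking.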

How to Mitigate and Prevent DDoS Attacks
No organization can stop attackers from launching a DDoS attack, but it can prepare to absorb one. Effective defenses include:
- DDoS protection services. Specialized providers and content delivery networks absorb and filter attack traffic across vast global infrastructure before it ever reaches the origin server.
- Excess capacity. Provisioning more bandwidth and scalable, cloud-based infrastructure raises the threshold an attack must exceed to cause an outage.
- Traffic monitoring and rate limiting. Establishing a normal baseline enables fast detection, and rate limiting caps how many requests any single source can make.
- Network hardening. Firewalls, load balancers, and properly configured network equipment filter malicious traffic and remove single points of failure.
- A response plan. A prepared playbook — who to contact, how to activate mitigation, how to communicate with users — turns an outage into a managed event.
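To make the rate-limiting item concrete, here is an added example (not from the original guide) of a per-source token bucket replayed over two constructed one-second traffic samples. It shows why the same limiter that contains a single-source flood admits every request of a distributed one; the class names, limits, and addresses are assumptions for illustration.

```python
class TokenBucket:
    """Integer token bucket: 1 token = 1000 milli-tokens, time in milliseconds."""
    def __init__(self, rate_per_s, burst, now_ms):
        self.rate = rate_per_s          # tokens/s == milli-tokens/ms
        self.cap = burst * 1000
        self.level = self.cap           # start full so short bursts pass
        self.last_ms = now_ms

    def allow(self, now_ms):
        elapsed = max(0, now_ms - self.last_ms)
        self.level = min(self.cap, self.level + elapsed * self.rate)
        self.last_ms = now_ms
        if self.level >= 1000:
            self.level -= 1000
            return True
        return False

class PerSourceLimiter:
    def __init__(self, rate_per_s=5, burst=10):
        self.rate, self.burst = rate_per_s, burst
        self.buckets = {}  # source -> TokenBucket; production code must evict idle entries

    def allow(self, source, now_ms):
        bucket = self.buckets.get(source)
        if bucket is None:
            bucket = self.buckets[source] = TokenBucket(self.rate, self.burst, now_ms)
        return bucket.allow(now_ms)

def admitted(events, **limits):
    """Count requests let through from a list of (timestamp_ms, source) events."""
    limiter = PerSourceLimiter(**limits)
    return sum(limiter.allow(src, ts) for ts, src in events)

# Constructed traffic: 1000 requests in one second (RFC 5737 addresses).
SINGLE_SOURCE = [(ms, "203.0.113.9") for ms in range(1000)]
MANY_SOURCES = [(ms, f"198.51.100.{ms % 250}") for ms in range(1000)]

if __name__ == "__main__":
    print(admitted(SINGLE_SOURCE), admitted(MANY_SOURCES))
```

With the default limits the single source gets 14 of its 1000 requests through, while the same volume spread over 250 addresses passes in full, which is why per-source limits are listed alongside upstream protection services and spare capacity rather than instead of them.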
Conclusion
A DDoS attack is a blunt instrument, but an effective one. By harnessing a botnet of compromised devices, an attacker can flood a target with overwhelming traffic and take a service offline without ever breaching it. The motives range from extortion and sabotage to protest and distraction.
The encouraging news is that DDoS is one of the most defensible attack types. Organizations cannot prevent an attack from being launched, but with DDoS protection services, scalable capacity, vigilant monitoring, and a clear response plan, they can absorb even large attacks with little or no disruption.
Frequently Asked Questions (FAQ)
What is a DDoS attack?
A DDoS (distributed denial-of-service) attack is an attempt to make a website or online service unavailable by flooding it with more traffic than it can handle, using many compromised devices at once.
What is the difference between DoS and DDoS?
A DoS attack floods a target from a single source, which makes it relatively easy to block. A DDoS attack floods the target from many sources simultaneously, making it far larger and much harder to filter.
What is a botnet?
A botnet is a network of internet-connected devices infected with malware and controlled remotely by an attacker. Botnets provide the many distributed sources of traffic that power a DDoS attack.
Does a DDoS attack steal data?
No. A DDoS attack disrupts availability rather than stealing information. However, attackers sometimes use a DDoS attack as a distraction to draw attention away from a separate data-stealing intrusion.
How long does a DDoS attack last?
DDoS attacks can last anywhere from a few minutes to several days. Duration depends on the attacker's resources and motives and on how quickly the target activates mitigation.
How can DDoS attacks be prevented?
While the launch of an attack cannot be prevented, its impact can be minimized with DDoS protection services, scalable infrastructure, traffic monitoring, rate limiting, network hardening, and a tested response plan.