A DDoS (distributed denial-of-service) attack is a coordinated, malicious attempt to make a targeted server, service, or network unavailable by overwhelming it with traffic from many sources at once. Think of it like a flash mob of thousands of fake customers intentionally crowding a storefront entrance, making it physically impossible for real customers to get inside to shop.
Malicious traffic patterns are intercepted by localized Scrubbing Centers, leaving the origin web infrastructure unburdened.
Attackers rarely launch an attack from a single high-powered machine: a single source is trivially blocked by one firewall rule keyed on its IP address. Instead, attackers build or rent a botnet.
A botnet is a distributed collection of thousands of compromised, internet-facing endpoints (ranging from unpatched Linux servers to vulnerable Internet-of-Things (IoT) devices such as IP cameras and home routers) infected with malware that takes orders from an attacker-controlled command-and-control channel. When the command is issued, every infected node sends its share of the traffic simultaneously, so the attack arrives from thousands of unrelated addresses around the world and, per source, looks like ordinary users.
DDoS traffic profiles are usually categorized by which layer of the OSI networking stack they exhaust. The three standard categories, from the bottom of the stack upward:
Volumetric attacks (Layers 3 and 4). The Goal: Saturate the bandwidth of the link into your network.
Attackers use reflection and amplification (DNS or NTP servers answer a small request with a much larger response, and the request carries a spoofed source address so the reply lands on the victim) to push more packets per second than the upstream link can carry, so the ISP's routers drop legitimate traffic along with the flood. Because the pipe fills before the packets ever reach your equipment, this class cannot be stopped on premises; it has to be absorbed upstream.
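The reflection pattern above is visible in flow telemetry as many UDP sources, all answering from a well-known service port, converging on one destination with unusually large packets. The detector below is an added example (not code from the original article) that scores constructed NetFlow-style records for exactly that signature; the thresholds, the ten-second bin and the sample records are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example; thresholds and sample data are hypothetical.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}   # source port as seen by the victim
MIN_SOURCES = 5      # distinct reflectors before we call it distributed
MIN_MBPS = 1.0       # inbound rate that is abnormal for this service
BIN_SECONDS = 10     # the records below cover one ten-second bin

# Constructed records: proto src_ip src_port dst_ip dst_port packets bytes
FLOWS = """\
udp 192.0.2.10 53 203.0.113.5 33411 110 450000
udp 192.0.2.11 53 203.0.113.5 33411 110 450000
udp 192.0.2.12 53 203.0.113.5 33411 110 450000
udp 192.0.2.13 53 203.0.113.5 33411 110 450000
udp 192.0.2.14 53 203.0.113.5 33411 110 450000
udp 192.0.2.15 53 203.0.113.5 33411 110 450000
udp 198.51.100.1 123 203.0.113.5 51002 900 432000   # one NTP source only
tcp 203.0.113.9 443 203.0.113.5 40000 30 6000        # ordinary HTTPS traffic
udp 192.0.2.53 53 203.0.113.6 55555 2 300            # a normal DNS answer
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse the whitespace-separated records above, ignoring # comments."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append(Flow(proto, src, int(sport), dst, int(dport), int(pkts), int(nbytes)))
    return flows


def find_reflection(flows, bin_seconds=BIN_SECONDS):
    """Aggregate UDP traffic that comes *from* reflector ports, per victim and
    service, and alert when many distinct sources add up to a high rate."""
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            bucket = agg[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
            bucket["sources"].add(f.src_ip)
            bucket["bytes"] += f.bytes
            bucket["packets"] += f.packets
    alerts = []
    for (victim, service), a in agg.items():
        mbps = a["bytes"] * 8 / bin_seconds / 1e6
        if len(a["sources"]) >= MIN_SOURCES and mbps >= MIN_MBPS:
            alerts.append({
                "victim": victim,
                "service": service,
                "reflectors": len(a["sources"]),
                "mbps": mbps,
                "avg_pkt_bytes": a["bytes"] // a["packets"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reflection(parse_flows(FLOWS)):
        print(alert)
```

The per-packet size is the tell: a legitimate DNS answer is a few hundred bytes, while an amplified one is close to the maximum the reflector will send, and the single NTP source is deliberately left below the source threshold to show that the rule keys on distribution, not on one loud host.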
Protocol attacks (Layer 4). The Goal: Drain the operating system's connection-tracking resources.
In a TCP SYN flood, the botnet sends thousands of SYN packets (usually with spoofed source addresses) and never completes the three-way handshake. The kernel allocates a half-open entry in the listener's SYN backlog for each one and holds it while waiting for an ACK that never arrives; once the backlog is full, SYNs from real clients are dropped. Stateful firewalls and load balancers in front of the server suffer the same way, since each of them also keeps a connection table. SYN cookies are the standard kernel-side mitigation: the server encodes the connection state in its initial sequence number instead of storing it, so a full backlog no longer means real clients are turned away.
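To make the backlog exhaustion concrete, the model below is an added example (not code from the original article) of a listen socket with a deliberately tiny half-open limit, fed a constructed trace of one real client, ten botnet nodes that never finish the handshake, and a second real client. The backlog size, the cookie secret and the addresses are assumptions; a real kernel sizes the backlog from the listen() argument and its own sysctls and rotates the secret. The same model is run twice, without and with SYN cookies, to show why the second client succeeds only in the second run.

```python
import hashlib
import hmac
from collections import Counter

# Added example; constants are hypothetical.
BACKLOG = 8                       # half-open connections the listener will hold
SECRET = b"constructed-secret"    # a real kernel rotates this


def initial_seq(src_ip, src_port):
    """Initial sequence number derived from the client tuple. Used as the ISN in
    normal mode and as the stateless cookie in SYN-cookie mode."""
    digest = hmac.new(SECRET, f"{src_ip}:{src_port}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class Listener:
    """Minimal model of a TCP listen socket's SYN backlog."""

    def __init__(self, backlog=BACKLOG, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}       # (src_ip, src_port) -> ISN sent in our SYN-ACK
        self.dropped_syns = 0
        self.established = 0

    def on_packet(self, src_ip, src_port, flags, ack=None):
        key = (src_ip, src_port)
        if flags == "SYN":
            if key in self.half_open:
                return "retransmit"
            if len(self.half_open) < self.backlog:
                self.half_open[key] = initial_seq(src_ip, src_port)
                return "syn_ack"
            if self.syn_cookies:
                return "syn_ack_cookie"    # still answer, but keep no state
            self.dropped_syns += 1         # backlog full: real clients lose too
            return "dropped"
        if flags == "ACK":
            isn = self.half_open.pop(key, None)
            if isn is None and self.syn_cookies:
                isn = initial_seq(src_ip, src_port)   # recompute, no table needed
            if isn is not None and ack == isn + 1:
                self.established += 1
                return "established"
        return "ignored"


def handshake(ip, port):
    """A well-behaved client: SYN, then an ACK of our ISN + 1."""
    return [(ip, port, "SYN", None), (ip, port, "ACK", initial_seq(ip, port) + 1)]


# Constructed trace: real client, ten silent botnet nodes, second real client.
FLOOD = [(f"198.51.100.{i}", 1000 + i, "SYN", None) for i in range(10)]
TRACE = handshake("203.0.113.10", 40001) + FLOOD + handshake("203.0.113.11", 40002)


def run_trace(packets, syn_cookies=False):
    listener = Listener(syn_cookies=syn_cookies)
    log = [listener.on_packet(*pkt) for pkt in packets]
    return listener, log


def half_open_by_source(listener):
    """Per-source counts: in a distributed flood every entry is 1, which is why
    a single-IP firewall rule cannot help."""
    return Counter(ip for ip, _ in listener.half_open)


if __name__ == "__main__":
    for cookies in (False, True):
        lst, log = run_trace(TRACE, syn_cookies=cookies)
        print(f"syn_cookies={cookies}: established={lst.established} "
              f"dropped={lst.dropped_syns} half_open={len(lst.half_open)}")
```

Without cookies the flood fills all eight slots and the second real client's SYN is dropped; with cookies the listener answers it anyway and validates the returning ACK by recomputing the cookie, so no table entry was needed.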
Application-layer attacks (Layer 7). The Goal: Exhaust the application and its backend (database, cache, search index) rather than the network.
These attacks are stealthier because each request is a well-formed HTTP GET or POST that looks like a real user. Instead of clogging your network interface, the botnet repeatedly calls the most expensive paths in the application, such as a site-wide search or a report export, so that a modest request rate is enough to pin the database or application CPU at 100%. Byte for byte this is the cheapest attack to run and the hardest to tell apart from a genuine traffic spike.
Modern cloud edge protection providers avoid presenting a single large target. Instead, they front customers with a global Anycast network combined with behavioral Web Application Firewalls (WAF).
With Anycast, the same IP prefix is announced via BGP from dozens of data centers worldwide, so each botnet node's packets are routed to the nearest point of presence rather than to one location. This shatters the unified attack: every regional scrubbing node sees only the slice of the botnet closest to it. The scrubbers drop the bad traffic (SYNs that never complete a handshake, reflected UDP from amplifiers, request patterns the WAF classifies as bot behavior) and forward clean, legitimate user traffic to your origin server. The caveat practitioners miss is that this only works if the origin accepts traffic solely from the provider's edge: if the origin's real IP address is discoverable (an old DNS record, an outbound email header), attackers simply bypass the scrubbing layer, so the origin should be firewalled to the provider's published address ranges.
Behind the Scenes: When building modern web apps, the cheapest defense against Application-layer (Layer 7) exhaustion is proactive rate limiting applied before the expensive work happens, either in the reverse proxy configuration (nginx's limit_req_zone and limit_req, for example) or in the application routing middleware. Key the limit on client identity (IP address, API key or session), charge expensive routes more than cheap ones, and return 429 Too Many Requests rather than queueing the work.
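The middleware below is an added example (not code from the original article) that ties the Layer 7 exhaustion pattern above to the rate-limiting advice: a token-bucket limiter keyed on client IP, with a higher cost for the expensive search route, run over a constructed request stream in which a bot behind a trusted proxy hammers /search, a real user browses, and the bot then tries to dodge the limiter by forging X-Forwarded-For from an untrusted peer. The bucket sizes, route costs, trusted proxy range and addresses are all assumptions.

```python
import ipaddress
import time

# Added example; policy numbers, route costs and proxy range are hypothetical.
ROUTE_COST = {"/search": 10, "/api/report": 5}   # expensive backend paths
DEFAULT_COST = 1
CAPACITY = 30             # burst a client may accumulate
REFILL_PER_SEC = 3.0      # sustained budget
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed edge egress


def client_ip(peer_ip, x_forwarded_for=None):
    """Identify the client. X-Forwarded-For is honoured only when the direct
    peer is a trusted proxy; otherwise anyone can forge it and get a fresh
    bucket per request. With one trusted hop, the rightmost entry is the
    address that hop appended (walk further left if you chain more hops)."""
    peer = ipaddress.ip_address(peer_ip)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


class TokenBucketLimiter:
    def __init__(self, capacity=CAPACITY, refill=REFILL_PER_SEC, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill
        self.clock = clock
        self.buckets = {}     # client -> (tokens, last_update)

    def allow(self, client, path):
        cost = ROUTE_COST.get(path, DEFAULT_COST)
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= cost:
            self.buckets[client] = (tokens - cost, now)
            return True
        self.buckets[client] = (tokens, now)    # refuse, but keep the clock
        return False


def middleware(limiter, peer_ip, headers, path):
    """The decision a reverse proxy or routing middleware makes before any
    backend work: 429 for over-budget clients, otherwise pass through."""
    client = client_ip(peer_ip, headers.get("X-Forwarded-For"))
    return 200 if limiter.allow(client, path) else 429


class FakeClock:
    """Deterministic clock so the stream below replays the same way every run."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed request stream: (seconds, peer_ip, headers, path)
BOT = {"X-Forwarded-For": "198.51.100.7"}
REQUESTS = [
    (0.0, "10.1.2.3", BOT, "/search"),
    (0.1, "10.1.2.3", BOT, "/search"),
    (0.2, "10.1.2.3", BOT, "/search"),
    (0.3, "10.1.2.3", BOT, "/search"),
    (0.4, "10.1.2.3", BOT, "/search"),
    (0.5, "203.0.113.5", {}, "/"),                                           # real user
    (0.6, "198.51.100.7", {"X-Forwarded-For": "203.0.113.5"}, "/search"),   # forged header
    (20.0, "10.1.2.3", BOT, "/search"),                                      # bot, after refill
]


def simulate(requests):
    clock = FakeClock()
    limiter = TokenBucketLimiter(clock=clock)
    statuses = []
    for t, peer, headers, path in requests:
        clock.now = t
        statuses.append(middleware(limiter, peer, headers, path))
    return statuses


if __name__ == "__main__":
    print(simulate(REQUESTS))
```

Three searches drain the bucket, the real user is untouched because each client has its own bucket, the forged header is ignored because it arrived from an untrusted peer (so the bot keeps spending its own budget), and the bot only gets through again once the bucket has refilled. The same policy in nginx is a limit_req_zone keyed on $binary_remote_addr with a matching limit_req burst; the per-route cost is the part a proxy cannot express as easily, which is why it often lives in application middleware.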