Security 8 min read

DDoS Attacks Explained: How They Work and How to Protect Your Website

DDoS attacks flood your server with traffic until it crashes. Learn how these attacks work, the different types, and the practical defences that keep your website online.

Eyecay Team

Hosting & Infrastructure, Cayman Islands


A Distributed Denial of Service (DDoS) attack is one of the most disruptive threats a website can face. The concept is brutally simple: overwhelm your server with so much traffic that it cannot serve legitimate visitors. Your website slows to a crawl, then stops responding entirely. For businesses that depend on their website for revenue, leads, or operations, even a few hours of downtime can cause significant financial damage.

DDoS attacks have grown in both frequency and sophistication over the past decade. They are cheaper to launch than ever before, harder to trace, and capable of generating traffic volumes that would overwhelm most unprotected servers in seconds. Understanding how these attacks work is the first step toward defending against them.

What Is a DDoS Attack?

A DDoS attack differs from a simple Denial of Service (DoS) attack in one critical way: it is distributed. Rather than a single source sending malicious traffic, a DDoS attack uses thousands or even millions of compromised devices — collectively called a botnet — to flood the target simultaneously from locations around the world.

These compromised devices are typically computers, servers, IoT devices (cameras, routers, smart home devices), and even mobile phones that have been infected with malware without their owners' knowledge. The attacker controls the botnet through a command-and-control infrastructure, directing all compromised devices to send traffic to the target at the same time.

The distributed nature of the attack makes it extremely difficult to block. You cannot simply blacklist a single IP address when the attack comes from hundreds of thousands of different addresses across dozens of countries. Legitimate traffic and attack traffic become mixed together, making it hard to filter one without affecting the other.

Types of DDoS Attacks

DDoS attacks target different layers of the network stack, and each type requires different mitigation strategies:

Volumetric Attacks

The most common type, volumetric attacks aim to saturate the target's bandwidth — the physical capacity of the network connection to the server. These attacks generate massive amounts of traffic, measured in gigabits per second (Gbps) or packets per second (pps). Common volumetric techniques include UDP floods, ICMP floods, and DNS amplification attacks where the attacker sends small requests to open DNS resolvers that respond with much larger replies directed at the target. Modern volumetric attacks regularly exceed 1 Tbps (terabit per second), far beyond what any single server or even most hosting providers can absorb.

Protocol Attacks

Protocol attacks exploit weaknesses in network protocols (Layer 3 and Layer 4) to consume server resources or the resources of intermediate infrastructure like firewalls and load balancers. SYN floods are the classic example: the attacker sends a massive number of TCP connection requests (SYN packets) without completing the handshake, filling the server's connection table until it cannot accept any new connections — including legitimate ones. Other protocol attacks include Ping of Death, fragmented packet attacks, and Smurf attacks.

Application Layer Attacks

The most sophisticated type, application layer attacks (Layer 7) target specific features of your web application. They mimic legitimate user behaviour — loading pages, submitting forms, making API calls — but at a volume and rate designed to exhaust your server's CPU, memory, or database connections. Because each request looks legitimate in isolation, these attacks are the hardest to detect and filter. HTTP floods, Slowloris attacks (which hold connections open for as long as possible), and attacks targeting resource-intensive endpoints like search pages or login forms are common examples.

Real-World Impact

The consequences of a successful DDoS attack extend well beyond temporary downtime:

  • Revenue loss: E-commerce sites, SaaS platforms, and any business that generates revenue through their website lose money for every minute they are offline. For some businesses, this translates to thousands of dollars per hour.
  • Reputation damage: Customers who cannot access your site lose confidence in your reliability. If downtime becomes a pattern, they look for alternatives.
  • SEO impact: Extended downtime can cause search engines to temporarily or permanently lower your rankings. When Google's crawlers encounter repeated errors they reduce crawl frequency and may de-index affected pages.
  • Distraction for other attacks: DDoS attacks are sometimes used as a smokescreen to distract security teams while attackers carry out a separate, more targeted intrusion — data theft, malware installation, or account compromise.
  • Hosting costs: If your hosting is billed by bandwidth or compute usage, a DDoS attack can generate massive unexpected charges before you have time to respond.

How CDNs and WAFs Protect Against DDoS

A Content Delivery Network (CDN) with built-in DDoS protection is the most effective defence for most websites. Here is why:

A CDN places servers (edge nodes) in data centres around the world. When you route your traffic through a CDN, visitors connect to the nearest edge node rather than directly to your origin server. The CDN absorbs and distributes traffic across its global network, which has orders of magnitude more bandwidth capacity than any single server.

During a DDoS attack, the CDN's distributed infrastructure absorbs the flood of traffic across many locations rather than allowing it to concentrate on your origin server. Attack traffic hitting an edge node in Tokyo does not affect the edge node serving your visitors in Miami.

A Web Application Firewall (WAF), often integrated with the CDN, inspects incoming requests and filters out malicious ones before they reach your server. WAFs use a combination of known attack signatures, rate limiting rules, behavioural analysis, and challenge mechanisms (like CAPTCHAs or JavaScript challenges) to distinguish between legitimate visitors and attack traffic.

Cloudflare, one of the most widely used CDN and DDoS protection providers, reports mitigating attacks exceeding 70 million requests per second. This level of protection is available even on their free plan for basic volumetric attacks, making enterprise-grade DDoS mitigation accessible to businesses of any size.

Rate Limiting and Traffic Shaping

Rate limiting restricts the number of requests a single IP address or user session can make within a given time window. It is particularly effective against application-layer attacks where individual requests look legitimate but arrive at an abnormal rate.

Implement rate limiting at multiple levels:

  • CDN/WAF level: Block or challenge IP addresses that exceed request thresholds. Cloudflare, AWS WAF, and similar services provide configurable rate limiting rules.
  • Web server level: Nginx's limit_req module and Apache's mod_ratelimit can throttle requests before they reach your application.
  • Application level: Implement rate limiting on sensitive endpoints — login pages, API endpoints, search functions, and form submissions — where application-layer attacks typically concentrate.

Be careful not to set rate limits so aggressively that you block legitimate users. A visitor loading a page with 30 images generates 31 requests almost simultaneously — that is normal behaviour, not an attack. Rate limits should target abnormal patterns: hundreds of requests per second from a single source, or rapid sequential requests to expensive endpoints.
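As an added example (not code from the original article), here is an application-level sliding-window limiter in Python that applies the budgets described above: a burst of 31 requests from one page load passes, hundreds of requests per second from one address do not, and /login gets a much tighter budget than static assets. The policy values, paths and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Policies: max requests per sliding window (seconds). Hypothetical values chosen
# for this example: a normal page load (the page plus 30 images, 31 requests) fits
# inside the "static" budget, while an expensive endpoint such as /login gets a
# much smaller one. Tune these against your own traffic before deploying.
POLICIES = {
    "static": (60, 1.0),   # 60 requests per 1 second
    "login": (5, 60.0),    # 5 requests per 60 seconds
}

def policy_for(path):
    """Choose a policy for a request path; /login is the expensive endpoint here."""
    return "login" if path.startswith("/login") else "static"

class SlidingWindowLimiter:
    """Keeps the timestamps of recent requests per (client IP, policy) and rejects a
    request once the window already holds the maximum allowed for that policy."""
    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.history = defaultdict(deque)

    def allow(self, ip, path, now):
        policy = policy_for(path)
        limit, window = self.policies[policy]
        q = self.history[(ip, policy)]
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= now - window:
            q.popleft()
        if len(q) >= limit:
            return False          # over budget: reject or challenge this request
        q.append(now)
        return True

def simulate(limiter, ip, path, count, start, duration):
    """Send `count` requests evenly spread over `duration` seconds beginning at
    `start` (a constructed traffic pattern); return how many the limiter allowed."""
    allowed = 0
    for i in range(count):
        t = start + duration * i / count
        if limiter.allow(ip, path, t):
            allowed += 1
    return allowed

if __name__ == "__main__":
    lim = SlidingWindowLimiter()
    print("page load:", simulate(lim, "203.0.113.10", "/img/", 31, 0.0, 0.0))  # 31 allowed
    print("flood:", simulate(lim, "203.0.113.99", "/", 500, 0.0, 1.0))          # 60 allowed
    print("logins:", simulate(lim, "203.0.113.42", "/login", 20, 0.0, 20.0))    # 5 allowed
```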

Cloudflare Protection: A Practical Guide

Cloudflare is the most accessible DDoS protection option for small and medium businesses because it offers meaningful protection on its free plan. Here is how to configure it effectively:

  • Proxy your DNS: Ensure your DNS records are proxied through Cloudflare (orange cloud icon) rather than DNS-only. Proxied records hide your origin server's IP address and route traffic through Cloudflare's network where it can be filtered.
  • Enable "Under Attack" mode when needed: This mode presents a JavaScript challenge to all visitors before allowing them through. It adds a brief delay for legitimate users but effectively blocks most automated attack traffic. Use it during active attacks and disable it when the attack subsides.
  • Configure firewall rules: Block traffic from countries you do not serve, challenge suspicious user agents, and rate limit endpoints that are frequently targeted.
  • Hide your origin IP: If your origin server's real IP address is known, attackers can bypass Cloudflare by targeting it directly. Change your origin IP after setting up Cloudflare, and ensure it is not leaked through email headers, API responses, or historical DNS records.
  • Enable Bot Fight Mode: Available on all plans, this feature automatically challenges traffic from known bot networks.

What to Do During an Active Attack

If your website is currently under a DDoS attack, here is a prioritised response plan:

  • Confirm the attack: Check server logs and monitoring dashboards. A sudden spike in traffic from many different IP addresses, particularly to specific endpoints, indicates a DDoS rather than a legitimate traffic surge or server misconfiguration.
  • Activate DDoS protection: If you are behind Cloudflare or a similar CDN, enable "Under Attack" mode immediately. If you are not behind a CDN, contact your hosting provider — they may be able to implement upstream filtering or null-route attack traffic at the network level.
  • Communicate with stakeholders: Notify your team, your hosting provider, and affected customers. Transparency during incidents builds more trust than silence.
  • Monitor and adapt: Attackers often change tactics during an attack. Monitor your traffic patterns and adjust your filtering rules as the attack evolves.
  • Document everything: Record timestamps, traffic patterns, and actions taken. This documentation is valuable for post-incident analysis, insurance claims, and potential law enforcement reporting.
  • Post-attack hardening: After the attack subsides, review what worked and what did not. Implement permanent protections — CDN, rate limiting, origin IP hiding — so you are better prepared for the next one.
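An added example (not part of the original article) of the "confirm the attack" step: it parses constructed combined-format access log lines, computes per-minute volume, distinct source count and endpoint concentration, and separates a likely DDoS from a legitimate surge or a single misbehaving client. The baseline rate, the thresholds, the paths and the 203.0.113.0/24 addresses are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Matches the start of a combined-format line, e.g. (constructed):
# 203.0.113.7 - - [10/May/2025:12:01:07 +0000] "GET /search?q=x HTTP/1.1" 200 512 ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^:]+:\d+:\d+):\d+ [^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def parse(line):
    """Return (ip, minute, path) or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, minute, target = m.groups()
    return ip, minute, target.split("?", 1)[0]      # query string is not part of the endpoint

def window_stats(lines):
    """Per minute: request volume, distinct source IPs and the share of the busiest path."""
    per_min = defaultdict(lambda: {"ips": Counter(), "paths": Counter()})
    for line in lines:
        rec = parse(line)
        if rec:
            ip, minute, path = rec
            per_min[minute]["ips"][ip] += 1
            per_min[minute]["paths"][path] += 1
    stats = {}
    for minute, s in per_min.items():
        total = sum(s["ips"].values())
        top_path, top_n = s["paths"].most_common(1)[0]
        stats[minute] = {"requests": total, "distinct_ips": len(s["ips"]),
                         "top_path": top_path, "top_share": top_n / total}
    return stats

def classify_window(st, baseline, spike=5, few_sources=3, per_ip=3.0, concentration=0.6):
    """baseline is the site's usual requests per minute (assumed known from monitoring);
    the other thresholds are assumptions for this example, not universal values."""
    if st["requests"] < baseline * spike:
        return "normal"
    if st["distinct_ips"] <= few_sources:
        return "single-source: check for a runaway client or misconfiguration"
    if st["top_share"] >= concentration and st["requests"] / st["distinct_ips"] >= per_ip:
        return "likely DDoS: many sources concentrated on " + st["top_path"]
    return "traffic surge: many sources spread across paths"

def sample(minute, n_ips, reqs_per_ip, paths):
    """Constructed log lines: n_ips addresses in 203.0.113.0/24 (documentation range),
    each making reqs_per_ip requests in the given minute, rotating through paths."""
    return [f'203.0.113.{i + 1} - - [10/May/2025:{minute}:00 +0000] '
            f'"GET {paths[(i + j) % len(paths)]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
            for i in range(n_ips) for j in range(reqs_per_ip)]
```

Run `classify_window` over each minute returned by `window_stats` with your own baseline; the "likely DDoS" verdict is the case where per-source rate limiting on the named endpoint is the next move.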

Prevention Is Cheaper Than Recovery

The best time to implement DDoS protection is before an attack, not during one. Onboarding a CDN, configuring a WAF, and implementing rate limiting are straightforward tasks that can be completed in an afternoon. The cost — often free for basic protection — is negligible compared to the cost of downtime, emergency response, and reputation damage.

If your website is a meaningful part of your business, DDoS protection is not optional. It is infrastructure — as fundamental as your server, your SSL certificate, and your backups. The threats are real, the tools are available, and the cost of inaction is measurable.

Frequently Asked Questions

Yes. DDoS attacks are not limited to large enterprises. Small and medium businesses are frequently targeted because they typically have weaker defences. Attack motivations vary — competitors, disgruntled former employees, extortion attempts, or simply being caught in a broad automated attack that targets thousands of sites indiscriminately. DDoS-for-hire services (sometimes called "booter" or "stresser" services) are available for as little as $10 per attack, putting an attack within reach of almost anyone with a grudge. The barrier to launching an attack is far lower than most business owners realise.

Basic DDoS protection is available for free through services like Cloudflare, which offers meaningful protection against volumetric attacks on its free plan. This is sufficient for most small and medium business websites. For sites that require guaranteed uptime, faster mitigation response, or protection against more sophisticated application-layer attacks, paid plans from Cloudflare, AWS Shield, or dedicated DDoS mitigation providers range from $20 per month to several thousand per month depending on the level of protection and support required. The cost should be weighed against the cost of downtime for your specific business.

First, confirm it is actually a DDoS attack and not a legitimate traffic spike or server misconfiguration — check your server logs for patterns of repeated requests from many different IP addresses. If you are not already behind a CDN with DDoS protection (like Cloudflare), sign up immediately — you can onboard during an active attack by changing your DNS nameservers. Enable "Under Attack" mode if available, which adds a challenge page for all visitors. Contact your hosting provider, as they may be able to null-route malicious traffic at the network level. If the attack targets specific URLs or endpoints, implement rate limiting on those paths. Document everything for potential law enforcement reporting.

Worried About DDoS?

We configure DDoS protection, CDN integration, and WAF rules for businesses that need their websites to stay online no matter what. Let us harden your infrastructure before an attack happens.
