What Is a DDoS Attack and How to Protect Against It

BeoHosting Team · 9 min read

What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is an attempt to make a site or online service unavailable by flooding it with a huge amount of fake traffic. Imagine thousands of people trying to enter a small shop at the same time - real customers cannot get in because the door is blocked. In the same way, a DDoS attack overwhelms your server with requests so that legitimate visitors cannot reach your site.

The word "Distributed" is key - the attack does not come from one source but from thousands or millions of compromised devices (a botnet) around the world. This makes blocking harder, since you cannot simply block a single IP.

Types of DDoS attacks

Volumetric attacks (Layer 3/4)

These attacks try to flood your server or network infrastructure with massive data volumes. The goal is to consume all available bandwidth so legitimate traffic cannot get through.

  • UDP Flood: Sends huge volumes of UDP packets to random server ports. The server burns resources trying to process every packet.
  • ICMP Flood (Ping Flood): Floods the server with ICMP echo request packets. Simple but effective for smaller sites.
  • DNS Amplification: Uses open DNS servers to amplify the attack - a small request generates a large response sent to the victim.

Protocol attacks (Layer 3/4)

These attacks exploit weaknesses in network protocols to exhaust server resources or network equipment like firewalls and load balancers.

  • SYN Flood: Sends a massive volume of TCP SYN requests without completing the handshake. The server holds half-open connections that consume memory.
  • Ping of Death: Sends malformed or oversized packets that can crash the server.
  • Smurf Attack: Uses broadcast addresses to amplify ICMP traffic to the victim.

Application attacks (Layer 7)

The most sophisticated attack type, targeting web applications. These attacks mimic legitimate traffic and are hard to distinguish from real visitors.

  • HTTP Flood: Sends legitimate HTTP GET or POST requests in huge volumes. Each request looks normal, but together they overload the server.
  • Slowloris: Opens many connections to the server and holds them open by sending incomplete requests. The server keeps all connections active until resources run out.
  • Application-specific attacks: Target specific site functions - search, login, API endpoints - that require more server resources to process.

How to recognize a DDoS attack?

DDoS attacks manifest through several symptoms you should recognize as early as possible:

  • Site is extremely slow: Pages load far slower than usual or cannot load at all.
  • Server is unavailable: You get 502 Bad Gateway, 503 Service Unavailable, or timeout errors.
  • Unusual traffic spike: Analytics shows a huge visit spike that cannot be explained by normal reasons.
  • High CPU/RAM on the server: Server resources are at 100% with no obvious reason.
  • Requests from unusual locations: If your site targets the United Kingdom or Europe and you suddenly receive thousands of visits from China or Brazil, that is suspicious.

Protection via Cloudflare

Cloudflare is the most prominent DDoS protection service and is available with a free plan that covers basic protection.

How Cloudflare protects your site

Cloudflare acts as an intermediary between your site and visitors. All traffic passes through the Cloudflare network with more than 300 data centers worldwide. Malicious traffic is filtered before it reaches your server.

  • Anycast network: Distributes the attack across many locations instead of all traffic hitting one server.
  • WAF (Web Application Firewall): Filters malicious requests at the application layer.
  • Rate Limiting: Limits the number of requests from one IP within a time window.
  • Bot Management: Uses machine learning to distinguish legitimate visitors from bots.
  • Under Attack Mode: A special mode that shows a JavaScript challenge page before access, blocking most automated attacks.

Setting up Cloudflare

  • Create a free account at cloudflare.com.
  • Add your domain and change nameservers at the registrar to Cloudflare nameservers.
  • Turn on "Proxy" status (orange cloud) for all DNS records you want to protect.
  • Set SSL mode to "Full (strict)" for HTTPS encryption.
  • Configure Security Level to "Medium" or "High" for sensitive sites.

Hosting-level protection

A quality hosting provider is your first line of defense against DDoS. What to look for:

  • Network firewall: A hardware firewall that filters malicious traffic before it reaches the server.
  • DDoS mitigation: Automatic DDoS detection and blocking at the network level.
  • Account isolation: On shared hosting, CloudLinux/CageFS ensures an attack on one account does not affect others.
  • ModSecurity/WAF: A Web Application Firewall at the server level that protects against Layer 7 attacks.
  • Rate limiting: Limiting the number of connections per IP at the web server (LiteSpeed/Apache).
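
The per-IP rate limiting mentioned here and in the Cloudflare list can be sketched as a sliding window. This is an added example, not Cloudflare's, LiteSpeed's or Apache's implementation; the class name, the limits and the sample events are assumptions made up for illustration.

```python
from collections import deque

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key within `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = {}  # key -> deque of accepted request timestamps

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        # Drop timestamps that have left the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: the caller answers 429 or drops
        q.append(now)
        return True

    def prune(self, now):
        """Forget idle clients so the table stays bounded when many
        distinct source addresses show up during a flood."""
        idle = [k for k, q in self.hits.items()
                if not q or now - q[-1] >= self.window]
        for k in idle:
            del self.hits[k]
        return len(idle)

def replay(events, limit=3, window=10):
    """Feed (timestamp, ip) events to a fresh limiter; return the rejected ones."""
    lim = SlidingWindowLimiter(limit, window)
    return [(t, ip) for t, ip in events if not lim.allow(ip, t)]

# Constructed sample: one client bursts while another browses normally.
EVENTS = [(0, "203.0.113.10"), (1, "203.0.113.10"), (2, "198.51.100.7"),
          (2, "203.0.113.10"), (3, "203.0.113.10"), (4, "203.0.113.10"),
          (9, "198.51.100.7"), (11, "203.0.113.10")]

if __name__ == "__main__":
    print(replay(EVENTS))
```

Because a botnet spreads its requests over many addresses, a per-IP limit like this one only caps what each single source can do; it complements the network-level filtering above rather than replacing it.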

Additional protective measures

At the application level

  • CAPTCHA on forms: Prevents automated form submissions. Google reCAPTCHA or hCaptcha are free options.
  • Login rate limiting: Limit the number of login attempts (Wordfence for WordPress, Fail2ban on the server).
  • Caching: Cached pages consume far fewer resources per request, which makes your site more attack-resistant. Learn more in our site speed guide.
  • Disable XML-RPC: On WordPress sites, xmlrpc.php is a common attack target. Disable it if you do not use it.

At the server level

  • Fail2ban: Automatically blocks IPs showing malicious behavior (too many failed logins, too many requests).
  • iptables/nftables rules: Set basic rules to block obviously malicious traffic.
  • TCP SYN cookies: Kernel-level protection against SYN Flood attacks.
  • Connection limits: Limit the maximum number of concurrent connections per IP.
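
To check whether the half-open connections left by a SYN flood are piling up on a Linux server, you can count sockets in the SYN_RECV state. The following is an added example, not part of the original article; it parses the text format of /proc/net/tcp (IPv4 only, little-endian host assumed), and the function names and the sample table are constructed for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # state code for a half-open (SYN received) connection

def hex_to_ipv4(h):
    """Decode the little-endian hex address used in /proc/net/tcp on x86 hosts."""
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))

def half_open_by_source(proc_net_tcp_text, port):
    """Count SYN_RECV entries per remote address for one local port."""
    counts = Counter()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, remote, state = fields[1], fields[2], fields[3]
        if state != SYN_RECV or int(local.split(":")[1], 16) != port:
            continue
        counts[hex_to_ipv4(remote.split(":")[0])] += 1
    return counts

# Constructed sample in /proc/net/tcp layout (columns after "st" shortened).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0050 00000000:0000 0A 00000000:00000000
   1: 0A00000A:0050 057100CB:C001 03 00000000:00000000
   2: 0A00000A:0050 057100CB:C002 03 00000000:00000000
   3: 0A00000A:0050 076433C6:D431 01 00000000:00000000
   4: 0A00000A:0050 097100CB:C003 03 00000000:00000000
"""

if __name__ == "__main__":
    counts = half_open_by_source(SAMPLE, 80)
    print("half-open total:", sum(counts.values()), dict(counts))
```

On a live server, pass the contents of /proc/net/tcp instead of the sample. Source addresses in a SYN flood are often spoofed, so the total is usually a better signal than any single address.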

What to do during a DDoS attack?

  • Do not panic: Most DDoS attacks last from a few minutes to a few hours. They rarely last longer than a day.
  • Activate Cloudflare Under Attack Mode: If you use Cloudflare, enable this mode immediately.
  • Contact your hosting provider: Notify them of the attack - they can apply additional measures at the network level.
  • Analyze logs: Inspect access logs to identify attack patterns (IP ranges, user-agent strings, targeted URLs).
  • Document the attack: Record start time, duration, attack type, and actions taken for future reference.
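
For the "Analyze logs" step, the sketch below ranks source ranges, user-agent strings and targeted URLs in a web server access log. It is an added example, not part of the original article; it assumes the Combined Log Format used by default in Apache and LiteSpeed, and the sample lines are constructed with documentation IP addresses.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Combined Log Format:
# ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def triage(lines, top=3):
    """Rank source ranges, user-agents and targeted paths in access-log lines."""
    ranges, agents, paths = Counter(), Counter(), Counter()
    parsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it
        try:
            # Group by /24 (IPv4) or /48 (IPv6) to see ranges, not single hosts.
            prefix = 48 if ":" in m["ip"] else 24
            net = ip_network(f'{m["ip"]}/{prefix}', strict=False)
        except ValueError:
            continue  # first field was a hostname, not an address
        parsed += 1
        ranges[str(net)] += 1
        agents[m["agent"]] += 1
        # Drop the query string so requests differing only in parameters group.
        paths[f'{m["method"]} {m["path"].split("?", 1)[0]}'] += 1
    return {"parsed": parsed, "ranges": ranges.most_common(top),
            "agents": agents.most_common(top), "paths": paths.most_common(top)}

# Constructed sample lines, not real traffic.
T = "[01/Jan/2025:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.10 - - {T} "GET /?s=a1 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    f'203.0.113.11 - - {T} "GET /?s=b2 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    f'203.0.113.12 - - {T} "GET /?s=c3 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    f'203.0.113.10 - - {T} "POST /xmlrpc.php HTTP/1.1" 200 90 "-" "python-requests/2.31"',
    f'198.51.100.7 - - {T} "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {T} "GET /?s=shoes HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    "truncated line without the expected fields",
]

if __name__ == "__main__":
    for name, rows in triage(SAMPLE).items():
        print(name, rows)
```

The ranked output is also a convenient record for the documentation step: it captures which ranges, clients and URLs dominated the traffic at the time of the attack.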

Conclusion

DDoS attacks are a reality of the modern internet, and no site is fully immune. However, with the right protections - Cloudflare, quality hosting, WAF, and basic security practices - you can significantly reduce risk and minimize attack impact. Prevention is always cheaper than cure - put protections in place before you need them. See also our complete site protection guide.

BeoHosting Team

10+ years of experience — Web hosting and infrastructure specialists