
When the Internet Goes Silent: The Many Flavors of Denial of Service Attacks

Scott Morrison, November 15, 2025

Tags: denial of service, DDoS, cybersecurity, botnets, amplification attacks, network security, CDN, blackhole routing, FastNetMon, internet infrastructure
Denial of Service attacks aren't all distributed botnets and amplification chaos, but understanding the different types and how to defend against them is critical for keeping the internet running. From simple floods to sophisticated reflection attacks, here's what you need to know about the digital equivalent of parking dump trucks in front of every entrance to a building.

Let me start with a pet peeve: Denial of Service (DoS) does not automatically mean Distributed Denial of Service (DDoS). A DoS attack is any attack that makes a service unavailable to its intended users. It can come from a single source, a handful of sources, or yes, thousands of distributed sources. When people say "DoS" and mean "DDoS," they're technically being imprecise, and in the world of network engineering, precision matters. A kid with a single compromised server running a flood script is doing DoS. A botnet of 100,000 IoT devices hitting your infrastructure? That's DDoS, and it's a whole different beast.

The Taxonomy of "Please Stop Hitting Yourself"

DoS attacks come in more flavors than an artisanal ice cream shop, and understanding the differences helps you defend against them.

Volume-based attacks are the simplest to understand: send so much traffic that you overwhelm the target's bandwidth. These are your UDP floods, ICMP floods, and other "spray and pray" techniques. They're crude, but if someone sends 100 Gbps at your 10 Gbps connection, physics wins and your connection dies.

Protocol attacks exploit weaknesses in layers 3 and 4 of the OSI model. SYN floods are the classic example: an attacker sends thousands of TCP SYN packets, usually with spoofed source addresses, to initiate connections but never completes the handshake, leaving your server with a listen backlog full of half-open connections and no room to accept legitimate ones. It's like someone calling your business, waiting for you to say hello, then staying silent until you hang up, over and over, tying up all your phone lines. These attacks don't need much bandwidth; they're measured in packets per second, not gigabits, which is why a pure bandwidth threshold can miss them.

Application layer attacks are the sneakiest because they look almost legitimate. These target layer 7, sending requests that appear normal but are crafted to consume maximum resources. An HTTP flood might request the same dynamic page over and over, forcing your database to run expensive queries. Or an attacker might request a large file repeatedly, exhausting your server's ability to serve it. These are harder to detect because they mimic real user behavior, just at scale and with malicious intent, and because the traffic volume is often small enough that nothing at the network layer looks wrong. The defense has to live in the application: rate limits keyed by client, weighted by how expensive each request actually is.
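Here is an added example of the application-layer rate limiting just described: a cost-weighted sliding-window limiter in Python, written for this article rather than taken from any project. Expensive endpoints cost more budget than static assets, so a client looping on a dynamic page is cut off long before a normal user is. The endpoint costs, budget, window, client addresses and log lines are all constructed assumptions.

```python
import time
from collections import deque

# Per-endpoint cost, so one request for an expensive dynamic page burns
# budget faster than one static asset fetch. Costs, budget and window are
# assumptions chosen for this example, not values from the article.
ENDPOINT_COST = {"/search": 10, "/report": 25}
DEFAULT_COST = 1


class ClientLimiter:
    """Cost-weighted sliding-window limiter keyed by client (IP, session or API key)."""

    def __init__(self, budget=100, window_s=10.0, max_tracked=100_000):
        self.budget = budget          # cost units allowed per window per client
        self.window_s = window_s
        self.max_tracked = max_tracked
        self.history = {}             # key -> [deque of (timestamp, cost), running total]

    def _prune(self, entry, now):
        """Drop requests that have aged out of the window and fix up the total."""
        q = entry[0]
        while q and now - q[0][0] > self.window_s:
            entry[1] -= q.popleft()[1]

    def _evict_idle(self, now):
        # Bound memory: a flood of spoofed or rotating keys must not make the
        # limiter itself the resource that runs out.
        for key in list(self.history):
            self._prune(self.history[key], now)
            if not self.history[key][0]:
                del self.history[key]

    def allow(self, key, path, now=None):
        """Return True if the request fits the client's remaining budget."""
        now = time.monotonic() if now is None else now
        entry = self.history.get(key)
        if entry is None:
            if len(self.history) >= self.max_tracked:
                self._evict_idle(now)
            if len(self.history) >= self.max_tracked:
                return False          # fail closed rather than grow without bound
            entry = self.history[key] = [deque(), 0]
        self._prune(entry, now)
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        if entry[1] + cost > self.budget:
            return False              # caller answers 429 or drops the connection
        entry[0].append((now, cost))
        entry[1] += cost
        return True


def replay(limiter, log_lines):
    """Replay constructed access-log lines of the form 'timestamp client path'
    and return {client: (allowed, rejected)}."""
    counts = {}
    for line in log_lines:
        ts, client, path = line.split()
        allowed, rejected = counts.get(client, (0, 0))
        if limiter.allow(client, path, now=float(ts)):
            counts[client] = (allowed + 1, rejected)
        else:
            counts[client] = (allowed, rejected + 1)
    return counts


# Constructed log: one client hammering /search 30 times in 1.5 seconds,
# one ordinary user fetching 20 static assets spread over 8 seconds.
SAMPLE_LOG = (
    [f"{i * 0.05:.2f} 198.51.100.7 /search" for i in range(30)]
    + [f"{i * 0.4:.2f} 192.0.2.10 /static/app.js" for i in range(20)]
)


if __name__ == "__main__":
    print(replay(ClientLimiter(), SAMPLE_LOG))
```

With the defaults, the looping client gets ten searches through and is refused the other twenty, while the ordinary user is never touched. Keying on source IP alone is weak against a botnet, where each bot stays under its own budget; pair this with a global concurrency cap per expensive endpoint so the sum of many polite-looking clients still can't exhaust the database.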

Botnets: When Toasters Attack

Here's where DDoS really earns its name. A botnet is a collection of compromised devices, often numbering in the tens or hundreds of thousands, all controlled by a single entity. These aren't sophisticated servers; they're your IoT devices, compromised home routers, old Windows machines that never got patched, and yes, occasionally actual toasters with IP addresses.

The Mirai botnet in 2016 was a wake-up call. It compromised hundreds of thousands of IoT devices using default credentials (seriously, change your defaults, people) and used them to launch massive attacks. The beauty, from an attacker's perspective, is that each device only needs to send a little bit of traffic. When you multiply that by 100,000 devices, suddenly you're generating hundreds of gigabits of attack traffic, and no single source looks particularly suspicious.

Amplification: When the Internet Becomes Your Weapon

Amplification attacks are particularly elegant in their nastiness. The attacker doesn't send traffic directly to you. Instead, they send small requests to legitimate servers with your IP address spoofed as the source, and those servers respond to you with much larger responses. It's like mailing someone a postcard that says "send me your complete works" and giving someone else's address as the return address.

DNS amplification was one of the first widely used techniques. Send a small DNS query for a large TXT record (or an ANY query), spoof the source IP to be the victim, and the DNS server happily sends a response 50 times larger to the victim. Multiply this across thousands of open DNS resolvers, and you've got yourself a significant problem. The whole technique depends on the attacker's network letting spoofed source addresses out; networks that implement BCP 38 egress filtering can't be used to launch it, which is why the anti-spoofing nagging from network engineers never stops.

The Dyn attack in October 2016 showed how devastating botnet-scale traffic can be. Dyn, a major managed DNS provider, was hit with an assault estimated at up to 1.2 Tbps, launched largely from Mirai-infected devices and aimed at its authoritative DNS servers rather than reflected off open resolvers. Twitter, Netflix, Reddit, GitHub and many others went dark not because they were attacked directly, but because their DNS was hosted at Dyn and clients could no longer resolve their names. The internet had a very bad day.

Then came memcached amplification in 2018, which made previous attacks look quaint. Memcached, an in-memory cache that was never meant to face the internet, listened on UDP by default, and a tiny request could elicit a response roughly 50,000 times larger. Yes, you read that right. Send 15 bytes, get 750 KB back. GitHub got hit with 1.35 Tbps using this technique, at the time the largest attack ever recorded. The fix was as unglamorous as the vulnerability: firewall port 11211 from the internet and disable UDP, which memcached soon did by default.

The Unfortunate Truth: You Can't Block Physics

Here's the part nobody wants to hear: when you're under a large-scale DDoS attack, you can't really "stop" it in the traditional sense. If someone is sending 500 Gbps at your 10 Gbps connection, no amount of filtering at your router is going to help; the pipe is full before packets even reach your filtering logic.

The real solution is scale and absorption. You need more bandwidth than the attacker can muster, and you need to distribute the load across enough infrastructure that the attack becomes a rounding error. This is why major cloud providers and CDNs can shrug off attacks that would completely obliterate a single-homed network.

CDNs like Cloudflare, Akamai, and Fastly have become critical infrastructure not just for performance, but for DDoS mitigation. They scrub attack traffic as close to the edge as possible, filtering out malicious requests before they reach your origin servers. When you're present in 200+ points of presence globally, spreading an attack across that footprint makes it manageable.

Blackhole Communities: The Nuclear Option

When an attack is too large to handle, sometimes the best option is to make the target disappear entirely. BGP blackhole communities, the mechanism behind Remotely Triggered Black Hole (RTBH) filtering, let you tell upstream providers "stop routing traffic to this IP address entirely."

It works through BGP communities, special tags attached to route advertisements. When you advertise a route with a blackhole community tag to your upstream provider, they null-route that traffic, dropping it at their edge before it ever crosses the link to you and consumes your bandwidth. RFC 7999 defines a well-known BLACKHOLE community (65535:666) for exactly this, though many providers still use their own value, and nearly all of them only accept host routes (a /32 or /128), so you can't accidentally blackhole a whole prefix. It's the network equivalent of "if we can't defend it, let's make sure the attacker can't hit it either."

The downside is obvious: that address is still down, just now by your choice rather than the attacker's. But at least you're not paying for gigabits of attack traffic, and because you blackholed a single host route, the rest of your prefix and your other services stay online.
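As an added illustration, not taken from the article or from any provider's documentation, here is what announcing a blackhole for one host looks like in an FRR configuration. The ASNs, neighbor and prefix addresses are RFC 5737 documentation values, the community is the RFC 7999 well-known BLACKHOLE value, and the route-map and prefix-list names are made up for this fragment; the rest of the BGP session configuration is omitted.

```text
! Well-known BLACKHOLE community from RFC 7999. Many transit providers use
! their own value (typically <their ASN>:666) instead; check their community docs.
bgp community-list standard BLACKHOLE permit 65535:666
!
! Only host routes on this list ever get the tag.
ip prefix-list BLACKHOLE-HOSTS seq 10 permit 203.0.113.10/32
!
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list BLACKHOLE-HOSTS
 set community 65535:666 additive
!
! Outbound policy toward transit: our normal aggregate plus tagged /32s, nothing else.
ip prefix-list OUR-AGGREGATE seq 10 permit 203.0.113.0/24
route-map TRANSIT-OUT permit 10
 match ip address prefix-list OUR-AGGREGATE
route-map TRANSIT-OUT permit 20
 match community BLACKHOLE
!
! The host route to Null0 is what gets redistributed. Adding it triggers the
! blackhole; removing it lifts the blackhole once the attack subsides.
ip route 203.0.113.10/32 Null0
!
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 address-family ipv4 unicast
  network 203.0.113.0/24
  redistribute static route-map STATIC-TO-BGP
  neighbor 192.0.2.1 route-map TRANSIT-OUT out
 exit-address-family
```

Two checks before you rely on this in anger: confirm with the provider which community value and which prefix lengths they accept, and test the announcement on a spare address during business hours, so the first time you learn the provider silently drops untagged /32s isn't at 3 a.m. under attack.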

Detection and Mitigation Tools

FastNetMon has become a popular tool for detecting DDoS attacks in real time. It analyzes network traffic using various methods (NetFlow, sFlow, port mirroring), aggregates it per destination host, and raises an alert when packet or bandwidth rates cross thresholds that indicate an attack is underway. The beauty of FastNetMon is that it can automatically trigger mitigation actions, like announcing a blackhole route to your routers via BGP or activating your DDoS mitigation provider.

The key is detection speed. The faster you know you're under attack, the faster you can respond. Modern DDoS mitigation is about automation; you don't have time to manually analyze traffic patterns when you're being hit with 100 Gbps.
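To make the detection-and-classification step concrete, here is an added example in Python that is not FastNetMon's code and not from the article: a toy flow analyzer that aggregates NetFlow-style records per destination over one window, flags targets over a packet or bandwidth threshold, tells a SYN flood (the protocol attack from the taxonomy above) apart from UDP reflection (the amplification attacks above) by looking at TCP flags and reflector source ports, and picks a mitigation. The thresholds, link capacity, reflector port list, addresses and flow records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as encoded in the NetFlow/sFlow tcp_flags field
TCP_SYN = 0x02
TCP_ACK = 0x10

# UDP source ports commonly abused for reflection/amplification (assumed list)
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (constructed for this example)."""
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0  # only meaningful for proto == "tcp"


@dataclass
class Alert:
    target: str
    kind: str           # "syn_flood", "udp_amplification" or "volumetric"
    pps: float
    mbps: float
    sources: int
    detail: str


def detect(flows, window_s=5, pps_threshold=50_000, mbps_threshold=500):
    """Aggregate one window of flows per destination and classify anything over
    threshold. Thresholds are assumptions; real deployments tune them per host group."""
    per_target = defaultdict(list)
    for f in flows:
        per_target[f.dst].append(f)

    alerts = []
    for target, tflows in per_target.items():
        pkts = sum(f.packets for f in tflows)
        octets = sum(f.octets for f in tflows)
        pps = pkts / window_s
        mbps = octets * 8 / window_s / 1_000_000
        if pps < pps_threshold and mbps < mbps_threshold:
            continue  # ordinary load, no alert

        sources = {f.src for f in tflows}
        # SYN flood signature: TCP packets carrying SYN without ACK, i.e. handshakes never completed
        syn_only = sum(f.packets for f in tflows
                       if f.proto == "tcp" and (f.tcp_flags & TCP_SYN) and not (f.tcp_flags & TCP_ACK))
        # Amplification signature: UDP whose *source* port is a reflector service
        reflected = sum(f.octets for f in tflows if f.proto == "udp" and f.sport in REFLECTOR_PORTS)

        if pkts and syn_only / pkts > 0.9:
            kind, detail = "syn_flood", f"{syn_only} SYN-only packets from {len(sources)} sources"
        elif octets and reflected / octets > 0.8:
            services = sorted({REFLECTOR_PORTS[f.sport] for f in tflows
                               if f.proto == "udp" and f.sport in REFLECTOR_PORTS})
            kind, detail = "udp_amplification", f"reflected via {', '.join(services)} from {len(sources)} reflectors"
        else:
            kind, detail = "volumetric", "no dominant protocol signature"
        alerts.append(Alert(target, kind, pps, mbps, len(sources), detail))
    return alerts


def choose_mitigation(alert, link_capacity_mbps=10_000):
    """Automated response: a /32 blackhole if the attack would saturate the uplink,
    otherwise divert the host route to scrubbing. Capacity is an assumption."""
    if alert.mbps >= link_capacity_mbps * 0.8:
        return ("blackhole", f"{alert.target}/32")
    return ("divert_to_scrubbing", f"{alert.target}/32")


def sample_flows():
    """Constructed 5-second window: a spoofed SYN flood at .10, DNS reflection
    at .20 and a little legitimate HTTPS traffic at .30."""
    flows = []
    for i in range(2000):   # 2000 spoofed sources, 200 SYN-only packets of 40 bytes each
        flows.append(Flow(f"100.64.{i // 256}.{i % 256}", "203.0.113.10", "tcp",
                          1024 + i, 443, packets=200, octets=8000, tcp_flags=TCP_SYN))
    for i in range(250):    # 250 open resolvers answering queries the victim never sent
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.20", "udp",
                          53, 30000 + i, packets=500, octets=1_500_000))
    for i in range(50):     # ordinary established sessions
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.30", "tcp",
                          40000 + i, 443, packets=30, octets=20000, tcp_flags=TCP_SYN | TCP_ACK))
    return flows


if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert, choose_mitigation(alert))
```

Note that the two attacks trip different thresholds: the SYN flood is only about 26 Mbps but 80,000 packets per second, while the reflection attack is a modest 25,000 packets per second but 600 Mbps. A detector that watches bandwidth alone misses the first, and one that watches packet rate alone misses the second, which is why both counters matter.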

Working With the Good Guys

This is where I want to talk about the real work being done to make the internet safer. My friend Tom Scholl, who I've had the honor of working with, is doing incredible work in this space. Amazon and AWS have been working with the US Department of Justice to take down DDoS-for-hire services at the source. As detailed in their announcement, they're not just defending against attacks, they're working to eliminate the infrastructure that makes these attacks possible in the first place.

This is what actually moves the needle. You can have all the mitigation in the world, but if DDoS-as-a-service sites continue to operate freely, offering attacks for $20, the problem never goes away. Taking these services down, arresting the operators, and making it clear that this isn't a victimless crime, this is what makes the internet better for everyone.

The DOJ has been increasingly aggressive about prosecuting DDoS operators and the infrastructure that supports them. When you combine law enforcement action with technical mitigation, you start to change the calculus for attackers. It's no longer just a game with no consequences.

Defense in Depth

There's no single solution to DDoS. The best defense is layered: have enough bandwidth and infrastructure to absorb small to medium attacks, use a CDN to distribute and scrub traffic at the edge, implement rate limiting and connection limiting at the application layer, use services like FastNetMon for rapid detection, have blackhole routing ready to deploy when needed, and work with upstream providers who take abuse seriously and will help filter traffic.

Most importantly, you need a plan before you're under attack. In the middle of a 200 Gbps assault is not the time to be figuring out how to contact your upstream provider's NOC or how to configure BGP communities.

The Future of DDoS

Attacks keep getting bigger. The record for the largest attack ever seen is broken almost every year now. As bandwidth increases, as more devices come online, and as new amplification vectors are discovered and exploited before they're patched, the tools available to attackers only grow more powerful.

But the defenders are getting better too. Machine learning is improving detection, global CDN networks are expanding, and cooperation between providers is increasing. The legal framework for prosecuting these crimes is maturing. Organizations like the DOJ, working with companies like Amazon, are showing that there are real consequences for these actions.

The war between attackers and defenders is eternal in the digital realm, but at least we're getting better at fighting back.

I hope you enjoyed this article, and if you didn't please don't DDoS me.