DoS and DDoS Attacks — Types, Botnets, and Mitigation Strategies

What Are DoS and DDoS Attacks and Why Do They Matter?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks aim to disrupt the availability of systems, services, or networks. MITRE ATT&CK classifies these under T1498 — Network Denial of Service and T1499 — Endpoint Denial of Service, while NIST SP 800-61 includes DDoS as a major incident category requiring a structured response.

DoS and DDoS attacks aim to make a system, service, or network unavailable to legitimate users by overwhelming it with traffic or exploiting resource exhaustion vulnerabilities. A DDoS attack is simply a DoS attack launched from many sources simultaneously — often thousands or millions of compromised devices forming a botnet.

Understanding DoS and DDoS attacks is essential for several reasons:

• Availability is a core security pillar. The CIA triad (Confidentiality, Integrity, Availability) places availability on equal footing with data protection. A system that is down is a system that has failed its security objectives.
• SOC analysts respond to DDoS incidents, coordinate with ISPs and CDN providers, and must distinguish DDoS traffic from legitimate traffic spikes.
• Certification exams including CompTIA Security+ SY0-701 and CEH v13 cover DoS/DDoS attack categories, specific attack types, botnet architectures, and mitigation techniques in detail.
• DDoS attacks are increasingly common. Cloud platforms, IoT device proliferation, and DDoS-for-hire services have made launching attacks easier than ever. Even small organisations are targets.

This page covers the distinction between DoS and DDoS, the three major attack categories, specific attack techniques, botnet infrastructure, and the layered mitigation strategies that keep services online.

The first time I truly understood DoS attacks was during a home lab exercise where I used hping3 to send a flood of SYN packets at my own test server. Within seconds, the server stopped responding to legitimate connections. Watching a system crumble under a flood of traffic — even from a single source — made the concept visceral. Then I read about the Mirai botnet generating over 1 Tbps of traffic from hundreds of thousands of hacked IoT devices, and I realised that what I saw in my lab was a raindrop compared to the tsunami that real-world defenders face.

Ethical and legal warning: Never launch DoS or DDoS attacks against systems you do not own. Even “testing” a friend’s server without written authorisation is a criminal offence. Launching or participating in DDoS attacks violates the Computer Fraud and Abuse Act (US), Computer Misuse Act (UK), Criminal Code Act 1995 (Australia), and laws in virtually every jurisdiction. Use your own lab environment to learn these concepts.

Quick Answer

A DoS attack floods a target from a single source; a DDoS attack uses thousands to millions of compromised devices (a botnet) to overwhelm the target simultaneously. Attacks fall into three categories: volumetric (bandwidth saturation), protocol (resource exhaustion, e.g. SYN floods), and application layer (expensive request abuse, e.g. Slowloris). Defence requires CDN/scrubbing services, SYN cookies, rate limiting, WAFs, and BCP38 ingress filtering at the ISP level.

What Do Real-World DoS/DDoS Attacks Look Like?

The Cloudflare 2025 DDoS Threat Report recorded attack volumes exceeding 5 Tbps, with attack frequency increasing over 50% year-over-year — confirming that DDoS remains one of the fastest-growing cyber threats.

DoS and DDoS attacks affect organisations of every size, from global enterprises to small businesses.

Scenario	Attack type	Impact
GitHub DDoS (2018)	Memcached amplification attack reaching 1.35 Tbps	Briefly took GitHub offline; mitigated by Akamai scrubbing within 10 minutes
Dyn DNS attack (2016)	Mirai botnet DDoS against DNS provider	Twitter, Netflix, Reddit, Spotify, and dozens of major sites unreachable for hours
Australian census (2016)	DDoS attacks on ABS website during the national census	Census website taken offline, public embarrassment, and delayed data collection
DDoS-for-hire extortion	Attacker sends ransom demand: “Pay 2 BTC or we take your site offline”	Small businesses face downtime, revenue loss, and reputational damage
IoT botnet recruitment	Mirai-variant malware compromises IP cameras and routers with default passwords	Devices become DDoS weapons without their owners knowing
Application layer attack	HTTP flood targeting a specific search API endpoint	Server CPU exhausted by expensive database queries; legitimate users see timeouts

DDoS is not just a nuisance — it causes direct revenue loss, reputational damage, and can serve as a smokescreen for other attacks happening simultaneously.

How Do DoS and DDoS Attacks Work?

NIST SP 800-61 (Computer Security Incident Handling Guide) classifies denial of service as a distinct incident category, requiring specialised detection, escalation, and coordination with upstream providers.

Key Definition

Botnet — a network of compromised devices (computers, IoT cameras, routers) remotely controlled by an attacker via a Command-and-Control (C2) infrastructure. Botnets are the primary engine behind modern DDoS attacks, enabling aggregate traffic volumes that no single machine could generate.

To understand denial of service attacks, think of a restaurant analogy. A DoS attack is like one person standing at the counter, placing fake orders continuously so no real customer can be served. A DDoS attack is like a thousand people flooding into the restaurant at once — each one looks like a normal customer, but collectively they overwhelm the staff, fill every seat, and block the entrance. The restaurant has not been broken into — it has been rendered useless.

DoS vs DDoS

Aspect	DoS (Denial of Service)	DDoS (Distributed Denial of Service)
Source	Single attacking system	Thousands to millions of systems (botnet)
Traffic volume	Limited by attacker’s bandwidth	Massive — aggregate bandwidth of entire botnet
Detection	Easier — single source IP can be blocked	Harder — traffic comes from many legitimate-looking IPs
Mitigation	Block the source IP, rate limit	Requires traffic analysis, scrubbing centres, CDN absorption
Example	SYN flood from one server	Mirai botnet sending traffic from 600,000+ IoT devices

Three Categories of DDoS Attacks

DDoS attacks target different layers of the network stack and require different defences:

Category	OSI layers targeted	Goal	Example attacks
Volumetric attacks	Layer 3-4 (Network/Transport)	Saturate bandwidth — fill the pipe with junk traffic	UDP flood, ICMP flood, DNS amplification, NTP amplification
Protocol attacks	Layer 3-4 (Network/Transport)	Exhaust server or network device resources (connection tables, CPU)	SYN flood, Ping of Death, Smurf attack, fragmented packet attacks
Application layer attacks	Layer 7 (Application)	Exhaust server resources by triggering expensive operations	HTTP flood, Slowloris, RUDY (R-U-Dead-Yet), DNS query flood

Volumetric attacks are measured in bits per second (Gbps/Tbps). Protocol attacks are measured in packets per second (Mpps). Application layer attacks are measured in requests per second (RPS) and are the hardest to mitigate because each request looks like legitimate traffic.

Step-by-Step: How Major DDoS Attacks Work

SYN Flood (Protocol Attack)

The SYN flood exploits the TCP three-way handshake. The attacker sends thousands of SYN packets with spoofed source IP addresses. The server responds with SYN-ACK to each and waits for the final ACK — which never arrives because the source IPs are fake. Each half-open connection consumes memory in the server’s connection table. When the table is full, the server cannot accept any new legitimate connections.

Defence: SYN cookies allow the server to respond to SYN packets without allocating memory until the handshake is complete. The server encodes connection state into the SYN-ACK sequence number, only allocating resources when a valid ACK returns.

DNS Amplification (Volumetric Attack)

The attacker sends small DNS queries to open DNS resolvers with the source IP spoofed to be the victim’s IP. The DNS resolver sends the much larger response to the victim. A 60-byte query can generate a 4,000-byte response — an amplification factor of ~65x. By using thousands of DNS resolvers, the attacker transforms their modest bandwidth into a massive flood directed at the victim.

Defence: Rate limiting DNS responses, blocking spoofed source IPs (BCP38/BCP84 ingress filtering), and using anycast DNS infrastructure that absorbs distributed query loads.

NTP Amplification (Volumetric Attack)

Similar to DNS amplification, NTP amplification abuses the monlist command on misconfigured NTP servers. A small request (~234 bytes) triggers a response listing up to 600 recent clients — a response that can be over 100 times larger than the request. With source IP spoofing, all responses are directed at the victim.

Defence: Disable the monlist command on NTP servers (use noquery in ntp.conf), upgrade to NTP versions that have removed monlist, and apply BCP38 ingress filtering.

Slowloris (Application Layer Attack)

Slowloris does not flood the server with traffic. Instead, it opens many HTTP connections and sends partial HTTP headers very slowly, keeping each connection open as long as possible. The server waits for each request to complete, holding a connection slot open. Once all available connections are occupied by Slowloris, no legitimate users can connect. This requires very little bandwidth from the attacker.

Defence: Web servers with event-driven architectures (nginx) are inherently resistant because they handle thousands of concurrent connections efficiently. Timeout configurations, connection limits per source IP, and reverse proxy deployment mitigate Slowloris against vulnerable servers like Apache.

HTTP Flood (Application Layer Attack)

The attacker sends a high volume of legitimate-looking HTTP GET or POST requests to resource-intensive endpoints. For example, hitting a search page with complex queries that trigger expensive database operations. Each request individually looks normal, making it extremely difficult to distinguish attack traffic from real users.

Defence: Web Application Firewalls (WAFs) with rate limiting, CAPTCHA challenges for suspicious traffic patterns, CDN caching to absorb GET floods, and application-level rate limiting on expensive endpoints.

Botnets and Command-and-Control (C2)

Modern DDoS attacks are launched from botnets — networks of compromised devices controlled by an attacker through a Command-and-Control infrastructure. The Mirai botnet (2016) compromised IoT devices (cameras, routers, DVRs) by scanning for devices using default credentials (admin/admin, root/root). At its peak, Mirai controlled over 600,000 devices.

Botnet C2 architectures include:

• Centralised C2 — Bots connect to a single server for commands. Easy to control but vulnerable to takedown.
• Peer-to-peer C2 — Bots communicate with each other in a mesh. Resilient to takedowns but harder to coordinate.
• Domain generation algorithms (DGA) — Bots generate pseudo-random domain names to find their C2 server, making it difficult for defenders to block.

DDoS-for-hire services (also called “booter” or “stresser” services) rent botnet capacity to anyone willing to pay, often for as little as $10-50 per attack. This commoditisation means that even unsophisticated attackers can launch significant DDoS attacks.

How Do DDoS Attacks Fit Into a Security Architecture?

DDoS Attacks Mapped to the OSI Model

Visual Explanation

DDoS Attack Types by OSI Layer

Different attack categories target different layers — each requires different defences

Pause

Layer 7 — Application

HTTP flood, Slowloris, RUDY, API abuse

Layer 6 — Presentation

SSL/TLS exhaustion attacks (SSL flood)

Layer 5 — Session

Telnet and SSH brute force floods

Layer 4 — Transport

SYN flood, UDP flood, TCP state exhaustion

Layer 3 — Network

ICMP flood, IP fragmentation, Smurf attack

Layer 2-1 — Data Link and Physical

MAC flooding, bandwidth saturation

Idle

DDoS Mitigation Pipeline

Visual Explanation

DDoS Mitigation Pipeline

How traffic flows through multiple defence layers from edge to origin server

Pause

Edge Network

First line of defence

Anycast routing

BGP traffic distribution

Geographic load balancing

Scrubbing Centre

Filter malicious traffic

Traffic analysis

Known-bad IP filtering

Rate limiting per source

CDN and WAF

Application protection

Cache static content

Bot detection

CAPTCHA challenges

Origin Shield

Final filtering

SYN cookie validation

Connection rate limits

Application rate limits

Origin Server

Clean traffic only

Serves legitimate users

Monitors for anomalies

Auto-scales if needed

Idle

What Does DDoS Mitigation Look Like in Practice?

Akamai’s State of the Internet report consistently ranks DDoS as the most frequent attack type against web-facing infrastructure, with DNS amplification and SYN floods remaining the most commonly observed techniques.

Understanding SYN Flood with hping3 (Lab Only)

# hping3 — packet crafting tool for understanding SYN floods
# ONLY use in your own lab against your own test server

# Send SYN packets to port 80 at maximum speed with random source IPs
sudo hping3 -S -p 80 --flood --rand-source 192.168.1.100

# Flags explained:
# -S         = Set SYN flag (initiates TCP handshake)
# -p 80      = Target port 80 (HTTP)
# --flood    = Send as fast as possible (no waiting for replies)
# --rand-source = Randomise source IP (simulates spoofed IPs)

# Monitor the target server's connection state:
# On the target machine:
netstat -an | grep SYN_RECV | wc -l
# A rapidly increasing count of SYN_RECV connections confirms the flood

# To see SYN cookies in action (if enabled):
cat /proc/sys/net/ipv4/tcp_syncookies
# 1 = enabled (server handles SYN flood without filling connection table)

Detecting DDoS with tcpdump and netstat

# Monitor incoming traffic patterns for DDoS indicators

# Count connections per source IP (find top talkers)
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20
# A single IP with thousands of connections is suspicious

# Monitor SYN packets in real time
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0' -c 1000 | \
  awk '{print $3}' | sort | uniq -c | sort -rn | head -10
# Rapid SYN packets from many sources = potential SYN flood

# Check for UDP flood
sudo tcpdump -i eth0 udp -c 500 | awk '{print $3}' | sort | uniq -c | sort -rn | head -10

# Monitor bandwidth usage
iftop -i eth0
# Sudden spikes in inbound traffic may indicate volumetric DDoS

Configuring Basic DDoS Mitigation with iptables

# Basic Linux firewall rules for DDoS mitigation
# These are starting points — production environments use dedicated solutions

# Enable SYN cookies (kernel-level SYN flood protection)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Limit new TCP connections per source IP (30 per minute)
sudo iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 30 -j DROP

# Rate limit ICMP (prevent ICMP flood)
sudo iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 1/s --limit-burst 4 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Drop invalid packets (often seen in protocol attacks)
sudo iptables -A INPUT -m state --state INVALID -j DROP

# Limit connections per source IP to 100
sudo iptables -A INPUT -p tcp -m connlimit --connlimit-above 100 -j REJECT

# Log dropped traffic for analysis
sudo iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

Cloudflare / CDN Protection Concept

# Production DDoS mitigation typically uses CDN or scrubbing services
# Cloudflare, Akamai, AWS Shield, or Azure DDoS Protection

# How CDN-based DDoS mitigation works:
# 1. DNS points to CDN (e.g., Cloudflare) instead of origin server
# 2. CDN's global anycast network absorbs volumetric attacks
# 3. CDN's WAF filters application-layer attacks
# 4. Only clean traffic reaches your origin server

# Verify your site is behind Cloudflare:
dig +short example.com
# Should return Cloudflare IPs, not your origin server IP

# Check HTTP headers for CDN presence:
curl -I https://example.com 2>/dev/null | grep -i "cf-ray\|server\|x-cdn"
# cf-ray header = Cloudflare is proxying the request

Understanding LOIC (Conceptual Only)

# LOIC (Low Orbit Ion Cannon) — a well-known DDoS tool
# Referenced here for educational context ONLY — do NOT download or use it

# LOIC was used by hacktivist groups (Anonymous) in early DDoS campaigns
# It sends massive volumes of TCP, UDP, or HTTP requests to a target
# Key characteristic: it does NOT spoof the attacker's IP address
# This means LOIC users are easily identified and prosecuted

# Why you should never use LOIC (or any DDoS tool) against others:
# 1. It is illegal — criminal penalties include imprisonment
# 2. Your IP is logged — you WILL be identified
# 3. Many "free DDoS tools" are themselves malware that compromise your system
# 4. Legitimate testing uses authorised tools in controlled environments

# For learning: use hping3 in your own lab, study DDoS in CTF challenges,
# and read incident reports from Cloudflare, Akamai, and AWS Shield

What Are the Limitations of DDoS Defence?

NIST SP 800-189 (Resilient Interdomain Traffic Exchange) acknowledges that no single organisation can fully mitigate large-scale DDoS attacks independently — effective defence requires coordination across ISPs, CDN providers, and scrubbing services.

Factor	Limitation	How to handle it
Volumetric scale	Modern DDoS attacks exceed 1 Tbps — no single server or network can absorb this	Use CDN/scrubbing services with globally distributed capacity (Cloudflare, Akamai, AWS Shield)
Application layer detection	HTTP floods look like legitimate traffic — each request is valid individually	Behavioural analysis, CAPTCHA challenges, rate limiting per session, and machine learning-based detection
Cost of mitigation	Enterprise DDoS protection is expensive; small businesses may not afford dedicated scrubbing	Free tiers from Cloudflare provide basic protection; cost-benefit analysis of downtime vs mitigation investment
Collateral damage	Aggressive rate limiting or IP blocking may affect legitimate users, especially behind NAT or VPNs	Use graduated responses: CAPTCHA before blocking, whitelist known-good IPs, monitor false positive rates
Encryption overhead	HTTPS traffic cannot be inspected by scrubbing centres without TLS termination	Terminate TLS at the CDN edge and re-encrypt to origin; accept the trust trade-off with your CDN provider
IoT botnet growth	Billions of insecure IoT devices provide an ever-growing pool of DDoS resources	Industry-level response needed: ISP filtering (BCP38), IoT security standards, botnet takedown coordination

A common beginner misconception is that “just blocking IPs” stops DDoS attacks. When attack traffic comes from hundreds of thousands of unique IP addresses — each sending only a few requests — IP-based blocking is impractical. Modern DDoS mitigation requires traffic analysis, pattern recognition, and massive absorption capacity.

What Interview Questions Should You Expect About DoS/DDoS?

DDoS attacks are covered in CompTIA Security+ SY0-701 (Domain 2 — Threats, Vulnerabilities, and Mitigations) and CEH v13, with questions spanning attack classification, botnet architectures, and layered mitigation strategies.

DoS/DDoS questions test your understanding of availability threats and network defence — core knowledge for SOC and infrastructure security roles.

Q1: What is the difference between DoS and DDoS?

Strong answer: “A DoS (Denial of Service) attack comes from a single source and aims to make a system unavailable. A DDoS (Distributed Denial of Service) attack achieves the same goal but uses many sources simultaneously — typically a botnet of thousands or millions of compromised devices. DDoS is harder to mitigate because you cannot simply block one IP address, and the aggregate bandwidth can be massive.”

Q2: What are the three categories of DDoS attacks?

Strong answer: “Volumetric attacks saturate the network bandwidth with massive traffic volume — measured in Gbps. Examples include UDP floods and DNS amplification. Protocol attacks exhaust server or network device resources like connection tables — measured in packets per second. SYN floods are the classic example. Application layer attacks target specific application functions with legitimate-looking requests that trigger expensive operations — measured in requests per second. HTTP floods and Slowloris are examples. Each category requires different mitigation strategies.”

Q3: How does a DNS amplification attack work?

Strong answer: “The attacker sends small DNS queries to open DNS resolvers with the source IP spoofed to be the victim’s IP. The DNS resolver sends the much larger response to the victim instead of the attacker. Because a small query can generate a response 50-70 times larger, the attacker amplifies their bandwidth significantly. By using thousands of resolvers simultaneously, the attacker creates a massive volumetric flood directed at the victim using relatively little of their own bandwidth.”

Q4: Your monitoring shows a sudden spike in traffic and users are reporting the website is slow. How do you determine if it is a DDoS attack or a legitimate traffic surge?

Strong answer: “I would analyse the traffic patterns. Legitimate surges typically show normal geographic distribution, varied user agents, and requests to diverse pages. DDoS indicators include traffic concentrated from unusual geographies, uniform request patterns (same URL, same headers), a high ratio of new connections to established connections, and traffic that does not match normal user behaviour. I would check top source IPs for known botnet addresses, review the ratio of SYN to established connections for SYN flood indicators, and look for amplification signatures like unusually large DNS responses. If confirmed as DDoS, I would engage our CDN provider’s DDoS mitigation and escalate according to our incident response plan.”

How Is DDoS Handled in Real Security Operations?

The ACSC (Australian Cyber Security Centre) publishes specific guidance on preparing for and responding to denial-of-service attacks, emphasising that DDoS preparedness must be established before an incident occurs, not during one.

Day-One SOC Scenarios

As a new SOC analyst, DDoS incidents require rapid detection, classification, and coordinated response:

• DDoS alert triage. Network monitoring tools detect bandwidth anomalies. You classify the attack type (volumetric, protocol, or application layer) because each requires different mitigation. Check if your CDN/scrubbing service is already absorbing the traffic or if manual intervention is needed.
• Coordinating with ISP and CDN. Large volumetric attacks may require upstream mitigation — your ISP can null-route attack traffic or your CDN can activate enhanced scrubbing. SOC analysts often serve as the coordination point between internal teams and external providers during an active incident.
• DDoS as a smokescreen. Sophisticated attackers sometimes use DDoS to distract the security team while conducting a more targeted intrusion elsewhere. During any DDoS incident, maintain monitoring for other suspicious activity — unusual login attempts, data exfiltration, or privilege escalation.
• Post-incident analysis. After the attack subsides, analyse traffic logs to characterise the attack, identify any infrastructure weaknesses exposed, and update DDoS response runbooks.

Australian Context

The Australian Cyber Security Centre (ACSC) provides guidance on DDoS preparedness and response for Australian organisations. The 2016 Australian Bureau of Statistics Census website outage — caused in part by DDoS attacks — highlighted the impact of denial-of-service on critical national services and led to significant investment in government digital infrastructure resilience.

The ASD Essential Eight does not directly address DDoS but the broader ISM (Information Security Manual) includes controls for network availability and resilience. Organisations operating under the Security of Critical Infrastructure Act (SOCI Act) have specific obligations around system resilience and incident reporting that encompass DDoS attacks against critical infrastructure.

Australia’s position as a major target for cybercrime — identified in annual ACSC threat reports — means that DDoS attacks against Australian financial services, government portals, and e-commerce platforms are regular events. Understanding DDoS mitigation is practical knowledge for any security role in the Australian market.

ISPs operating under Australian regulations are increasingly implementing BCP38 source address validation to reduce their networks being used as DDoS amplification sources, aligning with international best practices for DDoS prevention at the network infrastructure level.

Summary and Key Takeaways

DoS and DDoS attacks threaten the availability pillar of security, and their increasing scale and sophistication make them a persistent challenge for organisations of every size.

• DDoS uses distributed sources. The shift from single-source DoS to botnet-powered DDoS means that attacks can generate traffic volumes exceeding 1 Tbps — far beyond what any single server can absorb.
• Three attack categories require different defences. Volumetric attacks need bandwidth absorption (CDN/scrubbing), protocol attacks need stateful inspection and SYN cookies, and application layer attacks need behavioural analysis and rate limiting.
• Amplification multiplies attacker power. DNS and NTP amplification allow attackers to generate massive traffic volumes from modest bandwidth by abusing open resolvers and the asymmetry between small requests and large responses.
• Botnets are the engine of DDoS. The Mirai botnet demonstrated that millions of insecure IoT devices create an enormous, persistent DDoS capability. IoT security is a DDoS prevention issue.
• CDN and scrubbing services are essential. Production DDoS mitigation requires globally distributed infrastructure that can absorb and filter traffic at the network edge before it reaches your origin servers.
• DDoS can be a distraction. Sophisticated adversaries may use DDoS to overwhelm the security team while conducting targeted intrusions. Maintain situational awareness during any DDoS event.
• Prevention starts at the infrastructure level. BCP38 ingress filtering, IoT security standards, and responsible DNS resolver configuration reduce the amplification resources available to attackers.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Related

• Networking Basics for the TCP/IP fundamentals that DDoS attacks exploit
• IDS Evasion for understanding how attackers evade the detection systems used to identify DDoS traffic
• Incident Response for the structured approach to handling DDoS and other security incidents

Frequently Asked Questions

What is the difference between DoS and DDoS?

DoS (Denial of Service) comes from a single source; DDoS (Distributed Denial of Service) comes from many sources simultaneously, typically a botnet. DDoS attacks are much harder to mitigate because traffic arrives from thousands or millions of unique IP addresses, each sending relatively few requests, making simple IP blocking ineffective.

What is a botnet?

A botnet is a network of compromised devices (computers, IoT devices, servers) controlled remotely by an attacker through a Command-and-Control (C2) infrastructure. The individual compromised devices are called bots or zombies. Botnets are used to launch DDoS attacks, send spam, mine cryptocurrency, and conduct other malicious activities at scale.

What is DNS amplification?

DNS amplification is a volumetric DDoS technique where the attacker sends small DNS queries to open resolvers with the victim's IP address spoofed as the source. The resolver sends the much larger response to the victim. With amplification factors of 50-70x, a small amount of attacker bandwidth generates massive traffic directed at the victim.

What is a SYN flood?

A SYN flood sends thousands of TCP SYN (connection initiation) packets with spoofed source IPs. The target server responds with SYN-ACK to each and allocates memory for the half-open connection, waiting for the final ACK that never arrives. When the connection table fills up, the server cannot accept legitimate connections. SYN cookies are the primary defence.

What is Slowloris?

Slowloris is an application layer DoS attack that opens many HTTP connections to a web server and keeps them open by slowly sending partial HTTP headers. The server holds each connection open waiting for the request to complete, eventually exhausting its connection pool. It requires very little bandwidth, making it effective from a single machine.

How do CDN services like Cloudflare mitigate DDoS?

CDN services use a globally distributed network of edge servers with massive aggregate bandwidth capacity. DNS routes traffic to the nearest edge server (anycast). The CDN absorbs volumetric traffic across its entire network, filters malicious requests using traffic analysis and WAF rules, and only forwards clean traffic to the origin server. This effectively distributes the attack across infrastructure designed to handle it.

Is launching a DDoS attack illegal?

Yes. Launching or participating in a DDoS attack is illegal in virtually every jurisdiction. In Australia, it violates the Criminal Code Act 1995. In the US, it violates the Computer Fraud and Abuse Act. In the UK, the Computer Misuse Act. Even using DDoS-for-hire services (booters or stressers) is illegal. Penalties include imprisonment and substantial fines.

What was the Mirai botnet?

Mirai was a malware strain discovered in 2016 that infected IoT devices (IP cameras, routers, DVRs) by scanning for devices using factory default credentials. At its peak, Mirai controlled over 600,000 devices and launched record-breaking DDoS attacks, including the 1.2 Tbps attack against Dyn DNS that disrupted major websites. Mirai's source code was publicly released, spawning many variants.

Can a DDoS attack steal data?

DDoS attacks themselves do not steal data — they disrupt availability. However, DDoS is sometimes used as a smokescreen to distract security teams while a simultaneous data theft attack occurs through other vectors. Additionally, DDoS extortion (ransom DDoS) threatens availability unless payment is made. Always monitor for secondary attacks during a DDoS incident.

Are DoS and DDoS attacks covered on CompTIA Security+ SY0-701?

Yes. CompTIA Security+ SY0-701 covers DoS and DDoS under Domain 2 (Threats, Vulnerabilities, and Mitigations). Topics include attack types (volumetric, protocol, application layer), specific techniques (SYN flood, amplification), botnet architectures, and mitigation strategies. Understanding both the attack mechanisms and the defences is required for the exam.

Related sections

Networking Basics

The TCP/IP fundamentals that underpin DDoS attacks — understanding TCP handshakes, UDP, and ICMP is essential.

Explore Incident Response

The structured approach to detecting, containing, and recovering from DDoS and other security incidents.

Explore IDS Evasion

How attackers evade the intrusion detection systems designed to identify and alert on DDoS traffic patterns.

Explore

More resources

Cloudflare DDoS Learning Centre

Comprehensive and beginner-friendly explanations of DDoS attack types, amplification techniques, and mitigation strategies from a leading CDN provider.

Visit ACSC DDoS Guidance

Australian Cyber Security Centre guidance on preparing for and responding to denial-of-service attacks, tailored for Australian organisations.

Visit NIST SP 800-189 — Resilient Interdomain Traffic Exchange

NIST guidance on BCP38 source address validation and other network-level controls that reduce DDoS amplification attack effectiveness.

Visit

---

Technical content verified in March 2026 against CompTIA Security+ SY0-701 exam objectives, CEH v13 syllabus, Cloudflare 2025 DDoS Threat Report, and ACSC threat advisories.