The different types of DDoS Attacks
As the volume, sophistication and frequency of Distributed Denial of Service (DDoS) attacks grow, knowing how to spot, mitigate and, even better, prevent them is critical. Understanding the different types of DDoS attacks is a great place to start.
What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is a malicious attack aimed at overwhelming a target system (network, server, service) with a flood of traffic. This type of attack can render the target (a service or server) unavailable to legitimate users. The flood of illegitimate traffic from various sources aims to effectively incapacitate the target system.
What are the consequences of DDoS attacks?
The consequences of a DDoS attack go far beyond a temporary outage. Here is how these attacks can affect your business. They can:
Lead to Financial Losses: Every minute of downtime means lost earnings from customers who cannot purchase products or access services on your site. Prolonged or repeated attacks add to massive costs that damage your bottom line.
Hinder Normal Business Operations: Operational delays, canceled orders, and stalled projects harm productivity and satisfaction. When certain services are unavailable during an attack, it becomes challenging to run your business.
Cause Reputational Damage: Customers today expect consistent and reliable digital experiences from companies. A DDoS attack drawing out website downtime reflects poorly on your brand in the eyes of these clients. It may cause them to lose trust in your business and switch to competitors.
Increase Security Risks: When an attack overwhelms your existing security controls, it exposes weaknesses that attackers can exploit further. This elevates the risk of data theft or network infiltration even after the DDoS ends. Sensitive customer data may be stolen through security gaps the attack helps uncover, deepening the damage.
Cause Operational Distractions: Traffic influxes force teams to spend operational and resource bandwidth on the flood. Bad actors are then able to ‘sneak’ in while defenders are distracted.
What are the different types of DDoS attacks?
You can group DDoS attacks based on the targeted Open Systems Interconnection (OSI) layer. Most common attacks happen at the Network (OSI layer 3), Transport (OSI layer 4), and Application (OSI layer 7) layers.
Layer 3 and 4 DDoS attacks
Layers 3 and 4 are the infrastructure layer. Common DDoS attack vectors at these layers include SYN floods, UDP floods, and Internet Control Message Protocol (ICMP) attacks.
Layer 3 is the network layer, responsible for deciding which path data takes through the network. Layer 4 is the transport layer, which provides end-to-end data transfer between hosts; when the Transmission Control Protocol (TCP) is used, it also ensures that data arrives complete and intact.
Attacks targeting these two layers generate massive traffic volume and aim to overload the network's available capacity or group of hosts. The good news is these styles of attacks have clear signatures and are easier to detect and mitigate.
To help see the difference in attacks between these levels, you can use the chart below:
| Attack Type | Description |
| --- | --- |
| ICMP Flood (Ping Flood) | Attackers send excessive ICMP Echo Requests to exhaust network resources. |
| Smurf Attack | Attackers spoof ICMP requests to a broadcast address, causing all devices to reply to the victim. |
| IP Fragmentation Attack | Fragmented IP packets are sent out to exhaust the victim’s reassembly buffers. |
| Volumetric Floods | High-bandwidth traffic (like UDP packets) is used to saturate links. |
| SYN Flood | Attackers send a flood of TCP “handshake” requests without completing connections. This fills up server connection queues. |
| ACK Flood | Attackers send endless TCP ACK packets, overwhelming firewalls and servers, and forcing unnecessary resource processing. |
| UDP Flood | Random ports are bombarded with UDP packets, forcing the victim to repeatedly check for non-existent applications. |
| NTP / DNS Amplification | Attackers use publicly accessible servers to reflect and amplify traffic toward a victim, massively multiplying attack volume. |
What is the difference between layer 3 and 4 DDoS attacks?
While attacks at both layer 3 and layer 4 of the OSI model are volumetric DDoS attacks, they have slightly different strategies. Layer 3 attacks aim to overwhelm all bandwidth and routing capacity in a system or network. Layer 4 attacks deplete server resources by exploiting transport protocols like TCP or UDP.
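The SYN flood in the table above shows up as handshakes that start but never finish. The following is an added detection example, not code from the original article or from Fastly: it counts SYNs against completed handshakes over a constructed packet log, both per source and per destination port, since a spoofed flood sends one SYN from each forged address and only the per-port view reveals it. The sample addresses, thresholds and record format are all assumptions.

```python
from collections import defaultdict

# Constructed sample records, one per packet: (src_ip, dst_port, tcp_flags).
# "S" is a client SYN; "A" is the client's final ACK completing the handshake.
SAMPLE_PACKETS = [
    # A normal client: every SYN is followed by a completing ACK.
    ("203.0.113.5", 443, "S"), ("203.0.113.5", 443, "A"),
    ("203.0.113.5", 443, "S"), ("203.0.113.5", 443, "A"),
    # One aggressive source: six SYNs, only one completed handshake.
    ("198.51.100.7", 443, "S"), ("198.51.100.7", 443, "S"),
    ("198.51.100.7", 443, "S"), ("198.51.100.7", 443, "S"),
    ("198.51.100.7", 443, "S"), ("198.51.100.7", 443, "S"),
    ("198.51.100.7", 443, "A"),
] + [
    # Spoofed flood: forty distinct sources, one SYN each, never completed.
    (f"192.0.2.{i}", 443, "S") for i in range(1, 41)
]


def half_open_stats(packets):
    """Count SYNs and completed handshakes per source and per destination port."""
    by_src = defaultdict(lambda: {"syn": 0, "done": 0})
    by_port = defaultdict(lambda: {"syn": 0, "done": 0})
    for src, port, flags in packets:
        key = {"S": "syn", "A": "done"}.get(flags)
        if key is None:
            continue  # other flags (RST, FIN, data) are not handshake events
        by_src[src][key] += 1
        by_port[port][key] += 1
    return by_src, by_port


def find_syn_flood(packets, min_syns=5, max_completion=0.5):
    """Return (noisy_sources, flooded_ports) where most SYNs never complete.

    The per-source check catches one aggressive client; the per-port check is
    what catches a spoofed flood, where every forged source sends a single SYN.
    Thresholds are assumed values a real deployment would take from its baseline.
    """
    by_src, by_port = half_open_stats(packets)

    def suspicious(c):
        return c["syn"] >= min_syns and c["done"] / c["syn"] <= max_completion

    noisy_sources = sorted(s for s, c in by_src.items() if suspicious(c))
    flooded_ports = sorted(p for p, c in by_port.items() if suspicious(c))
    return noisy_sources, flooded_ports


if __name__ == "__main__":
    print(find_syn_flood(SAMPLE_PACKETS))  # (['198.51.100.7'], [443])
```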
Layer 7 DDoS attacks
An application-layer DDoS attack is a malicious attempt to overwhelm web applications by exploiting Layer 7 of the OSI model. It targets specific application vulnerabilities to disrupt service availability.
Unlike network-layer attacks that flood infrastructure, application-layer attacks overwhelm specific application processes and consume significant computing power on the target. Because the requests are fully formed and mimic legitimate user traffic and patterns, they maximize impact while requiring very little attacker bandwidth. They are the most costly for the target to serve of any DDoS attack, and often the hardest to detect, because the traffic looks legitimate.
| Attack Type | Description | Business Impact |
| --- | --- | --- |
| HTTP Flood | Attackers send a massive number of HTTP GET or POST requests to overwhelm the web server. Requests may appear normal but are designed to consume resources. | High CPU usage, slow responses, or total site outage. |
| Slowloris Attack | Keeps many HTTP connections open by sending partial headers slowly, preventing the server from freeing up resources. | Web server connection pool exhaustion. |
| HTTP Cache-Busting | Sends unique query strings or URLs to bypass caching layers, forcing servers to generate new responses for every request. | Increased origin load and degraded performance. |
| DNS Flood (Application-Level) | Floods DNS resolvers or authoritative servers with requests, exhausting their ability to resolve legitimate queries. | DNS lookup failures and website unavailability. |
| SSL/TLS Exhaustion | Forces repeated SSL/TLS handshakes, consuming CPU resources required for encryption/decryption. | CPU saturation on HTTPS endpoints. |
| API Abuse / Targeted Floods | Overwhelms specific APIs or endpoints with repeated valid calls (e.g., login or search functions). | Database or backend overload, API downtime. |
| WordPress XML-RPC / Pingback Attack | Exploits open WordPress features to send multiple HTTP requests from many sites simultaneously. | Amplified load on web application servers. |
| Bot-Based Application Floods | Uses distributed bots to mimic legitimate browsing patterns, evading rate limits and CAPTCHA checks. | Hard-to-detect degradation of application performance. |
What is the difference between volumetric, protocol and application layer attacks?
Another way to categorize DDoS attacks is by their overarching characteristics or methods, rather than by the layer of the OSI model where they occur. Three common types include volumetric attack, protocol attacks, and application layer attacks:
1. Volumetric Attacks
This method aims to consume a network's bandwidth resources to cause disruption. Attackers generate high volumes of junk traffic to flood links and exhaust bandwidth capacity. Common examples of this approach include UDP floods, which bombard targeted systems with UDP packets, and ICMP floods, which do the same using ICMP ping requests.
2. Protocol Attacks
Protocol attacks attempt to exploit weaknesses in specific network protocols rather than relying on sheer traffic amounts. An example is a SYN flood, where attackers send multiple SYN requests to open connections but never finalize the handshake process. This causes half-open connections to pile up, eating away at available resources. Another example is the Ping of Death attack, which sends fragmented or oversized ICMP packets to crash systems.
3. Application Layer Attacks
At the application layer, attacks target particular services and software vulnerabilities. Examples include HTTP floods and Slowloris attacks. HTTP flood attacks bombard specific ports or URLs with overwhelming requests. Slowloris attacks tie up resources by opening many connections and keeping them open as long as possible but sending minimal data.
What can you do to protect yourself/your org from DDoS attacks?
Understand traffic patterns: The first line of defense is to create a traffic profile. This profile includes what “good” traffic looks like and sets expectations for expected traffic volumes across your network. Monitoring your traffic through this profile allows you to configure rules to accept as much traffic as your infrastructure can handle without impacting your end users.
Use rate limiting: Rate limiting provides a baseline, and you can then put advanced detection methods in place to receive traffic that has been validated by analyzing additional variables. It takes one minor security blip to cause irreparable harm to your network and servers and send your employees through the five emotional stages of a DDoS attack. So do your diligence from the onset.
Minimize exposure: One of the easiest ways to mitigate DDoS attacks is to shrink the surface area that can be attacked, ultimately reducing the options for attackers and enabling you to architect countermeasures and protections in one place. You should ensure that you are not exposing your applications and hosts to ports, protocols, and other applications from which you do not expect communication. In most cases, you can achieve this by placing your infrastructure resources behind a proxy Content Delivery Network (CDN), which restricts direct internet traffic to certain parts of your infrastructure. In other cases, you can use a firewall or Access Control Lists (ACLs) to control traffic reaching specific applications.
Deploy an application-based firewall: If your application has internet access, you get attacked multiple times daily. On average, an application with internet connectivity gets attacked every 39 seconds. A good practice is to use a Web Application Firewall (WAF) against these attacks. WAFs can provide critical visibility that enables rate limiting, where the number of requests a ‘user’ or client can make within a certain period of time is limited. This helps stop abuse (like a DDoS attack) in its tracks.
Scale by design: While not the best solution in isolation, increasing your bandwidth (transit) capacity or server (computational) capacity to absorb and mitigate attacks may be an option. When designing and building your applications, make sure you have redundant connectivity to the internet that allows you to handle spikes in traffic. A common practice is to use load balancing to continually monitor and shift loads between available resources to prevent overloading any one point. Additionally, you can create your web applications with a CDN in mind, providing an additional layer of network infrastructure for serving content often closer to your end-users. Most DDoS attacks are volumetric and consume massive amounts of resources, and your application must scale up or down quickly on computation. The distributed nature of a CDN essentially spreads out the attack to the point that it becomes easily absorbed. CDNs also unlock additional methods to thwart the most sophisticated attacks. Developing an attack profile allows CDNs to remove or slow down malicious traffic. Finally, when using a CDN, the cache can absorb much of the impact of certain attacks by nature of serving the content without it needing to go back to origin - an added layer of security.
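The "understand traffic patterns" and "use rate limiting" steps above fit together: the traffic profile tells you what a normal client does, and the limiter enforces a ceiling above that. This added example is not code from the original article or from Fastly; it is a per-client sliding-window limiter replayed over a constructed request log in which one client runs an HTTP flood with cache-busting query strings. The limit of 100 requests per 10 seconds stands in for a threshold taken from your own profile, and the addresses and paths are constructed.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client key in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # evict requests that have aged out of the window
        if len(q) >= self.limit:
            return False  # over the limit: answer 429 and do not forward to origin
        q.append(now)
        return True


# Constructed request log: (timestamp_seconds, client_ip, path). Not real traffic.
SAMPLE_REQUESTS = [
    # Normal client: 2 requests per second for ten seconds.
    (t * 0.5, "203.0.113.5", "/") for t in range(20)
] + [
    # HTTP flood with cache-busting query strings: 300 requests in three
    # seconds, each URL unique so a cache cannot absorb it.
    (3.0 + i * 0.01, "198.51.100.7", f"/search?q={i}") for i in range(300)
]


def apply_limit(requests, limit=100, window=10.0):
    """Replay a request log through the limiter; return per-client allowed/blocked counts."""
    limiter = SlidingWindowLimiter(limit, window)
    allowed, blocked = defaultdict(int), defaultdict(int)
    for ts, ip, _path in sorted(requests):
        bucket = allowed if limiter.allow(ip, ts) else blocked
        bucket[ip] += 1
    return dict(allowed), dict(blocked)


if __name__ == "__main__":
    print(apply_limit(SAMPLE_REQUESTS))
```

Keying on client IP alone is the simplest choice; behind shared NAT or a proxy you would key on a forwarded client identifier or a session instead, or the limiter will throttle everyone behind that address.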
What are the different types of DDoS mitigation solutions?
Being able to 1) Identify DDoS attacks early, 2) Know how to prevent them and 3) Have solutions in place to mitigate them should be part of any good security program. The chart below provides a complete overview of the attack types, key characteristics and how to prevent them.
| Category | Layer 3/4 DDoS Attacks | Layer 7 DDoS Attacks |
| --- | --- | --- |
| OSI Layers Targeted | Network (Layer 3) and Transport (Layer 4) | Application (Layer 7) |
| Primary Goal | Saturate bandwidth or network infrastructure | Exhaust server, application, or database resources |
| Attack Volume | Extremely high traffic volume (Gbps to Tbps scale) | Typically low to moderate volume, but high complexity |
| Common Attack Types | SYN Flood, UDP Flood, ICMP Flood, Amplification (DNS/NTP) | HTTP Flood, Slowloris, SSL/TLS Exhaustion, API Floods |
| Traffic Characteristics | Raw packets, often spoofed or reflected | Legitimate-looking HTTP/HTTPS requests |
| Detection Difficulty | Easier to identify via traffic anomalies (sudden spikes) | Harder to detect because it mimics real user behavior |
| Typical Targets | Routers, firewalls, load balancers, network interfaces | Web servers, APIs, application logic, and databases |
| Impact | Network congestion, connectivity loss | Service slowdown, application timeouts, complete site crash |
| Mitigation Focus | Network-level filtering, rate limiting, scrubbing centers | Application-layer defenses, WAFs, behavioral analytics |
| Examples of Tools/Defenses | ISP-level DDoS protection, BGP blackholing, cloud scrubbing | Web Application Firewall (WAF), CDN edge protection, bot management, application DDoS Protection |
How Fastly can help
Fastly DDoS Protection deploys rapidly and immediately protects any application from disruptive and distributed attacks. Leveraging our network’s massive bandwidth and adaptive techniques, it automatically keeps you performant and available without any required configuration. Fastly DDoS Protection is best for teams trying to enhance resiliency, create consistency in their cloud spend, or move towards a solution provider that operates more like a partner than just a vendor.
Fastly DDoS Protection works with modern software delivery workflows, not against them, automatically protecting your apps and APIs from disruption. No matter your architecture, you can deploy Fastly’s DDoS Protection to gain speedy, scalable defenses without any upfront tuning – or any required tuning, even as you ship changes on demand. This facilitates better cross-functional work between teams, as security doesn’t impact DevOps’ ability to ship code smoothly to production.
Learn about Fastly's DDoS Protection