If your network connects to the public internet, it will be hit by a DDoS attack. The only questions are how big, how often, and whether you'll stay online when it happens. In 2026, attackers routinely launch terabit-per-second floods using botnets of compromised IoT devices, residential routers, and even cloud VMs.
The good news: defending against DDoS is a well-understood discipline. The bad news: you have to defend against three very different categories of attack, each requiring different tools.
This guide explains what DDoS attacks actually look like, how the three main types work, and what an effective defense looks like.
What Is a DDoS Attack?
DDoS stands for Distributed Denial of Service. The goal is simple: make your service unavailable by overwhelming it — with traffic, with malformed packets, or with expensive requests. "Distributed" means the attack comes from many sources at once, often thousands or millions of compromised devices.
DDoS attacks are categorized by which layer of the network they target:
- Volumetric (Layer 3/4) — flood the pipe.
- Protocol (Layer 3/4) — abuse stateful protocols.
- Application (Layer 7) — overwhelm the application logic.
Volumetric Attacks
The simplest and most common type. Volumetric attacks try to saturate your bandwidth — if your transit link is 10 Gbps and the attacker pushes 50 Gbps, no legitimate packet can squeeze through.
Common Volumetric Techniques
- UDP floods — blast random UDP packets at random ports.
- ICMP floods — flood with ping packets.
- Reflection / amplification — send a small request with a spoofed source IP to a service like DNS, NTP, memcached, or CLDAP. The service replies (much larger) to the victim. Amplification factors can exceed 50,000x for memcached.
- Carpet bombing — instead of hitting one target IP, the attacker spreads traffic across an entire /24, so no single address crosses a per-IP rate limit or detection threshold even though the aggregate still saturates the link.
How to Defend
- Upstream scrubbing — your transit provider absorbs the flood before it reaches your network.
- BGP blackholing — announce the attacked /32 with a community that tells upstream to drop all traffic to it.
- Anycast — distribute your service across many PoPs so no single one is overwhelmed.
- Massive bandwidth headroom — provision far more transit capacity than you'll ever need under normal load; expensive, but it works.
Protocol Attacks
Protocol attacks abuse the way TCP, UDP, and other protocols work to exhaust state on your servers, firewalls, or load balancers — even at relatively low bandwidth.
Common Protocol Techniques
- SYN floods — send a stream of SYN packets, usually with spoofed source addresses, leaving millions of half-open TCP connections that exhaust connection tables.
- ACK floods — send TCP ACK packets with spoofed sources, forcing your firewall to look up nonexistent connections.
- Ping of Death / fragmented packets — send malformed fragments that crash old IP stacks.
- SSDP / DNS / NTP reflection (overlaps with the volumetric category).
How to Defend
- SYN cookies — the OS encodes the connection state in the initial sequence number of its SYN-ACK, so it keeps no half-open connection until the client's final ACK proves the handshake is real.
- Stateful firewalls / scrubbers — inline appliances that track legitimate connections and drop garbage.
- Connection rate limiting — cap connections per source per second.
- BGP FlowSpec — push fine-grained drop rules upstream.
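To make the SYN-cookie bullet concrete, here is an added example (not code from this guide or from Noded) of the classic cookie layout: a time counter, an MSS index and a keyed hash packed into the 32-bit sequence number of the SYN-ACK, and verified from the client's ACK with no stored state. The secret, the MSS table and the 4-tuples are constructed for the demo; real kernels use a randomly generated, rotated key.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # real kernels use a random, periodically rotated key
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit index can represent (simplified)
COOKIE_LIFETIME = 1                   # accept the current and the previous minute counter


def _hash24(saddr, daddr, sport, dport, minute):
    """Keyed hash over the 4-tuple and the time counter, truncated to 24 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{minute}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, minute):
    """Build the 32-bit ISN the server places in its SYN-ACK.

    Layout (Bernstein scheme): 5 bits time counter | 3 bits MSS index | 24 bits hash.
    Nothing is stored on the server: the SYN is answered and forgotten.
    """
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((minute & 0x1F) << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, minute)


def check_cookie(ack_num, saddr, daddr, sport, dport, now_minute):
    """Validate the handshake's final ACK. The client acknowledges ISN+1, so the
    cookie is ack-1. Returns the negotiated MSS, or None if forged or stale.

    The 5-bit counter wraps every 32 minutes, so a cookie older than that could
    alias a fresh one; the short lifetime keeps the window small."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    for age in range(COOKIE_LIFETIME + 1):
        minute = now_minute - age
        if (minute & 0x1F) != (cookie >> 27):
            continue
        if _hash24(saddr, daddr, sport, dport, minute) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 7]
    return None
```

Only an ACK carrying a cookie that re-hashes correctly creates a connection-table entry, so a flood of spoofed SYNs costs the server one SYN-ACK each and no memory.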
Application-Layer (Layer 7) Attacks
The most sophisticated and hardest to detect. Layer 7 attacks send valid-looking requests to your application — but at a rate or pattern designed to exhaust resources.
Common Layer 7 Techniques
- HTTP floods — millions of GET or POST requests to expensive endpoints (search, login, shopping cart).
- Slowloris — open many connections and send HTTP headers a few bytes at a time, keeping every connection open and tying up worker threads.
- Slow POST — send a Content-Length header and then drip the body slowly.
- Cache-busting — append random query strings to bypass CDN caches and hammer the origin.
- API abuse — call expensive APIs in bulk, draining database or compute capacity.
How to Defend
- Web Application Firewall (WAF) — fingerprint and block bad traffic by signature, behavior, or rate.
- Bot detection — JavaScript challenges, browser fingerprinting, CAPTCHA.
- Rate limiting per session — cap per-user request rate.
- Caching aggressively — keep dynamic responses out of the origin path.
- Origin shielding — only allow your CDN/WAF IPs to reach your origin.
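An added example (not code from this guide or from Noded) of the per-session rate limiting described above: a token bucket keyed by session that charges the expensive endpoints (search, login, cart) more per request than cheap pages, and that strips query strings before pricing so cache-busting variants of the same path share one budget. The endpoint costs, capacity and refill rate are constructed values; the clock is injectable so the behaviour can be checked deterministically.

```python
import time

# Constructed per-request cost by endpoint: the expensive endpoints named above burn more
# budget, so a flood aimed at them is cut off sooner than one hitting cheap cached pages.
ENDPOINT_COST = {"/search": 10, "/login": 10, "/cart": 5}
DEFAULT_COST = 1


class SessionLimiter:
    """One token bucket per session key (session cookie, API key, or client IP as fallback).
    Each bucket holds at most `capacity` tokens and refills at `rate` tokens per second."""

    def __init__(self, capacity=60, rate=10.0, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}  # session key -> (tokens, timestamp of last refill)

    def cost_of(self, path):
        # Strip the query string first: cache-busting floods append random parameters,
        # and every variant of /search must be charged the same price.
        return ENDPOINT_COST.get(path.split("?", 1)[0], DEFAULT_COST)

    def allow(self, session, path):
        """Return True if the request fits the session's budget, else False (answer with 429)."""
        now = self.clock()
        tokens, last = self.buckets.get(session, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        cost = self.cost_of(path)
        allowed = tokens >= cost
        self.buckets[session] = (tokens - cost if allowed else tokens, now)
        return allowed


if __name__ == "__main__":
    limiter = SessionLimiter()
    for i in range(8):
        print(f"/search?q={i}", limiter.allow("demo-session", f"/search?q={i}"))
```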
How DDoS Scrubbing Works
Scrubbing is the dominant defense against volumetric and protocol attacks. The flow:
- Detection — flow telemetry (sFlow, NetFlow, IPFIX) detects an anomaly.
- Diversion — BGP route advertisement reroutes traffic for the attacked prefix to a scrubbing center.
- Cleaning — the scrubbing center filters out malicious traffic and forwards only legitimate packets.
- Re-injection — clean traffic flows back to your network through a GRE tunnel or direct cross-connect.
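The detection step above, and the carpet-bombing bullet in the volumetric section, as an added example (not code from this guide or from Noded): it aggregates constructed flow records per /32 and per /24, flags hosts over a per-IP threshold (noting reflector source ports such as NTP and memcached), and catches a /24 whose aggregate is over the limit while no single address is, which is exactly the pattern per-IP thresholds miss. The thresholds, window and flow records are all constructed for the demo; the output is the list of prefixes to divert.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW_SEC = 10                      # flow export interval covered by the sample
PER_IP_LIMIT_BPS = 500_000_000       # constructed threshold: 500 Mbps to any single /32
PER_NET_LIMIT_BPS = 1_000_000_000    # constructed threshold: 1 Gbps to any /24
# UDP source ports of services commonly abused for reflection (see the amplification bullet)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

# Constructed flow records (src, dst, proto, sport, dport, bytes, packets) for one window.
FLOWS = [
    # legitimate web traffic to 192.0.2.9
    ("198.51.100.1", "192.0.2.9", "TCP", 51000, 443, 5_000_000, 4000),
    # reflection flood onto one host: replies arrive from NTP and memcached source ports
    ("198.51.100.20", "192.0.2.5", "UDP", 123, 443, 600_000_000, 450_000),
    ("198.51.100.21", "192.0.2.5", "UDP", 11211, 443, 600_000_000, 430_000),
]
# carpet bombing: 200 hosts in 203.0.113.0/24 each get only 8 Mbps, 1.6 Gbps in total
FLOWS += [(f"198.51.100.{100 + i % 50}", f"203.0.113.{i}", "UDP", 40000 + i, 80, 10_000_000, 7000)
          for i in range(1, 201)]


def bps(byte_count):
    return byte_count * 8 / WINDOW_SEC


def analyze(flows):
    """Return [(prefix, reason)] for prefixes that should be diverted to scrubbing."""
    per_ip, per_net, reflectors = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, dst, proto, sport, dport, nbytes, npkts in flows:
        per_ip[dst] += nbytes
        per_net[str(ip_network(f"{dst}/24", strict=False))] += nbytes
        if proto == "UDP" and sport in REFLECTOR_PORTS:
            reflectors[dst].add(REFLECTOR_PORTS[sport])
    alerts = []
    hot_ips = {ip for ip, b in per_ip.items() if bps(b) > PER_IP_LIMIT_BPS}
    for ip in sorted(hot_ips, key=ip_address):
        reason = "volumetric"
        if reflectors[ip]:
            reason += " via " + ",".join(sorted(reflectors[ip])) + " reflection"
        alerts.append((f"{ip}/32", reason))
    # A /24 over its limit with no single /32 over the per-IP limit is the carpet-bombing
    # pattern: per-IP thresholds never fire, so detection has to aggregate per prefix.
    for net, b in sorted(per_net.items()):
        covered = any(ip_address(ip) in ip_network(net) for ip in hot_ips)
        if bps(b) > PER_NET_LIMIT_BPS and not covered:
            alerts.append((net, f"carpet bombing: {bps(b) / 1e9:.1f} Gbps spread across the /24"))
    return alerts


if __name__ == "__main__":
    for prefix, reason in analyze(FLOWS):
        print(f"divert {prefix}: {reason}")
```

In production the same logic runs over sFlow/NetFlow/IPFIX exports and its output becomes the /32 or /24 announced toward the scrubbing center (or blackholed, if you choose to sacrifice the target).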
Modern scrubbing infrastructures handle multi-Tbps attacks across globally distributed PoPs.
Always-On vs On-Demand
Always-On
All your traffic flows through the scrubber, all the time. Highest protection, slight latency overhead, more expensive.
On-Demand
Traffic flows directly until an attack is detected, then BGP diverts. Cheaper, but the diversion takes 30–120 seconds — during which you may be partially down.
Best practice: always-on for critical services, on-demand for less critical ones.
BGP Blackholing (RTBH)
Remotely Triggered Blackhole is the simplest DDoS response: drop all traffic to the attacked IP. You announce a /32 with a special community (typically 666 or a provider-specific value), and your upstream drops everything destined for that IP.
This stops the attack from saturating your pipe — but it also takes the attacked service completely offline. It's a sacrifice play, useful when only one IP is being targeted and the alternative is the entire network going down.
What to Look for in a DDoS-Protected Provider
- Network capacity — provider must have multi-Tbps scrubbing capacity to handle modern attacks.
- Detection time — under 30 seconds is good, under 10 is excellent.
- Mitigation time — how fast does the scrubber start cleaning?
- Layer 7 protection — pure network scrubbing won't stop HTTP floods.
- Always-on option — for revenue-critical services.
- BGP community support — for blackholing and FlowSpec.
- Reporting — post-attack reports help you understand what happened.
- SLA — uptime guarantees during attacks.
What to Look for in Your Own Network
- BCP 38 / source-address validation — drop outbound packets whose source addresses don't belong to your network, so your hosts can't be used to launch reflection attacks.
- SYN cookie support — turn it on at every public-facing host.
- Sane connection limits — on every load balancer, firewall, and origin server.
- Monitoring and alerting — you need to know an attack is happening.
- Runbooks — predefined steps for common attack types.
DDoS Protection at Noded
Noded includes DDoS protection on every IP transit port, with multi-Tbps scrubbing capacity, BGP blackhole communities, and on-demand diversion. For revenue-critical workloads, we offer always-on scrubbing with sub-10-second mitigation. Combined with our bare metal and VPS hosting, you get end-to-end protection from the network edge to the application.
Worried about an upcoming launch or recurring attacks? Talk to our team — we'll review your traffic profile and recommend the right protection level.
Frequently Asked Questions
How big is a typical DDoS attack in 2026?
Most attacks are still under 10 Gbps, but record-setting attacks now exceed 5 Tbps and 100 million packets per second. Application-layer attacks of millions of requests per second are routine.
Can a CDN protect me from DDoS?
For HTTP traffic, yes — major CDNs absorb most volumetric and many Layer 7 attacks. For non-HTTP services (game servers, custom protocols), you need a dedicated scrubber.
What is the difference between DoS and DDoS?
DoS comes from a single source; DDoS comes from many sources simultaneously. Modern attacks are essentially always distributed.
How long do DDoS attacks last?
Most are short — under 10 minutes — designed as smoke screens or extortion. Some last for days, especially during disputes or politically motivated campaigns.
Is DDoS protection expensive?
It varies. Basic always-on scrubbing typically adds 10–30% to bandwidth costs. Specialized always-on with Layer 7 WAF can be more. The cost of not having it — measured in lost revenue and reputation — is usually far higher.