Offensive Security · Jun 16, 2026 · 11 min read

DDoS attacks: how they work and how to defend

A DDoS attack floods a system with traffic until it goes down. Here is how it works, the main types, and how a company defends itself and prepares to respond.
[Image: A team in an operations center watching a sharp spike in network traffic on an availability dashboard.]

A DDoS attack, short for Distributed Denial of Service, is an attempt to make a system, service, or network unavailable by overwhelming it with traffic. The attacker uses a large number of compromised devices to send requests at the same time, until the target gives way. For any company that does business online, an outage is a direct loss of revenue and trust. A site that will not load during a sale, an application that times out for every customer, a service that drops just as it matters most: this is what a successful DDoS attack looks like from the outside. This post explains how DDoS works, the main types, and how to defend against it.

DDoS is one of the most common ways an online service is knocked offline. We build the detection and response that keep it under control through threat detection and response.

How a DDoS attack works

The attacker controls a network of infected devices, called a botnet, and directs all of them to send requests at the target at once. Legitimate traffic is drowned in the flood of fake traffic, so real users cannot reach the service. The devices in a botnet are rarely owned by the attacker. They are ordinary machines, often poorly secured routers, cameras, and other connected devices, taken over without their owners noticing.

What makes this harder to deal with is that the attack is no longer the preserve of skilled adversaries. DDoS is now sold as a service, so attacks can be launched by people with no technical knowledge at all, for little money and against almost any target. A grudge, a competitor, or extortion can all be the motive. That lowers the bar for who can hit you and means defense cannot depend on being too small to notice.

Types of DDoS attack

Attacks differ by the layer they target, and the distinction matters because each type calls for a different defense. [1]

Type               What it targets
Volumetric         Saturates network bandwidth with a huge volume of traffic.
Protocol           Exhausts server and network-equipment resources, for example a SYN flood.
Application-layer  Targets the applications and services themselves with expensive requests, and is harder to tell apart from legitimate traffic.

The three main types of DDoS attack.

Volumetric attacks are the loudest and the easiest to recognize, because they simply try to fill your connection. Protocol attacks are quieter, exhausting the resources of firewalls, load balancers, and servers rather than the bandwidth. Application-layer attacks are the hardest to handle, because each request can look like something a real user would send, so blunt filtering risks blocking real customers along with the attack.

Signs of an attack

A DDoS attack usually shows up as a sudden, unexplained drop in availability. A service turns slow or stops responding, traffic spikes with no business reason behind it, and the sources of that traffic are unusual or geographically scattered. The earlier you recognize these signs, the sooner you can activate protection, which is why monitoring matters. An attack noticed in its first minutes is far easier to absorb than one discovered when customers start complaining. Treat an unexplained surge as a possible attack, not a sign of success, until you have ruled it out.
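The two signs above that a log can show directly, a request rate far above the recent baseline and traffic from sources that were never seen before, can be checked mechanically. The script below is an added example, not code from the original post or from Raptoric: it parses constructed access-log lines in the common log format, buckets them by minute, compares each minute to the median of the minutes before it, and flags a window only when both the volume and the share of previously unseen source addresses are abnormal. The thresholds SURGE_FACTOR and NEW_SOURCE_RATIO are assumptions to be tuned against your own baseline, and the addresses in the sample are documentation ranges, not real traffic.

```python
"""Flag minutes whose request volume and source mix point to a flood.

Added example, not the post's own code. Log lines are constructed inline;
thresholds are assumptions and must be tuned to a real baseline.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Simplified common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

SURGE_FACTOR = 5.0      # assumption: a window is "loud" at 5x the median of earlier windows
NEW_SOURCE_RATIO = 0.8  # assumption: and "unusual" when 80%+ of its sources are first-timers
MIN_HISTORY = 2         # need at least two earlier windows before judging a baseline


def build_sample_log():
    """Constructed sample, not real traffic: three quiet minutes from a few
    regular clients (TEST-NET-3), then one minute in which volume jumps and
    nearly every request comes from an address never seen before (TEST-NET-2)."""
    lines = []
    regulars = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for minute in range(3):
        for i in range(6):
            ip = regulars[i % len(regulars)]
            lines.append(f'{ip} - - [16/Jun/2026:10:0{minute}:{i * 9:02d} +0000] '
                         f'"GET /products HTTP/1.1" 200 5120')
    for i in range(60):
        ip = f"198.51.100.{i + 1}"
        lines.append(f'{ip} - - [16/Jun/2026:10:03:{i % 60:02d} +0000] '
                     f'"GET /search?q={i} HTTP/1.1" 200 5120')
    return "\n".join(lines)


def detect_surges(log_text, surge_factor=SURGE_FACTOR,
                  new_source_ratio=NEW_SOURCE_RATIO, min_history=MIN_HISTORY):
    """Return one alert dict per minute that is both far above the rolling
    baseline and dominated by source addresses not seen in earlier minutes."""
    windows = defaultdict(list)  # minute (datetime) -> list of source ips
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        windows[ts.replace(second=0, microsecond=0)].append(m["ip"])

    history = []   # request counts of the minutes already processed
    seen = set()   # every source address observed in earlier minutes
    alerts = []
    for minute in sorted(windows):
        ips = windows[minute]
        distinct = set(ips)
        new_ratio = len(distinct - seen) / len(distinct)
        if len(history) >= min_history:
            baseline = statistics.median(history)
            if len(ips) >= surge_factor * baseline and new_ratio >= new_source_ratio:
                alerts.append({
                    "window": minute.isoformat(),
                    "requests": len(ips),
                    "baseline": baseline,
                    "distinct_sources": len(distinct),
                    "new_source_ratio": round(new_ratio, 2),
                })
        history.append(len(ips))
        seen |= distinct
    return alerts


if __name__ == "__main__":
    for alert in detect_surges(build_sample_log()):
        print(alert)
```

Requiring both conditions is deliberate: a marketing campaign also produces a spike, but its visitors tend to overlap with your usual client population and arrive over more than a minute, whereas a flood from a botnet arrives from addresses your service has never served. Treat the output as a trigger for the response plan, not as proof of an attack, and keep the baseline long enough that a single busy minute does not become the new normal.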

How to defend against it

A defense is built before the attack, because once traffic is already flooding in it is too late to start putting protection in place. The goal is to have the absorbing capacity and the decisions made ahead of time, so the response is a matter of execution rather than improvisation.

  1. Protect at the network edge
     Use a CDN and traffic-filtering services that absorb and scrub traffic before it ever reaches you, so the flood is handled upstream.
  2. Rate limiting and filtering
     Set limits on request rates and rules that block obviously malicious traffic, reducing what reaches your applications.
  3. Over-provision the critical paths
     Keep headroom in capacity for the services that must stay up, where that is feasible, so a moderate surge does not take them down.
  4. Prepare a response plan
     Decide in advance who activates protection, who is notified, and how you communicate with customers during an outage.
  5. Monitor traffic
     Watch traffic continuously so you can recognize an attack in its first minutes rather than its first hour.
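Step 2 above is the one most often implemented in application code, so here is an added example of what a request-rate limit does and where it stops helping. It is not code from the original post or from Raptoric. It implements a token-bucket limiter per client address, plus a second, global bucket for an expensive endpoint, and runs a constructed traffic mix through it: one client bursting far above the limit, one client at a normal pace, and a distributed application-layer flood of thirty addresses each sending a single request. The rates, bursts, paths and addresses are all assumptions chosen for the demonstration; in production this logic normally lives at the edge (CDN, WAF or load balancer) rather than in the application.

```python
"""Token-bucket rate limiting per client and per expensive endpoint.

Added example, not the post's own code. All limits, paths and addresses are
constructed for the demonstration.
"""


class TokenBucket:
    """Classic token bucket: `rate` tokens refill per second up to `burst`;
    each allowed request spends one token."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None  # timestamp of the previous call, None until first use

    def allow(self, now):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Per-client limit for every request, plus an optional global limit for
    endpoints whose requests are expensive to serve (assumed paths)."""

    def __init__(self, per_client_rate, per_client_burst, endpoint_limits=None):
        self.per_client_rate = per_client_rate
        self.per_client_burst = per_client_burst
        self.clients = {}  # client ip -> TokenBucket
        self.endpoints = {path: TokenBucket(rate, burst)
                          for path, (rate, burst) in (endpoint_limits or {}).items()}

    def check(self, client_ip, path, now):
        """Return 'allow', 'deny:client' or 'deny:endpoint'."""
        bucket = self.clients.get(client_ip)
        if bucket is None:
            bucket = self.clients[client_ip] = TokenBucket(self.per_client_rate,
                                                           self.per_client_burst)
        if not bucket.allow(now):
            return "deny:client"
        endpoint_bucket = self.endpoints.get(path)
        if endpoint_bucket is not None and not endpoint_bucket.allow(now):
            return "deny:endpoint"
        return "allow"


def run_simulation():
    """Constructed traffic mix; returns allow/deny counts per scenario."""
    limiter = RateLimiter(per_client_rate=2.0, per_client_burst=5,
                          endpoint_limits={"/search": (10.0, 10)})  # assumed limits
    counts = {}

    def record(name, verdict):
        key = f"{name}_{'allowed' if verdict == 'allow' else 'denied'}"
        counts[key] = counts.get(key, 0) + 1

    # One client hammering /products at 100 requests per second for 0.2 s.
    for i in range(20):
        record("burst", limiter.check("203.0.113.7", "/products", 0.01 * i))
    # A normal client: one request per second for five seconds.
    for t in range(5):
        record("steady", limiter.check("203.0.113.8", "/products", float(t)))
    # Distributed application-layer flood: 30 addresses, one /search each,
    # all at the same instant. Per-client buckets see nothing unusual;
    # only the endpoint bucket caps the load on the expensive path.
    for i in range(30):
        record("flood", limiter.check(f"198.51.100.{i + 1}", "/search", 10.0))
    return counts


if __name__ == "__main__":
    for key, value in sorted(run_simulation().items()):
        print(f"{key}: {value}")
```

The third scenario is the caveat the post's table points at: an application-layer flood spread across many addresses stays under any per-client limit, so rate limiting needs a budget on the expensive paths themselves, and even that only protects the application while the upstream filtering absorbs the volume. The limiter drops requests above the budget rather than queueing them, because a queue under sustained flood simply moves the exhaustion from the server to the queue.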

None of these steps works in isolation. Edge protection without monitoring leaves you blind to whether it is holding. A response plan without rehearsed roles falls apart under pressure. The defenses reinforce each other, which is why DDoS resilience is treated as part of threat detection and response rather than a single product you switch on.

DDoS and business continuity

A DDoS attack is, at its core, an availability problem, which is the same ground covered by business continuity and disaster recovery. The plan that defines how you keep critical services running through an outage should account for a deliberate flood of traffic, not only hardware failure or a data center going dark. It also belongs in your incident response plan, so the people who decide when to escalate, who to call, and what to tell customers are agreed before the attack rather than during it.

How Raptoric helps

We help companies put detection and a response plan in place that keep DDoS under control, through threat detection and response. Book a scoping call.

Frequently asked questions

What is the difference between a DoS and a DDoS attack?
A DoS attack comes from a single source, while a DDoS attack comes from many distributed devices at once. DDoS is harder to stop because the traffic arrives from hundreds or thousands of addresses, so you cannot simply block one source.
Does a DDoS attack steal data?
Not directly. DDoS targets availability, not the confidentiality of your data. But it is sometimes used as a distraction while the attacker carries out a separate attack, so it should always be taken seriously rather than treated as just noise.
Can we defend against DDoS on our own?
Large attacks are hard to absorb with your own infrastructure alone. That is why external traffic-filtering services and CDNs are used to absorb and scrub the traffic. The key point is that protection has to be in place before the attack, not arranged once it has started.
How do we recognize a DDoS attack?
By a sudden, unexplained drop in availability, a spike in traffic with no business reason, and unusual sources of traffic. Continuous monitoring lets you recognize an attack in its first minutes, when it is far easier to absorb.

Sources

  1. ENISA. ENISA Threat Landscape — DDoS. European Union Agency for Cybersecurity, 2024.
  2. CISA. Understanding Denial-of-Service Attacks. Cybersecurity and Infrastructure Security Agency, 2024.