What is a DDoS attack in one sentence?

A DDoS attack uses many machines at once to flood a service with more traffic or requests than it can handle, making it unavailable to real users.

What is the difference between DoS and DDoS?

A DoS attack comes from a single source; a DDoS (distributed) attack comes from many sources at once, usually a botnet, which makes it far harder to filter by blocking one address.

What are the main types of DDoS attacks?

Volumetric attacks that saturate bandwidth, protocol attacks that exhaust network-layer resources like connection tables, and application-layer attacks that overwhelm expensive endpoints with seemingly legitimate requests.

Can a DDoS attack steal data?

Not directly — DDoS targets availability, not confidentiality. But attackers sometimes use a DDoS as a smokescreen to distract responders while a separate intrusion is underway.

How do you defend against DDoS?

Upstream scrubbing services and CDNs that absorb volume, rate limiting and bot detection at the application edge, generous autoscaling, and a tested incident runbook for when an attack hits.

Glossary · Security

What is a DDoS Attack?

A distributed denial-of-service attack uses a swarm of machines — often a botnet of compromised devices spread across the globe — to bury a website or service under far more traffic than it was built to handle. Unlike attacks that steal data, a DDoS aims to make a service unreachable: real customers get errors and timeouts while the flood drowns out their requests.

Distributed is the key word

A plain denial-of-service attack comes from one machine and is easy to block — you drop traffic from that one address and move on. The “distributed” in DDoS is what makes it dangerous: the traffic arrives from thousands or millions of sources at once, typically a botnet of hijacked routers, cameras, and servers the owners do not even know are infected. There is no single address to block, the traffic can look superficially legitimate, and the sheer scale can exceed what a single data center's pipes can carry. That asymmetry — cheap to launch, expensive to absorb — is the whole problem.

Three layers of attack

Volumetric attacks aim to saturate your bandwidth, sometimes amplified by abusing open internet services so a small request triggers a huge response aimed at the victim. Protocol attacks target network-layer resources — exhausting connection tables and firewall state with half-open connections rather than raw volume. Application-layer attacks are the most surgical: they send requests that look real but hammer the most expensive operations, such as search or report generation, so even a modest request rate can tip a server over. Defending well means having an answer at each layer.

Why it happens

Motives vary. Some attacks are extortion — pay up or stay offline. Some are competitive sabotage timed to a product launch or a high-traffic sales day. Some are hacktivism or simple vandalism, and some are a deliberate distraction: a noisy DDoS keeps the operations team busy at the front door while a quieter intrusion slips in through a side window. That last pattern is why a sudden traffic flood should raise security alarms, not just availability ones — it can be the cover for a more serious breach.

How to defend against it

No application absorbs a large DDoS on its own — the defense starts upstream. Content delivery networks and dedicated scrubbing providers sit in front of your service, soak up volumetric and protocol floods across their global capacity, and forward only clean traffic. Behind that edge you add application-layer rate limiting, bot detection, and caching so that the expensive endpoints are protected, plus generous autoscaling so legitimate spikes do not get mistaken for an attack. Just as important is a rehearsed runbook: knowing who to call and which mitigations to flip on turns a multi-hour outage into a brief blip.

At QUANT LAB

Resilience to DDoS is an architecture decision, and we make it early. The systems we build on cloud infrastructure sit behind a CDN with edge caching and rate limiting by default, scale horizontally under load, and keep expensive operations off the hot path so a request flood cannot easily exhaust them. We also treat availability as part of the threat model during a penetration test, flagging unauthenticated endpoints that do heavy work — the exact spots a low-volume application-layer attack would target. Designing for the flood beats scrambling during one.

A note on the broader picture

DDoS protects nothing if the rest of the stack is soft, and it defends against only one of three classic security goals: availability. Confidentiality and integrity still depend on the defenses behind it — sane authentication, patched software with no unaddressed CVEs, and resistance to application bugs like SQL injection. A mature program treats DDoS mitigation as one slice of a layered defense, not the whole pie.

Long-form deep-dives that use this term

All posts

Related terms

Is your service ready for a flood?

We architect systems that absorb traffic spikes and hold up under application-layer pressure. Book a 30-minute call.

Cloud infrastructure