DDoS attacks: types, defenses and the current threat situation
DDoS Attacks Fully Explained: Volumetric, Protocol, and Application Layer Attacks—How Botnets Work, the Different Types of DDoS Attacks, and How Businesses Can Protect Themselves Effectively.
In the first half of 2024, the BSI recorded a massive increase in high-volume DDoS attacks in Germany. What once required complex infrastructure now costs just a few euros per hour on the dark web. DDoS has evolved from a hacker’s tool into a mass-market product—and a weapon in geopolitical conflicts.
What is a DDoS attack?
Distributed Denial of Service (DDoS) is an attack in which a target system (server, network, service) is brought to a standstill by an overload of requests from many distributed sources (hence "distributed"), preventing legitimate users from accessing it.
Difference between DoS and DDoS:
- DoS (Denial of Service): Attack from a single system—easy to block
- DDoS: Attack from thousands or millions of compromised systems (botnet)—very difficult to block because the traffic comes from IP addresses that appear legitimate
Goal: To destroy availability. No data access, no infiltration—just downtime.
Motivations:
- Politically motivated (hacktivism, state actors)
- Extortion ("Ransom DDoS"—pay up or we’ll cripple you)
- Competitive sabotage
- Distraction tactic for other attacks (e.g., during a DDoS, logs are flooded, other attacks are obscured)
- Script kiddie motivation (demonstrating power)
DDoS Types
Layer 3/4 - Volumetric Attacks
Goal: Exhaust network bandwidth (Gbps to Tbps).
Amplification Attacks: The attacker sends small requests to public services—and forges the sender IP as the victim’s IP. The services respond with much larger packets directly to the victim:
| Attack Type | Amplification Factor |
|---|---|
| DNS Amplification | up to 50–100× |
| NTP Amplification | up to 556× |
| SSDP Amplification | up to 30× |
| Memcached Amplification | up to 51,000× |
UDP Floods: Massive volumes of UDP packets sent to random ports. The target responds with an ICMP "Destination Unreachable" message—exhausting CPU and bandwidth.
ICMP Flood (Ping Flood): Overwhelming the target with massive ping requests.
Record-breaking attack: In November 2021, Microsoft recorded a DDoS attack with 3.47 Tbps of bandwidth targeting an Azure customer—the largest attack ever recorded.
Layer 4 - Protocol Attacks
Goal: Exhaust server resources by exploiting weaknesses in the protocol itself.
SYN Flood: The attacker sends massive amounts of TCP SYN packets (connection requests) but never responds to the SYN-ACK. The target keeps every half-open connection in its SYN backlog, waiting for a final ACK that never arrives:
Normal: Client → SYN → Server → SYN-ACK → Client → ACK (connection established)
SYN Flood: Attacker → SYN → Server → SYN-ACK → [no response, slot occupied]
Thousands of times simultaneously → Server connection queue full
ACK Flood, RST Flood, URG Flood: Various variants using TCP flags.
Layer 7 - Application Layer Attacks
Goal: Exhaust web server or application resources through seemingly legitimate HTTP requests—often effective even with low attack bandwidth.
HTTP GET/POST Flood: Thousands of legitimate-looking HTTP requests overload backend servers or databases.
Slowloris: Keeps many HTTP connections open simultaneously by intentionally sending requests extremely slowly (byte by byte). The server connection pool becomes exhausted.
RUDY (R-U-Dead-Yet): POST requests with extremely small content chunks over a long period of time—keeps Apache/Nginx worker threads blocked.
HTTP/2 Rapid Reset: New attack from 2023—exploits HTTP/2 stream multiplexing: the client opens requests and cancels them en masse, immediately sending new ones, so the server spends work on requests that are never completed. Record attack with 398 million requests per second.
Ransom DDoS (RDDoS)
Criminals threaten a company with a DDoS attack and demand a ransom (typically: 1–5 BTC). This is often followed by a small demonstration attack to establish credibility.
BSI Recommendation: Do not pay—there is no guarantee the attack will not occur after payment. Instead: Activate DDoS protection and report the attack.
The Threat Landscape in 2024
BSI Situation Report 2024: In the first half of 2024, the number of high-volume DDoS attacks rose sharply. Particularly affected: public administrations, financial service providers, and critical infrastructure.
Pro-Russian hacktivists (Killnet, NoName057, Anonymous Sudan) launched targeted attacks against German and European targets—politically motivated in the context of the war in Ukraine:
- Bundestag, federal agencies
- Airports (Frankfurt, Berlin)
- Banks (Commerzbank, Deutsche Bank)
- Media and news portals
IoT botnets: Poorly secured IoT devices (routers, cameras, smart home devices) are being recruited en masse into botnets. The Mirai botnet and its variants remain active.
DDoS Protection Measures
Layer 1: Network Capacity and Anycast
Bandwidth: More bandwidth than the attacker has—for volumetric attacks. Hardly feasible for individual companies, but cloud providers have Tbps of capacity.
Anycast Routing: Traffic is distributed globally across many PoPs (Points of Presence). This "dilutes" the attack traffic within the global infrastructure.
BGP Blackholing / RTBH (Remotely Triggered Black Hole): In an emergency, the attacked IP address is null-routed upstream for external traffic—your own customers can no longer reach it, but the attack traffic is dropped before it saturates your link. Last resort.
Layer 2: DDoS Protection Services
Cloud-based scrubbing service: Traffic is first redirected to the DDoS protection provider’s scrubbing center. There, malicious traffic is filtered out, and legitimate traffic is forwarded to the origin:
Internet → [Cloudflare/Akamai/AWS Shield] → [Scrubbing] → Origin Server
Well-known DDoS protection services:
- Cloudflare Magic Transit: Network-layer protection, handles over 200 Tbps
- Akamai Prolexic: Enterprise-grade, suitable for critical infrastructure
- AWS Shield Advanced: Integrated into AWS infrastructure
- Radware DDoS Protection
- Deutsche Telekom / Telekom Security: Local provider for BSI-sensitive companies
On-Premises DDoS Appliances:
- Arbor Networks (NETSCOUT)
- Radware DefensePro
- F5 DDoS Hybrid Defender
Layer 3: CDN and Web Application Firewall
For Layer 7 attacks, CDN providers (Cloudflare, Fastly, Akamai) offer essential protection features:
- Rate Limiting: X requests per IP per time window
- Bot Management: Distinguishing between human users and bots
- Challenge Pages: CAPTCHA or JavaScript challenge for suspicious requests
- IP Reputation: Blocking known botnet IPs
WAF Rules Against Layer 7 Attacks:
- Slowloris: Timeouts for slow connections
- HTTP Flood: Request rate limiting by IP/fingerprint
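The rate limiting named above, as an added example that is not code from this page or from any CDN/WAF product: a per-client sliding-window limiter is replayed over constructed access-log lines to flag an HTTP flood. The IPs, log lines and the threshold of 4 requests per 10 seconds are made up for the example; a real deployment keys on IP plus a request fingerprint and tunes the threshold per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed sample in Common Log Format (not from a real server): one client
# hammers /search while a normal visitor (198.51.100.9) loads two pages.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 9981 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 3051 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /search?q=b HTTP/1.1" 200 9802 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /search?q=c HTTP/1.1" 200 9777 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "GET /search?q=d HTTP/1.1" 200 9801 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "GET /search?q=e HTTP/1.1" 200 9850 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2024:10:00:30 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (client_ip, unix_time, request_line), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp(), m["req"]

class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # forget requests that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def find_flooders(log_text, limit=4, window=10):
    """Replay a log through the limiter; return {ip: requests over the limit}."""
    limiter = SlidingWindowLimiter(limit, window)  # illustrative threshold, tune per site
    over = defaultdict(int)
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        ip, now, _ = parsed
        if not limiter.allow(ip, now):
            over[ip] += 1
    return dict(over)
```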
Layer 4: Incident Response
DDoS Response Plan: Who does what when the attack begins?
Detection → Classification → Escalation → Mitigation → Communication
├── Alert in monitoring (network bandwidth, error rate)
├── Determine cause: DDoS or genuine traffic spike?
├── Activate DDoS protection (contact upstream provider if necessary)
├── Notify ISP for BGP blackholing if necessary
└── Communication: internal (management), external (customers, BSI/CERT-Bund if necessary)
Report to BSI/CERT-Bund: Operators of critical infrastructure (KRITIS) and important facilities under NIS2 are required to report serious DDoS attacks.
Layer 5: Proactive Hardening
Anycast DNS: Distribute your DNS servers via Anycast so that a DNS amplification attack aimed at your own infrastructure is spread across many sites instead of taking a single name server offline.
BCP38 / Ingress Filtering: Network routers drop packets whose source IP does not belong to the network they arrive from (spoofed packets)—every ISP should implement this, but unfortunately it is not yet standard.
SYN Cookies: Server-side countermeasure against SYN floods: the server encodes the connection state in its initial sequence number instead of storing it, and only allocates a connection once the client's final ACK proves the handshake is genuine.
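A minimal SYN-cookie encoder and validator, added here as an illustration and not code from this page or from any kernel: the server's initial sequence number carries a time slot, an MSS index and a keyed MAC over the 4-tuple, so no per-connection state exists until a valid ACK arrives. The secret, the MSS table and the 64-second slot granularity are assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed server secret for this example; a real server rotates it.
SERVER_SECRET = b"constructed-example-secret"
# Small MSS table so the client's MSS fits in 3 bits of the cookie
# (kernels do the same with a table of common values).
MSS_TABLE = (536, 1300, 1440, 1460)

def _mac(src, sport, dst, dport, slot, client_isn):
    """24-bit keyed MAC over the 4-tuple, time slot and client ISN."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}|{client_isn}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def _slot(now):
    # 5-bit counter that advances every 64 seconds (assumed granularity)
    return int((time.time() if now is None else now) // 64) & 0x1F

def make_syn_cookie(src, sport, dst, dport, client_isn, client_mss, now=None):
    """Server ISN for the SYN-ACK: [5 bits slot | 3 bits MSS idx | 24 bits MAC].

    Nothing is stored: a flood of SYNs with forged sources costs no memory.
    """
    slot = _slot(now)
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (slot << 27) | (idx << 24) | _mac(src, sport, dst, dport, slot, client_isn)

def check_syn_cookie(src, sport, dst, dport, client_isn, ack, now=None, max_age=2):
    """Validate the handshake-completing ACK (ack == cookie + 1).

    Returns the client's MSS on success, None for a forged or stale ACK.
    Only on success does the server allocate the connection.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_slot(now) - slot) % 32 > max_age:  # cookie too old
        return None
    if mac != _mac(src, sport, dst, dport, slot, client_isn):  # wrong 4-tuple or forged
        return None
    return MSS_TABLE[idx]
```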
Redundancy: Multiple data centers, geographic distribution, automatic failover.
DDoS and NIS2
For operators of essential and important facilities under NIS2:
- Art. 21: Security measures must address availability
- Art. 23: Mandatory reporting of significant disruptions (including DDoS if essential services are affected)
- Within 24 hours: Early warning to CSIRT/BSI
- Within 72 hours: Initial assessment of the incident
Costs and Economic Losses
- Direct costs of a DDoS attack: starting at 7 EUR/hour on the dark web
- Costs of damage to victims: on average 50,000–500,000 EUR per hour of downtime (depending on the industry)
- E-commerce: 100,000 EUR+ per hour of downtime for medium-sized online stores
- Financial sector: Millions of EUR per hour for critical trading platforms
Conclusion
DDoS attacks are easy to buy, hard to stop, and can bring critical business processes to a standstill. The most effective protection combines cloud-based DDoS mitigation (scrubbing services), a well-configured CDN/WAF layer, sufficient network capacity—and a proven incident response plan to ensure a quick and coordinated reaction in the event of an attack.
Sources & References
- [1] BSI Lagebericht zur IT-Sicherheit 2024 - BSI
- [2] Cloudflare DDoS Threat Report 2024 - Cloudflare
- [3] ENISA Threat Landscape 2024 - ENISA
About the Author
M.Sc. Internet Security (if(is), Westfälische Hochschule). COO and authorised signatory (Prokurist) with expertise in information security consulting and security awareness. Junior professor of Cyber Security at FOM Hochschule, CISO lecturer at isits AG and doctoral candidate at the Graduierteninstitut NRW.
11 publications
- Understanding Regional Filter Lists: Efficacy and Impact (2025)
- Privacy from 5 PM to 6 AM: Tracking and Transparency Mechanisms in the HbbTV Ecosystem (2025)
- A Platform for Physiological and Behavioral Security (2025)
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)
- Sharing is Caring: Towards Analyzing Attack Surfaces on Shared Hosting Providers (2024)
- On the Similarity of Web Measurements Under Different Experimental Setups (2023)
- People, Processes, Technology — The Cybersecurity Triad (2023)
- Social Media Scraper im Einsatz (2021)
- Digital Risk Management (DRM) (2020)
- New Work — Die Herausforderungen eines modernen ISMS (2024)