Skip to main content
ThreatsFirewallSIEM

What is DDoS (Distributed Denial of Service)?

A Distributed Denial of Service (DDoS) attack floods a target network, service, or application with traffic or requests from many coordinated or compromised sources at once, exhausting bandwidth, connection-table capacity, or application resources so legitimate users cannot reach the service. The distributed part is what makes it hard to stop with a simple IP block, since the traffic originates from thousands of sources rather than one.

Definition

DDoS (Distributed Denial of Service)
A Distributed Denial of Service (DDoS) attack floods a target network, service, or application with traffic or requests from many coordinated or compromised sources at once, exhausting bandwidth, connection-table capacity, or application resources so legitimate users cannot reach the service. The distributed part is what makes it hard to stop with a simple IP block, since the traffic originates from thousands of sources rather than one.

How DDoS (Distributed Denial of Service) Works

DDoS attacks cluster into three broad categories that target different layers of the stack. Volumetric attacks aim to saturate available bandwidth outright, often using reflection and amplification, where an attacker spoofs the target's source IP and sends small requests to open DNS resolvers, NTP servers, or misconfigured memcached instances, each of which replies with a response many times larger than the request, multiplying the traffic that lands on the victim. Protocol attacks target the connection-handling logic of network infrastructure itself, the classic example being a SYN flood that opens huge numbers of half-finished TCP handshakes to exhaust a server's or firewall's connection state table without ever completing a real session. Application-layer attacks operate at Layer 7, sending traffic that looks like legitimate requests, HTTP GET floods against a specific expensive endpoint, or a Slowloris-style attack that opens many connections and sends data slowly enough to hold worker threads open indefinitely, both of which can take a service down with far less raw bandwidth than a volumetric attack requires.

The distributed sources behind large attacks are usually a botnet, a network of compromised devices under a single attacker's control. The Mirai botnet, built from poorly secured IoT devices like consumer routers and cameras, demonstrated how large these networks can get and how much traffic they can generate, and Mirai-derived variants remain active in the DDoS-for-hire market years later.

Mitigation is layered by attack type. Upstream scrubbing services (Cloudflare, Akamai, AWS Shield) absorb and filter volumetric traffic before it ever reaches the origin network, typically using anycast routing to spread the flood across globally distributed scrubbing centers. SYN cookies let network infrastructure survive protocol-level floods without exhausting connection state. CDN and WAF layers absorb application-layer floods by caching content and applying rate limiting and bot-detection logic closer to the client. At the network provider level, remotely triggered black hole (RTBH) routing lets an ISP null-route traffic destined for a specific IP under sustained volumetric attack, sacrificing that one destination's availability to protect the rest of the network.

DDoS (Distributed Denial of Service) in SOC Operations

DDoS detection usually starts with a sudden, sustained deviation from a service's normal traffic baseline: a spike in connection attempts, bandwidth utilization, or request rate against a specific public-facing asset, visible in NGFW throughput graphs, flow data (NetFlow or sFlow), or CDN traffic dashboards well before it shows up as a user-reported outage. The analyst's first job is distinguishing an actual attack from a legitimate traffic surge, a product launch, a viral link, a scheduled batch job, since the response paths differ completely; checking whether the traffic pattern matches known attack signatures (reflection amplification from unusual source ports, an unnatural concentration of requests against one expensive endpoint) versus organic growth in referrer diversity and session behavior is the key differentiator. Once an attack is confirmed, the SOC's role is largely coordination and verification rather than blocking every source individually, which is impractical against thousands of distributed origins. That means confirming upstream scrubbing or CDN mitigation has actually engaged, verifying that legitimate traffic is still reaching the service through the mitigation path, and working with network or ISP contacts if RTBH null-routing becomes necessary for a severe volumetric flood. Analysts also treat DDoS with a healthy suspicion of intent beyond mere disruption: a flood against one service is a well-documented diversion tactic used to pull SOC attention away from a quieter, concurrent intrusion elsewhere in the environment, so during an active DDoS incident it is standard practice to keep monitoring other high-value systems rather than fixating entirely on the noisy attack.

Free

Practice DDoS (Distributed Denial of Service) in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating ddos (distributed denial of service) scenarios with zero consequences, free.

More Threats Terms

Career Path

Threat Hunter Career Guide: Salary & Skills

Threat Hunters do not wait for alerts. You develop hypotheses based on threat intelligence and adversary behavior models…

Read more
Career Path

Incident Responder Career Guide: Salary & Skills

Incident Responders lead the technical response when confirmed breaches happen. You coordinate containment, run forensic…

Read more
Career Path

SOC Analyst (Tier 2) Career Guide: Salary & Skills

Tier 2 SOC Analysts handle the investigations that Tier 1 escalates. You dig into multi-stage attacks, coordinate contai…

Read more
Comparison

SOCSimulator vs Hack The Box: Comparison

Different tools for different career paths. SOCSimulator trains defensive analysts. Hack The Box trains offensive securi…

Read more
Tool

Firewall Training Console: SOCSimulator

The Firewall console in SOCSimulator replicates the log analysis experience of enterprise platforms like Palo Alto Netwo…

Read more
Tool

SIEM Training Console: SOCSimulator

The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…

Read more
Technique

MITRE ATT&CK® Techniques: Detection Training Library

Browse all MITRE ATT&CK® techniques with detection strategies and example alerts.

Read more
Career Path

Cybersecurity Career Paths: 2026 Guide

Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.

Read more
Playbook

SOC Investigation Playbooks: Step-by-Step Guides

Practitioner investigation playbooks with decision trees and real SIEM queries.

Read more
Feature

Shift Mode: Real-Time SOC Simulation

Practice alert triage under realistic time pressure with SLA timers and noise injection.

Read more
Feature

Operations: Guided Training Operations

Structured CTF-style investigation operations covering real-world attack scenarios.

Read more
Blog

SOCSimulator Blog: Security Training Insights

Articles on SOC analyst skills, detection engineering, and career development.

Read more