DDoS stands for Distributed Denial of Service. That sounds complicated, but the idea is actually very simple. Let's use a real-world example to understand it.
Imagine a small restaurant with 50 seats. On a normal day, real customers walk in, eat their food, pay, and leave. Everything works fine. Now imagine that someone sends 10,000 fake customers to flood the entrance all at once. They crowd the doorway, fill every seat, and block the hallway. Real customers who actually want to eat can't even get through the door. The restaurant hasn't been robbed or broken into — it's simply overwhelmed and can't serve anyone.
A DDoS attack does exactly the same thing to a website or an online service. Attackers flood a server with so much fake traffic that real users can't connect. The website becomes slow, shows error messages, or goes completely offline.
The word "Distributed" is important. It means the attack doesn't come from one computer — it comes from thousands or even millions of different devices at the same time. This makes it extremely hard to stop, because you can't just block one source. The fake traffic is coming from everywhere.
A DDoS attack follows a predictable pattern, and it starts long before the actual flood of traffic begins.
Step 1: Build a botnet. The attacker first needs an army of devices to launch the attack from. They do this by spreading malware — malicious software that secretly infects computers, security cameras, home routers, and other internet-connected devices. Each infected device becomes a "bot" or "zombie" that the attacker can control remotely. Together, these devices form a botnet — a network of thousands of compromised machines spread across the world. Most device owners have no idea their equipment has been recruited.
Step 2: Pick a target and attack. The attacker sends a single command to the entire botnet: "Send as many requests as you can to this target." All the infected devices obey simultaneously.
Step 3: The target gets overwhelmed. The server receives millions of requests per second. Its internet connection fills up, its processor maxes out, or its connection table overflows. It simply can't handle the volume.
Step 4: Real users are locked out. Anyone trying to visit the website gets timeouts, error pages, or no response at all. The service is effectively down — even though the server itself hasn't been compromised.
The devices most commonly recruited into botnets are IoT devices — security cameras, baby monitors, DVRs, smart light bulbs, and home routers. Why? Because they often ship with default passwords that owners never change, they rarely receive security updates, and they're connected to the internet 24/7. Your home security camera could be attacking a website right now without you knowing.
Not all DDoS attacks work the same way. They generally fall into three categories, each targeting a different part of the infrastructure.
| Type | Goal | Examples |
|---|---|---|
| Volumetric | Flood the network bandwidth | UDP flood, ICMP flood, DNS amplification |
| Protocol | Exhaust server resources | SYN flood, Ping of Death, fragmented packets |
| Application Layer | Overwhelm the application | HTTP flood, Slowloris, slow POST |
Volumetric attacks aim to use up all the target's internet bandwidth. One particularly clever technique is DNS amplification. Here's how it works: the attacker sends a tiny DNS query (maybe 60 bytes) to a public DNS server, but forges the return address to be the victim's IP. The DNS server dutifully sends its large response (sometimes 4,000+ bytes) to the victim. One small query produces a response 50 to 100 times larger — that's the "amplification." Multiply that by thousands of DNS servers and millions of queries, and you get a tidal wave of traffic hitting the victim.
This is exactly why blocking DNS ANY queries matters. ANY queries return the largest possible DNS responses, making them the perfect amplification tool. Blocking them reduces the amplification factor dramatically.
Protocol attacks target the networking layer of a server. The most famous example is the SYN flood. Normally, when your computer connects to a server, there's a three-step handshake: "I want to connect" (SYN) → "OK, go ahead" (SYN-ACK) → "Thanks, I'm connected" (ACK). In a SYN flood, the attacker sends millions of "I want to connect" messages but never completes the handshake. The server allocates memory for each half-open connection, waiting for a reply that never comes, until it runs out of resources.
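The half-open-connection symptom described above, turned into a small detector. This is an added example, not code from the original page or the service it describes: it reads a constructed client-side packet log, counts handshakes that got a SYN but never the client's final ACK, and flags the total against an assumed threshold.

```python
"""Added example (not from the original page): spotting a SYN flood by counting
half-open handshakes in a constructed packet log. Addresses, log format and the
threshold are assumptions for illustration."""
from collections import defaultdict

# Constructed client-side log: "<time> <src_ip>:<port> <dst_ip>:<port> <flag>"
# where S is the client's "I want to connect" and A its final "I'm connected".
SAMPLE_LOG = """\
0.00 203.0.113.5:40001 198.51.100.10:443 S
0.01 203.0.113.5:40001 198.51.100.10:443 A
0.02 203.0.113.9:1001 198.51.100.10:443 S
0.03 203.0.113.21:1002 198.51.100.10:443 S
0.04 203.0.113.9:1003 198.51.100.10:443 S
0.05 203.0.113.44:1004 198.51.100.10:443 S
0.06 203.0.113.5:40002 198.51.100.10:443 S
0.07 203.0.113.5:40002 198.51.100.10:443 A
"""

def half_open_by_source(log_text):
    """Return {src_ip: number of SYNs that were never completed with an ACK}."""
    pending = {}                       # "src_ip:port" -> src_ip for unfinished handshakes
    for line in log_text.splitlines():
        _time, src, _dst, flag = line.split()
        if flag == "S":
            pending[src] = src.rpartition(":")[0]   # handshake step 1 seen
        elif flag == "A":
            pending.pop(src, None)                   # step 3 completes it
    counts = defaultdict(int)
    for src_ip in pending.values():
        counts[src_ip] += 1
    return dict(counts)

def total_half_open(log_text):
    """Total unfinished handshakes the server would be holding memory for."""
    return sum(half_open_by_source(log_text).values())

def syn_flood_suspected(log_text, max_half_open=3):
    """Flag on the total, not per source: a flood usually spoofs source
    addresses, so each forged IP may show only one or two half-open entries."""
    return total_half_open(log_text) > max_half_open
```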
Application-layer attacks are the sneakiest. Each individual request looks perfectly legitimate — it's just a normal page visit or API call. The problem is volume. Think of 10,000 people each ordering one item at a fast-food counter. Each order is completely normal, but the counter simply can't serve them all at once. These attacks are the hardest to defend against because it's difficult to distinguish real users from attackers.
DDoS attacks aren't hypothetical — they happen every day, and some have been massive.
In October 2016, the Mirai botnet attacked Dyn, a major DNS infrastructure provider. The botnet was made up almost entirely of IoT devices — cameras and DVRs with default passwords. When Dyn's DNS went down, so did Twitter, Netflix, Reddit, GitHub, Spotify, and dozens of other major websites. The websites themselves were fine — their DNS was unreachable, so nobody could find them. It was like erasing every restaurant from Google Maps: the restaurants still exist, but nobody can get directions.
By 2023, the largest recorded attacks exceeded 1 Tbps (terabit per second) — enough data to download about 125,000 movies every second.
The gaming industry is the number one DDoS target worldwide. Competitive gamers use DDoS attacks to knock opponents offline during matches, and disgruntled players attack game servers out of frustration. It's so common that "booting" someone offline is part of gaming culture.
DNS and DDoS are connected in three important ways. Understanding these connections helps explain why DNS infrastructure is both a target and a defense.
First, DNS can be abused as an amplifier. As explained above, open DNS resolvers can be turned into traffic amplifiers: an attacker sends small queries with a forged source address, and the DNS server sends large responses to the victim. This is why responsible DNS services block ANY queries by default and implement per-IP rate limiting — to prevent their infrastructure from being weaponized.
Second, DNS is a target. If the DNS infrastructure goes down, every website that depends on it becomes unreachable — even if the web servers are running perfectly. The 2016 Dyn attack proved this dramatically. This is why redundant, distributed DNS infrastructure matters. If your DNS has multiple servers in different locations, an attack on one location doesn't take everything down.
Third, DNS is a defense. Here's the part most people don't think about: DNS filtering can actually prevent your devices from participating in DDoS attacks. Remember how botnets work — malware on your device connects to a command-and-control (C2) server to receive instructions. That connection starts with a DNS lookup. If your DNS blocks the C2 domain, the malware can't phone home, can't receive commands, and your device can't be used in the attack.
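The three resolver-side defenses named above (refusing ANY queries, per-IP rate limiting, and blocking C2 domains) combined into one policy gate, as an added example that is not code from the original page or from the service it describes. The blocklist entries, client addresses and limits are constructed for illustration; a real resolver would load its blocklist from a threat feed and tune the limits to its traffic.

```python
"""Added example (not from the original page): a defensive front-end policy for a
DNS resolver that refuses ANY queries, rate-limits each client IP with a sliding
window, and sinkholes known command-and-control domains. All names, addresses
and limits below are constructed for illustration."""
from collections import defaultdict, deque

# Constructed C2 blocklist; a real service would load this from a feed.
C2_BLOCKLIST = {"c2-example.test", "botnet-update.test"}

class ResolverPolicy:
    def __init__(self, max_queries_per_window=5, window_seconds=1.0):
        self.max_queries = max_queries_per_window
        self.window = window_seconds
        # Per-client timestamps of recently accepted queries (sliding window).
        self.recent = defaultdict(deque)

    def _blocked_domain(self, qname):
        # Match the exact name and every parent suffix, so that
        # "update.c2-example.test" is caught by the "c2-example.test" entry.
        labels = qname.rstrip(".").lower().split(".")
        return any(".".join(labels[i:]) in C2_BLOCKLIST for i in range(len(labels)))

    def decide(self, client_ip, qname, qtype, now):
        """Return 'REFUSE_ANY', 'BLOCKED', 'RATE_LIMITED' or 'ALLOW'."""
        if qtype.upper() == "ANY":
            return "REFUSE_ANY"        # the largest-response query type is never served
        if self._blocked_domain(qname):
            return "BLOCKED"           # malware cannot resolve its C2 host
        window = self.recent[client_ip]
        while window and now - window[0] >= self.window:
            window.popleft()           # forget queries older than the window
        if len(window) >= self.max_queries:
            return "RATE_LIMITED"      # caps how much reflected traffic one IP can draw
        window.append(now)
        return "ALLOW"
```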
Our DNS infrastructure is built with DDoS resilience and botnet prevention in mind:
DNS filtering blocks the command-and-control domains that recruit your devices into attacks. Set up protection in under 5 minutes.