
Anatomy of DDoS Attacks: Types, Operation, and Real-World Examples

Tomasz Szóstek
01/12/2025

DDoS attacks are among the most common and fastest-growing threats in cybersecurity. They involve overwhelming networks, servers, or applications to make services unavailable to legitimate users. The scale of the problem is increasing rapidly—2024 saw a record number of incidents, with the number of attacks exceeding 1 Tbps growing more than tenfold on a quarter-over-quarter basis.

DDoS attacks can be broadly divided into two main types. L3/L4 attacks focus on exhausting bandwidth and infrastructure resources (e.g., TCP SYN Flood, ACK Flood, ICMP Flood). Application-layer (L7) attacks are more precise and harder to detect, as they generate traffic that resembles legitimate user requests, overloading web servers and DNS services (e.g., HTTP Flood, DNS Water Torture, DNS Amplification).

Real-world examples show that modern DDoS campaigns reach extreme scales—from multi-vector volumetric attacks measuring several terabits per second to application-layer attacks generating hundreds of millions of HTTP requests per second. Effective defense today requires distributed infrastructure, advanced traffic analysis, and multi-layered protection mechanisms that ensure service availability even during record-breaking attacks.

What characterizes DDoS attacks? Overview of types and market examples

DDoS (Distributed Denial of Service) attacks are among the most serious and most common threats in today’s cybersecurity landscape. Their goal is to overwhelm server, network, or application resources by flooding them with massive amounts of fake or unwanted traffic, ultimately making services unavailable to legitimate users.

In today’s world—where every second of downtime can result in enormous financial and reputational losses—DDoS attacks have become a daily challenge for companies and organizations worldwide.

In 2024, DDoS activity reached record levels. In the fourth quarter alone, 6.9 million attacks were mitigated, representing an 83% increase year-over-year.

A notable trend is also the rapid rise of hyper-volumetric attacks. In Q4 2024, more than 420 such attacks were recorded, each exceeding 1 Tbps in volume. The number of attacks surpassing 1 Tbps grew by an astonishing 1,885% quarter over quarter.

In this article, I take a closer look at how DDoS attacks work, focusing on their different types and mechanisms.

Types of Distributed Denial of Service (DDoS) Attacks

Network / Transport Layer Attacks (L3/L4 DDoS)

These attacks target the network (Layer 3) and transport (Layer 4) layers, aiming to exhaust bandwidth or computational resources.

TCP SYN Flood

A TCP SYN Flood attack involves sending massive numbers of SYN packets to a server, initiating TCP connections. The attacker typically does not complete the three-way handshake, leaving the server waiting for responses that never arrive. As a result, server resources such as memory and connection tables are gradually exhausted. Once the limit of half-open connections is reached, the server stops responding to legitimate users. This is one of the most popular and easiest DDoS attacks to execute.
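The half-open connection table described above is what a defender watches. The following added example (not code from the article or its author) replays a constructed packet log and reports, per destination port, how many SYNs are still waiting for their final ACK, flagging ports whose count exceeds the backlog size; the event format, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed packet events as (timestamp, src_ip, dst_port, flags).
# "S" = client SYN, "A" = client's final handshake ACK (SYN-ACKs omitted).
# One legitimate client completes its handshake; 400 spoofed sources never do.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", 443, "S"),
    (0.01, "10.0.0.5", 443, "A"),
] + [
    (0.02 + i * 0.001, f"198.51.{100 + i // 256}.{i % 256}", 443, "S")
    for i in range(400)
]


def half_open_snapshot(events, now, timeout=3.0):
    """Half-open (SYN without ACK) connections per dst_port as the server
    would see them at time `now`. SYNs older than `timeout` are treated as
    already reaped by the kernel's SYN-RECV timer (assumed value)."""
    pending = {}  # (src_ip, dst_port) -> timestamp of the SYN
    for ts, src, port, flags in events:
        if ts > now:
            break  # events are in time order; the rest have not happened yet
        key = (src, port)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)  # handshake completed, slot freed
    counts = defaultdict(int)
    for (_, port), ts in pending.items():
        if now - ts <= timeout:
            counts[port] += 1
    return dict(counts)


def syn_flood_alerts(events, now, backlog=128, timeout=3.0):
    """Ports whose half-open count exceeds the listen backlog (assumed 128),
    i.e. the point at which legitimate SYNs start being dropped."""
    snapshot = half_open_snapshot(events, now, timeout)
    return sorted(port for port, n in snapshot.items() if n > backlog)
```

On a real host the same table is visible with `ss -tn state syn-recv`; the snapshot shows why SYN cookies or a short SYN-RECV timeout matter when the spoofed sources never answer.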

TCP ACK Flood

In a TCP ACK Flood attack, the attacker overwhelms the server with a huge number of ACK packets, which are normally used to acknowledge received data in TCP connections. The server must process each packet as part of a potential session—existing or not—consuming significant resources. This overload affects both the network and transport layers. At high traffic volumes, the server may fail to process legitimate requests. ACK Flood attacks are often used to overwhelm infrastructure components such as firewalls and load balancers.

TCP Fragment Flood

In a TCP Fragment Flood attack, the attacker sends large volumes of fragmented TCP packets that must be reassembled by the target server. Packet reconstruction heavily consumes system resources, especially memory and CPU. A high number of fragments can exceed buffer limits, disrupting normal service operation. Legitimate user traffic may be delayed or dropped entirely. This attack is often used to bypass security policies and firewalls that rely on full packet inspection.

Ping of Death

Ping of Death attacks involve sending oversized ICMP packets that, once reassembled, exceed the maximum size allowed by the IP protocol. Historically, such packets caused buffer overflow errors in operating systems, leading to crashes or reboots. While modern systems are largely immune to the classic version of this attack, the concept remains a reminder of how simple packets can impact infrastructure stability. Reports from leading Anti-DDoS vendors indicate that this attack still appears—albeit less frequently—in environments with legacy infrastructure.

ICMP Flood

An ICMP Flood attack generates massive numbers of ICMP packets, typically Echo Requests (“ping”), directed at a target. The server or router must respond to each request, quickly consuming CPU resources and bandwidth. At high traffic volumes, legitimate packets cannot pass through, rendering the service unavailable. This remains one of the simplest yet still effective volumetric attacks.

Application Layer Attacks (L7)

L7 attacks focus on the application layer, consuming application server resources. According to analyses, these attacks accounted for a slight majority of all incidents in 2024, at 51%.

HTTP Flood

HTTP Flood attacks involve sending large volumes of seemingly legitimate HTTP requests (e.g., GET or POST) to overwhelm a web server. Because the traffic closely resembles normal user behavior, it is difficult to detect using basic filters. Each request must be processed by the application, consuming CPU, memory, and session tables. At scale, server resources are exhausted, causing service unavailability for real users.

HTTP Pipelining Attack

HTTP Pipelining attacks exploit the pipelining feature, which allows clients to send multiple HTTP requests without waiting for responses. Attackers generate long sequences of such requests, overloading server queues and processing logic. Servers may stall while attempting to handle endless request streams, blocking or severely delaying legitimate traffic. Detection is difficult because the requests are formally valid.

DNS Water Torture (NXDOMAIN DDoS Attack)

DNS Water Torture attacks flood DNS servers with queries for non-existent domains. The server must process each request and return an NXDOMAIN response, consuming resources. When directed at authoritative servers, this can affect the availability of entire domains. Legitimate DNS traffic becomes harder to process, leading to service disruptions.
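An authoritative server under Water Torture sees the pattern the text describes: a high NXDOMAIN ratio for one zone, with almost every query name unique and spread across many resolvers. The added example below (not the article's code) parses constructed query-log lines in an assumed "time client qname rcode" format and reports zones that match that profile; thresholds are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict

# Constructed log lines: 10 ordinary lookups of a popular name, then 200
# queries for random labels under one zone, all answered NXDOMAIN, arriving
# via 40 different resolver addresses.
SAMPLE_LOG = [f"12:00:00 192.0.2.{i % 3} www.example.com NOERROR" for i in range(10)]
SAMPLE_LOG += [
    f"12:00:{i % 60:02d} 203.0.113.{i % 40} q{i:05x}.victim.example NXDOMAIN"
    for i in range(200)
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Return (time, client, qname, rcode) or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3).lower().rstrip("."), m.group(4)


def zone_of(qname, depth=2):
    """Zone = last `depth` labels (2 assumed; adjust for ccTLD-style zones)."""
    return ".".join(qname.split(".")[-depth:])


def water_torture_suspects(lines, min_queries=50, nx_ratio=0.8, min_unique=0.9):
    """Zones with enough traffic where most answers are NXDOMAIN and most
    query names never repeat (random-label signature)."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, qname, rcode = rec
        s = stats[zone_of(qname)]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["names"].add(qname)
        s["clients"].add(client)
    suspects = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        ratio = s["nx"] / s["total"]
        unique = len(s["names"]) / s["total"]
        if ratio >= nx_ratio and unique >= min_unique:
            suspects[zone] = {"queries": s["total"], "nxdomain_ratio": round(ratio, 2),
                              "clients": len(s["clients"])}
    return suspects
```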

DNS Amplification

In DNS Amplification attacks, the attacker abuses open DNS resolvers by sending queries with a spoofed source IP address belonging to the victim. The victim is then flooded with amplified DNS responses it never requested. Because traffic originates from many DNS servers, the attack is highly distributed and difficult to block. This remains one of the most commonly used volumetric DDoS attacks due to its efficiency and simplicity.
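From the victim's edge, the tell-tale sign of the reflection described above is DNS responses arriving for queries the victim never sent. This added example (not from the article) matches constructed UDP/53 flow records against a table of outstanding outbound queries and summarises the unsolicited remainder; the record format and sizes are assumptions.

```python
# Constructed flow records at the victim's edge: (direction, remote_ip, txid, bytes).
# "out" = query sent by the victim, "in" = response received from remote_ip.
SAMPLE_RECORDS = [
    ("out", "9.9.9.9", 0x1A2B, 60), ("in", "9.9.9.9", 0x1A2B, 120),   # legitimate
    ("out", "9.9.9.9", 0x1A2C, 58), ("in", "9.9.9.9", 0x1A2C, 95),    # legitimate
] + [
    # 300 large responses from 100 open resolvers, none matching a query
    ("in", f"203.0.113.{i % 100}", 0x4000 + i, 3000) for i in range(300)
]


def unsolicited_dns_responses(records):
    """Responses whose (source, transaction id) was never seen on an outbound
    query; spoofed-source reflection produces exactly this."""
    outstanding = set()
    unsolicited = []
    for direction, remote, txid, size in records:
        key = (remote, txid)
        if direction == "out":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)  # answer to a real query
        else:
            unsolicited.append((remote, size))
    return unsolicited


def reflection_summary(records, typical_query_bytes=64):
    """Count of unsolicited responses, distinct reflectors, total bytes and the
    implied amplification versus an assumed typical query size."""
    uns = unsolicited_dns_responses(records)
    total = sum(size for _, size in uns)
    avg = total / len(uns) if uns else 0.0
    return {
        "unsolicited": len(uns),
        "reflectors": len({remote for remote, _ in uns}),
        "bytes": total,
        "amplification": round(avg / typical_query_bytes, 1),
    }
```

Blocking by source address is hopeless here because every reflector is a legitimate resolver; the useful output is the reflector count and byte volume to hand to an upstream scrubbing provider, plus the reminder that the fix is source-address validation (BCP 38) and closing open resolvers.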

Examples of the Largest DDoS Attacks Recorded by Cloudflare

7.3 Tbps Attack – The Largest Volumetric DDoS Handled by Cloudflare

At the beginning of 2025, Cloudflare described one of the largest DDoS attacks in its history. In just 45 seconds, a single customer IP address (belonging to a large hosting provider) received 37.4 terabytes of malicious traffic, with a peak volume exceeding 7.3 Tbps. The attack targeted tens of thousands of destination ports and originated from over one hundred thousand unique source IPs.

Most of the traffic consisted of a classic UDP flood, but the campaign was multi-vector, including elements such as NTP reflection and QOTD. Thanks to Cloudflare Magic Transit, the attack was fully mitigated before reaching the customer’s servers—without any service downtime.


Record-Breaking Application-Layer Attack

Cloudflare has also published details of an attack based on the HTTP/2 Rapid Reset technique. During the campaign, over 201 million HTTP requests per second were observed. This demonstrates that application-layer attacks are often more sophisticated than classic L3/L4 DDoS attacks. They do not require massive botnets, but rather clever exploitation of protocol weaknesses. Cloudflare identified the pattern, blocked the technique, and immediately deployed improvements to its detection systems.
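The HTTP/2 Rapid Reset pattern is a client opening streams and cancelling them immediately, so the server does the work of a request while the client never counts it against its concurrency limit. This added example (not Cloudflare's code or the article's) scores connections in a constructed frame log by their reset-to-open ratio and peak reset rate per window; the log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed HTTP/2 frame log at a reverse proxy: (ts, conn_id, frame, stream_id).
# c1: a browser opening 20 streams and cancelling one. c2: 500 streams opened
# and each reset 0.2 ms later, all within half a second.
LEGIT = [(i * 0.1, "c1", "HEADERS", 2 * i + 1) for i in range(20)]
LEGIT.append((2.1, "c1", "RST_STREAM", 7))
ABUSE = []
for i in range(500):
    ABUSE.append((i * 0.001, "c2", "HEADERS", 2 * i + 1))
    ABUSE.append((i * 0.001 + 0.0002, "c2", "RST_STREAM", 2 * i + 1))
SAMPLE_FRAMES = sorted(LEGIT + ABUSE)


def rapid_reset_score(frames, window=1.0):
    """Per connection: streams opened, streams reset by the client, and the
    peak number of resets inside any sliding `window` seconds."""
    opened = defaultdict(int)
    resets = defaultdict(list)
    for ts, conn, frame, _sid in frames:
        if frame == "HEADERS":
            opened[conn] += 1
        elif frame == "RST_STREAM":
            resets[conn].append(ts)
    scores = {}
    for conn in opened:
        times = sorted(resets.get(conn, []))
        peak, start = 0, 0
        for end, t in enumerate(times):
            while times[start] < t - window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        scores[conn] = {"opened": opened[conn], "reset": len(times),
                        "peak_resets_per_window": peak}
    return scores


def rapid_reset_suspects(frames, min_ratio=0.5, min_rate=100, window=1.0):
    """Connections that reset most of what they open, at a rate no human
    client produces (thresholds assumed; tune to the origin's capacity)."""
    return sorted(
        conn for conn, s in rapid_reset_score(frames, window).items()
        if s["opened"] and s["reset"] / s["opened"] >= min_ratio
        and s["peak_resets_per_window"] >= min_rate
    )
```

The mitigation that followed the incident is the same idea enforced at the server: count a stream against the client from the moment it is opened, and close connections whose reset rate crosses a threshold.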


Thanks to its globally distributed infrastructure, Cloudflare is one of the few providers capable of guaranteeing service availability even in the face of record-breaking DDoS attacks. If you want to learn how to effectively protect your organization against DDoS attacks—contact us.

This article was prepared by a 4Prime expert and edited with the support of artificial intelligence tools.


Text author:
Tomasz Szóstek, Security Engineer, 4Prime IT Security
Tomasz has specialized in networking and cybersecurity for many years. His main areas of interest include Next Generation Firewall (NGFW) and Web Application Firewall (WAF) technologies. He has experience working with leading IT security vendors such as Fortinet, Palo Alto, F5, Juniper, Cloudflare, Cisco, and Check Point.
