The nature of the attack
A distributed denial of service attack floods a target from many sources at once, aiming to exhaust bandwidth, connection tables, or server CPU so real users cannot get through. Because the traffic comes from thousands of machines, blocking a single source does little.
Layers of defense
- Overprovisioning and anycast spread traffic across many points of presence so no single site absorbs the whole flood.
- Scrubbing centers route traffic through filters that strip attack packets and forward clean traffic onward.
- Rate limiting caps requests per client to blunt application floods.
- SYN cookies defend against handshake floods without holding state for half-open connections.
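The SYN cookie item above, sketched as an added example (not part of the original page and not any kernel's actual code): the server packs a coarse time counter, an MSS index, and a keyed MAC of the connection 4-tuple into the 32-bit sequence number of its SYN-ACK, then rebuilds the connection from the client's final ACK. The secret, MSS table, tick length, field layout, and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # constructed; a real server uses a random, rotated key
MSS_TABLE = [536, 1220, 1440, 1460]   # constructed table; the index is carried in 3 bits
TICK_SECONDS = 64                     # granularity of the time counter

def _mac24(src, sport, dst, dport, t):
    """24-bit keyed MAC over the 4-tuple and the time counter."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHI", sport, dport, t))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_mss, now):
    """Sequence number for the SYN-ACK; nothing is stored per connection."""
    t = int(now) // TICK_SECONDS
    # Largest table entry that does not exceed the MSS the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(src, sport, dst, dport, t)

def check_cookie(src, sport, dst, dport, ack_num, now):
    """Validate the final ACK; return the negotiated MSS, or None to drop."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # client ACKs our sequence number + 1
    t_now = int(now) // TICK_SECONDS
    for t in (t_now, t_now - 1):             # accept the current and previous tick only
        if t < 0 or (t & 0x1F) != cookie >> 27:
            continue
        idx = (cookie >> 24) & 0x7
        expected = _mac24(src, sport, dst, dport, t).to_bytes(3, "big")
        received = (cookie & 0xFFFFFF).to_bytes(3, "big")
        if idx < len(MSS_TABLE) and hmac.compare_digest(received, expected):
            return MSS_TABLE[idx]
    return None
```

A flood of SYNs that never complete the handshake costs the server one MAC computation per packet and no connection-table entries, which is the property the list item describes.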
Volumetric floods aim to fill the pipe, so they are best handled upstream by a provider with far more capacity than the origin. Application-layer floods are smaller in bandwidth but expensive to serve, so defenses there rely on behavioral analysis and challenges that distinguish bots from humans. A layered plan combines network capacity, filtering, and application controls rather than any single trick.
Key idea
DDoS defense layers upstream capacity, traffic scrubbing, and application rate limits because blocking any single source does little.