A botnet of 100,000 compromised devices each sends 10 requests/sec at your site: 1M RPS at your origin. Your LB handles 50k. The site is down, and no users can reach you until the attack stops or you have defenses in place.
DDoS (Distributed Denial of Service) attacks come in many flavors — volumetric (fill pipes), protocol (exhaust connections), application (expensive requests). Defenses live at every layer. In 2025, "we use Cloudflare" is not a complete answer — understand what happens at each layer and why.
02. The three layers of attack
| Layer | Attack type | Example | Goal |
|---|---|---|---|
| L3/L4 Volumetric | Saturate network bandwidth | UDP floods, amplification (DNS, NTP) | Fill your pipes so legitimate traffic can't reach you |
| L3/L4 Protocol | Exhaust connection state | SYN floods, Slowloris | Consume server TCP state so new connections fail |
| L7 Application | Abuse expensive endpoints | 100k requests/sec to /search?q=... | Hit endpoints that take DB/CPU work; exhaust backend |
03. Defenses at each layer
L3/L4 defenses (volumetric + protocol):
Scrubbing centers (Cloudflare, AWS Shield, Radware). Traffic enters a provider network with terabits of capacity. Bad packets filtered out; clean traffic forwarded.
Anycast. The same IP served from 300 PoPs. Attack traffic distributes across all; no single site is overwhelmed.
SYN cookies. Kernel trick so servers don't allocate state for incomplete handshakes.
Rate-limit at the edge. Drop packets exceeding per-IP thresholds before they reach expensive processing.
L7 defenses (application-layer):
Rate limiting per IP / API key / user (see rate limiting algorithms). 100 RPS max per anonymous IP is a reasonable baseline.
Load shedding at the application: when CPU > 80%, drop new requests fast rather than queue them.
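As an added example (not code from the original page), the two L7 defenses above combined into one edge admission check in Python: a per-IP token bucket at the 100 RPS baseline and a CPU load-shed gate at 80%, run over a constructed one-second traffic sample of three bot IPs at 1000 RPS and one real user at 5 RPS. The IP addresses, the Bucket/EdgeLimiter names and the CPU utilisation value fed to the check are assumptions.

```python
"""Edge admission control: per-IP token bucket (100 RPS baseline) plus CPU load shedding."""
from dataclasses import dataclass

RATE_PER_SEC = 100   # baseline from the text: 100 RPS max per anonymous IP
BURST = 100          # bucket capacity in whole tokens (one token per request)
SHED_CPU = 0.80      # above 80% CPU, fail new requests fast instead of queueing
SCALE = 1000         # tokens kept in 1/1000 units so refill is exact integer math


@dataclass
class Bucket:
    tokens: int
    last_ms: int


class EdgeLimiter:
    """Decides per request: 'allow', 'rate_limited' (429) or 'shed' (503)."""

    def __init__(self) -> None:
        self.buckets: dict[str, Bucket] = {}

    def admit(self, ip: str, now_ms: int, cpu_util: float) -> str:
        b = self.buckets.get(ip)
        if b is None:
            b = self.buckets[ip] = Bucket(BURST * SCALE, now_ms)
        # Refill proportionally to elapsed time, capped at the burst size.
        refill = (now_ms - b.last_ms) * RATE_PER_SEC * SCALE // 1000
        b.tokens = min(BURST * SCALE, b.tokens + refill)
        b.last_ms = now_ms
        if b.tokens < SCALE:
            return "rate_limited"   # cheapest rejection: no backend work at all
        b.tokens -= SCALE
        if cpu_util > SHED_CPU:     # cpu_util is an assumed value from a host sampler
            return "shed"           # bucket had room, but the box is saturated
        return "allow"


def simulate_flood(limiter: EdgeLimiter, cpu_util: float = 0.5) -> dict[str, dict[str, int]]:
    """Constructed 1-second sample: three bot IPs at 1000 RPS, one user at 5 RPS."""
    bots = ("203.0.113.10", "203.0.113.11", "203.0.113.12")   # constructed (TEST-NET-3)
    user = "198.51.100.7"                                      # constructed (TEST-NET-2)
    requests = [(ms, ip) for ip in bots for ms in range(1000)]
    requests += [(ms, user) for ms in range(0, 1000, 200)]
    requests.sort()
    stats: dict[str, dict[str, int]] = {}
    for ms, ip in requests:
        verdict = limiter.admit(ip, ms, cpu_util)
        stats.setdefault(ip, {"allow": 0, "rate_limited": 0, "shed": 0})[verdict] += 1
    return stats


if __name__ == "__main__":
    print(simulate_flood(EdgeLimiter()))
```

With this sample each bot gets roughly 200 requests per second through instead of 1000 (the burst plus the refill), the user is untouched, and at 90% CPU every request that survives the bucket is failed fast rather than queued.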
04. Deep dive — amplification attacks
An amplification attack is the scariest volumetric kind because the attacker sends a small packet to a third-party server and gets a much larger response sent to the target. The ratio of response size to request size is called the "amplification factor."
DNS amplification (factor ~50×): attacker spoofs source IP as the target, sends a 60-byte DNS query to an open resolver. Resolver sends a 3000-byte response to the target.
NTP amplification (factor ~550×): similar trick with NTP's monlist command.
Memcached amplification (factor up to 50,000×!): exposed memcached servers respond with huge blobs to small requests. GitHub was hit with a 1.35 Tbps attack this way in 2018.
Mitigation: the amplifiers themselves (open DNS resolvers, exposed memcached) shouldn't exist, but they are misconfigurations on someone else's servers that you can't fix. Your own defense: ingress through a scrubbing center absorbs the volume, so your origin never sees it.
Also: never expose open DNS/NTP/memcached services to the public internet, and rate-limit outbound UDP so your hosts can't be used as amplifiers. Be part of the fix.
Attack Scale Per Layer — 100k-Bot Botnet

| Layer | Attack | Bandwidth | Defense capacity |
|---|---|---|---|
| L3 volumetric | UDP flood, 1 KB packets × 100k bots × 1k pps | ~800 Gbps | Cloudflare ~250 Tbps · AWS Shield ~3 Tbps |
| L3 amplification | NTP monlist, 50× factor, 100k bots | ~40 Tbps possible | Scrubbing center mandatory |
| L4 SYN flood | 100k bots × 10k pps × 64 B SYN | ~50 Gbps + state exhaustion | SYN cookies + LB connection limits |
| L7 HTTP flood | 100k bots × 10 RPS | 1M RPS at your LB | Origin LB ~50k RPS · need edge rate-limit |
| L7 expensive endpoint | 100k bots × 1 RPS hitting /search?q=* | 100k RPS at the DB | WAF + per-IP limit + bot detection |
05. Real-world providers
| Provider | Role | Notes |
|---|---|---|
| Cloudflare | Edge + scrubbing + WAF | Free tier includes DDoS protection. Handles tens-of-terabits attacks routinely. "Magic Transit" for full-network protection of origin servers. |
| AWS Shield | Managed by AWS | Standard tier included with ELB/CloudFront. Advanced tier adds WAF, attack metrics, cost protection. |
| Akamai Kona | Enterprise scrubbing | Used by banks, governments, Fortune 50. Expensive; global presence. |
| Google Cloud Armor | For GCP workloads | Per-IP, per-region rules; adaptive protection that learns normal traffic shapes. |
06. Used in problems
The rate limiter problem is a core DDoS defense at the application layer. The URL shortener uses Cloudflare for edge DDoS protection. Public APIs rate-limit aggressively per key.