What is a DDoS Attack and How Is It Mitigated?
Learn what a DDoS attack is, volumetric vs protocol vs application-layer types, amplification, and mitigation — with interview Q&A.
Expected Interview Answer
A DDoS (Distributed Denial of Service) attack overwhelms a target’s network, server, or application with traffic from many distributed sources simultaneously, exhausting its bandwidth, connection capacity, or compute resources so legitimate users cannot get through.
Unlike a single-source denial-of-service attack, DDoS traffic comes from many machines at once, often a botnet of compromised devices spread across the internet, which makes it far harder to block with a simple IP-based filter since there is no single source to deny. Attacks generally fall into three categories: volumetric attacks (like UDP floods or DNS amplification) that simply saturate available bandwidth; protocol attacks (like SYN floods) that exhaust connection-state tables on servers or firewalls by exploiting the TCP handshake; and application-layer attacks (like HTTP floods) that mimic legitimate requests but exhaust application resources such as database connections or CPU. Amplification attacks are especially damaging because the attacker spoofs the victim’s IP as the source of a small request sent to an open resolver (like DNS or NTP), which then sends a much larger response to the victim, multiplying the attacker’s effective bandwidth many times over. Mitigation combines scrubbing traffic through a high-capacity CDN or DDoS protection service that absorbs volumetric floods, rate limiting and connection-state protections like SYN cookies for protocol attacks, and application-layer defenses like CAPTCHAs, WAF rules, and behavioral traffic analysis for HTTP-layer floods.
- Distinguishes attack types (volumetric, protocol, application-layer) for targeted defense
- Explains why distributed sources defeat simple IP-blocking mitigation
- Covers amplification attacks and why spoofed source IPs make them dangerous
- Names practical mitigations: scrubbing, SYN cookies, rate limiting, WAF/CAPTCHA
AI Mentor Explanation
A DDoS attack is like thousands of fake fans simultaneously flooding a stadium’s single ticket gate from every direction at once, so real ticket holders cannot squeeze through no matter how orderly the queue system is. A volumetric flood is like an overwhelming crowd simply blocking the physical entrance, a protocol attack is like fake fans starting the entry check but never finishing it, tying up every gate attendant, and an application attack is like fans who pass the gate check but then endlessly ask the concession stand for orders they never complete, exhausting staff. Stadium security mitigates this with extra crowd-scrubbing checkpoints, faster gate-check processes, and staff trained to spot fake queuing behavior, mirroring real DDoS mitigation.
Step-by-Step Explanation
Step 1
Compromise/recruit sources
Attacker controls a botnet of distributed, often compromised devices across many networks.
Step 2
Coordinate the flood
All sources simultaneously send traffic — volumetric, protocol, or application-layer — at the target.
Step 3
Resource exhaustion
The target's bandwidth, connection tables, or application resources are saturated, blocking legitimate users.
Step 4
Mitigation kicks in
Traffic scrubbing, rate limiting, SYN cookies, and WAF/behavioral rules filter attack traffic from legitimate requests.
What Interviewer Expects
- Distinguishes DoS (single source) from DDoS (distributed sources)
- Names the three attack categories: volumetric, protocol, application-layer
- Explains amplification attacks and why spoofed source IPs enable them
- Names concrete mitigations: scrubbing/CDN, SYN cookies, rate limiting, WAF
Common Mistakes
- Using DoS and DDoS interchangeably without noting the distributed-source distinction
- Thinking simple IP blocking is sufficient to stop a distributed attack
- Not knowing amplification attacks rely on spoofed source IP addresses
- Assuming only bandwidth matters, ignoring protocol and application-layer exhaustion
Best Answer (HR Friendly)
“A DDoS attack is when an attacker uses a large number of compromised devices spread across the internet to flood a website or service with traffic all at once, overwhelming it so real users cannot get through — like thousands of fake customers jamming every checkout line in a store simultaneously. Companies defend against this with specialized traffic-scrubbing services that filter out the attack traffic before it reaches the real servers, plus techniques that make it harder for a flood of half-finished or fake requests to tie up resources.”
Code Example
# Check for a suspiciously high number of half-open connections
netstat -n -p TCP | grep SYN_RECV | wc -l
# Enable SYN cookies to protect against SYN flood exhaustion (Linux)
sudo sysctl -w net.ipv4.tcp_syncookies=1
# Rate-limit new incoming connections per source IP with iptables
sudo iptables -A INPUT -p tcp --syn -m limit --limit 5/second --limit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROPFollow-up Questions
- What is a DNS amplification attack and why is it so effective?
- How do SYN cookies protect a server from a SYN flood without losing legitimate connections?
- What role does a CDN or scrubbing center play in absorbing volumetric attacks?
- How is an application-layer HTTP flood harder to distinguish from real traffic than a volumetric flood?
MCQ Practice
1. What primarily distinguishes a DDoS attack from a simple DoS attack?
DDoS traffic comes from many distributed sources simultaneously, unlike a single-source DoS attack.
2. What type of attack exhausts a server's connection-state table using incomplete TCP handshakes?
A SYN flood sends many SYNs without completing the handshake, exhausting connection-tracking resources.
3. What makes DNS amplification attacks especially damaging?
Attackers spoof the victim's IP in small DNS requests, causing large responses to flood the victim, multiplying attack bandwidth.
Flash Cards
What is a DDoS attack? — A distributed flood of traffic from many sources that overwhelms a target's bandwidth or resources.
Three DDoS attack categories? — Volumetric, protocol (e.g. SYN flood), and application-layer (e.g. HTTP flood) attacks.
What is an amplification attack? — A spoofed small request to an open resolver triggers a much larger response sent to the victim.
Common DDoS mitigations? — Traffic scrubbing/CDN, SYN cookies, rate limiting, and WAF/behavioral analysis.