How DDoS Attacks Work: A Simple Breakdown

A Distributed Denial of Service attack has one goal: make your service unavailable. The 'distributed' part means the attack comes from many sources simultaneously, which makes simple IP blocking useless.

The three types

  • Volumetric (Layer 3/4): raw bandwidth floods. UDP floods, DNS amplification, ICMP floods. Measured in Gbps or Tbps. Goal: saturate your network pipe.
  • Protocol (Layer 4): exploit weaknesses in TCP/IP. SYN floods exhaust server connection tables. Measured in packets per second.
  • Application (Layer 7): valid HTTP requests targeting expensive endpoints. Measured in requests per second. Hardest to distinguish from real traffic.

Why they're increasingly common

Botnets are cheap to rent. Volumetric attack tools are freely available. For a few dollars, anyone can direct hundreds of gigabits at a target. And with Layer 7 attacks, you don't even need much bandwidth: a few thousand requests per second to a login endpoint can take down an app.

The basic defense architecture

Layer 3/4 attacks are filtered at the network level, using anycast routing to spread the traffic across many PoPs so that no single location has to absorb it all. Layer 7 attacks need behavioral analysis and rate limiting at the application layer. Karbon handles Layer 7 as a reverse proxy, scoring and shedding attack traffic before it reaches your origin.
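
To make the Layer 7 rate-limiting idea concrete, here is an added example (not from the original post and not Karbon's code): a cost-weighted token bucket per client, plus a shared budget per expensive endpoint so that a flood spread across many IPs is still shed. The endpoint costs, limits, class names and sample addresses are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed relative cost of each endpoint; expensive ones drain budget faster.
ENDPOINT_COST = {"/login": 5.0, "/search": 3.0}
DEFAULT_COST = 1.0

@dataclass
class TokenBucket:
    rate: float        # tokens refilled per second
    capacity: float    # largest burst the bucket allows
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = self.capacity  # start full

    def take(self, cost: float, now: float) -> bool:
        # Refill for elapsed time (never negative), capped at capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

class Layer7Limiter:
    """Per-client budget plus a shared budget per expensive endpoint."""
    def __init__(self, client=(2.0, 10.0), endpoint=(20.0, 100.0)):
        self.client_cfg, self.endpoint_cfg = client, endpoint  # (rate, capacity)
        self.clients, self.endpoints = {}, {}

    def allow(self, client_ip: str, path: str, now: float) -> bool:
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        client = self.clients.setdefault(client_ip, TokenBucket(*self.client_cfg))
        if not client.take(cost, now):
            return False  # one noisy source: shed at the per-client limit
        if cost == DEFAULT_COST:
            return True
        # Many quiet sources on one expensive endpoint: shared budget sheds the excess.
        shared = self.endpoints.setdefault(path, TokenBucket(*self.endpoint_cfg))
        return shared.take(cost, now)

def simulate():
    """Constructed traffic; returns requests allowed in each scenario."""
    lim = Layer7Limiter()
    single = sum(lim.allow("203.0.113.7", "/", 1.0) for _ in range(30))
    spread = sum(lim.allow(f"198.51.100.{i}", "/login", 1.0) for i in range(100))
    return single, spread
```

In the second scenario no individual address exceeds its own limit, which is why per-IP limiting alone does not stop a distributed flood against a login endpoint.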