
12 Types of DDoS Attacks: Traditional and Emerging Threats


Key takeaways

  • DDoS attacks use large distributed botnets to flood targets with traffic, making services unavailable to legitimate users
  • There are three main attack categories: volumetric for bandwidth saturation, protocol for resource exhaustion, and application layer for service disruption
  • Emerging threats such as Advanced Persistent DoS (APDoS), multi-vector campaigns, and zero-day exploits require real-time, adaptive defenses
  • Effective defenses combine layered security with firewalls, intrusion prevention systems and web application firewalls, plus traffic baselining, rate limiting and cloud based scrubbing services
  • Consistent patch management, resource redundancy and a rehearsed incident response plan help reduce downtime

What Is a DDoS Attack? 

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. These attacks exploit multiple compromised computer systems as sources of attack traffic. 

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources—potentially thousands of computers. These attacks use significant amounts of traffic to make services unavailable for legitimate users. This can involve a range of attack methods, characterized by the massive amount of data sent to or requested by the target. 

The motive behind a DDoS attack is often to render computer resources inaccessible, and these attacks can be financially damaging, disrupt business activities, and damage reputations. DDoS attacks are relatively easy and inexpensive to launch, but they can be challenging to defend against without proper mitigation strategies in place.

This is part of a series of articles about zero trust security.


How does a DDoS attack work? 

A DDoS attack is executed by forming a network of zombie computers, often referred to as a botnet, which are used to flood the target system with excessive requests, disrupting legitimate traffic processes. An attacker might infiltrate multiple systems using malware, gaining control over them without the users’ consent. 

These infected machines, under the attacker’s command, generate overwhelming traffic, causing the target server or network to become slow or unresponsive. Attackers might opt for various methods to amplify the attack’s impact. Techniques such as sending massive floods of requests, exploiting network protocols, or saturating bandwidth are common. 

DDoS attacks are hard to stop because of their distributed nature: the flood arrives from thousands of sources, so no single address can be blocked, and the malicious requests are mixed in with legitimate ones. Defending requires network defense systems that can distinguish harmful traffic from normal traffic and drop it quickly, without also dropping real users.

What are the common types of DDoS attacks?

These attacks fall into three main categories: volumetric, protocol, and application-layer attacks. OWASP’s guide to DoS attacks provides detailed explanations of these vectors.

Volumetric attacks

Volumetric attacks are the most common type of DDoS attacks. They consume the bandwidth of the target network or service by overwhelming it with massive amounts of traffic. This category of attacks exploits the sheer volume of data sent to the victim and is typically carried out by large-scale botnets.

1. UDP flood attacks

UDP flood attacks send a high volume of User Datagram Protocol (UDP) packets, usually with spoofed source addresses, to random or fixed ports on the target. For each packet the target checks whether an application is listening on that port and, when none is, replies with an ICMP Destination Unreachable message. At high packet rates this lookup-and-reply work exhausts CPU and upstream bandwidth, and the error replies themselves add outgoing load, so legitimate traffic is crowded out.

UDP floods exploit the stateless nature of UDP: because no handshake is needed, an attacker can emit thousands of packets per second without ever completing a connection, and the spoofed source addresses make the senders hard to trace. Defense requires monitoring network traffic for anomalies, rate-limiting or dropping UDP traffic to ports that serve nothing, and relying on network hardware or an upstream scrubbing service that can absorb the excess packets before they reach the server.

2. ICMP flood attacks

ICMP flood attacks, also known as ping floods, inundate a target with malicious internet control message protocol (ICMP) data packets. These attacks aim to exhaust both outgoing and incoming network bandwidth and processor resources, preventing legitimate network services. 

This attack exploits ICMP, particularly the “ping” operation, turning common network diagnostic tools into disruptive force multipliers by exceeding the network’s capacity to process incoming pings.

ICMP floods are handled by rate-limiting ICMP traffic and by firewall rules that identify and discard excessive pinging. Monitoring tools should flag unusual spikes in ICMP volume, and the firewall should drop ICMP the network does not need (for example, echo requests to addresses that should not be publicly pingable) while keeping the ICMP messages that legitimate operation depends on, such as Destination Unreachable and its Fragmentation Needed code used by path MTU discovery.

3. DNS amplification attacks

DNS amplification attacks are a refined form of volumetric attack that use open DNS resolvers to multiply the data directed at a target. The attacker sends DNS queries whose source IP address is spoofed to be the victim's, so the resolvers send their answers to the victim rather than to the attacker. The queries are chosen to produce answers many times larger than the query itself (large record sets or DNSSEC-signed zones, for example), so the victim is flooded with responses it never requested and its bandwidth saturates.

DNS amplification is dangerous because of its low input cost and high output effect: a small query from the attacker becomes a much larger response at the target, so a modest botnet can generate traffic volumes that would otherwise require far more attack resources. The victim sees traffic arriving from legitimate DNS servers, not from the attacker. Mitigation has two sides. Resolver operators should not answer recursive queries from the open internet and should deploy response rate limiting, and every network should implement source address validation (BCP 38) so spoofed packets never leave it. Targets should filter unsolicited DNS responses at the edge or through a scrubbing service.
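The volumetric and amplification signatures described above can be picked out of ordinary flow records. The following is an added example, not code from the original article: it baselines bytes-per-second toward a victim over a quiet period, flags seconds that sit far above the baseline, and separately lists hosts that are sending large UDP payloads from a service port (the reflector signature). The flow records, the victim address (from the TEST-NET-3 documentation range) and the thresholds are all constructed assumptions.

```python
"""Flag a volumetric flood and DNS amplification in NetFlow-style records.

Added example: this is not code from the original article. The flow records
are constructed, the victim address is from the TEST-NET-3 documentation
range, and the thresholds are assumptions a practitioner would tune.
Record layout: (second, src_ip, dst_ip, proto, src_port, dst_port, bytes, packets)
"""
from collections import defaultdict
from statistics import mean, pstdev

VICTIM = "203.0.113.10"


def build_flows():
    flows = []
    # Seconds 0-9: normal traffic, five HTTPS sessions per second, 1500 bytes each.
    for t in range(10):
        for i in range(5):
            flows.append((t, f"198.51.100.{i + 1}", VICTIM, "TCP", 40000 + i, 443, 1500, 3))
    # Seconds 10-12: 40 open resolvers each return a 3000-byte answer (3 fragments)
    # to a query the victim never sent; source port 53 is the reflector signature.
    for t in range(10, 13):
        for i in range(40):
            flows.append((t, f"192.0.2.{i + 1}", VICTIM, "UDP", 53, 40000 + i, 3000, 3))
    return flows


def bytes_per_second(flows, dst):
    """Total bytes delivered to dst in each one-second bucket."""
    bps = defaultdict(int)
    for t, _src, d, _proto, _sp, _dp, nbytes, _pkts in flows:
        if d == dst:
            bps[t] += nbytes
    return dict(bps)


def flag_spikes(bps, learn_seconds, z_threshold=3.0):
    """Baseline on the first learn_seconds, then report seconds whose volume sits
    more than z_threshold standard deviations above the mean."""
    learn = [bps.get(t, 0) for t in range(learn_seconds)]
    mu, sigma = mean(learn), pstdev(learn)
    sigma = max(sigma, 0.05 * mu, 1.0)  # a flat baseline would otherwise divide by zero
    return [t for t in sorted(bps)
            if t >= learn_seconds and (bps[t] - mu) / sigma > z_threshold]


def reflection_sources(flows, dst, service_port=53, min_bytes_per_packet=512):
    """Hosts sending large UDP payloads *from* a service port to dst.
    Legitimate DNS answers are small; big ones from many hosts at once mean
    the victim is being used as the spoofed source of amplification queries."""
    totals = defaultdict(lambda: [0, 0])
    for _t, src, d, proto, sp, _dp, nbytes, pkts in flows:
        if d == dst and proto == "UDP" and sp == service_port:
            totals[src][0] += nbytes
            totals[src][1] += pkts
    return sorted(src for src, (b, p) in totals.items() if b / p >= min_bytes_per_packet)


if __name__ == "__main__":
    flows = build_flows()
    bps = bytes_per_second(flows, VICTIM)
    print("spike seconds:", flag_spikes(bps, learn_seconds=10))
    print("reflectors:", len(reflection_sources(flows, VICTIM)))
```

The z-score check is deliberately crude: a production baseline would be built per protocol and per hour of day, and the learning window would be guarded so that an attack already in progress is not absorbed into "normal".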

Protocol attacks

Protocol attacks aim to exploit weaknesses in the protocols used for network communications to deplete the state resources of servers and intermediary communication equipment.

4. SYN flood attacks

SYN flood attacks abuse the TCP three-way handshake by overwhelming a target with SYN requests. Normally a client initiates a connection by sending a SYN, the server replies with a SYN-ACK and allocates state for the half-open connection, and the client completes the handshake with an ACK.

A SYN flood sends a stream of SYNs, typically from spoofed source addresses, and never sends the final ACK. The server holds each half-open connection in its listen backlog until it times out, so the backlog fills with connections that will never complete and new, legitimate SYNs are dropped.

Mitigation relies on SYN cookies, which encode the connection state in the server's initial sequence number so nothing has to be stored until the client's ACK arrives, together with larger backlog queues and shorter timeouts or early recycling for half-open connections. Rate-limiting SYNs per source at the edge and monitoring for an unusual ratio of SYNs to completed handshakes let systems shed hostile SYN traffic before it affects service.
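The following toy listener shows why SYN cookies work where a fixed backlog does not. It is an added example, not code from the original article or from any operating system kernel: the cookie layout (an 8-bit time slot plus a 24-bit truncated HMAC over the connection 4-tuple and the client's ISN) is a simplification of the real scheme, which also encodes the negotiated MSS, and the secret key and addresses are assumed.

```python
"""Why SYN cookies defeat a SYN flood, shown with a toy listener.

Added example, not code from the original article or any kernel. The cookie
layout (8-bit time slot + 24-bit truncated HMAC) is a simplification of the
real scheme, which also encodes the MSS; SECRET and the addresses are assumed.
"""
import hashlib
import hmac
import random

SECRET = b"per-boot-random-secret"   # a real kernel draws this at boot
SERVER = "203.0.113.10"


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, minute):
    """Server ISN that *is* the connection state: it commits to the 4-tuple,
    the client's ISN and a time slot, so nothing needs to be stored."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{minute}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((minute & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


def validate_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number,
                 now_minute, max_age=2):
    """The final ACK carries ack = server_isn + 1 and seq = client_isn + 1.
    Recover the slot, recompute the cookie for each recent minute, compare."""
    server_isn = (ack_number - 1) & 0xFFFFFFFF
    slot = server_isn >> 24
    for age in range(max_age + 1):
        minute = now_minute - age
        if (minute & 0xFF) != slot:
            continue
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, minute)
        if hmac.compare_digest(server_isn.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return True
    return False


class Listener:
    def __init__(self, backlog, syncookies):
        self.backlog = backlog
        self.syncookies = syncookies
        self.half_open = {}        # 4-tuple -> server ISN (classic mode only)
        self.established = set()

    def on_syn(self, tup, client_isn, minute):
        """Return the server ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if self.syncookies:
            return syn_cookie(*tup, client_isn, minute)  # reply, remember nothing
        if len(self.half_open) >= self.backlog:
            return None                                   # backlog full: SYN dropped
        self.half_open[tup] = random.getrandbits(32)
        return self.half_open[tup]

    def on_ack(self, tup, seq, ack, minute):
        if self.syncookies:
            ok = validate_ack(*tup, seq - 1, ack, minute)
        else:
            ok = tup in self.half_open and ack == (self.half_open[tup] + 1) & 0xFFFFFFFF
            if ok:
                del self.half_open[tup]
        if ok:
            self.established.add(tup)
        return ok


def simulate(syncookies, spoofed_syns=10_000, backlog=256):
    """Flood the listener with spoofed SYNs that are never ACKed, then see
    whether one legitimate client can still complete its handshake."""
    srv = Listener(backlog, syncookies)
    for i in range(spoofed_syns):
        spoofed = (f"10.{(i >> 16) & 0xFF}.{(i >> 8) & 0xFF}.{i & 0xFF}",
                   1024 + i % 60000, SERVER, 443)
        srv.on_syn(spoofed, client_isn=0, minute=100)
    tup = ("198.51.100.7", 51515, SERVER, 443)
    isn = srv.on_syn(tup, client_isn=777, minute=100)
    if isn is None:
        return False
    return srv.on_ack(tup, seq=778, ack=(isn + 1) & 0xFFFFFFFF, minute=101)


if __name__ == "__main__":
    print("classic backlog, legit client connected:", simulate(syncookies=False))
    print("SYN cookies, legit client connected:", simulate(syncookies=True))
```

The trade-off the kernel makes is visible here too: because the server keeps no state, anything that was only in the SYN (window scaling, SACK permitted) is lost unless TCP timestamps carry it, which is why Linux enables cookies only once the backlog overflows rather than for every connection.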

5. Ping of death

Ping of death attacks exploit a limit in the Internet Protocol: an IPv4 packet may be at most 65,535 bytes including headers. The attacker sends an ICMP echo request that, when reassembled from its fragments, exceeds that limit. Older IP stacks allocated a fixed reassembly buffer and did not check the total size, so the oversized payload overflowed the buffer and crashed or froze the host.

Legacy systems were susceptible to this; modern operating systems check fragment offsets and total length during reassembly and discard anything that would exceed the maximum. Network devices and firewalls add a second line of defense by scrutinizing fragment sizes and dropping oversized or malformed packets before they reach the host.

6. Smurf attack

Smurf attacks rely on IP directed broadcasts to flood a victim with traffic. The attacker sends ICMP echo requests to a network's broadcast address with the source address spoofed to be the victim's IP. Every host on that network that receives the broadcast replies, and all of those replies go to the victim, so one request is multiplied by the number of hosts on the amplifying network.

This reflection tactic only works when a network forwards directed broadcasts from outside, which is why defenses focus on disabling directed-broadcast forwarding on routers (the default recommended by RFC 2644) and configuring hosts not to respond to broadcast pings. Ingress filtering of spoofed source addresses at network edges removes the other half of the attack, since the forged victim address never leaves the attacker's network.

Application Layer Attacks

Application layer attacks target the top layer of the Open Systems Interconnection (OSI) model, focusing on services hosted on the application layer to disrupt the delivery of content to legitimate users.

7. HTTP flood attacks

HTTP flood attacks mimic typical web traffic by sending a large number of HTTP requests to a server. These requests, while potentially appearing legitimate, aim to overwhelm the application’s processing capabilities. 

HTTP floods use GET or POST requests to target web apps, depleting server resources and obstructing access to genuine users. Because the requests mimic standard user behavior, they prove difficult to discern without sophisticated traffic analysis tools.

Mitigating HTTP flood attacks involves deploying web application firewalls that can filter anomalous traffic and restrict excessive user requests. Behavioral analysis tools help identify abnormal traffic trends, allowing for adaptive security responses. 
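Per-source rate limiting is the first control most teams deploy against HTTP floods, and the "adaptive" variant mentioned in the expert tips later on this page is a small extension of it. The following is an added example, not code from the original article or from any product: a token bucket per client IP, plus an aggregate-load signal that raises the token cost of every request once the site is over its configured capacity, so the chattiest sources are throttled first. The traffic, the capacity figure and the per-IP rates are constructed assumptions.

```python
"""Per-source token buckets with adaptive cost under overload.

Added example, not from the original article. The botnet traffic, the real
user's traffic and the backend capacity below are constructed assumptions.
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate            # tokens added per second
        self.burst = burst          # bucket capacity
        self.tokens = float(burst)
        self.last = None

    def allow(self, now, cost=1.0):
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class AdaptiveLimiter:
    """One bucket per IP. Aggregate load is measured per window; when it exceeds
    the capacity the backend is sized for, every request costs more tokens."""

    def __init__(self, per_ip_rate=10, burst=20, capacity=1000, window=1.0):
        self.capacity = capacity    # requests/s the backend can serve (assumed)
        self.window = window
        self.buckets = defaultdict(lambda: TokenBucket(per_ip_rate, burst))
        self.window_start = 0.0
        self.window_count = 0
        self.pressure = 1.0         # token cost per request; rises above 1 under overload

    def check(self, ip, now):
        if now - self.window_start >= self.window:
            load = self.window_count / self.window
            self.pressure = max(1.0, load / self.capacity)
            self.window_start = now
            self.window_count = 0
        self.window_count += 1
        return self.buckets[ip].allow(now, cost=self.pressure)


def constructed_traffic(bots=200, bot_rps=50, seconds=2):
    """(time, ip) events: a botnet sending bot_rps each, plus one real user at 2 req/s."""
    events = []
    for b in range(bots):
        ip = f"192.0.2.{b + 1}"
        for k in range(bot_rps * seconds):
            events.append((k * (1000 // bot_rps) / 1000, ip))
    for k in range(2 * seconds):
        events.append((k * 0.5, "198.51.100.7"))
    events.sort()
    return events


def run(events, limiter=None):
    """Return {ip: (allowed, seen)} after feeding every event through the limiter."""
    limiter = limiter or AdaptiveLimiter()
    allowed = defaultdict(int)
    seen = defaultdict(int)
    for now, ip in events:
        seen[ip] += 1
        if limiter.check(ip, now):
            allowed[ip] += 1
    return {ip: (allowed[ip], seen[ip]) for ip in seen}


if __name__ == "__main__":
    result = run(constructed_traffic())
    print("real user allowed/seen:", result["198.51.100.7"])
    bot_allowed = sum(a for ip, (a, _) in result.items() if ip.startswith("192.0.2."))
    print("bot requests allowed:", bot_allowed, "of", 200 * 100)
```

The caveat is the one the paragraph above hints at: a botnet of thousands of addresses each sending a few requests per second stays under any per-IP threshold, and only the aggregate signal (or behavioral analysis of what the requests do) will catch it. Rate limiting buys time; it is not the whole defense.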

8. Slowloris

Slowloris is a distinctive application-layer attack that keeps web servers occupied by holding connections open as long as possible. It opens many connections and sends a partial HTTP request on each, then trickles out additional header lines at intervals, just often enough to keep the server waiting for the request to finish.

Because each connection is nearly idle, total bandwidth stays low and traditional firewall rules see nothing unusual, yet the server's pool of worker threads or connection slots fills up with unfinished requests, and legitimate clients can no longer connect. Servers that dedicate a thread to each connection are the most exposed.

Protection requires application-layer controls that monitor and bound incomplete requests: a deadline for receiving the full request header, a minimum data rate while the request is arriving, and a cap on simultaneous connections from a single IP. Placing a reverse proxy or load balancer that buffers complete requests in front of the application server, and raising the number of simultaneous connections the server can handle, further blunt the attack.
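The three controls just listed reduce to a decision a server makes about each half-received request. The following is an added example, not code from the original article or from any web server: it applies a header deadline, a minimum byte rate (judged only after a short grace period so real clients on slow links are not punished on connect) and a per-source cap on pending connections to a constructed table of connections. The thresholds are assumptions; Apache's mod_reqtimeout and nginx's client_header_timeout enforce the same kind of limits in practice.

```python
"""Which half-received HTTP connections a server should drop.

Added example, not from the original article or any web server's code.
Thresholds and connection records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

HEADER_DEADLINE = 20.0  # seconds allowed to finish the request header (assumed)
MIN_RATE = 50.0         # bytes/second a real client easily exceeds (assumed)
RATE_GRACE = 5.0        # do not judge a connection's rate before it is this old
PER_IP_MAX = 10         # pending (header-incomplete) connections per source


@dataclass
class Conn:
    ip: str
    opened: float          # time the connection was accepted
    bytes_received: int    # request bytes received so far
    header_complete: bool  # blank line ending the header seen?


def should_close(conn, now):
    """Reason to close a single connection, or None to keep waiting."""
    if conn.header_complete:
        return None
    age = now - conn.opened
    if age > HEADER_DEADLINE:
        return "header-deadline"
    if age >= RATE_GRACE and conn.bytes_received / age < MIN_RATE:
        return "too-slow"
    return None


def reap(conns, now):
    """Map index -> reason for every connection to close. Sources that still hold
    more than PER_IP_MAX pending connections lose their newest ones."""
    decisions = {}
    pending = defaultdict(list)
    for i, c in enumerate(conns):
        reason = should_close(c, now)
        if reason:
            decisions[i] = reason
        elif not c.header_complete:
            pending[c.ip].append((c.opened, i))
    for conns_for_ip in pending.values():
        conns_for_ip.sort()                      # oldest first; keep those
        for _opened, i in conns_for_ip[PER_IP_MAX:]:
            decisions[i] = "per-ip-limit"
    return decisions


def constructed_connections():
    conns = [
        Conn("198.51.100.7", 29.0, 540, True),   # 0: real client, header done
        Conn("198.51.100.8", 28.0, 40, False),   # 1: real client, too young to judge
        Conn("192.0.2.66", 5.0, 900, False),     # 2: attacker, 25 s without finishing
        Conn("192.0.2.66", 18.0, 100, False),    # 3: attacker, trickling ~8 bytes/s
    ]
    # 4-15: the attacker keeps the rate just high enough to pass the per-connection
    # checks, so only the per-source cap catches the two newest of these twelve.
    conns += [Conn("192.0.2.66", 15.0 + k * 0.1, 900, False) for k in range(12)]
    return conns


if __name__ == "__main__":
    for idx, why in sorted(reap(constructed_connections(), now=30.0).items()):
        print(f"close connection {idx}: {why}")
```

Note what the per-IP cap cannot do: a distributed Slowloris spreads its connections over many sources, so the deadline and minimum-rate rules carry most of the weight, and the safest architecture is one where the thread-per-connection server never sees a request until a buffering proxy has received all of it.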

9. ReDoS (Regular Expression Denial of Service)

ReDoS attacks exploit the backtracking behavior of regular expression engines during input validation. A pattern with ambiguous or nested quantifiers (for example (a+)+) can force the engine to try an exponential number of ways to match an input that almost matches, consuming the CPU for seconds or minutes on a single request. ReDoS therefore targets the specific inputs that trigger this catastrophic backtracking, slowing processing until the service tips into a denial of service state. 

Unlike a volumetric flood, the attack needs very little traffic, since one crafted input can occupy a worker indefinitely. Defending against ReDoS involves rewriting patterns so each input can match in only one way, limiting input length before it reaches the regex, reviewing high-risk expressions during code review, and, where available, using a regex engine that guarantees linear-time matching or supports a match timeout. 
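The exponential blow-up and its fix are easy to see side by side. The following is an added example, not code from the original article: a nested-quantifier pattern is timed against a constructed near-miss input at two lengths, the same check is rewritten without the ambiguity, and a hardened validator puts a length cap in front of the regex. Absolute timings depend on the machine, so the code reports the growth ratio between the two input sizes rather than raw seconds; the pattern, input and cap are constructed assumptions.

```python
"""Catastrophic backtracking next to a hardened validator.

Added example, not from the original article. The pattern, the input and the
length cap are constructed; timings depend on the machine, so only the growth
ratio between two input sizes is meaningful.
"""
import re
import time

# Nested quantifier: for "aaaa...!" the engine tries every way of splitting the
# a's between the inner and outer repeat before it can fail, about 2^n attempts.
VULNERABLE = re.compile(r"^(a+)+$")
# Same language with no ambiguity: each character is consumed exactly one way.
SAFE = re.compile(r"^a+$")
MAX_LEN = 1000  # assumed cap; bounds the worst case even if a bad pattern slips in


def attack_input(n):
    """Almost matches, then fails on the final character: the worst case."""
    return "a" * n + "!"


def timed_match(pattern, text, runs=5):
    """Return (matched, seconds), taking the fastest of a few runs to reduce jitter."""
    best = float("inf")
    matched = False
    for _ in range(runs):
        start = time.perf_counter()
        matched = pattern.match(text) is not None
        best = min(best, time.perf_counter() - start)
    return matched, best


def growth_ratio(pattern, small=10, large=18):
    """How much longer a failing match takes when the input grows by 8 characters:
    close to 1 for a linear pattern, in the hundreds for an exponential one."""
    _, t_small = timed_match(pattern, attack_input(small))
    _, t_large = timed_match(pattern, attack_input(large))
    return t_large / max(t_small, 1e-9)


def validate_hardened(text):
    """Length cap first, then the unambiguous pattern."""
    if len(text) > MAX_LEN:
        return False
    return SAFE.match(text) is not None


if __name__ == "__main__":
    print(f"vulnerable pattern: x{growth_ratio(VULNERABLE):.0f} slower for +8 chars")
    print(f"safe pattern:       x{growth_ratio(SAFE):.1f} slower for +8 chars")
    print("hardened accepts 'aaaa':", validate_hardened("aaaa"))
    print("hardened rejects 5000 chars:", validate_hardened("a" * 5000))
```

Python 3.11 and later also offer possessive quantifiers (a++) and atomic groups ((?>...)) that stop the engine from backtracking into a completed repeat, and engines such as RE2 or Rust's regex crate are linear by construction; either is a better answer than hoping a reviewer spots every nested quantifier.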

Related content: Read our guide to user management

Tips from the expert:


Anthony Dombrowski Developer Relations

Anthony Dombrowski is a product manager and developer advocate with expertise in developer experience, cybersecurity, and product strategy. He has led initiatives at Ping Identity and DevNetwork to enhance developer tools, authentication processes, and user experiences.


  • Deploy a layered security approach: Combine anti-DDoS solutions at multiple layers, such as network firewalls, intrusion prevention systems (IPS), and web application firewalls (WAF). This multilayered defense helps detect and mitigate attacks at different stages and across all network layers.
  • Utilize traffic baselining and anomaly detection: Implement solutions that baseline normal traffic patterns to quickly identify anomalies indicative of a DDoS attack. Advanced behavioral analysis tools can flag unusual spikes in traffic or protocol misuse.
  • Use blackholing judiciously: Employ “blackholing” as a last resort to drop all traffic to a target under heavy attack. While it renders the target temporarily inaccessible, it prevents the attack from affecting other parts of the network.
  • Enable rate limiting at entry points: Where applicable, configure routers and firewalls to limit the rate of incoming traffic from a single IP or subnet. This prevents volumetric attacks from overwhelming your infrastructure. Adaptive rate limiting can dynamically adjust thresholds during an attack.
  • Diversify upstream providers: Use multiple internet service providers (ISPs) to create redundant pathways. This prevents single points of failure and makes it harder for attackers to saturate all available bandwidth.

Emerging DDoS attack trends 

10. Advanced Persistent DoS (APDoS)

APDoS campaigns are characterized by prolonged and intense disruptive efforts. These sophisticated attacks involve multivector DDoS techniques, sustained over extended periods, aiming for a debilitating impact on targeted services. APDoS attacks combine high-volume traffic inundation with tactical strikes on critical network infrastructure.

The persistence and complexity of APDoS require extensive network traffic analysis and advanced blocking mechanisms to defend networks. Adapting quickly to evolving attack patterns through intelligent systems capable of real-time threat response ensures the resilience of critical services against such sustained malicious operations.

11. Multi-vector attacks

Multi-vector attacks use various DDoS strategies simultaneously or in sequence to overwhelm defenses. By exploiting multiple weaknesses, attackers increase effectiveness and difficulty in mitigation. These attacks can combine volumetric, protocol, and application layer techniques, targeting different facets of a network to maximize disruption and bypass standard mitigation.

Defense against multi-vector attacks requires security measures across all network layers. Implementing multi-tier security solutions capable of dynamic reconfiguration in response to varied threats is vital. 

12. Zero-day DDoS attacks

Zero-day DDoS attacks exploit unpatched vulnerabilities previously unknown to the victim or security vendors, executing attacks before countermeasures are developed. The novelty and unpreparedness linked to these exploits allow attackers to capitalize on gaps in security systems, delivering unexpected, and often severe, impact without prior warning.

Effective mitigation strategies for zero-day DDoS attacks require developing a rapid incident response approach, ensuring constant system monitoring, and keeping up to date with all viable security updates. Staying alert to emerging threats and vulnerabilities via threat intelligence networks enables quicker adaptation and proactive defense against unforeseen exploits.

Related content: Read our guide to vulnerability assessment

Best practices to prevent DDoS Attacks 

Organizations can protect their networks against DDoS attacks by using the following practices.

1. Implement redundant network resources

Having redundant network resources ensures continuous operation despite attacks. These resources, like multiple servers or network paths, offer alternative routes for regular traffic, minimizing attack impact. Redundancy strengthens system resilience, acting like a safety net, allowing service continuity while one aspect is affected by a spike in activity.

Detailed capacity planning and scalable architectures make redundancy possible, and regular failover testing confirms that the standby infrastructure actually holds up under a high-volume flood. Beyond countering DDoS, this redundancy improves general operational stability during lesser network disruptions.

2. Use anti-DDoS hardware and software solutions

Deploying dedicated anti-DDoS hardware and software solutions provides targeted protection. Specialized devices handle and filter incoming traffic, offloading the burden from main servers. These tools detect and neutralize attack traffic, defending against large-scale disruptions without interrupting legitimate service use. 

Investment in these technologies requires thorough network analysis to identify weak points and configure adequate defenses. Continuous solution updates and calibrations enable adapting to emerging threats, improving protection levels. 

3. Use cloud-based DDoS protection services

Cloud-based DDoS protection services offer extensive resources to absorb and mitigate attack traffic across distributed global networks. These services direct malicious inflows into expansive datacenters equipped to handle high volumes, preserving target bandwidth and maintaining service accessibility. 

With scalable resources, cloud defenses counter varied DDoS methods quickly, absorbing attacks far larger than on-premises capacity and keeping services operating. Organizations should select a provider whose service matches their needs: time to mitigation, whether protection is always-on or activated on demand, and coverage of the application-layer attacks their services are exposed to. Cloud solutions often include continual threat intelligence updates, keeping defenses aligned with emerging attacks. 

4. Establish a response plan

A response plan outlines systematic procedures during DDoS incidents, guiding response actions and communications. Having predefined roles and responsibilities enables fast, coordinated mitigation and recovery efforts. Plans include communication strategies, automated recovery procedures, and stakeholder notification lists, ensuring everyone knows their function under attack conditions.

Regularly revisiting and testing the response plan keeps it effective and aligned with the current threat landscape. Rehearsing simulated incidents builds internal readiness, improving confidence and competence in the response so that disruption and downtime are minimized. 

5. Regularly update and patch systems

Regular updates and patch installations keep systems protected against known vulnerabilities. Ensuring all software components, from operating systems to applications, receive timely patches closes security gaps, preventing exploitation by DDoS and associated vectors. 

Efficient patch management requires diligent tracking of vendor updates and prompt testing for safe application to minimize service interruptions. Automated solutions simplify this process, ensuring consistency and rapid response. Adherence to regular update schedules further bolsters resiliency.

NIST outlines these strategies in more depth, covering both prevention and incident response.

Where Frontegg fits in

By offloading routine identity operations from developers to other stakeholders—like security, product, and customer success teams—Frontegg helps minimize the bottlenecks that often delay critical updates and policy changes.

With built-in features like MFA enforcement, SSO configuration, and real-time access controls, security teams can proactively close gaps without relying on engineering to implement every change. Developers get to focus on product innovation. Everyone gets a faster path to security readiness.

Because in today’s threat landscape, the best defense isn’t just blocking traffic. It’s distributing responsibility so every team can move faster when it counts.

Glossary of terms used in the article

  • UDP: User Datagram Protocol, a connectionless network protocol used for fast transmissions
  • APDoS: Advanced Persistent Denial of Service, a sustained multivector DDoS attack
  • WAF: Web Application Firewall, filters and monitors HTTP traffic to and from a web app
  • SYN: Synchronize, the first step in a TCP handshake used to establish a connection
  • ICMP: Internet Control Message Protocol, used for diagnostic functions like ping
  • DNS: Domain Name System, translates domain names to IP addresses
  • ReDoS: Regular Expression Denial of Service, exploits regex to exhaust server resources
