In this article, we explain how DDoS attacks work, what forms they take, how they differ from classic DoS, what the consequences are for companies, and what protective measures are worth implementing.
Table of Contents
- What is a DDoS attack and how does it work
- The most common types of DDoS attacks
- How does DDoS differ from DoS?
- Why DDoS is dangerous – consequences for companies
- How to recognize that a DDoS attack is in progress
- Which industries are the most common targets of DDoS attacks?
- The most notorious DDoS attacks of recent years
  - 2020 – New Zealand: NZX stock exchange paralyzed
  - 2021 – Record-breaking attacks on Cloudflare, Google, and Amazon
  - 2022 – Yandex: largest application attack in history
  - 2022–2023 – Poland under fire from NoName057(16)
  - 2023 – Cloudflare record: 201M RPS
  - 2025 – Record-breaking attack in Poland (~1.3 Tbps)
  - Lessons from recent years
- Is a DDoS attack legal? What does the law say
- How to report a DDoS attack and where to seek help
- Basic protective measures against DDoS attacks
- Summary and conclusions
- FAQ
What is a DDoS attack and how does it work
A DDoS attack (Distributed Denial of Service) is one of the most dangerous forms of cyberattack, consisting of overloading network infrastructure, a server, or an application with massively generated traffic. In practice, this means that legitimate users cannot access services because the system’s resources are “flooded” with artificially generated requests.
How it works
Most often, the attacker does not act alone. They use a so-called botnet – a network of computers and devices (e.g. routers, IP cameras, printers, or IoT devices) that have previously been infected with malware and can be remotely controlled by the attacker. Each of these devices sends a relatively small stream of traffic, but the cumulative effect of thousands or millions of such sources overwhelms the victim’s server and makes it unavailable.
We can distinguish several levels at which a DDoS attack causes effects:
- Network infrastructure – clogging the internet link.
- System layer – overloading CPU, RAM, connection tables.
- Application layer – “normal-looking” HTTP/HTTPS requests which, in huge numbers, cause application or database failure.
Evolution of attacks
Just over a decade ago, DDoS mostly meant simple floods of ICMP or UDP packets. Today, multi-vector attacks dominate, combining different techniques simultaneously, as well as attacks aimed at the application layer. They are often difficult to distinguish from legitimate traffic – for example, they may look like ordinary requests from users visiting a website.
Current DDoS attacks are increasingly sophisticated, automated, and harder to stop, because they use, among other things, amplification mechanisms (increasing traffic by means of intermediary servers) and dynamically changing attack vectors.
Impact on users
From the perspective of a person using a given service, a DDoS attack may mean:
- inability to open a website,
- 503 errors or overload messages,
- extended system response time,
- complete unavailability of the service.
Such symptoms are the first signal that the infrastructure may have become the target of an attack.
The most common types of DDoS attacks
Not every DDoS attack looks the same. Different techniques have different objectives, exploit different vulnerabilities, and require varied defense methods. Understanding the types of attacks is crucial, as it allows you to prepare for them in an informed and multilayered way.
Flooding – volumetric attacks (layers 3 and 4 of the OSI model)
This is the oldest and still one of the most common forms of DDoS. It consists of flooding the victim with packets (e.g. TCP SYN, UDP, or ICMP) in such quantity that the link or server cannot keep up with processing them.
- SYN Flood – sending a huge number of TCP connection initiation requests that are never finalized. The server creates “half-open” sessions and quickly exhausts its resources.
- UDP Flood – the attacker sends UDP packets to random ports, forcing the server to respond with ICMP “Port Unreachable” messages.
- ICMP Flood (Ping Flood) – massive sending of ICMP Echo requests, which clog the link and overload network devices.
This type of attack is responsible for the largest traffic volumes (measured in Tbps) according to Cloudflare and Netscout reports from recent years.
Amplification and Reflection – amplifying the attack
This is a more sophisticated method, in which the attacker uses intermediary servers to magnify the power of the attack.
- The attacker sends a small request to a vulnerable server (e.g. DNS, NTP, SSDP, Memcached), spoofing the victim’s IP address.
- The server responds with a much larger packet, sending it directly to the victim.
- The result: the attacker puts in minimal effort, and the victim receives massive traffic.
The record-breaking attack on GitHub in 2018 (1.35 Tbps) was the result of amplification using Memcached servers.
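A defender-side check for the reflection pattern described above, as an added example that is not part of the original article: it flags inbound UDP responses from the reflector services named in the list (DNS, NTP, SSDP, Memcached) that no internal host ever requested. The flow-record fields, the sample records, and the thresholds are constructed assumptions, not a real NetFlow schema.

```python
import ipaddress
from collections import defaultdict, namedtuple

# UDP source ports of the reflector services named in the text.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}

# Simplified flow record (hypothetical fields for this example).
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto nbytes")


def find_unsolicited_responses(flows, internal_cidr, min_sources=3, min_bytes=10_000):
    """Return {(victim_ip, service): {"sources": n, "bytes": total}}.

    A response counts as unsolicited when the same window holds no outbound
    flow from the internal host to that server and port. Spoofed requests
    never leave the victim's network, so reflected replies have no match.
    """
    net = ipaddress.ip_network(internal_cidr)

    def is_internal(ip):
        return ipaddress.ip_address(ip) in net

    # Requests internal hosts really sent: (client, server, server_port).
    requested = {
        (f.src_ip, f.dst_ip, f.dst_port)
        for f in flows
        if f.proto == "udp" and is_internal(f.src_ip)
    }

    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if not is_internal(f.dst_ip):
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in requested:
            continue  # answer to a query we actually made
        key = (f.dst_ip, REFLECTOR_PORTS[f.src_port])
        sources[key].add(f.src_ip)
        volume[key] += f.nbytes

    # Many distinct servers plus high volume separates reflection from noise.
    return {
        key: {"sources": len(sources[key]), "bytes": volume[key]}
        for key in sources
        if len(sources[key]) >= min_sources and volume[key] >= min_bytes
    }


def sample_flows():
    """Constructed flow records using documentation address ranges."""
    flows = [
        # Legitimate DNS lookup and its answer.
        Flow("192.0.2.10", 40000, "198.51.100.53", 53, "udp", 80),
        Flow("198.51.100.53", 53, "192.0.2.10", 40000, "udp", 300),
        # One stray NTP reply: a single small source, below both thresholds.
        Flow("203.0.113.200", 123, "192.0.2.20", 51000, "udp", 90),
    ]
    # Four Memcached servers answering requests that 192.0.2.20 never sent.
    for i in range(1, 5):
        flows.append(
            Flow(f"203.0.113.{i}", 11211, "192.0.2.20", 50000 + i, "udp", 50_000)
        )
    return flows


if __name__ == "__main__":
    for (victim, service), stats in find_unsolicited_responses(
        sample_flows(), "192.0.2.0/24"
    ).items():
        print(victim, service, stats)
```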
Application layer attacks (layer 7 of the OSI model)
These are the most dangerous attacks, because they are the hardest to distinguish from normal traffic. Instead of simple packets, they generate legitimate HTTP/HTTPS requests which, in huge numbers, overload:
- application servers,
- databases,
- APIs.
Example: hundreds of thousands of “GET /” requests to an online store’s homepage. Each looks like a normal user visit, but at scale it causes the entire application to crash.
This category also includes “low & slow” attacks, such as Slowloris, where the attacker opens HTTP connections and keeps them open for a long time, sending minimal amounts of data to keep server resources occupied.
Exploits and protocol attacks
Sometimes DDoS is not about volume, but about exploiting flaws in the implementation of network protocols.
- IP packet fragmentation – sending fragmented, incomplete packets that the server must try to reassemble, which consumes its resources.
- Unusual TCP flags – e.g. Xmas Tree attacks, which send packets with unusual flag combinations that cause errors in the TCP/IP stack's packet handling.
Although less spectacular in terms of volume, they can be just as effective, as they hit weak points of the infrastructure.
Multi-vector attacks
More and more often attackers do not limit themselves to a single technique. Within one attack they may combine:
- flooding (packet floods),
- amplification (e.g. via DNS),
- and application layer attacks (HTTP flood).
Such a combination makes defense much more difficult: while the company blocks one vector, the others continue to paralyze the infrastructure. According to Netscout reports, in 2022 more than 70% of major attacks were multi-vector in nature.
How does DDoS differ from DoS?
The terms DoS and DDoS are sometimes used interchangeably, but the difference between them is fundamental. Although both have the same goal – to disrupt the operation of an online service – they differ in scale, execution method, and difficulty of defense.
DoS – Denial of Service
A DoS attack is the simplest form of an attack on service availability. It is usually conducted from a single source, e.g. a computer or server controlled by the attacker. In practice, it looks like this:
- a single machine sends a huge number of requests to the server,
- the server quickly becomes overloaded and stops responding,
- the attack is relatively easy to detect and block (e.g. by cutting off traffic from a specific IP address).
An analogy could be a situation where one person stands at a store checkout and constantly asks the cashier questions, preventing other customers from being served.
DDoS – Distributed Denial of Service
A DDoS attack is a distributed attack on service availability, carried out from many sources simultaneously. Most often, a botnet is used – a network of thousands of infected computers, routers, or IoT devices.
- traffic comes from different IP addresses, countries, and networks,
- the scale of the attack can be gigantic, often measured in terabits per second,
- distinguishing “bad” traffic from legitimate requests is much more difficult.
An analogy is a crowd of people storming a store entrance – even if one customer behaves normally, the staff is unable to handle the entire mass of people at once.
Key differences: DoS vs DDoS
Feature | DoS | DDoS |
---|---|---|
Source of attack | Single device | Multiple devices (botnet) |
Scale | Limited | Huge, often global |
Defense difficulty | Relatively easy (e.g. IP blocking) | Difficult – traffic comes from many sources |
Attack cost | Low | Often requires renting a botnet or DDoS-for-hire service |
Duration | Usually shorter | Can last hours, days, or even weeks |
Why does this difference matter?
Understanding the difference is crucial for companies and administrators, because defense strategies for DoS and DDoS differ.
- In the case of DoS, a quick reaction is usually enough – blocking traffic from a single source.
- In the case of DDoS, more advanced mechanisms are needed: flow analysis, filtering, traffic distribution, integration with external scrubbing centers.
Why DDoS is dangerous – consequences for companies
DDoS attacks belong to the category of threats that have a direct and immediate impact on business operations. Unlike many security incidents that may remain unnoticed for a long time (e.g. data theft), the effects of DDoS are visible right away: the website doesn’t work, the application crashes, customers cannot complete transactions.
Financial losses
The cost of downtime for online services is counted in thousands, and in some industries – in hundreds of thousands of dollars per minute. According to a Netscout report, the average cost of one hour of system unavailability in the financial or e-commerce sector can reach even USD 300–500k. On top of that come additional expenses:
- emergency support from external providers,
- overtime and reallocating IT team resources,
- investments in strengthening security afterwards.
Loss of reputation and customer trust
Even if the attack is short, customers remember the issue. In industries such as banking, online retail, or SaaS, constant availability is the foundation of trust.
- If online banking stops working during peak hours, users begin to question its reliability.
- If an online store is unavailable on Black Friday, customers go to the competition – and often do not return.
Research shows that about 40% of users, after experiencing an outage, prefer to switch to a competitor’s services – even if they had been loyal customers before.
Operational problems
DDoS also means an enormous burden on IT and SOC/NOC teams.
- Administrators must react immediately, which means halting other projects and strategic activities.
- It is often necessary to involve additional specialists or external support.
- Multi-vector attacks may require continuous adjustment of filter rules and monitoring for many hours or even days.
This not only means costs, but also the risk of errors resulting from working under pressure.
Legal and regulatory risk
For organizations providing critical services (e.g. energy, telecommunications, public administration), DDoS may also mean regulatory consequences.
- Under the Act on the National Cybersecurity System (KSC) and the NIS2 directive, operators of essential services are obliged to report incidents.
- Failure to fulfill these obligations carries financial penalties.
- In the financial sector, an outage may also be treated as a breach of supervisory requirements (e.g. KNF in Poland).
Business conclusions
DDoS is no longer an “administrator’s problem.” It is a real threat to financial results, brand reputation, and regulatory compliance. Therefore, decisions regarding protection against such attacks must be made at the board and CIO/CISO level – not only within the IT department.
How to recognize that a DDoS attack is in progress
One of the biggest challenges with DDoS attacks is that at first glance they can look like an ordinary failure or a sudden spike in service popularity. In practice, however, there are a number of characteristic signals that make it possible to distinguish an attack from natural traffic fluctuations.
Typical technical symptoms
- Sudden and sharp spike in network traffic – incoming traffic to servers or applications increases unnaturally, often within a few minutes.
- Server errors and timeouts – users see overload messages (e.g. error 503 – Service Unavailable), applications slow down or stop responding altogether.
- High resource utilization – sudden increase in CPU load, RAM usage, or TCP connection tables on servers.
- Unusual sources of requests – sudden influx of traffic from regions that previously did not generate significant traffic (e.g. exotic countries).
- Problems with dependent services – e.g. databases, DNS, or APIs start responding slower or stop working.
Difference between an attack and a surge in popularity
An increase in the number of users (e.g. during a marketing campaign or promotion) also causes greater load, but it can be recognized:
- traffic comes from predictable sources (e.g. the target country of the campaign),
- the increase is gradual, not sudden and steep,
- the structure of requests is more diverse, not repetitive.
By contrast, a DDoS attack is often characterized by:
- uniformity of traffic (e.g. repetitive GET requests),
- multiple sources (botnet),
- no connection with marketing or seasonal events.
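Two of the distinguishing signals above, how steeply traffic rises and how repetitive the requests are, can be computed directly from request logs. The following is an added example, not code from the original article; the sample logs, the path names, and the thresholds are constructed assumptions, and the source-geography signal is left out because it needs GeoIP data.

```python
import math
from collections import Counter

# Constructed page mix for ordinary storefront visits.
SHOP_PATHS = ["/", "/sale", "/product/1", "/product/2", "/cart", "/checkout"]


def build_requests(per_minute, paths_for_minute):
    """Constructed sample log: (minute, path) tuples cycling over the paths."""
    requests = []
    for minute, count in enumerate(per_minute):
        paths = paths_for_minute(minute)
        requests.extend((minute, paths[i % len(paths)]) for i in range(count))
    return requests


def shannon_entropy_bits(items):
    """Entropy of the value distribution; 0 bits means every item is identical."""
    counts = Counter(items)
    total = sum(counts.values())
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return max(0.0, h)  # normalise -0.0 to 0.0


def classify(requests, max_growth=3.0, min_entropy_bits=1.0):
    """Score a log window on ramp steepness and request uniformity."""
    if not requests:
        raise ValueError("empty log window")
    per_minute = Counter(minute for minute, _ in requests)
    minutes = sorted(per_minute)

    # Steepest minute-over-minute growth: gradual for campaigns, abrupt for floods.
    growth = max(
        (per_minute[b] / per_minute[a] for a, b in zip(minutes, minutes[1:])),
        default=1.0,
    )

    # Diversity of requested paths during the busiest minute.
    peak = max(minutes, key=lambda m: per_minute[m])
    entropy = shannon_entropy_bits(p for m, p in requests if m == peak)

    steep = growth > max_growth
    uniform = entropy < min_entropy_bits
    if steep and uniform:
        verdict = "attack-like"
    elif steep or uniform:
        verdict = "needs review"
    else:
        verdict = "surge-like"
    return {
        "growth": round(growth, 2),
        "entropy_bits": round(entropy, 2),
        "verdict": verdict,
    }


# Constructed scenario 1: a promotion ramps up gradually across the whole shop.
CAMPAIGN = build_requests([100, 130, 170, 220, 280], lambda minute: SHOP_PATHS)

# Constructed scenario 2: normal traffic, then a sudden flood of "GET /".
FLOOD = build_requests(
    [100, 105, 2000, 2100],
    lambda minute: SHOP_PATHS if minute < 2 else ["/"],
)

if __name__ == "__main__":
    print("campaign:", classify(CAMPAIGN))
    print("flood:   ", classify(FLOOD))
```

A window that trips only one of the two signals is reported as "needs review" rather than forced into either class.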
The role of monitoring and traffic analysis
Recognizing a DDoS attack primarily requires proper network monitoring. Key tools include:
- NetFlow/IPFIX/sFlow – flow data allows anomalies in traffic to be identified.
- Baseline – the system compares current traffic with the typical historical level. If differences are radical, an alert is generated.
- SIEM and NDR systems – support event correlation, automatically indicating a potential attack.
Solutions such as Sycope can detect anomalies in traffic in real time, significantly shortening response time.
Why is quick recognition crucial?
The sooner administrators identify that the problem is not a technical failure but a DDoS attack, the sooner they can implement appropriate mitigation measures – from simple ACL filters to advanced scrubbing mechanisms. Delay in recognition means longer downtime and greater business losses.
Which industries are the most common targets of DDoS attacks?
DDoS attacks can affect any organization that has online systems and services. However, industry reports clearly show that certain sectors are particularly vulnerable – mainly due to their critical role in the economy, large base of online customers, or political significance.
Public administration and government sector
Government websites, e-administration services, and communication platforms are often the targets of politically or ideologically motivated attacks.
- Example: attacks by the NoName057(16) group on Polish administration services (including ePUAP, Port of Gdynia, NBP).
- Motivation: destabilizing citizens’ trust in state institutions, demonstrating the weakness of systems.
Critical infrastructure
Energy, transport, telecommunications, or water supply – these are sectors where disruptions can have real consequences for millions of people.
- A DDoS attack on the systems of an energy or transport operator can cause not only financial losses but also paralyze part of critical services.
- According to ENISA reports, critical infrastructure is on the priority target list of state-sponsored groups.
Banking and financial sector
Banks and financial institutions are among the most frequently attacked sectors:
- online payment and e-banking systems are directly dependent on constant availability,
- even a short-term attack results in huge losses and a decline in customer trust.
In Poland, such attacks have targeted, among others, the NBP and commercial banks.
Online commerce and SaaS
E-commerce and SaaS providers are a lucrative target for cybercriminals:
- during peak periods (Black Friday, holidays), an attack can mean millions in lost sales,
- some attacks take the form of extortion (“pay or we’ll take down your store”).
According to Cloudflare reports, the e-commerce sector ranks in the global TOP 3 most attacked industries.
Media and ISPs
News portals and internet providers are attacked not only for profit, but also for political or image-related reasons.
- Example: DDoS attacks on news portals in Poland and Europe after publications concerning the war in Ukraine.
- ISPs often become targets of attacks aimed at testing their defensive capabilities.
Why these industries?
- High visibility – attacks on the public sector, media, or banks are publicized and socially visible.
- Direct financial losses – e-commerce, banks, and SaaS generate revenue online, so every outage means a real loss.
- Strategic importance – administration and critical infrastructure are elements of state security.
The most notorious DDoS attacks of recent years
DDoS attacks are no longer incidents that happen “somewhere far away on the internet.” Between 2020 and 2025, a number of record-breaking and high-profile events showed that DDoS is a weapon used not only by cybercriminals, but also by hacktivist groups and state-sponsored actors. Below is a summary of the most important cases from recent years.
2020 – New Zealand: NZX stock exchange paralyzed
In the summer of 2020, the New Zealand Stock Exchange (NZX) was paralyzed by a multi-day wave of DDoS attacks. Trading had to be suspended several times, and the country’s financial market plunged into chaos. This attack showed that even key financial institutions in highly developed countries can be helpless against well-planned DDoS campaigns.
2021 – Record-breaking attacks on Cloudflare, Google, and Amazon
In 2021, several global cloud infrastructure providers – including Cloudflare, Google, and Amazon – reported neutralizing attacks of unprecedented scale.
- Cloudflare recorded an HTTP flood attack reaching 17.2 million requests per second (RPS).
- Google registered a volumetric UDP attack peaking at 2.54 Tbps.
- Amazon Web Services also confirmed attacks exceeding 2 Tbps.
These were the first signals that the world was entering an era of attacks measured not in gigabits, but in terabits per second.
2022 – Yandex: largest application attack in history
In 2022, Russian tech giant Yandex reported the largest application-layer attack at the time – exceeding 20 million requests per second.
Behind the campaign was the Mēris botnet, built from tens of thousands of vulnerable MikroTik devices. This attack showed how dangerous massively exploited vulnerabilities in network equipment can be.
2022–2023 – Poland under fire from NoName057(16)
With Russia’s invasion of Ukraine, pro-Russian hacktivist groups became active. One of the most active is NoName057(16), which carried out intense attacks on institutions in Poland:
- NBP,
- ePUAP,
- Polish Radio,
- Port of Gdynia.
The aim was not data theft, but destabilizing public trust and disrupting the functioning of state institutions.
2023 – Cloudflare record: 201M RPS
In August 2023, Cloudflare announced it had repelled the largest HTTP/HTTPS attack in history. The record-breaking traffic reached 201 million requests per second and was aimed at, among others, the gaming and gambling industries.
This was a breakthrough moment – the application layer (L7) became the dominant battleground in DDoS attacks.
2025 – Record-breaking attack in Poland (~1.3 Tbps)
In 2025, industry media reported the largest DDoS attack in Poland’s history, with a volume reaching 1.3 Tbps. Although the specific target was not disclosed, it is known that the attack was neutralized thanks to telecom operators and specialized mitigation mechanisms. This event showed that Poland has appeared on the map of global DDoS records.
September 25, 2025 update: Cloudflare recently reported autonomously mitigating the largest DDoS attack ever recorded — peaking at 22.2 Tbps and 10.6 billion packets per second (Bpps). That’s twice as large as anything previously seen on the Internet.
Lessons from recent years
- The scale of attacks is growing exponentially – from hundreds of Gbps to Tbps and hundreds of millions of RPS.
- Botnets based on IoT devices and network equipment are increasingly used.
- Motivations are varied: financial, political, ideological.
- Poland – alongside global giants – has become one of the visible targets in the cyberwar.
Is a DDoS attack legal? What does the law say
Although technically a DDoS attack may look like “just” generating a large amount of network traffic, under the law it is a computer crime. In most countries – including the EU and the US – carrying out, commissioning, or even providing tools to perform such attacks is illegal and punishable by imprisonment.
Legal basis in the European Union
The key regulation is Directive 2013/40/EU on attacks against information systems, which obliges member states to criminalize denial-of-service attacks:
“Member States shall ensure that illegal system interference, by intentionally causing serious hindrance to or interruption of the functioning of an information system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data, is punishable.” (Art. 4)
In addition, the NIS2 Directive (EU 2022/2555) extends corporate responsibility for cybersecurity and introduces mandatory reporting of major incidents, including DDoS attacks.
Legal basis in the United States
In the US, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 applies:
“Whoever intentionally causes damage without authorization to a protected computer, including by knowingly transmitting a program, information, code, or command, and thereby causing the transmission of a denial-of-service attack, shall be punished…”
Penalties may include:
- up to 10 years of imprisonment for serious violations,
- significant fines and potential civil liability.
Examples of law enforcement actions
DDoS attacks are prosecuted not only individually but also as part of larger international operations.
- In 2025, Europol reported dismantling groups offering so-called DDoS-for-hire (stressers, booters), arresting administrators and seizing domains used to provide such “services.”
- In the US and EU, several coordinated takedowns have targeted botnets and commercial DDoS platforms, showing that law enforcement treats these attacks as organized cybercrime.
Why is this important for companies?
Legal awareness is crucial for two reasons:
- Prevention – even “experimenting” with DDoS tools by employees (e.g. for performance testing without authorization) can result in criminal liability.
- Incident response – companies should know that an attack can and must be reported to law enforcement, and not treated as an “unavoidable technical failure.”
How to report a DDoS attack and where to seek help
A DDoS attack is not just a technical problem for IT administrators – it is a security incident with legal and business consequences. That’s why every organization should know where and how to report such an incident, and where to look for assistance.
1. Internet Service Provider (ISP)
The first point of contact is usually your telecom or hosting provider. They can:
- apply blackholing – redirect traffic to a “black hole” to protect the rest of the infrastructure,
- implement flowspec filtering at the operator’s network level,
- assist in redirecting traffic to scrubbing centers.
It is essential to have incident reporting procedures and emergency contacts with your ISP as part of your incident response plan.
2. National CERT / CSIRT
Most EU countries and the US have designated Computer Emergency Response Teams (CERTs/CSIRTs) that coordinate responses to large-scale cyber incidents. Examples include:
- ENISA-supported national CSIRTs across EU member states,
- US-CERT (CISA) in the United States.
Reporting to a CERT/CSIRT enables:
- coordinated response (e.g. notifying other operators and stakeholders),
- access to additional intelligence on attack vectors,
- support with incident reporting obligations under regulations such as NIS2 (EU) or CISA directives (US).
3. Law enforcement
In both the EU and the US, a DDoS attack is a criminal offense. It is important to:
- secure logs from network devices and servers,
- collect evidence (e.g. traffic samples, screenshots of error messages),
- report the case to local or federal law enforcement (e.g. Europol/Eurojust in the EU, FBI/Secret Service in the US).
The more technical evidence collected, the higher the chance of identifying perpetrators – especially in the case of organized groups or DDoS-for-hire services.
4. External experts and service providers
Many specialized cybersecurity companies operate worldwide (e.g. Cloudflare, Akamai, Netscout Arbor) and telecom providers offer managed DDoS protection. They can:
- take over and scrub traffic in specialized scrubbing centers,
- advise on network and application-level configurations,
- provide 24/7 incident response support.
It’s recommended to have an SLA in place with a protection provider before an attack occurs.
5. Internal incident response procedures
Every organization should maintain a DDoS response playbook, covering:
- who reports the incident and to which authority,
- emergency contact details for ISP, CERT, and law enforcement,
- how to secure logs and preserve evidence,
- who is responsible for communication with customers and the media.
Why reporting matters
- Technical support – the incident can be contained faster with coordinated help.
- Legal compliance – failure to report may breach obligations under NIS2 in the EU or federal/state cybersecurity requirements in the US.
- Threat intelligence – reports help CERTs and regulators track attack trends and improve protection of critical infrastructure.
Basic protective measures against DDoS attacks
Defending against DDoS requires a multilayered approach. There is no single “magic” solution that can protect a company against every scenario. The best results come from combining monitoring, filtering, service distribution, and well-prepared incident response procedures.
Network traffic monitoring and analysis
The very first and absolutely fundamental element is visibility.
- Deploy tools that analyze network flows (NetFlow, IPFIX, sFlow).
- Build a baseline, i.e. a profile of “normal” traffic within the organization.
- Set up automatic alerts when deviations from the norm occur.
Solutions such as Sycope make it possible to detect anomalies in real time, before the attack manages to paralyze services.
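The baseline-and-alert steps above (and the "Baseline" item in the section on recognizing an attack) can be sketched as a rolling profile of normal traffic, shown here as an added example that is not the article's or any vendor's implementation. The per-minute Mbps series is constructed, and the smoothing factor, warm-up length, and alert multiplier are assumed values that need tuning per link.

```python
import math


class TrafficBaseline:
    """Exponentially weighted profile of "normal" traffic with an alert threshold."""

    def __init__(self, alpha=0.2, k=4.0, warmup=5, min_rel_std=0.05):
        self.alpha = alpha              # weight given to the newest sample
        self.k = k                      # alert at mean + k * standard deviation
        self.warmup = warmup            # samples to learn before alerting
        self.min_rel_std = min_rel_std  # floor so a very flat baseline is not jumpy
        self.mean = None
        self.var = 0.0
        self.samples = 0

    def threshold(self):
        std = max(math.sqrt(self.var), self.min_rel_std * self.mean)
        return self.mean + self.k * std

    def observe(self, value):
        """Feed one measurement; return True if it deviates from the baseline."""
        if self.mean is None:
            self.mean, self.samples = float(value), 1
            return False
        anomalous = self.samples >= self.warmup and value > self.threshold()
        if not anomalous:
            # Learn only from normal samples so that attack traffic cannot
            # drag the baseline upward and silence its own alert. A lasting
            # legitimate level shift therefore needs a manual reset.
            self._learn(value)
        return anomalous

    def _learn(self, value):
        diff = value - self.mean
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)
        self.samples += 1


# Constructed per-minute inbound traffic in Mbps: steady load, a three-minute
# volumetric spike, then recovery.
MBPS_PER_MINUTE = [100, 104, 98, 101, 97, 103, 99, 102, 950, 1200, 1100, 105, 100]


def alert_minutes(series):
    """Return the indices of the samples that raised an alert."""
    baseline = TrafficBaseline()
    return [i for i, value in enumerate(series) if baseline.observe(value)]


if __name__ == "__main__":
    print("alerts at minutes:", alert_minutes(MBPS_PER_MINUTE))
```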
Anomaly analysis and rapid detection
NDR (Network Detection & Response) and SIEM systems can correlate events and identify unusual traffic patterns. This allows the organization to quickly recognize whether it is dealing with a natural surge in popularity (e.g. from a marketing campaign) or with a DDoS attack.
Filtering and blocking
Once an attack is detected, limiting traffic is crucial:
- Access Control Lists (ACLs) – simple rules blocking traffic from specific sources.
- Rate limiting – restricting the number of requests from a given address.
- Flowspec and blackholing – mechanisms at the operator level that can block malicious traffic before it reaches the victim’s network.
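The rate-limiting item above, as an added example that is not from the original article: a token bucket per source address with a hard cap on tracked addresses, so that a flood from many sources cannot exhaust the limiter's own memory. The class name, the rates, and the sample addresses are constructed assumptions.

```python
from collections import OrderedDict


class PerAddressRateLimiter:
    """Token bucket per source IP with bounded state."""

    def __init__(self, rate_per_s, burst, max_clients=10_000):
        self.rate = float(rate_per_s)   # tokens refilled per second
        self.burst = float(burst)       # bucket size, i.e. allowed burst
        self.max_clients = max_clients  # cap on tracked addresses
        self._buckets = OrderedDict()   # ip -> (tokens, last_seen)

    def allow(self, ip, now):
        """Return True if a request from `ip` at time `now` (seconds) may pass."""
        tokens, last = self._buckets.pop(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._buckets[ip] = (tokens, now)  # re-insert as most recently seen
        # Evict the least recently seen addresses once the table is full.
        # Trade-off: an evicted address starts with a full bucket when it
        # returns, so size the table well above the normal client count.
        while len(self._buckets) > self.max_clients:
            self._buckets.popitem(last=False)
        return allowed

    def tracked(self):
        return len(self._buckets)


def demo():
    """Constructed traffic: one noisy address, one normal visitor."""
    limiter = PerAddressRateLimiter(rate_per_s=2, burst=5, max_clients=3)
    # Ten requests in the same instant from one address: only the burst passes.
    flood = [limiter.allow("203.0.113.7", now=0.0) for _ in range(10)]
    # A different address is unaffected by its neighbour's behaviour.
    normal = limiter.allow("198.51.100.20", now=0.0)
    # One second later the noisy address has earned back two tokens.
    later = [limiter.allow("203.0.113.7", now=1.0) for _ in range(4)]
    return flood.count(True), normal, later.count(True)


def state_stays_bounded():
    """Five distinct sources against a table capped at three entries."""
    limiter = PerAddressRateLimiter(rate_per_s=2, burst=5, max_clients=3)
    for i in range(5):
        limiter.allow(f"192.0.2.{i}", now=float(i))
    return limiter.tracked()


if __name__ == "__main__":
    print(demo(), state_stays_bounded())
```

A per-address limit stops a single noisy source; a flood spread thinly over many addresses stays under it, which is why the list pairs rate limiting with operator-level filtering.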
Service distribution (CDN, Anycast)
DDoS attacks often focus on a single point of infrastructure. Distributing services minimizes this risk:
- CDN (Content Delivery Network) – stores copies of content in multiple locations, reducing response time and spreading out traffic.
- Anycast – the same IP address is announced in multiple places around the world, and traffic is directed to the nearest server.
Automatic mitigation
The largest security providers offer scrubbing centers, which take over the victim’s traffic, filter it, and return only “clean” traffic. This solution is particularly important in the case of volumetric attacks (Tbps), which cannot be handled within local infrastructure.
Incident response plan
Even the best technologies are not enough if the organization has no plan of action. A playbook should include:
- clear division of responsibilities (SOC, NOC, PR department),
- a list of contacts (ISP, CERT, law enforcement, security providers),
- procedures for internal and external communication,
- a schedule of tests and simulation exercises.
Why are basic measures so important?
Although many companies invest in enterprise-class solutions, research shows that the lack of elementary detection mechanisms and response procedures is still one of the main reasons why DDoS attacks succeed. Even the simplest measures – such as monitoring and baselining – can give administrators the valuable minutes needed for effective defense.
Summary and conclusions
DDoS attacks in 2025 are not just a technical problem for administrators – they are a real business, legal, and reputational threat. Their power and complexity continue to grow: from simple floods of a decade ago to today’s multi-vector attacks measured in terabits per second and hundreds of millions of requests per second.
The conclusions are clear:
- Every organization with online services must reckon with the risk of DDoS, regardless of industry.
- Monitoring and detection are the foundation of defense – without early detection, there is no chance of an effective response.
- Multilayered protection (filtering, CDN, Anycast, scrubbing) provides the greatest effectiveness.
- The legal aspect is equally important – attacks must be reported and documented, as failure to do so may constitute a breach of regulations (e.g. NIS2 in the EU, national cybersecurity laws).
- A proactive approach and a prepared response plan make the difference between short downtime and a long-lasting business crisis.
It is important to remember that DDoS attacks will not disappear – on the contrary, they will become more frequent and more sophisticated. Therefore, companies that invest today in the right tools and procedures will have an advantage and minimize their risk.
FAQ
A Distributed Denial of Service (DDoS) attack involves multiple compromised computers, often called bots, targeting a single system to flood it with overwhelming amounts of traffic, making services inaccessible to genuine users.
DDoS attacks have significantly evolved in scale and complexity, with attackers using advanced techniques like IoT-based botnets and AI-driven methods, reaching unprecedented levels such as the largest recorded attack at 7.3 Tbps in May 2025.
DDoS attacks can be categorized into volumetric attacks, protocol attacks, application layer attacks, and emerging multi-vector threats, each exploiting different vulnerabilities and techniques to achieve disruption.
DDoS attacks lead to financial losses, operational disruptions, regulatory compliance issues, and competitive disadvantages due to downtime, customer churn, brand reputation damage, and potential regulatory fines.
Comprehensive defense strategies include deploying advanced monitoring solutions, using the latest mitigation tools and technologies, building resilient network architectures, and preparing effective incident response and recovery procedures.