Infrastructure · Security

DDoS Protection Guide: Attack Types, Mitigation, and How to Choose

DDoS protection works by detecting flood traffic and filtering it out before it reaches your server, usually by routing traffic through high-capacity scrubbing centers that drop the malicious packets and pass the clean ones through. There are three attack types to defend against — volumetric floods that saturate bandwidth, protocol attacks that exhaust connection tables, and application-layer attacks that mimic real users — and because no single tool stops all three, effective protection layers edge scrubbing, anycast, a web application firewall, and rate limiting together. The two decisions that matter most are capacity, since 2026 attacks routinely reach multiple terabits per second, and whether protection is always-on or activated on demand. No defense is absolute, so the right level should match your actual risk.

Key takeaways

  • Three attack types, three defenses. Volumetric, protocol, and application-layer attacks each need different mitigation — what stops one won’t stop another.
  • Scrubbing is the core mechanism. Traffic is routed through filtering centers that drop malicious packets and return only clean traffic to your origin.
  • Capacity decides survival. With attacks hitting multiple terabits per second, the provider’s scrubbing capacity is what absorbs the largest floods.
  • On-server defense isn’t enough. Local rate limiting can’t absorb a volumetric flood — you need upstream or provider-level capacity.
  • Match protection to risk. A small site may need only a free CDN tier; a frequent target needs dedicated capacity and a managed response team.

A distributed denial-of-service attack is one of the few threats that can take a well-built service offline without breaching it at all — it simply buries it in traffic. In 2026, with attacks regularly measured in terabits per second and botnets cheap to rent, protection has moved from optional to baseline. This guide explains how the attacks work, how mitigation stops them, and how to choose a level of protection that fits your risk without overpaying.

What is a DDoS attack?

A DDoS attack is a coordinated attempt to disrupt a server, service, or network by flooding it with traffic from many sources at once — typically a botnet of compromised devices or abused internet servers used as reflectors. The goal is exhaustion: consume the target’s bandwidth, CPU, memory, or application thread pools until legitimate requests can no longer be served. It differs from a plain denial-of-service attack, which comes from a single source, precisely in that distribution — thousands of origins make it far harder to simply block the attacker and far easier to generate overwhelming volume.

The consequences are immediate and measurable: degraded performance, downtime, breached service-level agreements, and direct financial loss while a service is unreachable. A defining trait of the modern landscape is that many attacks are short, high-intensity bursts lasting only two or three minutes, which has a sharp implication for defense — by the time a human reacts to an alert and activates mitigation manually, the burst is often over and the damage done. Effective protection has to be automated.

The three types of DDoS attacks

Attacks fall into three categories defined by which resource they exhaust, and the distinction matters because the defense that stops one does little against another. Volumetric attacks saturate your bandwidth, protocol attacks exhaust connection-handling resources, and application-layer attacks overwhelm the application itself. The table summarises them.

The three DDoS attack types and how to mitigate each (2026).
Type (layer)What it doesExamplesMeasured inMitigation
Volumetric (L3)Saturates bandwidthUDP flood, DNS/NTP amplificationGbps / TbpsScrubbing + anycast
Protocol (L4)Exhausts connection tablesSYN flood, Ping of DeathPackets/secSYN cookies, filtering
Application (L7)Overwhelms app logicHTTP flood, SlowlorisRequests/secWAF + behavioral limits

Two points cut against intuition. Protocol attacks don’t need much bandwidth to be devastating — a 500-megabit-per-second SYN flood can crash a server provisioned for ten gigabits of legitimate traffic, because it fills the connection table long before bandwidth becomes the limit. And application-layer attacks are the hardest of all to stop, because they mimic legitimate user behaviour: an HTTP flood hitting a search or login endpoint looks like real requests, which is why these vectors slip past rate limits and even trip up major providers’ rules. Worse, sophisticated campaigns combine all three into multi-vector attacks that shift tactics as defenses react, which is why coverage across every layer matters.

How big is the DDoS threat in 2026?

The scale has grown beyond what most infrastructure can absorb unaided. The current era is genuinely hyper-volumetric: one provider blocked a 7.3-terabit-per-second flood that delivered 37 terabytes in about 45 seconds, with reports of peaks higher still, and analyses citing attacks past 30 terabits per second. Multi-terabit attacks in the three-to-four-terabit range are now common rather than exceptional, a volume that overwhelms any single under-provisioned site instantly.

The techniques have grown as fast as the volumes. AI-driven botnets are cheap to rent and easy to deploy, turning sophisticated multi-vector campaigns into a commodity. Carpet-bombing spreads moderate traffic across many target IPs at once to evade per-address detection thresholds while achieving huge aggregate volume, IoT botnets marshal millions of poorly secured devices, and AI-assisted attacks adapt their patterns in real time to slip past static filters. One 2026 finding captures the shift: a majority of attacks now require machine-learning behavioural models to detect accurately, because static rate limiting alone lets them through.

How does DDoS protection work?

At its core, protection means getting between the flood and your server and removing the bad traffic before it lands. The dominant mechanism is the scrubbing center: your traffic is routed — via BGP announcements or DNS — through a provider’s high-capacity filtering network, where malicious packets are dropped and only clean traffic is tunnelled back to your origin. The diagram shows the idea.

How traffic scrubbing worksAttack + realmixed trafficScrubbingfilter & drop badOrigin serverclean traffic onlylegitimate — passes throughmalicious — dropped
Mixed traffic is diverted through the scrubbing layer; malicious packets are filtered out, and only clean traffic reaches the origin.

The full process runs in four stages — detect the anomaly, divert traffic to the scrubbing path, filter out the attack, and return clean traffic — and several techniques do the filtering. Anycast routing dilutes a volumetric flood across many geographically distributed edge nodes so no single point absorbs it all; a web application firewall and behavioural rate limiting catch application-layer abuse; SYN cookies defeat connection-table exhaustion; and blackhole routing can drop traffic to a targeted address entirely as a last resort. A key configuration choice sits on top: always-on protection routes all your traffic through the provider continuously for the fastest possible mitigation at the cost of a little latency, while on-demand protection activates only during an attack, adding no normal-traffic latency but introducing a switchover delay that the short-burst attacks described earlier can outrun.

The layers of defense

The settled wisdom is that no single tool stops every attack, so effective protection is layered, with each layer handling what it’s best at. At the network edge, high-capacity scrubbing and anycast absorb volumetric and protocol floods. A content delivery network adds another absorptive layer for web traffic, diluting attacks across its edge while also offloading legitimate surges — the overlap with performance that our CDN guide explores. In front of the application, a web application firewall with behavioural rate limiting and bot management handles the Layer 7 attacks that volumetric defenses miss entirely.

On the server itself, local tools — firewall rules, rate limiting, and intrusion utilities — provide useful detection and can handle small attacks, but they cannot absorb a volumetric flood, because the traffic saturates the upstream link before your server ever gets to filter it. That’s the single most important architectural point: on-server defense is a complement, not a substitute, and serious volumetric protection requires upstream capacity, whether from your provider or an ISP scrubbing agreement. Layered correctly, each tier covers a different failure mode so that one gap doesn’t collapse the whole defense.

Choosing DDoS protection

With the mechanisms understood, selecting protection comes down to a handful of specifications matched to your exposure. The terminal below frames the decision.

choosing-ddos-protection
# Match protection to your risk and traffic
Capacity … 100+ Tbps scrubbing to absorb today’s largest floods
Layer coverage … must cover BOTH L3/4 (volumetric) AND L7 (application)
Time-to-mitigate … seconds, automated — short bursts outrun manual response
Always-on vs demand  always-on for frequent targets; on-demand to avoid latency
Billing … UNMETERED, not metered (a terabit attack = billing crisis)
Managed SOC … yes, if you lack 24/7 security staff
Small / low-risk … a free CDN tier often suffices
# Hide the origin behind the edge — direct-to-origin attacks bypass the proxy.

A few of these deserve emphasis. Capacity is decisive — with multi-terabit attacks common, a provider needs scrubbing capacity well into the hundreds of terabits to absorb the largest floods, which is why the leading networks advertise figures in that range. Layer-seven coverage is non-negotiable, since volumetric protection alone leaves the hardest-to-detect attacks unhandled. And the billing model is an easy trap: metered protection that charges by attack volume turns a terabit-scale flood into a financial crisis on top of the operational one, so unmetered, flat-rate protection is strongly preferable. One more architectural detail — keep your true origin hidden behind the edge network, because an attacker who discovers it can bypass the proxy and hit your server directly.

DDoS and your mail and web servers

For a dedicated server running web or mail services, the threat is concrete. Attackers target web ports, mail ports, and the dedicated IP addresses themselves, and UDP-heavy or high-profile services draw the most fire. The same principle applies as everywhere else: on-server hardening helps with small attacks and detection, but a real volumetric flood against your IP has to be absorbed upstream, which makes the provider’s network-level protection the decisive factor rather than anything you configure on the box.

That’s why DDoS protection belongs in the buying decision rather than as an afterthought — our dedicated server buying guide treats it as a core spec line. Choose a provider whose network can absorb volumetric attacks before they reach your server, confirm whether protection is included or an add-on, and verify it’s unmetered so a large attack doesn’t generate a surprise bill. For a mail server in particular, sustained reachability is the whole point, so upstream protection that keeps the IP online through an attack is what preserves both deliverability and uptime.

Can you fully stop a DDoS attack?

Honestly, no — and any provider claiming otherwise is overselling. A sufficiently large attack will overwhelm under-provisioned defenses, and even major providers’ rules sometimes fail to catch sophisticated application-layer vectors, as simulation testing repeatedly shows. Protection reduces risk and absorbs the great majority of attacks; it doesn’t grant immunity. That reality argues for two things: layering defenses so no single failure is catastrophic, and testing them with periodic simulations, because protections that look solid on paper often reveal gaps under real load.

It also argues for matching protection to actual risk rather than buying the maximum. A small, low-profile site is well served by provider-included protection or a free CDN tier, and spending on enterprise scrubbing for it is wasted. A frequent or high-value target — a gaming service, a financial platform, anything that attracts attention — genuinely needs high scrubbing capacity, full-layer coverage, and a managed response team, and relying on on-server tools alone there is negligent. The skill is calibrating to your threat profile: enough capacity and coverage to absorb what realistically targets you, without paying for protection your risk doesn’t warrant.

Matching protection to your risk

DDoS protection comes down to a clear chain of decisions: understand which of the three attack types threaten you, route traffic through scrubbing capacity large enough to absorb modern volumes, layer edge, network, and application defenses so each covers what the others miss, and keep mitigation automated because the attacks are too fast for manual response. Above all, calibrate the level to your real exposure rather than to fear or to a vendor’s maximum tier.

For senders and businesses that want that protection built into their infrastructure rather than bolted on, our dedicated servers in Toronto pair network-level DDoS mitigation with managed operations, so volumetric attacks are absorbed upstream before they reach your server — and the bandwidth guide covers the capacity side of keeping a service reachable. Layer your defenses, automate the response, size the capacity to the threat, and a DDoS attack becomes an absorbed event rather than an outage.

Frequently asked questions

What are the three types of DDoS attacks?
Volumetric attacks saturate bandwidth with floods like UDP and DNS amplification, measured in gigabits or terabits per second. Protocol attacks exhaust connection tables and network equipment with techniques like SYN floods, measured in packets per second, and can crash a server with surprisingly little bandwidth. Application-layer attacks overwhelm the application itself with requests that mimic real users, measured in requests per second, and are the hardest to detect and stop.
How does DDoS scrubbing work?
Your traffic is routed — through BGP announcements or DNS — into a provider’s high-capacity scrubbing network. There, the malicious attack traffic is filtered and dropped while the legitimate traffic is identified and tunnelled back to your origin server. The process runs in four stages: detect the anomaly, divert traffic to the scrubbing path, filter out the attack, and return only clean traffic. Anycast routing spreads volumetric floods across many edge locations so no single point is overwhelmed.
Is on-server DDoS protection enough?
No, not for volumetric attacks. Local tools like firewall rules and rate limiting are useful for detection and small attacks, but they can’t absorb a flood that saturates your upstream link before your server even processes it. Serious volumetric protection requires upstream capacity from your provider or an ISP scrubbing agreement. On-server defense is a complement to network-level protection, not a substitute for it.
Should I choose always-on or on-demand protection?
Always-on routes all traffic through the provider continuously, giving the fastest mitigation at the cost of slight added latency — best for frequent targets. On-demand activates only during an attack, adding no normal-traffic latency but introducing a switchover delay. Because many modern attacks are short bursts of two to three minutes, that delay can let an attack succeed before mitigation engages, so always-on or fully automated protection is safer for likely targets.
How much DDoS protection do I actually need?
Match it to your risk. A small, low-profile site is usually well served by provider-included protection or a free CDN tier, and enterprise scrubbing would be wasted. A frequent or high-value target — gaming, finance, or anything attracting attention — needs high scrubbing capacity, full coverage across all three attack layers, and a managed response team. No protection is absolute, so layer your defenses and test them rather than assuming any single tool grants immunity.