Infrastructure · Security
DDoS Protection Guide: Attack Types, Mitigation, and How to Choose
DDoS protection works by detecting flood traffic and filtering it out before it reaches your server, usually by routing traffic through high-capacity scrubbing centers that drop the malicious packets and pass the clean ones through. There are three attack types to defend against — volumetric floods that saturate bandwidth, protocol attacks that exhaust connection tables, and application-layer attacks that mimic real users — and because no single tool stops all three, effective protection layers edge scrubbing, anycast, a web application firewall, and rate limiting together. The two decisions that matter most are capacity, since 2026 attacks routinely reach multiple terabits per second, and whether protection is always-on or activated on demand. No defense is absolute, so the right level should match your actual risk.
Key takeaways
- Three attack types, three defenses. Volumetric, protocol, and application-layer attacks each need different mitigation — what stops one won’t stop another.
- Scrubbing is the core mechanism. Traffic is routed through filtering centers that drop malicious packets and return only clean traffic to your origin.
- Capacity decides survival. With attacks hitting multiple terabits per second, the provider’s scrubbing capacity is what absorbs the largest floods.
- On-server defense isn’t enough. Local rate limiting can’t absorb a volumetric flood — you need upstream or provider-level capacity.
- Match protection to risk. A small site may need only a free CDN tier; a frequent target needs dedicated capacity and a managed response team.
A distributed denial-of-service attack is one of the few threats that can take a well-built service offline without breaching it at all — it simply buries it in traffic. In 2026, with attacks regularly measured in terabits per second and botnets cheap to rent, protection has moved from optional to baseline. This guide explains how the attacks work, how mitigation stops them, and how to choose a level of protection that fits your risk without overpaying.
What is a DDoS attack?
A DDoS attack is a coordinated attempt to disrupt a server, service, or network by flooding it with traffic from many sources at once — typically a botnet of compromised devices or abused internet servers used as reflectors. The goal is exhaustion: consume the target’s bandwidth, CPU, memory, or application thread pools until legitimate requests can no longer be served. It differs from a plain denial-of-service attack, which comes from a single source, precisely in that distribution — thousands of origins make it far harder to simply block the attacker and far easier to generate overwhelming volume.
The consequences are immediate and measurable: degraded performance, downtime, breached service-level agreements, and direct financial loss while a service is unreachable. A defining trait of the modern landscape is that many attacks are short, high-intensity bursts lasting only two or three minutes, which has a sharp implication for defense — by the time a human reacts to an alert and activates mitigation manually, the burst is often over and the damage done. Effective protection has to be automated.
The three types of DDoS attacks
Attacks fall into three categories defined by which resource they exhaust, and the distinction matters because the defense that stops one does little against another. Volumetric attacks saturate your bandwidth, protocol attacks exhaust connection-handling resources, and application-layer attacks overwhelm the application itself. The table summarises them.
| Type (layer) | What it does | Examples | Measured in | Mitigation |
|---|---|---|---|---|
| Volumetric (L3) | Saturates bandwidth | UDP flood, DNS/NTP amplification | Gbps / Tbps | Scrubbing + anycast |
| Protocol (L4) | Exhausts connection tables | SYN flood, Ping of Death | Packets/sec | SYN cookies, filtering |
| Application (L7) | Overwhelms app logic | HTTP flood, Slowloris | Requests/sec | WAF + behavioral limits |
Two points cut against intuition. Protocol attacks don’t need much bandwidth to be devastating — a 500-megabit-per-second SYN flood can crash a server provisioned for ten gigabits of legitimate traffic, because it fills the connection table long before bandwidth becomes the limit. And application-layer attacks are the hardest of all to stop, because they mimic legitimate user behaviour: an HTTP flood hitting a search or login endpoint looks like real requests, which is why these vectors slip past rate limits and even trip up major providers’ rules. Worse, sophisticated campaigns combine all three into multi-vector attacks that shift tactics as defenses react, which is why coverage across every layer matters.
How big is the DDoS threat in 2026?
The scale has grown beyond what most infrastructure can absorb unaided. The current era is genuinely hyper-volumetric: one provider blocked a 7.3-terabit-per-second flood that delivered 37 terabytes in about 45 seconds, with reports of peaks higher still, and analyses citing attacks past 30 terabits per second. Multi-terabit attacks in the three-to-four-terabit range are now common rather than exceptional, a volume that overwhelms any single under-provisioned site instantly.
The techniques have grown as fast as the volumes. AI-driven botnets are cheap to rent and easy to deploy, turning sophisticated multi-vector campaigns into a commodity. Carpet-bombing spreads moderate traffic across many target IPs at once to evade per-address detection thresholds while achieving huge aggregate volume, IoT botnets marshal millions of poorly secured devices, and AI-assisted attacks adapt their patterns in real time to slip past static filters. One 2026 finding captures the shift: a majority of attacks now require machine-learning behavioural models to detect accurately, because static rate limiting alone lets them through.
How does DDoS protection work?
At its core, protection means getting between the flood and your server and removing the bad traffic before it lands. The dominant mechanism is the scrubbing center: your traffic is routed — via BGP announcements or DNS — through a provider’s high-capacity filtering network, where malicious packets are dropped and only clean traffic is tunnelled back to your origin. The diagram shows the idea.
The full process runs in four stages — detect the anomaly, divert traffic to the scrubbing path, filter out the attack, and return clean traffic — and several techniques do the filtering. Anycast routing dilutes a volumetric flood across many geographically distributed edge nodes so no single point absorbs it all; a web application firewall and behavioural rate limiting catch application-layer abuse; SYN cookies defeat connection-table exhaustion; and blackhole routing can drop traffic to a targeted address entirely as a last resort. A key configuration choice sits on top: always-on protection routes all your traffic through the provider continuously for the fastest possible mitigation at the cost of a little latency, while on-demand protection activates only during an attack, adding no normal-traffic latency but introducing a switchover delay that the short-burst attacks described earlier can outrun.
The layers of defense
The settled wisdom is that no single tool stops every attack, so effective protection is layered, with each layer handling what it’s best at. At the network edge, high-capacity scrubbing and anycast absorb volumetric and protocol floods. A content delivery network adds another absorptive layer for web traffic, diluting attacks across its edge while also offloading legitimate surges — the overlap with performance that our CDN guide explores. In front of the application, a web application firewall with behavioural rate limiting and bot management handles the Layer 7 attacks that volumetric defenses miss entirely.
On the server itself, local tools — firewall rules, rate limiting, and intrusion utilities — provide useful detection and can handle small attacks, but they cannot absorb a volumetric flood, because the traffic saturates the upstream link before your server ever gets to filter it. That’s the single most important architectural point: on-server defense is a complement, not a substitute, and serious volumetric protection requires upstream capacity, whether from your provider or an ISP scrubbing agreement. Layered correctly, each tier covers a different failure mode so that one gap doesn’t collapse the whole defense.
Choosing DDoS protection
With the mechanisms understood, selecting protection comes down to a handful of specifications matched to your exposure. The terminal below frames the decision.
# Match protection to your risk and traffic Capacity … 100+ Tbps scrubbing to absorb today’s largest floods Layer coverage … must cover BOTH L3/4 (volumetric) AND L7 (application) Time-to-mitigate … seconds, automated — short bursts outrun manual response Always-on vs demand always-on for frequent targets; on-demand to avoid latency Billing … UNMETERED, not metered (a terabit attack = billing crisis) Managed SOC … yes, if you lack 24/7 security staff Small / low-risk … a free CDN tier often suffices # Hide the origin behind the edge — direct-to-origin attacks bypass the proxy.
A few of these deserve emphasis. Capacity is decisive — with multi-terabit attacks common, a provider needs scrubbing capacity well into the hundreds of terabits to absorb the largest floods, which is why the leading networks advertise figures in that range. Layer-seven coverage is non-negotiable, since volumetric protection alone leaves the hardest-to-detect attacks unhandled. And the billing model is an easy trap: metered protection that charges by attack volume turns a terabit-scale flood into a financial crisis on top of the operational one, so unmetered, flat-rate protection is strongly preferable. One more architectural detail — keep your true origin hidden behind the edge network, because an attacker who discovers it can bypass the proxy and hit your server directly.
DDoS and your mail and web servers
For a dedicated server running web or mail services, the threat is concrete. Attackers target web ports, mail ports, and the dedicated IP addresses themselves, and UDP-heavy or high-profile services draw the most fire. The same principle applies as everywhere else: on-server hardening helps with small attacks and detection, but a real volumetric flood against your IP has to be absorbed upstream, which makes the provider’s network-level protection the decisive factor rather than anything you configure on the box.
That’s why DDoS protection belongs in the buying decision rather than as an afterthought — our dedicated server buying guide treats it as a core spec line. Choose a provider whose network can absorb volumetric attacks before they reach your server, confirm whether protection is included or an add-on, and verify it’s unmetered so a large attack doesn’t generate a surprise bill. For a mail server in particular, sustained reachability is the whole point, so upstream protection that keeps the IP online through an attack is what preserves both deliverability and uptime.
Can you fully stop a DDoS attack?
Honestly, no — and any provider claiming otherwise is overselling. A sufficiently large attack will overwhelm under-provisioned defenses, and even major providers’ rules sometimes fail to catch sophisticated application-layer vectors, as simulation testing repeatedly shows. Protection reduces risk and absorbs the great majority of attacks; it doesn’t grant immunity. That reality argues for two things: layering defenses so no single failure is catastrophic, and testing them with periodic simulations, because protections that look solid on paper often reveal gaps under real load.
It also argues for matching protection to actual risk rather than buying the maximum. A small, low-profile site is well served by provider-included protection or a free CDN tier, and spending on enterprise scrubbing for it is wasted. A frequent or high-value target — a gaming service, a financial platform, anything that attracts attention — genuinely needs high scrubbing capacity, full-layer coverage, and a managed response team, and relying on on-server tools alone there is negligent. The skill is calibrating to your threat profile: enough capacity and coverage to absorb what realistically targets you, without paying for protection your risk doesn’t warrant.
Matching protection to your risk
DDoS protection comes down to a clear chain of decisions: understand which of the three attack types threaten you, route traffic through scrubbing capacity large enough to absorb modern volumes, layer edge, network, and application defenses so each covers what the others miss, and keep mitigation automated because the attacks are too fast for manual response. Above all, calibrate the level to your real exposure rather than to fear or to a vendor’s maximum tier.
For senders and businesses that want that protection built into their infrastructure rather than bolted on, our dedicated servers in Toronto pair network-level DDoS mitigation with managed operations, so volumetric attacks are absorbed upstream before they reach your server — and the bandwidth guide covers the capacity side of keeping a service reachable. Layer your defenses, automate the response, size the capacity to the threat, and a DDoS attack becomes an absorbed event rather than an outage.