
What Is a DDoS Attack and How Does It Work? Layered Protection Strategy
Can Kaya
Security Specialist
DDoS (Distributed Denial of Service) attacks aim to overwhelm a server or network with excessive traffic, rendering it unable to serve legitimate users. In 2025, the average DDoS attack volume exceeded 1.5 Tbps, and 65% of attacks lasted less than 10 minutes - making detection and response speed critical. This guide covers DDoS attack types, detection methods, and layered protection strategies.
DDoS Attack Types
DDoS attacks target different layers of the OSI model. Each layer requires different defense mechanisms:
| Layer | Attack Type | Target | Defense |
|---|---|---|---|
| L3 (Network) | ICMP Flood, IP Fragmentation | Bandwidth | Upstream filtering, blackhole routing |
| L4 (Transport) | SYN Flood, UDP Flood, ACK Flood | TCP/UDP connection table | SYN cookies, rate limiting, firewall |
| L7 (Application) | HTTP Flood, Slowloris, API abuse | Web server / application | WAF, bot detection, CAPTCHA |
SYN Flood Attack
A TCP connection is established through a three-way handshake. In a SYN flood attack, the attacker sends thousands of SYN packets but never completes the handshake with the final ACK. The server allocates memory for each half-open connection until the connection table fills up. Enabling SYN cookies in the Linux kernel mitigates this: once the backlog is full, the kernel encodes the connection state in the SYN-ACK sequence number instead of allocating memory for each half-open connection.

```conf
# Place in a file under /etc/sysctl.d/ and apply with: sysctl --system
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 65536
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# Connection tracking table size
net.netfilter.nf_conntrack_max = 1000000
# Reuse sockets in TIME_WAIT for new outbound connections
net.ipv4.tcp_tw_reuse = 1
```
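To check whether a SYN flood is actually filling the half-open table, the quickest view is `ss -tan state syn-recv`. The following Python is an example added to this guide, not code from the article: it parses a constructed sample of that output and counts half-open connections per local port and per source /24 (the addresses, counts and threshold are made up).

```python
import re
from collections import Counter

# Constructed sample of `ss -tan state syn-recv` output (not captured from a real host).
# With a state filter ss omits the State column: Recv-Q Send-Q Local Peer [Process].
SAMPLE_SS = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
0      0      10.0.0.5:443        203.0.113.7:51234
0      0      10.0.0.5:443        203.0.113.9:40001
0      0      10.0.0.5:443        203.0.113.12:40002
0      0      10.0.0.5:443        198.51.100.4:33021
0      0      10.0.0.5:22         192.0.2.8:51000
"""

ADDR_RE = re.compile(r"^(.+):(\d+)$")   # split "ip:port"; "[v6]:port" keeps its brackets

def parse_half_open(ss_output):
    """Return (local_port, peer_ip) for every SYN-RECV socket in the ss output."""
    rows = []
    for line in ss_output.splitlines()[1:]:     # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        local, peer = ADDR_RE.match(parts[2]), ADDR_RE.match(parts[3])
        if local and peer:
            rows.append((int(local.group(2)), peer.group(1)))
    return rows

def syn_flood_report(ss_output, port_threshold=3):
    """Count half-open connections per local port and per peer /24, flagging ports
    that reach port_threshold. The threshold here is a toy value; on a real host
    pick a fraction of tcp_max_syn_backlog."""
    rows = parse_half_open(ss_output)
    per_port = Counter(port for port, _ in rows)
    per_prefix = Counter(".".join(ip.split(".")[:3]) for _, ip in rows)
    return {
        "total": len(rows),
        "per_port": dict(per_port),
        "per_prefix": dict(per_prefix),
        "suspect_ports": {p: n for p, n in per_port.items() if n >= port_threshold},
    }

if __name__ == "__main__":
    print(syn_flood_report(SAMPLE_SS))
```

On a live host, feed the real `ss -tan state syn-recv` output to `syn_flood_report`; when SYN cookies engage, the kernel also logs "Possible SYN flooding on port ..." in the kernel log.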
Layered Protection Strategy
No single defense mechanism is sufficient against all DDoS types. Effective protection requires multiple defense lines from the network edge to the application layer:
- Layer 1: Upstream / ISP Filtering. Volumetric attacks are filtered at your hosting provider's network infrastructure. Hosted Cloud offers data center-level DDoS scrubbing.
- Layer 2: CDN / Reverse Proxy. CDN services like Cloudflare distribute traffic across their global network, protecting the origin server. They absorb the majority of L3/L4 attacks.
- Layer 3: Firewall (iptables / nftables). Server-level rate limiting, geo-blocking, and connection limiting rules filter L4 attacks.
- Layer 4: WAF (Web Application Firewall). Detects L7 attacks and blocks application-layer attacks like HTTP flood, Slowloris, and API abuse.
L7 DDoS Protection with Nginx
Nginx's rate limiting and connection limiting modules create an effective first line of defense against L7 attacks. The following configuration limits requests and connections per IP:
```nginx
http {
    # Per-IP request limit (10 requests per second)
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
    # Per-IP connection limit
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;

    server {
        limit_req zone=req_limit burst=20 nodelay;
        limit_conn conn_limit 50;

        # Drop slow clients
        client_body_timeout 10s;
        client_header_timeout 10s;
        send_timeout 10s;
        keepalive_timeout 15s;
    }
}
```
💡 Tip: The burst=20 parameter allows short traffic spikes. With nodelay, burst requests are processed immediately without queuing. For more on Nginx rate limiting, check our Nginx Reverse Proxy guide.
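To make the rate, burst and nodelay semantics concrete, here is a small Python model of nginx's limit_req leaky bucket, added as an example for this guide rather than taken from nginx's own source. It keeps time in milliseconds and excess in milli-requests the way the module does; the client key and request timings are constructed, and the 10r/s and burst=20 values are the ones from the configuration above.

```python
from dataclasses import dataclass, field

@dataclass
class LimitReqZone:
    """Model of nginx's limit_req leaky bucket (constructed for this example, not nginx code).
    rate: requests per second (rate=10r/s); burst: extra requests tolerated before
    rejection (burst=20); nodelay: serve bursts at once instead of pacing them.
    Time is kept in milliseconds and excess in milli-requests, as nginx does."""
    rate: float
    burst: int
    nodelay: bool = False
    _state: dict = field(default_factory=dict)   # key -> (excess_m, last_ms)

    def request(self, key, now_ms):
        """Decide one request from `key` (e.g. the client IP) arriving at now_ms.
        Returns ('accept', delay_seconds) or ('reject', None); nginx answers a
        rejected request with 503 (limit_req_status)."""
        rate_m = int(self.rate * 1000)
        if key not in self._state:                  # first request: empty bucket
            self._state[key] = (0, now_ms)
            return ("accept", 0.0)
        excess_m, last_ms = self._state[key]
        # Drain the bucket at `rate` since the last request, then add this one
        excess_m = max(excess_m - rate_m * (now_ms - last_ms) // 1000, 0) + 1000
        if excess_m > self.burst * 1000:            # overflow: reject, state untouched
            return ("reject", None)
        self._state[key] = (excess_m, now_ms)
        delay = 0.0 if self.nodelay else excess_m / rate_m   # pacing without nodelay
        return ("accept", delay)

def simulate(count, interval_ms, rate=10, burst=20, nodelay=True, key="203.0.113.7"):
    """Send `count` requests from one client key spaced interval_ms apart.
    Returns (accepted, rejected, max_delay_seconds)."""
    zone = LimitReqZone(rate, burst, nodelay)
    accepted = rejected = 0
    max_delay = 0.0
    for i in range(count):
        verdict, delay = zone.request(key, i * interval_ms)
        if verdict == "accept":
            accepted += 1
            max_delay = max(max_delay, delay)
        else:
            rejected += 1
    return accepted, rejected, max_delay

if __name__ == "__main__":
    print(simulate(25, 0))                 # 25 at once: (21, 4, 0.0)
    print(simulate(60, 50))                # 20 r/s for 3 s: (50, 10, 0.0)
    print(simulate(25, 0, nodelay=False))  # paced instead: (21, 4, 2.0)
```

The second run shows why the burst matters: a client sending 20 r/s against a 10 r/s limit gets its first 40 requests through before the bucket overflows and every other request starts receiving 503.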
For comprehensive server security, check our SSH Hardening guide and the built-in DDoS protection features of Hosted Cloud servers. For more detailed firewall configuration, we recommend the Cloudflare DDoS guide.
Frequently Asked Questions
What's the difference between DDoS and DoS attacks?
A DoS attack comes from a single source and is typically bandwidth-limited. A DDoS attack comes from thousands of different sources (botnet) in a coordinated manner, making it much harder to block and generating much higher traffic volumes.
Does Cloudflare's free plan provide DDoS protection?
Yes, Cloudflare's free plan offers L3/L4 DDoS protection. However, advanced L7 protection, WAF rules, and bot management are available on Pro and higher plans. The free plan is sufficient for small to medium-scale attacks.
What should I do during a DDoS attack?
First, notify your hosting provider - they can initiate upstream filtering. If using Cloudflare, enable "Under Attack" mode. Analyze attack traffic and block specific IP ranges or countries with iptables.
Will rate limiting block legitimate users?
Properly configured rate limiting won't affect legitimate users. A limit of 10 requests per second is more than enough for normal browsing behavior. Use the burst parameter to allow short spikes and reduce false positives.
How much bandwidth is needed for DDoS protection?
Increasing server-level bandwidth is ineffective against volumetric attacks - attack volume can always be larger. The correct approach is to distribute and filter traffic using CDN/scrubbing services.
Conclusion
DDoS protection is not a single product or setting but a layered strategy. Use upstream filtering, CDN, firewall rules, and WAF together to cover all attack vectors from L3 to L7. Pre-attack preparation - SYN cookies, rate limiting, and connection limits - shortens your response time when an attack occurs.
Can Kaya, Security Specialist. CISSP-certified security expert creating content on cybersecurity, DDoS protection, and server hardening.