“DDoS Attacks for Beginners”

META

---

What is this longread about?

Hello to everyone reading this longread. I haven’t posted on Habr for quite a while, but 2022 turned out to be rather difficult in terms of DDoS attacks. Due to my line of work, I encountered many questions about what DDoS attacks are and whether they should be dealt with (WTF??? of course not, let everything go down… sure). Experienced professionals will probably not find this very interesting.

I should note right away that some readers, especially those involved in the banking sector, may find this text familiar. And yes, it was previously released in some form for a limited audience. However, enough time has passed, the data is still relevant, and since I was largely the author of that original text, I decided to publish a shortened and edited version on Habr—so I can simply share a link next time these questions come up, or use it for my students.

I’d also like to thank Qrator Labs—they did not directly participate in preparing this post, but made a significant contribution to the original version known in those narrow circles. Without them, it wouldn’t have existed :)


---

Summary of all parts

Since there is quite a lot of material, I decided to split it into several posts for easier reading.

Part 1: What you are reading now. The very basics: what a DDoS attack is and the main types of attacks, with examples.

Part 2: Protection against DDoS attacks.



---

DDoS — what is it?

“…And my DDoS picks me up from school…” (c) — quote from an old video “What do you know about information security” (YouTube); the child in it hears “DDoS” (Russian “дедос”) as a word for grandpa.

DoS (Denial of Service) is an attack on a computing system aimed at making it unavailable: creating conditions under which legitimate users cannot access the system's resources, or their access is significantly degraded.

DDoS (Distributed DoS) is a DoS attack launched from many sources at once (typically a botnet of compromised machines, or packets with spoofed source addresses), so that the combined traffic exhausts the computing or network resources of the target or of the external services it depends on (network providers, data sources, etc.). The distribution is what makes it hard to stop: there is no single source address to filter.

The goal of DoS/DDoS attacks is to prevent a service from responding properly and promptly to legitimate user requests, up to complete unavailability. Motivations may include unfair competition, hacktivism (ideological motives), extortion, espionage, political expression, or masking other intrusion activities.


---

Types of DDoS attacks

DDoS attacks come in many forms, typically classified by OSI layers:

1. Network-level attacks (L3/L4)
Aim to exhaust the bandwidth of the target or of its upstream providers. Examples: ICMP flood, UDP flood, Smurf attack (ICMP Echo Requests carrying the victim's spoofed address sent to a broadcast address, so every host on that segment replies to the victim). Ping of Death and ARP spoofing are often listed here as well, but neither is a bandwidth flood: the former crashes a vulnerable IP stack with an oversized, fragmented packet, and the latter only works inside a local network segment.
Includes amplification attacks (DNS, NTP, SSDP), in which the attacker sends small requests with the victim's spoofed source address to open servers, which return much larger responses to the victim; the ratio of response size to request size is the amplification factor, and the servers in between are the "vulnerable intermediaries".


2. Infrastructure attacks
Target the network equipment in front of the service: routers, firewalls, load balancers. Examples: SYN floods that fill the state table of a stateful firewall, routing loops (traffic bouncing between routers until its TTL expires), and BGP misconfigurations that withdraw or misroute the target's prefixes.


3. Transport-layer attacks (L4)
Exploit the fact that TCP is stateful: connection setup and teardown both cost the server memory, timers and queue slots. Examples: SYN flood, ACK flood, TCP connection flood.


4. SSL/TLS attacks
Exploit the asymmetric cost of encrypted protocols: a TLS handshake costs the server far more CPU than the client, so handshake floods and repeated renegotiation on a single connection hit the server's cryptographic capacity rather than its bandwidth.


5. Application-layer attacks (L7)
Target applications directly (HTTP, HTTPS, DNS, SMTP, etc.). Types include:

Low-and-slow attacks

High-volume request floods

Attacks mimicking real users





---

Examples of attacks

ICMP flood (L3)
Sends ICMP Echo Requests (pings) at a high rate, usually from spoofed sources, so that inbound bandwidth and the CPU spent answering them are exhausted.

UDP flood (L4)
Sends many UDP packets to random ports. For each one the target checks for a listening application, finds none, and answers with an ICMP Port Unreachable; the lookup and the reply both cost resources, and the replies eat outbound bandwidth as well.

SYN flood (L4)
Exploits the TCP three-way handshake: the attacker sends many SYN packets, typically from spoofed addresses, and never answers the SYN-ACK. Each half-open connection occupies a slot in the listen backlog until it times out, so new legitimate connections are dropped.

TCP connection flood
Completes the handshake and holds many connections open, or opens them faster than the server closes them, filling the connection table or worker pool. Because the handshake has to complete, the sources cannot be spoofed, so this usually comes from a botnet.

SSL/TLS attacks
Exploit the asymmetric cost of TLS: a full handshake, and especially repeated renegotiation on one connection, costs the server far more CPU than the client, so a handful of hosts can saturate a server's TLS workers.
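To make the two most common L3/L4 signatures concrete, here is an added Python example (written for this post, not code from the original article): it runs a SYN-flood check and an amplification check over constructed NetFlow-style flow records. The record fields, the IP addresses (documentation ranges), the sample traffic and the thresholds are all assumptions made for the illustration.

```python
"""Flow-level triage for two L3/L4 DDoS signatures: a SYN flood and a
UDP amplification (reflection) attack.

Added illustration for this post; not code from the original article.
The flow records are constructed in build_sample_flows() and mimic the
fields of a NetFlow/IPFIX export; the thresholds are illustrative defaults.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int
    flags: str    # TCP flag letters seen in the flow ("S", "SA", "SPA", ...); "" for UDP
    packets: int
    bytes: int


# Source ports of the classic UDP amplifiers named in the post
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


def build_sample_flows():
    """Constructed sample traffic (not a real capture)."""
    victim = "203.0.113.10"
    flows = []
    # legitimate HTTPS sessions: handshake completed, data exchanged
    for i in range(3):
        flows.append(Flow(f"198.51.100.{10 + i}", victim, "tcp", 50000 + i, 443, "SPA", 40, 30000))
    # SYN flood: one lone SYN per spoofed source, the handshake never completes
    for i in range(60):
        flows.append(Flow(f"198.51.100.{100 + i}", victim, "tcp", 40000 + i, 443, "S", 1, 60))
    # DNS amplification: 20 open resolvers answer queries the victim never sent
    for i in range(20):
        flows.append(Flow(f"192.0.2.{1 + i}", victim, "udp", 53, 33333, "", 10, 35000))
    # an ordinary DNS answer to an unrelated client, for contrast
    flows.append(Flow("192.0.2.53", "198.51.100.5", "udp", 53, 51234, "", 1, 120))
    return flows


def detect_syn_flood(flows, min_syn_flows=50, min_sources=20, min_syn_ratio=0.8):
    """Flag (dst, dport) pairs where most TCP flows are lone SYNs from many sources.

    A flow carrying 'S' but never 'A' is a half-open connection: someone (or a
    spoofed address) sent SYN, got SYN-ACK and never replied. A SYN flood leaves
    thousands of these while the listen backlog fills up.
    """
    per_service = defaultdict(lambda: {"syn_only": 0, "total": 0, "sources": set()})
    for f in flows:
        if f.proto != "tcp":
            continue
        s = per_service[(f.dst, f.dport)]
        s["total"] += 1
        if "S" in f.flags and "A" not in f.flags:
            s["syn_only"] += 1
            s["sources"].add(f.src)
    alerts = []
    for (dst, dport), s in per_service.items():
        ratio = s["syn_only"] / s["total"]
        if (s["syn_only"] >= min_syn_flows and len(s["sources"]) >= min_sources
                and ratio >= min_syn_ratio):
            alerts.append({"type": "syn_flood", "target": f"{dst}:{dport}",
                           "syn_only": s["syn_only"], "sources": len(s["sources"]),
                           "syn_ratio": round(ratio, 2)})
    return alerts


def detect_amplification(flows, min_reflectors=10, min_avg_bytes=1000):
    """Flag hosts receiving large UDP answers from many reflector servers at once.

    The victim never sent the queries (the attacker spoofed its address), so
    from the victim's side the attack is just a storm of big responses from
    port 53/123/1900 on many different servers.
    """
    per_target = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        s = per_target[(f.dst, f.sport)]
        s["reflectors"].add(f.src)
        s["packets"] += f.packets
        s["bytes"] += f.bytes
    alerts = []
    for (dst, sport), s in per_target.items():
        avg = s["bytes"] / s["packets"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            alerts.append({"type": "amplification", "protocol": REFLECTOR_PORTS[sport],
                           "target": dst, "reflectors": len(s["reflectors"]),
                           "avg_bytes_per_packet": int(avg)})
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    for alert in detect_syn_flood(sample) + detect_amplification(sample):
        print(alert)
```

Run it as a script to print the two alerts. The SYN-flood rule keys on flows that carry SYN but never ACK, the half-open connections described above; the amplification rule keys on many servers answering from a reflector port to one host with packets far bigger than any query. Real collectors export the same fields, so the logic transfers to NetFlow/IPFIX data; only the thresholds need tuning to the site's baseline.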


---

Application-layer attacks (L7)

HTTP flood
Sends a large volume of syntactically valid HTTP requests, often to the most expensive endpoints (search, login, uncached dynamic pages), so that application workers, the database and the cache run out of capacity long before the network link does.

HTTPS flood
Same as above, but inside TLS: the traffic has to be terminated and decrypted before it can be inspected at all, which costs the defender resources and hides the requests from network-level filtering.

WordPress Pingback DDoS
Abuses the XML-RPC pingback feature: the attacker asks many WordPress sites to verify a pingback that supposedly came from the victim's URL, and each site fetches that URL, so unpatched or unrestricted WordPress installations act as HTTP reflectors.

Full Browser Stack attacks
Drive real (headless) browsers that execute JavaScript, keep cookies and follow redirects, so simple JavaScript challenges and cookie checks are passed; telling them apart from real users takes behavioural analysis rather than inspection of individual requests.
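An added Python example (written for this post; not the original article's code) of the simplest L7 detection for the HTTP flood described above, a per-client request rate over a sliding window, run on constructed access-log lines in the common combined format. It also shows why that check alone misses a distributed flood whose members each behave like a real user, the "mimicking real users" case. The addresses, paths, timestamps and thresholds are assumptions.

```python
"""Per-client versus aggregate request rates on web access logs.

Added illustration for this post; not code from the original article. The
log lines are constructed in build_sample_log() in the common "combined"
format; thresholds and window sizes are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def build_sample_log():
    """Constructed sample log: normal browsing, then a single-source HTTP flood,
    then a distributed flood whose individual clients look like real users."""
    base = datetime(2022, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset, path="/"):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

    for i in range(5):                       # five real users, a page every 12 s
        for k in range(5):
            add(f"203.0.113.{i + 1}", 12 * k)
    for k in range(200):                     # one host: 200 requests in 10 s (from +60 s)
        add("198.51.100.9", 60 + k // 20, "/search?q=x")
    for i in range(40):                      # 40 hosts x 3 requests in 10 s (from +90 s)
        for k in range(3):
            add(f"192.0.2.{i + 1}", 90 + 3 * k, "/search?q=x")
    lines.sort(key=lambda ln: parse_line(ln)[1])
    return lines


def per_ip_bursts(lines, window=10, threshold=30):
    """Peak request count per client in any `window`-second sliding window;
    returns {ip: peak} for the clients above `threshold`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            events[parsed[0]].append(parsed[1])
    offenders = {}
    for ip, times in events.items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while (t - recent[0]).total_seconds() >= window:   # keep only [t - window, t]
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def aggregate_rate(lines, bucket=10):
    """Total requests per `bucket`-second bin, keyed by seconds since the first line."""
    times = sorted(p[1] for p in map(parse_line, lines) if p)
    start = times[0]
    bins = defaultdict(int)
    for t in times:
        offset = int((t - start).total_seconds())
        bins[offset - offset % bucket] += 1
    return dict(bins)


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP offenders:", per_ip_bursts(log))
    print("requests per 10 s:", aggregate_rate(log))
```

The single host that sends 200 requests in ten seconds is caught immediately; the forty hosts sending three requests each never cross the per-client threshold, yet the aggregate rate in their ten-second bin is twenty-four times the baseline of five requests. Per-client limits stop the crude flood; the user-like one only shows up when the whole site's rate, or the rate per expensive URL, is compared with its baseline.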

Slow attacks (Slowloris, RUDY)
Keep many connections open with minimal traffic: Slowloris sends HTTP request headers one line at a time and never finishes them, RUDY (R-U-Dead-Yet) declares a large POST body and sends it a few bytes at a time. A server that dedicates a thread or process to every connection runs out of workers while the network link stays almost idle.
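The mechanism is what decides which defences work, so here is an added Python model (written for this post; not the original article's code, and not a real server): a fixed number of connection slots, an attacker that drips one header line every few seconds to keep its connections alive and reconnects whenever one is closed, and legitimate clients that each need a slot for one second. The slot count, intervals, timeout values and IP addresses are assumptions.

```python
"""Toy discrete-time model of a Slowloris-style slow-header attack.

Added illustration for this post; not code from the original article and not
a real server. It models a thread-per-connection server with a fixed number
of slots and compares timeout policies against an attacker that keeps its
connections alive with a partial header line every few seconds.
"""
from dataclasses import dataclass


@dataclass(eq=False)
class Conn:
    client: str
    opened_at: int     # second at which the connection was accepted
    last_byte_at: int  # second at which the client last sent anything
    malicious: bool


class SlotServer:
    """Fixed-slot server with optional idle timeout (reset by every byte),
    absolute deadline for finishing the request header, and per-client cap."""

    def __init__(self, slots, idle_timeout=None, header_deadline=None, per_client_cap=None):
        self.slots = slots
        self.idle_timeout = idle_timeout
        self.header_deadline = header_deadline
        self.per_client_cap = per_client_cap
        self.conns = []

    def reap(self, now):
        keep = []
        for c in self.conns:
            idle = self.idle_timeout is not None and now - c.last_byte_at > self.idle_timeout
            overdue = self.header_deadline is not None and now - c.opened_at > self.header_deadline
            if not (idle or overdue):
                keep.append(c)
        self.conns = keep

    def accept(self, client, now, malicious):
        if len(self.conns) >= self.slots:
            return None
        if (self.per_client_cap is not None
                and sum(c.client == client for c in self.conns) >= self.per_client_cap):
            return None
        conn = Conn(client, now, now, malicious)
        self.conns.append(conn)
        return conn


def simulate(server, duration=120, attacker_conns=50, drip_interval=10, legit_interval=5):
    """Return (served, refused) counts for legitimate one-second requests."""
    attacker_ip = "198.51.100.7"        # a single attacking host
    served = refused = 0
    for now in range(duration):
        server.reap(now)
        # attacker: send one more header line on each live connection every drip_interval
        for c in server.conns:
            if c.malicious and now % drip_interval == 0:
                c.last_byte_at = now
        # ...and reopen whatever the server closed, up to attacker_conns in total
        live = sum(1 for c in server.conns if c.malicious)
        for _ in range(attacker_conns - live):
            if server.accept(attacker_ip, now, True) is None:
                break
        # a legitimate client sends a complete request and is done within the second
        if now % legit_interval == 0:
            conn = server.accept(f"203.0.113.{now % 200}", now, False)
            if conn is None:
                refused += 1
            else:
                served += 1
                server.conns.remove(conn)
    return served, refused


if __name__ == "__main__":
    print("no timeouts:          ", simulate(SlotServer(50)))
    print("idle timeout only:    ", simulate(SlotServer(50, idle_timeout=30)))
    print("+ header deadline:    ", simulate(SlotServer(50, idle_timeout=30, header_deadline=20)))
    print("+ per-client cap of 10:", simulate(SlotServer(50, idle_timeout=30,
                                                         header_deadline=20, per_client_cap=10)))
```

An idle timeout that resets on every byte is exactly what the drip defeats, however short it is; an absolute deadline for finishing the headers only forces the attacker to reconnect, which a Slowloris tool does anyway; the per-client cap is what restores service against a single attacking host. A distributed slow attack defeats the cap too, which is why the durable fix is a server or reverse proxy that does not bind a worker to each connection, a topic for the next part.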

DNS flood
Overloads authoritative or recursive DNS servers with queries, often for random non-existent subdomains so that caching does not help; once names stop resolving, every service behind them becomes unreachable even if those services themselves are healthy.


---

Attack vectors

In reality, attackers often combine multiple techniques and change strategies dynamically. Even one successful vector can take down a system.


---

Conclusion

In this longread, I tried to explain the basics of DDoS attacks and their main types. Hopefully, it will be useful for beginners. Thanks to everyone who made it to the end! In the next post, we will discuss how to defend against DDoS attacks and how to choose a protection solution.
 