What Is a DDoS Attack? A Plain-English Guide to Staying Online

A dark security operations room with monitors showing green code
Disclosure: some links in this guide are affiliate links — if you buy through them, ClickOn24 may earn a commission at no extra cost to you. Recommendations are based on our own research and are never paid placements.

Picture a small shop with one front door. Now picture ten thousand people, hired by a rival, all trying to squeeze through that door at once — not to buy anything, just to make sure real customers can’t get in.

That, in one image, is a DDoS attack. And if you run any kind of website, it’s worth understanding before it happens — not after.

Quick answer: A DDoS (Distributed Denial of Service) attack floods a website or server with so much fake traffic — usually from thousands of hijacked devices called a botnet — that it slows to a crawl or goes offline for real visitors. It doesn’t “hack” your data; it blocks access to it.

Key Takeaways

  • DDoS = Distributed Denial of Service: overwhelming a site with junk traffic so real users can’t get through.
  • The traffic comes from a botnet — thousands of infected computers, routers, and smart devices acting together.
  • A DDoS attack does not steal data by itself. It’s about disruption, extortion, or distraction.
  • The three main flavors: volumetric floods, protocol attacks, and application-layer attacks.
  • Small sites are targets too — attacks are cheap to rent and often automated.
  • Your best defenses are layered: a CDN, a web application firewall, rate limiting, and a host with DDoS protection built in.
Lines of green code on a laptop screen in a dark room
Attack traffic is generated by malware-infected devices — often without their owners ever knowing.

What Does DDoS Actually Stand For?

DDoS stands for Distributed Denial of Service.

Break that apart and the whole concept clicks. “Denial of service” means the goal is to deny normal service — to make a website, app, or API unavailable.

“Distributed” means the attack traffic doesn’t come from one machine. It comes from many — often thousands or millions — scattered across the world.

That distribution is what makes DDoS so hard to stop. You can’t just block one bad IP address, because the “attacker” looks like an army of ordinary devices.

What’s the Difference Between DoS and DDoS?

A plain DoS (Denial of Service) attack comes from a single source. One machine hammers your server with requests until something gives.

DoS attacks are easier to stop: identify the source, block it, done.

A DDoS attack distributes the same idea across a huge network of machines. Blocking one source does nothing — there are thousands more behind it.

Almost every serious attack today is distributed. Single-source attacks are mostly a thing of the past.

How Does a DDoS Attack Actually Work?

Nearly every DDoS attack follows the same three-step playbook.

Step 1: Build (or rent) a botnet

Attackers first infect a large number of internet-connected devices with malware — quietly. Laptops, home routers, security cameras, smart TVs, even connected fridges.

Each infected device becomes a “bot,” and together they form a botnet: a remote-controlled army whose owners usually have no idea they’re part of it.

Step 2: Point it at a target

The attacker sends one command, and every bot starts firing requests at the victim’s server, all at once.

From the server’s side, it looks like a sudden tidal wave of visitors — except none of them are real.

Step 3: Overwhelm a bottleneck

Every system has a limit: bandwidth, connection tables, CPU, memory, database queries. The flood aims to max out whichever limit breaks first.

Once that ceiling is hit, legitimate visitors get timeouts, error pages, or an endlessly spinning loader.

DDoS Attack Explained — PowerCert Animated Videos

What Is a Botnet, in Plain English?

A botnet is a network of hijacked devices that a criminal can command remotely, like puppets on strings.

The scary part is how ordinary the recruits are. That cheap security camera you never updated? The old router with the default password? Both are prime botnet material.

Because the devices are legitimate machines on legitimate networks, their traffic is very hard to tell apart from real users — which is exactly the point.

This is also why keeping your own devices updated matters. Weak gadgets don’t just put you at risk; they get drafted into attacks on everyone else.

What Are the Main Types of DDoS Attacks?

Security folks group DDoS attacks into three broad categories, based on which part of the system they target.

1. Volumetric attacks (the brute-force flood)

These aim to saturate your bandwidth — the pipe itself. Think UDP floods and DNS amplification, where attackers trick other servers into blasting huge responses at your address.

Measured in gigabits or even terabits per second, these are the “headline” attacks that make the news.

2. Protocol attacks (exploiting the plumbing)

These abuse weaknesses in networking protocols to exhaust server resources rather than raw bandwidth.

The classic example is a SYN flood: the attacker starts thousands of TCP handshakes but never finishes them, leaving the server holding open connections until it can’t accept new ones.

3. Application-layer attacks (the quiet killer)

These target the application itself — layer 7 in networking terms. The bots send what look like normal requests: loading pages, running searches, submitting forms.

Each request forces your server to do real work (database queries, page rendering), so even a modest flood can take down a site. These are the hardest to detect because the traffic looks so legitimate.

Why Do Attackers Launch DDoS Attacks?

Understanding motive helps you gauge your own risk. The common reasons:

Extortion. “Pay us or we keep your store offline.” Ransom DDoS campaigns target businesses that lose money every minute they’re down.

Competition. Yes, some businesses attack rivals — especially in gaming, e-commerce, and gambling niches.

Hacktivism. Groups knock sites offline to make a political or ideological point.

Distraction. Sometimes a DDoS is a smokescreen: while your team scrambles to restore service, attackers probe for a way to steal data.

Because it’s cheap. “Booter” services on shady corners of the internet rent attack power for a few dollars. A bored teenager can take down an unprotected small site — and sometimes does.

A modern server tower seen from above in blue light
Every server has limits — bandwidth, connections, CPU. A DDoS aims to exhaust one of them.

Does a DDoS Attack Steal Your Data?

By itself, no — and this is one of the most misunderstood parts of the topic.

A DDoS attack is a traffic jam, not a break-in. It blocks the road; it doesn’t pick the lock.

The caveat: attacks are sometimes used as cover. While defenders firefight the flood, a second, quieter intrusion attempt may target logins or vulnerabilities.

So treat a DDoS as a security event, not just a performance problem. Once the dust settles, check your logs for anything else that happened during the chaos.

How Can You Tell If You’re Under a DDoS Attack?

A DDoS can look a lot like an ordinary traffic spike — or a viral post. Signs that point to an attack:

  • The site becomes slow or unreachable suddenly, with no marketing push or viral moment to explain it.
  • Traffic analytics show floods of requests from unusual regions, or thousands of hits on a single URL.
  • Requests come at machine-like, perfectly regular intervals.
  • Your host or monitoring tool alerts on bandwidth or connection limits being maxed.
  • Error rates (502, 503, timeouts) climb while actual sales or signups drop to zero.

A genuine viral spike usually builds over minutes to hours and comes from diverse, human-looking sources. An attack often switches on like a light.

How Much Damage Can a DDoS Attack Do?

For a business, the damage is mostly measured in downtime.

An offline store sells nothing. An offline SaaS app burns customer trust. An offline content site loses ad revenue and rankings momentum.

There are second-order costs, too: emergency engineering hours, potential SLA payouts, and the reputation hit when customers find your site down twice in a week.

For small sites, the biggest cost is often the panic itself — hours lost diagnosing, and hasty decisions made under pressure. Which is why a little preparation goes a long way.

Are Small Websites Really Targets?

Unfortunately, yes — and this surprises a lot of site owners.

Attacks are cheap to rent and increasingly automated. Some campaigns simply sweep ranges of sites looking for anything unprotected.

Small sites also get caught in the blast radius: if a site sharing your server (on cheap shared hosting) gets attacked, your site can go down with it.

You don’t need enterprise-grade defenses for a blog or small store. But you do want the basics — most of which cost nothing.

Blue ethernet cables plugged into a network switch
Layered network defenses filter attack traffic before it ever reaches your origin server.

How Do Websites Defend Against DDoS Attacks?

Real protection is layered. No single tool stops everything, but a few layers together stop almost all of it — the same defense-in-depth approach IBM’s security team describes for enterprises, scaled to normal-website budgets.

Layer 1: A CDN in front of your site

A content delivery network (CDN) spreads your site across many servers worldwide. Attack traffic gets absorbed and diluted across that network instead of hitting your single origin server.

CDNs also cache your pages, which means many requests never reach your server at all. We explain the mechanics in our guide to what caching is and why fast sites are fast.

Layer 2: A web application firewall (WAF)

A WAF inspects incoming requests and filters out known-bad patterns before they reach your application. Good ones detect bot signatures, block abusive IPs automatically, and challenge suspicious visitors.

Layer 3: A reverse proxy

Services like Cloudflare work as a reverse proxy — a front desk that receives all traffic on your behalf, hides your server’s real address, and only forwards clean requests.

If attackers can’t find your origin IP, they can’t aim at it directly.

Layer 4: Rate limiting

Rate limiting caps how many requests one visitor can make per minute. Humans browse at human speed; bots don’t. Sensible limits stop a single bot from hammering your login or search endpoint hundreds of times a second.

Layer 5: A host with protection built in

Good hosting providers run network-level DDoS mitigation for all customers — scrubbing obvious flood traffic before it ever reaches your server.

What Role Does DNS Play in DDoS?

DNS — the internet’s address book — shows up in this story twice.

First, as a victim: if attackers take down your DNS provider, your site becomes unreachable even though your server is fine. The huge 2016 attack on the DNS provider Dyn knocked out major sites across the US for hours.

Second, as a weapon: in DNS amplification attacks, criminals abuse open DNS servers to multiply their attack traffic many times over.

If DNS is fuzzy for you, our plain-English explainer on how DNS works covers it in ten minutes.

What Should You Do During an Attack?

If you’re under attack right now, work the list:

  • Contact your host first. They can see the traffic and often enable mitigation on their side within minutes.
  • Turn on “under attack” mode if you use Cloudflare or a similar service — it adds a challenge page that filters bots.
  • Don’t reboot in circles. Restarting the server rarely helps; the flood just resumes.
  • Preserve logs. You’ll want them for analysis, and possibly for reports to your provider.
  • Watch for secondary attacks. Check admin logins and file changes once service is restored.
  • Communicate. A short status note to customers beats silence.
Program code on a dark monitor
Application-layer attacks disguise themselves as normal requests — the hardest kind to filter.

How Do You Prepare Before an Attack Ever Happens?

Preparation is cheaper than reaction. A weekend checklist:

  • Put your site behind a CDN/proxy service — free tiers exist and are genuinely useful.
  • Choose a host that includes network-level DDoS protection (most reputable ones now do).
  • Enable caching aggressively so most page loads never touch your server.
  • Hide your origin IP: once behind a proxy, make sure DNS records or email headers don’t leak the real address.
  • Harden the basics — our WordPress security guide covers logins, updates, and backups.
  • Know your host’s support channel before you need it at 2 a.m.

If you’re choosing hosting with resilience in mind, our honest budget pick is Hostinger, whose plans sit behind network-level DDoS mitigation by default.
Check Hostinger plans →

Do Cloud Providers Protect You Automatically?

Partly. Big clouds bake basic protection into their networks — AWS Shield Standard, for example, defends against common network-level floods at no extra cost.

Paid tiers add deeper protection and response teams for application-layer attacks.

We’ve covered this side in detail in our guide to DDoS protection with AWS Shield — worth a read if your stack lives on AWS.

The key nuance: cloud protection guards the infrastructure. Your application can still be overwhelmed by layer-7 attacks unless you add a WAF and rate limiting on top.

Famous DDoS Attacks That Shaped the Internet

A few incidents show the scale this can reach.

The 2016 Mirai botnet attacks weaponized hundreds of thousands of cheap smart devices — cameras, DVRs, routers — and took down the DNS provider Dyn, briefly breaking access to huge swaths of the web in the US.

In 2018, GitHub absorbed one of the largest attacks recorded at the time — roughly 1.35 terabits per second — and stayed up thanks to rapid mitigation.

Since then, providers like Google and Cloudflare have reported blocking attacks measured in hundreds of millions of requests per second. The arms race is real — and it’s exactly why outsourcing this fight to big networks makes sense for the rest of us.

Common Myths About DDoS Attacks

“My site is too small to be attacked.” Attacks cost almost nothing to launch and are often indiscriminate. Small sites go down every day.

“A DDoS means I’ve been hacked.” Not by itself. Your data is likely untouched — but stay alert for attacks used as distractions.

“More server power solves it.” You can’t out-buy a botnet. A bigger server just takes slightly longer to fall over. Filtering, not muscle, wins.

“A firewall on my server is enough.” By the time flood traffic reaches your server’s firewall, your bandwidth is already saturated. Protection has to sit in front of your server, on someone else’s bigger network.

“VPNs prevent DDoS attacks on websites.” A VPN hides your device’s address — useful for gamers. It does nothing for a public website, which must be reachable by everyone.

Mistakes Site Owners Make

Exposing the origin IP. Putting a proxy in front of your site, then leaving the server’s real IP visible in old DNS records — attackers just aim past the proxy.

Ignoring the application layer. Network protection alone won’t stop slow, legitimate-looking request floods against your search page.

No monitoring. If your first alert is a customer email, you’ve lost an hour. Free uptime monitors ping your site every minute.

Paying ransoms. Paying tells attackers you’re profitable to attack. Mitigation beats negotiation.

Treating it as one-and-done. Attackers retry. Keep the defenses on after the storm passes.

DDoS and SEO: Does Downtime Hurt Rankings?

Brief downtime — hours — rarely causes lasting SEO damage. Search engines understand that servers hiccup.

Extended or repeated outages are different. If crawlers keep meeting errors over days, rankings can slip, and recovering takes time.

One more reason the CDN layer pays for itself: cached copies of your pages can keep serving visitors (and crawlers) even while your origin struggles.

The Bottom Line

A DDoS attack is a flood, not a burglary: an army of hijacked devices overwhelming your site so real visitors can’t get in.

You can’t prevent someone from attacking — but you can decide, today, whether an attack finds an easy target or bounces off layers of CDN, firewall, and host-level protection.

Set up the free layers this week. Your 2 a.m. self will thank you.

Frequently Asked Questions

What is a DDoS attack in simple terms?

It’s when attackers flood a website with fake traffic from thousands of hijacked devices, overwhelming it so real visitors can’t get through. Think of ten thousand fake customers jamming a shop’s only door.

Is DDoSing illegal?

Yes. In the US, launching a DDoS attack violates the Computer Fraud and Abuse Act, with penalties that can include prison time. Renting a “booter” service is illegal too, and law enforcement regularly takes these services down.

How long does a DDoS attack last?

Anywhere from a few minutes to several days. Many are short bursts designed to demonstrate capability or extort payment; sustained attacks are rarer because they cost attackers more.

Can a DDoS attack steal my passwords or data?

Not directly — it blocks access rather than breaking in. But attacks are sometimes used to distract teams while a separate intrusion is attempted, so review your security logs after any incident.

How much does DDoS protection cost?

The essential layers can be free: Cloudflare’s free tier includes CDN, proxying, and basic mitigation, and reputable hosts include network-level protection. Paid plans add stronger application-layer defenses for business-critical sites.

Can I trace who launched a DDoS attack?

Rarely. The traffic comes from innocent infected devices, not the attacker’s own machines. Attribution usually requires law-enforcement-level investigation of the botnet’s command infrastructure.

What’s the difference between a DDoS attack and a traffic spike?

A real spike builds gradually, comes from human-looking sources, and produces engagement (sales, signups, comments). An attack switches on abruptly, hits odd endpoints at machine-regular intervals, and produces zero engagement.

The bottom line on staying reachable

The internet’s openness is exactly what DDoS abuses — anyone can knock on your door, so someone eventually knocks ten million times. Layer your defenses, pick infrastructure partners who fight this daily, and an attack becomes an inconvenience instead of a catastrophe.

You May Also Like