
DDoS Attacks and IP Addresses: Complete Guide

Distributed Denial of Service (DDoS) attacks are among the most disruptive cyber threats, using IP addresses to overwhelm targets with massive traffic volumes. Understanding DDoS attacks, how they work, and how to protect against them is crucial for anyone managing internet-facing services. This comprehensive guide explains everything you need to know about DDoS attacks and IP addresses.

What is a DDoS Attack?

A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt normal traffic to a targeted server, service, or network by overwhelming it with a flood of internet traffic from multiple sources. Unlike a DoS (Denial of Service) attack from a single source, DDoS attacks use many compromised systems to generate attack traffic, often utilizing IP spoofing techniques.

How DDoS Attacks Work

Basic concept:

Attacker controls botnet (thousands of compromised devices)
Commands botnet to send traffic to target
Target overwhelmed by volume
Legitimate users can't access service
Service unavailable

Attack flow:

Attacker → Command & Control (C&C) Server
         ↓
    Botnet (infected devices)
         ↓
    Target Server (overwhelmed)

DDoS vs DoS

DoS (Denial of Service):

Single source attack
One IP address
Easier to block
Limited scale
Less common

DDoS (Distributed Denial of Service):

Multiple source attack
Thousands of IP addresses
Hard to block
Massive scale
Very common

Types of DDoS Attacks

Volume-Based Attacks

Goal: Consume bandwidth

Methods:

UDP Flood:

Send massive UDP packets
Random or specific ports
Overwhelm network capacity
Consume all bandwidth

ICMP Flood (Ping Flood):

Send massive ICMP echo requests
Overwhelm with ping packets
Consume bandwidth
Exhaust resources

DNS Amplification:

Spoof victim's IP
Send DNS queries to open resolvers
Small query → Large response
Amplification factor: 28-54x
Victim flooded with responses

NTP Amplification:

Exploit NTP monlist command
Amplification factor: 556x
Small request → Huge response
Devastating bandwidth consumption

Characteristics:

Measured in: Gbps (Gigabits per second)
Attack size: 10-1000+ Gbps
Duration: Minutes to hours
Impact: Network saturation

Protocol Attacks

Goal: Exhaust server resources

Methods:

SYN Flood:

Send massive SYN packets
Spoof source IP addresses
Server allocates resources
Waits for ACK that never comes
Connection table exhausted

Process:

Attacker: SYN (spoofed source)
Server: SYN-ACK (to spoofed IP)
Server: Waits for ACK
Server: Resources tied up
Repeat millions of times

Ping of Death:

Send oversized ICMP packets
Exceeds maximum packet size
Causes buffer overflow
System crash or hang

Smurf Attack:

Spoof victim's IP
Send ICMP to broadcast address
All hosts respond to victim
Amplification attack
Network congestion

Characteristics:

Measured in: Packets per second (PPS)
Attack size: 10-100+ million PPS
Duration: Minutes to hours
Impact: Resource exhaustion

Application Layer Attacks (Layer 7)

Goal: Exhaust application resources

Methods:

HTTP Flood:

Send massive HTTP requests
GET or POST requests
Appear legitimate
Overwhelm web server
Application crashes

Slowloris:

Open many connections
Send partial HTTP requests
Keep connections alive
Never complete requests
Exhaust connection pool

DNS Query Flood:

Massive DNS queries
Overwhelm DNS server
Prevent legitimate lookups
Service unavailable

Application-Specific:

WordPress XML-RPC attacks
API endpoint flooding
Database query floods
Resource-intensive operations

Characteristics:

Measured in: Requests per second (RPS)
Attack size: 10,000-1,000,000+ RPS
Duration: Hours to days
Impact: Application unavailability
Hardest to detect and mitigate

DDoS Attack Vectors

Botnets

What is a botnet?

Network of infected devices
Controlled by attacker
Used for DDoS attacks
Can be rented/sold

Common botnet types:

Mirai:

Targets IoT devices
Default credentials
Cameras, DVRs, routers
Massive DDoS capability

Emotet:

Banking trojan turned botnet
Email-based infection
Modular architecture
DDoS functionality

Botnet size:

Small: 1,000-10,000 bots
Medium: 10,000-100,000 bots
Large: 100,000-1,000,000+ bots
Record: 2.4 million (Mirai)

Amplification Attacks

How amplification works:

Attacker sends small request
Spoofs victim's IP as source
Server sends large response to victim
Amplification factor multiplies attack

Common amplification protocols:

Protocol    Amplification Factor   Default Port
Memcached   51,000x                11211
NTP         556x                   123
DNS         28-54x                 53
SSDP        30x                    1900
CharGen     358x                   19
SNMP        6x                     161

Example DNS amplification:

Attacker query: 60 bytes
DNS response: 3,000 bytes
Amplification: 50x
1 Gbps attack → 50 Gbps at victim

Reflection Attacks

How reflection works:

Attacker spoofs victim's IP
Sends requests to third-party servers
Servers respond to victim
Victim receives unwanted traffic
Hides attacker's identity

Reflection + Amplification:

Most powerful combination
Small attack → Massive impact
Hard to trace
Common in modern DDoS

Notable DDoS Attacks

Record-Breaking Attacks

Google (2020):

Size: 2.54 Tbps
Method: CLDAP reflection
Duration: 6 months (campaign)
Mitigated successfully

Amazon AWS (2020):

Size: 2.3 Tbps
Method: CLDAP reflection
Duration: 3 days
Mitigated successfully

GitHub (2018):

Size: 1.35 Tbps
Method: Memcached amplification
Duration: 20 minutes
Peak: 126.9 million PPS

Dyn DNS (2016):

Size: 1.2 Tbps
Method: Mirai botnet
Impact: Major internet outage
Affected: Twitter, Netflix, Reddit, etc.

Impact Examples

Dyn Attack Impact:

DNS provider overwhelmed
Major websites unreachable
East Coast US affected
Lasted several hours
Mirai botnet responsible

Spamhaus (2013):

Size: 300 Gbps (a record at the time)
Method: DNS amplification
Impact: Internet slowdown
Cloudflare helped mitigate

IP Addresses in DDoS Attacks

Source IP Spoofing

Why spoof IPs:

Hide attacker identity
Enable amplification
Bypass IP-based blocking
Complicate attribution

How it works:

Attacker modifies packet headers
Sets false source IP
Victim's IP used in amplification
Responses flood victim

Detection:

Impossible source IPs (reserved, private, or unallocated ranges)
Geographic inconsistencies
TTL anomalies
Packet timing

Distributed Sources

Attack characteristics:

Thousands of source IPs
Global distribution
Residential IPs
Mobile IPs
IoT devices
Cloud instances

Makes blocking difficult:

Can't block all sources
Legitimate IPs mixed in
Constantly changing
Overwhelming volume

Target IP Addresses

Single IP target:

Specific server
Website
API endpoint
Game server

Multiple IP targets:

Entire subnet
Multiple servers
Infrastructure
Distributed attack

Detecting DDoS Attacks

Traffic Anomalies

Volume spikes:

Sudden traffic increase
10x-1000x normal
Sustained high volume
Unusual patterns

Geographic anomalies:

Traffic from unexpected countries
Unusual distribution
Concentrated sources
Bot-like patterns

Protocol anomalies:

Unusual protocol mix
Malformed packets
Unexpected packet sizes
Protocol violations

Performance Indicators

Server symptoms:

Slow response times
Timeouts
High CPU/memory usage
Connection exhaustion
Service crashes

Network symptoms:

Bandwidth saturation
Packet loss
High latency
Network congestion
Router/firewall overload

Monitoring Tools

NetFlow/sFlow:

Traffic flow analysis
Source/destination tracking
Volume monitoring
Pattern detection

SNMP:

Interface statistics
Bandwidth utilization
Error rates
Device health

IDS/IPS:

Snort
Suricata
Attack signatures
Anomaly detection

DDoS-specific:

Arbor Networks
Cloudflare Analytics
Fastly Real-time Stats
Custom dashboards
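
An added example, not part of the original guide, of how exported flow records feed the anomaly checks above: it learns a bytes-per-second baseline for the target, flags seconds that exceed the 10x threshold, and flags large unsolicited UDP responses arriving from the well-known reflector ports. The flow records, addresses and thresholds are all constructed.

```python
from collections import defaultdict
# Constructed NetFlow-style records: (second, src_ip, src_port, dst_ip, dst_port, proto, bytes, pkts)
TARGET = "203.0.113.10"                       # constructed victim address
BASELINE_FLOWS = [                            # known-good traffic used to learn "normal"
    (1, "198.51.100.7", 51000, TARGET, 443, "tcp", 40000, 40),
    (2, "198.51.100.8", 52000, TARGET, 443, "tcp", 60000, 55),
    (3, "198.51.100.9", 53000, TARGET, 443, "tcp", 50000, 48),
]
ATTACK_FLOWS = [
    (100, TARGET, 40000, "198.51.100.53", 53, "udp", 60, 1),        # target's own DNS query
    (100, "198.51.100.53", 53, TARGET, 40000, "udp", 300, 1),       # the solicited answer
    (100, "192.0.2.11", 53, TARGET, 8080, "udp", 3_000_000, 1000),  # unsolicited, 3000 B/pkt
    (100, "192.0.2.12", 53, TARGET, 8080, "udp", 3_000_000, 1000),
    (100, "192.0.2.13", 53, TARGET, 8080, "udp", 3_000_000, 1000),
    (101, "192.0.2.14", 123, TARGET, 8080, "udp", 482_000, 1000),   # single NTP reflector
]
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "Memcached", 1900: "SSDP", 19: "CharGen", 161: "SNMP"}
SPIKE_FACTOR = 10          # the guide's lower bound for attack volume vs. normal
MIN_REFLECTORS, MIN_BYTES_PER_PKT = 3, 1000   # distinct sources; amplified responses are large

def baseline_bps(flows, target):
    """Average inbound bytes per second toward target over the baseline window."""
    per_sec = defaultdict(int)
    for sec, _s, _sp, dst, _dp, _pr, nbytes, _pk in flows:
        if dst == target:
            per_sec[sec] += nbytes
    return sum(per_sec.values()) / len(per_sec)

def detect(flows, baseline, target):
    """Flag volume spikes and unsolicited amplified responses toward target."""
    requested = {(dst, dport) for _t, src, _sp, dst, dport, _pr, _b, _p in flows if src == target}
    per_sec = defaultdict(int)
    reflect = defaultdict(lambda: [set(), 0, 0])            # sport -> [sources, bytes, pkts]
    for sec, src, sport, dst, dport, proto, nbytes, pkts in flows:
        if dst != target:
            continue
        per_sec[sec] += nbytes
        if proto == "udp" and sport in REFLECTOR_PORTS and (src, sport) not in requested:
            r = reflect[sport]
            r[0].add(src); r[1] += nbytes; r[2] += pkts
    alerts = []
    for sec, total in sorted(per_sec.items()):
        if total > SPIKE_FACTOR * baseline:
            alerts.append(f"t={sec}: {total} B/s is {total / baseline:.0f}x baseline")
    for sport, (srcs, nbytes, pkts) in reflect.items():
        if len(srcs) >= MIN_REFLECTORS and nbytes / pkts > MIN_BYTES_PER_PKT:
            alerts.append(f"{REFLECTOR_PORTS[sport]} reflection from {len(srcs)} sources, {nbytes // pkts} B/pkt")
    return alerts
```

The solicited-answer check is what separates a legitimate resolver reply from a reflection: the target sent a query to 198.51.100.53, so that response is ignored while the three others are flagged.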

Mitigating DDoS Attacks

Network-Level Mitigation

Rate limiting:

Limit connections per IP
Limit requests per second
Threshold-based blocking
Gradual degradation

IP filtering:

Blacklist known attackers
Whitelist legitimate sources
Geo-blocking
ASN blocking

Traffic shaping:

Prioritize legitimate traffic
QoS policies
Bandwidth allocation
Connection limits

Application-Level Mitigation

Web Application Firewall (WAF):

Filter malicious requests
Rate limiting
Bot detection
Challenge-response (CAPTCHA)

Caching:

CDN caching
Reduce origin load
Serve static content
Edge caching

Load balancing:

Distribute traffic
Multiple servers
Auto-scaling
Failover

Infrastructure Protection

Overprovisioning:

Excess bandwidth
Extra server capacity
Redundant infrastructure
Absorb attack traffic

Network segmentation:

Isolate critical services
DMZ configuration
Internal firewalls
Limit attack spread

Anycast:

Distribute traffic globally
Multiple PoPs
Closest server responds
Attack distributed

DDoS Protection Services

Cloud-based scrubbing:

Cloudflare:

Global network
Automatic mitigation
Free tier available
Enterprise solutions

Akamai:

Massive capacity
Scrubbing centers
Enterprise-focused
High-volume protection

AWS Shield:

Standard (free)
Advanced (paid)
Integration with AWS
Automatic protection

Fastly:

Edge cloud platform
Real-time mitigation
Developer-friendly
Modern architecture

On-premise solutions:

Arbor Networks
Radware
F5 Networks
Cisco

DDoS Attack Prevention

Network Hardening

Disable unnecessary services:

Close unused ports
Remove amplification vectors
Disable DNS recursion
Secure NTP
Disable SSDP

Implement BCP 38:

Ingress filtering
Prevent IP spoofing
Verify source addresses
ISP-level filtering
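
An added example (not the guide's own code) that implements BCP 38 ingress filtering as a strict unicast-RPF check against a constructed routing table; the same check catches the "impossible" source addresses listed under Source IP Spoofing detection. Interface names, prefixes and the bogon list are assumptions.

```python
import ipaddress

# Constructed edge-router FIB: prefix -> interface that reaches it.
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "ge-0/0/1",    # customer A
    ipaddress.ip_network("203.0.113.0/25"): "ge-0/0/2",     # customer B
    ipaddress.ip_network("203.0.113.128/26"): "ge-0/0/2",   # customer B, second block
    ipaddress.ip_network("0.0.0.0/0"): "ge-0/0/0",          # upstream transit
}
# Sources that can never legitimately appear on an Internet-facing link.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def best_route(addr):
    """Longest-prefix match; returns the interface the FIB would use to reach addr."""
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda net: net.prefixlen)]

def ingress_verdict(iface, src):
    """Strict uRPF: accept a packet only if its source is reachable back out the
    interface it arrived on. Anything else is spoofed (or a bogon)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop:bogon"
    return "accept" if best_route(addr) == iface else "drop:spoofed"

def audit(packets):
    """Summarise verdicts for (ingress_iface, src_ip) pairs, e.g. from a flow export."""
    summary = {}
    for iface, src in packets:
        verdict = ingress_verdict(iface, src)
        summary[verdict] = summary.get(verdict, 0) + 1
    return summary

# Constructed sample: customer B's link carrying one legitimate packet, two
# packets claiming other networks' addresses, and one bogon.
SAMPLE = [("ge-0/0/2", "203.0.113.40"), ("ge-0/0/2", "198.51.100.9"),
          ("ge-0/0/2", "203.0.113.200"), ("ge-0/0/2", "10.0.0.5")]
```

Strict mode belongs on customer edges: on the transit interface ge-0/0/0 the default route makes every source "valid", and multihomed customers need loose mode or explicit prefix ACLs instead.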

Rate limiting:

Connection limits
Request rate limits
Bandwidth limits
Per-IP limits
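
An added example, not the guide's code, implementing the per-IP limits listed here and under Network-Level Mitigation: a sliding-window request counter per source, threshold-based temporary blocking after repeated violations, and a halved per-IP budget while total load is high (gradual degradation). The limits, timings and class name are assumptions.

```python
from collections import defaultdict, deque

class PerIpLimiter:
    """Sliding-window request limiter per source IP with threshold-based blocking.
    Assumed policy: max_rps requests per rolling window; repeated violations earn a
    temporary block; the budget halves when global load exceeds degrade_above."""

    def __init__(self, max_rps=20, window=1.0, strikes_to_block=3, block_seconds=60,
                 degrade_above=1000):
        self.max_rps, self.window = max_rps, window
        self.strikes_to_block, self.block_seconds = strikes_to_block, block_seconds
        self.degrade_above = degrade_above         # global requests/window that trigger degradation
        self.hits = defaultdict(deque)             # ip -> timestamps inside the window
        self.strikes = defaultdict(int)            # ip -> consecutive over-limit events
        self.blocked_until = {}                    # ip -> time the block expires
        self.global_hits = deque()                 # all served requests in the window

    def _trim(self, q, now):
        while q and q[0] <= now - self.window:
            q.popleft()

    def current_limit(self, now):
        """Per-IP budget, halved while global load exceeds degrade_above."""
        self._trim(self.global_hits, now)
        return self.max_rps // 2 if len(self.global_hits) > self.degrade_above else self.max_rps

    def allow(self, ip, now):
        """True if the request from ip at time now should be served."""
        if self.blocked_until.get(ip, 0) > now:
            return False
        q = self.hits[ip]
        self._trim(q, now)
        if len(q) >= self.current_limit(now):
            self.strikes[ip] += 1
            if self.strikes[ip] >= self.strikes_to_block:
                self.blocked_until[ip] = now + self.block_seconds
                self.strikes[ip] = 0
            return False
        q.append(now)
        self.global_hits.append(now)
        return True

def simulate(limiter, events):
    """events: (time, ip) in time order. Returns {ip: (served, rejected)}."""
    result = defaultdict(lambda: [0, 0])
    for t, ip in events:
        result[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in result.items()}
```

Per-IP limits only help against sources that repeat; a large botnet that stays under the threshold per bot is what the global degradation path and upstream scrubbing are for.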

Application Hardening

Input validation:

Validate all input
Reject malformed requests
Limit request size
Timeout long requests

Resource limits:

Connection timeouts
Request timeouts
Memory limits
CPU limits

Caching:

Cache aggressively
Reduce database load
Static content CDN
API response caching

Monitoring and Alerting

Baseline normal traffic:

Establish patterns
Know normal volumes
Geographic distribution
Protocol mix

Set up alerts:

Traffic spikes
Error rate increases
Response time degradation
Resource exhaustion

Incident response plan:

Detection procedures
Escalation path
Mitigation steps
Communication plan

Response to DDoS Attack

Immediate Actions

1. Confirm attack:

Verify it's DDoS
Not legitimate traffic spike
Not infrastructure failure
Identify attack type

2. Activate DDoS protection:

Enable cloud scrubbing
Activate WAF rules
Implement rate limiting
Contact DDoS provider

3. Communicate:

Notify stakeholders
Update status page
Inform customers
Coordinate with ISP

4. Log everything:

Capture traffic samples
Save logs
Document timeline
Preserve evidence

During Attack

Monitor continuously:

Track attack metrics
Measure mitigation effectiveness
Watch for attack evolution
Monitor infrastructure health

Adjust mitigation:

Tune rules
Add filters
Scale resources
Optimize configuration

Maintain communication:

Regular updates
Stakeholder briefings
Customer notifications
Team coordination

Post-Attack

Analysis:

Attack vectors used
Peak volumes
Duration
Mitigation effectiveness
Lessons learned

Improvements:

Update defenses
Patch vulnerabilities
Enhance monitoring
Improve response plan

Documentation:

Incident report
Timeline
Actions taken
Recommendations

Legal and Ethical Considerations

DDoS is Illegal

Laws:

Computer Fraud and Abuse Act (US)
Computer Misuse Act (UK)
Cybercrime laws worldwide
Severe penalties

Penalties:

Criminal charges
Fines
Imprisonment
Civil liability

Legitimate Testing

Authorized testing only:

Written permission
Controlled environment
Professional services
Compliance with laws

DDoS testing services:

Legitimate providers
Authorized testing
Controlled attacks
Measure resilience

Conclusion

DDoS attacks represent a significant threat to online services, using IP addresses and network protocols to overwhelm targets with traffic. Understanding attack types, detection methods, and mitigation strategies is essential for protecting internet-facing services.



Key takeaways:

DDoS uses distributed sources to overwhelm targets
Three main types: volume, protocol, application
IP spoofing enables amplification attacks
Botnets provide attack infrastructure
Detection requires monitoring and baselines
Mitigation needs multiple layers
Cloud scrubbing services highly effective
Prevention includes hardening and rate limiting
Incident response plan essential
DDoS attacks are illegal
Professional protection services recommended

DDoS attacks are a persistent threat that requires proactive preparation, robust defenses, and professional mitigation services. No organization is immune, but proper planning, monitoring, and protection significantly reduce risk and impact. Invest in DDoS protection before you need it—recovery from an unprepared attack is far more expensive than prevention.
