April 28, 2026 · Updated April 28, 2026 | 8 min read | Antoine Duno

DDoS Attack Protection: The Complete Guide for Website Owners

DDoS attacks can take your website offline in minutes. This guide covers every attack type, proven mitigation strategies, and how to test your defenses before attackers do.

ZeriFlow Team


DDoS protection is no longer optional — volumetric floods, protocol exploits, and application-layer attacks hit sites of every size, every day. Whether you run a SaaS dashboard, an e-commerce store, or a corporate blog, understanding how DDoS attacks work is the first step toward making your infrastructure resilient.


What Is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack overwhelms your server, network, or application with illegitimate traffic until legitimate users can no longer reach it. The "distributed" part means attackers use thousands — sometimes millions — of compromised machines (a botnet) to generate that traffic, making simple IP blocking useless.

Modern DDoS attacks are often multi-vector: they combine two or three attack types simultaneously to exhaust different resource pools at once. Understanding the distinct layers helps you build layered defenses.


The 3 Types of DDoS Attacks You Need to Know

Volumetric Attacks

Volumetric attacks aim to saturate your bandwidth. Common examples include:

  • UDP flood — spoofed UDP packets sent to random ports, forcing the server to respond with ICMP "destination unreachable" messages and consuming bandwidth both ways.
  • DNS amplification — attackers send small queries to open DNS resolvers with your IP as the source, and the resolver replies with much larger responses (amplification factor up to 73x).
  • NTP amplification — similar technique using the Network Time Protocol's monlist command.

These attacks are measured in gigabits per second (Gbps). The 2018 GitHub attack peaked at 1.35 Tbps — no on-premises hardware survives that unaided.

Mitigation: A scrubbing CDN (Cloudflare, AWS Shield, Akamai) absorbs volumetric traffic at the network edge before it reaches your origin.

Protocol Attacks

Protocol attacks exploit weaknesses in Layer 3 and Layer 4 of the OSI model — they consume server resources or intermediate infrastructure (firewalls, load balancers) rather than raw bandwidth.

  • SYN flood — sends thousands of TCP SYN packets but never completes the handshake, filling the server's connection table until it refuses new connections.
  • Ping of Death — malformed oversized ICMP packets crash or freeze unpatched systems.
  • Smurf attack — ICMP broadcast to many hosts with a spoofed source IP (your server), causing all hosts to reply to you simultaneously.

Mitigation: SYN cookies, connection rate limiting at the firewall, and disabling IP-directed broadcasts neutralize most protocol attacks.

Application Layer Attacks (Layer 7)

Layer 7 attacks target your web application directly. They mimic legitimate HTTP/HTTPS requests, making them the hardest to filter automatically.

  • HTTP flood — thousands of bots each send valid-looking GET or POST requests, exhausting your web server threads and database connections.
  • Slowloris — keeps many connections open by sending partial HTTP headers very slowly, preventing the server from closing them and blocking new legitimate connections.
  • Cache-busting attacks — append random query strings to every URL to bypass your CDN cache, hitting the origin on every request.

Mitigation: Rate limiting per IP, CAPTCHA challenges on suspicious traffic patterns, and a Web Application Firewall (WAF) with behavioral rules.


How to Protect Your Website Against DDoS Attacks

1. Put a CDN / Anycast Network in Front of Your Origin

Services like Cloudflare, Fastly, and AWS CloudFront route traffic through a global anycast network. Volumetric attacks are absorbed at the edge — your origin IP remains hidden and your bandwidth costs don't spike. Even the free tier of Cloudflare provides basic DDoS mitigation that stops the vast majority of commodity attacks.

Action item: Enable "I'm Under Attack" mode in Cloudflare during an active attack. It adds a 5-second JavaScript challenge that filters most bot traffic.

2. Implement Rate Limiting

Rate limiting caps the number of requests a single IP or user agent can make in a given time window. At the application layer this is your first defense against HTTP floods and credential stuffing attacks that piggyback on DDoS traffic.

Configure rate limiting at multiple levels:

  • CDN/edge — Cloudflare Rate Limiting, AWS WAF rate-based rules.
  • Load balancer — NGINX limit_req_zone, HAProxy stick-table.
  • Application — middleware rate limiters (express-rate-limit, Rack::Attack, Django Ratelimit).

3. Deploy a Web Application Firewall (WAF)

A WAF inspects Layer 7 traffic and blocks requests matching malicious patterns — oversized headers, suspicious user agents, known attack signatures. Many cloud WAFs (AWS WAF, Cloudflare WAF, Imperva) include managed rule sets updated daily.

For Layer 7 DDoS specifically, configure rules that:

  • Block requests with no User-Agent header.
  • Challenge IPs generating more than N requests per second to the same endpoint.
  • Drop requests with malformed Content-Type or oversized body payloads.
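The application-layer rate limiting from step 2 and the three WAF rules above share one building block: a per-key counter over a time window. The following added example (written for this article, not ZeriFlow's scanner or any of the named products) implements a sliding-window limiter and the rule set as one Python filter, then runs constructed traffic through it. The limits (100 requests per minute per IP, 20 per second per IP and endpoint), the allowed media types and the 1 MB body cap are assumed policy values, not figures from the article.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Request:
    ts: float                 # arrival time in seconds
    ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body_len: int = 0


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window` seconds (exact sliding log)."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def allow(self, key, now: float) -> bool:
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Assumed policy values: tune to your own traffic profile.
ALLOWED_MEDIA_TYPES = {"application/json", "application/x-www-form-urlencoded",
                       "multipart/form-data", "text/plain"}
MAX_BODY_BYTES = 1_000_000


class Layer7Filter:
    def __init__(self, per_ip=(100, 60.0), per_endpoint=(20, 1.0)):
        self.ip_limiter = SlidingWindowLimiter(*per_ip)              # 100 requests/minute per IP
        self.endpoint_limiter = SlidingWindowLimiter(*per_endpoint)  # 20 requests/second per (IP, path)

    def decide(self, req: Request):
        """Return (action, reason); action is 'allow', 'block' or 'challenge'."""
        if not req.headers.get("user-agent", "").strip():
            return "block", "missing User-Agent"
        if req.method in ("POST", "PUT", "PATCH"):
            ctype = req.headers.get("content-type", "")
            media = ctype.split(";", 1)[0].strip().lower()
            if media not in ALLOWED_MEDIA_TYPES:
                return "block", "malformed or unexpected Content-Type"
            if req.body_len > MAX_BODY_BYTES:
                return "block", "oversized body"
        if not self.ip_limiter.allow(req.ip, req.ts):
            return "block", "per-IP rate limit exceeded"
        if not self.endpoint_limiter.allow((req.ip, req.path), req.ts):
            return "challenge", "per-endpoint burst"
        return "allow", ""


def run_sample() -> Counter:
    """Feed constructed traffic through the filter and tally the decisions."""
    f = Layer7Filter()
    ua = {"user-agent": "Mozilla/5.0 (constructed)"}
    traffic = [
        Request(0.0, "203.0.113.10", "GET", "/", ua),
        Request(0.1, "203.0.113.11", "GET", "/", {}),                                   # no User-Agent
        Request(0.2, "203.0.113.12", "POST", "/api", {**ua, "content-type": "text/xml"}, 10),
        Request(0.3, "203.0.113.13", "POST", "/api", {**ua, "content-type": "application/json"}, 5_000_000),
    ]
    # one IP hammering the same endpoint: 25 requests inside half a second
    traffic += [Request(10.0 + i * 0.02, "198.51.100.7", "GET", "/login", ua) for i in range(25)]
    return Counter(action for action, _ in (f.decide(r) for r in traffic))
```

The sliding log is exact but keeps one timestamp per request in the window, so a busy edge would use a fixed-window or token-bucket counter instead; the decision logic is the same.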

4. Harden Your HTTP Headers to Reduce Attack Surface

Several security headers directly reduce the application-layer DDoS surface:

Header | DDoS-relevant effect
X-Content-Type-Options: nosniff | Prevents MIME confusion that could amplify malformed request processing
Content-Security-Policy | Restricts which domains can load resources, reducing third-party amplification
Strict-Transport-Security | Forces HTTPS, eliminating SSL stripping attacks that force expensive TLS renegotiation
X-Frame-Options | Stops clickjacking that can be used to force browsers to make requests to your server

ZeriFlow's free scan checks all of these headers in one pass, flagging missing or misconfigured directives that expand your attack surface.
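Auditing these headers is easy to script yourself. The following added example (not ZeriFlow's scanner and not code from the article) parses the head of an HTTP response and checks the four headers from the table against the thresholds used in the checklist at the end of this article: HSTS present with max-age of at least 31536000, a CSP whose script sources allow neither inline scripts nor a wildcard, nosniff set, and X-Frame-Options set to DENY or SAMEORIGIN. The two sample responses are constructed, not captured from any real site, and the "weak CSP" heuristic is an assumption of this example.

```python
import re

HSTS_MIN_AGE = 31536000   # one year, the checklist threshold


def parse_response_head(raw: str) -> dict:
    """Parse the head of a raw HTTP/1.1 response into a lower-cased header dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> dict:
    """Check the four headers; returns {header: (status, detail)} with status ok/weak/missing."""
    report = {}

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        report["Strict-Transport-Security"] = ("missing", "add max-age=%d; includeSubDomains" % HSTS_MIN_AGE)
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age >= HSTS_MIN_AGE:
            report["Strict-Transport-Security"] = ("ok", hsts)
        else:
            report["Strict-Transport-Security"] = ("weak", "max-age %d is below %d" % (age, HSTS_MIN_AGE))

    csp = headers.get("content-security-policy")
    if csp is None:
        report["Content-Security-Policy"] = ("missing", "no policy; injected scripts are unrestricted")
    else:
        # map directive name -> full directive text; script-src falls back to default-src
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script = directives.get("script-src", directives.get("default-src", ""))
        if script == "" or "'unsafe-inline'" in script or " *" in script:
            report["Content-Security-Policy"] = ("weak", "script sources allow inline or wildcard: %s" % (script or "unset"))
        else:
            report["Content-Security-Policy"] = ("ok", csp)

    xcto = headers.get("x-content-type-options", "").lower()
    report["X-Content-Type-Options"] = ("ok", xcto) if xcto == "nosniff" else ("missing", "set nosniff")

    xfo = headers.get("x-frame-options", "").upper()
    report["X-Frame-Options"] = ("ok", xfo) if xfo in ("DENY", "SAMEORIGIN") else ("missing", "set DENY or SAMEORIGIN")
    return report


def passes(report: dict) -> bool:
    """True when every audited header is in the ok state."""
    return all(status == "ok" for status, _ in report.values())


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n<html>...</html>"
)
```

Run `audit_headers(parse_response_head(WEAK_RESPONSE))` to see a report flagging the one-day HSTS age, the inline-script allowance and the missing X-Frame-Options; the hardened response passes all four checks. Point `parse_response_head` at the head of a real response (for instance from an HTTPS client library) to audit your own site.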

5. Architect for Resilience

Beyond tools, your architecture matters:

  • Separate your origin IP from your domain. Never expose your server's real IP in DNS. Use Cloudflare's proxied records.
  • Use autoscaling. Cloud-native apps on AWS/GCP/Azure can scale horizontally during a flood — if your database tier doesn't become the bottleneck.
  • Implement circuit breakers. If a downstream service is overwhelmed, fail fast rather than queuing requests until memory is exhausted.
  • Cache aggressively. Static pages served from CDN cache don't touch your origin at all.
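The circuit-breaker bullet above is the one architectural control that can be shown in a few dozen lines. The following added example (not from the article and not ZeriFlow's code) is a three-state breaker in Python: closed while the downstream is healthy, open (failing fast, holding no threads and queuing nothing) after a run of failures, and half-open to let a single probe through once a reset timeout has elapsed. The failure threshold, reset timeout and the simulated backend are all constructed for the demonstration.

```python
import time


class CircuitOpenError(RuntimeError):
    """Raised when the breaker is open and the call is rejected without touching the backend."""


class CircuitBreaker:
    """Closed: calls pass through. Open: calls fail fast. Half-open: one trial call decides."""

    def __init__(self, failure_threshold=5, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock                 # injectable so tests can control time
        self.state = "closed"
        self.failures = 0                  # consecutive failures while closed
        self.opened_at = None
        self.rejected = 0                  # calls that never reached the backend

    def call(self, fn, *args, **kwargs):
        now = self.clock()
        if self.state == "open":
            if now - self.opened_at < self.reset_timeout:
                self.rejected += 1
                raise CircuitOpenError("backend unavailable; failing fast")
            self.state = "half-open"       # reset timeout elapsed: let one probe through
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self.failures += 1
            if self.state == "half-open" or self.failures >= self.failure_threshold:
                self.state, self.opened_at = "open", now
            raise
        self.failures = 0
        self.state = "closed"
        return result


def simulate_overloaded_backend():
    """Drive the breaker with a constructed failing-then-recovering backend.

    Returns (state after the failure burst, calls rejected while open, state after recovery).
    """
    clock = [0.0]
    healthy = [False]

    def backend():
        if not healthy[0]:
            raise TimeoutError("downstream queue full")
        return "ok"

    cb = CircuitBreaker(failure_threshold=3, reset_timeout=10.0, clock=lambda: clock[0])
    for _ in range(3):                     # three timeouts trip the breaker
        try:
            cb.call(backend)
        except TimeoutError:
            pass
    tripped = cb.state
    for _ in range(50):                    # flood continues; each call is rejected instantly
        clock[0] += 0.1
        try:
            cb.call(backend)
        except CircuitOpenError:
            pass
    healthy[0] = True
    clock[0] += 10.0                       # reset timeout elapses; the next call is the probe
    cb.call(backend)
    return tripped, cb.rejected, cb.state
```

What matters under a flood is the second phase: fifty calls arrive while the backend is down and none of them occupies a worker thread or a queue slot waiting for a timeout, which is exactly the memory and thread exhaustion the bullet warns about.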



How to Test Your DDoS Resistance

You don't need to wait for an attack to discover weak points. Legitimate load and stress testing tools can simulate traffic patterns:

  • k6 / Locust / Artillery — open-source tools for simulating high HTTP request volumes from a single machine or a distributed cluster.
  • OWASP HTTP POST Tool — specifically designed to simulate Slowloris-style slow-POST attacks.
  • Cloudflare Radar — monitors real-world DDoS trends so you know which attack vectors are currently most active.
  • Penetration testing firms — for production-grade DDoS simulation, hire a specialist. Many cloud providers offer "load testing" programs through approved partners.

Always test in a staging environment first, get written permission from your hosting provider, and never test production during peak hours.

What to measure:

  • Time to first response degradation (when does latency climb above 200ms?).
  • Requests-per-second threshold before HTTP 503 errors appear.
  • Recovery time after traffic subsides.
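Load-testing tools report raw latencies and status codes per step; turning those into the three numbers above is a small analysis script. The following added example (not from the article, not part of k6, Locust or Artillery, and not ZeriFlow's code) computes them from a staged ramp using a nearest-rank p95 and the 200 ms threshold named above. The ramp results and the post-load samples are constructed to illustrate the calculation and are not measurements of any real system.

```python
import math
from dataclasses import dataclass


@dataclass
class RampStep:
    rps: int                 # sustained request rate during this step
    latencies_ms: list       # observed response times
    statuses: list           # HTTP status codes observed, same order


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def degradation_threshold(steps, slo_ms=200, p=95):
    """rps of the first step whose p95 latency exceeds the SLO, or None."""
    for step in steps:
        if percentile(step.latencies_ms, p) > slo_ms:
            return step.rps
    return None


def error_threshold(steps, status=503):
    """rps of the first step at which the server returned the given status, or None."""
    for step in steps:
        if status in step.statuses:
            return step.rps
    return None


def recovery_seconds(post_samples, slo_ms=200, p=95):
    """Seconds after load stops until p95 latency is back within the SLO, or None."""
    for seconds_after, latencies in post_samples:
        if percentile(latencies, p) <= slo_ms:
            return seconds_after
    return None


def summarize(steps, post_samples):
    """The three checklist numbers for one test run."""
    return {
        "degradation_rps": degradation_threshold(steps),
        "error_rps": error_threshold(steps),
        "recovery_seconds": recovery_seconds(post_samples),
    }


# Constructed results from a staged ramp; not measurements of any real system.
RAMP = [
    RampStep(50,  [42, 45, 48, 50, 52, 55, 60, 65, 70, 90],               [200] * 10),
    RampStep(100, [60, 65, 70, 75, 80, 90, 100, 110, 130, 150],           [200] * 10),
    RampStep(200, [90, 100, 120, 140, 160, 180, 200, 210, 240, 260],      [200] * 10),
    RampStep(400, [150, 200, 300, 400, 500, 600, 700, 900, 1200, 1500],   [200] * 8 + [503] * 2),
    RampStep(800, [2000, 2500, 3000, 3000, 3000, 3000, 3000, 3000, 3000, 3000], [503] * 10),
]
# latency samples taken every 5 seconds after the ramp ends (constructed)
POST_LOAD = [
    (0,  [700, 800, 900, 900, 950]),
    (5,  [400, 500, 600, 600, 650]),
    (10, [200, 250, 300, 350, 350]),
    (15, [100, 120, 150, 180, 190]),
    (20, [60, 70, 80, 90, 120]),
]
```

For this constructed run, `summarize(RAMP, POST_LOAD)` reports degradation at 200 rps, the first 503s at 400 rps and a 15-second recovery; the gap between the first and second number is your warning margin, and a recovery time that grows with the length of the test usually points at a queue that is not being shed.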


DDoS Protection Checklist

Before assuming you're protected, verify each layer:

  • [ ] Origin IP hidden behind CDN (no DNS leak)
  • [ ] Rate limiting enabled at edge and application layer
  • [ ] WAF with managed rule set active
  • [ ] HSTS header set (max-age ≥ 31536000)
  • [ ] CSP header configured
  • [ ] Autoscaling or surge capacity plan documented
  • [ ] Incident response runbook exists (who to call, when to enable "I'm Under Attack")
  • [ ] Security headers audited within the last 30 days

FAQ

Q: Can a small website really be targeted by a DDoS attack?

A: Yes. Most DDoS attacks are opportunistic — botnets scan the internet constantly, and small sites are often targeted precisely because they lack protections. Extortion-based attacks ("pay us or stay offline") increasingly target SMBs, not just enterprises.

Q: Does Cloudflare's free plan protect against DDoS?

A: It provides meaningful protection against volumetric and protocol attacks. The free plan includes Cloudflare's anycast network and basic DDoS mitigation. However, advanced Layer 7 rules, custom rate limiting, and the WAF require a paid plan.

Q: How long do DDoS attacks typically last?

A: Short bursts of 15–30 minutes are most common — attackers probe defenses, then move on if mitigation kicks in. Sustained attacks lasting days do occur against high-value targets, but they're expensive to maintain and become less common as defenses scale.

Q: What's the difference between a DoS and a DDoS attack?

A: A DoS (Denial of Service) originates from a single machine. A DDoS uses a distributed botnet of many machines. DoS attacks are trivially blocked by a single IP ban; DDoS attacks are not, which is why CDN-based mitigation is necessary.

Q: Do security headers actually help against DDoS?

A: Directly, headers don't stop volumetric floods. But they significantly reduce the application-layer attack surface — for example, a strict CSP prevents injected scripts from turning your visitors' browsers into unwilling DDoS participants against other targets (a technique used in some browser-based botnets).


Conclusion

DDoS protection requires defense in depth: a CDN to absorb volumetric traffic, rate limiting and a WAF to filter Layer 7 attacks, and hardened HTTP headers to minimize the application surface attackers can exploit. No single tool is sufficient.

The good news is that most effective mitigations are either free (Cloudflare free tier, open-source rate limiters) or inexpensive — and auditing your headers takes less than a minute.

