A Distributed Denial of Service (DDoS) attack is one of the most destructive threats a website can face. Unlike other cyberattacks that aim to steal data, a DDoS attack simply overwhelms your server with so much bogus traffic that legitimate visitors cannot get through. The result: your site goes offline, your revenue stops, and your reputation takes a hit. In 2025, the largest recorded DDoS attack peaked at 5.6 terabits per second—and attacks are growing larger and more frequent every year.
This complete guide explains how DDoS attacks work, the different types you may encounter, and—most importantly—how to protect your website using CDN-based mitigation, Cloudflare, and server-level defenses. Whether you run a small blog or a large e-commerce platform, these strategies will help keep your site online under attack.
Protect Your Site with InterServer VPS
InterServer VPS includes network-level DDoS protection. Combine with Cloudflare for multi-layer defense. From $2.50/month.
What Is a DDoS Attack?
A Denial of Service (DoS) attack sends more traffic to a server than it can handle, causing it to crash or become unresponsive. A Distributed Denial of Service attack does the same thing but uses thousands or millions of compromised devices (a "botnet") spread across the internet, making the traffic come from so many sources that blocking individual IPs is impossible.
The attacker's goal is simple: exhaust your server's resources—bandwidth, CPU, memory, or connection slots—so that legitimate visitors are denied service. DDoS attacks are used for extortion (pay us to stop), competitive sabotage, hacktivism, or simply as a distraction while a more targeted attack is underway.
Types of DDoS Attacks
DDoS attacks fall into three main categories, each targeting a different layer of your infrastructure:
Volumetric Attacks
These aim to overwhelm your bandwidth with massive amounts of data. The most common types are:
- UDP Flood: Sends massive amounts of UDP packets to random ports, forcing the server to check each one and respond with "destination unreachable."
- ICMP Flood (Ping Flood): Overwhelms the server with ping requests.
- Amplification Attacks: Exploits poorly configured DNS or NTP servers to amplify attack traffic by 50-100x.
Protocol Attacks
These exploit weaknesses in network protocols to exhaust server resources:
- SYN Flood: Initiates thousands of TCP connections without completing the handshake, filling the server's connection table.
- Ping of Death: Sends malformed or oversized packets that crash the server.
- Slowloris: Opens many connections and sends data very slowly, keeping connections open until the server runs out of slots.
Application Layer Attacks
These target specific application functions, making them harder to detect because the traffic looks legitimate:
- HTTP Flood: Sends thousands of HTTP requests (GET or POST) to web pages, exhausting the application server.
- Cache-busting: Requests random URLs to bypass caching layers and force the server to generate each response from scratch.
- WordPress XML-RPC amplification: Exploits WordPress's pingback feature to use thousands of WordPress sites as attack vectors.
| Attack Type | Layer | Difficulty to Mitigate | Best Defense |
|---|---|---|---|
| UDP/ICMP Flood | Network (L3/4) | Easy | CDN/Anti-DDoS hardware |
| SYN Flood | Transport (L4) | Easy | Firewall, SYN cookies |
| Slowloris | Application (L7) | Moderate | Web server timeout config |
| HTTP Flood | Application (L7) | Hard | WAF, rate limiting, CAPTCHA |
| Cache-busting | Application (L7) | Hard | WAF rules, CDN tuning |
Layer 1: CDN-Based DDoS Protection
The most effective DDoS protection happens at the CDN (Content Delivery Network) layer, before traffic ever reaches your server. A CDN sits between your visitors and your origin server, with massive global bandwidth capacity that can absorb volumetric attacks that would overwhelm any single server.
Cloudflare (Recommended)
Cloudflare is the most popular CDN/DDoS protection service, and for good reason. The free plan includes:
- Unmetered DDoS protection against L3/L4 and L7 attacks
- Global CDN with 300+ edge locations
- Free SSL certificate
- Basic Web Application Firewall (WAF)
- Bot fight mode
Setting up Cloudflare takes about 10 minutes:
- Create a free account at cloudflare.com.
- Add your domain. Cloudflare scans your DNS records automatically.
- Review the imported DNS records for accuracy.
- Change your domain's nameservers to the ones Cloudflare provides.
- Wait for DNS propagation (usually 1-24 hours).
- Enable "Always Use HTTPS" and "Automatic HTTPS Rewrites" in the SSL/TLS settings.
- Enable "Under Attack Mode" if you are actively being attacked.
With Cloudflare in front of your server, attackers see Cloudflare's IP addresses, not yours. Even a massive volumetric attack is absorbed by Cloudflare's 280+ Tbps global network capacity.
Other CDN Options
- Fastly: Enterprise-grade CDN with real-time purge and strong DDoS protection. Better for high-traffic, real-time applications.
- AWS CloudFront + AWS Shield: If you are already on AWS, this provides integrated protection. AWS Shield Standard is free; Advanced costs $3,000/month.
- KeyCDN / BunnyCDN: More affordable CDN options, though with less built-in DDoS protection than Cloudflare.
Layer 2: Web Application Firewall (WAF)
A WAF inspects incoming HTTP traffic and blocks malicious requests based on rules. It is essential for defending against application-layer (L7) attacks that CDN bandwidth alone cannot stop. Cloudflare's WAF is included even in the free plan with managed rulesets. For self-hosted WAF options:
ModSecurity
ModSecurity is an open-source WAF that integrates with Apache and Nginx. Install it with the OWASP Core Rule Set (CRS) for comprehensive protection:
sudo apt install libapache2-mod-security2 -y # Apache
sudo apt install libmodsecurity3 nginx-mod-modsecurity -y # Nginx
Download and configure the OWASP CRS:
cd /etc/modsecurity
sudo git clone https://github.com/coreruleset/coreruleset.git
sudo cp coreruleset/crs-setup.conf.example coreruleset/crs-setup.conf
sudo cp modsecurity.conf-recommended modsecurity.conf
Enable the WAF by changing SecRuleEngine DetectionOnly to SecRuleEngine On in modsecurity.conf.
Layer 3: Server-Level Defenses
Even with CDN and WAF protection, you should harden your server against attacks that slip through. These measures also protect against direct attacks on your server's IP address (which bypass the CDN).
Configure Rate Limiting in Nginx
Rate limiting restricts how many requests a single IP can make per second. This is highly effective against HTTP flood attacks:
# In nginx.conf
http {
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
}
# In server block
location / {
limit_req zone=general burst=20 nodelay;
}
location /wp-login.php {
limit_req zone=login burst=5 nodelay;
}
Enable SYN Cookies
SYN cookies protect against SYN flood attacks by allowing the server to continue accepting connections under attack:
sudo sysctl -w net.ipv4.tcp_syncookies=1
Add it permanently to /etc/sysctl.conf to persist across reboots.
Block Malicious IPs with Fail2ban
Fail2ban can ban IPs that show attack patterns. Create a custom jail for excessive HTTP requests:
sudo nano /etc/fail2ban/jail.d/nginx-ddos.conf
[nginx-limit-req]
enabled = true
filter = nginx-limit-req
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/error.log
findtime = 600
bantime = 7200
maxretry = 10
Hide Your Origin Server IP
If attackers discover your server's real IP address, they can bypass the CDN and attack your server directly. Prevent this by:
- Never sending email from your origin server (use a third-party email service).
- Checking historical DNS records (use SecurityTrails to verify your IP was not exposed before CDN setup).
- Configuring your firewall to only accept HTTP/HTTPS traffic from Cloudflare's IP ranges.
To restrict traffic to Cloudflare IPs only in UFW:
# Get Cloudflare IP ranges
for ip in $(curl -s https://www.cloudflare.com/ips-v4); do
sudo ufw allow from $ip to any port 80
sudo ufw allow from $ip to any port 443
done
sudo ufw deny 80
sudo ufw deny 443
Layer 4: Application-Level Defenses
- Implement CAPTCHA: Google reCAPTCHA or Cloudflare Turnstile on forms and login pages stops automated bots.
- Disable XML-RPC: If you run WordPress and do not use the mobile app or trackbacks, disable XML-RPC to prevent amplification attacks.
- Use strong caching: A heavily cached site can weather HTTP flood attacks better because most requests are served from cache without hitting PHP or the database.
- Implement bot detection: Cloudflare's "Bot Fight Mode" or a service like DataDome can distinguish bots from humans.
DDoS Response Plan
If your site is under attack despite preventive measures, follow this response plan:
- Enable Cloudflare "Under Attack Mode"—this presents a JavaScript challenge to all visitors, blocking most bots.
- Check server load—use
topandnginx -Tto identify what is being overwhelmed. - Block top attacking IPs—check access logs for the most active IPs and block them in the firewall.
- Enable rate limiting—temporarily tighten rate limits in Nginx.
- Scale up resources—if on cloud hosting, temporarily upgrade to a larger plan to handle the load.
- Communicate with users—use social media to inform visitors that you are addressing an issue.
- Document the attack—record timing, attack size, and mitigation steps for future reference.
Get DDoS-Protected Hosting with InterServer
InterServer VPS includes network-level DDoS protection and full root access from $2.50/month. Pair with Cloudflare for comprehensive defense.
Affiliate Disclosure: VPSFeedX may earn a commission when you purchase through links on this page. This does not affect the price you pay or our recommendations.
