Comprehensive Overview of DDoS Attack Types and Multi‑Layer Defense Strategies
This article provides a detailed classification of DDoS attacks—including network‑layer, application‑layer, hybrid, reflection, pulse, and link‑flooding methods—and outlines a four‑layer defense architecture (ISP/WAN, CDN/Internet, Data‑Center, OS/APP) along with practical mitigation techniques and considerations for different enterprise sizes.
Introduction: DDoS is a class of attacks, not a single method; defense can be partially automated but still requires expert analysis.
Network Layer Attacks
SYN‑Flood exploits the TCP three‑way handshake: the attacker sends SYN packets from spoofed source addresses, so the half‑open connections never complete and the protocol stack's backlog queue fills up. Mitigations include a SYN proxy (a device that completes the handshake on the server's behalf and forwards only established connections), SYN cookies (the server encodes the connection state in its initial sequence number instead of allocating queue space, so nothing is stored until the final ACK arrives), and first‑SYN drop (discard the initial SYN and serve the retransmission, since a spoofed sender never retransmits; legitimate clients pay one retransmission timeout).
ACK‑Flood sends ACK packets that match no existing connection; the stack answers each with an RST and holds no state, so it costs the target less than a SYN‑Flood, although stateful firewalls and load balancers that look up every packet in a session table can still be overloaded by it.
UDP‑Flood sends forged UDP packets at high rate; DNS (UDP/53) is a frequent target because it must accept datagrams from arbitrary sources.
ICMP‑Flood (ping flood) is the oldest of these and is rarely effective today, because ICMP is commonly rate‑limited or filtered at the network edge.
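The SYN‑cookie mitigation described above, as an added example (this is not code from the article, and no real kernel uses exactly this layout): the server's initial sequence number carries a coarse time tick, an MSS index and a keyed hash of the 4‑tuple, so a half‑open connection costs no memory, and only a client that actually received the SYN‑ACK can produce a valid final ACK. The secret, the MSS table and the 5/2/24‑bit split are assumptions.

```python
import hashlib
import hmac
import time

# Added example (not code from the article): a simplified SYN-cookie scheme in the
# spirit of D. J. Bernstein's design. Bit layout, secret and MSS table are assumptions;
# real kernels pack the fields differently and rotate secrets.
SECRET = b"per-boot-secret-change-me"
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values encodable in the cookie's 2 MSS bits
COOKIE_LIFETIME = 2                   # max age in 64-second ticks before a cookie expires


def _tick(now=None):
    """Coarse clock so that cookies expire; 64-second granularity, 5 bits."""
    return int((time.time() if now is None else now) // 64) & 0x1F


def _mss_index(client_mss):
    """Index of the largest table MSS not exceeding what the client advertised."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _mac(saddr, sport, daddr, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, client_mss, now=None):
    """Server ISN for the SYN-ACK: 5 bits of tick, 2 bits of MSS index, 24 bits of MAC.

    Nothing is stored for the half-open connection; the SYN itself can be forgotten.
    """
    tick = _tick(now)
    mss_idx = _mss_index(client_mss)
    mac = (_mac(saddr, sport, daddr, dport, tick) ^ client_isn) & 0xFFFFFF
    return ((tick << 27) | (mss_idx << 24) | mac) & 0xFFFFFFFF


def check_syn_cookie(saddr, sport, daddr, dport, seq, ack, now=None):
    """Validate the handshake's final ACK. Returns the negotiated MSS, or None.

    seq is the client's sequence number (its ISN + 1); ack acknowledges our ISN + 1.
    """
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x3
    mac = cookie & 0xFFFFFF
    if (_tick(now) - tick) & 0x1F > COOKIE_LIFETIME:
        return None                       # stale or replayed cookie
    expected = (_mac(saddr, sport, daddr, dport, tick) ^ client_isn) & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), mac.to_bytes(3, "big")):
        return None                       # forged ACK: sender never saw our SYN-ACK
    return MSS_TABLE[mss_idx]


def demo():
    """A real client completes the handshake; a spoofed SYN or a forged ACK never does."""
    client, server = ("203.0.113.5", 40000), ("198.51.100.10", 80)
    t0 = 64000.0
    isn = make_syn_cookie(*client, *server, client_isn=1000, client_mss=1460, now=t0)
    good = check_syn_cookie(*client, *server, seq=1001, ack=(isn + 1) & 0xFFFFFFFF, now=t0 + 10)
    forged = check_syn_cookie(*client, *server, seq=1001, ack=0xDEADBEEF, now=t0 + 10)
    stale = check_syn_cookie(*client, *server, seq=1001, ack=(isn + 1) & 0xFFFFFFFF, now=t0 + 64 * 5)
    return good, forged, stale


if __name__ == "__main__":
    print(demo())   # (1460, None, None)
```

The price of the scheme is visible in the code: only a handful of MSS values survive, other TCP options advertised in the SYN are lost, and a cookie is only as good as the secret and the tick window, which is why production stacks enable cookies only once the backlog overflows.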
Application Layer Attacks
CC (Challenge Collapsar) attacks drive massive volumes of legitimate‑looking HTTP requests from botnets or open proxies. Each request is cheap for the client but expensive for the server: by varying URLs or query strings the attacker bypasses caches, so every request consumes a server concurrency slot and usually reaches the database, which is what collapses first.
DNS‑Flood floods authoritative DNS servers with queries from spoofed source IPs, using random (typically random‑subdomain) names so that no cache can answer them and every query reaches the authoritative server. Mitigations include answering over UDP with the TC (truncated) bit set so that legitimate resolvers retry over TCP, which a spoofed source cannot complete, and whitelisting known resolvers.
Slowloris holds HTTP connections open by sending request headers a few bytes at a time and never finishing them; its slow‑POST variant declares a large Content‑Length and trickles the body. Either way a small number of clients exhausts the server's connection slots, so the mitigation is per‑connection header and body timeouts and per‑IP connection limits rather than bandwidth.
DoS caused by software bugs or architectural flaws (e.g., a buffer overflow that crashes the service) is not a true DDoS, since no traffic volume is involved, but the result is the same denial of service.
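The two CC signals described above, a request rate no human client produces and cache‑busting via fresh query strings, as an added detection example over constructed access‑log lines (this is not code from the article; the thresholds, the sample IPs and the log lines are assumptions to be tuned per site):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Added example (not from the article). Thresholds are assumptions to tune per site.
WINDOW_SECONDS = 10     # sliding window for the per-IP rate
RATE_THRESHOLD = 50     # requests per window that a single browsing client will not reach
BUST_THRESHOLD = 10     # distinct query strings per path: far above normal browsing

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FORMAT).timestamp()
    return {"ip": m["ip"], "ts": ts, "uri": m["uri"], "status": int(m["status"])}


def peak_rate(timestamps, window):
    """Largest number of requests inside any window of `window` seconds."""
    timestamps = sorted(timestamps)
    peak = start = 0
    for i, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def detect_cc(lines, window=WINDOW_SECONDS, rate_threshold=RATE_THRESHOLD, bust_threshold=BUST_THRESHOLD):
    """Return {ip: reason} for sources whose request pattern looks like a CC/HTTP flood.

    Two signals: a request rate no human client produces, and cache-busting (many
    distinct query strings against the same path, so every request misses the cache
    and reaches the application or database).
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        peak = peak_rate([r["ts"] for r in recs], window)
        if peak < rate_threshold:
            continue
        variants = defaultdict(set)          # path -> distinct query strings seen
        for r in recs:
            parts = urlsplit(r["uri"])
            variants[parts.path].add(parts.query)
        worst_path, worst = max(variants.items(), key=lambda kv: len(kv[1]))
        reason = f"{peak} requests in {window}s"
        if len(worst) >= bust_threshold:
            reason += f", {len(worst)} query variants of {worst_path} (cache-busting)"
        flagged[ip] = reason
    return flagged


def build_sample_log():
    """Constructed sample: one human visitor and one CC bot. Not real traffic."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {uri} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = []
    for i, path in enumerate(["/", "/products", "/products/42", "/cart", "/checkout", "/"]):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FORMAT)
        lines.append(fmt.format(ip="198.51.100.23", ts=ts, uri=path))
    for i in range(120):            # 120 requests in 8 seconds, fresh query string each time
        ts = (base + timedelta(milliseconds=66 * i)).strftime(TS_FORMAT)
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, uri=f"/search?q=item{i}"))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, why in detect_cc(SAMPLE_LOG).items():
        print(ip, "->", why)
```

Rate alone is a weak signal (a corporate NAT or a proxy looks like one fast IP), which is why the cache‑busting check is combined with it; in production the per‑IP structure becomes a sliding window evicting old entries rather than a full replay of the log.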
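The "force UDP to TCP" mitigation above, as an added example of the protocol exchange (not code from the article): while a flood is detected, a query arriving over UDP from a source that is not a whitelisted resolver gets an empty reply with TC=1; a real resolver retries the same question over TCP, which it can only do with a genuine source address, while spoofed queries simply die. The trusted‑resolver range and the zone answer are assumptions.

```python
import struct
from ipaddress import ip_address, ip_network

# Added example (not from the article). The trusted-resolver list and the zone answer
# are assumptions; a real server would look answers up in its zone data.
TRUSTED_RESOLVERS = [ip_network("198.51.100.0/24")]
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100
HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Constructed client query: one A question with recursion desired."""
    return HEADER.pack(txid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def question_section(query):
    """Raw QNAME + QTYPE + QCLASS of a single-question message (queries carry no compression)."""
    i = HEADER.size
    while query[i] != 0:
        i += 1 + query[i]
    return query[HEADER.size:i + 5]


def truncated_reply(query):
    """Empty answer with TC=1: compliant resolvers retry over TCP; a spoofed source never can."""
    txid, flags = struct.unpack("!HH", query[:4])
    return HEADER.pack(txid, FLAG_QR | FLAG_TC | (flags & FLAG_RD), 1, 0, 0, 0) + question_section(query)


def answer_reply(query, ipv4):
    """Normal answer: one A record, naming the owner via a compression pointer to the question."""
    txid, flags = struct.unpack("!HH", query[:4])
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ip_address(ipv4).packed
    return HEADER.pack(txid, FLAG_QR | (flags & FLAG_RD), 1, 1, 0, 0) + question_section(query) + rr


def handle_query(src_ip, transport, query, under_attack=True, zone_answer="192.0.2.10"):
    """Flood-mode policy: unknown UDP sources are told to come back over TCP."""
    trusted = any(ip_address(src_ip) in net for net in TRUSTED_RESOLVERS)
    if under_attack and transport == "udp" and not trusted:
        return "truncated", truncated_reply(query)
    return "answered", answer_reply(query, zone_answer)


def reply_flags(reply):
    return struct.unpack("!H", reply[2:4])[0]


def reply_ancount(reply):
    return struct.unpack("!H", reply[6:8])[0]


if __name__ == "__main__":
    q = build_query("www.example.com")
    for src, transport in [("203.0.113.9", "udp"), ("203.0.113.9", "tcp"), ("198.51.100.7", "udp")]:
        kind, reply = handle_query(src, transport, q)
        tc = bool(reply_flags(reply) & FLAG_TC)
        print(src, transport, "->", kind, f"TC={tc}", "answers:", reply_ancount(reply))
```

Two caveats a practitioner should keep in mind: the truncation trick only defeats spoofed UDP, so a botnet querying from its own addresses will happily complete the TCP retry; and it adds a round trip to every legitimate lookup, which is why the example gates it on `under_attack` instead of leaving it on permanently.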
Hybrid and Reflection Attacks
Hybrid attacks mix TCP/UDP and network/application layers.
Reflection attacks (DRDoS) put the victim's IP as the source of requests sent to open, amplifying services such as NTP, SSDP and DNS; the services then send their much larger responses to the victim, which never asked for them.
Amplification can reach tens or hundreds of times the request volume, so a modest amount of botnet bandwidth becomes a large flood, and from the victim's side the traffic appears to come from thousands of otherwise legitimate servers.
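How that looks from the victim's side, as an added detection example over constructed flow records (not code from the article): amplified reflection shows up as large UDP responses from well‑known service ports that no protected host ever sent a request to, arriving from many distinct servers at once. The port‑to‑service map uses only the services named above; the thresholds, addresses and flow records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the article). Port-to-service map and thresholds are assumptions.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as exported by a router or flow collector."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def detect_reflection(flows, protected, min_reflectors=5, min_bytes=1_000_000, min_avg_pkt=800):
    """Flag inbound UDP from reflector service ports that the protected hosts never asked for.

    A reflection attack is visible from the victim's side as responses without requests:
    the requests were sent by the attacker with the victim's spoofed address. Amplified
    responses are large (close to the MTU) and arrive from many distinct servers.
    """
    solicited = {(f.dst_ip, f.dst_port) for f in flows if f.src_ip in protected and f.proto == "udp"}
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.dst_ip not in protected or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.src_ip, f.src_port) in solicited:
            continue                      # a server we really queried; normal response
        a = agg[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        a["reflectors"].add(f.src_ip)
        a["packets"] += f.packets
        a["bytes"] += f.bytes
    alerts = []
    for (victim, service), a in agg.items():
        avg_pkt = a["bytes"] / a["packets"]
        if len(a["reflectors"]) >= min_reflectors and a["bytes"] >= min_bytes and avg_pkt >= min_avg_pkt:
            alerts.append({"victim": victim, "service": service, "reflectors": len(a["reflectors"]),
                           "mbytes": round(a["bytes"] / 1e6, 1), "avg_pkt": round(avg_pkt)})
    return sorted(alerts, key=lambda x: -x["mbytes"])


def build_sample_flows():
    """Constructed flow records (not real telemetry): one legitimate DNS exchange,
    a small SSDP trickle, and an NTP reflection flood from 40 servers."""
    victim = "192.0.2.10"
    flows = [
        Flow(victim, 51000, "198.51.100.53", 53, "udp", 1, 70),      # our own DNS query...
        Flow("198.51.100.53", 53, victim, 51000, "udp", 1, 300),     # ...and its answer
    ]
    for i in range(3):                                               # too few reflectors to matter
        flows.append(Flow(f"203.0.113.{200 + i}", 1900, victim, 4000 + i, "udp", 50, 50 * 400))
    for i in range(40):                                              # 40 NTP reflectors, MTU-sized packets
        flows.append(Flow(f"203.0.113.{i + 1}", 123, victim, 30000 + i, "udp", 2000, 2000 * 1400))
    return flows


if __name__ == "__main__":
    for alert in detect_reflection(build_sample_flows(), protected={"192.0.2.10"}):
        print(alert)
```

The `solicited` set is the important part: it is what separates a reflection flood from the normal answers to the victim's own DNS or NTP queries. In a live collector it must be a time‑bounded table keyed on the victim's outbound (destination, port) pairs, not a replay of the whole flow archive.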
Pulse‑type Attacks
Pulse‑type attacks send short bursts (typically under 5 minutes) of spike‑like traffic: each burst is long enough to trip threshold‑based detection and start traffic diversion, then stops before the mitigation has settled, so the defenses keep switching on and off and the diversion itself disturbs legitimate traffic.
Link‑Flooding Attacks
Link‑flooding attacks target the upstream links rather than the victim's own addresses, so the congestion occurs on ISP or IXP routes the victim depends on; the traffic need not even be addressed to the victim, which leaves its own filtering with nothing to act on.
Multi‑Layer Defense Architecture
Four‑layer model: ISP/WAN, CDN/Internet, Data‑Center (DC), and OS/APP layers, each providing specific mitigation capabilities.
ISP/WAN relies on carrier capacity and, for attacks too large to scrub, on black‑hole routing (RTBH): the carrier drops all traffic to the attacked address, which saves the shared link but completes the denial of service for that address, so it is a last resort and should be scoped to the narrowest prefix possible.
A CDN absorbs web traffic across its distributed edge and can filter with captchas or similar challenges; it protects only HTTP(S) services, and only as long as the origin IP stays hidden, since traffic sent directly to a leaked origin address bypasses the CDN entirely.
DC layer deploys ADS (Anti‑DDoS) devices at the data‑center edge to detect, divert, and clean traffic.
OS/APP layer performs the final filtering: disabling UDP services that are not needed (each one is a potential reflector or flood target), rate‑limiting, captchas, or custom packet tagging, where legitimate clients mark their packets with a value the attacker does not know so that untagged traffic can be dropped.
Effective defense also requires bandwidth provisioning, redundancy, failover mechanisms, and business‑continuity planning.
Limitations of automated ADS defenses:
· Adaptive learning of traffic baselines is limited; large‑scale legitimate events (a product launch, a holiday peak) can trigger false positives.
· Automation depends on thresholds, not full autonomy: someone still has to set and revise them.
· Global policies may miss targeted sub‑services whose traffic is small in absolute terms.
· Some DDoS variants still need manual identification.
· Default templates may require customization.
Different enterprises (large platforms vs. SMBs) must balance cost against benefit, choosing between in‑house infrastructure, cloud‑based cleaning services, or on‑demand mitigation.
Service‑specific strategies: web services can use the full four‑layer stack; game services, which are not HTTP and therefore cannot sit behind a CDN, often need DNS redirection into scrubbing centers, ADS cleaning, and protocol‑level tagging.
Overall, DDoS mitigation is a resource‑competition problem that combines technical controls, product design, and operational readiness.
Architect