
Understanding DDoS Attacks: Principles, Case Studies, and Protection Solutions

The article explains DDoS attack fundamentals, illustrates escalating real‑world incidents and their mitigation, and compares Tencent Cloud’s free, high‑defense package, and high‑defense IP solutions, guiding readers on selecting appropriate protection based on attack history, bandwidth needs, and budget constraints.

Tencent Cloud Developer

Distributed Denial of Service (DDoS) attacks are a common threat on the Internet that can severely impact business services. This article, authored by Tencent Cloud post‑sale engineer Li Binwen, explains the principles of DDoS attacks, presents real‑world case analyses, and discusses how to choose appropriate DDoS protection solutions.

1. DDoS Attack Principles

In a DDoS attack, malicious programs control a large number of zombie hosts (spread across a country or across the globe) and direct them to send massive request traffic to one or more targets. The flood exhausts server performance or network bandwidth and renders the service unavailable.

Typical attack types include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, and reflection attacks such as DNS/NTP/SSDP/memcached.

The consequences of a successful DDoS attack include:

When the attack saturates the enterprise’s bandwidth, users cannot access the service, leading to significant economic loss.

Competitors may use DDoS as a malicious tool, causing business failure in competitive markets.

2. DDoS Case Analysis

Background: Company A’s test service experienced multiple DDoS attacks within a month, with traffic escalating from less than 10 Gbps to over 300 Gbps.

First wave – SYN Flood at 8 Gbps (below the free protection threshold of 10 Gbps), no impact on the service.

Second wave – 40 Gbps, exceeding the free 10 Gbps protection and the CLB’s 1 Gbps bandwidth, causing the primary IP (1.1.1.1) to be blocked and the service to become inaccessible.

Mitigation: Using DNSpod to switch to a backup VIP (2.2.2.2) restored about 90 % of user access within 10 minutes.

Third wave – 160 Gbps; the purchased high‑defense IP with 300 Gbps capacity absorbed the attack without service impact.

Fourth wave – traffic >300 Gbps, the high‑defense IP (3.3.3.3) was blocked, but an automatic CNAME switch to three‑network IPs (Telecom, Unicom, Mobile) restored access within seconds.

These cases illustrate how attack intensity grows from probing to massive floods, and how proper protection can reduce downtime from minutes to seconds, or even avoid impact entirely.

3. Comparison of DDoS Protection Solutions

1. Basic (Free) DDoS Protection – applies automatically to Tencent Cloud products (EIP, CLB, etc.). Regular users receive 2 Gbps protection; VIP users receive 10 Gbps.

2. DDoS High‑Defense Package – protects Tencent Cloud resources such as CVM, CLB, WAF, physical servers, NAT IP, etc. Provides at least 30 Gbps protection, with higher capacity dynamically adjusted per region.

3. DDoS High‑Defense IP – supports TCP, UDP, HTTP/HTTPS (including WebSocket). BGP lines offer up to 300 Gbps, and three‑network lines can reach up to 1 Tbps.

Choosing the right solution depends on historical attack data and budget. For mixed cloud and IDC public IPs, high‑defense IP is recommended; for protection below 100 Gbps while retaining original IPs, a high‑defense package is suitable.

4. Additional Considerations

High‑defense package users get three self‑service unblocking attempts per day.

The package only protects Tencent Cloud public IPs; external IPs require a high‑defense IP.

Users can configure protocol‑level blocking (ICMP, TCP, UDP, etc.). If no UDP services are used, it is advisable to block UDP.

When purchasing a high‑defense package, select unlimited unblocking attempts to avoid service disruption.
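
The advice above to block UDP when no UDP services are used depends on knowing what the host actually exposes. The following added example (not from the original article or from Tencent Cloud) parses output in the shape of `ss -H -tuln` and reports which protocols have no listener reachable from outside the host; the sample data and function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the shape of `ss -H -tuln` output (not from the article).
SAMPLE_SS = """\
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
udp   UNCONN 0      0              [::1]:323          [::]:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511                *:443             *:*
tcp   LISTEN 0      128        127.0.0.1:6379      0.0.0.0:*
"""

def is_loopback(host):
    """True when the bind address can only be reached from the host itself."""
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface scope
    if host == "*":                         # wildcard bind: every interface
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output):
    """Map protocol -> sorted ports bound to a non-loopback address."""
    exposed = {"tcp": set(), "udp": set()}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in exposed:
            continue                        # skip blank or unrelated lines
        host, _, port = fields[4].rpartition(":")
        if not is_loopback(host):
            exposed[fields[0]].add(int(port))
    return {proto: sorted(ports) for proto, ports in exposed.items()}

def blockable_protocols(ss_output):
    """Protocols with no externally reachable listener: candidates for blocking."""
    return [p for p, ports in exposed_listeners(ss_output).items() if not ports]

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_SS))
    print(blockable_protocols(SAMPLE_SS))
```

Listening sockets only describe inbound services; outbound UDP clients on the same IP, such as DNS or NTP lookups, are not covered by this check and need a separate review before UDP is blocked.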

References:

Tencent Cloud DDoS protection overview: https://cloud.tencent.com/document/product/1021/44463

Configuration of DDoS high‑defense package: https://cloud.tencent.com/document/product/1021/43898

Configuration of DDoS high‑defense IP: https://cloud.tencent.com/document/product/1014/44088
