- A DDoS attack uses many compromised devices — desktops, servers, or IoT devices — to generate large volumes or specially crafted traffic toward a single target.
- Because traffic originates from many distributed sources, it’s harder to filter and more powerful than a single-source attack.
- The impact can be exhausted network bandwidth, consumed server CPU/memory, or depleted protocol state (connection tables), preventing legitimate users from reaching the service.
How botnets amplify impact
Infected devices in a botnet are typically controlled remotely by attackers; their owners are often unaware. When thousands of these devices simultaneously generate traffic, the aggregate load can:- saturate upstream or on-premises network links,
- overwhelm load balancers, firewalls, or application servers,
- exhaust protocol state (for example, TCP connection tables), and
- trigger cascading failures in dependent services.
DDoS attack categories
DDoS attacks are commonly grouped into three categories: volumetric, protocol (state-exhaustion), and application-layer (Layer 7). Each targets different resources and requires different mitigation strategies.Volumetric attacks
Volumetric attacks try to saturate the target’s network link by generating huge amounts of traffic. Common examples include UDP floods and amplification attacks that leverage spoofed source IPs.
Protocol (state-exhaustion) attacks
Protocol attacks exploit weaknesses in network and transport protocols (OSI layers 3 and 4). Examples include SYN floods, malformed or fragmented packets, and attacks designed to consume connection state in firewalls, load balancers, or servers.
Application-layer (Layer 7) attacks
Application-layer attacks target the application itself (OSI layer 7), often by mimicking valid user behavior to exhaust server-side resources or by exploiting application vulnerabilities (e.g., SQL injection, XSS).
Combine network-level DDoS protection (to absorb volumetric and protocol attacks) with an application-layer WAF to block malicious requests and exploit attempts. In Azure, common implementations are
DDoS Protection Standard together with Application Gateway WAF or Azure Front Door with WAF. See the references below for more details.Defenses and best practices
A layered, defense-in-depth approach is recommended for cloud-hosted applications:- Network-level protections
- Use cloud DDoS protection services or CDNs to absorb and scrub traffic.
- Rate-limit and filter at the edge; apply ingress ACLs and geo-blocking when appropriate.
- Protocol-level hardening
- Tune OS TCP/IP stacks, enable SYN cookies, and configure connection limits on load balancers and firewalls.
- Drop obviously malformed packets or extreme anomalies early.
- Application-layer defenses
- Deploy a WAF and tune rulesets for your application’s traffic patterns.
- Implement robust input validation, authentication, and per-client throttling.
- Use bot management to distinguish legitimate users from automated traffic.
- Maintain an incident response plan and run DDoS drills.
- Monitor traffic baselines with telemetry and set alerts for sudden deviations.
- Use autoscaling where possible, but avoid scaling blindly during attacks without upstream protection — autoscaling can increase cost without addressing upstream network saturation.
Quick reference table
Links and references
- Azure DDoS Protection overview
- Azure Application Gateway WAF overview
- Azure Front Door documentation
- OWASP: Denial of Service (DoS) risks and mitigation guidance