Distributed denial of service attacks have evolved far beyond simple volumetric floods designed to saturate bandwidth. Modern DDoS campaigns target application layers, exploit protocol weaknesses, and combine multiple attack vectors simultaneously. A basic CDN or upstream filtering service blocks the crude attacks but struggles with sophisticated campaigns that mimic legitimate traffic patterns.
The cost of launching a DDoS attack has dropped to almost nothing. Booter services available for a few pounds per hour can direct significant traffic at any target. More capable attackers use botnets comprising hundreds of thousands of compromised IoT devices to generate attack volumes that overwhelm even well-provisioned defences. The barrier to entry is essentially gone.
Application Layer Attacks
Layer 7 DDoS attacks target specific application functions rather than raw bandwidth. Slowloris attacks hold connections open with minimal traffic, exhausting server connection pools. HTTP flood attacks send legitimate-looking requests to resource-intensive endpoints like search pages, login forms, or report generation features. Because each individual request looks normal, rate limiting based on volume alone fails to distinguish attack traffic from genuine users.
API endpoints are particularly vulnerable. A single authenticated API call that triggers a complex database query can consume disproportionate server resources. An attacker who identifies these expensive endpoints can bring down a service with a fraction of the traffic that a volumetric attack would require, making detection and mitigation significantly harder.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “DDoS resilience testing is something most organisations skip entirely. They assume their CDN provider handles everything and never verify that assumption. We test whether applications degrade gracefully under load, whether failover mechanisms activate correctly, and whether attack traffic can bypass edge protections to reach origin servers directly. The results often reveal single points of failure that a real attack would exploit immediately.”
Strengthening Your Resilience
Identify and protect resource-intensive endpoints. Apply stricter rate limiting to search functions, reporting features, and any endpoint that triggers heavy database queries. Implement CAPTCHA challenges on public-facing forms that could be abused for application-layer floods.
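The stricter rate limiting described above can be implemented as a cost-aware token bucket: each client gets a bucket, and a request to an expensive endpoint spends more tokens than a request to a cheap one, so a handful of report-generation calls drains the bucket while ordinary browsing does not. The following is an added example written for this article, not code from the original page or from Aardwolf Security; the endpoint paths, their cost weights, the bucket parameters and the traffic log are all constructed values chosen to illustrate the idea.

```python
from collections import defaultdict

# Relative cost of each endpoint (assumed values for this example). Search and
# report generation trigger heavy database work, so they cost far more than a
# static page. Anything not listed costs DEFAULT_COST.
ENDPOINT_COST = {
    "/": 1,
    "/static": 1,
    "/login": 5,
    "/api/search": 10,
    "/reports/generate": 25,
}
DEFAULT_COST = 1


class CostAwareLimiter:
    """Per-client token bucket where a request spends tokens equal to its endpoint cost.

    capacity       - maximum tokens a client can hold (burst allowance)
    refill_per_sec - tokens returned to each client per second of wall-clock time
    """

    def __init__(self, capacity=50, refill_per_sec=5.0):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = defaultdict(lambda: float(capacity))  # new clients start full
        self.last = {}  # last request timestamp per client

    def allow(self, client, path, now):
        # Refill the bucket for the time elapsed since this client's last request.
        prev = self.last.get(client, now)
        self.tokens[client] = min(self.capacity, self.tokens[client] + (now - prev) * self.refill)
        self.last[client] = now

        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        if self.tokens[client] >= cost:
            self.tokens[client] -= cost
            return True
        return False  # caller should answer 429 and, for forms, escalate to a CAPTCHA


def build_sample_log():
    """Constructed traffic: (timestamp, client, path) tuples.

    10.0.0.5 browses the front page 30 times in 3 seconds (a busy but normal user).
    10.0.0.9 requests report generation 10 times in 3 seconds (an application-layer flood).
    A flat request-count limit would treat the second client as the quieter one.
    """
    log = []
    for k in range(30):
        log.append((round(k * 0.1, 1), "10.0.0.5", "/"))
    for k in range(10):
        log.append((round(k * 0.3, 1), "10.0.0.9", "/reports/generate"))
    return sorted(log)


def replay(log, limiter=None):
    """Run a log through the limiter and return allowed/blocked counts per client."""
    limiter = limiter or CostAwareLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, client, path in log:
        outcome = "allowed" if limiter.allow(client, path, ts) else "blocked"
        stats[client][outcome] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in replay(build_sample_log()).items():
        print(client, counts)
```

With the constructed parameters the browsing client is never throttled (30 requests cost 30 tokens against a 50-token bucket that is also refilling), while the report-generation client gets two requests through before the bucket is empty and refilling at 5 tokens per second cannot keep up with a 25-token endpoint. The weights are the part worth tuning in practice: measure the real server time of each endpoint and set its cost in proportion.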
Ensure your external network penetration testing scope includes DDoS resilience assessment. Testers should verify that origin server IP addresses are not leaked through DNS history, email headers, or misconfigured services. A direct connection to your origin server bypasses every CDN protection you have paid for.
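Two of the leak channels named above, email headers and DNS records, can be checked from the defender's side without touching anything external: take the addresses you know belong to your origin servers and look for them in the Received headers of mail your systems send and in the records of your own zone. The following is an added example, not code from the original page or from Aardwolf Security. The origin address, the sample outbound message and the zone records are constructed values from the documentation address ranges; a real check would feed in your actual origin addresses, exported zone file and a sample of outbound mail.

```python
import ipaddress
import re
from email import message_from_string

# Assumed origin server address (RFC 5737 documentation range, constructed for this example).
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed outbound message: the application server relayed it directly, so the
# first Received header names the origin address in the clear.
SAMPLE_MAIL = """Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.recipient.invalid with ESMTP id abc123;
\tMon, 1 Jan 2024 12:00:00 +0000
Received: from [192.0.2.44] by mail.example.com with ESMTPSA;
\tMon, 1 Jan 2024 11:59:58 +0000
From: noreply@example.com
To: user@recipient.invalid
Subject: Password reset

Body text.
"""

# Constructed zone export as (name, type, value). The web host points at the CDN,
# but two forgotten records still resolve straight to the origin.
SAMPLE_DNS = [
    ("www.example.com", "A", "198.51.100.7"),
    ("example.com", "MX", "10 mail.example.com."),
    ("ftp.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.10"),
    ("app.example.com", "CNAME", "www.example.com."),
]


def ips_in_received_headers(raw_message):
    """Return every IPv4 address that appears in the message's Received headers."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(header):
            try:
                found.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # matched digits that are not a valid address
    return found


def origin_leaks_in_mail(raw_message, origin_ips=ORIGIN_IPS):
    """Origin addresses exposed by the mail's Received chain, as sorted strings."""
    return sorted({str(ip) for ip in ips_in_received_headers(raw_message) if ip in origin_ips})


def origin_leaks_in_dns(records, origin_ips=ORIGIN_IPS):
    """Names whose A/AAAA record resolves directly to an origin address."""
    leaks = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            if ipaddress.ip_address(value) in origin_ips:
                leaks.append(name)
        except ValueError:
            continue
    return leaks


if __name__ == "__main__":
    print("mail leaks:", origin_leaks_in_mail(SAMPLE_MAIL))
    print("dns leaks:", origin_leaks_in_dns(SAMPLE_DNS))
```

A positive result from either function means a direct path to the origin exists regardless of what the CDN filters; the usual fixes are relaying outbound mail through a host that is not the origin and moving or removing the stray records, then restricting the origin's firewall to the CDN's published address ranges so a leaked address is of little use anyway.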
Run vulnerability scanning services against your internet-facing infrastructure to identify services that could amplify or facilitate DDoS attacks. Open DNS resolvers, misconfigured memcached instances, and NTP servers with monlist enabled on your own infrastructure could be weaponised against others or used to reflect traffic back at your own systems.
Ransom DDoS attacks combine denial of service with extortion. Attackers send a demand letter threatening a sustained DDoS campaign unless payment is made. Some follow through. Others rely on the threat alone to extract payment from organisations that lack confidence in their DDoS defences. Knowing your actual resilience through testing removes the leverage these extortionists depend on.
Build runbooks that define exactly how your team responds when a DDoS attack begins. Document contact details for your ISP, CDN provider, and any DDoS mitigation service. Define traffic diversion procedures and communication templates for stakeholders. Practise the runbook annually so that when an attack hits, your response is rehearsed rather than improvised.
DDoS protection requires more than a CDN subscription. It demands architectural resilience, application-level hardening, and regular testing to verify that your defences work against the attack techniques that real adversaries actually use.
