Security Encyclopedia

DDoS Attack Vector Encyclopedia

The definitive guide to every DDoS attack type - how they work, real-world impact, and how to defend against them. Built for security engineers, SOC analysts, and infrastructure teams.

35+ Attack Types Covered
Updated 2025
Used by 10,000+ security teams

OSI Reference

Attack Layer Comparison

DDoS attacks target different layers of the OSI model. Understanding which layer an attack targets is critical for selecting the right mitigation strategy.

| OSI Layer | Name | Protocol Examples | Attack Vectors |
|---|---|---|---|
| 7 | Application | HTTP, DNS, SMTP, FTP | HTTP Flood, Slowloris, Slow POST, HTTP/2 Rapid Reset, DNS Query Flood, DNS Water Torture, SSL/TLS Exhaustion, WP XML-RPC, API Abuse |
| 6 | Presentation | SSL/TLS, MIME | SSL/TLS Exhaustion |
| 5 | Session | NetBIOS, PPTP | Rarely targeted directly |
| 4 | Transport | TCP, UDP | SYN Flood, SYN-ACK Flood, ACK Flood, RST Flood, FIN Flood, UDP Flood, TCP Fragment |
| 3 | Network | IP, ICMP, GRE | ICMP Flood, Smurf Attack, Ping of Death, IP Null Attack, GRE Flood, Carpet Bombing |
| 2 | Data Link | Ethernet, ARP | MAC flooding (LAN only) |
| 1 | Physical | Cables, Radio | Not applicable to DDoS |

Historical Trends

Attack Volume Timeline

DDoS attack sizes have grown exponentially over the past two decades. What was once considered massive is now routine.

| Year | Peak Attack Size | Notable Incident |
|---|---|---|
| 2000 | 800 Mbps | Mafiaboy attacks Yahoo, CNN, eBay |
| 2007 | 24 Gbps | Estonia cyberattacks |
| 2010 | 100 Gbps | WikiLeaks-related attacks |
| 2013 | 300 Gbps | Spamhaus DNS amplification |
| 2014 | 400 Gbps | NTP amplification era begins |
| 2016 | 1.2 Tbps | Mirai botnet attacks Dyn DNS |
| 2018 | 1.7 Tbps | Memcached amplification hits GitHub |
| 2020 | 2.3 Tbps | AWS Shield mitigates CLDAP reflection |
| 2021 | 3.47 Tbps | Microsoft Azure UDP flood |
| 2023 | ~3.5 Tbps / 398M rps | HTTP/2 Rapid Reset (CVE-2023-44487) |
| 2024 | 5.6 Tbps | Record UDP flood, mitigated by Cloudflare |

Defense Planning

Mitigation Strategy Matrix

Not every defense works against every attack. This matrix maps attack vectors to effective mitigation techniques. = Highly effective   = Partially effective   - = Not applicable

Attack Vector | Rate Limiting | BGP Blackhole | Scrubbing Center | SYN Cookies | WAF Rules | Anycast | Protocol Valid. | Flowtriq
UDP Flood--
ICMP Flood--
DNS Amplification--
NTP Amplification--
Memcached Amp.--
SYN Flood-
ACK Flood-
HTTP Flood--
Slowloris--
HTTP/2 Rapid Reset--
DNS Water Torture---
SSL/TLS Exhaustion--
Carpet Bombing--
Multi-Vector

Reference

DDoS Glossary

Amplification Factor
The ratio of response size to request size in a reflection/amplification attack. A factor of 50x means a 1-byte request generates a 50-byte response directed at the victim.
Anycast
A network addressing method where the same IP is announced from multiple locations. Incoming traffic is routed to the nearest node, distributing DDoS traffic across a global network.
BGP Blackhole
A routing technique that discards all traffic destined for a specific IP prefix by advertising a null route via BGP. Stops an attack but also blocks legitimate traffic.
Botnet
A network of compromised computers (bots/zombies) controlled by an attacker to generate distributed attack traffic. Modern botnets can include IoT devices, servers, and cloud instances.
C2 (Command & Control)
The infrastructure used by attackers to send instructions to a botnet. C2 channels can use IRC, HTTP, DNS, or custom protocols to coordinate attacks.
Clean Pipe
A DDoS mitigation service that filters malicious traffic and only forwards clean, legitimate traffic to the protected network.
Dynamic Baseline
An automatically calculated normal traffic profile that adapts to changing patterns over time. Flowtriq uses dynamic baselines to detect anomalies without manual threshold configuration.
GRE (Generic Routing Encapsulation)
A tunneling protocol that encapsulates packets inside IP. Abused in DDoS to bypass simple filtering rules or to tunnel attack traffic through network defenses.
IOC (Indicator of Compromise)
Observable artifacts such as IP addresses, domains, packet signatures, or behavioral patterns that indicate a security breach or ongoing attack.
IP Spoofing
Forging the source IP address in packets to disguise the attacker's identity or to redirect amplified responses to the victim. Essential for most reflection attacks.
PCAP (Packet Capture)
A file format and process for recording raw network packets. Used for forensic analysis of DDoS attacks to identify attack vectors, sources, and payload patterns.
PPS (Packets Per Second)
A key metric for measuring DDoS attack intensity. While bandwidth (bps) measures volume, PPS measures the processing load on network devices.
Reflection Attack
An attack where the attacker sends spoofed requests to third-party servers, which then send responses to the victim. When combined with amplification, this is extremely powerful.
Scrubbing Center
A specialized data center that filters DDoS traffic by diverting suspicious traffic for cleaning, then forwarding only legitimate traffic to the origin server.
SYN Cookie
A TCP defense mechanism where the server encodes state information in the SYN-ACK sequence number instead of allocating memory, preventing SYN flood resource exhaustion.
Tbps (Terabits per second)
Unit of measurement for network throughput. Modern record-setting DDoS attacks are measured in terabits per second - enough to saturate major internet backbone links.

FAQ

Frequently Asked Questions

What is a DDoS attack vector?

A DDoS attack vector is the specific method or technique used to flood a target with malicious traffic. Each vector exploits different protocols, layers, or services - from volumetric UDP floods to application-layer HTTP attacks. Understanding attack vectors is critical for building effective defenses.

What are the three main types of DDoS attacks?

The three main categories are: (1) Volumetric attacks that saturate bandwidth (e.g., UDP floods, amplification attacks), (2) Protocol attacks that exploit weaknesses in network protocols (e.g., SYN floods, Smurf attacks), and (3) Application layer attacks that target specific services (e.g., HTTP floods, Slowloris).

What is the most common DDoS attack vector?

UDP floods and SYN floods remain the most common DDoS attack vectors. However, amplification attacks (DNS, NTP, Memcached) have grown significantly due to their ability to generate massive traffic volumes with minimal attacker resources.

What is a DDoS amplification attack?

An amplification attack exploits protocols that return responses much larger than the request. The attacker spoofs the victim's IP address and sends small queries to vulnerable servers, which then send amplified responses to the victim. Memcached amplification can achieve a 51,000x amplification factor.

How does Flowtriq detect DDoS attacks?

Flowtriq monitors packets-per-second and traffic patterns in real time at every node. It uses dynamic baselines to learn normal traffic, then detects anomalies within 1 second. It classifies the specific attack vector, captures PCAP evidence, and sends instant alerts via Slack, Discord, PagerDuty, and more.

What is the largest DDoS attack ever recorded?

As of 2024, the largest recorded DDoS attack peaked at 5.6 Tbps, a UDP flood targeting an East Asian ISP mitigated by Cloudflare. The previous record was a 3.47 Tbps attack mitigated by Microsoft Azure in 2021.

What is carpet bombing in DDoS?

Carpet bombing is an advanced DDoS technique that spreads attack traffic across many destination IPs in a subnet rather than focusing on a single target. This makes detection harder because per-IP traffic may stay below thresholds, even though aggregate traffic is devastating.
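The detection gap described above, as an added example (not Flowtriq's code): a per-destination threshold sees nothing, while aggregating the same flow records by covering prefix exposes the attack. The sample flows, the thresholds and the /24 aggregation size are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample for one 1-second window: (destination IP, packets per second).
# 200 hosts in 203.0.113.0/24 each receive 400 pps; one unrelated host gets 900 pps.
SAMPLE_FLOWS = [(f"203.0.113.{i}", 400) for i in range(1, 201)] + [("198.51.100.7", 900)]

PER_IP_PPS_LIMIT = 5_000       # assumed per-host alert threshold
PER_PREFIX_PPS_LIMIT = 50_000  # assumed alert threshold for a whole /24
MIN_TARGETS = 32               # assumed minimum number of hosts for "spread" traffic


def per_ip_alerts(flows, limit=PER_IP_PPS_LIMIT):
    """Classic check: alert on any single destination IP above the limit."""
    totals = defaultdict(int)
    for dst, pps in flows:
        totals[dst] += pps
    return {ip: pps for ip, pps in totals.items() if pps > limit}


def carpet_bombing_alerts(flows, prefix_len=24, prefix_limit=PER_PREFIX_PPS_LIMIT,
                          ip_limit=PER_IP_PPS_LIMIT, min_targets=MIN_TARGETS):
    """Aggregate by covering prefix and flag prefixes whose total is over the
    limit although every individual host stays under the per-IP limit."""
    per_prefix = defaultdict(lambda: defaultdict(int))
    for dst, pps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[net][dst] += pps

    alerts = {}
    for net, hosts in per_prefix.items():
        total, busiest = sum(hosts.values()), max(hosts.values())
        if total > prefix_limit and len(hosts) >= min_targets and busiest <= ip_limit:
            alerts[str(net)] = {"total_pps": total, "targets": len(hosts),
                                "max_host_pps": busiest}
    return alerts


if __name__ == "__main__":
    print("per-IP alerts:    ", per_ip_alerts(SAMPLE_FLOWS))
    print("per-prefix alerts:", carpet_bombing_alerts(SAMPLE_FLOWS))
```
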

What is the HTTP/2 Rapid Reset attack?

Discovered in 2023 (CVE-2023-44487), HTTP/2 Rapid Reset exploits the HTTP/2 stream multiplexing feature. Attackers rapidly open and immediately cancel streams, overwhelming servers with reset processing overhead. It achieved record-breaking request rates of 398 million requests per second.
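One way to spot the open-then-cancel pattern described above, as an added example (not Flowtriq's code): count, per connection and per window, the streams that a client resets almost immediately after opening them. The frame log layout, the connection IDs and every threshold are assumptions made for this sketch.

```python
from collections import defaultdict

WINDOW_S = 1.0                 # assumed counting window
MAX_RESETS_PER_WINDOW = 100    # assumed ceiling on quick cancels per connection
MAX_RESET_RATIO = 0.9          # assumed share of opened streams cancelled at once
QUICK_CANCEL_S = 0.005         # assumed: reset within 5 ms of open is "immediate"


def build_sample():
    """Constructed frame log: (timestamp, connection id, frame type, stream id)."""
    frames = []
    # Connection "A": browser-like, 20 requests, one cancelled late.
    for i in range(20):
        frames.append((i * 0.04, "A", "HEADERS", 2 * i + 1))
    frames.append((0.5, "A", "RST_STREAM", 5))
    # Connection "B": 500 streams, each reset 0.5 ms after it is opened.
    for i in range(500):
        t = i * 0.001
        frames.append((t, "B", "HEADERS", 2 * i + 1))
        frames.append((t + 0.0005, "B", "RST_STREAM", 2 * i + 1))
    return sorted(frames)


def detect_rapid_reset(frames):
    """Return connections whose quick-cancel count and ratio exceed the limits."""
    opened_at = {}                        # (conn, stream id) -> time HEADERS was seen
    stats = defaultdict(lambda: [0, 0])   # (conn, window) -> [opened, quick resets]
    for ts, conn, ftype, sid in frames:
        bucket = (conn, int(ts // WINDOW_S))
        if ftype == "HEADERS" and (conn, sid) not in opened_at:
            opened_at[(conn, sid)] = ts
            stats[bucket][0] += 1
        elif ftype == "RST_STREAM":
            t0 = opened_at.pop((conn, sid), None)
            if t0 is not None and ts - t0 <= QUICK_CANCEL_S:
                stats[bucket][1] += 1

    flagged = {}
    for (conn, window), (opened, resets) in stats.items():
        if resets > MAX_RESETS_PER_WINDOW and resets / max(opened, 1) >= MAX_RESET_RATIO:
            flagged[conn] = {"window": window, "opened": opened, "quick_resets": resets}
    return flagged


if __name__ == "__main__":
    print(detect_rapid_reset(build_sample()))
```
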
