
What Are DDoS Attacks and How Do You Protect Your Servers?

DDoS attack types, real-world examples, and effective protection methods. Cloudflare, backbone-level protection, and server-side defenses combined.

KavesNET Team February 26, 2026 5 min read

DDoS (Distributed Denial of Service) attacks rose 46% globally in 2024 — per Cloudflare’s report. If you don’t want to open your site one day and see “Server not responding”, you need to set up your defense today. This post breaks down DDoS attack types, how to identify them, and the effective layers of defense.

What is DDoS?

A classic DoS attack hammers your server with thousands of requests from a single source. DDoS does the same from thousands or millions of IPs (typically botnets) simultaneously. The server stays busy, and real users can’t reach the site.

Simple analogy: A restaurant seats 50; suddenly 5,000 people pile up at the door — real customers can’t get in. That’s DDoS — saturating bandwidth or CPU.

DDoS attack types

1. Volumetric attacks

Goal: fill your pipe. Measured in Gbps.

  • UDP Flood: blasts UDP packets at random ports
  • ICMP Flood: floods the network with pings
  • DNS Amplification: spoofs requests to DNS servers, redirecting amplified responses to the target (1 GB request → 50 GB response)

Solution: backbone-level scrubbing — the ISP/datacenter cleans traffic before it reaches your server.

2. Protocol attacks

Goal: exhaust server resources (CPU, connection table). Measured in packets/sec.

  • SYN Flood: TCP handshake never completes, server holds open connections
  • Ping of Death: malformed ICMP packets
  • Smurf attack: ICMP packets to broadcast addresses

Solution: SYN cookies, firewall rules, connection rate limits.

3. Application layer (Layer 7) attacks

Goal: tire out the web app. Measured in requests/sec. The most dangerous and hardest to detect.

  • HTTP Flood: legit-looking GET/POST requests via botnet
  • Slowloris: slowly opens connections and never closes them
  • WordPress XML-RPC abuse: uses WP’s own endpoint to hammer the DB

Solution: WAF (Web Application Firewall), bot detection, per-IP rate limiting.

Defense layers (4 levels)

DDoS protection isn’t one tool’s job — you need layered security:

Layer 1 — CDN / reverse proxy

Cloudflare (the free plan suffices) takes traffic first:

  • Absorbs volumetric attacks on its 200+ Tbps backbone
  • Fingerprints and separates bot traffic
  • WAF catches L7 attacks

Setup: ~10 minutes (DNS change).

Layer 2 — datacenter / hosting side

Good hosting providers clean traffic before it reaches your server. KavesNET servers, for example:

  • Backbone-level DDoS protection (free, built-in)
  • Absorbs volumetric attacks up to 10 Gbps
  • Automatically routes traffic through scrubbing centers when anomalies are detected

Works without Cloudflare; using both together is the strongest defense.

Layer 3 — server firewall + rate limit

Simple rules with iptables / nftables or ufw:

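# Drop new connections from an IP once it reaches 100 within 60s.
# Rule 1 records the source address of every new connection to port 80.
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
  -m recent --set --name HTTP

# Rule 2 drops the connection when that address has 100 or more entries in the last 60s.
# Some kernels reject a --hitcount above xt_recent's ip_pkt_list_tot module
# parameter (historically 20); raise it if this rule fails to load.
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW \
  -m recent --update --seconds 60 --hitcount 100 --name HTTP -j DROP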

Nginx rate limit:

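# http {} context: one shared 10 MB zone keyed by client address, 10 requests/second each.
# Behind Cloudflare or another proxy, restore the visitor address first (realip module);
# otherwise $binary_remote_addr is the proxy's IP and visitors arriving through the
# same edge address share one bucket.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

# server {} context: serve bursts of up to 20 extra requests without delay, reject the rest.
# "backend" must be a defined upstream.
location /api/ {
    limit_req zone=api burst=20 nodelay;
    proxy_pass http://backend;
}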

Layer 4 — application side

  • WordPress: disable XML-RPC, add 2FA + IP whitelist on login
  • API: JWT + per-user rate limits
  • Bot detection: Cloudflare Turnstile, hCaptcha
  • Keep health checks and monitoring on a separate port

What to do during an attack?

If you’re under attack right now, step by step:

  1. Analyze traffic: netstat -anp | grep :80 | wc -l for active connection count
  2. Cloudflare “Under Attack” mode: one click activates JS challenge
  3. Notify hosting: request backbone-level sniffing/scrubbing
  4. Temp-block attacker IPs/ranges: fail2ban or manual iptables
  5. Save logs: User-Agent, referer patterns help future defense
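
Steps 1 and 5 applied to an access log, as an added example that is not part of the original post. It assumes Nginx's default combined log format and uses constructed log lines; the function names and the threshold are hypothetical. Next to each client's busiest minute it reports how many distinct User-Agents that address sent, a heuristic for telling a shared mobile NAT address (many browsers) from a single script (one).

```shell
#!/bin/sh
# Constructed sample log in combined format (documentation IP addresses).
sample_log() {
  i=0
  while [ "$i" -lt 8 ]; do   # one client, one User-Agent, 8 hits in the same minute
    printf '203.0.113.9 - - [26/Feb/2026:10:15:0%d +0000] "GET /search?q=%d HTTP/1.1" 200 512 "-" "python-requests/2.31"\n' "$i" "$i"
    i=$((i + 1))
  done
  for ua in "Mozilla/5.0 (iPhone)" "Mozilla/5.0 (Android 14)" "Mozilla/5.0 (Windows NT 10.0)"; do
    # shared NAT address: passing the argument twice makes printf emit the line twice
    printf '198.51.100.7 - - [26/Feb/2026:10:15:30 +0000] "GET / HTTP/1.1" 200 612 "-" "%s"\n' "$ua" "$ua"
  done
  printf '192.0.2.44 - - [26/Feb/2026:10:16:01 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh)"\n'
}

# Usage: rate_suspects THRESHOLD < access.log
# Prints "ip peak_per_minute total_requests distinct_user_agents" for every
# client whose busiest minute reached THRESHOLD requests, busiest first.
rate_suspects() {
  awk -F'"' -v limit="$1" '
    {
      split($1, head, " ")   # head[1] = client IP, head[4] = "[dd/Mon/yyyy:hh:mm:ss"
      ip = head[1]
      minute = substr(head[4], 2, 17)
      total[ip]++
      if (++hits[ip, minute] > peak[ip]) peak[ip] = hits[ip, minute]
      if (!seen[ip, $6]++) agents[ip]++   # $6 = User-Agent in combined format
    }
    END {
      for (ip in peak)
        if (peak[ip] >= limit) print ip, peak[ip], total[ip], agents[ip]
    }' | sort -k2,2nr
}

# Demo on the constructed log with a threshold of 5 requests per minute.
sample_log | rate_suspects 5
```

Both the script-like client and the NAT address cross the threshold, which is why the last column matters before anything is blocked.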

Common mistakes

  • Relying on Cloudflare alone: if your origin IP leaks, Cloudflare is bypassed; you must firewall to allow only Cloudflare IP ranges on 80/443
  • Rate limits too aggressive: you’ll block real users (mobile NAT brings many users from one IP)
  • No logging: needed for post-mortem
  • No backups: ransomware can land during attacks; backups are critical. See our 3-2-1 backup strategy
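
The origin lockdown from the first mistake above, as an added example (not KavesNET's or Cloudflare's own tooling): a POSIX shell function that turns a list of CDN ranges into iptables commands for review and emits nothing if the list is empty or contains a malformed entry. The chain name CDN-ONLY is hypothetical and the sample ranges are constructed documentation addresses, not Cloudflare's.

```shell
#!/bin/sh
# Constructed sample input (RFC 5737 documentation ranges). The real list is
# the one Cloudflare publishes at https://www.cloudflare.com/ips-v4
SAMPLE_RANGES='# comments and blank lines are skipped
192.0.2.0/24

198.51.100.0/24
203.0.113.0/24'

# Usage: origin_allowlist_rules [CHAIN] < cidr-list
# Prints iptables commands and applies nothing. Output appears only when every
# entry is a valid IPv4 CIDR and the list is non-empty; otherwise the bad
# entries go to stderr and the function returns 1, so a truncated download
# never turns into a partial allowlist followed by DROP.
origin_allowlist_rules() {
  awk -v chain="${1:-CDN-ONLY}" '
    function valid(c,    p, o, i) {
      if (split(c, p, "/") != 2 || p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) return 0
      if (split(p[1], o, "[.]") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    { gsub(/[ \t\r]/, "") }            # tolerate CRLF and stray whitespace
    /^(#.*)?$/ { next }                # skip comments and blank lines
    !valid($0) { print "rejected entry: " $0 > "/dev/stderr"; bad = 1; next }
    { rule[++n] = "iptables -A " chain " -s " $0 " -j ACCEPT" }
    END {
      if (n == 0) { print "no usable ranges" > "/dev/stderr"; bad = 1 }
      if (bad) exit 1
      print "iptables -N " chain
      for (i = 1; i <= n; i++) print rule[i]
      print "iptables -A " chain " -j DROP"
      print "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j " chain
    }'
}

# Demo 1: valid list, prints the ruleset for review.
printf '%s\n' "$SAMPLE_RANGES" | origin_allowlist_rules CDN-ONLY

# Demo 2: one mangled entry makes the whole run fail with no rules printed.
printf '192.0.2.0/24\n198.51.100.0/33\n' | origin_allowlist_rules CDN-ONLY 2>&1 ||
  echo "refused: fix the list before applying anything"
```

IPv6 needs the same treatment with ip6tables and the provider's IPv6 list; this sketch validates IPv4 only.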

Who’s at risk?

  • E-commerce sites — attack on campaign day = direct sales loss
  • Game servers — rival players literally order DDoS attacks (very common!)
  • API servers — dependent systems also affected
  • News/media sites — political or competitive motivation
  • All commercial sites — random extortion attempts

Conclusion

DDoS isn’t a “what if” — it’s a “when”. Caught unprepared, expect 3–7 days of downtime + thousands of dollars in losses. With preparation, that drops to minutes and zero.

The right order: Cloudflare → datacenter protection → server firewall → application side — four layers working together.

KavesNET servers include backbone-level DDoS protection free; combined with Cloudflare, most attacks die before reaching your server.
