How a DDoS Attack Works and How the Internet Absorbs It
a website is just a machine in a room somewhere, waiting for visitors. on a normal day a few thousand people knock on its door, it answers, and the whole thing feels effortless. then one afternoon the knocking turns into a roar. not thousands of visitors but millions, all arriving in the same second. the machine tries to answer every one of them and that is exactly what kills it. it does not crash because someone broke in. it crashes because it was too polite to say no.
that is a distributed denial of service attack, and once you understand what it really is, the strange shape of the modern internet starts to make sense.
what denial of service actually means
every server has a limit. only so much memory, only so many connections it can hold open, only so much road leading up to its front door. a denial of service attack does not try to steal anything or pick a lock. it tries to use up that limit, jamming the road so completely that real visitors cannot get through. the goal is not to break in. the goal is to make the place useless to everyone else. a shop with its doorway packed wall to wall with people who will never buy anything is closed for business just as surely as if the lights were off.
there is more than one way to exhaust a limit. some attacks aim at sheer volume, filling the road with so much raw data that nothing else fits. others aim at the machine’s attention, holding connections half finished until the server runs out of slots. some hammer the single most expensive page a site has until the back end buckles. they all end the same way. real visitors knocking on a door that no longer has room to answer.
why it has to be distributed
a single computer almost never works anymore. the target is usually bigger than any one machine, and a flood from one address is trivially easy to recognize and block. see one house sending you ten million letters an hour, and you simply stop opening that mailbox. so the word that matters is distributed. the load comes from thousands or hundreds of thousands of places at once, scattered across the world, and that single change is what turns a nuisance into something that can take down very large targets.
the botnet underneath it
most of those places are not volunteers. they are ordinary devices that have been quietly compromised. a home router with a password nobody ever changed. a cheap security camera running software that was never updated. a laptop that clicked the wrong thing months ago. each one keeps working normally, the owner never notices, and in the background it waits for instructions.
a collection of these compromised machines under one hidden command is called a botnet. on its own each device is a trickle nobody would blink at. pointed all at once at the same target, that trickle becomes a tide. the people running it borrow the unused scraps of millions of devices belonging to people who have no idea they are part of anything.
what makes this so durable is the sheer number of small connected gadgets that now exist. every cheap camera, doorbell, and router shipped with a weak default password is a candidate, and there are billions of them in homes that will never patch them. a compromised device shows no symptoms, so nothing prompts the owner to care. the army does not have to be recruited or paid. it is just sitting there, already plugged in.
the trick of amplification
raw numbers are only half the story. attackers also found a way to make a small push produce an enormous shove.
scattered across the internet are helpful servers whose whole job is to answer questions. you ask a short question and they send back a long answer. the abuse comes from a forged return address. a tiny request is sent to one of these servers with the victim’s address written on it. the server, doing exactly what it was built to do, sends its big reply not back to the sender but to the victim.
this is called reflection, because the traffic bounces off an innocent third party. when the answer is far larger than the question, it becomes amplification. a small request can summon a reply hundreds of times its size. a thimble of traffic goes in and the victim is hit with a bucket. multiply that across thousands of reflecting servers and a modest botnet can throw a flood that looks impossibly large for its real size.
the scale this reaches
the numbers are hard to picture. the biggest of these floods are now measured in terabits per second, more junk arriving each second than the entire normal traffic of some countries. these are not surgical events. they are blunt walls of noise, enough to saturate the fattest pipes on the planet for as long as the flood lasts. for a long time the defenders were losing, because no single building full of servers could physically swallow that much traffic. so the answer was not a cleverer lock. it was a different shape for the internet itself.
spreading one address everywhere
normally you think of an address as pointing to one place, the way a street address points to one house. the first piece of the defense breaks that assumption on purpose.
with a technique called anycast, the same address is announced from many locations at once, dozens or hundreds of them, spread around the world. traffic heading for that address is delivered to whichever location is closest. on a normal day this just makes things faster. during a flood it does something far more important. the attack does not pile onto one building. it gets split across every location at the same time, each one absorbing only its local slice. a tidal wave aimed at a single door is spread along a coastline hundreds of miles long, and no single point has to survive the whole thing.
the scrubbing centers
splitting the traffic is not enough on its own, because a lot of what arrives is still garbage that needs to be thrown out. that job happens in places built for it, often called scrubbing centers. think of them as enormous filters the incoming traffic is routed through. clean, ordinary visitors pass on toward the real server. the obvious junk gets dropped before it ever reaches the target.
the hard part is telling the two apart at full speed, because the attacker’s whole goal is to make fake traffic look as much like real visitors as possible. the forged floods get dropped almost on sight. the harder attacks mimic real people, ordinary looking requests just arriving far too often, and for those the system has to study the texture and rhythm of the traffic. it is closer to listening for a wrong note in an orchestra than checking a list.
rate limiting and patience
there is a quieter layer underneath all of this. rate limiting is the simple idea that any single source should only be allowed to ask for so much, so fast. one address hammering the same page a thousand times a second is not behaving like a person, and the system can slow it down without ever deciding whether it is truly malicious. it is bouncers at a hundred doors, each watching for anyone pushing through too hard. on its own it stops little. combined with everything else, it sands down a huge amount of the pressure before it reaches the part that matters.
the giants that soak the floods
put all of this together and you get the real reason large sites stay standing. a handful of enormous companies have built networks so vast, with so many locations and so much spare capacity, that they can step in front of almost any target and take the hit on its behalf.
these are the big content networks, the same ones that already store copies of the world’s most popular sites close to where people live. their everyday job is speed, but that same sprawling footprint turns out to be exactly what you need to absorb a flood. an attack lands on a network with more capacity than the attacker can fill, gets spread thin by anycast, scrubbed of its junk, and the small site hiding behind it never feels the wave.
why it is an arms race
it would be nice to say this is solved, but it never will be. it is an arms race, and the currency is raw capacity. attackers grow their botnets by finding the next wave of cheap, insecure devices. defenders grow their networks by building more locations and buying more bandwidth. each side is simply trying to be bigger than the other on the day it matters. there is no clever final move, only the question of who can muster more capacity in the moment. the defense holds not because it is smarter but because, for now, the largest networks on earth are still larger than the largest floods.
the strange peace at the end
that leaves us somewhere genuinely odd. for years people have worried, with good reason, about how much of the web now sits behind a tiny number of giant companies. that centralization is real, it has real costs, and it is fair to be uneasy about so much of the internet depending on so few hands.
but the same enormous scale that makes those companies feel a little frightening is also the only thing standing between most websites and the floods that would otherwise wash them away. the size that lets a few networks quietly run so much of the web is exactly the size it takes to keep that web on its feet. the giants that centralize the internet are also, strangely, what hold it up. it is not a comfortable peace, but on the day the roar arrives, it is the one that keeps the lights on.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.