
Introduction: Questions you always wanted to ask about DDoS
DDoS is one of those topics that everyone in the industry has heard about, but few feel confident they fully understand. Maybe you’ve sat in a meeting where terms like “RTBH,” “FlowSpec,” or “amplification” were thrown around and thought, I should probably know all this… but I feel lost!
This FAQ is written exactly for that moment. Whether you’re a junior defender taking your first steps in network security, starting your cybersecurity career, or simply someone who wants a clear, no-nonsense explanation — this guide is for you.
We’ve gathered the most common questions about DDoS attacks and answered them in plain language, with links to deeper resources when you’re ready to dive further. Think of it as a friendly knowledge base that covers everything from “What is a DDoS attack?” to “How do you test if your defences actually work?”
The goal is simple: to help you feel more confident about the fundamentals of DDoS — and to show you how solutions like FastNetMon can make defending your network easier.
1. What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is when multiple compromised devices flood a target network, service, or website with traffic, overwhelming its resources and making it inaccessible to legitimate users.
2. Why are DDoS attacks so common?
DDoS attacks are relatively cheap to launch, widely available as a service (’DDoS-for-hire’), and effective at causing disruption. Attackers may be motivated by financial gain, politics, activism, or extortion.
3. What types of DDoS attacks exist?
- Volumetric attacks: Flooding bandwidth (UDP floods, amplification).
- Protocol attacks: Exploiting weaknesses in protocols (SYN floods, fragmented packets).
- Application-layer attacks: Targeting specific applications or APIs (HTTP floods).
Full classification is here.
4. What is the difference between volumetric, protocol, and application-layer DDoS attacks?
- Volumetric attacks aim to saturate available bandwidth with massive amounts of traffic (e.g., UDP floods).
- Protocol attacks exploit weaknesses in network protocols (e.g., SYN floods, fragmented packets).
- Application-layer attacks target specific services, like HTTP or DNS queries, to exhaust server resources.
Learn more about the attack types: Understanding Volumetric & Amplification DDoS Attacks
5. What should I do if my network is under a DDoS attack?
- Use automated detection tools like FastNetMon.
- Apply (automatic) filtering or blackholing to stop attack traffic.
- Work with your upstream provider if the attack exceeds your capacity.
- Investigate the attack post-mortem and apply further defences if necessary.
More details about how to defend against a DDoS attack can be read here.
6. What is BGP Blackhole routing or RTBH?
BGP Blackhole routing is a mitigation strategy where attack traffic is redirected to a null route before it reaches the target, protecting the rest of the network.
Read more: FastNetMon’s guide to BGP Blackhole automation
7. What is BGP Flow Spec?
BGP Flow Spec allows fine-grained filtering rules to be distributed across routers, enabling more targeted mitigation than blackholing.
Read a detailed guide here.
8. What is a multi-layered DDoS defence strategy?
It combines different techniques (rate-limiting, filtering, blackhole routing, FlowSpec, scrubbing centres) to cover multiple attack vectors and different scenarios.
Read our blog on Building a Multi-Layered DDoS Defence Architecture.
9. Who launches DDoS attacks and why?
- Hacktivists and politically motivated groups.
- Criminals extorting businesses.
- Competitors trying to disrupt rivals.
- State-sponsored actors.
- Other individuals and organisations with varying motivations.
Read more about the various motivations behind DDoS attacks here.
10. Can DDoS attacks be completely stopped?
No, but with the right detection and layered defence strategy, their impact can be reduced to near zero.
11. Who is at risk of being targeted by a DDoS attack?
Any online service is a potential target: ISPs, hosting providers, gaming platforms, e-commerce sites, financial institutions, and even government agencies. In 2025 the list grew to include previously unheard-of targets: DDoS attacks now hit journalists, universities and NGOs. What has changed?
12. What is the largest DDoS attack ever recorded?
Attacks exceeding several terabits per second (Tbps) have been observed in recent years, often exploiting amplification vectors like DNS or NTP. At the time of writing, the largest attack was 11.5 Tbps recorded by Cloudflare; however, new hypervolumetric attacks surface constantly.
13. What is a botnet? And what’s their role in modern DDoS campaigns?
A botnet is a network of infected devices (IoT, PCs, servers) controlled by attackers. Botnets like Mirai and Agobot pioneered techniques for large-scale DDoS, adding automation and modular attack capabilities.
Botnets are often the backbone of many DDoS campaigns. They allow attackers to generate distributed traffic, making it harder to block by IP or geography.
Read everything about the anatomy of a botnet.
14. How are botnets built?
Attackers compromise devices such as IoT gadgets, PCs and servers, typically by infecting them with malware, then control them remotely to generate coordinated attack traffic.
Meet the botnets breaking the Internet and learn all about them.
15. How does BGP Blackhole / RTBH help mitigate DDoS attacks?
RTBH is one of the most common ways to mitigate an attack. BGP Blackhole routing lets ISPs or networks discard malicious traffic targeting a specific IP prefix before it reaches the victim’s infrastructure. This ‘sacrifices’ the attacked service but protects the rest of the network.
Read through: BGP Blackhole automation for DDoS mitigation
16. What is BGP Flow Spec, and how does it compare to Blackhole in DDoS mitigation?
BGP Flow Spec allows for more granular filtering than Blackhole routing. Instead of discarding all traffic to a prefix, it enables filtering by packet attributes (protocol, port, source/destination). This keeps legitimate traffic alive while dropping malicious flows. Read more about when to use blackholing and when Flow Spec or other methodologies are preferred: To blackhole or not to blackhole?
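To make the trade-off concrete, here is an added example (not code from the original FAQ or from FastNetMon) that builds both a blackhole announcement and a Flow Spec style rule from the same attack profile and then counts how many legitimate flows each one would discard. The attack profile, the sample flows, the dict representation of the rules and the discard next-hop 192.0.2.1 are all constructed for illustration; the only real identifier is the well-known BLACKHOLE community 65535:666 from RFC 7999.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Well-known BLACKHOLE community (RFC 7999); a router honouring it discards
# everything sent to the announced prefix.
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class AttackProfile:
    """What a detector reports about the attack (constructed, hypothetical format)."""
    victim: str                      # destination IP under attack
    protocol: str                    # "udp" or "tcp"
    src_port: Optional[int] = None   # fixed source port, e.g. 123 for NTP reflection
    dst_port: Optional[int] = None   # fixed destination port, if the flood has one


@dataclass(frozen=True)
class Flow:
    """One sampled flow; `malicious` is a ground-truth label used only to measure collateral damage."""
    src: str
    src_port: int
    dst: str
    dst_port: int
    protocol: str
    malicious: bool


def rtbh_announcement(profile: AttackProfile) -> dict:
    """Host route for the victim tagged with the blackhole community.
    The next-hop is a documentation address standing in for whatever discard
    next-hop the upstream agreed on (assumption)."""
    return {
        "prefix": str(ip_network(f"{profile.victim}/32")),
        "next_hop": "192.0.2.1",
        "community": BLACKHOLE_COMMUNITY,
    }


def flowspec_rule(profile: AttackProfile) -> dict:
    """Flow Spec style rule: match on packet attributes, then discard.
    Represented as a plain dict, not the RFC 8955 NLRI encoding."""
    rule = {"dst": f"{profile.victim}/32", "protocol": profile.protocol, "action": "discard"}
    if profile.src_port is not None:
        rule["src_port"] = profile.src_port
    if profile.dst_port is not None:
        rule["dst_port"] = profile.dst_port
    return rule


def blackhole_drops(flow: Flow, announcement: dict) -> bool:
    # A blackhole has no notion of protocol or port: a destination match is enough.
    return ip_address(flow.dst) in ip_network(announcement["prefix"])


def flowspec_drops(flow: Flow, rule: dict) -> bool:
    if ip_address(flow.dst) not in ip_network(rule["dst"]):
        return False
    if flow.protocol != rule["protocol"]:
        return False
    if "src_port" in rule and flow.src_port != rule["src_port"]:
        return False
    if "dst_port" in rule and flow.dst_port != rule["dst_port"]:
        return False
    return True


def collateral(flows: List[Flow], drops: Callable[[Flow], bool]) -> Tuple[int, int]:
    """Return (malicious flows dropped, legitimate flows dropped)."""
    malicious = sum(1 for f in flows if f.malicious and drops(f))
    legitimate = sum(1 for f in flows if not f.malicious and drops(f))
    return malicious, legitimate


# Constructed sample: an NTP reflection flood against 203.0.113.10 mixed with
# legitimate customer traffic to the same host and to a neighbouring host.
PROFILE = AttackProfile(victim="203.0.113.10", protocol="udp", src_port=123)
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 123, "203.0.113.10", 40001, "udp", True),   # reflected NTP
    Flow("198.51.100.6", 123, "203.0.113.10", 40002, "udp", True),   # reflected NTP
    Flow("192.0.2.50", 51000, "203.0.113.10", 443, "tcp", False),    # HTTPS customer
    Flow("192.0.2.51", 50000, "203.0.113.10", 53, "udp", False),     # DNS query
    Flow("192.0.2.52", 51001, "203.0.113.20", 443, "tcp", False),    # neighbour host
]


def compare(profile: AttackProfile = PROFILE, flows: List[Flow] = SAMPLE_FLOWS) -> dict:
    """(malicious dropped, legitimate dropped) for each mitigation on the sample."""
    ann, rule = rtbh_announcement(profile), flowspec_rule(profile)
    return {
        "rtbh": collateral(flows, lambda f: blackhole_drops(f, ann)),
        "flowspec": collateral(flows, lambda f: flowspec_drops(f, rule)),
    }


if __name__ == "__main__":
    print(compare())  # {'rtbh': (2, 2), 'flowspec': (2, 0)}
```

On the sample, the blackhole stops both reflected flows but also the victim's HTTPS and DNS customers, while the Flow Spec rule drops only the UDP traffic sourced from port 123. The neighbour host is untouched by both, which is exactly the "protects the rest of the network" property of RTBH; the difference is what happens to the victim's own legitimate traffic.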
17. How can rate-limiting or threshold-setting help mitigate DDoS attacks?
Rate-limiting caps the number of requests a server accepts within a timeframe. While useful against application-layer floods, it risks blocking legitimate users during peak load if thresholds aren’t tuned properly.
Rate limiting, however, is a different methodology from threshold-based mitigation such as RTBH. Threshold-based DDoS mitigation is a reactive mechanism: it continuously monitors traffic levels (packets per second, bits per second, or flows per second) and takes action only when those levels exceed a predefined threshold.
Read about each, and how to use them → How to set a threshold for RTBH/BGP Blackhole – FastNetMon
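The two mechanisms are easy to confuse, so here is an added example (not from the FAQ or from FastNetMon) that implements both side by side: a per-client token-bucket rate limiter that decides request by request, and a threshold detector that aggregates a one-second window per destination host and reports which of pps, bps or flows-per-second was exceeded. The sample window, the per-host thresholds and the use of distinct source addresses as a stand-in for flow counts are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


class TokenBucket:
    """Per-client rate limiter: each client may send `rate` requests per second,
    with bursts of up to `burst`. Every request is judged on its own, whether or
    not the host as a whole is under attack."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._state: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._state[client] = (tokens - 1.0, now)
            return True
        self._state[client] = (tokens, now)
        return False


def simulate_requests(limiter: TokenBucket, client: str,
                      timestamps: Iterable[float]) -> Tuple[int, int]:
    """Return (allowed, rejected) for a sequence of request timestamps from one client."""
    allowed = rejected = 0
    for t in timestamps:
        if limiter.allow(client, t):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


# --- Threshold-based detection, the kind of trigger that drives RTBH ------------

# One traffic sample inside a one-second window: (destination IP, source IP, packets, bytes).
Sample = Tuple[str, str, int, int]

THRESHOLDS = {"pps": 50_000, "bps": 500_000_000, "fps": 5_000}  # assumed per-host thresholds


def detect_window(samples: Iterable[Sample],
                  thresholds: Dict[str, int] = THRESHOLDS) -> Dict[str, List[str]]:
    """Aggregate a one-second window per destination and report every host whose
    packets/s, bits/s or flows/s exceed the configured thresholds. Nothing is
    done until a level is crossed; below the threshold all traffic passes."""
    packets: Dict[str, int] = defaultdict(int)
    octets: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)  # distinct sources stand in for flows

    for dst, src, pkts, byts in samples:
        packets[dst] += pkts
        octets[dst] += byts
        sources[dst].add(src)

    breached: Dict[str, List[str]] = {}
    for dst in packets:
        reasons = []
        if packets[dst] > thresholds["pps"]:
            reasons.append("pps")
        if octets[dst] * 8 > thresholds["bps"]:
            reasons.append("bps")
        if len(sources[dst]) > thresholds["fps"]:
            reasons.append("fps")
        if reasons:
            breached[dst] = reasons
    return breached


# Constructed one-second window: 60 reflectors each send 1,000 packets of 1,400 bytes
# to 203.0.113.10 (60,000 pps, 672 Mbit/s) while 203.0.113.20 sees normal traffic.
SAMPLE_SECOND: List[Sample] = [
    ("203.0.113.10", f"198.51.100.{i}", 1_000, 1_400_000) for i in range(1, 61)
] + [
    ("203.0.113.20", f"192.0.2.{i}", 100, 50_000) for i in range(1, 4)
]


if __name__ == "__main__":
    # Ten requests in the same instant: the burst of 5 passes, the rest are rejected.
    print(simulate_requests(TokenBucket(rate=2, burst=5), "client-a", [0.0] * 10))  # (5, 5)
    print(detect_window(SAMPLE_SECOND))  # {'203.0.113.10': ['pps', 'bps']}
```

Note what each mechanism can and cannot see: the token bucket knows nothing about the host's total load and will keep rejecting a single heavy client even when the network is idle, while the threshold detector never looks at individual clients and stays silent until the aggregate crosses the line, at which point the action (blackhole, Flow Spec rule) applies to the whole destination.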
18. What’s the risk of false positives in automated DDoS mitigation?
Aggressive filtering may block legitimate traffic, leading to service disruption. The challenge lies in balancing speed of mitigation with accuracy in distinguishing real customers from attackers.
You can try FastNetMon baseline calculation.
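As an added illustration of why a threshold should come from the host's own history rather than a guess, the example below (not the FAQ's or FastNetMon's code, and not FastNetMon's baseline algorithm) compares a fixed threshold with one derived from a week of hourly samples. The history is a constructed diurnal curve, the "mean plus three standard deviations" rule is an assumption chosen for the example, and the attack level of 120,000 pps is made up.

```python
import math
import statistics
from typing import Dict, List


def constructed_history(days: int = 7) -> List[float]:
    """Hourly packets-per-second samples for one host: a diurnal curve between
    roughly 10k and 30k pps with a small deterministic wobble. Constructed data
    standing in for the measurements a collector would have recorded."""
    samples = []
    for hour in range(days * 24):
        diurnal = 20_000 + 10_000 * math.sin(2 * math.pi * ((hour % 24) - 6) / 24)
        wobble = (hour * 37) % 500
        samples.append(diurnal + wobble)
    return samples


def baseline_threshold(history: List[float], k: float = 3.0) -> float:
    """Threshold derived from the host's own history: mean plus k standard
    deviations. An assumed method for this example, not a vendor algorithm."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def would_fire(value: float, threshold: float) -> bool:
    return value > threshold


def evaluate(static_threshold: float, history: List[float],
             events: Dict[str, float]) -> Dict[str, Dict[str, bool]]:
    """For each named traffic level, report whether a fixed threshold and a
    history-derived threshold would trigger mitigation."""
    dynamic = baseline_threshold(history)
    return {
        name: {"static": would_fire(value, static_threshold),
               "baseline": would_fire(value, dynamic)}
        for name, value in events.items()
    }


HISTORY = constructed_history()
EVENTS = {
    "busy_evening": max(HISTORY),   # the host's genuine daily peak
    "udp_flood": 120_000.0,         # constructed attack level
}
STATIC_THRESHOLD = 25_000.0         # a round-number guess that ignores the daily peak


if __name__ == "__main__":
    print(round(baseline_threshold(HISTORY)))
    print(evaluate(STATIC_THRESHOLD, HISTORY, EVENTS))
```

The fixed 25,000 pps threshold fires on the host's ordinary evening peak (a false positive that would blackhole a healthy service), while the history-derived threshold lands above every legitimate sample yet still well below the flood. Whatever rule you use to compute the baseline, the check to run is the same: replay the last weeks of normal traffic against the proposed threshold and confirm it never triggers.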
19. What’s the difference between mitigation at the ISP level vs. the enterprise level?
→ ISP-level mitigation protects upstream bandwidth and absorbs larger attacks before they hit the customer.
→ Enterprise-level mitigation focuses on filtering at the edge or inside the organisation’s network, which is effective but limited in scale.
For deeper reading on layered strategies and the importance of upstream protections check out DDoS and your digital transformation strategy.
20. How can I test if my DDoS defences work?
By running controlled DDoS simulations (’red teaming’), traffic stress testing, and tabletop exercises with your incident response team. Testing validates both technology and operational playbooks.
21. What are DDoS-for-hire services?
So-called ‘booter’ or ‘stresser’ services rent out DDoS capabilities for as little as $10/hour. This lowers the barrier of entry for attackers and significantly increases attack frequency. Here’s more about DDoS booters and IP stressers explained by experts.
22. What is the difference between DoS and DDoS?
A Denial of Service (DoS) attack originates from a single source, while a DDoS attack uses multiple distributed sources, often part of a botnet. This makes DDoS attacks harder to stop.
23. What is an RDDoS attack?
RDDoS, or Ransom DDoS, is a specific type of attack where adversaries demand payment (usually in cryptocurrency) under the threat of launching or continuing a DDoS attack against the target. Unlike ransomware, attackers don’t encrypt data – they weaponise downtime as leverage.
More on the topic → DoS, DDoS and RDoS explained
Have more questions?
This FAQ is just the beginning. If you want to dive deeper or have a DDoS question we didn’t cover, join the conversation on our social channels. We share insights, answer questions, and keep you updated on the latest in DDoS defence — drawing on over a decade of experience helping networks around the world stay secure.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com