A distributed denial-of-service (DDoS) attack uses multiple compromised computers to flood one or more targets with traffic, exhausting server resources or network bandwidth until the target can no longer serve legitimate users.
How DDoS attacks work
DDoS attacks are coordinated through a botnet:
An attacker builds a botnet by compromising many devices across the internet and installing software on them that waits for commands.
During an attack, the attacker issues commands from a control server, directing all zombie hosts in the botnet to simultaneously send a massive volume of requests or traffic to a specific target — such as a website or server.
The resulting traffic spike exhausts the target's system resources or network bandwidth, causing the service to slow down or crash. The server can no longer process requests from legitimate users, achieving a denial of service.
Risks of DDoS attacks
Financial and brand damage
An attack causes service interruptions that prevent users from accessing your services, leading to direct financial losses from lost orders and customer churn — and lasting damage to your brand's reputation.
An e-commerce platform hit by a DDoS attack may become slow or completely unreachable, preventing legitimate users from placing orders for the duration of the attack.
Data breach risk
A DDoS attack can act as a diversion. While creating network chaos, an attacker may simultaneously infiltrate your systems and steal sensitive or proprietary data.
Malicious business competition
DDoS attacks are used as an unfair competitive tactic — paralyzing a competitor's services to capture market share and disrupt the broader industry.
A game service hit by a DDoS attack may see player counts drop sharply, potentially forcing the service offline within days.
How to tell if your service is under attack
Check the asset status on the Assets page in the Traffic Security console. For details, see Asset Center.
Watch for the following signs:
| Sign | What you may observe |
|---|---|
| Service quality degradation | Service lags, responds slowly, or many users are disconnected |
| Abnormal server resources | CPU utilization or memory usage spikes unexpectedly |
| Network traffic surge | Inbound or outbound traffic rises sharply with no clear cause |
| Massive unknown access | Website or application is flooded with requests from unknown sources |
| Difficulty with remote management | Cannot log in to the server, or it responds very slowly |
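Two of the signs in the table, abnormal connection state on the server and a flood of requests from unknown sources, can be checked from data the host already produces. The script below is an added example, not code from the original page or from Alibaba Cloud: it counts half-open (SYN-RECV) connections per port from `ss -ant` output, which is what a SYN flood leaves behind, and flags source IPs whose request rate in any 10-second window of a common-format web access log exceeds a threshold, which is the footprint of an HTTP GET flood or CC attack. Both inputs are constructed samples embedded in the script; the threshold and window are illustrative values, not recommendations.

```python
"""Spot two DDoS signs from host-side data: half-open TCP connections
(SYN flood) and per-source HTTP request rates (HTTP flood / CC attack).
The sample inputs below are constructed for this example, not real captures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed `ss -ant` output: many SYN-RECV entries on :443 from
# different peers is the signature of a SYN flood filling the backlog.
SS_SAMPLE = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      4096   0.0.0.0:443         0.0.0.0:*
SYN-RECV 0      0      10.0.0.5:443        198.51.100.7:40001
SYN-RECV 0      0      10.0.0.5:443        198.51.100.8:40002
SYN-RECV 0      0      10.0.0.5:443        198.51.100.9:40003
ESTAB    0      0      10.0.0.5:443        203.0.113.2:51000
SYN-RECV 0      0      10.0.0.5:22         198.51.100.10:40004
"""


def half_open_by_port(ss_output):
    """Count SYN-RECV (half-open) connections per local port."""
    counts = defaultdict(int)
    for line in ss_output.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        port = int(fields[3].rsplit(":", 1)[1])     # also handles IPv6 "[::1]:443"
        counts[port] += 1
    return dict(counts)


# Common Log Format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _log_line(ip, when, path):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


_T0 = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
# Constructed access log: one source fires 20 requests at the search
# endpoint within 10 seconds; a normal visitor makes 3 requests in a minute.
LOG_SAMPLE = [
    _log_line("198.51.100.23", _T0 + timedelta(seconds=i // 2), "/search?q=x")
    for i in range(20)
] + [
    _log_line("203.0.113.2", _T0 + timedelta(seconds=s), p)
    for s, p in ((4, "/"), (30, "/products/1"), (58, "/cart"))
]


def flag_flooders(log_lines, window_s=10, threshold=10):
    """Return {ip: peak requests seen in any window_s-second window} for
    sources whose peak exceeds threshold. Lines must be in time order per
    source, as a normal access log is."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # unparseable line: skip it
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window_s:                 # drop timestamps outside the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    print("half-open connections by port:", half_open_by_port(SS_SAMPLE))
    print("sources exceeding the rate threshold:", flag_flooders(LOG_SAMPLE))
```

On a real host, feed `half_open_by_port` the output of `ss -ant` and `flag_flooders` the web server's access log. A per-source rate check is only a first cut: a botnet spreads its requests over many addresses, so a low per-IP rate with a sharply higher total request rate is itself a sign worth alerting on.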
How Alibaba Cloud protects against DDoS attacks
To choose the right product for your situation, see Selection guide.
Anti-DDoS Origin Basic (Free)
Provides 500 Mbps to 5 Gbps of DDoS mitigation for Alibaba Cloud resources, including ECS, Server Load Balancer, EIP (including EIPs attached to NAT Gateways), IPv6 Gateway, Global Accelerator, and Web Application Firewall. See the documentation for each cloud product for details.
Anti-DDoS Origin
A transparent protection service for resources deployed on Alibaba Cloud. For details, see What is Anti-DDoS Origin?.
Anti-DDoS Proxy
Uses a proxy model to protect ports and domain names, including hosts not deployed on Alibaba Cloud. For details, see What is Anti-DDoS Proxy?.
Common types of DDoS attacks
DDoS attack vectors generally fall into five categories. Understanding the category helps you identify which layer of your infrastructure is under attack and what mitigation approach applies.
| Attack category | Attack examples | How it works |
|---|---|---|
| Malformed packet | Frag Flood, Smurf, Stream Flood, Land Flood, malformed IP/TCP/UDP packets | Sends malformed or unexpected packets to the target, for example overlapping IP fragments, packets whose source and destination addresses are identical (Land), or spoofed ICMP echo requests to a broadcast address (Smurf). A protocol stack that does not handle these cases safely can crash or stall while processing them, resulting in a denial of service. |
| Transport layer | SYN Flood, ACK Flood, UDP Flood, ICMP Flood, RST Flood | Floods the target with protocol-level packets to exhaust bandwidth or per-connection state. A SYN Flood abuses the TCP three-way handshake: for every incoming SYN the server allocates a half-open connection entry in its SYN backlog and replies with SYN-ACK, but the attacker (usually from spoofed source addresses) never sends the final ACK. Once the backlog is full, SYNs from legitimate clients are dropped. UDP and ICMP floods need no connection state at all; they simply saturate link bandwidth or packet-processing capacity. |
| DNS | DNS Request Flood, DNS Response Flood, DNS Query Flood (spoofed and real sources), authoritative server attacks, local server attacks | Overwhelms DNS servers with queries that look legitimate. A DNS Query Flood sends massive numbers of queries from zombie hosts, often for random non-existent subdomains so that caches cannot answer them, until the server can no longer respond to legitimate queries. |
| Connection-based | TCP slow connection attacks, connection exhaustion, LOIC, HOIC, Slowloris, Pyloris, XOIC | Exhausts the server's pool of concurrent connections rather than its bandwidth. Slowloris keeps HTTP connections open as long as possible: it sends a request line and then trickles out header lines (each ending in \r\n) at long intervals, but never sends the blank line (\r\n\r\n) that ends the header block, so the server keeps the connection open waiting for the rest of the request. A few hundred such connections can occupy every worker slot of a server that dedicates a thread or process to each connection. |
| Application layer | HTTP GET Flood, HTTP POST Flood, Challenge Collapsar (CC) attack | Sends well-formed HTTP requests that look like those of real users or search-engine crawlers, which makes them hard to distinguish from normal traffic. A CC attack aims at the most expensive backend paths (search, login, dynamic pages), driving up web response time, database load, and disk I/O. Because most attacks today combine several vectors, any sustained pattern of high-frequency requests that imitate user behavior is treated as a CC attack. |
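The connection-based row describes why an unfinished request holds a slot open; the practical question is which timeout actually frees it. The simulation below is an added example, not code from the original page or from Alibaba Cloud, and opens no sockets: it replays a constructed timeline in which three Slowloris-style clients send one bogus header line every 5 seconds and never the terminating blank line, while a legitimate client arrives with a complete request. The server has three worker slots and is run under three policies: no timeout, an idle timeout (close after N seconds without bytes), and a header-completion deadline (close if the headers are not complete N seconds after connect). The slot count, intervals and timeout values are illustrative.

```python
"""Why a partial HTTP request ties up a server slot, and which timeout
ends it. Connections are simulated; no network I/O happens."""

HEADER_END = b"\r\n\r\n"   # blank line that terminates the request headers


def request_complete(buf):
    """An HTTP/1.1 server may act only once the whole header block arrived."""
    return HEADER_END in buf


class _Conn:
    def __init__(self, now):
        self.buf = b""
        self.opened_at = now
        self.last_activity = now


def simulate(events, max_conns, policy="none", limit=0.0):
    """Replay (time, client, payload) events against a server with max_conns
    worker slots. payload None means 'TCP connect'. policy is 'none',
    'idle' (close after limit s without bytes) or 'deadline' (close if the
    headers are not complete limit s after connect).
    Returns (served, rejected): clients answered, clients that got no slot."""
    conns, served, rejected = {}, [], []
    for now, client, payload in events:
        for name, c in list(conns.items()):          # reap before handling the event
            if policy == "idle" and now - c.last_activity > limit:
                del conns[name]
            elif policy == "deadline" and now - c.opened_at > limit:
                del conns[name]
        if payload is None:
            if len(conns) >= max_conns:
                rejected.append(client)                # no free slot for this client
            else:
                conns[client] = _Conn(now)
            continue
        c = conns.get(client)
        if c is None:
            continue                                   # bytes for a closed or refused connection
        c.buf += payload
        c.last_activity = now
        if request_complete(c.buf):
            served.append(client)                      # respond and free the slot
            del conns[client]
    return served, rejected


def slowloris_events():
    """Constructed timeline (not a capture): three Slowloris clients each send
    a request line, then one bogus header line every 5 s, never the blank
    line. A legitimate client arrives at t=12 with a complete request."""
    events = []
    for c in ("slow-1", "slow-2", "slow-3"):
        events.append((0.0, c, None))
        events.append((0.0, c, b"GET / HTTP/1.1\r\nHost: example.test\r\n"))
        events += [(t, c, b"X-a: b\r\n") for t in (5.0, 10.0, 15.0, 20.0)]
    events.append((12.0, "legit", None))
    events.append((12.0, "legit",
                   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"))
    return sorted(events, key=lambda e: e[0])        # stable sort keeps connect before its data


if __name__ == "__main__":
    ev = slowloris_events()
    print("no timeout:           ", simulate(ev, max_conns=3))
    print("idle timeout 8 s:     ", simulate(ev, 3, "idle", 8.0))
    print("header deadline 10 s: ", simulate(ev, 3, "deadline", 10.0))
```

With no timeout the legitimate client is turned away. An idle timeout of 8 seconds changes nothing, because each Slowloris client sends a byte or two before it expires; that is the whole point of the attack. Only a deadline on completing the headers, such as nginx's `client_header_timeout` or Apache's `mod_reqtimeout` (`RequestReadTimeout header=20-40,MinRate=500`), frees the slots in time. Anti-DDoS Proxy sits in front of the origin and terminates these connections before they reach it, which is why the connection-based category is handled at the proxy rather than on the server.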