
What are volumetric DDoS attacks?

  • By Gcore
  • October 15, 2025
  • 11 min read

Your network goes silent. Pages stop loading. Customers can't reach you. And somewhere out there, a botnet of thousands of compromised devices is burying your infrastructure under a traffic flood measured in gigabits, or even terabits, per second. Volumetric DDoS attacks don't need to crack your passwords or exploit your code. They just need to send more traffic than your network can handle, and your services collapse on their own.

The threat is as scalable as it is brutal. Attackers can amplify a small spoofed request into a massive response flood using nothing more than open DNS resolvers or misconfigured servers, and they can sustain that pressure for minutes, hours, or days. No business is too small to target, and no industry is off-limits.

Here, you'll learn exactly how volumetric DDoS attacks work, the most common types you'll face, and the warning signs that one is already underway. You'll also find out why traditional defenses like firewalls fall short, how detection and mitigation actually work in practice, and what steps you can take right now to protect your infrastructure before attackers ever pull the trigger.

What are volumetric DDoS attacks?

Volumetric DDoS attacks are flood-style Distributed Denial of Service (DDoS) attacks that hit a target's network with massive amounts of traffic to exhaust available bandwidth and knock services offline. Think of them as blunt instruments. There's no need to exploit application vulnerabilities when you can simply overwhelm the pipes.

  • Traffic flood: The core mechanic is simple. Send more traffic than the target can handle. Attackers measure success in bits per second (bps), packets per second (pps), or connections per second (cps), pushing volumes into the gigabits or even terabits per second range.
  • Botnet-driven attacks: Attackers recruit thousands of compromised devices (PCs, routers, IoT gadgets) into a botnet. Each device sends traffic toward the target simultaneously, creating a coordinated flood that's hard to block because it comes from so many different sources.
  • DNS amplification: Here's a clever trick. Attackers spoof the victim's IP address and send small queries to open DNS resolvers, which respond with much larger packets directed at the victim. The attacker gets a massive traffic multiplier for minimal effort.
  • ICMP flood: Also called a ping flood, this bombards the target with Echo Request packets. The target's network gets congested trying to process and respond to each one, eventually grinding to a halt.
  • NTP and SSDP amplification: Similar to DNS amplification, attackers exploit Network Time Protocol and Simple Service Discovery Protocol servers as unwitting traffic amplifiers. Spoofed requests trigger large responses that pile onto the victim's connection.
  • Layer 3 and 4 targeting: Volumetric attacks hit the network and transport layers of the OSI model. That means congestion, packet loss, and link saturation. Not by breaking your app, but by collapsing the network underneath it.
  • Bandwidth saturation: The real danger is upstream impact. A large enough attack doesn't just take down your server. It saturates your upstream provider's links, taking out neighboring services and making mitigation much harder.
  • Multi-vector combinations: Skilled attackers don't always stop at volumetric floods. They combine bandwidth exhaustion with application-layer attacks, using the volumetric component to mask or amplify the damage from more targeted strikes.

Term | What it does | Best for
Traffic flood | Overwhelms bandwidth with bps/pps/cps volume | Causing outages without exploiting vulnerabilities
Botnet-driven attacks | Coordinates thousands of devices to flood a target | Generating distributed, hard-to-block traffic
DNS amplification | Spoofs victim IP to trigger amplified DNS responses | Multiplying attack volume with minimal resources
ICMP flood | Bombards target with ping packets | Congesting network links quickly
NTP and SSDP amplification | Exploits protocol servers as traffic multipliers | High-volume attacks using open servers
Layer 3 and 4 targeting | Collapses network and transport layers | Disrupting infrastructure, not applications
Bandwidth saturation | Overloads upstream provider links | Taking down services beyond the direct target
Multi-vector combinations | Pairs volumetric floods with application-layer attacks | Masking deeper attacks behind traffic noise

How do volumetric DDoS attacks work?

Volumetric DDoS attacks turn your own network infrastructure against you. The attacker's goal isn't to find a weakness in your code. It's simpler than that: send so much traffic that your connection runs out of room.

Here's how it plays out. An attacker assembles a botnet or finds open amplification servers, then directs a flood of packets at your IP address. Your router and upstream links try to keep up, but the volume blows past what your bandwidth can handle. Legitimate requests get queued, then dropped. Your service goes offline, not because anything broke, but because there's no capacity left.

Amplification attacks add a multiplier effect. Attackers spoof your IP address in their requests, so the amplification servers have no idea they're being weaponized. They just respond normally, sending large packets to what they think is a legitimate requester. Your connection absorbs all of it.

And the attack doesn't need to be sophisticated to succeed. Raw volume does the work.

In simple terms: Attackers flood your network with more traffic than it can carry, using botnets or amplification tricks to generate massive volumes until your connection is completely full and nothing else gets through.

What are the main types of volumetric DDoS attacks?

Volumetric attacks come in several forms, but they all share the same goal: fill your pipe until nothing else gets through. Here are the main types you'll encounter.

  • UDP flood: Attackers send massive volumes of User Datagram Protocol packets to random ports on your server. Because UDP has no handshake, there's no connection to verify. Your server wastes resources checking each packet for a listening service and sending back ICMP destination unreachable (port unreachable) responses, which compounds the load fast.
  • ICMP flood: Better known as a ping flood, this bombards your network with Echo Request packets faster than it can respond. The resulting congestion affects all traffic on the link, not just ping responses.
  • DNS amplification: The attacker spoofs your IP address and sends small queries to open DNS resolvers. Those resolvers send large responses, sometimes 70 times the size of the original request, directly to you. High amplification ratio, low effort for the attacker.
  • NTP amplification: Similar to DNS amplification, but exploiting Network Time Protocol servers. Attackers send a small "monlist" command, and the server replies with a list of recent clients. That response can be hundreds of times larger than the request itself.
  • Memcached amplification: Open Memcached servers can amplify traffic by a factor of over 50,000. Attackers send a tiny spoofed request, and the server blasts your connection with a massive data response. This technique has been used in some of the largest recorded attacks.
  • SSDP flood: Simple Service Discovery Protocol is built into many consumer devices. Attackers query those devices using your spoofed IP, and each one sends its full service description back to you, turning millions of home routers and smart devices into unwitting amplifiers.
  • Botnet traffic flood: Rather than amplifying from a few servers, this approach uses thousands or millions of compromised devices, including PCs, IoT gadgets, and cameras, each sending traffic simultaneously. No amplification needed when you have enough nodes generating raw volume.

Attack type | What it does | Best for
UDP flood | Overwhelms ports with connectionless packets | Saturating raw bandwidth quickly
ICMP flood | Congests links with ping traffic | Disrupting all traffic on a link
DNS amplification | Multiplies traffic through open DNS resolvers | High-volume attacks with few resources
NTP amplification | Exploits NTP monlist for large responses | Generating outsized traffic from small queries
Memcached amplification | Achieves extreme amplification ratios | Maximum traffic volume per request
SSDP flood | Weaponizes consumer devices at scale | Abusing IoT-heavy networks
Botnet traffic flood | Coordinates mass devices for raw volume | Sustained, distributed flooding

What are the warning signs of a volumetric DDoS attack?

Volumetric DDoS attacks don't creep up on you. They hit fast and escalate faster. Here's what to watch for.

  • Sudden traffic spike: Your bandwidth jumps dramatically with no business event to explain it. The traffic comes from many different source IPs, which rules out a legitimate surge.
  • Network link saturation: Your upstream link hits capacity and legitimate traffic starts dropping. You'll see packet loss and latency spikes across all your services, not just one application.
  • High-volume responses from reflectors: Traffic analysis shows large inbound responses from open DNS resolvers, NTP servers, or Memcached instances that your systems never actually queried. That's a clear amplification signature.
  • Spoofed source addresses: Your traffic logs show packets from IP addresses that don't match any known route or look geographically inconsistent. Spoofed IPs are a hallmark of reflection and amplification attacks.
  • Unusual protocol distribution: Your traffic mix shifts sharply. UDP or ICMP packets suddenly dominate where TCP normally would. If the protocol breakdown looks nothing like your baseline, investigate immediately.
  • Port scanning anomalies: UDP floods often target random ports. If your firewall or monitoring tools log rapid attempts across many ports from many sources at once, that pattern points to volumetric flooding rather than reconnaissance, which is usually slower and comes from far fewer sources.
  • Degraded performance across services: When a volumetric attack saturates your link, everything suffers, not just the targeted endpoint. If latency rises across unrelated services at the same time, that's bandwidth exhaustion, not an application bug.
  • Upstream provider alerts: Sometimes your hosting provider or ISP spots the attack before your own tools do. An unexpected notification about abnormal traffic volumes is your cue to investigate immediately.

Warning sign | What you observe | Useful for
Sudden traffic spike | Bandwidth floods in from many source IPs | Identifying early attack onset
Network link saturation | Legitimate traffic drops as the link hits capacity | Confirming bandwidth exhaustion
High-volume reflector responses | Large replies arrive from open servers you never queried | Detecting DNS, NTP, Memcached abuse
Spoofed source addresses | Fake source IPs mask the attacker's origin | Identifying reflection-based attacks
Unusual protocol distribution | UDP or ICMP dominates where TCP normally would | Spotting volumetric flood patterns
Port scanning anomalies | Rapid multi-port attempts from many sources | Detecting UDP flood activity
Degraded performance across services | Latency spikes on unrelated services | Confirming link-level bandwidth exhaustion
Upstream provider alerts | Your ISP flags abnormal traffic at the network edge | Catching attacks before internal tools do

Why are volumetric DDoS attacks dangerous?

Here's the thing about volumetric DDoS attacks: they don't need to break through your defenses. They just need to overwhelm them. By saturating your bandwidth, attackers can take down your services without exploiting a single vulnerability.

The collateral damage is what really hurts. When your upstream link hits capacity, everything behind it goes dark. It's not just the targeted service that fails. Your entire infrastructure becomes unreachable.

Amplification makes it worse. Attackers send small spoofed requests to open servers and get responses hundreds of times larger directed back at your network. That multiplication effect means even a modest botnet can generate attack traffic measured in terabits per second.

Skilled attackers also layer in application-layer attacks on top of the volumetric flood. While your team focuses on the bandwidth exhaustion, a separate attack quietly targets your application logic. That combination is much harder to defend against than either attack type on its own.

What are notable real-world examples of volumetric DDoS attacks?

Some of the largest traffic floods ever recorded have been volumetric DDoS attacks built on the techniques below, and they show just how destructive this attack type can get at scale.

Here are the main ones worth knowing.

  • DNS amplification: Attackers spoof the victim's IP address and send small queries to open DNS resolvers, which fire back much larger packets at the target. The amplification ratio can be enormous, turning a modest botnet into a terabit-scale flood. Open resolvers worldwide have made this one of the most widely used volumetric techniques.
  • ICMP flood: The target gets bombarded with ICMP Echo Request packets (essentially ping requests) faster than the network can process them. The resulting congestion causes packet loss and link saturation across the affected infrastructure. It's a blunt instrument, but it works against networks without rate-limiting controls.
  • Memcached amplification: Attackers send spoofed UDP requests to exposed Memcached servers, which respond with data payloads dramatically larger than the original request. A single Memcached server can amplify traffic by tens of thousands of times. This technique has generated some of the highest recorded attack volumes ever seen.
  • NTP amplification: The Network Time Protocol supports a debug command that returns a list of recent clients. Attackers abuse this by sending small spoofed requests to NTP servers, triggering large responses aimed at the victim. Patching or restricting that command on NTP servers largely eliminates the exposure.
  • SSDP amplification: The Simple Service Discovery Protocol, used by consumer IoT devices, can be abused to reflect and amplify traffic toward a target. Because millions of home routers and smart devices expose SSDP publicly, the pool of potential reflectors is vast. That's what makes SSDP-based attacks so hard to suppress at the source.
  • IoT botnet floods: Networks of compromised IoT devices (cameras, routers, smart appliances) get recruited into botnets that generate raw volumetric traffic at scale. Unlike amplification attacks, these floods don't rely on open servers. The volume comes from sheer device count, and the distributed nature makes source-based blocking largely ineffective.
  • Layered volumetric and application attacks: Advanced attackers pair a volumetric flood at Layers 3 and 4 with a simultaneous application-layer attack targeting specific services. The bandwidth exhaustion consumes the defending team's attention while the application attack does targeted damage. This combination is harder to detect and mitigate than either vector alone.

How to detect and mitigate volumetric DDoS attacks?

Detecting and mitigating volumetric DDoS attacks comes down to combining real-time traffic monitoring with layered filtering and automated response systems.

  1. Establish a traffic baseline. Start by profiling your normal traffic patterns: typical bandwidth consumption, packet rates, and connection volumes across different times of day. Without a baseline, you can't reliably tell an attack apart from a legitimate traffic spike.
  2. Monitor for anomalies in real time. Deploy traffic analytics that flag sudden deviations from your baseline, like a dramatic spike in packets per second or connections flooding in from an unusual number of source IPs. Adaptive thresholds tied to the baseline catch attacks faster than static alert rules.
  3. Identify amplification signatures. Watch for high-volume responses arriving from known reflector types: DNS resolvers, NTP servers, Memcached instances. If your inbound traffic far exceeds your outbound requests, amplification is likely the cause.
  4. Apply rate limiting immediately. Once you've confirmed an attack, rate-limit the offending traffic at the network edge. Because flood sources are often spoofed or number in the thousands, limit by protocol and port (for example, inbound UDP from source port 123 or 11211, or ICMP) rather than by individual source address. It won't stop a large-scale flood on its own, but it buys time and reduces load on your downstream infrastructure.
  5. Use traffic scrubbing. Route suspicious traffic through scrubbing centers that separate legitimate requests from attack traffic, then forward only clean traffic to your origin. Always-on scrubbing detects and responds in seconds rather than waiting on manual intervention.
  6. Deploy Flowspec rules. Push Border Gateway Protocol (BGP) Flowspec rules to upstream routers to drop or rate-limit attack traffic matched on protocol, ports, and packet length, close to where it enters the provider's network. This stops attack traffic before it reaches your network edge and saturates your links.
  7. Activate IP reputation filtering. Block traffic from known malicious IP ranges and botnet-associated addresses using continuously updated IP reputation feeds. You'll cut volumetric load without affecting legitimate users.
  8. Use anycast routing to absorb traffic. Distribute attack traffic across a global network of Points of Presence (PoPs) so no single location bears the full load. Geographically distributed absorption capacity is what separates survivable attacks from catastrophic outages.
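The warning signs listed earlier and steps 1 to 3 above (baseline, anomaly detection, amplification signatures) can be checked mechanically over flow records. The following is an added example, not Gcore code: it analyses one window of constructed NetFlow/IPFIX-style records against an assumed baseline and reports which signs are present. The field names, the reflector port list, the thresholds and the sample addresses are all assumptions, not values from the article.

```python
"""Flow-window analyser for volumetric DDoS warning signs (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused as reflectors (illustrative
# subset, assumed here; a real deployment carries a longer, curated list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "Memcached"}


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = toward our prefix, "out" = leaving our prefix
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    nbytes: int


def protocol_mix(flows):
    """Share of inbound bytes per protocol (0.0 to 1.0)."""
    per_proto = Counter()
    for f in flows:
        if f.direction == "in":
            per_proto[f.proto] += f.nbytes
    total = sum(per_proto.values()) or 1
    return {p: b / total for p, b in per_proto.items()}


def reflector_signatures(flows):
    """Inbound UDP from a reflector port with no outbound query to that same
    peer and port in the window: the fingerprint of a reflection attack."""
    queried = {(f.dst, f.dport) for f in flows
               if f.direction == "out" and f.proto == "udp"}
    hits = defaultdict(int)
    for f in flows:
        if (f.direction == "in" and f.proto == "udp"
                and f.sport in REFLECTOR_PORTS
                and (f.src, f.sport) not in queried):
            hits[REFLECTOR_PORTS[f.sport]] += f.nbytes
    return dict(hits)


def analyse(flows, baseline, window_s=10, spike=5.0, udp_share=0.5):
    """Return the warning signs present in one window, in a fixed order."""
    findings = []
    in_bytes = sum(f.nbytes for f in flows if f.direction == "in")
    out_bytes = sum(f.nbytes for f in flows if f.direction == "out")
    if in_bytes * 8 / window_s > spike * baseline["bps"]:
        findings.append("traffic_spike")
    if len({f.src for f in flows if f.direction == "in"}) > spike * baseline["sources"]:
        findings.append("many_sources")
    mix = protocol_mix(flows)
    connectionless = mix.get("udp", 0.0) + mix.get("icmp", 0.0)
    if connectionless > udp_share and baseline["udp_share"] < udp_share / 2:
        findings.append("protocol_shift")
    if reflector_signatures(flows):
        findings.append("reflector_responses")
    if out_bytes and in_bytes / out_bytes > spike * baseline["in_out_ratio"]:
        findings.append("inbound_outbound_imbalance")
    return findings


# Baseline learned from quiet periods (assumed values for a small web host).
BASELINE = {"bps": 20_000_000, "sources": 100, "udp_share": 0.05, "in_out_ratio": 1.0}


def normal_window():
    """Constructed sample: 20 web clients plus one DNS lookup we made ourselves."""
    flows = []
    for i in range(1, 21):
        client = f"198.51.100.{i}"
        flows.append(Flow("in", client, "203.0.113.10", "tcp", 50000 + i, 443, 2_000))
        flows.append(Flow("out", "203.0.113.10", client, "tcp", 443, 50000 + i, 20_000))
    flows.append(Flow("out", "203.0.113.10", "192.0.2.53", "udp", 40123, 53, 80))
    flows.append(Flow("in", "192.0.2.53", "203.0.113.10", "udp", 53, 40123, 300))
    return flows


def attack_window():
    """Constructed sample: NTP/DNS/Memcached reflection from 600 reflectors,
    an ICMP flood, and ten web clients still getting through."""
    flows = normal_window()[:20]
    ports = [123, 53, 11211]
    n = 0
    for net in ("192.0.2", "198.18.0", "198.19.0"):
        for i in range(1, 201):
            flows.append(Flow("in", f"{net}.{i}", "203.0.113.10", "udp",
                              ports[n % 3], 40000 + n, 600_000))
            n += 1
    for i in range(1, 51):
        flows.append(Flow("in", f"100.64.{i}.1", "203.0.113.10", "icmp", 0, 0, 1_500))
    return flows


if __name__ == "__main__":
    print("normal:", analyse(normal_window(), BASELINE))
    print("attack:", analyse(attack_window(), BASELINE), reflector_signatures(attack_window()))
```

The reflector check is the one that separates amplification from an ordinary surge: a DNS reply from a resolver you queried in the same window is legitimate, while NTP, DNS or Memcached responses from peers you never contacted are reflected traffic. In production you would feed real flow exports and derive the baseline per time of day, as step 1 describes, rather than hard-coding it.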

The key thing is speed. Automated mitigation that responds within seconds is far more effective than manual processes. By the time a human reviews an alert, a terabit-scale flood can already saturate your upstream provider's links.

How to prevent volumetric DDoS attacks before they happen?

Prevention starts before any attack does. That means hardening your infrastructure, shrinking your attack surface, and getting automated protections in place while traffic is still normal.

  1. Deploy always-on DDoS protection. Don't wait for an attack to flip the switch. Always-on mitigation continuously inspects traffic and responds within seconds, long before a terabit-scale flood can saturate your links. On-demand protection is almost always too slow to matter.
  2. Establish upstream scrubbing capacity. Your mitigation capacity has to exceed what attackers can throw at you. Work with a DDoS protection provider whose scrubbing network can absorb traffic volumes measured in terabits per second. Your on-premises hardware can't handle that scale alone.
  3. Close amplification vectors on your network. Restrict or disable open DNS resolvers, NTP servers, and Memcached instances that attackers can exploit for reflection attacks. If your servers respond to spoofed requests, you're contributing to the problem as much as suffering from it.
  4. Use ingress and egress filtering. Configure your routers to drop packets with spoofed source IP addresses using BCP38 filtering (on most routers, strict unicast reverse path forwarding). Applied at your own edge, this stops your network from being used as a spoofing source and drops inbound packets that falsely claim to come from your own prefixes. It does not stop reflected traffic, because the source addresses on reflected packets are the real reflectors; spoofing is only eliminated when the networks hosting the bots filter their own egress, which is why BCP38 adoption everywhere matters.
  5. Harden your network edge with rate limits and access controls. Set ICMP rate limits, restrict UDP traffic to expected services, and configure your firewall to drop unexpected protocol traffic. These controls won't stop a massive flood, but they eliminate the low-effort probing that often comes first.
  6. Build redundancy into your infrastructure. Distribute your services across multiple locations and providers so a single saturated link doesn't take everything offline. Redundant paths and failover routing mean attackers have to overwhelm multiple targets simultaneously.
  7. Test your defenses before you need them. Run regular DDoS simulation exercises to verify your detection thresholds, scrubbing configurations, and failover paths actually work under load. Discovering a gap during a real attack is the worst possible time to find it.
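Step 4 is easier to reason about with the router-side mechanism in front of you. The following is an added example, not Gcore code or any real router's implementation: a small strict and loose unicast RPF model over a toy routing table, showing which packets anti-spoofing at your own edge drops and, just as important, which reflected traffic it lets through. The interface names, prefixes and addresses are assumptions.

```python
"""Strict and loose unicast RPF, the usual router mechanism behind BCP38 (added example)."""
import ipaddress


class Router:
    def __init__(self):
        self.routes = []  # (network, egress interface)

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, addr, ignore_default=False):
        """Longest-prefix match; returns the egress interface or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ignore_default and net.prefixlen == 0:
                continue
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def urpf_strict(self, src, in_iface):
        """Accept only if the best route back to src leaves via in_iface.
        This is what BCP38 ingress filtering usually looks like on a router."""
        return self.lookup(src) == in_iface

    def urpf_loose(self, src):
        """Accept if any non-default route covers src: drops bogons and
        unrouted space, but passes anything routable from anywhere."""
        return self.lookup(src, ignore_default=True) is not None

    def filter_packet(self, src, in_iface, mode="strict"):
        ok = self.urpf_strict(src, in_iface) if mode == "strict" else self.urpf_loose(src)
        return "forward" if ok else "drop: spoofed or unroutable source"


def build_router():
    """Our edge (assumed): one customer LAN prefix, a learned route to a DNS
    provider's prefix, and a default route toward the upstream."""
    r = Router()
    r.add_route("198.51.100.0/24", "lan0")
    r.add_route("192.0.2.0/24", "upstream0")
    r.add_route("0.0.0.0/0", "upstream0")
    return r


if __name__ == "__main__":
    r = build_router()
    cases = [
        ("198.51.100.10", "lan0"),       # our own host, true source: forward
        ("203.0.113.7", "lan0"),         # our host spoofing a victim: drop (we won't be a reflection source)
        ("198.51.100.10", "upstream0"),  # outsider spoofing our prefix: drop
        ("192.0.2.53", "upstream0"),     # real reflector's reply to a spoofed query: forward
    ]
    for src, iface in cases:
        print(f"{src:>14} via {iface:<9} -> {r.filter_packet(src, iface)}")
```

The fourth case is the caveat: the reply from 192.0.2.53 carries the reflector's genuine source address, so it passes uRPF at the victim's edge no matter how strictly it is configured. Strict mode on your own edge keeps your hosts from being the spoofing source and stops trivial "from inside" spoofing; loose mode (used on multihomed links where strict mode would drop asymmetric traffic) only catches unroutable sources. Absorbing reflected floods still requires the upstream scrubbing capacity from step 2.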

Here's the honest reality: no single control prevents volumetric attacks entirely. What prevention really means is making your infrastructure resilient enough that an attack fails to cause an outage, and automated enough that your team isn't scrambling to respond manually while the flood is already in progress.

How can Gcore help protect against volumetric DDoS attacks?

Gcore protects against volumetric DDoS attacks through always-on traffic scrubbing that filters malicious floods before they reach your infrastructure. The network can absorb terabit-scale attacks across 210+ global PoPs, so even the largest botnet-driven floods get neutralized at the edge, not at your origin.

Detection and mitigation kick in within seconds. That matters because volumetric attacks can saturate links in under a minute, and manual intervention is never fast enough to stop the damage.


Frequently asked questions

How large can a volumetric DDoS attack get in terms of traffic volume?

Volumetric attacks can reach terabits per second, traffic volumes large enough to saturate entire regional internet links. Attackers measure the damage in bits per second, packets per second, or connections per second, depending on which resource they're trying to exhaust first.

Can a firewall stop a volumetric DDoS attack?

No, a firewall alone can't stop a volumetric DDoS attack. By the time traffic reaches your firewall, your upstream bandwidth is already saturated, so on-premises filtering is too late in the path to help. Effective mitigation requires upstream scrubbing capacity that absorbs attack traffic before it reaches your network edge.

How long does a volumetric DDoS attack typically last?

Volumetric DDoS attacks can last anywhere from a few minutes to several days, depending on the attacker's resources and objectives. Short bursts of 10 to 30 minutes are common, but sustained campaigns targeting critical infrastructure can run for 24 hours or longer.

What is the difference between volumetric DDoS attacks and botnets?

Think of it this way: botnets are the weapon, and volumetric DDoS attacks are what happens when that weapon fires. Attackers use botnets (networks of compromised devices) to generate the massive traffic floods that define a volumetric attack.

How does a CDN help defend against volumetric DDoS attacks?

A CDN absorbs volumetric DDoS traffic by spreading it across a global network of Points of Presence, so no single server or link gets overwhelmed. Because the attack volume splits across dozens or hundreds of nodes at once, even terabit-scale floods get diluted before they can saturate your infrastructure.

Are small businesses at risk from volumetric DDoS attacks?

Yes, small businesses are just as vulnerable. Attackers don't discriminate by company size, and botnets can flood any internet-facing service regardless of how much traffic it normally handles. If anything, smaller organizations are easier targets because they're less likely to have dedicated DDoS protection in place.

