What are DDoS and DoS attacks?
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt online services by flooding them with massive amounts of traffic from multiple sources.
In this article:
As shown in Radware's 2026 Global Threat Analysis Report, DDoS attacks continued to grow in scale and frequency throughout 2025. Attackers increasingly combined automated tools, AI-driven bots, and short-lived multi-vector attacks to overwhelm networks, applications, and APIs:
- Network-layer DDoS attacks increased 168.2% year over year.
- Peak network attack volumes reached nearly 30 Tbps.
- The average organization experienced more than 25,351 network-layer attacks in the second half of 2025.
- Organizations faced an average of 139 DDoS attacks per day.
- The technology sector accounted for 45% of all network-layer DDoS attacks, up from 8.77% in 2024.
- North America represented 63.1% of all network-layer DDoS attacks globally.
- Web DDoS attacks targeting applications increased 101.4% compared to 2024.
- 94.4% of Web DDoS attacks stayed below 100,000 requests per second, showing a shift toward smaller but more persistent attacks.
- Most high-impact Web DDoS attacks lasted less than 60 seconds, reducing the effectiveness of manual mitigation.
- The APAC region saw Web DDoS attacks surge 485% year over year.
- Malicious web application and API attacks increased 128% year over year.
- Vulnerability exploitation accounted for 41.8% of application-layer attacks, reaching nearly 58% in Q4 2025.
- Bad bot activity grew 91.8%, driven by generative AI and automated attack tools.
- In the first half of 2025 alone, bad bot traffic reached 89.2% of the total volume recorded during all of 2024.
- Europe accounted for 48.4% of all claimed hacktivist attacks.
- The hacktivist group NoName057(16) claimed 4,693 attacks in 2025, making it the most active group tracked in the report.
Volumetric Attacks
Volumetric attacks aim to consume all available bandwidth between the target and the internet. Attackers generate extremely large amounts of traffic, making the service unreachable for legitimate users.
These attacks often rely on botnets made up of compromised devices such as servers, routers, IoT devices, and personal computers. Attackers may also use amplification techniques that abuse public internet services to multiply traffic volumes.
Common volumetric attacks include:
- UDP floods
- ICMP floods
- DNS amplification attacks
- NTP amplification attacks
- Memcached amplification attacks
Volumetric attacks are typically measured in bits per second (bps). Modern attacks can exceed multiple terabits per second and overwhelm network infrastructure within seconds.
Protocol Attacks
Protocol attacks target weaknesses in network and transport layer protocols. Instead of consuming bandwidth alone, they exhaust server resources, firewalls, load balancers, or connection tables.
These attacks abuse how protocols like TCP, IP, and SSL/TLS establish and maintain connections. Even relatively small traffic volumes can disrupt services if infrastructure resources become exhausted.
Common protocol attacks include:
- SYN floods
- ACK floods
- TCP connection exhaustion attacks
- Fragmentation attacks
- Ping of Death attacks
- Smurf attacks
Protocol attacks are usually measured in packets per second (pps). They can impact networking equipment before traffic even reaches the application itself.
Application-Layer Attacks
Application-layer attacks target specific applications, websites, APIs, or services. These attacks mimic legitimate user behavior, making them harder to detect and filter.
Instead of overwhelming bandwidth, attackers focus on exhausting application resources such as CPU, memory, database connections, or backend services. Requests are often carefully crafted to trigger expensive operations on the server.
Common application-layer attacks include:
- HTTP GET floods
- HTTP POST floods
- API request floods
- Slowloris attacks
- DNS query floods
- Login and search request abuse
Application-layer attacks often require fewer requests than network-layer attacks because each request consumes more server resources. Attackers increasingly use AI-driven bots and distributed automation to make traffic appear legitimate and bypass traditional defenses.
Common DDoS attack tools include tools for IP address spoofing, Ping of Death, ICMP, UDP flood and DNS flood attack, amplification attacks, TCP SYN flood, HTTP flood, reflection attacks, volumetric attacks, and connection-based attacks.
DDoS attack tools are used by attackers to exploit vulnerable networks, systems, and applications, usually for financial gain or political motivation. They can range from simple scripts that target a single server to sophisticated bots and botnets. DDoS attack tools are designed to flood victim's systems with excessive amounts of traffic from multiple sources.
Amplification attacks are one of the most common types of DDoS attacks and leverage vulnerable network protocols to amplify the amount of traffic sent to a target service or device. In an amplification attack, the attacker sends out a small query.
1. LOIC
Low Orbit Ion Cannon (LOIC) is an open-source network stress tool written in C# that sends high volumes of TCP, UDP, or HTTP packets to a target server. It is based on Praetox's original LOIC project and is intended for educational purposes to help server owners develop a defensive security posture. Despite this framing, it has been widely used in coordinated attack campaigns.
- Attack methods supported: TCP floods, UDP floods, and HTTP request floods, configurable by the user
- Hivemind mode: LOIC can connect to an IRC server to be controlled remotely, functioning as a voluntary botnet that allows a central operator to direct multiple instances simultaneously
- Hidden mode: Can be run without a visible graphical interface when operating in Hivemind mode
- Platform: Runs on Windows via the .NET Framework and on Linux and macOS via Mono or Wine
- Coordination dependency: Requires multiple users running the tool simultaneously to generate meaningful attack volumes against hardened targets
2. HOIC
High Orbit Ion Cannon (HOIC) is an open-source tool developed by the hacktivist group Anonymous as a successor to LOIC, designed to launch HTTP-based DoS and DDoS attacks. It provides a simple, user-friendly interface and can be activated with minimal technical skill.
- Attack method: Operates via HTTP flood attacks, sending large volumes of HTTP GET and POST requests to overwhelm a target server's request-handling capacity
- Multi-target capability: Can target up to 256 sites simultaneously, enabling coordinated attacks across multiple domains and subdomains
- Booster scripts: Supports custom booster scripts that help vary request patterns and evade detection mechanisms
- Anonymization: Users frequently combine HOIC with proxies to obscure their geographic location and identity
- Coordination requirement: A significant attack typically requires around 50 users launching the tool against the same target simultaneously
3. Mirai and Variants
Mirai is a botnet malware family that targets internet-connected devices, primarily IoT equipment, to build large-scale distributed networks capable of launching volumetric DDoS attacks. It has a history of executing massive DDoS attacks, including a major incident that disrupted a significant portion of internet infrastructure in the United States. Its source code has been publicly leaked, spawning numerous variants.
- Infection workflow: Mirai scans for potential targets via SYN port probing and brute-force authentication, then uses a loader to deploy architecture-specific malware binaries onto vulnerable devices
- Target devices: Primarily focuses on IoT appliances such as cameras, alarm systems, and personal routers, which historically have weak vendor security and receive less attention from consumers
- Self-concealment: Once running, Mirai deletes itself from the file system, removes itself from the running process list, and randomizes its process name to avoid detection
- Competition blocking: Mirai identifies and terminates processes associated with competing botnets to consolidate control of infected systems
- Ongoing evolution: Recent variants exploit known web vulnerabilities to deliver malware payloads, and the increasing use of AI and machine learning by attackers has lowered the barrier for launching Mirai-style attacks
4. Slowloris
Slowloris is a low-bandwidth denial-of-service tool that exhausts a web server's connection capacity by opening many simultaneous partial HTTP connections and keeping them open indefinitely. Unlike bandwidth-consuming reflection-based attacks, it uses a minimal amount of bandwidth and instead aims to exhaust server resources with requests that mimic slow but legitimate traffic.
- Attack mechanism: Opens numerous connections to a target by sending partial HTTP request headers, then periodically sends additional header fragments to prevent the server from timing out the connections
- Resource exhaustion: Each server thread waits for the slow request to complete, which never occurs; once all available threads are occupied, the server cannot respond to legitimate traffic
- Single-machine capability: Designed to allow a single machine to disable a server without requiring large amounts of traffic or a botnet
- Detection evasion: Because traffic volumes remain low and individual requests superficially resemble legitimate slow connections, many volumetric detection systems do not flag Slowloris activity
5. R.U.D.Y
R.U.D.Y. (R-U-Dead-Yet?) is a slow-rate denial-of-service tool that gradually exhausts web server resources by holding open connections through artificially prolonged HTTP POST submissions. The tool first emerged in hacking forums around 2010 and implements a low and slow DDoS approach, opening a relatively small number of connections over an extended period and keeping those sessions open as long as possible.
- Attack mechanism: Scans target websites for web forms, then sends POST requests with a Content-Length header indicating a very large payload, but transmits the data one byte at a time with roughly 10-second delays between each byte
- Connection persistence: The inflated Content-Length value tricks the server into maintaining open connections indefinitely while waiting for data that never fully arrives, eventually exhausting connection resources
- Evasion enhancements: Newer variants support randomized transmission intervals and SOCKS proxies to mask the attacker's IP address, and can reuse session cookies to more closely resemble legitimate user behavior
- Persistence: Connections re-initiate whenever they time out, allowing attacks to continue for days or weeks
- Ongoing availability: The R.U.D.Y. source code has leaked online, making it accessible to unskilled attackers, and DDoS-as-a-service platforms have further lowered the barrier to its use
6. PyLoris
PyLoris is a scriptable Python-based tool for testing server vulnerability to connection-exhaustion denial-of-service attacks, implementing the Slowloris method. It creates a large number of full TCP connections and keeps them open, causing services to hit the upper limit of their maintained connections.
- Attack method: Uses the Slowloris technique of holding open many simultaneous TCP connections to exhaust server-side connection limits rather than hardware resources
- Scripting API: Includes a scripting interface that allows users to build and run prepackaged attack configurations
- Graphical interface: Provides a GUI in addition to command-line operation, lowering the technical barrier for use
- Protocol flexibility: Features a protocol-agnostic request builder, allowing it to target services beyond standard HTTP
- Broad compatibility: Runs on Windows, Linux, and macOS with a Python 2.x runtime dependency
7. Tor's Hammer
Tor's Hammer is a Layer 7 DDoS tool that targets web and application servers using slow-rate HTTP POST requests delivered within persistent HTTP sessions. It initiates and executes attacks by sending HTTP POST requests at a slow rate, typically between 0.5 and 3 seconds per request, during the same HTTP session.
- Attack mechanism: Floods target servers with incomplete HTTP POST requests, causing connection threads to wait indefinitely for request completion, which exhausts the server's connection-handling resources
- Anonymization via Tor: Supports routing attack traffic through the Tor network using a native SOCKS proxy, enabling attacks to originate from randomized source IP addresses that are difficult to trace
- Result: Web and application servers enter a denial-of-service state for new connections from legitimate traffic as their thread pools become fully occupied
8. HULK
HULK (HTTP Unbearable Load King) is a web server denial-of-service tool that generates high volumes of unique HTTP GET requests to overwhelm a target server's request-handling capacity. Originally written in Python by Barry Shteiman, it has since been ported to Go, where goroutines replace traditional threading to allow for a significantly higher connection pool on the same hardware.
- Obfuscation technique: Generates requests with randomized headers, user agents, and referrers to make traffic appear varied and reduce the effectiveness of signature-based filtering
- Connection pooling: The Go implementation uses lightweight goroutines rather than individual threads, allowing it to sustain a much larger number of concurrent connections with lower resource overhead
- Configuration: Connection pool size is configurable via environment variables, with a default limit of 1,024 concurrent connections
- Target: Designed specifically against web servers and web applications at the application layer
9. GoldenEye
GoldenEye is an HTTP denial-of-service testing tool that works by keeping many simultaneous connections open to a target web server, similar in concept to Slowloris but operating via complete HTTP requests. It uses a combination of HTTP keep-alive directives and randomized request parameters to occupy server connections.
- Attack method: Sends HTTP GET and POST requests with keep-alive headers to maintain open connections, exhausting the server's available connection pool
- Header randomization: Generates random user-agent strings, referrer values, and other headers to make requests appear to come from varied legitimate browsers
- Python-based: Written in Python, making it straightforward to run across platforms with a standard Python installation
10. MHDDoS
MHDDoS is a Python-based attack script that consolidates a large number of Layer 4 and Layer 7 attack methods into a single tool, supporting both network-layer floods and application-layer techniques. Its repository notes that it should not be used against websites without the owner's consent.
- Method breadth: Supports over 50 attack methods, including GET and POST floods, Slowloris, SYN floods, UDP floods, ICMP floods, and multiple amplification techniques such as DNS, NTP, Memcached, and CLDAP amplification
- Bypass capabilities: Includes methods specifically designed to attempt to bypass protections from major providers, as well as CAPTCHA bypass techniques
- Proxy support: Integrates proxy list management to distribute attack traffic across many source addresses, complicating attribution and mitigation
- Tooling utilities: Includes auxiliary tools for DNS record lookup, connectivity checks, and traffic statistics display
- Containerization: Supports Docker-based deployment for rapid setup on virtual private servers
Traditional security measures such as firewalls with ACLs and static signature based protections are not enough to protect against sophisticated DDoS attacks. Many of these attacks target applications and services at the application layer (Layer 4-7) of the OSI model, exploiting non-firewall protected services such as HTTP, FTP, and SMTP.
Attacks that consume resources of stateful devices that need to maintain information and the state of each client connection require solutions to minimize allocated resources as close to completion of the three-way handshake.
One of the most important steps in mitigating against DDoS attack threats is to ensure that all networks and systems are regularly updated and patched with the latest security updates.
Best practices for security networks and applications include changing passwords frequently, regularly scanning for vulnerabilities and patching any vulnerabilities that are found, deploying anti-malware, DDoS protection solutions and services, and deploying web application firewalls (WAFs) with up-to-date access control lists.
Tools that provide real-time monitoring capabilities for detecting malicious requests or data before they reach your application or service are desirable so that you can take action quickly to mitigate any potential damage.
Radware DDoS protection (DefensePro, Cloud DDoS Protection Service) and application delivery (Alteon) solutions mitigate network and application DDoS attacks by using approaches that block attacks without impacting legitimate traffic. By using machine-learning and behavioral-based algorithms, Radware can understand what constitutes a legitimate behavior profile and then automatically block malicious attacks. This increases protection accuracy while minimizing false positives.