DDoS Protection: How It Works and What You Need

In the fourth quarter of 2024, Cloudflare blocked a DDoS attack of 5.6 terabits per second, the largest ever measured. For comparison: an average enterprise internet connection has a capacity of 500 megabits to 1 gigabit per second. An attack like this flattens everything that isn't specifically built for this type of volumetric assault.

The NBIP, the Dutch organisation behind the national DDoS scrubbing service NaWas, mitigated almost 2,000 DDoS attacks for its participants in 2024. In the third quarter alone, that was 688 attacks, a 60 percent increase compared to the previous quarter. The attacks are not only getting larger, they're also getting more complex.

But what exactly is a DDoS attack, how does protection against it work, and what do you need?

What is a DDoS attack?

DDoS stands for Distributed Denial of Service. An attacker sends traffic from tens, hundreds, or millions of compromised systems (a botnet) to a single target simultaneously. The target becomes overloaded and can no longer process legitimate requests. The service goes down.

The difference from a regular DoS attack (Denial of Service) is the scale. A DoS attack comes from a single system. A DDoS attack comes from a distributed network of systems, hence the D. That distribution makes it harder to block: you can't just block a single IP address and be done.

There are three main types of attacks:

Volumetric attacks

The goal is simple: saturate the bandwidth. The attacker sends more traffic than your internet connection can handle. Typical examples are UDP floods, ICMP floods, and DNS amplification. In amplification attacks, a small request is converted into a large response directed at the target. DNS amplification can magnify traffic by a factor of 50 to 70: the attacker sends 1 Mbps, the target receives 50 to 70 Mbps.

Protocol attacks

These attacks target vulnerabilities in network protocols. The SYN flood is the best-known example: an attacker sends a large number of TCP connection requests (SYN packets) without ever completing the connection. The server reserves memory for each half-open connection until the system becomes saturated.
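On a Linux server, the half-open connections described above show up as sockets in the SYN_RECV state. The following added example (not code from this article) counts them per listening port from text in /proc/net/tcp layout; the sample rows, the function names and the threshold of 3 are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SYN_RECV = "03"  # Linux state code for a half-open socket (SYN received, no final ACK)

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed), not a real capture.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000
   1: 0A00000A:01BB 076433C6:C350 01 00000000:00000000
   2: 0A00000A:01BB 0B7100CB:9C40 03 00000000:00000000
   3: 0A00000A:01BB 0C7100CB:9C41 03 00000000:00000000
   4: 0A00000A:01BB 0D7100CB:9C42 03 00000000:00000000
   5: 0A00000A:01BB 0E7100CB:9C43 03 00000000:00000000
   6: 0A00000A:0050 050200C0:D431 03 00000000:00000000
"""


def decode_addr(field):
    """Turn 'HHHHHHHH:PPPP' into (ip, port); assumes IPv4 on a little-endian host."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
    return str(ip), int(hex_port, 16)


def half_open_by_port(proc_net_tcp):
    """Map local port -> list of remote IPs holding a SYN_RECV slot on it."""
    pending = defaultdict(list)
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue
        _, local_port = decode_addr(fields[1])
        remote_ip, _ = decode_addr(fields[2])
        pending[local_port].append(remote_ip)
    return dict(pending)


def flooded_ports(pending, max_half_open=3):
    """Ports whose half-open count exceeds the threshold (threshold is an assumption)."""
    return sorted(p for p, srcs in pending.items() if len(srcs) > max_half_open)


if __name__ == "__main__":
    pending = half_open_by_port(SAMPLE)
    for port, srcs in pending.items():
        print(port, len(srcs), "half-open from", len(set(srcs)), "sources")
    print("over threshold:", flooded_ports(pending))
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE and set the threshold from your own normal half-open count.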

Application layer attacks (Layer 7)

These attacks target the application itself. Examples are HTTP floods that mimic legitimate traffic and Slowloris attacks that keep connections open to exhaust server resources. They are often smaller in volume but harder to detect because they look like regular user traffic.

DDoS attack types: how do they work?

Volumetric: Saturate bandwidth. UDP flood, DNS/NTP amplification. Up to 5.6 Tbps measured in 2024.
Protocol (L3/L4): Exhaust network protocol. SYN flood, Ping of Death. Affects firewalls and load balancers.
Application layer (L7): HTTP flood, Slowloris. Looks like legitimate traffic. Low volume, high impact on servers.

Netherlands 2024 (source: NBIP/NaWas)
~2,000 attacks mitigated
+60% increase Q3 2024
5.6 Tbps largest attack ever (Q4 2024)

Source: NBIP NaWas Annual Report 2024 · Cloudflare DDoS Threat Report Q4 2024

How does DDoS protection work?

DDoS protection works through filtering and absorption. The goal is to detect attack traffic, separate it from legitimate traffic, and block it before it reaches your infrastructure.

Scrubbing centers

Most professional DDoS protection works through scrubbing centers. Your traffic is rerouted to a network of nodes with enormous bandwidth and analysis capacity. That network filters out the attack traffic and forwards only clean traffic to your server.

The Dutch NaWas (National Washing Service) from NBIP works on this principle. Participating ISPs and networks can redirect traffic to NaWas as soon as an attack starts. The scrubbing service filters the traffic and returns it clean. This is a cooperative model for the Dutch internet market.

Cloudflare, Akamai, AWS Shield Advanced, and similar services apply the same principle commercially through their worldwide networks of datacenters (Points of Presence). These networks have hundreds of terabits per second in absorption capacity combined, enough to handle even the largest known attacks.

BGP rerouting

For large volumetric attacks, BGP rerouting (Border Gateway Protocol) is used. Your IP addresses are rerouted at the routing level through the scrubbing network. This can be activated within minutes but requires coordination with your internet provider or a managed mitigation provider.

Rate limiting and traffic shaping

At the application level, rate limiting can help with Layer 7 attacks. Limit the number of requests per IP address per time unit. This addresses automated attacks coming from many IP addresses but sending relatively few requests per address.

A Web Application Firewall (WAF) with DDoS rules goes a step further. It analyses the traffic pattern, compares it against known attack signatures, and can block or challenge suspicious requests (via CAPTCHA or JavaScript challenge).
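A sketch of the per-IP limit and the block-or-challenge decision described in this section, as an added example that is not code from this article or from any WAF product. The class name, the 10-second window and the thresholds of 20 and 50 requests are assumptions, and the traffic is constructed.

```python
from collections import Counter, defaultdict, deque


class PerIpLimiter:
    """Sliding-window request counter per client IP with allow/challenge/block tiers."""

    def __init__(self, window_s=10.0, challenge_at=20, block_at=50):
        self.window_s = window_s
        self.challenge_at = challenge_at
        self.block_at = block_at
        # maxlen caps memory per IP: a flooding client cannot grow its own queue.
        self.hits = defaultdict(lambda: deque(maxlen=block_at + 1))

    def decide(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.window_s:   # drop hits older than the window
            q.popleft()
        q.append(now)
        if len(q) > self.block_at:
            return "block"
        if len(q) > self.challenge_at:
            return "challenge"      # e.g. hand off to a CAPTCHA or JavaScript challenge
        return "allow"

    def prune(self, now):
        """Forget idle IPs so a many-source flood cannot grow the table forever."""
        idle = [ip for ip, q in self.hits.items() if not q or now - q[-1] >= self.window_s]
        for ip in idle:
            del self.hits[ip]
        return len(idle)


def replay(events, limiter):
    """Feed (timestamp, ip) events in time order; return per-IP decision counts."""
    outcome = defaultdict(Counter)
    for ts, ip in sorted(events):
        outcome[ip][limiter.decide(ip, ts)] += 1
    return {ip: dict(c) for ip, c in outcome.items()}


# Constructed traffic: one visitor at 1 request/s, one client at 20 requests/s.
VISITOR = [(float(t), "198.51.100.7") for t in range(30)]
FLOODER = [(i * 0.05, "203.0.113.9") for i in range(100)]

if __name__ == "__main__":
    print(replay(VISITOR + FLOODER, PerIpLimiter()))
```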

What do you need?

The right protection depends on your risk profile and the nature of your services.

Small websites and applications

If you're running a business website or small application without critical availability requirements, a CDN with basic DDoS protection (Cloudflare Free/Pro, BunnyCDN) combined with rate limiting on your web server is sufficient. This handles most automated attacks fired at random targets.

Critical applications and e-commerce

If availability directly affects revenue or service delivery, you want more serious mitigation: Cloudflare Business or Enterprise, Akamai, Imperva, or comparable services. These offer specific rules for application layer attacks, better protection against advanced botnets, and higher SLAs on mitigation time.

Critical infrastructure and datacenter

For networks with their own IP ranges, a managed DDoS mitigation service at the network level is necessary. This combines BGP rerouting, scrubbing center capacity, and 24/7 monitoring. In the Netherlands, connecting to NaWas through your provider is an effective option.

Choosing DDoS protection: by risk profile

Low risk (business website): CDN with basic DDoS filtering (Cloudflare Free), rate limiting on web server, uptime monitoring
Medium-high risk (e-commerce / SaaS): Cloudflare Pro/Business or equivalent, WAF with DDoS rules, Layer 7 protection, automatic mitigation, SLA on response time
High risk (critical infrastructure / government): Managed DDoS mitigation service with BGP rerouting, scrubbing center (NaWas/Akamai/Cloudflare Enterprise), 24/7 SOC monitoring, multi-homing

Source: NCSC Factsheet DDoS Protection · Digital Trust Center · NBIP

Preparation: before the attack starts

DDoS protection is not something you enable when the attack has already started. At that point, it's too late for configuration changes and contracts. Preparation is key.

Make sure you have a DDoS response plan. Who gets called when the site is unreachable? Who has access to the mitigation service? What are the escalation procedures? This doesn't need to be an extensive document, but the answers should be documented before they're needed.

Test your mitigation. Many professional DDoS protection services offer simulations or are willing to perform a controlled test. That way you know if the rerouting works and how quickly it can be activated.

Monitor your baseline. If you don't know what normal traffic looks like, you'll recognize an attack late. Establish a baseline of your normal traffic patterns and configure alerts for significant deviations.
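One way to turn the baseline advice into an alert, as an added example that is not code from this article: a rolling median over requests per minute, with the median absolute deviation (MAD) as the spread. The function names, the 30-minute window, the factor k=6, the MAD floor and the traffic series are all constructed assumptions.

```python
from statistics import median

MAD_TO_SIGMA = 1.4826  # scales the median absolute deviation to a standard deviation


def find_spikes(per_minute, window=30, k=6.0, min_mad=5.0):
    """Return (minute, count, baseline) for minutes far above the rolling baseline."""
    history = list(per_minute[:window])        # warm-up period, assumed attack-free
    spikes = []
    for minute in range(window, len(per_minute)):
        count = per_minute[minute]
        baseline = median(history)
        # Floor the spread so a very flat baseline does not alert on tiny changes.
        mad = max(median(abs(x - baseline) for x in history), min_mad)
        if count > baseline + k * MAD_TO_SIGMA * mad:
            spikes.append((minute, count, baseline))
            continue                           # keep attack minutes out of the baseline
        history.pop(0)
        history.append(count)
    return spikes


def normal_minute(i):
    """Constructed 'normal' load cycling through 100, 107 and 114 requests per minute."""
    return 100 + (i * 7) % 21


# Constructed series: 40 normal minutes, a 5-minute flood, then 10 normal minutes.
SERIES = ([normal_minute(i) for i in range(40)]
          + [900, 1500, 1400, 1200, 950]
          + [normal_minute(i) for i in range(45, 55)])

if __name__ == "__main__":
    for minute, count, baseline in find_spikes(SERIES):
        print(f"minute {minute}: {count} req/min vs baseline {baseline:.0f}")
```

Because flagged minutes are not added to the history, a sustained flood cannot raise the baseline and silence its own alert.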

The bottom line

DDoS attacks are no longer the domain of hacktivists and nation-state actors. They're a commodity: botnets are available for hire for a few euros per hour and are deployed by competitors, organized crime, and script kiddies. The barrier to launching an attack is low. The barrier to being protected doesn't have to be.

The basic principles are consistent: filter attack traffic as close to the source as possible, ensure sufficient absorption capacity, and have a clear response plan. For most organisations, a CDN with DDoS protection is the first step. For organisations with critical availability requirements, a managed mitigation service with scrubbing center is the right choice.

And for Dutch networks: check if your internet provider is connected to NaWas. That's a cost-effective way to absorb volumetric attacks at the network level.
