Not all DDoS attacks are the same. They differ in what resource they target, how they're detected, and how they're mitigated. Knowing the attack type in the first 5 minutes of an incident determines which mitigation actions to prioritize.
Volumetric Attacks (L3/L4)
Goal: exhaust bandwidth. Weapon: raw packet volume. These attacks aim to fill your internet link with more traffic than it can carry. Detection: bandwidth spike, PPS spike. Mitigation: upstream scrubbing, null routing, rate limiting at the transit level.
- UDP floods, ICMP floods, DNS/NTP/Memcached amplification attacks.
- Can reach terabits per second using reflection/amplification.
- Akarguard absorbs these upstream — your pipe never saturates.
Protocol Attacks (L3/L4)
Goal: exhaust server/firewall state tables or processing capacity. Weapon: malformed packets or exploited protocol behavior. Detection: CPU spike, connection table exhaustion, ICMP unreachable storms. Mitigation: SYN cookies, state table tuning, packet filtering.
- SYN floods, fragmented packet attacks, Ping of Death (legacy), Smurf attacks.
- Can take down a server with relatively modest bandwidth.
- Stopped at the proxy layer before reaching your origin.
Application Layer Attacks (L7)
Goal: exhaust server compute or application logic. Weapon: valid HTTP requests targeting expensive operations. Detection: CPU/DB spike, increased error rates, normal-looking traffic with high backend load. Mitigation: behavioral analysis, rate limiting, CAPTCHA/JS challenges.
- HTTP floods, Slowloris, cache-busting, credential stuffing, GraphQL abuse.
- Require application awareness to detect — network-level filtering misses them.
- Akarguard's L7 detection model identifies and blocks these at the proxy.
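
A first-pass triage built on the detection signals listed for each class above. This is an added example, not Akarguard code; the metric names, thresholds and sample numbers are assumptions to be tuned against your own baseline.

```python
from dataclasses import dataclass

@dataclass
class Snapshot:                 # field names are assumptions, not a real API
    link_util: float            # fraction of transit link in use (0..1)
    pps: float                  # packets per second at the edge
    conn_table_util: float      # fraction of firewall/server state table in use
    backend_cpu: float          # origin CPU/DB utilisation (0..1)
    error_rate: float           # fraction of responses that are errors

MITIGATIONS = {                 # taken from the three sections above
    "volumetric": ["upstream scrubbing", "null routing", "transit-level rate limiting"],
    "protocol": ["SYN cookies", "state table tuning", "packet filtering"],
    "application": ["behavioral analysis", "rate limiting", "CAPTCHA/JS challenges"],
}

def triage(now: Snapshot, base: Snapshot):
    """Return (attack_class, matched_signals, mitigations); class is 'none' if quiet."""
    # Thresholds below are illustrative assumptions.
    pps_spike = now.pps >= 5 * max(base.pps, 1.0)
    link_full = now.link_util >= 0.85
    table_full = now.conn_table_util >= 0.90
    backend_hot = now.backend_cpu >= 0.85
    errors_up = now.error_rate >= max(0.05, 5 * base.error_rate)
    # L7 floods look like normal traffic: only count them when L3/L4 is quiet.
    quiet_net = not (pps_spike or link_full or table_full)
    signals = {
        "volumetric": {"bandwidth spike": link_full, "PPS spike": pps_spike},
        "protocol": {"connection table exhaustion": table_full,
                     "PPS spike on an unsaturated link": pps_spike and not link_full},
        "application": {"high backend load, normal-looking traffic": backend_hot and quiet_net,
                        "increased error rates": errors_up and quiet_net},
    }
    # Listed in priority order; max() keeps the first class on a tie.
    ranked = [(cls, [s for s, seen in sig.items() if seen]) for cls, sig in signals.items()]
    cls, hits = max(ranked, key=lambda r: len(r[1]))
    if not hits:
        return "none", [], []
    return cls, hits, MITIGATIONS[cls]

if __name__ == "__main__":
    # Constructed sample: modest bandwidth, but the state table is nearly full.
    baseline = Snapshot(0.20, 50_000, 0.15, 0.30, 0.002)
    incident = Snapshot(0.30, 300_000, 0.98, 0.40, 0.03)
    print(triage(incident, baseline))
```

The class with the most matched signals wins, so a saturated link with a PPS spike is reported as volumetric even if backend load is also high.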