
DDoS Attack Types & How Radware Mitigates Them — Volumetric, Protocol & Application-Layer

DDoS attacks come in three families that hit different layers — bandwidth-saturating volumetric floods, state-exhausting protocol attacks, and resource-draining application-layer (L7) requests. No single defence covers all three, so real attacks are multi-vector. This lesson maps each attack type to the exact Radware mechanism — Behavioral-DoS, real-time signatures, SYN cookies, rate limiting, L7 challenge and TLS fingerprinting — that stops it in seconds.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live attack demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide (2026) to the three DDoS attack families — volumetric (UDP/ICMP floods and DNS/NTP/memcached amplification), protocol/state-exhaustion (SYN, ACK, fragment floods) and application-layer L7 (HTTP floods, Web DDoS Tsunami, Slowloris, DNS query floods) — and exactly how Radware DefensePro and Cloud DDoS Protection stop each with Behavioral-DoS, real-time signatures, SYN cookies, rate limiting, L7 challenge and TLS fingerprinting.


Pick where you want to start

1. Three families: volumetric vs protocol vs application-layer, by layer.
2. Volumetric & amplification: UDP/ICMP floods and DNS/NTP/memcached amplification.
3. Protocol & L7: SYN/ACK/fragment, HTTP floods, Slowloris, DNS query.
4. How Radware stops it: Behavioral-DoS, SYN cookies, L7 challenge, scrubbing.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does one defence stop volumetric, protocol and L7 attacks equally well?

Answered in Three families.

2. What makes memcached amplification so dangerous?

Answered in Volumetric & amplification.

3. How does Slowloris bring a server down at almost no bandwidth?

Answered in Protocol & application-layer.

Most engineers think…

Most people picture DDoS as 'a huge flood of traffic that fills your internet pipe'. That mental model only describes one of three families and will trip you up in an interview and in the SOC.

DDoS attacks fall into three families that hit different layers: volumetric floods saturate bandwidth at L3/4, protocol attacks exhaust stateful resources like connection tables, and application-layer (L7) attacks drain web and app server resources with seemingly legitimate requests at tiny bandwidth. Because no single defence covers all three, modern attacks are usually multi-vector. Radware DefensePro and Cloud DDoS Protection answer each layer with a different mechanism — and understanding that mapping is exactly what lets you read an attack, pick the right control, and stop a zero-day flood in seconds without blocking real users.

① The three DDoS families — by layer and by target

The single most important idea: DDoS is not one attack. It is three families that hit different layers and exhaust different resources. Get the family right and the defence almost picks itself.

Volumetric attacks (L3/4) aim at one thing — bandwidth saturation. UDP and ICMP floods, plus reflection/amplification, blast packets until the pipe is full. Protocol / state-exhaustion attacks (L3/4) target the state tables of servers, firewalls and load balancers — SYN floods leave half-open connections, ACK and fragment floods waste reassembly and stateful resources. Application-layer (L7) attacks target web and app server logic with legitimate-looking requests — HTTP floods, Slowloris and DNS query floods.

The interview line: because each family attacks a different resource, no single control stops all three, and real-world attacks combine vectors. You need bandwidth defence, state-exhaustion defence and L7 defence working together.

Figure 1 — Three DDoS families, three targets
Each family attacks a different resource, so no single control stops all three — real attacks combine them.
Panels: Volumetric (L3/4): saturate bandwidth (UDP/ICMP floods, amplification) · Protocol / state (L3/4): exhaust state tables (SYN, ACK, fragment floods) · Application-layer (L7): drain app resources (HTTP flood, Slowloris, DNS query)
Quick check · Q1 of 10 · Understand

Why does no single control stop every DDoS attack?

Correct: a. Volumetric floods saturate bandwidth, protocol attacks exhaust state tables, and L7 attacks drain app resources. Different targets need different controls, which is why real attacks are multi-vector.
👉 So far: DDoS has three families — volumetric (saturate bandwidth), protocol (exhaust state tables) and application-layer (drain app resources). No single control stops all three, so real attacks are multi-vector.

② Volumetric & amplification — small requests, terabit floods

Volumetric attacks win by sheer volume. Plain UDP and ICMP floods simply send huge packet rates to exhaust pipe capacity. The frightening multiplier is reflection/amplification: the attacker spoofs the victim's source IP and queries open servers, which then send oversized replies to the target.

The amplification factors you must name

DNS amplification runs about 10–50x. NTP MONLIST (CVE-2013-5211) returns the last 600 client IPs for roughly 556.9x. memcached on UDP port 11211 is the monster — a 203-byte request can trigger a ~100 MB reply, around 50,000x, which powered the 2018 GitHub ~1.3 Tbps attack.

Radware answer: behavioral detection flags volume and rate anomalies, DefensePro auto-generates a real-time signature characterising the flood, and rate limiting kicks in — while volumes beyond the local pipe divert to Radware cloud scrubbing centers.

Figure 2 — How reflection & amplification works
The attacker spoofs the victim's IP so open servers send oversized replies to the target — small request, huge flood.
Panels: Spoof IP (fake victim source IP) → Small query (to open DNS/NTP/memcached) → Amplify (DNS 50x · NTP 556x · memcached ~50,000x) → Flood target (oversized replies hit the victim)
Amplification factor
Ratio of reflected response size to attacker request size — about 50x for DNS, 556x for NTP MONLIST and ~50,000x for memcached on UDP 11211.

Half-open connection
A TCP session stuck after SYN/SYN-ACK with no final ACK. SYN floods pile these up to exhaust the server's backlog; SYN cookies defeat them.

Behavioral-DoS (BDoS)
Radware's baseline-learning engine that detects unknown/zero-day floods and auto-generates a real-time signature — often in under ten seconds.

Web DDoS Tsunami
An encrypted, randomised HTTPS flood designed to evade rate-based L7 defences — blocked by behavioral TLS fingerprinting without decryption.

Reflection always spoofs the victim's IP

The whole trick of amplification is that the attacker forges the victim's source IP, so open DNS/NTP/memcached servers send their oversized replies straight to the target. In an interview, say 'spoofed victim IP plus a high amplification factor' and you have nailed it.

Quick check · Q2 of 10 · Remember

memcached amplification abuses which UDP port, and why is it so dangerous?

Correct: c. memcached listens on UDP 11211 by default. A ~203-byte spoofed request can trigger a ~100 MB reply (~50,000x), which fueled the 2018 GitHub ~1.3 Tbps attack.
👉 So far: Volumetric = sheer volume. Reflection/amplification spoofs the victim's IP: DNS ~10–50x, NTP MONLIST ~556x, memcached on UDP 11211 ~50,000x — which powered the 2018 ~1.3 Tbps GitHub attack.

③ Protocol & application-layer — bandwidth-light, resource-deadly

These families barely move the bandwidth needle, yet they take services down. Protocol / state-exhaustion attacks abuse how stateful devices track connections. A SYN flood sends spoofed TCP SYNs; the server allocates a half-open connection for each and waits for a final ACK that never comes, exhausting the backlog. ACK floods and fragmented-packet attacks waste reassembly and stateful resources on firewalls and load balancers.

Application-layer (L7)

HTTP/HTTPS floods send valid-looking GET/POST requests to overwhelm app and database tiers. Web DDoS 'Tsunami' floods use encrypted, randomised requests to evade rate rules. Slowloris opens many connections and sends partial headers slowly to tie up every server thread at very low bandwidth — volume alarms stay quiet while threads silently fill. DNS query floods swamp DNS servers with unique lookups.

The interview line: watch the right meter. If bandwidth is flat but connections or request anomalies spike, you are looking at protocol or L7 — not a volumetric flood.

Figure 3 — Protocol vs application-layer attacks
Both are bandwidth-light but resource-deadly — read the right meter to tell them apart.
Panels: Protocol (L3/4): SYN flood (half-open backlog), ACK & fragment floods, exhausts state tables, spoofed packets with low payload · Application-layer (L7): HTTP/HTTPS floods, Web DDoS Tsunami (encrypted), Slowloris (slow partial headers), DNS query floods
The 'all DDoS is a bandwidth flood' under-read

If you only watch bits-per-second you will miss SYN floods and Slowloris entirely — they barely register on bandwidth. Always check connection-table and request-rate anomalies too, or you will declare 'all clear' while the service is down.

Quick check · Q3 of 10 · Apply

A web server shows thousands of open connections, near-zero bandwidth and a very low request rate. Which attack is this?

Correct: d. Slowloris holds many connections open with slow partial HTTP requests, tying up threads at tiny bandwidth. Volume alarms stay flat while the connection table fills — exactly this signature.
👉 So far: Protocol (SYN/ACK/fragment) exhausts state tables; L7 (HTTP floods, Web DDoS Tsunami, Slowloris, DNS query) drains app resources. Both are bandwidth-light — watch connections and request anomalies, not just bits-per-second.

④ How Radware mitigates each layer — the mechanism per family

Radware maps a specific mechanism to each family. Volumetric: behavioral baselining flags rate/volume deviations, DefensePro synthesises a real-time signature (often under 10 seconds) and applies rate limiting; overflow diverts to cloud scrubbing. Protocol: SYN Protection with SYN cookies answers SYNs statelessly and only allocates state after a completed handshake. Application-layer: L7 behavioral analysis profiles normal request patterns, challenge/authentication weeds out bots, and behavioral TLS/HTTPS fingerprinting blocks encrypted floods without decryption; per-source connection and request limits kill slow-and-low attacks like Slowloris.
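The stateless SYN-cookie handshake that the protocol-layer mechanism relies on, as an added Python illustration (not Radware's or DefensePro's code; the lesson does not show product internals). The HMAC key, the 64-second epoch and the TEST-NET addresses are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"   # assumption: a real stack uses a random per-boot key
COOKIE_PERIOD = 64                 # assumption: seconds per cookie epoch; old epochs age out

def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, epoch):
    """Server ISN for the SYN-ACK: an HMAC over the 4-tuple, client ISN and epoch.
    Top 5 bits carry the epoch, low 27 bits the MAC, so the SYN-ACK on the wire
    is the only record of the pending handshake."""
    msg = struct.pack("!4sH4sHII", socket.inet_aton(src_ip), src_port,
                      socket.inet_aton(dst_ip), dst_port,
                      client_isn & 0xFFFFFFFF, epoch & 0xFFFFFFFF)
    tag = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return ((epoch & 0x1F) << 27) | (tag & 0x07FFFFFF)

class SynCookieListener:
    """Answers every SYN statelessly; allocates state only after a valid final ACK."""
    def __init__(self):
        self.established = {}   # the only per-connection state this listener keeps

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, now):
        # No backlog slot is consumed; the cookie ISN goes out in the SYN-ACK.
        return syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn,
                          int(now // COOKIE_PERIOD))

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
        client_isn = (seq - 1) & 0xFFFFFFFF    # the ACK's seq is client ISN + 1
        server_isn = (ack - 1) & 0xFFFFFFFF    # it acknowledges server ISN + 1
        epoch = int(now // COOKIE_PERIOD)
        for e in (epoch, epoch - 1):           # tolerate one epoch boundary
            if server_isn == syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, e):
                self.established[(src_ip, src_port)] = {"client_isn": client_isn}
                return True
        return False                           # forged, stale or replayed: no state

def demo():
    """Constructed scenario: a spoofed SYN flood, one real client, a forged ACK, a stale ACK."""
    srv, now = SynCookieListener(), 1_000_000.0
    for i in range(10_000):   # spoofed SYNs that never complete the handshake
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, "192.0.2.10", 443, i, now)
    backlog_after_flood = len(srv.established)
    isn = srv.on_syn("203.0.113.5", 50000, "192.0.2.10", 443, 7777, now)
    real_ok = srv.on_ack("203.0.113.5", 50000, "192.0.2.10", 443, 7778, isn + 1, now + 0.1)
    forged_ok = srv.on_ack("203.0.113.9", 50001, "192.0.2.10", 443, 1, 12345, now)
    stale_ok = srv.on_ack("203.0.113.5", 50000, "192.0.2.10", 443, 7778, isn + 1,
                          now + 3 * COOKIE_PERIOD)
    return {"backlog_after_flood": backlog_after_flood, "real_ok": real_ok,
            "forged_ok": forged_ok, "stale_ok": stale_ok, "established": len(srv.established)}

if __name__ == "__main__":
    print(demo())
```

The half-open backlog stays at zero through the flood because nothing is allocated until a valid ACK returns, which is exactly why the SYN flood in Q7 fails against SYN cookies.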

Known vs zero-day

The cross-cutting split: 'DoS Shield' handles known floods via signatures, while Behavioral-DoS (BDoS) handles unknown/zero-day floods — it learns a baseline, detects the anomaly and synthesises a fresh signature automatically, minimising false positives on legitimate traffic.

Figure 4 — One Radware engine, a mechanism per family
DefensePro and Cloud DDoS apply a tailored control to each attack family from one behavioral core.
Panels: DefensePro + Cloud DDoS → real-time signatures · rate limiting · SYN cookies / SYN Protection · L7 challenge / auth · TLS fingerprinting · cloud scrubbing
Figure 5 — Behavioral-DoS — zero-day flood to signature
BDoS learns a baseline, detects the anomaly and synthesises a real-time signature automatically — often in under ten seconds.
Panels: Baseline (learn normal traffic) → Detect (rate/behavior anomaly) → Signature (auto-generated, <10s) → Mitigate (block flood, keep users)

Arjun Mehta, network security engineer at Sankhya Networks, Pune

A customer's e-commerce site is unreachable; the front-end web servers show thousands of open connections but near-zero bandwidth usage and a very low request rate.

Likely cause

A Slowloris L7 attack — many half-sent HTTP requests holding every server thread open — not a bandwidth flood, which is why volumetric counters stay flat.

Diagnosis

In APSolute Vision he sees a spike in concurrent connections-per-source with abnormally long-lived, incomplete HTTP sessions and a behavioral L7 anomaly, while volumetric counters stay flat.

APSolute Vision ▸ DefensePro ▸ device ▸ Network Protection / BDoS & Connection-Limit
Fix

Enable and tighten the Connection Limit and L7 Behavioral (BDoS/HTTP) protections in the policy, set per-source concurrent-connection and request-timeout thresholds, and turn on challenge/authentication for suspicious clients.

Verify

The connection table drains, the auto-generated signature shows blocked offending sources in the attack log, and a synthetic Slowloris test from a lab IP is dropped while normal shoppers load the site.
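The per-source connection-limit and request-timeout logic from the Fix step, run over a constructed connection-table snapshot, as an added Python example (not APSolute Vision or DefensePro code). The thresholds, the snapshot and the addresses are assumptions standing in for the policy values the engineer sets.

```python
import random
from collections import defaultdict

def make_snapshot(seed=7):
    """Constructed connection table: normal shoppers, one client that connected a
    second ago with headers still in flight, and one source holding hundreds of
    stalled partial requests (the Slowloris signature from the case study)."""
    rng = random.Random(seed)
    now = 10_000.0
    conns = []
    for i in range(60):          # normal shoppers: headers complete, short-lived
        conns.append({"src": f"203.0.113.{i % 200 + 1}", "opened_at": now - rng.uniform(0, 5),
                      "headers_complete": True, "bytes_in": rng.randint(400, 2000)})
    for _ in range(3):           # legitimate client on a slow link, 1 s old: must NOT be flagged
        conns.append({"src": "203.0.113.250", "opened_at": now - 1.0,
                      "headers_complete": False, "bytes_in": 60})
    for _ in range(400):         # slow-and-low source: partial headers held for minutes
        conns.append({"src": "198.51.100.77", "opened_at": now - rng.uniform(40, 300),
                      "headers_complete": False, "bytes_in": rng.randint(20, 120)})
    return conns, now

def per_source_verdicts(conns, now, max_conns=50, header_timeout=30.0, min_stalled=10):
    """Flag a source that exceeds the per-source concurrent-connection limit, or that
    holds at least min_stalled connections whose headers are still incomplete after
    header_timeout seconds. Threshold values are assumptions, not Radware defaults."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c["src"]].append(c)
    verdicts = {}
    for src, lst in by_src.items():
        stalled = sum(1 for c in lst
                      if not c["headers_complete"] and now - c["opened_at"] > header_timeout)
        if len(lst) > max_conns or stalled >= min_stalled:
            verdicts[src] = {"conns": len(lst), "stalled": stalled,
                             "action": "challenge source, enforce per-source limit, drop stalled"}
    return verdicts

def meters(conns, now, window=5.0):
    """The 'right meter' reading: many open connections but few completed requests
    and few bytes in the last window is the slow-and-low signature, not a flood."""
    recent = [c for c in conns if now - c["opened_at"] <= window]
    return {"open_connections": len(conns),
            "completed_requests_last_window": sum(1 for c in recent if c["headers_complete"]),
            "bytes_in_last_window": sum(c["bytes_in"] for c in recent)}

def demo():
    conns, now = make_snapshot()
    return {"meters": meters(conns, now), "verdicts": per_source_verdicts(conns, now)}

if __name__ == "__main__":
    print(demo())
```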

Prove mitigation from the attack log, not a hunch

Never close a DDoS ticket on 'traffic looks normal now'. Read the DefensePro attack log: it shows the auto-generated signature, the blocked sources and the attack vector. That single read confirms which family hit you and that it is actually mitigated.

▶ Watch a zero-day volumetric flood get auto-mitigated

How DefensePro stops an unknown flood end-to-end. Press Play for the healthy path, then Break it to see the classic failure.

① Baseline: DefensePro has learned the customer's normal traffic profile over time — bits/sec, packets/sec and protocol mix.
② Anomaly: a spoofed UDP amplification flood arrives; Behavioral-DoS sees the rate and protocol mix deviate sharply from baseline.
③ Signature: BDoS synthesises a real-time signature characterising the flood — source ports, packet size, protocol — in under ten seconds.
④ Mitigate: matching flood packets are dropped and rate-limited; if volume exceeds the on-prem pipe, traffic diverts to cloud scrubbing.
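The four demo steps carried through on constructed traffic, as an added Python example that is not DefensePro's code (Radware does not publish BDoS internals here). The baseline statistics, the k-sigma threshold, the tuple chosen for the signature and the 1-second windows are assumptions.

```python
import random
from collections import Counter
from statistics import mean, pstdev

# Packet record: (proto, src_port, dst_port, length); a window is one second of packets.
def key(p):
    return (p[0], p[1], p[3])   # signature attributes named in step ③: protocol, source port, size

def make_windows(n, seed):
    """Constructed normal traffic: mostly TCP/443 client packets plus DNS replies from port 53."""
    rng = random.Random(seed)
    windows = []
    for _ in range(n):
        w = []
        for _ in range(rng.randint(90, 110)):
            if rng.random() < 0.8:
                w.append(("tcp", rng.randint(1024, 65535), 443, rng.randint(60, 1500)))
            else:
                w.append(("udp", 53, rng.randint(1024, 65535), rng.randint(80, 512)))
        windows.append(w)
    return windows

def learn_baseline(windows):
    """Step ①: packets/sec and protocol mix per window, plus how common each tuple normally is."""
    pps = [len(w) for w in windows]
    udp_share = [sum(p[0] == "udp" for p in w) / len(w) for w in windows]
    return {"pps_mean": mean(pps), "pps_std": max(pstdev(pps), 1.0), "udp_share": mean(udp_share),
            "tuples": Counter(key(p) for w in windows for p in w), "total": sum(pps)}

def detect(window, base, k=5.0):
    """Step ②: alarm only when BOTH the rate and the protocol mix deviate from baseline."""
    udp_share = sum(p[0] == "udp" for p in window) / len(window)
    return (len(window) > base["pps_mean"] + k * base["pps_std"]
            and abs(udp_share - base["udp_share"]) > 0.2)

def synthesise_signature(window, base):
    """Step ③: the tuple that dominates the anomalous window but is rare in the baseline.
    Refusing a tuple common in normal traffic is what keeps real users out of the drop rule."""
    tup, n = Counter(key(p) for p in window).most_common(1)[0]
    if n / len(window) < 0.5 or base["tuples"][tup] / base["total"] > 0.01:
        return None
    return {"proto": tup[0], "src_port": tup[1], "length": tup[2]}

def mitigate(window, sig):
    """Step ④: drop only packets matching the signature; everything else passes."""
    kept = [p for p in window if key(p) != (sig["proto"], sig["src_port"], sig["length"])]
    return kept, len(window) - len(kept)

def demo():
    base = learn_baseline(make_windows(20, seed=1))
    legit = make_windows(1, seed=99)[0]
    rng = random.Random(5)   # constructed reflection-style flood: UDP, one source port, large packets
    flood = [("udp", 11211, rng.randint(1024, 65535), 1400) for _ in range(5000)]
    window = legit + flood
    sig = synthesise_signature(window, base) if detect(window, base) else None
    kept, dropped = mitigate(window, sig) if sig else (window, 0)
    return {"quiet_window_alarms": detect(legit, base), "signature": sig,
            "dropped": dropped, "kept": len(kept), "legit": len(legit)}

if __name__ == "__main__":
    print(demo())
```

Every legitimate packet in the mixed window survives mitigation because the signature is built from attributes the baseline never showed, which is the false-positive point the Known vs zero-day paragraph makes.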
Quick check · Q4 of 10 · Analyze

How does Radware stop a brand-new zero-day flood with no vendor signature available yet?

Correct: b. Behavioral-DoS learns a baseline, spots the deviation and synthesises a fresh real-time signature automatically — often in under ten seconds — without waiting for a vendor update.
👉 So far: Radware maps a mechanism per family: real-time signatures + rate limiting + cloud scrubbing for volumetric, SYN cookies for protocol, L7 challenge + TLS fingerprinting for application-layer — with Behavioral-DoS auto-stopping zero-days in seconds.


📝 Wrap-up assessment — six more


Q5 · Remember

Which attack type primarily aims to saturate bandwidth?

Correct: a. Volumetric attacks (UDP/ICMP floods and amplification) consume the network pipe with sheer volume. The others are protocol or L7 attacks that exhaust state or app resources at low bandwidth.
Q6 · Understand

Which has the largest amplification factor?

Correct: c. memcached on UDP 11211 can amplify roughly 50,000x — far above NTP MONLIST (~556x) or DNS (~10–50x). ICMP floods are direct volume with no reflection multiplier.
Q7 · Apply

A SYN flood brings a server down by leaving connections in what state?

Correct: b. Spoofed SYNs make the server allocate half-open connections waiting for a final ACK that never arrives, exhausting the backlog. SYN cookies defeat this by deferring state until a valid ACK returns.
Q8 · Analyze

A DNS query flood that swamps a DNS service with unique lookups is best classified as which family?

Correct: b. A DNS query flood targets the DNS service logic with seemingly legitimate lookups — that is application-layer. Contrast with DNS amplification, which is a volumetric reflection attack that spoofs the victim IP.
Q9 · Evaluate

Behavioral TLS fingerprinting lets Radware do what?

Correct: d. Behavioral TLS/HTTPS fingerprinting judges encrypted sessions by behavior, so Web DDoS Tsunami floods are blocked without SSL decryption — no payload inspection required.
Q10 · Evaluate

Which Radware capability stops an unknown/zero-day flood automatically, versus a known one?

Correct: b. Behavioral-DoS baselines normal traffic and synthesises a real-time signature for unknown/zero-day floods, while DoS Shield mitigates known floods via existing signatures. Static ACLs and NAT are not DDoS controls.

🧠 In your own words

Type one line: why does Radware use a different mechanism for each DDoS family instead of one universal control? Then compare with the expert version.

Expert version: Because the three families attack three different resources: volumetric floods saturate bandwidth, protocol attacks exhaust state tables, and application-layer attacks drain app/server resources with legitimate-looking requests. A bandwidth-rate limit does nothing against a Slowloris that uses almost no bandwidth, and a SYN-cookie defence does nothing against a terabit UDP amplification flood. So Radware maps a tailored control to each layer — real-time signatures, rate limiting and cloud scrubbing for volumetric; SYN cookies for protocol; L7 challenge and behavioral TLS fingerprinting for application-layer — all driven by one behavioral core that auto-generates signatures for zero-day floods in seconds.


📖 Glossary

Volumetric attack
DDoS that saturates bandwidth with high packet/bit volume — UDP/ICMP floods and reflection/amplification.
Protocol attack
DDoS that exhausts stateful resources like connection tables — SYN, ACK and fragment floods.
Application-layer (L7) attack
DDoS targeting web/app logic with legitimate-looking requests — HTTP floods, Slowloris, DNS query floods, Web DDoS Tsunami.
Reflection / amplification
Spoofing the victim's IP so open servers (DNS/NTP/memcached) send large unsolicited replies to the target.
SYN cookie
A stateless handshake technique that defers resource allocation until a valid ACK arrives, defeating half-open SYN floods.
Slowloris
A low-bandwidth L7 attack that holds many connections open with slow partial HTTP requests to tie up server threads.
Behavioral-DoS (BDoS)
Radware's baseline-learning engine that detects zero-day floods and auto-generates real-time signatures, often in under ten seconds.
DoS Shield
Radware signature-based protection against known DDoS floods.
Cloud scrubbing
Diverting attack traffic to off-prem centers that clean it and forward only legitimate traffic to the protected site.


What's next?

Got the attack families? Next, go deep on Radware Behavioral-DoS internals — how it baselines normal traffic, detects rate and rate-invariant anomalies, and synthesises a real-time signature in under ten seconds without flooding the SOC with false positives.