DDoS protection works by detecting malicious traffic floods and filtering them before they reach your server. A mitigation system uses network-level controls (scrubbing centers, BGP FlowSpec rules, and Anycast distribution) and application-layer defenses (web application firewalls and rate limiting) to separate attack traffic from legitimate visitors. The goal is to drop the attack while keeping legitimate users connected. For hosting buyers, this is the difference between a site that stays online during an attack and one that becomes unreachable.
Understanding how this works matters because DDoS attacks are not rare events for production websites. A single volumetric flood can saturate a 1 Gbps uplink in seconds. An application-layer attack can exhaust PHP-FPM workers or database connections without consuming much bandwidth. The protection you get from your hosting provider determines whether your site absorbs the hit or goes offline.
What Is a DDoS Attack?
A DDoS attack is a coordinated attempt to make a service unavailable by overwhelming it with traffic from many sources. Botnets, compromised IoT devices, and abused public services are common sources. The attack traffic mixes with legitimate requests, so the defender must distinguish between the two.
There are three main categories.
Volumetric attacks
Volumetric attacks aim to consume all available bandwidth. UDP floods, ICMP floods, and DNS amplification attacks fall into this category. A UDP flood sends large volumes of packets to random ports. The target server spends resources processing these and sending ICMP port unreachable responses. DNS amplification sends small queries to open resolvers with a spoofed source address. The resolver sends large responses to the victim, multiplying traffic volume.
Protocol attacks
Protocol attacks exploit weaknesses in network protocols or exhaust connection tables. A SYN flood sends TCP connection requests without completing the handshake. The server allocates resources for each half-open connection until the backlog fills. A Ping of Death sends oversized ICMP packets that cause buffer overflows on older systems. Smurf attacks send ICMP echo requests to a broadcast address with the victim's source IP, causing every host on the subnet to reply to the victim.
Application-layer attacks
Application-layer attacks target the web server, application code, or database layer. HTTP floods request legitimate-looking URLs repeatedly. Slowloris opens many connections and sends partial HTTP requests slowly, keeping connections open. RUDY does the same with POST requests. These attacks use minimal bandwidth but exhaust thread pools, PHP workers, or database connections. They are harder to filter because the traffic looks like normal requests.
How DDoS Protection Works at the Network Level
Network-level protection handles volumetric and protocol attacks before they reach the server. The infrastructure sits upstream from the hosting environment, typically at the provider's edge or at dedicated scrubbing facilities.
Scrubbing Centers and Traffic Filtering
A scrubbing center is a specialized facility that receives diverted traffic, inspects packets, removes malicious traffic, and forwards clean traffic back to the destination. The diversion happens via BGP routing changes. When an attack is detected, the provider announces a more specific route for the attacked IP prefix, directing traffic to the scrubbing center instead of the normal path.
Inside the scrubbing center, appliances perform deep packet inspection. They check packet headers, payload signatures, and traffic patterns against known attack signatures. Legitimate traffic is tunnelled back to the origin server via GRE or delivered directly through clean pipes. The process adds minimal latency, typically under 5 milliseconds, and preserves session state for legitimate users.
Scrubbing centers work best for large volumetric attacks. A single center might handle several hundred gigabits per second. Providers with multiple scrubbing centers distribute load across regions. If one center is near capacity, traffic diverts to another location with available headroom.
BGP FlowSpec and RTBH
BGP FlowSpec (RFC 5575, updated in RFC 8955) is a protocol that propagates traffic filtering rules through BGP announcements. Instead of blocking an entire IP prefix, FlowSpec lets operators define precise rules based on destination IP, source IP, port, protocol, packet length, and TCP flags. These rules spread across all BGP-peered routers within seconds.
FlowSpec is surgical. A provider can drop only UDP traffic to port 53 during a DNS amplification attack, while leaving TCP traffic to port 443 untouched. This precision matters for production services that cannot afford a total outage.
RTBH (Remotely Triggered Black Hole) is the emergency option. When a destination is under severe saturation and FlowSpec rules are not enough, the provider announces a null route for the attacked prefix. All traffic to that IP is dropped at the edge. This stops the attack completely but also makes the service unreachable. RTBH is the last resort when the alternative is cascading failure across shared infrastructure.
Anycast Distribution and Edge Mitigation
Anycast is a network addressing technique that routes traffic to the nearest server in a distributed group. A single IP address is announced from multiple locations. Each user reaches the closest edge node, which reduces latency under normal conditions.
During a DDoS attack, Anycast distributes the attack load across all available nodes. Instead of one data center absorbing the full impact, the attack traffic spreads across the entire network. If one node is overwhelmed, it stops announcing its route and traffic reroutes to the next nearest node. This resilience is why large providers use Anycast for DNS and CDN services.
For hosting customers, Anycast means that a DDoS attack against a single IP is shared across the provider's entire edge network. The capacity of any one location is not the limiting factor. The total network capacity is.
The 2.5 Tbps Protection Number: What It Actually Means
Mitigation capacity numbers represent the total filtering throughput available across a provider's network. They are not dedicated to one customer. A 2.5 Tbps capacity means the provider can inspect and filter up to 2.5 terabits per second of traffic across all scrubbing centers and edge nodes combined.
This number is more relevant than it might appear. The vast majority of DDoS attacks peak below 10 Gbps. Even large attacks that make headlines rarely exceed 1 Tbps. A 2.5 Tbps capacity handles the overwhelming majority of attacks without saturation. Only the most extreme events (which have historically exceeded 3 Tbps) would test this limit, and those are rare enough that most websites never encounter them.
For ServerSpan customers, this capacity is included with all VPS and web hosting plans. The VPS page states "comprehensive DDoS Mitigation included up to 2.5 Tbps". The web hosting page confirms "up to 2.5 Tbps DDoS Mitigation included". There is no separate add-on. It is part of the network infrastructure that every customer uses.
Application-Layer (L7) Defense: WAFs and Rate Limiting
Network-level filtering cannot inspect HTTP requests. A volumetric filter might drop a UDP flood, but it cannot distinguish between a legitimate HTTP GET and a malicious HTTP flood. That distinction happens at the application layer.
A Web Application Firewall (WAF) inspects HTTP headers, request payloads, and URL patterns. It blocks requests that match known attack signatures, such as SQL injection patterns or cross-site scripting attempts. Modern WAFs also use behavioral analysis to detect anomalies, such as a single IP requesting the same URL hundreds of times per second.
Rate limiting caps the number of requests an IP address or session can make within a time window. For example, an nginx rate limit configuration might allow 10 requests per second from a single IP to a login endpoint, with a burst allowance of 20 requests. Excess requests receive a 429 response. This stops automated login attempts and HTTP floods without affecting normal browsing.
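As an added illustration (not code from the article or from ServerSpan), the following Python models the leaky-bucket behaviour behind an nginx limit_req policy with the parameters just described, 10 requests per second per client IP, a burst of 20 and 429 on excess, so you can see exactly which requests in a burst get through. The nginx directives named in the comments are real; the client IPs and traffic are constructed.

```python
# Added example: a leaky-bucket limiter modelled on nginx's limit_req. The equivalent
# nginx configuration for the policy described above would be:
#   limit_req_zone $binary_remote_addr zone=login:10m rate=10r/s;
#   limit_req zone=login burst=20 nodelay;
#   limit_req_status 429;
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    rate: float = 10.0      # requests per second that drain from each client's bucket
    burst: int = 20         # how far a client may run ahead of the rate before rejection
    status: int = 429       # response code for rejected requests (limit_req_status)
    buckets: dict = field(default_factory=dict)   # client key -> [excess, last_seen]

    def check(self, key: str, now: float) -> int:
        """Return 200 if the request is admitted, otherwise the reject status."""
        if key not in self.buckets:
            # nginx creates the node with excess 0, so the first request is always admitted
            self.buckets[key] = [0.0, now]
            return 200
        excess, last = self.buckets[key]
        # leak since the last admitted request, then charge this request one unit
        excess = max(0.0, excess - self.rate * (now - last)) + 1.0
        if excess > self.burst:
            return self.status              # rejected requests leave the bucket untouched
        self.buckets[key] = [excess, now]   # nodelay: admitted immediately, excess recorded
        return 200


def replay(zone: LimitReqZone, requests):
    """Feed (timestamp, client_ip) pairs through the zone; return {ip: {code: count}}."""
    tally = {}
    for ts, ip in requests:
        code = zone.check(ip, ts)
        tally.setdefault(ip, {200: 0, zone.status: 0})[code] += 1
    return tally


# Constructed traffic: 203.0.113.5 fires 25 requests in the same instant and 15 more one
# second later; 198.51.100.7 browses at a steady two requests per second.
SAMPLE = ([(0.0, "203.0.113.5")] * 25 + [(1.0, "203.0.113.5")] * 15
          + [(t / 2, "198.51.100.7") for t in range(10)])

if __name__ == "__main__":
    for ip, counts in replay(LimitReqZone(), sorted(SAMPLE)).items():
        print(ip, counts)   # 203.0.113.5 -> 31 admitted, 9 rejected; 198.51.100.7 -> all admitted
```

The burst client gets 21 requests through at once (the first request plus the 20-request burst), then only as many as the bucket has drained one second later; the steady client is never touched.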
Challenge pages add another layer. When traffic exceeds a threshold, the WAF can serve a JavaScript challenge or CAPTCHA to suspicious requests. Legitimate browsers pass the challenge automatically. Automated bots typically fail. This is effective against low-and-slow attacks that do not trigger volumetric thresholds.
For self-managed VPS customers, these tools must be configured manually. A WAF like ModSecurity or a reverse proxy with rate limiting rules can be installed on the server. The tradeoff is that these local defenses consume CPU and memory. During a large attack, the server might exhaust resources processing the defense itself. Network-level mitigation handles the volume before it reaches the server, which is why provider-level protection is essential for production workloads.
What Happens During a DDoS Attack? Step-by-Step Timeline
Understanding the timeline helps hosting buyers evaluate whether a provider's response process is adequate.
Baseline: Traffic monitoring systems collect telemetry from NetFlow, sFlow, or IPFIX data. They establish baselines for bits per second, packets per second, connection counts, and request rates per endpoint. These baselines are specific to each customer and time of day.
Detection: When traffic exceeds a baseline threshold, the system triggers an alert. Flow-based systems with 1-minute sampling might detect a spike within 60 seconds. Real-time streaming telemetry can detect anomalies faster.
Classification: The system identifies the attack vector. Is it a UDP flood to a specific port? A SYN flood exhausting connection tables? An HTTP flood targeting a login endpoint? Classification determines which mitigation technique to apply. Misclassification leads to ineffective rules or false positives.
Initial mitigation: For small attacks, the system pushes FlowSpec rules or rate limits automatically. These take effect within seconds. For application-layer attacks, the WAF might activate challenge pages for suspicious IPs. This stage aims to stop the attack without service disruption.
Escalation: If the attack grows beyond edge filtering capacity, traffic is diverted to scrubbing centers. A BGP announcement redirects the attacked prefix to the scrubbing facility. Clean traffic returns via a tunnel or direct routing. This adds a few milliseconds of latency but maintains availability.
Emergency: If total network capacity is at risk, the provider may activate RTBH for the affected prefix. This is a deliberate decision to sacrifice one customer's availability to protect the rest of the network. Professional providers communicate this action in real time and work to restore service as soon as capacity is available.
Verification: After mitigation activates, the provider monitors whether legitimate traffic still flows. False positives are corrected by adjusting rules. The attack volume is tracked to confirm the mitigation is effective.
Post-attack: The incident is logged. Attack vectors, source ASNs, and rule effectiveness are documented. This feeds back into baseline tuning and threshold adjustments.
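The baseline, detection, classification and initial-mitigation steps above, worked through in Python on constructed NetFlow-style records; this is an added example, not the article's or ServerSpan's code, and the spike factor, the packet-rate floor, the 60% dominance cut-off and the FlowSpec-style rule wording are all assumptions. The DNS-amplification check keys on UDP source port 53, since amplified replies leave the resolver's DNS port.

```python
# Added example: baseline -> detection -> classification -> initial FlowSpec-style rule,
# run over constructed NetFlow-style records. Thresholds and rule wording are assumptions.
from collections import defaultdict, namedtuple

# dst = attacked IP, flags = TCP flags seen ("" for UDP), packets = count in the window
Flow = namedtuple("Flow", "dst proto sport dport flags packets")

def pps_per_dst(flows, seconds=60):
    """Baseline step: packets per second seen for each destination in the window."""
    total = defaultdict(int)
    for f in flows:
        total[f.dst] += f.packets
    return {dst: n / seconds for dst, n in total.items()}

def detect(current, baseline, factor=5.0, floor_pps=10_000):
    """Detection step: destinations above factor x baseline and above a hard floor."""
    now = pps_per_dst(current)
    return sorted(d for d, pps in now.items()
                  if pps > max(floor_pps, factor * baseline.get(d, 0.0)))

def classify(flows):
    """Classification step: dominant vector for one destination, by packet share."""
    by_vector = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and f.sport == 53:       # amplified replies leave resolver port 53
            by_vector["dns-amplification"] += f.packets
        elif f.proto == "tcp" and f.flags == "S":    # half-open handshakes only
            by_vector["syn-flood"] += f.packets
        else:
            by_vector["other"] += f.packets
    vector, pkts = max(by_vector.items(), key=lambda kv: kv[1])
    return vector if pkts / sum(by_vector.values()) >= 0.6 else "unclassified"

# Initial-mitigation step. Rule text is illustrative, not a real router syntax;
# an unclassified vector is escalated to L7 tooling (WAF, challenge pages) instead.
RULES = {"dns-amplification": "match dst {dst}/32 proto udp src-port 53 -> rate-limit",
         "syn-flood": "match dst {dst}/32 proto tcp tcp-flags syn -> rate-limit"}

def mitigate(current, baseline):
    """Return {dst: (vector, action)} for every destination that trips detection."""
    actions = {}
    for dst in detect(current, baseline):
        vector = classify([f for f in current if f.dst == dst])
        rule = RULES.get(vector, "escalate: WAF inspection / challenge pages")
        actions[dst] = (vector, rule.format(dst=dst))
    return actions

# Constructed telemetry: a quiet minute, then a minute of amplified DNS replies at 192.0.2.10.
QUIET = [Flow("192.0.2.10", "tcp", 51000, 443, "SA", 120_000),
         Flow("192.0.2.10", "udp", 53, 34000, "", 6_000)]
ATTACK = [Flow("192.0.2.10", "tcp", 51000, 443, "SA", 130_000),
          Flow("192.0.2.10", "udp", 53, 40000, "", 9_000_000),
          Flow("192.0.2.11", "tcp", 40000, 443, "SA", 110_000)]
```

Calling mitigate(ATTACK, pps_per_dst(QUIET)) flags only 192.0.2.10 (192.0.2.11 stays under the floor) and emits the UDP source-port-53 rule; a record set where no vector dominates comes back as "unclassified" and is escalated rather than filtered blindly.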
DDoS Protection Checklist for Hosting Buyers
When evaluating hosting providers, ask the following questions. The answers reveal whether the protection is real or marketing.
- Is DDoS mitigation included or an add-on? Some providers advertise protection but charge a separate fee for activation. Others include only basic firewalling and call it DDoS protection. Verify what is included in the base price.
- What is the total mitigation capacity? A provider with 10 Gbps of capacity cannot handle a 100 Gbps attack. Ask for the total network capacity, not just the marketing headline.
- Is there L7 protection or only L3 and L4? Network-level filtering stops volumetric attacks but does not inspect HTTP requests. If you run a web application, you need both. Ask whether the provider offers a WAF, rate limiting, or challenge pages.
- Are there traffic limits or overage charges during an attack? Some providers count attack traffic toward your bandwidth quota. If you have a 10 TB monthly limit and an attack sends 50 TB, you might receive an unexpected bill. Ask about billing during DDoS events.
- Does the provider have multiple scrubbing locations? A single scrubbing center is a single point of failure. Multiple locations with Anycast distribution provide redundancy and better geographic coverage.
- What is the typical time-to-mitigation? Ask for average detection and mitigation times. Under 60 seconds is reasonable for automated systems. Under 5 minutes is acceptable for manual escalation. Anything longer leaves your site exposed.
- Is there a documented incident response process? Ask how the provider communicates during an attack, who makes the RTBH decision, and how quickly you can expect updates. A clear process indicates operational maturity.
Why Free DDoS Protection Is Rare (And Why It Matters)
Genuine DDoS protection requires expensive infrastructure. Scrubbing centers need dedicated hardware, high-capacity uplinks, and trained operators. BGP FlowSpec and Anycast routing require upstream provider relationships and ASN management. A 2.5 Tbps network capacity involves significant transit and peering costs.
A provider that offers free DDoS protection may be offering one of two things. The first is basic firewall rules, such as IP blocking or port filtering. These stop casual attacks but do nothing against volumetric floods or distributed botnets. The second is protection that is actually bundled into the base price and marketed as free. This is acceptable, but the capacity and quality still matter.
Budget providers and mass-market hosts often fall into the first category. They block obviously abusive IPs or null-route prefixes under attack. This is not DDoS mitigation. It is damage control. Your site is still offline during the attack, and the provider has no infrastructure to absorb the volume.
How ServerSpan's Protection Differs from Standard Firewalling
ServerSpan includes up to 2.5 Tbps of DDoS mitigation with all VPS and web hosting plans. This is not a firewall rule or an IP blacklist. It is a network-level mitigation system that uses scrubbing centers, BGP FlowSpec, and application-layer filtering.
The VPS hosting plans use KVM and LXC virtualization with full root access, so customers can layer their own defenses on top of the provider's network protection. The web hosting plans use the DirectAdmin control panel and include the same network-level mitigation at the edge. This means shared hosting customers receive protection that is typically reserved for dedicated infrastructure.
The why-us page documents public comparisons to several providers, including DigitalOcean and Hostinger, using their published pricing and feature data. For a full breakdown of plan differences and what is included at each level, see the comparison at ServerSpan's why-us page.
If you are choosing hosting for a production workload, evaluate whether the provider's protection handles the attack types your application is likely to face. Network-level mitigation is essential for any public-facing service. Application-layer filtering is essential for web applications. ServerSpan's VPS hosting and web hosting pages detail the protection included with each plan.
FAQ
Will DDoS protection slow down my site?
Network-level mitigation adds minimal latency, typically under 5 milliseconds. Application-layer filtering adds more, depending on the WAF configuration. A well-tuned system should not noticeably affect page load times for legitimate users.
Can I run my own DDoS protection on a VPS?
You can install tools like fail2ban, ModSecurity, or nginx rate limiting. These help against small attacks and brute force attempts. They will not stop a volumetric flood that saturates your uplink. Provider-level network mitigation is the only effective defense against large attacks.
What is the difference between DDoS protection and a CDN?
A CDN caches content at edge locations and can absorb some DDoS traffic by distributing load. However, a CDN is not designed for DDoS mitigation. Dynamic requests, API calls, and uncacheable content still reach the origin. Professional DDoS protection uses scrubbing centers and FlowSpec rules that a CDN does not provide. The two complement each other but are not interchangeable.
How do I know if my site is under a DDoS attack?
Signs include sudden traffic spikes in analytics, slow response times, server errors (502, 503, 504), or complete unavailability. On a Linux VPS, you can check connection counts with ss -tan | wc -l and sample traffic with tcpdump -nn -c 100 -i any port 80. If you see thousands of connections from a small set of IPs or repetitive requests to the same URL, you may be under attack. Contact your provider's support for confirmation.
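An added example (not from the article) that turns the ss -tan check above into a small triage script: it counts sockets by state and by peer address and flags the two patterns just described, a small set of IPs holding many connections and a large share of half-open SYN-RECV sockets. The sample output, addresses and thresholds are constructed assumptions.

```python
# Added example: triage `ss -tan` output for the signs listed above. Thresholds are
# assumptions; tune them to what your server normally sees.
from collections import Counter


def parse_ss(output):
    """Yield (state, peer_ip) for each socket line of `ss -tan` output."""
    for line in output.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        peer_ip, _port = parts[4].rsplit(":", 1)  # handles 198.51.100.7:443 and [2001:db8::1]:443
        yield parts[0], peer_ip.strip("[]")


def triage(output, per_ip_limit=50, halfopen_share=0.5):
    """Count sockets by state and peer; flag peers holding many sockets and SYN-RECV floods."""
    states, peers = Counter(), Counter()
    for state, ip in parse_ss(output):
        states[state] += 1
        peers[ip] += 1
    total = sum(states.values())
    return {
        "total": total,
        "states": dict(states),
        "top_peers": peers.most_common(3),
        "suspect_peers": sorted(ip for ip, n in peers.items() if n >= per_ip_limit),
        "syn_flood_suspected": total > 0 and states["SYN-RECV"] / total >= halfopen_share,
    }


# Constructed sample: three sockets from a normal visitor, 60 from one peer, and 80
# half-open handshakes spread over 50 sources (the pattern a SYN flood leaves behind).
HEADER = "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process\n"
SAMPLE = HEADER + "".join(
    [f"ESTAB 0 0 203.0.113.10:443 198.51.100.7:{50000 + i}\n" for i in range(3)]
    + [f"ESTAB 0 0 203.0.113.10:80 198.51.100.77:{40000 + i}\n" for i in range(60)]
    + [f"SYN-RECV 0 0 203.0.113.10:80 192.0.2.{100 + i % 50}:{30000 + i}\n" for i in range(80)]
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On a live host, pipe the real output in with `ss -tan | python3 triage.py` after replacing SAMPLE with sys.stdin.read(); the report is the evidence to hand to your provider's support when asking for confirmation.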
Is DDoS protection enough by itself?
No. DDoS protection prevents availability attacks but does not fix application vulnerabilities. A WAF stops some web attacks, but it does not replace secure coding, regular updates, or proper authentication. Protection is one layer of a defense-in-depth strategy.
Source & Attribution
This article is based on original data belonging to the serverspan.com blog. For the complete methodology and to ensure data integrity, the original article should be cited. The canonical source is available at: How DDoS Protection Actually Works: A Technical Guide for Website Owners (2026).