A distributed denial-of-service (DDoS) attack doesn't try to break into your systems — it tries to drown them. By flooding a website, application, or internet connection with far more traffic than it can handle, an attacker makes it unavailable to the people who actually need it: your customers, your staff, your point-of-sale. For any business that takes orders, bookings, payments, or support online, "unavailable" translates directly into lost revenue and a frustrated customer base. Here's how these attacks work and what defending against them realistically looks like for a small or midsize business.

What a DDoS Attack Actually Is

The "distributed" part is what makes it hard to stop. Rather than one source you could simply block, the flood arrives from thousands of compromised devices — a botnet of hijacked computers, servers, routers, and IoT gadgets — all aimed at you at once. Because the traffic comes from everywhere, you can't just blacklist an address and move on.

The attack works by exhausting a finite resource. That might be your internet bandwidth, the connection table in your firewall, or your application's ability to process requests. Once that resource is saturated, legitimate traffic can't get through — the digital equivalent of a crowd blocking your front door so real customers can't get in.

The Three Types of Attack

Volumetric attacks

Raw flooding that saturates your internet bandwidth — UDP floods, DNS amplification, and the like. These are the most common and the most brute-force, and they're measured in sheer volume.

Protocol attacks

Attacks that exhaust the state tables of firewalls, load balancers, or servers, such as SYN floods. They don't need enormous bandwidth; they exploit how the network handshake itself works, tying up resources with half-open connections.

Application-layer attacks

Low-and-slow requests that look almost legitimate but target an expensive part of your application — a search, a login, a checkout. Because the volume can be modest, these are the hardest to spot and often the hardest to filter without affecting real users.

Why Small and Midsize Businesses Get Hit

It's tempting to assume DDoS is an enterprise problem, but SMBs are targeted constantly, for three reasons. First, extortion — a short demonstration attack followed by a ransom demand to make it stop. Second, as a smokescreen — the flood distracts your team and your monitoring while the attacker does something quieter elsewhere, like exfiltrating data. Third, collateral damage — you share infrastructure or an ISP with the real target and get caught in the blast radius. Attack tools are cheap and rentable by the hour, so the barrier to launching one is low and the motive doesn't have to be sophisticated.

Signs You're Under Attack

A DDoS often looks at first like a run of bad luck: a site that's suddenly slow or unreachable, an internet connection pinned at 100%, services timing out for no obvious reason, or a firewall that's mysteriously maxed out. The tell is the traffic pattern — a sudden, sustained spike from an unusual spread of sources, often hammering a single service or page. Distinguishing a genuine attack from a legitimate surge (a marketing campaign, a viral moment, a sale) is exactly the kind of judgment that good monitoring and an experienced team provide, and it's why "is this an attack or just traffic?" should never be a guess made in a panic.
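The signals named above (a sustained spike, an unusual spread of sources, one page being hammered), computed per minute over access-log lines. This is an added example, not part of the original article; the `epoch_seconds source_ip path` log format, the thresholds and the sample traffic are assumptions constructed for illustration. It flags windows for a person to review and does not decide attack versus surge on its own.

```python
from collections import Counter, defaultdict
from statistics import median

# Illustrative thresholds (assumptions): tune them against your own traffic.
SPIKE_FACTOR = 5      # requests per minute relative to the baseline median
NEW_SRC_SHARE = 0.8   # share of sources never seen during the baseline
TOP_PATH_SHARE = 0.7  # share of requests aimed at a single path
SUSTAINED_MIN = 3     # consecutive flagged minutes before reporting

def triage(lines, baseline_minutes=5):
    """Return per-minute signals once all three hold for SUSTAINED_MIN minutes."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, path = line.split()
        buckets[int(ts) // 60].append((ip, path))
    minutes = sorted(buckets)
    base = minutes[:baseline_minutes]
    base_rate = median(len(buckets[m]) for m in base)
    known = {ip for m in base for ip, _ in buckets[m]}
    run, findings = 0, []
    for m in range(base[-1] + 1, minutes[-1] + 1):
        reqs = buckets.get(m, [])
        if not reqs:          # a silent minute breaks the streak
            run = 0
            continue
        sources = {ip for ip, _ in reqs}
        path, hits = Counter(p for _, p in reqs).most_common(1)[0]
        rate_x = len(reqs) / base_rate
        new_src = len(sources - known) / len(sources)
        top_share = hits / len(reqs)
        flagged = (rate_x >= SPIKE_FACTOR and new_src >= NEW_SRC_SHARE
                   and top_share >= TOP_PATH_SHARE)
        run = run + 1 if flagged else 0
        if run >= SUSTAINED_MIN:
            findings.append({"minute": m, "rate_x": rate_x, "new_src": new_src,
                             "top_path": path, "top_share": top_share})
    return findings

def sample():
    """Constructed traffic: 5 quiet minutes, then 4 minutes flooding /login."""
    quiet = [f"{m * 60 + i} 198.51.100.{i % 10} /page{i % 4}"
             for m in range(5) for i in range(20)]
    flood = [f"{m * 60 + i % 60} 203.0.113.{i} /login"
             for m in range(5, 9) for i in range(200)]
    return quiet + flood

if __name__ == "__main__":
    for finding in triage(sample()):
        print(finding)
```

A spike of the same size from already-known sources spread across several pages produces no findings, which is the shape a campaign or sale more often takes.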

The Layers That Actually Defend You

No single box stops DDoS. Effective defense is layered, and the most important layer sits upstream of you.

Upstream scrubbing or CDN

This is the cornerstone. A cloud DDoS-protection service or content delivery network absorbs and filters the flood before it ever reaches your connection. You cannot fight a 100 Gbps attack on a 1 Gbps circuit — you need capacity bigger than the attacker's, and only a large provider has that. This is the layer most SMBs are missing.

Rate limiting and a web application firewall

At the application layer, throttling abusive request patterns and filtering malicious ones blunts the attacks that slip past raw volume filtering, especially application-layer floods.

Network hardening

Properly configured firewalls, unused protocols disabled, and a working relationship with your ISP so they can help filter upstream when you call.

Resilient architecture

Distributing services so a single choke point can't take everything down — an approach that pairs well with modern designs like SASE and SD-WAN, which give you more than one path and more than one place to absorb pressure.

Have a Runbook Before You Need One

When an attack hits, you don't want to be looking up your ISP's emergency number for the first time. A short runbook — who to call, how to engage your scrubbing provider, how to communicate with customers while you work — turns a panicked scramble into a procedure. Because the cost here is measured in downtime, it's worth reading our breakdown of what IT downtime actually costs to size the investment correctly; for most businesses, a single serious outage dwarfs a year of protection.

It's also worth deciding in advance what "good enough" looks like mid-incident. Fully stopping a large attack may be out of your hands in the moment; keeping your critical services reachable for customers — and knowing which non-essential systems you can shed to preserve them — often matters more than a perfect defense. Those calls are far easier to make calmly, written down ahead of time, than at 2 a.m. with the phones ringing and revenue on the line.

The Bottom Line

DDoS protection isn't about buying one product — it's about having upstream capacity, sensible network design, and a plan you can execute under pressure. Most SMBs are well served by a managed scrubbing or CDN layer plus a hardened network, which costs far less than the revenue a serious outage burns. If you want your defenses reviewed before an attack tests them for you, our network engineering team can help. Get in touch to start.