DDos Methods & Mitigations 

DDos Methods & Mitigations

Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. A DDoS attack involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a target website with fake traffic.

History of DDos 

Check out our timeline to see the progression of the largest and most famous distributed denial of service attacks that have occurred within the past several years (both traffic-based and packet-based attacks)


June — Cloudflare reported detecting and mitigating a 26 million RPS DDoS attack on an unnamed client’s website.

April — Cloudflare reported the detection and mitigation of a 15.3 million RPS DDoS attack on a customer operating a crypto launchpad. The attack utilized a botnet consisting of an estimated 6,000 unique devices from 112 countries. Unlike many other DDoS attacks, this one was carried out via HTTPS, which is uncommon because it’s more expensive for threat actors to use secure, encrypted connections.  


December — Microsoft reported two additional attacks against customers in Asia. The first was a 3.25 Tbps UDP attack that lasted more than 15 minutes; the second was a 2.55 Tbps UDP flood that lasted more than five minutes. While the latter might not sound like a long time, it’s five minutes longer of unrelenting attack time than any organization wants to sustain.

November — Microsoft previously reported detecting and mitigating a whopping 3.45 Tbps DDoS attack against an Azure customer in Asia. This security incident had a packet rate of 340 million packets per second.

July — Cloudflare reported a DDoS attack that topped out at 17.2 million traffic requests per second against financial websites. 


February — Amazon Web Services (AWS) reported in their TLR for Q1 2020 that they observed and mitigated a 2.3 Tbps UDP reflection vector DDoS attack. Not only is this the largest DDoS attack that AWS reported ever facing, but it was also thought to be the largest DDoS attack in history on record at the time in terms of bit rate.


April — Imperva reports one of their clients was able to thwart a DDoS attack that peaked at 580 million packets per second. To date, this is considered the largest DDoS attack by packet volume to date.

January — Another Imperva client sustained a 500 million packets per second DDoS attack.


March — NETSCOUT reported that its Arbor ATLAS global traffic and DDoS threat detection system confirmed a 1.7 Tbps memcached reflection/amplification attack on an unnamed U.S.-based service provider.

February — The GitHub DDoS attack inundated the company with 1.35 Tbps of data (129.6 million PPS) — the largest DDoS attack on record as of that time — via memcaching. This means that the attackers spoofed GitHub’s IP address to send small inquiries to several Memcached servers to trigger a major response in the form of a 50x data response.


October — The Czech statistical office websites relating to the Czech Republic’s parliamentary elections — volby.cz and volbyhned.cz — failed temporarily due to DDoS attacks during the vote count.

August — Web host company DreamHost, which was said to host the Nazi-advocate website Daily Stormer under its new name Punished Stormer, suffered a DDoS attack of unannounced proportion. This attack followed a Department of Justice request for visitor data relating to the stormer site.

June — Throughout the second half of the year, video game software developer Square Enix’s Final Fantasy XIV online role-playing game (RPG) sustained intermittent DDoS attacks via botnets. The attacks spanned the summer and another set of attacks occurred during the fall.


October — The Dyn DDoS attack, which measured in at 1.2 Tbps and was considered the largest DDoS attack at the time, brought down much of the internet across the U.S. and Europe. Using the Mirai botnet, the attack targeted Dyn, a company that controls much of the domain name system (DNS) infrastructure of the internet.

September — French web host OVH experienced a DDoS attack measuring in at nearly 1 Tbps. The attackers used a botnet of hacked IoT devices (CCTV cameras and personal video recorders) to launch their attack.


March — GitHub sustained a DDoS attack that was thought to be politically motivated because it focused on two GitHub projects that aimed to provide Chinese citizens with a way to circumvent Chinese state web censorship.


November —The website for Occupy Central in Hong Kong, which was campaigning for a more democratic voting system, experienced a 500 Gbps DDoS attack that was executed via five botnets. Also targeted were the online news site Apple Daily and PopVote, a mock election site, both of which supported OC’s message.


HTTP floods: Attacker exploits seemingly-legitimate HTTP GET or POST requests to attack a web server or application.

Mitigation: The most highly-effective mitigation mechanism rely on a combination of traffic profiling methods, including identifying IP reputation, keeping track abnormal activity and employing progressive security challenges (e.g., asking to parse JavaScript).

Low and Slow: opening multiple connections to the targeted web server and keeping them open as long as possible. It does this by continuously sending partial HTTP requests, none of which are ever completed. The attacked servers open more and connections open, waiting for each of the attack requests to be completed.

Mitigation: Enable reverse proxy technology, used for inspection of all incoming requests on their way to the clients’ servers and do not forward any partial connection requests.

UDP flood: Attacker overwhelms random ports on the targeted host with IP packets containing UDP datagrams.

Mitigation: Limiting the rate of ICMP responses.

SYN flood: Attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

Mitigation: Using cryptographic hashing, the server sends its SYN-ACK response with a sequence number (seqno) that is constructed from the client IP address, port number, and possibly other unique identifying information. When the client responds, this hash is included in the ACK packet. The server verifies the ACK, and only then allocates memory for the connection.

NTP amplification: Attack in which the attacker exploits publically-accessible Network Time Protocol (NTP) servers to overwhelm the targeted with User Datagram Protocol (UDP) traffic.

Mitigation: Reduce the number of NTP servers that support the monlist command

DNS amplification: Attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers.

Mitigation: Blocking specific DNS servers or all open recursive relay servers, and rate limiting.


Ziyaettin Botnet Services

Its a botnet with +27K devices all over the world with a power of +300 GB TCP/UDP:

  • Big raw Layer 4 service
  • TCP/UDP attack support
  • Layer 7 service
  • Cloudfare bypass 100K + RQS


TLS v3 and floods HTTPS requests in a secure tunnel through HTTP proxies

 node tls.js GET https://target.com 120 64


DDoS Script (DDoS Panel) with Multiple Bypass ( Cloudflare UAM,CAPTCHA,BFM,NOSEC / DDoS Guard / Google Shield / V Shield / Amazon / etc.. )

  •   [Layer 7]
    •  – cfb     | Bypass CF attack
    •  – pxcfb   | Bypass CF attack with proxy
    •  – cfreq   | Bypass CF UAM, CAPTCHA, BFM, etc,, with request
    •  – cfsoc   | Bypass CF UAM, CAPTCHA, BFM, etc,, with socket
    •  – pxsky   | Bypass Google Project Shield, Vshield, DDoS Guard Free, CF NoSec With Proxy
    •  – sky     | Sky method without proxy
    •  – http2   | HTTP 2.0 Request Attack 
    •  = pxhttp2 | HTTP 2.0 Request Attack With Proxy
    •  – spoof   | Spoof Attasck
    •  – pxspoof | Spoof Attack with Proxy
    •  – get     | Get  Request Attack
    •  – post    | Post Request Attack
    •  – head    | Head Request Attack
    •  – soc     | Socket Attack
    •  – pxraw   | Proxy Request Attack
    •  – pxsoc   | Proxy Socket Attack
  •   [Layer 4]
    •   -udp     | UDP Attack
    •   -tcp     | TCP Attack


  • Layer7
  • get GET | GET Flood
  • post POST | POST Flood
  • ovh OVH | Bypass OVH
  • ovh RHEX | Random HEX
  • ovh STOMP | Bypass chk_captcha
  • stress STRESS | Send HTTP Packet With High Byte
  • dyn DYN | A New Method With Random SubDomain
  • downloader DOWNLOADER | A New Method of Reading data slowly
  • slow SLOW | Slowloris Old Method of DDoS
  • head HEAD | https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD
  • null NULL | Null UserAgent and …
  • cookie COOKIE | Random Cookie PHP ‘if (isset($_COOKIE))’
  • pps PPS | Only ‘GET / HTTP/1.1\r\n\r\n’
  • even EVEN | GET Method with more header
  • googleshield GSB | Google Project Shield Bypass
  • DDoSGuard DGB | DDoS Guard Bypass
  • ArvanCloud AVB | Arvan Cloud Bypass
  • Google bot BOT | Like Google bot
  • Apache Webserver APACHE | Apache Expliot
  • wordpress expliot XMLRPC | WP XMLRPC expliot (add /xmlrpc.php)
  • CloudFlare CFB | CloudFlare Bypass
  • CloudFlare UnderAttack Mode CFBUAM | CloudFlare Under Attack Mode Bypass
  • bypass BYPASS | Bypass Normal AntiDDoS
  • bypass BOMB | Bypass with codesenberg/bombardier
  • 🔪 KILLER | run many threads to kill a target
  • 🧅 TOR | Bypass onion website
  • Layer4:
  • tcp TCP | TCP Flood Bypass
  • udp UDP | UDP Flood Bypass
  • syn SYN | SYN Flood
  • cps CPS | Open and close connections with proxy
  • icmp ICMP | Icmp echo request flood (Layer3)
  • connection CONNECTION | Open connection alive with proxy
  • vse VSE | Send Valve Source Engine Protocol
  • teamspeak 3 TS3 | Send Teamspeak 3 Status Ping Protocol
  • fivem FIVEM | Send Fivem Status Ping Protocol
  • mem MEM | Memcached Amplification
  • ntp NTP | NTP Amplification
  • mcbot MCBOT | Minecraft Bot Attack
  • minecraft MINECRAFT | Minecraft Status Ping Protocol
  • minecraft pe MCPE | Minecraft PE Status Ping Protocol
  • dns DNS | DNS Amplification
  • chargen CHAR | Chargen Amplification
  • cldap CLDAP | Cldap Amplification
  • ard ARD | Apple Remote Desktop Amplification
  • rdp RDP | Remote Desktop Protocol Amplification

Fuxi Botnet 

  • 700GB UDP Flood
  • 400GB TCP/ACk Flood


We guarantee a minimum of 500k-1m+ pps per concurrent for Layer 4 (the Gbps will depend on the method) and minimum 300Gbps of valid.

  • Bypass Security Protection Like:
    • Cloudflare (free-enterprise) Cloudflare Bot-Fight mode, and javascript detection,
    • Cloudflare UAM (js challenge), Cloudflare Captcha (hcaptcha & recaptcha)
    • DDoS-Guard (JS challenge)
    • Sucuri
    • Stormwall(recaptcha v2 & v3)
    • Amazon CDN Cloudfront
    • Imperva Incapsula
    • Akamai
    • Fastly
    • Blazingfast
    • Nooder(recaptcha v3)
    • React.su
    • Qrator
    • Arvan Cloud


DDOS Archive by RootSec (Scanners, BotNets (Mirai and QBot Premium & Normal and more), Exploits, Methods, Sniffers)


DDoS Tool that supports:

  • DNS Amplification (Domain Name System)
  • NTP Amplification (Network Time Protocol)
  • SNMP Amplification (Simple Network Management Protocol)
  • SSDP Amplification (Simple Service Discovery Protocol)


Slowloris is a type of denial of service attack tool invented by Robert “RSnake” Hansen which allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports.


R.U.D.Y. is a denial-of-service attack tool that aims to keep a web server tied up by submitting form data at an absurdly slow pace. A R.U.D.Y. exploit is categorized as a low-and-slow attack, since it focuses on creating a few drawn-out requests rather than overwhelming a server with a high volume of quick requests. A successful R.U.D.Y. attack will result in the victim’s web server becoming unavailable to legitimate traffic.


Related Content




Sign up now to receive the latest notifications and updates from Hadess.

Sign up for News & Communications

Do you want quick & free cyber-security analysis of your application?

Secure your entire workforce, including remote employees.