A Distributed Denial-of-Service attack is the most common way to take a server offline — UDP Flood, TCP SYN, HTTP/2 Rapid Reset. Learn how every DDoS attack vector works and how to hire DDoS stress testing for your own infrastructure.
Two distinct but related concepts — understanding both is the starting point for any DDoS stress test.
A Distributed Denial-of-Service (DDoS) attack is a coordinated attempt to exhaust the resources of a server, network device, or online service by overwhelming it with traffic from a large number of distributed sources — typically a botnet: a network of compromised machines under adversarial control.
Unlike a single-source Denial-of-Service (DoS) attack, the distributed nature of DDoS makes simple IP-blocking ineffective. Attacks are classified by OSI model layer: Layer 4 (Transport layer) attacks saturate bandwidth or exhaust connection tables; Layer 7 (Application layer) attacks exhaust server CPU by sending requests that appear legitimate.
Record volumetric DDoS attacks in 2024 exceeded 5 Tbps (Cloudflare, October 2024), generated by botnets of several million compromised endpoints including IoT devices, cloud VMs, and CLDAP/DNS reflectors used for amplification.
A DDoS-for-hire service — also called a stresser or booter — is a commercial platform that provides on-demand DDoS attack capacity, marketed for server stress testing. Users pay for access to botnet infrastructure or amplification relays and direct traffic at a target IP or domain of their choosing.
Legitimate use cases involve testing your own servers, game server infrastructure, or CDN bypass resistance before an actual attack arrives. The stresser generates real attack traffic — UDP Flood, TCP SYN Flood, or HTTP/2 Rapid Reset — against the target and reports results including PPS, Gbps, and whether the target's DDoS mitigation held.
Legal boundary: stress testing infrastructure you own or hold written authorization to test is legal in most jurisdictions. Directing attacks at third-party infrastructure without authorization is a criminal offense under the Computer Fraud and Abuse Act (USA), the Computer Misuse Act (UK), and equivalent laws worldwide.
Every DDoS attack method targets a different part of the network stack. Choosing the right vector for stress testing depends on how the target is protected.
| Attack vector | OSI layer | Target resource | Mitigation | Bypass difficulty |
|---|---|---|---|---|
| UDP Flood | L4 Transport | Bandwidth, CPU (ICMP replies) | Rate limiting, upstream scrubbing | Low |
| TCP SYN Flood | L4 Transport | Connection table (half-open) | SYN cookies, stateful firewall | Low |
| ICMP Flood (Ping Flood) | L3 Network | Bandwidth, CPU | ICMP rate limit, null-route | Low |
| DNS / NTP Amplification | L4 Transport | Bandwidth (amplified) | BCP38, ingress filtering | Medium |
| HTTP Flood (GET/POST) | L7 Application | CPU, memory, DB connections | Bot detection, JS challenge | Medium |
| HTTP Bypass | L7 Application | CPU, CDN origin | Cloudflare, advanced WAF | High |
| HTTP/2 Rapid Reset (CVE-2023-44487) | L7 Application | Web server threads, memory | Patched servers, stream limits | High |
Sends large volumes of User Datagram Protocol (UDP) packets to random ports on the target. The server processes each packet and sends back ICMP Destination Unreachable responses, consuming bandwidth and CPU until exhaustion. Amplification variants use open DNS resolvers, NTP servers, or SSDP endpoints to multiply traffic 10–500× beyond the attacker's upstream capacity.
L4 · BandwidthExploits the TCP three-way handshake: the attacker sends SYN packets but never completes the connection with the final ACK. The server allocates a half-open connection entry for each SYN and waits for an ACK that never arrives. When the connection table fills, legitimate TCP connections are refused. Mitigated by SYN cookies on the server or upstream firewall, but high-volume variants still saturate NIC queues.
L4 · State exhaustionCVE-2023-44487 — exploits the HTTP/2 multiplexed stream mechanism: the attacker sends a large number of RST_STREAM frames immediately after opening streams, forcing the server to allocate and immediately deallocate resources at a rate that overwhelms even CDN-level mitigation. Used against Cloudflare, AWS, and Google infrastructure in the August 2023 record attack (398 Mrps). Mitigated by patched server software and stream-rate limits.
L7 · ApplicationModern stresser platforms give security teams direct access to real DDoS attack infrastructure for authorized testing.
A stresser (also marketed as a booter) is a DDoS-for-hire platform that aggregates botnet capacity, amplification relays, and L7 attack scripts into a self-service web panel. You enter a target IP or URL, select an attack method and duration, and the platform dispatches the attack from its distributed network of nodes.
The choice of attack method depends on what protection the target uses. Major DDoS mitigation providers handle attacks differently:
Three steps to test your server's DDoS resilience with a stresser service.
Match the DDoS vector to your server's protection. For an unprotected VPS, start with UDP Flood to measure raw bandwidth tolerance. For Cloudflare-protected targets, use L7 HTTP Bypass or HTTP/2 Rapid Reset methods that pass through CDN scrubbing. For game servers, use the server-specific method (RakNet, Source, FiveM).
Enter the IP address or domain of the server you own and are authorized to test. Set the attack duration (typically 60–300 seconds for a meaningful stress test) and the port (80/443 for web servers; game-specific ports for game servers). Confirm you have authorization — reputable stressers require owning the target or holding signed authorization.
Watch the stresser dashboard during the attack: PPS (packets per second) indicates L4 intensity; Gbps shows volumetric load. Monitor your server's CPU, NIC queue, and application response time in parallel. If the server degrades or goes offline, your current DDoS mitigation is insufficient for this attack volume and method.
A Distributed Denial-of-Service (DDoS) attack is a coordinated attempt to make a server, network, or online service unavailable by flooding it with traffic from a large number of sources — typically a botnet. Unlike a single-source DoS attack, the distributed nature makes DDoS traffic harder to filter because it originates from many different IP addresses worldwide. Attacks are classified by OSI layer: Layer 4 attacks saturate bandwidth or exhaust connection tables; Layer 7 attacks exhaust CPU by sending requests that appear legitimate.
DDoS for hire — also called a stresser or booter service — is a commercial platform that provides on-demand DDoS attack capacity. Users pay for access to botnet or amplification infrastructure and direct traffic at a target for server stress testing. Using such a service against infrastructure you own and are testing is legal; using it against infrastructure you do not own or are not authorized to test is a criminal offense in most countries.
Layer 4 (Transport layer) DDoS attacks target the TCP/UDP network stack: UDP Flood saturates bandwidth, TCP SYN Flood exhausts connection tables, ICMP Flood consumes CPU. These are volumetric attacks that typically require large bandwidth to be effective against protected infrastructure. Layer 7 (Application layer) DDoS attacks mimic legitimate HTTP/HTTPS requests, consuming server CPU, memory, and database connections. L7 attacks are harder to filter because they look like real user traffic and can bypass CDN scrubbing — making them the primary method for attacking Cloudflare-protected targets.
HTTP/2 Rapid Reset (CVE-2023-44487) is a Layer 7 DDoS technique that exploits HTTP/2's multiplexed stream mechanism. The attacker sends RST_STREAM frames immediately after opening streams, forcing the server to allocate and release resources at a rate that overwhelms server threads. It was used to set a record DDoS attack of 398 million requests per second against Cloudflare, AWS, and Google in August 2023 — at roughly 8x the previous record. Mitigation requires updated server software (nginx, Apache, Go HTTP/2 libraries) with stream-rate limits and HTTP/2 connection limits.
Cloudflare's Anycast network provides strong L3/L4 volumetric DDoS scrubbing and machine-learning-based bot detection for L7 attacks. However, advanced L7 HTTP Bypass methods that mimic legitimate browser behavior can partially circumvent JS challenges. HTTP/2 Rapid Reset demonstrated the ability to overload Cloudflare infrastructure at sufficient request rates in 2023. OVH anti-DDoS, Voxility, and Path.net provide alternative hardware-level mitigation at the network edge, each with different strengths against specific attack vectors.
UDP amplification attacks exploit open network services that return responses much larger than the original request. The attacker spoofs the victim's IP address as the source and sends small requests to amplification servers (DNS resolvers, NTP servers, SSDP devices, Memcached instances). The amplification servers send their large responses to the victim's IP — multiplying the attacker's bandwidth by an amplification factor of 10–50,000x. DNS amplification has an average factor of ~50x; Memcached can reach 50,000x. BCP38 ingress filtering and disabling open resolvers are the primary mitigations.
DDoS stress testing of infrastructure you own or have explicit written authorization to test is legal in most jurisdictions. Launching a DDoS attack against infrastructure you do not own — even through a commercial stresser service — is illegal under the Computer Fraud and Abuse Act (CFAA, USA), the Computer Misuse Act (CMA, UK), the NIS2 Directive (EU), and equivalent laws in most countries, with penalties including fines and imprisonment. Reputable stresser services require confirmation of ownership or authorization before processing orders.
An unprotected VPS or dedicated server with a standard 1 Gbps uplink can be taken offline with 1–5 Gbps of UDP Flood. Servers behind upstream scrubbing (OVH anti-DDoS, Voxility) may withstand hundreds of Gbps of volumetric L4 traffic. CDN-protected targets (Cloudflare) typically require switching to L7 HTTP Bypass methods that bypass scrubbing by appearing as legitimate requests — volume measured in requests per second (RPS) rather than Gbps. The August 2023 record HTTP/2 Rapid Reset attack reached 398 million RPS before the targeted CDN deployed mitigations.