A DDoS attack works like a store so packed with fake customers that no real shopper can get through the door, except that the crowd is made of hijacked devices and the damage can run into tens of thousands of dollars per hour. In 2020, Amazon Web Services (AWS) fended off a 2.3 Tbps flood of traffic, the largest ever recorded (Palo Alto Networks, cybersecurity firm).

  • Average DDoS attack duration: 2–3 hours (Canadian Centre for Cyber Security, government security agency)
  • Largest recorded DDoS attack (2020): 2.3 Tbps (Palo Alto Networks)
  • Estimated annual DDoS attacks worldwide: Over 10 million (CERT-EU, EU cybersecurity agency)
  • Average cost per hour of downtime: $20,000–$40,000 (Indusface, cybersecurity blog)

Quick snapshot

1. Confirmed facts
2. What’s unclear
  • Exact attribution of many attacks remains unknown (CERT-EU)
  • Future evolution of attack vectors and botnet designs (Canadian Centre for Cyber Security)
3. Timeline signal
  • 1999: First known DDoS attack on the University of Minnesota (Palo Alto Networks)
  • 2020: Largest attack (2.3 Tbps) hits AWS (Canadian Centre for Cyber Security)
4. What’s next
  • Growing sophistication of IoT botnets (CERT-EU)
  • Increased use of DDoS as geopolitical tool (Palo Alto Networks)

Five key facts about DDoS attacks, one pattern: each reinforces how these attacks have grown from isolated pranks to infrastructure-level threats.

Fact | Details | Source
First major DDoS attack | 1999, University of Minnesota | Palo Alto Networks
Largest attack (volume) | 2.3 Tbps (2020, AWS) | Canadian Centre for Cyber Security
Average cost per hour | $20,000–$40,000 | Indusface
Attacks per day (global) | Thousands | CERT-EU

Is a DDoS attack illegal?

Yes. In the United States, launching a DDoS attack violates the Computer Fraud and Abuse Act (CFAA), a federal law that criminalizes unauthorized access and damage to protected computers. The FBI treats DDoS as a federal crime and actively investigates such attacks (FBI, US law enforcement). Penalties can include fines and imprisonment.

The upshot

The legal teeth behind anti-DDoS laws mean that attackers face real consequences, but enforcement depends on attribution — which often remains a challenge.

What are the legal consequences of launching a DDoS attack?

  • Fines up to several hundred thousand dollars and prison sentences of up to 10 years under the CFAA (Legal Information Institute, Cornell Law).
  • Civil lawsuits from affected companies seeking damages for downtime and remediation costs.

The implication: the risk-reward equation for attackers is increasingly unfavorable, but jurisdictional gaps still make prosecution difficult.

Have there been notable prosecutions for DDoS attacks?

  • In 2000, Canadian teen “Mafiaboy” was convicted for DDoS attacks on Yahoo, eBay, and CNN (Palo Alto Networks)
  • In 2017, a UK man was sentenced to 2 years for launching DDoS attacks against gaming services (CERT-EU)

Why this matters: each conviction sets a precedent that DDoS is not a victimless crime, but many perpetrators remain anonymous behind botnets.

How long do DDoS attacks usually last?

Most DDoS attacks last between 2 and 3 hours, though some can stretch to days or weeks (Canadian Centre for Cyber Security, government security agency). The duration depends on the attacker’s resources, the target’s mitigation measures, and the motivation behind the strike.

What factors influence DDoS attack duration?

  • Attack type: Volumetric attacks (bandwidth saturation) are often short and intense; application-layer attacks can be prolonged because they target specific server functions (Palo Alto Networks).
  • Mitigation speed: Organizations with automated detection can shut down attacks in minutes; those relying on manual processes may suffer hours of downtime.
  • Attacker persistence: Some campaigns are designed to outlast manual mitigation, cycling through IP addresses and attack vectors.

Can DDoS attacks be prolonged?

Yes. For instance, a 2022 attack on a European bank lasted over 24 hours, using a mix of volumetric and application-layer methods (CERT-EU). Prolonged attacks often aim to exhaust an organization’s human and financial resources.

Bottom line: DDoS attacks typically last a few hours, but extended campaigns are not rare. Organizations should prepare for both short bursts and drawn-out assaults.

The pattern: duration is a strategic choice. Attackers trade off intensity for persistence, and defenders must plan for both.

What is an example of a DDoS attack?

Real-world DDoS attacks offer a glimpse into the scale and sophistication of these operations. Three stand out for their impact and visibility.

What are some real-world DDoS attack cases?

  • 2016 Dyn attack: The Mirai botnet targeted Dyn, a DNS provider, taking down major sites like Twitter, Netflix, and Reddit across the US and Europe (Palo Alto Networks)
  • 2018 GitHub attack: A 1.35 Tbps memcached amplification attack hit GitHub, lasting about 20 minutes before mitigation kicked in (Canadian Centre for Cyber Security)
  • 2020 AWS attack: The largest recorded by volume at 2.3 Tbps, using CLDAP reflection (Palo Alto Networks)

How do DDoS attacks target different industries?

DDoS attacks hit gaming, financial, government, and media sectors disproportionately (CERT-EU). For example, gaming platforms are frequent targets because downtime directly affects revenue.

What this means: no industry is immune, but attackers tend to follow the money or the political motive.

How do I know if I am under a DDoS attack?

Sudden website slowdown, unreachable services, and an unexplained surge in traffic are telltale signs (Canadian Centre for Cyber Security). Here’s how to spot the difference between a traffic spike and an attack.

What are the signs of a DDoS attack?

  • Unusual traffic spike: Sudden jump in requests from a single IP range or region.
  • Slow network or server response: Timeouts, high latency, or error messages.
  • Unexplained resource usage: CPU, memory, or bandwidth maxing out without a clear cause (Palo Alto Networks).

How can I monitor for DDoS activity?

Continuous monitoring with SIEM tools, traffic analysis, and baselines of normal behavior are essential (Canadian Centre for Cyber Security). The Canadian Centre for Cyber Security recommends establishing a baseline of normal network activity before an incident.

What to watch

A sudden 10x traffic increase from unusual geographies is a strong signal. Cross-reference with your baseline to distinguish a flash sale from a flood.
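
The baseline cross-check described above, as an added example in Python (not code from any of the cited sources). The per-minute request counts and region labels are constructed sample data; the 10x surge factor comes from the text, while the 1% "rare region" and 50% "unusual share" thresholds are assumptions to tune against your own traffic.

```python
from collections import Counter

# Constructed sample data: requests per source region in one-minute windows.
BASELINE_WINDOWS = [
    {"home-1": 480, "home-2": 390, "home-3": 60, "other-1": 2},
    {"home-1": 510, "home-2": 410, "home-3": 55},
    {"home-1": 495, "home-2": 400, "home-3": 70, "other-1": 1},
]
FLASH_SALE = {"home-1": 5600, "home-2": 4300, "home-3": 600, "other-1": 20}
FLOOD = {"home-1": 500, "home-2": 420, "home-3": 65,
         "other-1": 4100, "other-2": 3900, "other-3": 2400}

def build_baseline(windows):
    """Return (mean requests per window, share of baseline traffic per region)."""
    totals = Counter()
    for window in windows:
        totals.update(window)
    grand_total = sum(totals.values())
    shares = {region: n / grand_total for region, n in totals.items()}
    return grand_total / len(windows), shares

def classify(window, baseline_rate, shares, surge_factor=10.0,
             rare_share=0.01, unusual_fraction=0.5):
    """Label a window 'normal', 'surge-usual-geo' or 'suspected-ddos'."""
    total = sum(window.values())
    if total < surge_factor * baseline_rate:
        return "normal"
    # Requests from regions that are absent or rare (<1%) in the baseline.
    unusual = sum(n for region, n in window.items()
                  if shares.get(region, 0.0) < rare_share)
    if unusual / total >= unusual_fraction:
        return "suspected-ddos"   # surge dominated by unfamiliar geographies
    return "surge-usual-geo"      # surge from the usual audience, e.g. a sale

if __name__ == "__main__":
    rate, shares = build_baseline(BASELINE_WINDOWS)
    for name, window in [("flash sale", FLASH_SALE), ("flood", FLOOD)]:
        print(name, "->", classify(window, rate, shares))
```

Both sample windows exceed ten times the baseline rate; only the one whose volume comes mostly from regions the baseline has rarely seen is flagged.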

The catch: detection is only half the battle; without a response plan, even identified attacks can cause damage.

What is the most famous DDoS attack?

While several attacks have made headlines, the 2016 Dyn attack is often called the most famous because of its widespread impact on everyday internet users (Palo Alto Networks). But the 2020 AWS attack holds the volume record.

What is the biggest DDoS attack in history?

The 2020 AWS attack peaked at 2.3 Tbps, making it the largest by bandwidth (Canadian Centre for Cyber Security). It exploited CLDAP reflection, a technique that amplifies traffic by a factor of 70.

Why are these attacks notable?

  • The Dyn attack demonstrated how a single vulnerability (in IoT devices) could paralyze major internet infrastructure.
  • The GitHub attack showed that even large platforms can suffer if mitigation isn’t automatic.
  • The AWS attack proved that defenders can survive massive volumes with proper preparation.

The trade-off: fame comes from impact or volume, but the real lesson is preparation.

How to Stop a DDoS Attack

Stopping a DDoS attack requires a layered approach. These steps draw from official guidance by cyber authorities CERT-EU and Canadian Centre for Cyber Security.

  1. Establish a baseline of normal traffic so you can detect anomalies quickly (Canadian Centre for Cyber Security)
  2. Deploy a web application firewall (WAF) to filter malicious requests (Canadian Centre for Cyber Security)
  3. Use rate limiting and blacklisting to restrict traffic from suspicious IPs (CERT-EU)
  4. Implement upstream mitigation with CDN providers and ISPs to filter traffic before it reaches your network (CERT-EU)
  5. Use a scrubbing centre or DDoS mitigation service to divert and clean traffic (CERT-EU)
  6. Block known reflection vectors by preventing services such as NTP, SSDP, and Memcached from responding to public queries (Palo Alto Networks)
  7. Conduct a full postmortem within 72 hours after the attack ends (Palo Alto Networks)
  8. Retain logs for at least one year for forensic analysis and compliance (Indusface)

Why this matters: a well-prepared organization can reduce attack duration from hours to minutes.
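
Step 3 (rate limiting plus blacklisting) sketched as an added Python example, not code from the cited guidance: a per-IP token bucket that moves a source onto a temporary blocklist after repeated violations. The class name, the limits (5 requests/s, burst of 10, 5 strikes, 600 s block) and the documentation-range IP addresses are assumptions chosen for illustration.

```python
from collections import Counter

class RateLimiter:
    """Per-IP token bucket; repeated violations put the IP on a timed blocklist."""

    def __init__(self, rate=5.0, burst=10, max_strikes=5, block_seconds=600):
        self.rate, self.burst = rate, burst
        self.max_strikes, self.block_seconds = max_strikes, block_seconds
        self.buckets = {}        # ip -> (tokens left, time of last update)
        self.strikes = {}        # ip -> rejected requests since last block
        self.blocked_until = {}  # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return 'allowed', 'limited' or 'blocked' for a request at time `now`."""
        if self.blocked_until.get(ip, 0.0) > now:
            return "blocked"
        tokens, last = self.buckets.get(ip, (float(self.burst), now))
        # Refill in proportion to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            return "allowed"
        self.buckets[ip] = (tokens, now)
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.max_strikes:
            # Escalate from throttling to a block that expires on its own.
            self.blocked_until[ip] = now + self.block_seconds
            self.strikes[ip] = 0
            return "blocked"
        return "limited"

def simulate(limiter, events):
    """Replay (timestamp, ip) events in time order; count decisions per IP."""
    decisions = Counter()
    for now, ip in sorted(events):
        decisions[(ip, limiter.allow(ip, now))] += 1
    return decisions

# Constructed traffic: one source sends 100 requests in a second,
# another sends one request per second for ten seconds.
SAMPLE_EVENTS = ([(i / 100, "203.0.113.7") for i in range(100)]
                 + [(float(i), "198.51.100.20") for i in range(10)])

if __name__ == "__main__":
    for key, count in sorted(simulate(RateLimiter(), SAMPLE_EVENTS).items()):
        print(key, count)
```

Because the block expires after `block_seconds`, a legitimate client that shared an address with a noisy source regains access without manual cleanup.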

Timeline: Major DDoS Attacks

A look at key events that shaped DDoS history, from the first known incident to the record-breaking AWS attack.

  • 1999 – First known DDoS attack on the University of Minnesota (Palo Alto Networks)
  • 2000 – Mafiaboy attacks Yahoo, eBay, and CNN, raising public awareness (Palo Alto Networks)
  • 2016 – Dyn attack using Mirai botnet disrupts major services across the US (Palo Alto Networks)
  • 2018 – GitHub attack peaks at 1.35 Tbps, mitigated in 20 minutes (Canadian Centre for Cyber Security)
  • 2020 – AWS attack reaches 2.3 Tbps, the largest recorded (Canadian Centre for Cyber Security)

The implication: each attack taught defenders new lessons, but attackers also adapt.

What We Know and What Remains Unclear

Confirmed facts

  • DDoS attacks are illegal under the CFAA and similar laws worldwide (Legal Information Institute)
  • Mitigation techniques such as rate limiting, WAF, and CDN filtering are proven to reduce impact (CERT-EU)
  • The Mirai botnet source code was publicly released, leading to many copycat attacks (Palo Alto Networks)

What’s unclear

  • Exact attribution of many attacks remains unknown, as attackers hide behind IP spoofing and botnets (CERT-EU)
  • Future evolution of attack vectors: new amplification techniques may emerge as defenders close old ones (Canadian Centre for Cyber Security)

The implication: While confirmed facts provide a foundation, the unknowns highlight the need for continuous adaptation.

Quotes from Experts

“A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server.”

Palo Alto Networks (cybersecurity firm)

“Participating in Distributed Denial of Service attacks (DDoS) is a federal crime.”

FBI (US law enforcement)

“Establish a baseline of normal network activity so you can detect anomalies quickly.”

Canadian Centre for Cyber Security (government agency)

These authoritative voices underscore the seriousness of DDoS as both a legal and technical challenge.

Summary: The Real Threat Behind the Noise

DDoS attacks have evolved from teenage vandalism to a tool of cybercrime and even geopolitical leverage. The biggest recorded attack has already reached 2.3 Tbps, and the weaponry (botnets, amplification techniques, and open source code) is widely available. For any organization that depends on internet-facing services, the choice is clear: invest in detection and mitigation now, or plan for a costly outage later. For a small business with limited IT staff, a single hour of downtime can mean lost revenue and eroded customer trust, and that’s a risk no company can afford to ignore.


Frequently asked questions

What is the difference between DoS and DDoS?

DoS (Denial of Service) comes from a single source, while DDoS (Distributed Denial of Service) uses multiple compromised devices (a botnet). DDoS is harder to block because the traffic originates from many different IPs (Palo Alto Networks).

Can a DDoS attack be traced back to the attacker?

Sometimes, but it’s difficult. Attackers often use spoofed IPs, proxy chains, or botnets composed of compromised devices. Advanced attribution requires cooperation between ISPs and law enforcement (CERT-EU).

What is a botnet and how is it used in DDoS attacks?

A botnet is a network of compromised computers or devices (often IoT) controlled remotely. The attacker commands these bots to send traffic to a target, overwhelming it (Canadian Centre for Cyber Security).

How do DDoS attacks affect small businesses?

Small businesses often lack dedicated IT security and can be crippled by even a short attack. Downtime costs, remediation expenses, and reputational damage can be disproportionately severe (Indusface).

What was the first DDoS attack ever?

The first known DDoS attack occurred in 1999 at the University of Minnesota, targeting a campus computer lab (Palo Alto Networks).

How much does a DDoS attack typically cost a company?

The average cost is between $20,000 and $40,000 per hour of downtime, factoring in lost revenue, IT response, and reputational harm (Indusface).

Are DDoS attacks only launched by experienced hackers?

No. DDoS-for-hire services (often called “stressers” or “booters”) are widely available on the dark web, enabling anyone with a few dollars to launch an attack (CERT-EU).