Your site goes down. Response times spike from 80ms to 30 seconds. Then nothing. Most people assume something broke. In reality, someone may have just thrown a wall of traffic at your server until it collapsed under the weight.
Volumetric DDoS attacks are the most common type of distributed denial-of-service attack — and the most misunderstood. People hear "DDoS" and picture shadowy hackers. The reality is more mechanical and, in some ways, more boring. It's mostly about one thing: filling up pipes.
Understanding what actually happens at the network level helps you make smarter decisions about your hosting setup. So let's break it down.
What a Volumetric Attack Is Trying to Do
Every server has a fixed amount of network bandwidth — the maximum amount of data it can send and receive per second. A volumetric DDoS attack tries to saturate that bandwidth completely. When your pipe is full, legitimate traffic can't get through. Your site doesn't just slow down; it becomes unreachable.
Think of it like a highway with four lanes. Normal traffic flows fine. Now imagine 50,000 cars all trying to enter at once. Nothing moves. That's the model — pure capacity exhaustion.
The numbers here aren't small. Modern volumetric attacks regularly hit hundreds of gigabits per second. The largest on record have broken the 1 Tbps barrier. A typical shared hosting server sits on a 1 Gbps uplink. You can see how quickly this gets problematic.
The Three Most Common Volumetric Attack Vectors
UDP Flood
UDP (User Datagram Protocol) is connectionless — you can send packets to any IP and port without establishing a session first. Attackers exploit this by flooding a target with massive volumes of UDP packets. The server tries to process each packet, finds nothing listening on that port, and sends back an ICMP "destination unreachable" message. Multiply that by millions of packets per second, and both inbound and outbound bandwidth get hammered simultaneously.
ICMP (Ping) Flood
Ping packets are small — usually 64 bytes. But send enough of them fast enough and they add up. ICMP floods overwhelm the network stack on the server itself. The server burns CPU cycles processing each incoming request and generating echo replies, leaving almost nothing for real work.
Amplification Attacks
These are the most dangerous volumetric attacks because they let attackers punch well above their weight. The basic mechanics work like this:
- The attacker sends a small request to an open server (DNS, NTP, Memcached, etc.) with your IP address forged as the source
- The open server sends a much larger response back to your IP
- The attacker does this thousands of times in parallel
DNS amplification can achieve a 28x to 54x amplification factor. NTP amplification can hit 556x. Memcached amplification has been measured at over 51,000x in real attacks. With a botnet of even modest size, this lets attackers generate hundreds of gigabits of traffic pointed at a single target.
What This Traffic Looks Like on the Wire
Network engineers can spot volumetric attacks quickly when reviewing traffic captures. Some telltale signs:
- Packet size uniformity: Attack traffic often consists of packets that are all nearly the same size. Real browsing traffic is mixed — small DNS queries, medium HTML responses, larger image downloads. A uniform pattern is a red flag.
- Single-port concentration: Traffic hammering port 53 or port 80 exclusively, with nothing else, looks unnatural.
- Spoofed source IPs: Amplification attacks forge your address as the source of the requests sent to open servers, so the responses reach you from the real addresses of known open resolvers worldwide: thousands of different IPs, all sending similar-sized packets at unusual rates.
- Geographic clustering: Botnet-driven floods often show heavy concentration from specific countries or ASNs, especially those known to host compromised infrastructure.
- Protocol ratios: On a normal web server, UDP traffic should be a fraction of TCP. If UDP suddenly represents 95% of incoming packets, something is wrong.
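The size, port and protocol signs above can be computed directly from a capture window. The following is an added example, not code from the original article: the packet records are constructed, the thresholds are illustrative assumptions, and geographic clustering is left out because it needs an external GeoIP/ASN lookup.

```python
from collections import Counter

# Constructed sample records: (src_ip, proto, src_port, dst_port, length_bytes).
def make_normal():
    """Mixed web traffic: varied sizes, mostly TCP, a little DNS."""
    sizes = [60, 74, 583, 1514, 1514, 66, 310, 1200]
    pkts = [(f"198.51.100.{i % 40}", "tcp", 40000 + i,
             443 if i % 3 else 80, sizes[i % len(sizes)]) for i in range(400)]
    pkts += [(f"198.51.100.{i}", "udp", 50000 + i, 53, 80) for i in range(20)]
    return pkts

def make_flood():
    """Constructed reflection-style flood mixed with some normal traffic."""
    pkts = [(f"203.0.113.{i % 250}", "udp", 123, 80, 468) for i in range(1900)]
    return pkts + make_normal()[:100]

def indicators(pkts):
    """Compute per-window ratios for the size, port and protocol signs."""
    n = len(pkts)
    sizes = Counter(p[4] for p in pkts)
    ports = Counter(p[3] for p in pkts)
    return {
        "modal_size_share": sizes.most_common(1)[0][1] / n,
        "top_port_share": ports.most_common(1)[0][1] / n,
        "udp_share": sum(p[1] == "udp" for p in pkts) / n,
        "unique_sources": len({p[0] for p in pkts}),
    }

# Thresholds are illustrative assumptions; tune them against your own baseline.
def flags(ind, size_thr=0.8, port_thr=0.9, udp_thr=0.9):
    checks = [("uniform-size", ind["modal_size_share"] >= size_thr),
              ("single-port", ind["top_port_share"] >= port_thr),
              ("udp-heavy", ind["udp_share"] >= udp_thr)]
    return [name for name, hit in checks if hit]

if __name__ == "__main__":
    for label, pkts in (("normal", make_normal()), ("flood", make_flood())):
        ind = indicators(pkts)
        print(label, ind, flags(ind))
```

The normal window raises no flags, while the flood window trips all three at once; any single flag on its own is weak evidence.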
Why Your Server Can't Simply Absorb It
A common misconception is that you just need a powerful enough server. CPU and RAM matter less than you'd think during a volumetric attack. The bottleneck is almost always the network link itself.
Even if your server's CPU ignores every malicious packet, the packets still have to arrive at your network card before they can be dropped. A 10 Gbps attack against a 1 Gbps server doesn't need to be processed — it just needs to exist. The pipe fills up regardless of what the server does internally. You can't out-hardware a volumetric attack at the server level.
This is why the only real defense happens upstream, before the traffic reaches your server at all. We covered this in detail in "DDoS Attacks Explained: What They Are and How Hosting-Level Protection Actually Works."
Where DDoS Protection Hosting Actually Intervenes
Effective DDoS protection for hosted sites works by scrubbing traffic upstream at the network edge — at a point in the infrastructure that has far more capacity than any individual server. When an attack is detected, traffic gets rerouted through scrubbing centers that can process hundreds of gigabits per second, strip out the malicious packets, and pass only clean traffic downstream to your server.
The key technical steps look something like this:
- Detection: Traffic baselines are established. Anomalies — sudden spikes in UDP, unusual packet size distributions, rate limits being hit — trigger an alert.
- Classification: Attack traffic gets fingerprinted. Is it a reflection attack? A UDP flood? What ports, what protocols, what source patterns?
- Filtering: Rules are applied to drop matching traffic before it reaches the origin server. Clean traffic continues. Malicious traffic is discarded.
- Monitoring: The attack profile often shifts as attackers realize their flood is being neutralized. Ongoing analysis adapts filters in real time.
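The four steps above, as an added sketch that is not the provider's own implementation: it assumes per-second inbound UDP rate samples, classifies reflection by the source port of the abused service (DNS 53, NTP 123, Memcached 11211), and emits drop rules in a hypothetical dictionary format rather than any real firewall syntax. All sample data is constructed.

```python
from collections import Counter

# Reflected responses arrive *from* the abused service's UDP port.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 11211: "memcached"}

class Baseline:
    """Detection: EWMA of inbound UDP bits/sec; alpha and factor are assumed values."""
    def __init__(self, alpha=0.1, factor=5.0):
        self.alpha, self.factor, self.avg = alpha, factor, None

    def observe(self, bps):
        if self.avg is None:
            self.avg = float(bps)
            return False
        anomalous = bps > self.factor * self.avg
        if not anomalous:  # keep attack traffic out of the baseline
            self.avg += self.alpha * (bps - self.avg)
        return anomalous

def classify(window):
    """Classification: window is a list of (src_port, dst_port, length) UDP packets."""
    port, count = Counter(p[0] for p in window).most_common(1)[0]
    if port in REFLECTOR_PORTS and count / len(window) >= 0.8:
        return REFLECTOR_PORTS[port] + "-reflection", {"proto": "udp", "src_port": port}
    dport = Counter(p[1] for p in window).most_common(1)[0][0]
    return "udp-flood", {"proto": "udp", "dst_port": dport}

def run(samples):
    """Filtering + monitoring: emit a new drop rule whenever the profile changes."""
    base, rules = Baseline(), []
    for bps, window in samples:
        if base.observe(bps):
            kind, match = classify(window)
            rule = dict(match, action="drop", reason=kind)
            if rule not in rules:
                rules.append(rule)
    return rules

# Constructed per-second samples: quiet traffic, an NTP reflection, then a shift.
QUIET = [(2_000_000 + 10_000 * i, [(53, 40000 + i, 120)]) for i in range(10)]
NTP = [(900_000_000, [(123, 80, 468)] * 95 + [(53, 41000, 120)] * 5)] * 3
SHIFT = [(700_000_000, [(40000 + i, 80, 1024) for i in range(100)])] * 2
SAMPLES = QUIET + NTP + SHIFT

if __name__ == "__main__":
    for rule in run(SAMPLES):
        print(rule)
```

The baseline is frozen while a sample is anomalous, so a sustained flood cannot drag the average upward and hide itself.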
Good DDoS protection hosting operates at a network capacity that makes even large attacks manageable — because the scrubbing layer absorbs the volume before your server ever sees it. That's what we do here, and it's why the protection has to live at the hosting infrastructure level rather than on the server itself.
For a look at how this fits into a broader security strategy, "The Website Security Stack Every Site Owner Should Know About in 2025" is worth reading.
What About Application-Layer Attacks?
Volumetric attacks target bandwidth. But there's a related category — Layer 7 or application-layer attacks — that target your web server's processing capacity instead. These send requests that look like normal HTTP traffic but are designed to exhaust server resources (database connections, session memory, CPU).
These attacks use far less bandwidth and are harder to detect through packet analysis alone. That's where a web application firewall comes in — it inspects the content of requests, not just the volume. The two defenses are complementary, not interchangeable. "What Is a Web Application Firewall and Do You Really Need One?" explains how that layer works in practice.
You can also explore the technical details of how we handle both threat types in our DDoS mitigation overview and WAF documentation.
The Practical Takeaway
Volumetric DDoS attacks are a bandwidth problem, not a software problem. No amount of server hardening, WordPress plugins, or application-level configuration will save you when a multi-gigabit flood hits your uplink. The protection has to happen upstream, at the network level, with enough capacity to absorb or filter the attack traffic before it reaches you.
If your hosting plan doesn't include infrastructure-level DDoS mitigation, you're relying on your server surviving something it structurally cannot survive on its own. That's the part worth understanding — and worth checking before the next attack, not after.