Distributed denial-of-service (DDoS) attacks have evolved from a blunt instrument used by hobbyist hackers into a sophisticated tool deployed by nation-state actors, ransomware gangs, and hacktivist groups. In Australia, the volume and intensity of DDoS attacks have risen sharply in recent years, with financial services, telecommunications, government, and e-commerce among the most targeted sectors. Understanding how these attacks work is the first step toward building a defence that actually holds.
What a DDoS attack actually does
A denial-of-service attack floods a target, whether a web server, network link, or application layer, with so much traffic or so many requests that it can no longer serve legitimate users. The "distributed" part means the attack traffic comes from thousands or millions of sources simultaneously, making it far harder to block than traffic originating from a single IP address.
Attackers typically build or rent a botnet: a network of compromised devices that collectively generate the flood. Modern botnets exploit everything from misconfigured home routers and internet-of-things devices to cloud virtual machines with stolen credentials. The owner of each compromised device usually has no idea it is participating in an attack.
There are three broad categories of DDoS attack that Australian security teams should understand:
- Volumetric attacks overwhelm bandwidth with sheer traffic volume, commonly using amplification techniques such as DNS reflection or NTP amplification to multiply the attack size by a factor of tens or hundreds.
- Protocol attacks exploit weaknesses in network protocols, particularly at Layers 3 and 4 of the OSI model. SYN flood attacks, for instance, exhaust the connection state tables of firewalls and load balancers.
- Application layer (Layer 7) attacks send seemingly legitimate HTTP or HTTPS requests at high volume, targeting the processing capacity of a web server or application. These are harder to detect because the traffic looks like normal user behaviour.
The Australian threat landscape
Australia's exposure to DDoS attacks is shaped by its role as a high-income, digitally connected economy in the Asia-Pacific region. The Australian Signals Directorate has repeatedly flagged volumetric and application-layer DDoS as a persistent threat to critical infrastructure, particularly energy, financial services, and health. Attacks timed to coincide with major news events, political decisions, or geopolitical tensions are a growing pattern.
Ransomware groups increasingly use DDoS as a secondary pressure tactic. If a victim is rebuilding after an encryption attack, a simultaneous DDoS on their public-facing services compounds the outage and increases pressure to pay. For broader context on how ransomware operators layer their pressure campaigns, the ransomware guidance for Australian IT teams on this site covers the current threat picture in detail.
There is also a DDoS-for-hire economy that lowers the barrier to attack dramatically. Booter and stresser services let almost anyone pay a small fee to launch a volumetric attack against a target of their choice. This means small businesses, local councils, and community organisations can find themselves in the crosshairs, not just enterprise or government targets.
How attackers choose their targets
Opportunism drives a significant share of DDoS activity. Automated scanning tools identify publicly reachable services, and poorly mitigated targets are noted and revisited. But many attacks are deliberate and targeted, motivated by:
- Financial extortion ("pay us or we maintain the attack")
- Competitive disruption, particularly in online gaming and e-commerce
- Hacktivism tied to political or social causes
- Nation-state operations designed to destabilise critical services
- Smokescreen attacks that distract security teams while a parallel intrusion occurs
The smokescreen use case is particularly dangerous and underappreciated. A well-timed DDoS absorbs the attention of the security operations centre while attackers pursue credential theft or data exfiltration through a separate vector. This is why treating a DDoS event as purely a network problem, rather than investigating it as part of a broader incident, can be a costly mistake.
Building a layered defence
No single control prevents every DDoS attack, but a layered approach significantly reduces impact. The following measures form the practical core of DDoS resilience for Australian organisations:
Upstream scrubbing and CDN protection
Cloud-based DDoS scrubbing services sit in front of your infrastructure and absorb or filter attack traffic before it reaches your network. Providers like Cloudflare, Akamai, and AWS Shield route traffic through their globally distributed scrubbing centres, using a combination of traffic analysis, rate limiting, and reputation databases to separate attack packets from legitimate requests. For most Australian organisations, this is the single most effective control against volumetric attacks.
Network-level rate limiting and ACLs
At the perimeter, access control lists and rate limiting rules on routers and firewalls can blunt protocol-layer attacks. These controls are not sufficient on their own against large-scale volumetric floods because the attack traffic still consumes upstream bandwidth, but they reduce the load on downstream systems and buy time for scrubbing services to engage.
Anycast routing
Large scrubbing network operators use anycast routing to distribute attack traffic across dozens of data centres simultaneously. The attack is absorbed across a wide surface area rather than concentrating on a single point of presence. This is largely delivered as part of managed DDoS protection services rather than something an organisation builds itself.
Application layer defences
Layer 7 attacks require a web application firewall (WAF) capable of detecting anomalous request patterns. Challenge-response mechanisms such as CAPTCHAs and JavaScript challenges can be deployed under attack conditions to separate browsers from bots. Rate limiting by IP, session, or user agent pattern is another layer that helps here. Teams that have deployed zero trust security principles, including strict authentication at every access layer, find that the surface exposed to application-layer DDoS is smaller to begin with, because unauthenticated requests are rejected before they reach expensive application logic.
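As an added example (not code from the original article), the following Python applies the two Layer 7 heuristics just described, a per-IP sliding-window request counter and a scripted-client user-agent check, to constructed combined-format access log lines; the thresholds, documentation-range IPs and log lines are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, unix_ts, request, user_agent), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT).timestamp(), m.group("req"), m.group("ua")

def detect_flood(lines, max_requests=5, window_seconds=10,
                 tool_ua_prefixes=("python-requests", "curl/", "go-http-client")):
    """Flag IPs exceeding max_requests in any window_seconds span (sliding window per IP)
    or presenting an empty / scripted user agent. Returns {ip: reason}. Thresholds are assumed."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[1])
    recent = defaultdict(deque)  # ip -> request timestamps still inside the window
    flagged = {}
    for ip, ts, _req, ua in events:
        if ip in flagged:
            continue
        if ua == "" or ua.lower().startswith(tool_ua_prefixes):
            flagged[ip] = f"user-agent {ua!r} matches scripted-client pattern"
            continue
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] > window_seconds:  # evict requests that fell out of the window
            dq.popleft()
        if len(dq) > max_requests:
            flagged[ip] = f"{len(dq)} requests in {window_seconds}s (limit {max_requests})"
    return flagged

def _line(ip, sec, ua, path="/login"):
    # Constructed sample line (documentation-range IPs, not real traffic)
    return f'{ip} - - [10/Mar/2024:09:15:{sec:02d} +1100] "POST {path} HTTP/1.1" 200 512 "-" "{ua}"'

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
SAMPLE_LOG = ([_line("203.0.113.7", s, BROWSER_UA) for s in range(8)]           # 8 hits in 7 s
              + [_line("198.51.100.23", s, "python-requests/2.31") for s in (3, 40)]
              + [_line("192.0.2.44", s, BROWSER_UA, "/products") for s in (1, 30, 59)]
              + ["not a log line, should be skipped"])

if __name__ == "__main__":
    for ip, reason in detect_flood(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The third client stays unflagged because its three requests are spread over a minute, which is the distinction a flat per-IP count would miss.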
Incident response planning
Knowing what to do when an attack begins is as important as the technical controls in place beforehand. A DDoS response runbook should cover: who is notified and in what order, how the team confirms it is a DDoS rather than a different outage type, which escalation paths activate with upstream providers, and how the team maintains communications during an outage. This runbook should be tested through tabletop exercises at least annually. Teams looking at broader incident response planning, including mandatory notification obligations, will find the data breach response guidance a useful companion, particularly for attacks that transition into data exfiltration events.
What the Essential Eight says
The ASD's Essential Eight does not address DDoS directly, because it is primarily focused on preventing malware delivery and privilege escalation. However, several Essential Eight controls reduce the blast radius of a DDoS attack used as a cover for intrusion: patching internet-facing services closes the vulnerabilities attackers might exploit during the distraction window, and multi-factor authentication limits the value of credentials that might be harvested during the confusion of an active outage.
Practical steps for Australian IT teams
The practical starting point for most Australian IT teams is an honest assessment of current exposure. Map every internet-facing service, including those hosted on third-party SaaS or cloud infrastructure, and confirm that each has appropriate upstream protection. Review contracts with internet service providers and cloud hosting vendors for DDoS mitigation service level agreements; many default contracts offer minimal protection. For organisations in sectors designated as critical infrastructure under the Security of Critical Infrastructure Act, DDoS resilience is not optional: it is part of the risk management programme required by law.
Test your defences before an attacker does. Controlled load testing and, for more mature organisations, red-team exercises that simulate DDoS alongside parallel intrusion attempts reveal gaps that theoretical planning does not. The cost of a few hours of testing is trivial compared to the cost of a prolonged outage during peak trading or a government service window.
