DDoS attack protection: the main threat to digital service availability

February 4, 2026

Distributed denial-of-service (DDoS) attacks are becoming increasingly frequent. Their goal is to cause service unavailability across the assets of companies and organisations in order to generate economic impact or reputational damage for the targeted organisation.

To carry them out, organised groups and threat actors—driven by political, ideological, economic or other motives—make use of tools that leverage the power of bot networks (botnets) to launch attacks from multiple locations against specific services until they saturate them, thereby causing a denial of service and preventing access or normal operation.

DDoS attacks have become one of the leading causes of digital service outages, directly affecting business continuity and corporate reputation.

The global growth of DDoS attacks

The cyber threat landscape during the second half of 2025 shows a significant escalation in both the volume and sophistication of DDoS attacks, with more than 8 million attacks recorded, according to Netscout data.

Cyber threats continue to evolve, and DDoS attacks have become tools used in digital conflicts and campaigns aimed at destabilising critical infrastructure (communications, transport, energy, defence), often operating through interconnected networks and intensifying especially during high-visibility events.

Main types of DDoS attacks

Today, DDoS attacks are classified into volumetric attacks, state or resource exhaustion attacks, and application-layer attacks.

Volumetric DDoS attacks

Volumetric DDoS attacks aim to saturate the available bandwidth, overloading the access network, typically the WAN links connected to the internet.

For this type of attack, the victim IP address does not need to be assigned to a server or even be in use. It only needs to be routable on the internet.

There have been cases of attacks targeting the last IP address in a customer’s range, which has no actual use. For example, a flood of unsolicited packets, typically using the UDP protocol, causes downstream bandwidth saturation. Even if this traffic is dropped at the datacenter ingress firewall, the saturation is still effective and the attacker achieves their objective.

Some of the most common examples of volumetric DDoS attacks include UDP Flood and DNS Reflection/Amplification:

  • UDP Flood: consists of generating large volumes of UDP packets against the chosen victim.
  • DNS Reflection/Amplification: uses DNS servers to generate a large volume of traffic and overwhelm the target server.

Volumetric attacks do not aim to exploit system vulnerabilities, but to overwhelm network capacity, making services inaccessible even when security systems are working correctly.

Resource exhaustion DDoS attacks

Resource exhaustion attacks seek to consume the state tables of the TCP/IP stack present in most components of the victim’s security and service infrastructure: firewalls, IPS, load balancers, or the TCP servers themselves.

All stateful devices—network and security systems that maintain information about the state of each connection—have a limit on their capacity to process new connections. This type of attack aims to saturate that capacity.

Two typical examples of this type of attack are SYN Flood and TCP Connection Flood:

  • SYN Flood: floods the servers’ connection table with SYN packets, overwhelming them so they cannot accept new connections.
  • TCP Connection Flood: floods the firewall with legitimate TCP connections at a rate higher than the number of connections per second it can handle. As a result, all services behind the firewall lose connectivity.

    Additionally, connectivity between the internal network (LAN) and the DMZ, where internet-facing services reside, will stop working, clearly showing that the saturation occurs at the firewall and not on the internet access link.
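
The distinction between the two attacks above matters for detection: a SYN Flood leaves half-open entries behind, while a TCP Connection Flood completes every handshake and is only visible as an excessive rate of new connections. The following is an added example, not part of the original article; the thresholds, function names and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed limits of the protected stateful device (hypothetical values).
MAX_HALF_OPEN = 5   # half-open entries tolerated per destination
MAX_NEW_CPS = 3     # new connections per second the firewall can absorb

def classify(events, window=1.0):
    """events: (ts, src, sport, dst, dport, flag), flag is 'SYN' or 'ACK'.
    Returns {dst: 'syn_flood' | 'connection_flood' | 'normal'}."""
    half_open = defaultdict(set)    # dst -> client tuples awaiting the final ACK
    completed = defaultdict(list)   # dst -> timestamps of completed handshakes
    for ts, src, sport, dst, dport, flag in sorted(events):
        key = (src, sport, dport)
        if flag == "SYN":
            half_open[dst].add(key)
        elif flag == "ACK" and key in half_open[dst]:
            half_open[dst].discard(key)
            completed[dst].append(ts)
    verdict = {}
    for dst in set(half_open) | set(completed):
        times, peak, start = completed[dst], 0, 0
        for end, t in enumerate(times):      # peak handshakes in any window
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if len(half_open[dst]) > MAX_HALF_OPEN:
            verdict[dst] = "syn_flood"       # table fills with half-open entries
        elif peak / window > MAX_NEW_CPS:
            verdict[dst] = "connection_flood"  # valid handshakes, excessive rate
        else:
            verdict[dst] = "normal"
    return verdict

def sample_events():
    """Constructed traffic using documentation address ranges."""
    ev = []
    for i in range(20):   # 20 SYNs to .10 that never complete
        ev.append((0.01 * i, f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443, "SYN"))
    for i in range(12):   # 12 full handshakes to .20 within 0.6 s
        c = ("192.0.2.7", 50000 + i, "203.0.113.20", 443)
        ev += [(0.05 * i, *c, "SYN"), (0.05 * i + 0.01, *c, "ACK")]
    for i in range(2):    # 2 ordinary connections to .30, two seconds apart
        c = ("192.0.2.9", 51000 + i, "203.0.113.30", 443)
        ev += [(2.0 * i, *c, "SYN"), (2.0 * i + 0.02, *c, "ACK")]
    return ev

if __name__ == "__main__":
    print(classify(sample_events()))
```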

Application-layer DDoS attacks

Application-layer attacks saturate resources such as CPU, memory or concurrent sessions of a specific service.

These attacks are more stealthy, as they can be carried out using legitimate traffic and may even be launched from a single attacking machine while generating relatively low traffic volumes.

Some examples of this type of DDoS attack include:

  • Slowloris, which aims to open as many HTTP connections as possible to a web server and keep them open for as long as possible, preventing the server from handling legitimate requests.
  • RUDY: very similar to the previous attack, it aims to saturate the number of connections on a web server and keep them open by sending traffic.
  • THC-SSL: an attack that generates numerous SSL renegotiation attempts, saturating the CPU of the HTTPS server.

For each type of network scenario or attack, a specific Anti-DDoS architecture solution must be applied.
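
Because the connection-holding attacks listed above (Slowloris, RUDY) generate little traffic, volume thresholds miss them; what stands out is how many unfinished requests one client keeps open and how large a share of the server's connection pool they occupy. The following is an added example, not part of the original article; the thresholds, record fields and sample connection table are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (hypothetical; tune to the service's real traffic).
MAX_REQUEST_AGE = 10.0     # seconds a request may remain incomplete
MIN_BYTES_PER_SEC = 50.0   # slower than this, an open request counts as held
MAX_HELD_PER_CLIENT = 3    # held connections tolerated per client

def held_report(conns, now, pool_size):
    """conns: dicts with client, opened_at, bytes_received, request_complete.
    Returns {client: {'held', 'bytes', 'pool_share'}} for offending clients."""
    stats = defaultdict(lambda: {"held": 0, "bytes": 0})
    for c in conns:
        age = now - c["opened_at"]
        if c["request_complete"] or age < MAX_REQUEST_AGE:
            continue                      # finished, or still in its grace period
        if c["bytes_received"] / age < MIN_BYTES_PER_SEC:
            stats[c["client"]]["held"] += 1
            stats[c["client"]]["bytes"] += c["bytes_received"]
    return {
        client: {**s, "pool_share": s["held"] / pool_size}
        for client, s in stats.items() if s["held"] > MAX_HELD_PER_CLIENT
    }

def sample_connections():
    """Constructed connection table as seen at now=60 s."""
    conns = [  # one client trickling 120 bytes into each of 8 unfinished requests
        {"client": "198.51.100.5", "opened_at": float(i), "bytes_received": 120,
         "request_complete": False} for i in range(8)
    ]
    conns += [
        # ordinary completed request
        {"client": "192.0.2.20", "opened_at": 58.0, "bytes_received": 700,
         "request_complete": True},
        # large but fast upload, still in progress
        {"client": "192.0.2.30", "opened_at": 40.0, "bytes_received": 4_000_000,
         "request_complete": False},
    ]
    return conns

if __name__ == "__main__":
    print(held_report(sample_connections(), now=60.0, pool_size=10))
```

In the constructed sample, 960 bytes in total are enough to occupy 80% of a ten-slot pool, while the fast 4 MB upload is not flagged.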

Anti-DDoS solutions to protect digital services

An ISP-based solution deployed from the operator’s network can effectively address any type of attack with proper configuration and deployment, with minimal impact on service delivery and providing clean traffic transparently to the customer over the same contracted communication link, without the need for traffic diversion.

A Cloud-based solution is suitable for any type of volumetric attack, delivering clean traffic via a virtual point-to-point link. It is also appropriate when a company has multi-country sites, with different geographic locations and multiple internet providers.

These solutions offer on-demand configuration, diverting traffic at the time of the attack to counter it; or always-on mode, where all traffic is continuously analysed to stop a volumetric attack the moment it occurs.

Key capabilities of an effective DDoS protection solution

The core features that any denial-of-service protection solution should provide include monitoring and detection, mitigation and traffic scrubbing, and mitigation reporting:

  • In the monitoring phase, traffic to or from the customer is continuously analysed to identify attack traffic patterns using DDoS detection mechanisms.
  • The mitigation and malicious traffic scrubbing phase removes all illegitimate traffic destined for the customer. This can be performed in always-on or on-demand mode, depending on the specific configuration, ensuring that only legitimate traffic reaches the company and preventing service collapse by transparently stopping the attack.
  • Finally, any denial-of-service protection solution should provide real-time information throughout an attack—at the start, during, and upon its completion.

A managed DDoS protection service delivered by a network operator enables faster and more effective detection, mitigation and traffic scrubbing, minimising the impact on services.

The importance of an operator-managed DDoS protection service

One might ask whether it is necessary to contract a managed service alongside a denial-of-service protection solution—and if so, from whom.

As noted earlier, denial-of-service attacks are becoming increasingly frequent, with millions of attacks each year. Based on internet traffic visibility, those who can observe the largest share of traffic are best positioned to stop this type of service unavailability attack.

Therefore, having a managed DDoS protection service supported by the operator’s network and run by specialised teams is key to effective defence. A telecommunications operator, in its role as an internet service provider, offers a privileged view of global traffic and the ability to act directly from the network to mitigate attacks.

Building on this infrastructure, Telefónica Tech provides companies with expert teams fully dedicated to DDoS attack detection and mitigation, mitigating more than 1,500 attacks annually in customer environments, applying the most appropriate countermeasures at each stage of the attack and minimising the impact on customer services.

A telecommunications operator, thanks to its global traffic visibility and network-level response capabilities, is best positioned to mitigate DDoS attacks effectively.

In this way, attack detection is performed automatically when certain traffic patterns targeting customer links are identified, generating an alert that is logged in the systems for evaluation by the service operations team. This ensures effective mitigation of all types of attacks and proactive detection of denial-of-service attacks.

When a potential attack is detected, detection tools generate the corresponding alerts and action must be taken, either automatically or manually, but always under the supervision of experts in this type of solution, provided by the network operator from its position as an ISP.

Conclusions

Any company with an online presence, regardless of sector or industry, that needs to protect its network assets and ensure service availability, business continuity and reputation, requires a tailored denial-of-service protection solution capable of detecting, mitigating and reporting at all times when an attack occurs.

In the case of the public sector, additional requirements apply.

A telecommunications operator, due to its global traffic visibility and network response capabilities, combined with an expert team specialised in these solutions, is best positioned to mitigate DDoS attacks effectively.