{"id":23002,"date":"2026-04-29T06:40:47","date_gmt":"2026-04-29T06:40:47","guid":{"rendered":"https:\/\/atalnetworks.com\/?p=23002"},"modified":"2026-05-10T13:38:16","modified_gmt":"2026-05-10T13:38:16","slug":"what-is-ddos-attack","status":"publish","type":"post","link":"https:\/\/atalnetworks.com\/nl\/what-is-ddos-attack\/","title":{"rendered":"DDoS Attacks: How They Work and How to Stop Them"},"content":{"rendered":"<p><b>A Distributed Denial of Service (DDoS) attack floods a server, network, or online service with traffic from thousands to millions of compromised devices until it can no longer respond to legitimate users. DDoS attacks target bandwidth, connection capacity, or application processing power \u2014 all at once, from sources distributed across dozens of countries, making them nearly impossible to block by IP address alone.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The numbers behind this threat are not abstract. In Q1 2025, Cloudflare blocked 20.5 million DDoS attacks \u2014 matching 96% of everything it blocked across all of 2024. The largest single attack on record peaked at 22.2 terabits per second in September 2025. Terabit-scale attacks now occur daily.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">An unprotected organization loses approximately $6,000 per minute during a DDoS attack, according to<\/span><a href=\"https:\/\/www.kentik.com\/kentipedia\/ddos-protection\/\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">Kentik&#8217;s 2026 DDoS analysis<\/span><\/a><span style=\"font-weight: 400;\">. At 45 minutes average attack duration, that is $270,000 per incident \u2014 before factoring in reputational damage, SLA penalties, and customer churn.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At Atal Networks, our network engineering team defends against DDoS attacks continuously across 213+ data centers in 196+ countries. Our DPI-powered scrubbing and BGP Flowspec-based mitigation protects more than 35,000<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/dedicated-servers\/\"> <span style=\"font-weight: 400;\">aangewezen server<\/span><\/a><span style=\"font-weight: 400;\"> en<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/vps\/\"> <span style=\"font-weight: 400;\">VPS-hosting<\/span><\/a><span style=\"font-weight: 400;\"> clients every day. This article covers how these attacks are built, how they run, and exactly what stops them.<\/span><\/p>\n<div id=\"table-of-contents\" style=\"background-color: #f9f9f9; padding: 20px; margin-bottom: 25px; border: 1px solid #e1e1e1;\">\n<h2><b>Table of Contents<\/b><\/h2>\n<ul>\n<li><a href=\"#ddos-vs-dos\">DDoS vs. DoS: What Makes Them Different<\/a><\/li>\n<li><a href=\"#how-botnets-power\">How Botnets Power DDoS Attacks<\/a><\/li>\n<li><a href=\"#types-of-ddos\">The 7 Types of DDoS Attacks<\/a><\/li>\n<li><a href=\"#multi-vector\">Multi-Vector DDoS: The 2025-2026 Attack Model<\/a><\/li>\n<li><a href=\"#financial-cost\">The Real Financial Cost of a DDoS Attack<\/a><\/li>\n<li><a href=\"#methods-stop\">9 Methods That Actually Stop DDoS Attacks<\/a><\/li>\n<li><a href=\"#dedicated-vs-vps\">DDoS Protection: Dedicated Server vs. VPS<\/a><\/li>\n<li><a href=\"#attack-response\">DDoS Attack Response: Step-by-Step<\/a><\/li>\n<li><a href=\"#legal-consequences\">Legal Consequences of DDoS Attacks<\/a><\/li>\n<li><a href=\"#how-atal-protects\">How Atal Networks Protects Your Server<\/a><\/li>\n<li><a href=\"#faq\">Frequently Asked Questions About DDoS Attacks<\/a><\/li>\n<li><a href=\"#related-articles\">Related Articles<\/a><\/li>\n<\/ul>\n<\/div>\n<h2><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone size-full wp-image-23005\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different.webp\" alt=\"DDoS vs. DoS - What Makes Them Different\" width=\"1600\" height=\"893\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different.webp 1600w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different-300x167.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different-1024x572.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different-768x429.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different-1536x857.webp 1536w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS-vs.-DoS-What-Makes-Them-Different-18x10.webp 18w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/h2>\n<h2 id=\"ddos-vs-dos\"><b>DDoS vs. DoS: What Makes Them Different<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">A Denial of Service (DoS) attack sends high traffic volume from a single machine to overwhelm a target. A Distributed Denial of Service (DDoS) attack does the same using thousands to millions of compromised devices across multiple countries and IP ranges simultaneously \u2014 making source-based blocking nearly impossible.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A DoS attack is straightforward to stop. Identify the single attacking IP address, block it, and the attack ends. Attackers solved this defense decades ago by switching to a distributed model.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A DDoS attack draws on a<\/span><a href=\"https:\/\/claude.ai\/chat\/75a43d58-7ae1-4692-80b0-bf6564b7da9b#how-botnets-power-ddos-attacks\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">botnet<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 a network of devices compromised without their owners&#8217; knowledge. When 500,000 unique IP addresses each send a small stream of traffic to your server, you cannot block the attack by banning individual sources. The traffic profile matches legitimate users because the compromised devices generating it are legitimate\u2014they are just being controlled remotely.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to<\/span><a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">Wikipedia&#8217;s entry on denial-of-service attacks<\/span><\/a><span style=\"font-weight: 400;\">, this distributed architecture separates the attack origin (the attacker) from the attack source (the botnet), making attribution and mitigation exponentially harder than single-source attacks.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The target resource varies by attack type:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Attack Category<\/b><\/td>\n<td><b>Resource Targeted<\/b><\/td>\n<td><b>OSI Layer<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Volumetric attack<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Network bandwidth<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Layers 3\u20134<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Protocol attack<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Connection state (firewall, router)<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Layers 3\u20134<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Application-layer attack<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Server CPU, memory, threads<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Layer 7<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">A single campaign often targets all three simultaneously\u2014a technique called multi-vector DDoS that we cover in detail below.<\/span><\/p>\n<h2><img decoding=\"async\" class=\"alignnone size-full wp-image-23007\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308.webp\" alt=\"_(How_Botnets_202604291308\" width=\"1600\" height=\"893\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308.webp 1600w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308-300x167.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308-1024x572.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308-768x429.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308-1536x857.webp 1536w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/How_Botnets_202604291308-18x10.webp 18w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/h2>\n<h2 id=\"how-botnets-power\"><b>How Botnets Power DDoS Attacks<\/b><\/h2>\n<p><b>A botnet is a network of compromised devices\u2014home routers, security cameras, smart TVs, IoT sensors, and infected computers\u2014controlled through a command-and-control (C2) server. The attacker activates the botnet by sending a single instruction through the C2 channel, causing every compromised device to send traffic to the target at the same moment.<\/b><\/p>\n<h3><b>How Devices Become Part of a Botnet<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Attackers scan the internet for devices with known software vulnerabilities or factory-default credentials. Home routers shipped with &#8220;admin\/admin&#8221; passwords are the easiest entry point. IP cameras running outdated firmware are next. Once a device is compromised, malware spreads laterally to other devices on the same local network.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Mirai botnet, which produced the record-breaking 1.2 Tbps Dyn DNS attack in October 2016, used this exact method. It infected over 600,000 IoT devices by scanning for Telnet access with 61 common factory credential pairs. Modern Mirai variants\u2014including Eleven11bot and Aisuru, both tracked by Nokia&#8217;s Deepfield Emergency Response Team in early 2025\u2014continue to use the same technique against newer IoT hardware.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Nokia&#8217;s 2025 DDoS research found that 100 to 200 million IPv4 endpoints now covertly participate in attack traffic via residential proxy networks. These are not data centers. servers\u2014they are household devices: laptops, phones, gaming consoles, DVRs, and baby monitors. The traffic they generate carries a clean residential IP reputation, which breaks IP-reputation-based blocking entirely.<\/span><\/p>\n<h3><b>Command-and-Control Infrastructure<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The attacker does not communicate directly with each infected device. C2 servers relay instructions. Modern botnets use peer-to-peer C2 architectures with no central point of failure\u2014taking down one C2 server does not stop the network. Advanced botnets route C2 traffic over encrypted channels on port 443, disguising instructions as normal HTTPS traffic to evade detection.<\/span><\/p>\n<h3><b>DDoS-as-a-Service: $5 Buys an Attack<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Booter and stresser services sell DDoS capacity on a subscription basis \u2014 no technical knowledge required. Pricing on dark web markets starts at approximately $5 per hour for a small attack and scales to thousands of dollars for sustained, high-volume campaigns targeting large infrastructure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In 2025,<\/span><a href=\"https:\/\/www.europol.europa.eu\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\"> Europol<\/span><\/a><span style=\"font-weight: 400;\"> dismantled multiple DDoS-for-hire services in coordinated international operations, arresting platform administrators and prosecuting paying customers. The enforcement action confirms that using a booter service \u2014 not just operating one \u2014 constitutes a criminal offense in EU member states and the United States.<\/span><\/p>\n<h2><img decoding=\"async\" class=\"alignnone size-full wp-image-23008\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/The-7-Types-of-DDoS-Attacks.webp\" alt=\"The 7 Types of DDoS Attacks\" width=\"1376\" height=\"768\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/The-7-Types-of-DDoS-Attacks.webp 1376w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/The-7-Types-of-DDoS-Attacks-300x167.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/The-7-Types-of-DDoS-Attacks-1024x572.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/The-7-Types-of-DDoS-Attacks-768x429.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/The-7-Types-of-DDoS-Attacks-18x10.webp 18w\" sizes=\"(max-width: 1376px) 100vw, 1376px\" \/><\/h2>\n<h2 id=\"types-of-ddos\"><b>The 7 Types of DDoS Attacks<\/b><\/h2>\n<p><b>DDoS attacks divide into three categories: volumetric attacks that saturate bandwidth at Layers 3 and 4, protocol attacks that exhaust connection state tables in routers and firewalls, and application-layer attacks that overwhelm server processing capacity at Layer 7. Each type requires a different detection method and a different mitigation response.<\/b><\/p>\n<h3><b>1. UDP Flood<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A UDP flood sends massive volumes of User Datagram Protocol packets to random ports on the target server. The server checks each port for a listening service, finds none, and replies with ICMP &#8220;Destination Unreachable&#8221; packets. This bidirectional exchange exhausts the server&#8217;s available network bandwidth.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">UDP packets require no handshake before transmission. An attacker using a large botnet can generate and sustain multi-terabit UDP floods with relatively modest infrastructure. UDP floods powered the majority of the largest volumetric attacks recorded in 2025, including attacks exceeding 1 Tbps targeting gaming, financial services, and telecommunications infrastructure.<\/span><\/p>\n<p><b>Detection signal:<\/b><span style=\"font-weight: 400;\"> Sudden spike in UDP traffic volume, high ICMP Destination Unreachable rate, source IPs concentrated in specific AS ranges.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Rate-limit inbound UDP at the upstream network edge. Apply BGP Flowspec rules targeting the attacking AS ranges. For servers that do not use UDP, block all inbound UDP at the perimeter<\/span> <b>network firewall<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>2. ICMP (Ping) Flood<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">An ICMP flood sends a high-volume stream of Internet Control Message Protocol (ICMP) echo request packets\u2014also known as pings\u2014to the target. The server must respond to each one with an echo reply, consuming both inbound and outbound bandwidth. A sufficient volume of ICMP packets saturates the server&#8217;s network link before any legitimate traffic can reach it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Smurf attack variant amplifies this further: the attacker sends ICMP requests with the target&#8217;s IP address forged as the source to a network broadcast address. Every device on that network responds to the target&#8217;s IP, multiplying the attack volume without multiplying the attacker&#8217;s resources. RFC-compliance fixes in modern networking equipment have made pure Smurf attacks less effective, but ICMP floods remain a standard component of multi-vector campaigns.<\/span><\/p>\n<p><b>Detection signal:<\/b><span style=\"font-weight: 400;\"> ICMP traffic volume exceeds baseline by 10x or more; ICMP packets arriving from geographically scattered sources at uniform intervals.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Rate-limit ICMP at the edge. For servers with no legitimate ICMP traffic needs, block all inbound ICMP.<\/span><\/p>\n<h3><b>3. SYN Flood<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A SYN flood exploits the TCP three-way handshake by sending thousands of SYN packets per second to the target. The target allocates connection state for each one and replies with SYN-ACK, but the attacker never sends the final ACK. Half-open connections fill the server&#8217;s connection state table, blocking all new legitimate TCP connections.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The three-way handshake (SYN \u2192 SYN-ACK \u2192 ACK) is required to establish every TCP connection. The server must hold state for each SYN it receives while waiting for the ACK to complete the handshake. A SYN flood of sufficient volume fills this state table. When the table is full, the server cannot accept new connections from anyone\u2014the service appears offline.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This attack type is fully documented in<\/span><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc4987\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">RFC 4987<\/span><\/a><span style=\"font-weight: 400;\">, which describes TCP SYN flooding and its countermeasures. Modern infrastructure commonly uses SYN cookies as a defense \u2014 a technique that allows the server to validate the TCP handshake without storing connection state for incomplete handshakes.<\/span><\/p>\n<p><b>Detection signal:<\/b><span style=\"font-weight: 400;\"> High ratio of half-open to established TCP connections; connection state table utilization near 100%; incoming SYN rate exceeds the server&#8217;s SYN-ACK sending rate.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Enable SYN cookies at the OS or network level. Apply rate limits on inbound SYN packets per source IP. Configure the <\/span><b>network firewall<\/b><span style=\"font-weight: 400;\"> to drop SYN packets from known-bad IP ranges.<\/span><\/p>\n<h3><b>4. DNS Amplification<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A DNS amplification attack exploits open DNS resolvers to multiply attack traffic volume. The attacker spoofs the target&#8217;s IP address and sends small DNS queries (40\u201360 bytes) to thousands of open resolvers. Each resolver sends a large DNS response (up to 4,000 bytes) to the target&#8217;s IP\u2014producing an amplification factor of up to 70x without requiring proportional botnet capacity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Amplification attacks are among the most efficient DDoS techniques available because the attacker can generate terabit-scale floods using modest resources. The attack traffic arrives from legitimate DNS server IP addresses worldwide, making source-based blocking destroy valid DNS functionality.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">NTP amplification works the same way using the Network Time Protocol monlist command, which can produce responses 4,096 times larger than the triggering request. SSDP, CLDAP, and memcached have also been exploited as amplification vectors.<\/span><\/p>\n<p><b>Detection signal:<\/b><span style=\"font-weight: 400;\"> Spike in inbound UDP traffic from port 53 (DNS) or port 123 (NTP); source IPs mapping to legitimate DNS or NTP infrastructure; traffic volume disproportionate to your server&#8217;s DNS activity.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Upstream filtering of amplification vectors at the ISP or transit level. Applying ingress filtering (<\/span><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc2827\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">BCP 38<\/span><\/a><span style=\"font-weight: 400;\">) blocks spoofed-source packets before they leave the attacker&#8217;s network.<\/span><\/p>\n<h3><b>5. HTTP Flood<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">An HTTP flood sends a sustained high volume of valid HTTP GET or POST requests to a web server or API endpoint. Unlike bandwidth attacks, an HTTP flood exhausts server CPU, memory, and application thread pools\u2014making the application unresponsive even when network bandwidth remains available.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">HTTP floods are the dominant form of Layer 7 DDoS. Because every request is syntactically valid\u2014correct headers, proper HTTP structure, diverse source IPs\u2014it is significantly harder to distinguish attack traffic from real users without behavioral analysis.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Advanced HTTP floods rotate User-Agent strings, Accept-Language headers, and cookies to simulate browser behavior. Some complete full TLS handshakes before sending requests, bypassing TLS-fingerprinting-based defenses. This makes Layer 7 detection reliant on behavioral analysis and rate patterns rather than packet structure.<\/span><\/p>\n<p><b>Detection signal:<\/b><span style=\"font-weight: 400;\"> Request rate per source IP abnormally high; requests target the same endpoint repeatedly; request patterns lack the variety of normal browsing (no static resource requests, no image loads); error rate on the server rises sharply.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Web Application Firewall (WAF) with behavioral rate limiting. CAPTCHA challenges for suspicious traffic. Edge caching to absorb static content requests. Distinguishing bots from browsers via JavaScript challenge at the CDN layer.<\/span><\/p>\n<h3><b>6. HTTP\/2 Rapid Reset<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The HTTP\/2 Rapid Reset attack abuses stream multiplexing in HTTP\/2 to generate an extreme rate of server processing without completing requests. The attacker opens thousands of HTTP\/2 streams and immediately resets each one with RST_STREAM\u2014forcing the server to process the overhead of each stream while the attacker avoids waiting for responses.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This vulnerability \u2014 designated<\/span><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-44487\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">CVE-2023-44487<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 was disclosed in October 2023 after attackers used it to generate 201 million requests per second against Cloudflare&#8217;s infrastructure, the largest Layer 7 attack recorded at that time. Unlike volumetric attacks, HTTP\/2 Rapid Reset can generate attack throughput exceeding any previous application-layer record using comparatively small bandwidth.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Every server running HTTP\/2 must have this CVE patched. NGINX, Apache, IIS, and major CDNs released patches in October 2023. Unpatched servers running HTTP\/2 remain vulnerable to this specific technique regardless of other protective measures.<\/span><\/p>\n<p><b>Detection signal:<\/b><span style=\"font-weight: 400;\"> Extremely high RST_STREAM rate on HTTP\/2 connections; server CPU spikes despite low inbound bandwidth; HTTP\/2 connections opening and closing rapidly without completing any requests.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Apply CVE-2023-44487 patches to all HTTP\/2-enabled servers. Configure HTTP\/2 stream concurrency limits. Terminate HTTP\/2 at a patched reverse proxy or CDN that handles the stream management before forwarding to the origin.<\/span><\/p>\n<h3><b>7. Slowloris<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Slowloris keeps as many HTTP connections to a web server open for as long as possible by sending partial HTTP headers at slow intervals\u2014fast enough to prevent server timeout, never completing the request. The server&#8217;s connection pool fills entirely with these incomplete requests, blocking all new connections from legitimate users.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Slowloris requires minimal bandwidth to execute. A single machine can take down a web server that is not protected against slow HTTP attacks by holding hundreds of connections open indefinitely. The attack is specifically effective against multi-threaded web servers that allocate a worker thread per connection\u2014including older Apache HTTP Server configurations.<\/span><\/p>\n<p><b>Detection signal: The<\/b><span style=\"font-weight: 400;\"> connection pool is near capacity; there is a large number of connections in the HTTP header-reading state; connections are lasting far longer than the typical request completion time; incoming bandwidth is normal while the server is unresponsive.<\/span><\/p>\n<p><b>Mitigation:<\/b><span style=\"font-weight: 400;\"> Configure aggressive connection timeouts. Limit maximum connections per IP. Use an event-driven web server (Nginx) or a reverse proxy that handles connection management separately from application processing. Rate-limit partial header connections at the network firewall.<\/span><\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-23009\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS_attacks_work_and_stop_202604291320.webp\" alt=\"DDoS_attacks_work_and_stop_202604291320\" width=\"1376\" height=\"768\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS_attacks_work_and_stop_202604291320.webp 1376w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS_attacks_work_and_stop_202604291320-300x167.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS_attacks_work_and_stop_202604291320-1024x572.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS_attacks_work_and_stop_202604291320-768x429.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/DDoS_attacks_work_and_stop_202604291320-18x10.webp 18w\" sizes=\"(max-width: 1376px) 100vw, 1376px\" \/><\/h2>\n<h2 id=\"multi-vector\"><b>Multi-Vector DDoS: The 2025-2026 Attack Model<\/b><\/h2>\n<p><b>Multi-vector DDoS attacks combine two or more attack types in a single coordinated campaign. Nokia&#8217;s 2025 threat data shows that 58% of DDoS attacks now combine multiple vectors, and 52% target multiple hosts at the same time. Attackers sequence attack types in response to defender actions, making multi-vector campaigns adaptive rather than static.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The &#8220;single large flood&#8221; model of DDoS is obsolete. In one documented 2025 campaign tracked by Nokia&#8217;s Deepfield Emergency Response Team, attackers executed four distinct attack types in three minutes: TCP carpet bombing, UDP flood, DNS amplification, and a high-rate SYN flood. Each stage is adapted based on the defender&#8217;s response. When one vector was blocked, the campaign shifted to the next while increasing bandwidth to the remaining vectors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is reconnaissance built into the attack. The attacker learns which defenses are active and which vectors bypass them before launching a sustained campaign.<\/span><\/p>\n<p><b>78% of attacks in 2025 ended within five minutes.<\/b><span style=\"font-weight: 400;\"> That is not a sign of failed attacks. Short-duration automated campaigns that probe infrastructure and move on are the primary reconnaissance technique for identifying targets worth attacking with sustained pressure.<\/span><\/p>\n<h3><b>Ransom DDoS (RDoS): The Extortion Layer<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Ransom DDoS combines a DDoS capability demonstration with a payment demand. The attacker sends a warning email threatening a sustained attack unless a ransom \u2014 typically 5\u201320 Bitcoin \u2014 is paid within a 24-hour deadline. Some RDoS threats come with a short proof-of-capability attack. Others bluff entirely and never attack if ignored.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The<\/span><a href=\"https:\/\/www.fbi.gov\/investigate\/cyber\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">FBI&#8217;s Internet Crime Complaint Center (IC3)<\/span><\/a><span style=\"font-weight: 400;\"> documented $16.6 billion in cybercrime losses in 2024, with DDoS and ransomware among the most financially damaging threat categories. RDoS campaigns often run parallel to broader ransomware operations, using the DDoS as additional pressure during ransom negotiations.<\/span><\/p>\n<p><b>Our recommendation:<\/b><span style=\"font-weight: 400;\"> Do not pay. Payment does not guarantee the attack stops, confirms your willingness to pay, and makes your organization a recurring target. Contact your hosting provider&#8217;s NOC and<\/span><a href=\"https:\/\/www.isaca.org\/credentialing\/cisa\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">CISA<\/span><\/a><span style=\"font-weight: 400;\"> immediately.<\/span><\/p>\n<h2 id=\"financial-cost\"><b>The Real Financial Cost of a DDoS Attack<\/b><\/h2>\n<p><b>A DDoS attack costs an unprotected organization approximately $6,000 per minute in downtime losses. At the 2025 average attack duration of 45 minutes, a single attack produces roughly $270,000 in direct costs\u2014before SLA penalties, emergency mitigation fees, recovery labor, and long-term reputational damage.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Breaking down that $6,000 per minute:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Cost Category<\/b><\/td>\n<td><b>How It Accumulates<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Lost revenue<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Every transaction that cannot be completed during the outage<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">SLA breach penalties<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Contractual payments to enterprise customers per minute of downtime<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Emergency mitigation<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Mid-attack scrubbing service activation at premium rates<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Engineering labor<\/span><\/td>\n<td><span style=\"font-weight: 400;\">On-call staff responding to the incident at overtime cost<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Reputational damage<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Customer churn, search ranking signals, and brand trust erosion<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">The 47.1 million DDoS attacks recorded in 2025\u2014a 236% increase over 2024 per Cloudflare&#8217;s Q4 report\u2014make this not a theoretical risk but an operational certainty for any publicly accessible infrastructure.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For a concrete example: an e-commerce store processing $15,000 per hour in orders loses $11,250 in sales during a 45-minute attack. Add $5,000 in emergency mitigation, $3,000 in engineering time, and any SLA obligations, and a single attack costs more than an entire year of properly provisioned DDoS protection.<\/span><\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-23010\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328.webp\" alt=\"(9_Methods_202604291328\" width=\"1600\" height=\"1195\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328.webp 1600w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328-300x224.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328-1024x765.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328-768x574.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328-1536x1147.webp 1536w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/9_Methods_202604291328-16x12.webp 16w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/h2>\n<h2 id=\"methods-stop\"><b>9 Methods That Actually Stop DDoS Attacks<\/b><\/h2>\n<p><b>Stopping a DDoS attack requires a layered defense at multiple network levels. Upstream scrubbing at the network edge absorbs volumetric floods before they reach your server. Deep packet inspection identifies attack traffic by content pattern. Rate limiting caps traffic from suspicious sources. Anycast distribution spreads attack load across geographically dispersed infrastructure. No single method stops every attack type.<\/b><\/p>\n<h3><b>Method 1: Network-Level DDoS Scrubbing<\/b><\/h3>\n<p><b>Network scrubbing intercepts all traffic to a target IP via BGP rerouting, filters malicious packets using DPI-based rule sets, and forwards only clean traffic to the destination server \u2014 all without the target&#8217;s connection seeing the attack volume.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Scrubbing operates at a scale that server-level defenses cannot match. A 1 Tbps attack hitting your server&#8217;s 10 Gbps port saturates it in milliseconds. The same attack routed to a scrubbing center with 10+ Tbps of available filtering capacity is absorbed without affecting your server&#8217;s link.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At Atal Networks, scrubbing is built into our network infrastructure. Our<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/what-is-deep-packet-inspection-dpi\/\"><span style=\"font-weight: 400;\"> deep packet inspection (DPI)<\/span><\/a><span style=\"font-weight: 400;\"> systems at every point of presence detect attack patterns and activate BGP-based traffic diversion in under 30 seconds. Every client on our<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/dedicated-servers\/\"> <span style=\"font-weight: 400;\">aangewezen server<\/span><\/a><span style=\"font-weight: 400;\"> plans receives this protection automatically, with no configuration required.<\/span><\/p>\n<h3><b>Method 2: BGP Flowspec and Blackholing<\/b><\/h3>\n<p><b>BGP Flowspec (defined in<\/b><a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc5575\" target=\"_blank\" rel=\"noopener\"> <b>RFC 5575<\/b><\/a><b>) pushes granular traffic filtering rules to upstream routers across an entire provider network \u2014 blocking specific UDP source ports, dropping packets above a size threshold, or rate-limiting traffic from specific autonomous systems \u2014 without blocking all traffic to the targeted IP.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">BGP blackholing is the blunter alternative: all traffic to a specific IP prefix is dropped at the upstream router, stopping the attack immediately but also blocking legitimate users from reaching that IP. Blackholing is a last resort for attacks exceeding scrubbing capacity.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Flowspec is the surgical option. Instead of nullrouting an IP, Flowspec pushes specific match-and-action rules (block UDP\/53 from AS12345, drop ICMP packets over 1,500 bytes) to every router in the provider network. Our BGP infrastructure deploys Flowspec rules globally within 60 seconds of attack characterization, targeting the specific traffic signature without over-blocking.<\/span><\/p>\n<h3><b>Method 3: Deep Packet Inspection (DPI)<\/b><\/h3>\n<p><a href=\"https:\/\/atalnetworks.com\/nl\/what-is-deep-packet-inspection-dpi\/\"><b>Deep packet inspection<\/b><\/a><b> reads both the header and payload of every packet at Layer 7, enabling the detection of attack traffic that appears legitimate at the header level. DPI identifies application-layer floods, protocol exploits, and botnet command patterns that IP-level filtering cannot see.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Without DPI, a scrubbing center can filter by IP, port, and protocol\u2014but it cannot tell an HTTP flood from a legitimate traffic surge or a DNS amplification attack from normal DNS traffic. DPI identifies attack traffic by the content pattern of the packets, not just their origin.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our DPI systems run on purpose-built network hardware at every point of presence, processing traffic at line speed \u2014 10 Gbps to 100 Gbps \u2014 without introducing latency on your server&#8217;s connection.<\/span><\/p>\n<h3><b>Method 4: Rate Limiting<\/b><\/h3>\n<p><b>Rate limiting caps the volume of requests or packets accepted from any single source IP address within a defined time window. A source IP sending more than the configured threshold is throttled \u2014 its excess traffic is dropped while traffic from other sources continues normally.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Rate limiting is most effective against botnets with low source-IP diversity and against Slowloris attacks that hold connections open. Configure rate limits in layers:<\/span><\/p>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Network layer:<\/b><span style=\"font-weight: 400;\"> Packets per second per source IP at the perimeter firewall<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Transport layer:<\/b><span style=\"font-weight: 400;\"> TCP connections per second per source IP<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Application layer:<\/b><span style=\"font-weight: 400;\"> HTTP requests per minute per source IP per endpoint<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Rate limiting alone is insufficient against highly distributed attacks where millions of unique IPs each send a small traffic volume that individually falls below any reasonable threshold. Combine it with behavioral analysis and IP reputation filtering.<\/span><\/p>\n<h3><b>Method 5: Web Application Firewall (WAF)<\/b><\/h3>\n<p><b>A web application firewall filters HTTP and HTTPS traffic between the internet and your web application, blocking requests that match attack signatures, exceed rate thresholds, originate from blocked IP ranges, or fail behavioral challenge tests. A WAF is the primary defense layer against Layer 7 DDoS, including HTTP floods and HTTP\/2 Rapid Reset.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">WAF rule categories for DDoS mitigation:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Rule Type<\/b><\/td>\n<td><b>Function<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Rate limiting<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Cap requests per IP per endpoint per time window<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">IP reputation<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Block traffic from known-bad IP ranges and AS numbers<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Geo-blocking<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Restrict traffic from countries or regions with no legitimate users<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Bot detection<\/span><\/td>\n<td><span style=\"font-weight: 400;\">CAPTCHA and JavaScript challenge for suspicious traffic<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Payload signatures<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Block requests matching known attack patterns<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Connection limits<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Cap concurrent connections from a single IP<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">For<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/bare-metal-servers\/\"> <span style=\"font-weight: 400;\">Kale metalen servers<\/span><\/a><span style=\"font-weight: 400;\"> running business-critical applications, our network engineering team configures custom WAF rulesets that match your application&#8217;s specific traffic profile\u2014avoiding the false positives that generic rule sets produce on specialized workloads.<\/span><\/p>\n<h3><b>Method 6: Anycast Network Diffusion<\/b><\/h3>\n<p><b>Anycast routing assigns a single IP address to multiple geographically distributed servers. Routing protocols direct incoming traffic to the nearest anycast node based on network topology. A large DDoS attack targeting an anycast IP is automatically distributed across all nodes, reducing the load on any single location to a manageable fraction of the total attack volume.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">A server behind a single anycast entry point absorbs a fraction of attack traffic proportional to the number of nodes in the anycast network. Our 213+ data centers across 196+ countries form an anycast-capable global network. A 1 Tbps attack hitting a 20-node anycast network reaches each node at approximately 50 Gbps \u2014 well within the scrubbing capacity at each point of presence.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Anycast also provides geographic resilience. If one region is overwhelmed, routing protocols automatically shift traffic toward nodes with available capacity.<\/span><\/p>\n<h3><b>Method 7: Attack Surface Reduction<\/b><\/h3>\n<p><b>Reducing your server&#8217;s attack surface means closing every port, protocol, and service that your application does not actively need \u2014 eliminating potential amplification vectors and reducing the number of endpoints an attacker can target.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Attack surface reduction steps:<\/span><\/p>\n<ol>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Close all ports not required by your application. If your server runs only HTTPS, block all inbound traffic except ports 443 and 22 (SSH for management, restricted to known IPs).<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Disable UDP if your application does not use it. This eliminates you as a target for UDP-based volumetric and amplification attacks.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Move internal server-to-server communication to private VLANs, off the public internet entirely.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Restrict management interface access (SSH, RDP) to specific IP ranges using firewall rules.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Disable unused protocols and services at the OS level.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Onze<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/colocation\/\"> <span style=\"font-weight: 400;\">colocation services<\/span><\/a><span style=\"font-weight: 400;\"> and dedicated server plans support private VLAN configurations that move internal traffic to isolated network segments, removing it from the publicly routable attack surface entirely.<\/span><\/p>\n<h3><b>Method 8: Over-Provisioned Bandwidth<\/b><\/h3>\n<p><b>Over-provisioning bandwidth above your normal peak consumption gives DPI and scrubbing systems time to activate before the attack saturates your link. A server running at 30% of available bandwidth can absorb a significant attack surge before mitigation activates. A server running at 90% of capacity goes offline the instant a small attack arrives.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">At Atal Networks, our dedicated server plans include 10Gbps ports with burst capacity. The physical port provisioning is designed to maintain headroom above normal peak traffic load, giving our automated detection systems the window they need to characterize and respond to an attack before your service degrades.<\/span><\/p>\n<h3><b>Method 9: IP Reputation and Threat Intelligence Filtering<\/b><\/h3>\n<p><b>IP reputation filtering uses continuously updated blocklists of IP addresses and autonomous systems known to host botnet infrastructure, DDoS-for-hire services, and attack tooling. Applying these lists at the upstream network edge drops attack traffic before it reaches your server&#8217;s network link.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Commercial threat intelligence feeds from providers including Spamhaus, Emerging Threats, and Team Cymru maintain blocklists that update frequently enough to be effective against campaign-based botnets. Residential proxy botnets\u2014which route attack traffic through household devices with clean IP reputations\u2014are not effectively blocked by reputation lists alone.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Pair IP reputation filtering with behavioral analysis for coverage against both traditional botnet infrastructure and residential proxy traffic.<\/span><\/p>\n<h2 id=\"dedicated-vs-vps\"><b>DDoS Protection: Dedicated Server vs. VPS<\/b><\/h2>\n<p><b>On VPS infrastructure, DDoS protection runs at the hypervisor layer with shared scrubbing resources applied uniformly across all tenants on the same physical host. On dedicated server infrastructure, DPI and scrubbing operate on a dedicated physical port with configurations tailored to your specific application traffic profile. The dedicated model provides stronger protection and eliminates the noisy-neighbor problem.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">This distinction matters operationally:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>Factor<\/b><\/td>\n<td><b>VPS-hosting<\/b><\/td>\n<td><b>Aangewezen server<\/b><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Protection scope<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Host-level, shared with all VMs on the physical server<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Port-level, dedicated to your server<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Policy customization<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Standardized rules for all tenants<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Custom DPI rules for your application<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Noisy neighbor risk<\/span><\/td>\n<td><span style=\"font-weight: 400;\">A DDoS targeting another VM on your host affects you<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Your port is isolated from other clients&#8217; traffic<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Scrubbing bandwidth<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Shared across all VMs on the physical host<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Dedicated to your server&#8217;s port<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Custom BGP Flowspec<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Not configurable per tenant<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Available on request<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Best for<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Standard applications under moderate attack risk<\/span><\/td>\n<td><span style=\"font-weight: 400;\">High-value applications, financial services, gaming, healthcare, e-commerce<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">For organizations where uptime directly equals revenue\u2014e-commerce platforms, SaaS applications with SLA obligations, financial trading infrastructure, and gaming servers\u2014<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/dedicated-servers\/\"><span style=\"font-weight: 400;\">Toegewijde servers<\/span><\/a><span style=\"font-weight: 400;\"> with dedicated DDoS protection match the risk profile of the workload.<\/span><\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-23011\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337.webp\" alt=\"A_premium,_modern_enterprise_cybersecurity_202604291337\" width=\"1600\" height=\"893\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337.webp 1600w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337-300x167.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337-1024x572.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337-768x429.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337-1536x857.webp 1536w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/A_premium_modern_enterprise_cybersecurity_202604291337-18x10.webp 18w\" sizes=\"(max-width: 1600px) 100vw, 1600px\" \/><\/h2>\n<h2 id=\"attack-response\"><b>DDoS Attack Response: Step-by-Step<\/b><\/h2>\n<p><b>When a DDoS attack starts, the first five minutes determine whether the incident is contained quickly or causes an extended outage. Confirm the attack, characterize the traffic vector, notify your hosting provider&#8217;s NOC, and activate pre-configured mitigation \u2014 in that sequence, as fast as possible.<\/b><\/p>\n<h3><b>Minute 0 \u2014 Confirm It Is an Attack<\/b><\/h3>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Check your monitoring dashboard for traffic volume anomalies, error rate spikes, and connection count changes.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Confirm the server is unreachable from external locations, not just your current network.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Check your hosting provider&#8217;s status page for regional network events.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Pull a packet capture sample from your network edge to identify traffic characteristics.<\/span><\/li>\n<\/ul>\n<h3><b>Minutes 1-5 \u2014 Characterize and Notify<\/b><\/h3>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Identify the attack vector from packet captures: UDP flood, SYN flood, HTTP flood, and DNS amplification.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Note source IP distribution \u2014 are sources concentrated in specific AS ranges or globally scattered?<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Measure attack volume in Gbps (for bandwidth attacks) or Rps\/Pps (for application and protocol attacks).<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Contact your hosting provider immediately.<\/b><span style=\"font-weight: 400;\"> If you are an Atal Networks client, reach our 24\/7 NOC. Provide the attack vector characterization and volume estimate. Our team deploys Flowspec rules within 60 seconds of receiving your attack profile.<\/span><\/li>\n<\/ul>\n<h3><b>Minutes 5-30 \u2014 Apply and Monitor Mitigation<\/b><\/h3>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Activate WAF emergency mode: maximum rate limiting and enable geo-restrictions if your user base is geographically bound.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Apply IP blocklists for known attack source ranges.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Reduce attack surface: temporarily disable unused ports, protocols, and services.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">For extreme-volume attacks, request BGP blackholing of the attacked IP if other services on the same subnet can be isolated.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Watch for vector shifts. Multi-vector attacks switch techniques after one vector is blocked.<\/span><\/li>\n<\/ul>\n<h3><b>Post-Attack \u2014 Review and Harden<\/b><\/h3>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Check intrusion detection logs.<\/b><span style=\"font-weight: 400;\"> DDoS is frequently used as a distraction for a concurrent intrusion attempt. Verify no unauthorized access occurred during the incident window.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Update firewall and WAF rules to permanently block the attack patterns identified.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Document the incident timeline, attack characteristics, and mitigation effectiveness.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Report sustained or sophisticated attacks to<\/span><a href=\"https:\/\/www.cisa.gov\/topics\/cyber-threats-and-advisories\/denial-service\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">CISA<\/span><\/a><span style=\"font-weight: 400;\"> and, if RDoS, to the<\/span><a href=\"https:\/\/www.fbi.gov\/investigate\/cyber\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">FBI Cyber Division<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Review your<\/span> <b>network security strategy<\/b><span style=\"font-weight: 400;\"> for structural improvements: additional anycast coverage, increased scrubbing capacity, and over-provisioned bandwidth headroom.<\/span><\/li>\n<\/ul>\n<h2 id=\"legal-consequences\"><b>Legal Consequences of DDoS Attacks<\/b><\/h2>\n<p><b>Launching a DDoS attack is a federal crime in the United States under 18 U.S.C. \u00a7 1030 (the Computer Fraud and Abuse Act), carrying penalties of up to 10 years in federal prison per offense. In the European Union, Directive 2013\/40\/EU criminalizes attacks on information systems with imprisonment penalties of up to 5 years.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The legal exposure applies to the attacker AND to customers of DDoS-for-hire services. In 2025,<\/span><a href=\"https:\/\/www.europol.europa.eu\/\" target=\"_blank\" rel=\"noopener\"> <span style=\"font-weight: 400;\">Europol<\/span><\/a><span style=\"font-weight: 400;\"> prosecuted both booter service operators and paying users who had rented attack capacity, demonstrating that &#8220;I just paid for a service&#8221; is not a legal defense.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">US penalties under the CFAA:<\/span><\/p>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Up to <\/span><b>10 years<\/b><span style=\"font-weight: 400;\"> of federal imprisonment for a first offense<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Up to <\/span><b>20 years<\/b><span style=\"font-weight: 400;\"> for repeat offenses or attacks on protected computer systems<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Civil liability to the attacked organizations for documented damages<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">For the victims of DDoS attacks, having inadequate security controls can also create liability:<\/span><\/p>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>GDPR fines<\/b><span style=\"font-weight: 400;\"> if an attack causes availability failures affecting EU personal data processing (Article 32 requires &#8220;appropriate technical measures&#8221;)<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>PCI DSS failures<\/b><span style=\"font-weight: 400;\"> if the cardholder data system availability is disrupted<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Contractual breach claims<\/b><span style=\"font-weight: 400;\"> from enterprise customers holding uptime SLAs<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Documented DDoS protection measures \u2014 like network-level scrubbing, WAF configuration records, and incident response logs \u2014 are part of demonstrating the &#8220;appropriate technical measures&#8221; required by both GDPR and most enterprise security frameworks.<\/span><\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-23012\" src=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/how-atal-networks-protects.webp\" alt=\"how atal networks protects\" width=\"1500\" height=\"837\" srcset=\"https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/how-atal-networks-protects.webp 1500w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/how-atal-networks-protects-300x167.webp 300w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/how-atal-networks-protects-1024x571.webp 1024w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/how-atal-networks-protects-768x429.webp 768w, https:\/\/atalnetworks.com\/wp-content\/uploads\/2025\/04\/how-atal-networks-protects-18x10.webp 18w\" sizes=\"(max-width: 1500px) 100vw, 1500px\" \/><\/h2>\n<h2 id=\"how-atal-protects\"><b>How Atal Networks Protects Your Server<\/b><\/h2>\n<p><b>Every Atal Networks dedicated server and VPS sits behind our network-level DDoS protection infrastructure, which uses deep packet inspection to detect attack patterns and BGP Flowspec to filter them at the network edge\u2014automatically, before attack traffic reaches your server&#8217;s port.<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Here is the exact sequence when an attack targets an Atal Networks client:<\/span><\/p>\n<ol>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Detection.<\/b><span style=\"font-weight: 400;\"> DPI systems at the network edge, at the nearest point of presence, identify the attack pattern\u2014volumetric characteristics, SYN flood ratio, HTTP request anomalies, and DNS amplification signature.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Characterization.<\/b><span style=\"font-weight: 400;\"> The attack vector, source distribution, and volume are logged and passed to the mitigation controller.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>BGP Flowspec deployment.<\/b><span style=\"font-weight: 400;\"> Mitigation rules matching the attack signature are pushed across our multihomed BGP network to all upstream routers within 60 seconds.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Traffic rerouting.<\/b><span style=\"font-weight: 400;\"> Attack traffic matching the Flowspec rules is filtered at the network edge. Clean traffic continues on the original path to your server.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>NOC monitoring.<\/b><span style=\"font-weight: 400;\"> Our network engineers receive an alert and monitor the attack in real time, ready to adjust rules if the attack shifts vectors.<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Post-attack review.<\/b><span style=\"font-weight: 400;\"> Attack characteristics are logged and used to update global threat intelligence for all clients.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">For clients running applications with specific protection requirements \u2014 custom rate limits, application-layer filtering rules, SSL inspection for compliance, or dedicated scrubbing capacity reservations \u2014 our network engineering team configures these at the port level.<\/span><\/p>\n<p><a href=\"https:\/\/atalnetworks.com\/nl\/dedicated-servers\/\"><span style=\"font-weight: 400;\">Explore DDoS-Protected Dedicated Server Plans \u2014 Get 70% Off Your First Month<\/span><\/a><\/p>\n<h2 id=\"faq\"><b>Frequently Asked Questions About DDoS Attacks<\/b><\/h2>\n<h3><b>What is a DDoS attack?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A Distributed Denial of Service (DDoS) attack floods a server, network, or online service with traffic from thousands to millions of compromised devices until the target cannot respond to legitimate users. DDoS attacks target bandwidth, connection state capacity, or application processing resources \u2014 often all three in a single coordinated campaign. The defining characteristic is the distributed source: traffic originates from many devices in many countries simultaneously.<\/span><\/p>\n<h3><b>How is a DDoS attack different from a DoS attack?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A DoS (Denial of Service) attack sends high traffic volume from a single source machine. Blocking the single attacking IP address stops the attack immediately. A DDoS attack uses a botnet of thousands to millions of compromised devices across distributed IP addresses, making source-based blocking nearly impossible. DDoS attacks are significantly more difficult to stop because the traffic appears to come from diverse, legitimate sources.<\/span><\/p>\n<h3><b>How long does a DDoS attack typically last?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Nokia&#8217;s 2025 DDoS research data shows that 78% of attacks end within five minutes and 37% end within two minutes. However, the average attack duration in 2025 was 45 minutes according to Kentik&#8217;s analysis. Ransom DDoS campaigns can run for hours or days. Sustained campaigns by state-sponsored or organized criminal groups have lasted weeks. Automated mitigation that activates within 60 seconds is the critical requirement for limiting damage from short-burst attacks.<\/span><\/p>\n<h3><b>Can a DDoS attack be used to steal data?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A DDoS attack does not directly steal data. DDoS is an availability attack \u2014 its purpose is to make a service unreachable. However, threat actors increasingly use DDoS as a distraction or smokescreen for a concurrent intrusion attempt. While security teams focus on restoring service availability, attackers probe for weaknesses in authentication systems, unpatched vulnerabilities, or misconfigured access controls. Always review intrusion detection logs and access logs after any DDoS incident.<\/span><\/p>\n<h3><b>Does a VPN protect against DDoS attacks?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">A VPN hides your real IP address, preventing attackers from directing traffic to your server&#8217;s actual network address. If an attacker does not know your server&#8217;s real IP, they cannot target it. However, once your real IP is identified \u2014 through a previous connection, a DNS leak, or other discovery \u2014 a VPN does not protect against the traffic flood itself. Real DDoS protection requires upstream scrubbing at the network level, not endpoint-based encryption.<\/span><\/p>\n<h3><b>Is DDoS protection included with Atal Networks hosting?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Yes. All Atal Networks dedicated server and VPS plans include network-level DDoS protection as a standard feature. Our DPI-powered detection and BGP Flowspec-based mitigation activate automatically across all 213+ data centers globally within 60 seconds of attack detection. Clients with advanced requirements \u2014 custom rate limiting, application-layer filtering, SSL inspection for compliance, or dedicated scrubbing capacity \u2014 can request custom DDoS protection configurations from our network engineering team via<\/span><a href=\"https:\/\/atalnetworks.com\/nl\/contact-us\/\"> <span style=\"font-weight: 400;\">contact<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h3><b>Can a DDoS attack be traced back to the attacker?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">DDoS attacks are difficult to trace in real time because attack traffic comes from compromised third-party devices, not the attacker&#8217;s own machines. Attackers also spoof source IP addresses in some attack types. Law enforcement traces DDoS perpetrators through C2 server infrastructure analysis, hosting records for booter services, financial payment records, and international agency cooperation. Europol&#8217;s 2025 DDoS-for-hire takedowns resulted in arrests of operators and users, confirming that investigation does lead to prosecution.<\/span><\/p>\n<h3><b>What is the difference between DDoS mitigation and DDoS prevention?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">DDoS prevention reduces the probability that an attack succeeds through attack surface reduction, over-provisioned bandwidth, anycast architecture, and pre-configured firewall rules. DDoS mitigation is the active process of detecting an attack in progress, filtering malicious traffic, and forwarding only clean traffic to the destination. Prevention limits risk before an attack. Mitigation limits damage when one occurs. A complete defense strategy requires both, with mitigation operating automatically at the network edge, so it activates faster than any human response.<\/span><\/p>\n<h2 id=\"related-articles\"><b>Related Articles<\/b><\/h2>\n<ul>\n\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/atalnetworks.com\/nl\/what-is-deep-packet-inspection-dpi\/\"><span style=\"font-weight: 400;\">What Is Deep Packet Inspection (DPI)?<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 the detection technology behind DDoS mitigation<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><a href=\"https:\/\/atalnetworks.com\/nl\/network-firewalls-types-functions-configuration\/\">Network Firewalls<\/a>: Types, Functions, and Configuration \u2014 first-line defense for your server perimeter<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\"><a href=\"https:\/\/atalnetworks.com\/nl\/network-security-for-dedicated-server\/\">Network Security Guide for Dedicated Server Clients<\/a> \u2014 full security strategy for server infrastructure<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/atalnetworks.com\/nl\/dedicated-servers\/\"><span style=\"font-weight: 400;\">Dedicated Servers with Built-In DDoS Protection<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 hardware-level protection for high-value workloads<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/atalnetworks.com\/nl\/vps-hosting\/\"><span style=\"font-weight: 400;\">VPS Hosting Plans<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 shared-infrastructure hosting with network-level DDoS protection<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/atalnetworks.com\/nl\/bare-metal-servers\/\"><span style=\"font-weight: 400;\">Kale metalen servers<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 unshared hardware for maximum security isolation<\/span><\/li>\n<p>\u00a0\t<\/p>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"https:\/\/atalnetworks.com\/nl\/premium-vps-solutions\/\"><span style=\"font-weight: 400;\">Proxy and VPN Infrastructure<\/span><\/a><span style=\"font-weight: 400;\"> \u2014 privacy-first server configurations<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>A Distributed Denial of Service (DDoS) attack floods a server, network, or online service with traffic from thousands to millions [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":23004,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-23002","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-grade-server"],"acf":[],"_links":{"self":[{"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/posts\/23002","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/comments?post=23002"}],"version-history":[{"count":5,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/posts\/23002\/revisions"}],"predecessor-version":[{"id":23200,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/posts\/23002\/revisions\/23200"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/media\/23004"}],"wp:attachment":[{"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/media?parent=23002"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/categories?post=23002"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/atalnetworks.com\/nl\/wp-json\/wp\/v2\/tags?post=23002"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}