Distributed Denial of Service attacks have grown in volume, sophistication, and frequency throughout the 2020s. The 2.3 Tbps DDoS attack against Amazon Web Services in 2020 set a record that stood for only months before being surpassed. Cloudflare mitigated a 5.6 Tbps UDP-based DDoS in October 2024 — the largest ever recorded at that point. These figures are not relevant only to hyperscalers. The same attack methodologies are available to commodity threat actors through DDoS-for-hire services (stressers/booters) at costs starting under $50 per attack, and the enterprises and financial institutions in New York City are among the most frequently targeted organizations globally.
This guide covers DDoS attack taxonomy, the technical architecture of enterprise DDoS protection, a comparison of the leading mitigation solutions, and the operational decisions that determine whether your protection strategy survives a sustained volumetric attack.
DDoS Attack Taxonomy
Volumetric Attacks (Layer 3/4)
Volumetric attacks attempt to saturate the target's network bandwidth or exhaust upstream router resources with high-volume traffic. The attacker does not need to compromise the target — they simply need to generate more traffic than the target's network can absorb. Amplification attacks are the primary mechanism: the attacker sends small requests to third-party servers with the source IP spoofed to the target's IP address. The third-party servers send large responses to the target, amplifying the attack volume significantly.
NTP amplification (amplification factor up to 556x), DNS amplification (up to 179x), SSDP amplification (up to 30x), and Memcached amplification (up to 51,000x) are the most common volumetric amplification vectors. A single host with a 1 Gbps uplink can generate hundreds of Gbps of attack traffic by exploiting misconfigured amplifiers on the open internet.
Protocol/State Exhaustion Attacks (Layer 3/4)
Protocol attacks exploit weaknesses in Layer 3/4 protocols to exhaust stateful devices — firewalls, load balancers, connection state tables — with partial connections or malformed packets. SYN floods are the canonical example: the attacker sends SYN packets with spoofed source addresses, causing the target to allocate state for half-open TCP connections until the connection table is exhausted. The target's legitimate TCP handshake capacity is consumed even though total traffic volume may be modest.
Application Layer Attacks (Layer 7)
Layer 7 attacks target the application tier directly, generating legitimate-appearing HTTP requests that consume application resources disproportionately to their bandwidth consumption. An HTTP flood against a computationally expensive endpoint — a search function, an authentication endpoint, a report generation API — can overwhelm application servers with a relatively small number of requests per second from a distributed botnet. Because requests appear legitimate, they bypass many volumetric attack detection mechanisms and require application-layer inspection to identify and block.
BGP Blackholing
BGP blackholing (also called RTBH — Remotely Triggered Black Hole routing) is the bluntest DDoS mitigation tool available: the targeted IP address is advertised to upstream providers with a community that causes them to route all traffic destined for that IP to null (drop it). This stops the attack from reaching the network, but also stops all legitimate traffic — the IP address becomes unreachable. Blackholing is appropriate when the attack target is a non-critical IP address (a VPN concentrator that is not the primary access point) or when the attack volume is so large that upstream providers are demanding blackholing to protect shared infrastructure. For critical services, blackholing is a last resort.
Upstream Scrubbing Centers
Scrubbing center-based mitigation routes traffic through purpose-built mitigation infrastructure that filters attack traffic and forwards clean traffic to the destination. In an always-on deployment, all traffic is routed through the scrubbing center continuously. In an on-demand model, traffic is redirected to scrubbing infrastructure only when an attack is detected.
Always-on protection provides faster response (no detection-to-activation delay) but introduces a permanent latency component. On-demand protection avoids routine latency but requires detection, decision, and BGP route announcement time (typically 5-15 minutes) before mitigation is active — during which the attack may have already caused damage.
Enterprise DDoS Mitigation Solutions
Cloudflare Magic Transit
Magic Transit advertises enterprise IP prefixes through Cloudflare's network via BGP. All inbound traffic for protected prefixes flows through Cloudflare's anycast network, where DDoS scrubbing occurs before traffic is forwarded to the customer's network via GRE or IPsec tunnels. The architecture provides both volumetric protection (Cloudflare's network capacity far exceeds any attack that has been recorded) and layer 7 protection through integration with Cloudflare WAF and rate limiting. For NYC enterprises with existing Cloudflare relationships, Magic Transit integrates naturally with the existing security stack. Pricing is bandwidth-based and typically requires a minimum commit.
Akamai Prolexic
Prolexic is Akamai's purpose-built DDoS mitigation platform with approximately 20 Tbps of dedicated scrubbing capacity globally. Prolexic offers both always-on and on-demand deployments, with SOC-staffed incident response for complex attack scenarios. Integration with Akamai's CDN and application security products provides a unified approach to web application protection. Prolexic is the preferred choice for large financial services organizations that require dedicated capacity commitment and SLA-backed response guarantees.
AWS Shield Advanced
For workloads hosted on AWS, Shield Advanced provides DDoS protection integrated with the AWS network. It includes 24/7 access to the AWS DDoS Response Team (DRT), automatic protection for EC2, ELB, CloudFront, and Route 53 resources, and financial protection against EC2 scaling charges incurred during an attack. Shield Advanced does not protect non-AWS infrastructure and requires application-layer firewall management through AWS WAF. For primarily cloud-native organizations, Shield Advanced is cost-effective; for hybrid environments with significant on-premises infrastructure, it addresses only the cloud component.
SLA Requirements and NYC Financial Services Considerations
NYC financial services organizations face elevated DDoS risk due to sector targeting by nation-state actors, hacktivists, and financially motivated attackers. The 2012 Operation Ababil attacks on US financial institutions demonstrated that sustained, coordinated DDoS campaigns against banks are operationally feasible and can persist for months. DDoS protection SLAs for financial services organizations should specify: time-to-mitigation (ideally under 10 seconds for always-on, under 15 minutes for on-demand), guaranteed mitigation capacity, and contractual commitments for L7 attack mitigation that requires human analysis.
For organizations under NY DFS 23 NYCRR 500, DDoS mitigation is not explicitly mandated but falls within the risk assessment requirements — a material DDoS attack against a covered entity's systems constitutes a cybersecurity event that may trigger reporting obligations. Fortress MSSP provides DDoS protection architecture design and vendor selection guidance for NYC enterprises. Contact us to assess your DDoS exposure and mitigation posture.