01 / Fundamentals

5 Resources to Exhaust

A DDoS attack exhausts a finite resource. There are exactly 5 resources to exhaust. Every attack in existence targets one of them. Lower levels need more volume. Higher levels need less, but hit harder.

02 / Concurrency

The HTTP Version Multiplier

The same 10,000 requests per second looks like 10,000 connections on HTTP/1.0 but only 10 on HTTP/2. Firewalls that count connections are blind to the 100 streams multiplexed inside each one.

03 / Mechanisms

23 Core Mechanisms

Every attack in the 233-entry taxonomy reduces to one of 23 fundamental server-side effects. The industry groups them into 3 marketing categories. We decompose them into 23 because each needs different detection and different mitigation.

04 / Blind Spots

Where Defenses Are Blind

Combining target level with HTTP version reveals exactly where standard defenses cannot see. Red cells are blind spots that most vendors cannot detect.

05 / The Model

The Complete DDoS Formula

Every DDoS attack in history decomposes into these 5 components.

[Interactive formula not captured in the extracted text; the term labels that survive are Detection Difficulty, Deadliness and Asymmetry.]

06 / Paradox

The Protocol Paradox

Better protocols are simultaneously harder to overwhelm AND introduce new attack surfaces. Empirical testing (IIS on GCP) showed HTTP/1.1 dies at 2,500 RPS while HTTP/2 survives to 10,000 RPS - a 4x resilience boost. But HTTP/2 enables Rapid Reset, which no vendor in our test detected.

HTTP/1.1 KILL THRESHOLD: 2,500 RPS to DoS
HTTP/2 KILL THRESHOLD: 10,000 RPS to DoS (4x more resilient)
WHY H/2 IS MORE RESILIENT: HPACK compresses 400-byte headers to ~30 bytes. Binary framing parses faster than text scanning. Multiplexing on 1 connection = fewer sockets and TLS sessions.
WHY H/2 IS MORE DANGEROUS: Stream-level attacks (Rapid Reset, CONTINUATION, Stream Exhaustion) don't exist on H/1.1. They're invisible to L4 firewalls. 0 of 10 vendors detected our 75 RST_STREAM probe.
NET RESULT: Script kiddie with GET flood? H/2 saves you. Advanced attacker with Rapid Reset? H/2 kills you. The correct posture: use H/2 for efficiency, deploy H2-aware L7 inspection to cover the new blind spots.
07 / Reality Check

Vendor Protection Reality

We tested 10 major CDN/WAF vendors with gentle probes (50 RST_STREAM cycles, 20 PINGs, 5 stream holds, Slowloris drip). These are the actual results from April 2026.

[Results table not captured in the extracted text. Columns: Vendor, RST detect, Ping limit, Stream hold, Slowloris, Downgrade, H3/QUIC, TLS ms.]
KEY FINDING: 0 of 10 vendors detected 75 rapid RST_STREAM cycles. This doesn't mean they can't - our probe volume is below real attack thresholds (1000+ RSTs/sec). But it means detection requires sustained attack-level traffic.
DIFFERENTIATOR: Stream Hold is the test that separates vendors. Only Google GFE and Radware killed idle POST streams within 5 seconds. Everyone else held them 15+ seconds.
CAVEAT: These are point-in-time results from semi-active probing. Vendors may have detection at higher thresholds, behavioral ML that needs sustained patterns, or premium-tier features not tested here.
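The two blind spots the page keeps returning to, the stream multiplier of section 02 (100 streams inside one connection) and the Rapid Reset gap of sections 06 and 07 (75 RST_STREAM cycles going undetected while real attacks run at 1000+ RSTs/sec), as an added example that is not part of the original page or of its test harness: a small Python analyser over a constructed HTTP/2 frame log that does the per-connection stream and RST_STREAM accounting an H2-aware L7 inspector needs. The log format, connection ids, sample traffic and the 1000 RST/s threshold (taken from the page's stated attack level) are all assumptions for this demo.

```python
from collections import defaultdict, deque

RST_RATE_THRESHOLD = 1000  # RST_STREAM frames/second/connection; assumed from the page's "1000+ RSTs/sec"

def parse_frame_line(line):
    """Constructed log format: '<timestamp_s> <connection_id> <frame_type> <stream_id>'."""
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)

def detect_rapid_reset(lines, threshold=RST_RATE_THRESHOLD, window=1.0):
    """Return {conn: peak RST_STREAM count in any `window`-second span} for connections above `threshold`."""
    recent = defaultdict(deque)  # per connection: RST_STREAM timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        ts, conn, frame, _ = parse_frame_line(line)
        if frame != "RST_STREAM":
            continue
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward, dropping stale resets
            q.popleft()
        peak[conn] = max(peak[conn], len(q))
    return {c: n for c, n in peak.items() if n > threshold}

def peak_open_streams(lines):
    """Peak simultaneously open streams per connection (an L4 firewall counts all of this as one connection)."""
    open_streams = defaultdict(set)
    peak = defaultdict(int)
    for line in lines:
        _, conn, frame, sid = parse_frame_line(line)
        if frame == "HEADERS":
            open_streams[conn].add(sid)
        elif frame in ("RST_STREAM", "END_STREAM"):
            open_streams[conn].discard(sid)
        peak[conn] = max(peak[conn], len(open_streams[conn]))
    return dict(peak)

def rapid_reset_sample(conn, count, spacing):
    """Constructed log: `count` HEADERS/RST_STREAM pairs on odd stream ids, one per `spacing` s, reset half-way."""
    lines = []
    for i in range(count):
        t = i * spacing
        lines.append(f"{t:.5f} {conn} HEADERS {2 * i + 1}")
        lines.append(f"{t + spacing / 2:.5f} {conn} RST_STREAM {2 * i + 1}")
    return lines

PROBE_LOG = rapid_reset_sample("c-probe", 75, 0.01)       # the page's gentle 75-cycle probe: under threshold
ATTACK_LOG = rapid_reset_sample("c-attack", 1001, 0.0005)  # attack-level burst: 1001 resets inside 0.5 s
MUX_LOG = [f"{i * 0.001:.5f} c-mux HEADERS {2 * i + 1}" for i in range(100)]  # 100 live streams, 1 connection
```

Running `detect_rapid_reset` on PROBE_LOG returns nothing while ATTACK_LOG is flagged, which is the page's point that a probe below the rate threshold says little about what the vendor would catch under sustained traffic; lowering `threshold` shows where a stricter policy would start to see the probe.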