VPN Guide

Do VPNs Stop DDoS Attacks?

VPNs can do a lot, but can they protect against DDoS attacks?

All of our content is written by humans, not robots. Learn More
Aliza Vigderman
Gabe TurnerChief Editor
Last Updated Feb 21, 2024
By Aliza Vigderman & Gabe Turner on Feb 21, 2024

Picture this: you’re playing your favorite multiplayer video game when suddenly, you’re disconnected. You try to Google the problem, but that doesn’t work either. In fact, your internet connection is cut off entirely. The culprit? A distributed denial-of-service, or DDoS, attack.

A DDoS attack can take down an internet connection, website, or application. The effects range from the inconvenient (like losing a game) to devastating (like losing customers). Thankfully, there are things you can do to prevent them. Things like using a VPN.

Surfshark VPN Multihop
Surfshark VPN Multihop Server Locations

The Best VPNs to Stop DDoS Attacks

Cybercriminals and hackers are seemingly everywhere on the internet these days. And with DDoS attacks on the rise, it’s important to surf safely on the web. Here are our top picks for VPNs that can protect against DDoS attacks (we’ve personally tested every one of them):

Editor's Rating:
9.7 /10
Editor's Rating:
9.5 /10
Editor's Rating:
9.4 /10

Do VPNs Stop DDoS Attacks?

Generally speaking, yes, VPNs can stop DDoS attacks. A primary benefit of a VPN is that it hides IP addresses. With a hidden IP address, DDoS attacks can’t locate your network, making it much harder to target you. Additionally, VPNs encrypt web traffic, creating a tunnel between your computer and network, thus hiding activity from your internet service provider (ISP).

However, a VPN is not a foolproof solution to stop a DDoS attack. If a hacker already knows your computer’s IP address, then there isn’t much a VPN can do. Not to mention that sometimes hackers go straight to the VPN companies’ servers. If the company itself has poorly implemented DDoS attack protection, its users are likely unsafe. While VPNs can’t stop DDoS attacks in progress or already in servers, they can stop attacks once the VPN is set up on your devices.

NordVPN's Mac app
NordVPN’s Mac app

What Is a DDoS Attack?

Let’s back up for a second. What is a DDoS attack? “DDoS” stands for “distributed denial of service,” which is a type of cyberattack that forces people offline. Hackers’ goals in committing DDoS attacks are to flood a network with unwanted requests and traffic. Subsequently, a site can’t handle the influx any further, preventing legitimate traffic from coming through.

DDoS Attack Statistics

When the FBI shut down 15 DDoS-for-hire sites in December 2018,1 cybersecurity experts hoped it would slow the attacks down. Unfortunately, they’re still going strong. DDoS attacks surged 200 percent in 2023, according to one estimate.2

DDoS vs. DoS

Now, let’s get into some deeper technicalities. Denial-of-service (DoS) attacks, while seemingly similar to DDoS attacks, have some important differences. Firstly, a single source perpetrates DoS attacks, while multiple sources perpetuate DDoS attacks. From there, DoS attacks fall into two major categories:

  • Application attacks: Application attacks put operational strain on the software serving the requests so that it cannot handle additional requests.
  • Network attacks: These attacks saturate bandwidth by overwhelming a server with force or flooding it with malformed requests. As firewall configurations have advanced, these types of attacks have become less common.

To summarize:

Source Multiple computers One computer
Speed Faster Slower
Threat level High Low to medium
Malware involved? Yes, a botnet can be made up of infected PCs No

How Do DDoS Attacks Work?

A DDoS attack is when an attacker or multiple attackers make it impossible for a service to be delivered. They do this by blocking access to:

  • Servers
  • Devices
  • Services
  • Networks
  • Applications
  • Specific transactions within applications

The attacks drown systems with requests for data. This can mean sending a web server so many requests to serve a page that it crashes or hitting a database with a high volume of queries. As a result, internet bandwidth, CPU, and RAM capacity become overwhelmed.

Types of DDoS Attacks

There are three types of DDoS attacks:

  • Volume-based attacks: The most basic type of DDoS attacks, volume-based attacks use massive amounts of fabricated traffic to overwhelm a website or server. They include ICMP, UDP, and spoofed-packet flood attacks.
  • Protocol or network-layer DDoS attacks: These attacks consume server resources to force a network offline. If that’s not possible, they’ll eat up load balancer and firewall resources instead. Some types of protocol attacks are the Ping of Death, SYN flood, and Smurf DDoS.
  • Application-layer attacks: These attacks tend to target the layer where the web server responds to requests and generates webpages. The server is hit with requests to the point where it can’t handle them anymore and crashes.

Who Performs DDoS Attacks?

Cybercriminals and hackers use botnets, networks of malware-infected computers, to deploy DDoS attacks. This makes it hard to trace the crime3 to any particular person.

What Is the Motive Behind DDoS Attacks?

There are many reasons why cybercriminals would use a DDoS attack. Hackers can use DDoS attacks to extort companies and gain notoriety within the hacker community. Additionally, cyberterrorists use DDoS attacks to slow down websites of utility companies, banks, and even entire governments.

DOS and DDoS attacks are definitely not legal, at least not in the United States, where they fall under federal statutes.4 Participants risk being charged with both criminal and civil complaints. The Computer Fraud and Abuse Act prohibits a person from “knowingly caus[ing] the transmission of a program, information code, or command, and as a result of such conduct, intentionally caus[ing] damages without authorization to a protected computer.” DDoS attacks are the transmission of a program, information code, or command, damaging the integrity or availability of data, a program, a system, or information, so they are classified as an illegal activity.

How Do I Know if I’ve Been DDoSed?

These are some of the warning signs that you’ve been DDoSed:

  • Website down
  • Lack of access to website management
  • Slow response
  • Loss of internet access
Slow internet speeds due to a DDoS attack
Slow internet speeds due to a DDoS attack

What To Do if You’re DDoSed

If you didn’t get your VPN set up in time and got DDoSed, there are some steps you can take:

  1. If you manage your website, put it into maintenance mode to prevent loss of website data.
  2. Inform your company management team of the issue.
  3. Call your ISP and tell them that you are under attack.
  4. Call any other third parties responsible for service delivery or perimeter security management to let them know that you are under attack.
  5. Capture as much information as possible, such as:
    1. Time the event started
    2. Duration of event
    3. Traffic statistics, if possible, to show traffic throughput
    4. Server logs
    5. Changes that might take place during or soon after the DDoS event
  6. Update your location by changing your IP address.
  7. If things are still out of hand after you complete those steps, take more serious actions, like contacting law enforcement. You can fill out a ticket with the FBI’s Internet Crime Complaint Center here.

DDoS, VPNs, and Gaming

DDoS attacks are a particular threat during gaming sessions. A VPN is a good way to protect against DDoS attacks during sessions because of hidden IP addresses. We compiled the best VPNs for gaming, but gamers can also protect themselves by not accepting unknown video call requests and by getting routers with built-in DDoS attack protection.

Playing Call of Duty with a VPN and testing latency with packet loss
Playing Call of Duty with a VPN and testing latency with packet loss

Pro Tip: Changing to a server near your location can increase speed. VPNs with a lot of servers give more options for switching

How To Prevent DDoS Attacks

While getting a VPN is a great step to prevent DDoS attacks, you should take other precautions to avoid catastrophe. In addition to using a VPN service, we recommend these best practices:

  1. Have a singular point of failure elimination. Architect your systems so that there are multiple entry points, making it harder to target your site.
  2. Use DDS rules. Make sure your hosting system has built-in DDS functionality, which can monitor traffic and allow access only to users who meet your specific criteria.
  3. Limit the number of entries to your data. Allow access to sensitive data to as few people as possible. This limits exposure and therefore risk.

What Is a VPN?

We hear about them all the time, but what is a VPN, really? Virtual private networks (VPNs) create an encrypted tunnel between your computer and a network, typically a public Wi-Fi network. This means all of your web traffic, along with your IP address, will be hidden from the ISP.

How Does a VPN Work?

VPNs work by connecting a user’s device and a (typically public) network via encrypted tunnel. The tunnel encrypts the user’s online activity and hides their IP address, replacing it with the IP address of the private server the user connected to. To transmit the data from the device to the private server, VPNs use internet protocols that put the data in packets and make sure it gets sent in the proper order. In case the VPN fails, most come with kill switches that will shut down all windows or apps with web traffic, leaving the user protected and private online.

Watch Out: One of the downsides of a VPN is that it can bog down your system, causing it to run slower.

What To Look For in a VPN

There are many criteria to consider when you’re choosing a VPN. These are the most important features to keep an eye out for:

    • Number of servers: Logging in to different servers can lead to a whole different internet experience, especially when you’re watching Netflix with a VPN.
NordVPN Chrome app connected to Japan while looking at Netflix
NordVPN Chrome app connected to Japan while looking at Netflix
  • Speed: The trade-off for VPN security is typically speed, and you don’t want to slow down your computer or devices too much.
Internet speed test results while connected to ExpressVPN
Internet speed test results while connected to ExpressVPN
  • Encryption: We check for AES-256, the gold standard for encryption.
  • Privacy policy: Make sure the company is not keeping track of too much data, especially unnecessary information like your browsing activity or IP address.
  • Headquarters location: Where companies are based has implications for what data laws they have to abide by and if they can be forced to surrender your data to the government. We prefer VPN companies headquartered in countries outside the jurisdiction of the Five Eyes, Nine Eyes, and 14 Eyes alliance or in countries with no strict data retention laws.
  • Kill switch: A kill switch is a fail-safe that automatically shuts down activity in the unlikely event that a VPN disconnects.
Kill Switch Configuration
Kill Switch Configuration
  • IP addresses: These can be dynamic or static. Dynamic IP addresses change every time you connect to the VPN, and static IP addresses don’t change. Dynamic is preferable, but static is OK if many users share the IP address.
  • Cost: A service might have everything you need, but it still needs to fit into your budget. There are free VPNs, which typically have some data limitations, and paying for a service can cost anywhere from $2 to $20 per month, depending on how long of a contract you sign up for and how many devices you want to connect.
  • Customer service options: We prefer a variety of customer support options, including email, live chat, and phone.


VPNs are a great way to stop DDoS attacks, but not 100 percent of the time. VPN companies could have poorly implemented DDoS protection, and attackers might already have your IP address, in which case there’s not much a VPN can do. However, when used correctly and set up in advance of an attack, VPNs are one of the best tactics to prevent DDoS attacks.

Most Common Questions

Here are the questions we get most frequently about VPNs and stopping DDoS attacks.

  • Does changing your IP stop DDoS attacks?

    No, if you are already under a DDoS attack, resetting your IP address won’t help much. However, resetting your IP address every few days is a good habit to develop if you’ve been the target of multiple DDoS attacks, or if you’re a streamer or a highly visible gamer. While changing your IP address won’t prevent an attacker from searching for your new IP address, it can delay them from finding it.

  • Are DDoS attacks illegal?

    Yes, DDoS attacks are illegal under the U.S. Computer Fraud and Abuse Act. Starting a DDoS attack against a network without permission will cost perpetrators up to 10 years in prison and up to $500,000 in fines.

  • How can I tell if I'm being DDoSed?

    There are a few telltale signs of being DDoSed. You’ll notice that your server slows down and responds with a 503 due to service outage. The TTL (time to live) on a ping request could time out, or, if you use the same connection for internal software, your employees could notice speed issues. Log analysis solutions could also show a huge spike in traffic, indicating that not all traffic is organic.

  • Can you call the cops for a DDoS attack?

    You can report a DDoS attack to law enforcement if you were threatened or blackmailed, or if you lost money as a result of the attack. In most cases, contact your national web crime unit. In the U.S., file a complaint online with the FBI’s Internet Crime Complaint Center.

  1. Cisco. (2020). Cisco Annual Internet Report (2018–2023) White Paper.

  2. Cyber Magazine. Zayo Group confirms DDoS attacks in 2023 are up 200%.

  3. Department of Homeland Security. (2021). Distributed Denial of Service Defense.

  4. DDoS Protection Services. (2014). Is DDoS Illegal Or An Act Of Protest?

  5. FBI. (2021). Internet Crime Compliance Center.