VPN Guide

Do VPNs Stop DDoS Attacks?

VPNs can do a lot, but can they protect against DDoS attacks?

All of our content is written by humans, not robots. Learn More
Aliza Vigderman
Gabe TurnerChief Editor
Last Updated Nov 14, 2022
By Aliza Vigderman & Gabe Turner on Nov 14, 2022

DDoS attacks are serious and scary. From our point of view, proactive protection is typically the best course of action when it comes to digital security, and that certainly rings true here. In this article, we’ll tell you all we know about distributed denial-of-service (DDoS) attacks and how a VPN can stop them.

The Best VPNs to Stop DDoS Attacks

Editor's Rating:
9.7 /10
Editor's Rating:
9.5 /10
Editor's Rating:
9.4 /10

Do VPNs Stop DDoS Attacks?

Generally speaking, yes, VPNs can stop DDoS attacks. A primary benefit of a VPN is that it hides IP addresses. With a hidden IP address, DDoS attacks can’t locate your network, making it much harder to target you. Additionally, VPNs encrypt web traffic, creating a tunnel between your computer and network, thus hiding activity from your internet service provider (ISP). However, a VPN is not a foolproof solution to stop a DDoS attack. If a hacker already knows your computer’s IP address, then there isn’t much a VPN can do. Not to mention that sometimes hackers go straight to the VPN companies’ servers. If the company itself has poorly implemented DDoS attack protection, its users are likely unsafe. While VPNs can’t stop DDoS attacks in progress or already in servers, they can stop attacks once the VPN is set up on your devices.

What Is a DDoS Attack?

Let’s back up for a second. What is a DDoS attack? “DDoS” stands for “distributed denial of service,” which is a type of cyberattack that forces people offline. Hackers’ goals in committing DDoS attacks are to flood a network with unwanted requests and traffic. Subsequently, a site can’t handle the influx any further, preventing legitimate traffic from coming through.

Surfshark Multihop
Surfshark Multihop Server Locations

DDoS Attack Statistics

It’s predicted that the number of DDoS attacks will double from 7.9 million in 2018 to 15.4 million in 2023.1 However, the acceleration of DDoS attack growth has slowed since the FBI shut down 15 of the largest DDoS-for-hire websites in December 2018.2

DDoS vs. DoS

Now, let’s get into some deeper technicalities. Denial-of-service (DoS) attacks, while seemingly similar to DDoS attacks, have some important differences. Firstly, a single source perpetrates DoS attacks, while multiple sources perpetuate DDoS attacks. From there, DoS attacks fall into two major categories:

  • Application attacks: Application attacks put operational strain on the software serving the requests so that it cannot handle additional requests.
  • Network attacks: These attacks saturate bandwidth by overwhelming a server with force or flooding it with malformed requests. As firewall configurations have advanced, these types of attacks have become less common.

To summarize:

Source Multiple computers One computer
Speed Faster Slower
Threat level High Low to medium
Malware involved? Yes, a botnet can be made up of infected PCs No

How Do DDoS Attacks Work?

A DDoS attack is when an attacker or multiple attackers make it impossible for a service to be delivered. They do this by blocking access to:

  • Servers
  • Devices
  • Services
  • Networks
  • Applications
  • Specific transactions within applications

The attacks drown systems with requests for data. This can mean sending a web server so many requests to serve a page that it crashes or hitting a database with a high volume of queries. As a result, internet bandwidth, CPU, and RAM capacity become overwhelmed.

Types of DDoS Attacks

There are three types of DDoS attacks:

  • Volume-based attacks: The most basic type of DDoS attacks, volume-based attacks use massive amounts of fabricated traffic to overwhelm a website or server. They include ICMP, UDP, and spoofed-packet flood attacks.
  • Protocol or network-layer DDoS attacks: These attacks consume server resources to force a network offline. If that’s not possible, they’ll eat up load balancer and firewall resources instead. Some types of protocol attacks are the Ping of Death, SYN flood, and Smurf DDoS.
  • Application-layer attacks: These attacks tend to target the layer where the web server responds to requests and generates webpages. The server is hit with requests to the point where it can’t handle them anymore and crashes.

Who Performs DDoS Attacks?

Cybercriminals and hackers use botnets, networks of malware-infected computers, to deploy DDoS attacks. This makes it hard to trace the [citaton id=”3″]crime[/citation] to any particular person. There are many reasons why cybercriminals would use a DDoS attack. Hackers can use DDoS attacks to extort companies and gain notoriety within the hacker community. Additionally, cyberterrorists use DDoS attacks to slow down websites of utility companies, banks, and even entire governments.

DDoS attacks are definitely not legal, at least not in the United States, where they fall under federal statutes.4 Participants risk being charged with both criminal and civil complaints, and the same is true for DoS attacks. The Computer Fraud and Abuse Act prohibits a person from “knowingly caus[ing] the transmission of a program, information code, or command, and as a result of such conduct, intentionally caus[ing] damages without authorization to a protected computer.” DDoS attacks are the transmission of a program, information code, or command, damaging the integrity or availability of data, a program, a system, or information, so they are classified as an illegal activity.

How Do I Know if I’ve Been DDoSed?

These are some of the warning signs that you’ve been DDoSed:

  • Website down
  • Lack of access to website management
  • Slow response
  • Loss of internet access

What To Do if You’re DDoSed

If you didn’t get your VPN set up in time and got DDoSed, there are some steps you can take:

  1. If you manage your website, put it into maintenance mode to prevent loss of website data.
  2. Inform your company management team of the issue.
  3. Call your ISP and tell them that you are under attack.
  4. Call any other third parties responsible for service delivery or perimeter security management to let them know that you are under attack.
  5. Capture as much information as possible, such as the following:
    1. Time the event started
    2. Duration of event
    3. Traffic statistics, if possible, to show traffic throughput
    4. Server logs
    5. Changes that might take place during or soon after the DDoS event
  6. Update your location by changing your IP address.
  7. If things are still out of hand after you complete those steps, take more serious actions, like contacting law enforcement by filling out a ticket with the FBI’s Internet Crime Complaint Center5 and contacting those who could have lost data.

DDoS, VPNs, and Gaming

DDoS attacks are a particular threat during gaming sessions. A VPN is a good way to protect against DDoS attacks during sessions because of hidden IP addresses. We compiled the best VPNs for gaming, but gamers can also protect themselves by not accepting unknown video call requests and by getting routers with built-in DDoS attack protection.

McAfee VPN iOS Home Screen Connected
McAfee VPN iOS Home Screen Connected

Pro Tip: Changing to a server near your location can increase speed. VPNs with a lot of servers give more options for switching

How To Prevent DDoS Attacks

While getting a VPN is a great step to prevent DDoS attacks, you should take other precautions to avoid catastrophe. In addition to using a VPN service, we recommend these best practices:

  1. Have a singular point of failure elimination. Architect your systems so that there are multiple entry points, making it harder to target your site.
  2. Use DDS rules. Make sure your hosting system has built-in DDS functionality, which can monitor traffic and allow access only to users who meet your specific criteria.
  3. Limit the number of entries to your data. Allow access to sensitive data to as few people as possible. This limits exposure and therefore risk.

What Is a VPN?

We hear about them all the time, but what is a VPN, really? Virtual private networks (VPNs) create an encrypted tunnel between your computer and a network, typically a public Wi-Fi network. This means all of your web traffic, along with your IP address, will be hidden from the ISP.

How Does a VPN Work?

VPNs work by connecting a user’s device and a (typically public) network via encrypted tunnel. The tunnel encrypts the user’s online activity and hides their IP address, replacing it with the IP address of the private server the user connected to. To transmit the data from the device to the private server, VPNs use internet protocols that put the data in packets and make sure it gets sent in the proper order. In case the VPN fails, most come with kill switches that will shut down all windows or apps with web traffic, leaving the user protected and private online.

Watch Out: One of the downsides of a VPN is that it can bog down your system, causing it to run slower.

What To Look For in a VPN

There are many criteria to consider when you’re choosing a VPN. These are the most important features to keep an eye out for:

  • Number of servers: Logging in to different servers can lead to a whole different internet experience, especially when you’re watching Netflix with a VPN.
  • Speed: The trade-off for VPN security is typically speed, and you don’t want to slow down your computer or devices too much.
Kaspersky VPN Speed Test
Kaspersky VPN Speed Test
  • Encryption: We check for AES-256, the gold standard for encryption.
  • Privacy policy: Make sure the company is not keeping track of too much data, especially unnecessary information like your browsing activity or IP address.
  • Headquarters location: Where companies are based has implications for what data laws they have to abide by and if they can be forced to surrender your data to the government. We prefer VPN companies headquartered in countries outside the jurisdiction of the Five Eyes, Nine Eyes, and 14 Eyes alliance or in countries with no strict data retention laws.
  • Kill switch: A kill switch is a fail-safe that automatically shuts down activity in the unlikely event that a VPN disconnects.
TunnelBear VPN Kill Switch
TunnelBear VPN Kill Switch
  • IP addresses: These can be dynamic or static. Dynamic IP addresses change every time you connect to the VPN, and static IP addresses don’t change. Dynamic is preferable, but static is OK if many users share the IP address.
  • Cost: A service might have everything you need, but it still needs to fit into your budget. There are free VPNs, which typically have some data limitations, and paying for a service can cost anywhere from $2 to $20 per month, depending on how long of a contract you sign up for and how many devices you want to connect.
  • Customer service options: We prefer a variety of customer support options, including email, live chat, and phone.


VPNs are a great way to stop DDoS attacks, but not 100 percent of the time. VPN companies could have poorly implemented DDoS protection, and attackers might already have your IP address, in which case there’s not much a VPN can do. However, when used correctly and set up in advance of an attack, VPNs are one of the best tactics to prevent DDoS attacks.

Most Common Questions

Here are the questions we get most frequently about VPNs and stopping DDoS attacks.

  • Does changing your IP stop DDoS attacks?

    No, if you are already under a DDoS attack, resetting your IP address won’t help much. However, resetting your IP address every few days is a good habit to develop if you’ve been the target of multiple DDoS attacks, or if you’re a streamer or a highly visible gamer. While changing your IP address won’t prevent an attacker from searching for your new IP address, it can delay them from finding it.

  • Are DDoS attacks illegal?

    Yes, DDoS attacks are illegal under the U.S. Computer Fraud and Abuse Act. Starting a DDoS attack against a network without permission will cost perpetrators up to 10 years in prison and up to $500,000 in fines.

  • How can I tell if I'm being DDoSed?

    There are a few telltale signs of being DDoSed. You’ll notice that your server slows down and responds with a 503 due to service outage. The TTL (time to live) on a ping request could time out, or, if you use the same connection for internal software, your employees could notice speed issues. Log analysis solutions could also show a huge spike in traffic, indicating that not all traffic is organic.

  • Can you call the cops for a DDoS attack?

    You can report a DDoS attack to law enforcement if you were threatened or blackmailed, or if you lost money as a result of the attack. In most cases, contact your national web crime unit. In the U.S., file a complaint online with the FBI’s Internet Crime Complaint Center.

  1. Cisco. (2020). Cisco Annual Internet Report (2018–2023) White Paper.

  2. Forbes. (2019). FBI Crackdown Leads To Massive Drop In DDoS Attacks.

  3. Department of Homeland Security. (2021). Distributed Denial of Service Defense.

  4. DDoS Protection Services. (2014). Is DDoS Illegal Or An Act Of Protest?

  5. FBI. (2021). Internet Crime Compliance Center.