CC Attack vs DDoS Attack: Understanding the Difference and How to Protect Against Both

Summary: CC (Challenge Collapsar) attacks and DDoS (Distributed Denial of Service) attacks both cause service disruption, but they work differently. CC attacks target application resources, while DDoS attacks target network resources. Discover the differences between CC and DDoS attacks, and how to defend against both with integrated edge protection.


The confusion:

You're under attack. Your website is slow or offline. You search for solutions and find two terms: "CC attack" and "DDoS attack."

The question: Are they the same thing? Which one is affecting you? How do you defend against them?

The reality: CC attacks and DDoS attacks are different—but many businesses confuse them, choose the wrong defense, and remain vulnerable.

The solution: Understand the differences between CC and DDoS attacks, and implement integrated defense that protects against both.

Let's explore the differences between CC and DDoS attacks, how to identify which type of attack you're facing, and how to defend against both with edge-based protection.

What is a DDoS Attack?

Definition

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

Key Characteristics:

  • Distributed: Attack launched from multiple sources (botnets)
  • Denial of Service: Goal is to make service unavailable
  • Volume-based: Relies on overwhelming traffic volume

How DDoS Attacks Work

Attack Process:

  1. Attacker compromises thousands/millions of devices (botnet)
  2. Attacker commands botnet to send traffic to target
  3. Target's infrastructure (network, servers) overwhelmed
  4. Service becomes unavailable (slow or offline)

Attack Vectors:

  • Volumetric (L3): UDP floods, ICMP floods, amplification attacks
  • Protocol (L4): SYN floods, ACK floods, connection exhaustion
  • Application (L7): HTTP floods, slowloris, DNS query floods

DDoS Attack Examples

Volumetric Attack:

  • Attackers send 500 Gbps of UDP traffic
  • Target's 1 Gbps connection overwhelmed
  • Service becomes unavailable

Protocol Attack:

  • Attackers send 10M SYN packets/second
  • Target's TCP connection table exhausted
  • New connections can't be established

Application Attack:

  • Attackers send 1M HTTP requests/second
  • Target's web server can't handle requests
  • Website becomes slow or offline

What is a CC Attack?

Definition

A CC (Challenge Collapsar) attack is a type of application-layer DDoS attack that targets specific application resources (usually login pages, payment pages, or APIs) by sending legitimate-looking requests that consume application resources.

Key Characteristics:

  • Application-layer: Targets Layer 7 (HTTP/HTTPS)
  • Resource-intensive: Consumes CPU, memory, database connections
  • Legitimate-looking: Requests look like normal user traffic

How CC Attacks Work

Attack Process:

  1. Attackers identify resource-intensive pages (login, checkout, search)
  2. Attackers send requests to those pages continuously
  3. Each request consumes application resources (CPU, memory, database)
  4. Application resources exhausted
  5. Service becomes unavailable (only for targeted pages)

Attack Vectors:

  • Login Page CC: Repeated login attempts (password guessing + resource exhaustion)
  • Search CC: Repeated search queries (database-intensive)
  • Checkout CC: Repeated checkout attempts (payment processing + inventory)
  • API CC: Repeated API calls (business logic intensive)

CC Attack Examples

Login Page CC Attack:

  • Attackers send 10K login attempts/minute
  • Each attempt validates password (CPU-intensive)
  • Database queried for each attempt (I/O-intensive)
  • Login page becomes unavailable (legitimate users can't log in)

Search CC Attack:

  • Attackers send 5K search queries/minute
  • Each query executes complex database search (I/O-intensive)
  • Database connections exhausted
  • Search function becomes unavailable

Checkout CC Attack:

  • Attackers send 1K checkout attempts/minute
  • Each attempt checks inventory, validates payment (resource-intensive)
  • Payment gateway rate limits hit
  • Checkout function becomes unavailable

Key Differences: CC Attack vs DDoS Attack

Comparison Table

| Characteristic | DDoS Attack | CC Attack |
|---|---|---|
| Target Layer | L3/L4/L7 (network, transport, application) | L7 (application) only |
| Attack Method | Volume overwhelm | Resource exhaustion |
| Traffic Pattern | High volume, low sophistication | Low volume, high sophistication |
| Resource Targeted | Network bandwidth, connection tables | Application CPU, memory, database |
| Detection | Easy (traffic spike) | Difficult (looks like legitimate traffic) |
| Mitigation | Rate limiting, traffic scrubbing | Application-layer filtering, CAPTCHA |
| Typical Duration | Hours to days | Days to weeks |
| Cost to Attacker | Low (botnet rental) | Medium (requires more sophisticated tools) |

When to Suspect Each Attack

Suspect DDoS Attack When:

  • Network bandwidth saturated
  • All services slow or offline (not just specific pages)
  • Attack traffic volume high (hundreds of Gbps to Tbps)
  • Network metrics show abnormal traffic patterns

Suspect CC Attack When:

  • Specific pages slow or offline (login, checkout, search)
  • Network bandwidth not saturated
  • Application server CPU/memory high
  • Database connections exhausted
  • Traffic patterns look legitimate (normal user agents, normal request patterns)

Why Traditional Defenses Fail

Against DDoS Attacks

Rate Limiting:

  • Problem: Attackers distribute across thousands of IPs
  • Result: Each IP stays within its rate limit, but the combined traffic still overwhelms the target

WAF Rules:

  • Problem: WAFs designed for application attacks, not volumetric attacks
  • Result: Volumetric attacks bypass WAF (WAF doesn't check traffic volume)

Origin Server Capacity:

  • Problem: Attack volume exceeds server capacity (10x, 100x, 1000x)
  • Result: Server overwhelmed, service unavailable

Against CC Attacks

Rate Limiting:

  • Problem: Attackers mimic legitimate user behavior (slow, realistic timing)
  • Result: Rate limits don't trigger (traffic looks normal)
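
Added example (not part of the original article and not any vendor's code): the Python below runs a per-IP limit and a per-URL aggregate check over a constructed one-minute access log. It shows how many clients sending a few requests each to /login stay under the per-IP limit while the per-URL view exposes the spike. The limit, baselines, spike factor and addresses are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 10   # assumed policy: max requests per client per window
SPIKE_FACTOR = 5    # assumed: alert when a path exceeds 5x its baseline
BASELINE = {"/": 200, "/products": 200, "/login": 30}  # assumed normal req/min

def sample_events():
    """Constructed one-minute access log: (second, client_ip, path)."""
    events = []
    for i in range(200):                       # 200 clients, 3 logins each
        for n in range(3):
            events.append((n * 20, f"198.51.100.{i + 1}", "/login"))
    for i in range(20):                        # ordinary browsing
        for n in range(5):
            events.append((n * 10, f"192.0.2.{i + 1}", "/"))
    events += [(s, "192.0.2.99", "/") for s in range(40)]  # one noisy client
    return events

def analyze(events, window=60):
    """Return (IPs over the per-IP limit, per-URL spike alerts)."""
    per_ip, per_path = Counter(), Counter()
    path_clients = defaultdict(Counter)
    for second, ip, path in events:
        bucket = second // window
        per_ip[(bucket, ip)] += 1
        per_path[(bucket, path)] += 1
        path_clients[(bucket, path)][ip] += 1
    ip_violations = sorted({ip for (_, ip), n in per_ip.items()
                            if n > PER_IP_LIMIT})
    url_alerts = []
    for (bucket, path), total in per_path.items():
        # Paths without a baseline are skipped rather than guessed at.
        if total > SPIKE_FACTOR * BASELINE.get(path, total):
            clients = path_clients[(bucket, path)]
            url_alerts.append({"path": path, "requests": total,
                               "clients": len(clients),
                               "max_per_client": max(clients.values())})
    return ip_violations, url_alerts

if __name__ == "__main__":
    print(analyze(sample_events()))
```

The per-IP check only catches the single noisy client; the /login alert carries `max_per_client` so an analyst can see that no individual source looked abusive.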

WAF Rules:

  • Problem: CC attack requests are legitimate (just repeated)
  • Result: WAF allows requests (no malicious patterns detected)

CAPTCHA:

  • Problem: CAPTCHA solvers bypass CAPTCHA with 90%+ success rate
  • Result: Attacks continue, legitimate users annoyed

Application Optimization:

  • Problem: Can't optimize enough to handle 10-100x normal load
  • Result: Resources exhausted despite optimizations

Integrated Defense Against Both Attacks

Edge-Based Multi-Layer Defense

Architecture:

User → Edge Platform (Multi-Layer Defense) → Origin Server

Defense Layers:

Layer 1: DDoS Protection (L3/L4/L7)

  • Volumetric attack protection (25+ Tbps per region)
  • Protocol attack protection (SYN flood, ACK flood mitigation)
  • Application flood protection (HTTP flood, slowloris mitigation)
  • Defends Against: DDoS attacks

Layer 2: WAF (Application Security)

  • OWASP Top 10 protection (SQL injection, XSS, etc.)
  • Positive and negative security models
  • Virtual patching
  • Defends Against: Application-layer DDoS, some CC attacks

Layer 3: Bot Management (CC Attack Defense)

  • Behavioral analysis (typing patterns, mouse movements)
  • Device fingerprinting (canvas, WebGL)
  • CAPTCHA-less challenges
  • Defends Against: CC attacks

Layer 4: Rate Limiting (Smart Rate Limiting)

  • Per-URL rate limiting
  • Per-IP rate limiting
  • Per-user rate limiting
  • Time-window based limits
  • Defends Against: Both DDoS and CC attacks

Real-World Defense Results

Case Study 1: Ecommerce Store - Dual Attack

The Attack:

  • Simultaneous DDoS attack (850 Gbps) + CC attack (login page)
  • DDoS targeted network infrastructure
  • CC targeted login page (legitimate-looking login attempts)

Traditional Defense (Separate Vendors):

  • DDoS protection vendor: Blocked DDoS attack (5 hours to mitigate)
  • WAF vendor: Failed to detect CC attack (traffic looked legitimate)
  • Login page offline for 12 hours
  • Total downtime: 12 hours

Edge Platform Defense (Integrated):

  • DDoS protection: Blocked DDoS attack in 47 seconds
  • Bot management: Detected CC attack via behavioral analysis
  • Login page remained online
  • Total downtime: 0 minutes

Results:

  • 12 hours downtime → 0 minutes downtime
  • $35K revenue loss → $0 revenue loss
  • 18% customer churn → 0% customer churn

Case Study 2: Gaming Platform - CC Attack

The Attack:

  • CC attack targeting game login API
  • 50K login attempts/minute
  • Each attempt validated password (CPU-intensive)
  • Database queried for each attempt (I/O-intensive)

Traditional Defense:

  • Rate limiting: Failed (attackers used rotating IPs)
  • WAF: Failed (requests looked legitimate)
  • CAPTCHA: Partially effective (85% bypassed)
  • Login offline for 8 hours

Edge Platform Defense:

  • Behavioral analysis: Detected non-human typing patterns
  • Device fingerprinting: Detected headless browsers
  • CAPTCHA-less challenges: Blocked 95% of attacks
  • Login remained online

Results:

  • 8 hours downtime → 0 minutes downtime
  • $85K revenue loss → $0 revenue loss
  • 12% player churn → 0% player churn

Key Features for Dual Attack Defense

When choosing protection against both CC and DDoS attacks, ensure it includes:

Multi-Layer Defense (DDoS + WAF + Bot Management)

  • DDoS protection for volumetric/protocol attacks
  • WAF for application-layer attacks
  • Bot management for CC attacks

Behavioral Analysis

  • Typing pattern recognition
  • Mouse movement analysis
  • Page timing analysis
  • Detects CC attack patterns

Device Fingerprinting

  • Canvas, WebGL, audio fingerprinting
  • Browser consistency checks
  • Headless browser detection
  • Identifies automation tools

Smart Rate Limiting

  • Per-URL, per-IP, per-user limits
  • Time-window based limits
  • Burst allowance for legitimate users
  • Blocks both volumetric and resource-exhaustion attacks
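
Added example (not EdgeOne's implementation and not from the original article): a layered token-bucket limiter in Python that applies the per-IP, per-user and per-URL limits listed above, with a burst allowance, and only charges a request when every layer has budget. The class names, the (rate, burst) values and the constructed traffic are assumptions for illustration.

```python
class Bucket:
    """Token bucket: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate, burst, now):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), now

    def refill(self, now):
        elapsed = max(0.0, now - self.stamp)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.stamp = now

class LayeredLimiter:
    """Per-IP, per-user and per-URL limits; (rate, burst) values are assumed."""
    def __init__(self, ip_limit=(1.0, 5), user_limit=(0.5, 3), url_limits=None):
        self.limits = {"ip": ip_limit, "user": user_limit}
        self.url_limits = url_limits or {}
        self.buckets = {}

    def _bucket(self, scope, key, limit, now):
        return self.buckets.setdefault((scope, key), Bucket(*limit, now))

    def check(self, now, ip, user, path):
        """Return None if allowed, else the scope whose budget is exhausted."""
        layers = [("ip", self._bucket("ip", ip, self.limits["ip"], now))]
        if user is not None:
            layers.append(("user", self._bucket("user", user, self.limits["user"], now)))
        if path in self.url_limits:
            layers.append(("url", self._bucket("url", path, self.url_limits[path], now)))
        for _, bucket in layers:
            bucket.refill(now)
        for scope, bucket in layers:
            if bucket.tokens < 1:
                return scope          # deny without charging the other layers
        for _, bucket in layers:
            bucket.tokens -= 1
        return None

def demo():
    """Constructed traffic: one logged-in user, then 40 low-rate clients."""
    limiter = LayeredLimiter(url_limits={"/login": (10.0, 20)})
    alice = [limiter.check(0.0, "192.0.2.10", "alice", "/login") for _ in range(4)]
    crowd = [limiter.check(1.0, f"198.51.100.{i + 1}", None, "/login")
             for i in range(40)]
    return limiter, alice, crowd

if __name__ == "__main__":
    _, alice, crowd = demo()
    print(alice, crowd.count(None), crowd.count("url"))
```

A global per-URL cap protects the backend from distributed low-rate traffic, but once it trips it sheds legitimate requests to that URL as well, so it works as a backstop next to the per-client layers rather than as a replacement for them.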

CAPTCHA-Less Challenges

  • Invisible challenges
  • JavaScript execution tests
  • Zero friction for legitimate users
  • Blocks CC attacks without annoying users

Edge-Based Mitigation

  • Blocks attacks before reaching origin
  • Doesn't consume origin resources
  • Clean traffic billing

Implementation Roadmap

Phase 1: Assessment (7 Days)

  • Analyze current attack patterns (if any)
  • Identify vulnerable application pages (login, checkout, search)
  • Assess current protection capabilities
  • Choose integrated edge platform

Phase 2: Deployment (7 Days)

  • Deploy edge platform
  • Enable all security layers (DDoS, WAF, Bot Management)
  • Configure rate limiting rules
  • Set up behavioral analysis

Phase 3: Testing (7 Days)

  • Test DDoS protection (volumetric attacks)
  • Test CC attack protection (application-layer attacks)
  • Test dual attack scenarios
  • Tune thresholds based on results

Phase 4: Production (Ongoing)

  • Monitor for both attack types
  • Review blocked traffic for false positives
  • Update rules as attack patterns evolve
  • Document procedures

Common Mistakes to Avoid

Mistake 1: Assuming DDoS Protection Defends Against CC Attacks

DDoS protection defends against volumetric attacks. It doesn't defend against CC attacks (which look like legitimate traffic).

Mistake 2: Assuming WAF Defends Against Volumetric DDoS Attacks

WAFs defend against application attacks. They don't defend against volumetric attacks (which overwhelm network bandwidth).

Mistake 3: Choosing Separate Vendors for DDoS, WAF, and Bot Management

Separate vendors don't share threat intelligence. Integrated platforms provide correlated defense against both attack types.

Mistake 4: Not Testing Against Both Attack Types

Test against DDoS attacks AND CC attacks to validate defense capabilities.

Mistake 5: Ignoring Behavioral Analysis

CC attacks look like legitimate traffic. Behavioral analysis reveals patterns that CC attacks can't hide.

The ROI of Dual Attack Defense

Cost of Downtime (Both Attack Types):

  • DDoS attack: $50K-$500K/hour (network saturation)
  • CC attack: $10K-$100K/hour (resource exhaustion)
  • Dual attack: $60K-$600K/hour

Cost of Integrated Defense:

  • Edge platform: $32-$299/month (includes DDoS, WAF, Bot Management)
  • ROI: 100-1000x (depending on business size and revenue)

Example:

  • Business revenue: $2M/month
  • Dual attack downtime: 4 hours
  • Revenue loss: $26,667
  • Integrated defense cost: $299/month
  • First attack ROI: 89x

Take Action Today

CC attacks and DDoS attacks are different—but you need to defend against both. Traditional defenses fail against one or both types of attacks.

Get Started in 3 Steps:

  1. Identify Your Vulnerability - Any public-facing application is vulnerable to both attack types
  2. Choose Integrated Platform - Look for multi-layer defense (DDoS + WAF + Bot Management)
  3. Deploy and Test - Implement platform, test against both attack types

The best platforms offer free trials, integrated defense, and protection against both CC and DDoS attacks. Defend against both today—because attackers use every tool available.


Pricing Plans for Dual Attack Defense

| Plan | Best For | Specifications | Original Price | Promo Price |
|---|---|---|---|---|
| Free | Development | Basic acceleration & security | —— | $0/month |
| Personal | Small Businesses | 50GB + 3M requests, CDN + Security | $4.2/month | $0.9/month |
| Basic | Growing Businesses | 500GB + 20M requests, OWASP TOP 10 | $57/month | $32/month |
| Standard | Enterprise | 3TB + 50M requests, WAF + Bot Management | $590/month | $299/month |

Defend Against Both Attacks Today


Don't confuse CC and DDoS attacks. Both cause service disruption, but they require different defenses. Implement integrated edge protection that defends against both. Try it free today—because attackers use every attack type available.