When it comes to DDoS attacks, there are 2 primary types:
A Volumetric attack with the goal of saturating the pipe on the target network.
A Trickle attack with the goal of tying up the resources of the target network while generating the least amount of bandwidth.
These 2 methods manifest in different ways. Volumetric attacks consume large amounts of bandwidth, which shows up as a saturated internet link.
A trickle attack manifests as a high PPS (Packets Per Second) rate. For example, a DDoS attack against a SIP server has the goal of tying up the server so it won't accept a legitimate call; this does not require a large amount of bandwidth.
Volumetric attacks usually require amplification and many hosts to accomplish their goal, while trickle attacks can be launched from as few as one machine.
An example of a trickle attack is a slowloris attack, which uses a slow process to tie up resources on a web server until it crashes due to resource exhaustion:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)
Mechanisms such as mod_security can be used in this case to rate limit traffic from a single host. Others include mod_evasive, firewalls, and IPS, which keep track of connections from a specific source and rate limit the traffic or drop it entirely.
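To make the per-source tracking described above concrete, here is an added example (not code from mod_security, mod_evasive or any other product) that replays constructed connection events and decides per source whether to allow, rate limit or drop. The class name, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque

class SourceTracker:
    """Track connections per source: cap concurrent ones and the new-connection rate."""

    def __init__(self, max_open=5, max_new=10, window=1.0):
        self.max_open, self.max_new, self.window = max_open, max_new, window
        self.open = defaultdict(set)      # src -> ids of connections still held open
        self.recent = defaultdict(deque)  # src -> timestamps of recent attempts

    def on_open(self, src, conn, ts):
        attempts = self.recent[src]
        while attempts and ts - attempts[0] > self.window:
            attempts.popleft()            # forget attempts outside the sliding window
        attempts.append(ts)
        if len(self.open[src]) >= self.max_open:
            return "drop"                 # many held-open connections, little bandwidth
        if len(attempts) > self.max_new:
            return "rate_limit"           # too many new connections inside the window
        self.open[src].add(conn)
        return "allow"

    def on_close(self, src, conn):
        self.open[src].discard(conn)      # no-op for connections that were never admitted

def replay(events, tracker):
    """events: (ts, src, conn, 'open'|'close'); returns {src: Counter of decisions}."""
    result = defaultdict(Counter)
    for ts, src, conn, kind in sorted(events, key=lambda e: e[0]):
        if kind == "open":
            result[src][tracker.on_open(src, conn, ts)] += 1
        else:
            tracker.on_close(src, conn)
    return result

def sample_events():
    """Constructed traffic; sources are documentation addresses, thresholds are assumptions."""
    ev = []
    for i in range(8):    # normal client: opens a connection, closes it 0.2 s later
        ev += [(i * 2.0, "198.51.100.7", f"n{i}", "open"),
               (i * 2.0 + 0.2, "198.51.100.7", f"n{i}", "close")]
    for i in range(12):   # slow client: one connection every 2 s, never closed
        ev.append((i * 2.0 + 0.5, "203.0.113.9", f"s{i}", "open"))
    for i in range(30):   # burst client: 30 short connections within 0.3 s
        t = 5.0 + i * 0.01
        ev += [(t, "192.0.2.50", f"b{i}", "open"), (t + 0.005, "192.0.2.50", f"b{i}", "close")]
    return ev

if __name__ == "__main__":
    for src, counts in replay(sample_events(), SourceTracker()).items():
        print(src, dict(counts))
```

The slow client never exceeds the new-connection rate, so only the cap on held-open connections catches it, which is why a trickle attack needs connection tracking rather than a bandwidth threshold.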
See my latest video on this topic.
Please let me know if you have any questions!