Distributed denial of service (DDoS)

A Distributed Denial of Service (DDoS) attack is a malicious activity in which a network of compromised computers floods a target with traffic to make its services unavailable.


Distributed Denial of Service (DDoS) attacks are common and damaging. A DDoS attack tries to make a website and the servers behind it unavailable to real users by having many devices in a botnet send traffic at the same time. DDoS attacks can knock websites offline, disrupt services and cause financial and reputational damage. This entry explains what DDoS attacks are, how they work and how to defend against them.

DDoS attacks are not new; they have been part of the internet for decades, but their frequency, sophistication and impact have increased dramatically in recent years. This entry covers the main types of DDoS attack, the tools and techniques attackers use and some notable examples.

What are DDoS attacks?

A DDoS attack is a malicious attempt to disrupt the normal functioning of a network, service or website by flooding it with internet traffic. The ‘Distributed’ in DDoS refers to the attack traffic coming from many, often thousands of, unique IP addresses at once, which makes blocking a single source ineffective. The flood of traffic crowds out legitimate requests, so real users cannot reach the network, service or website.

DDoS attacks are a type of DoS (Denial of Service) attack, but are far more powerful because of their distributed nature. A DoS attack comes from a single source, whereas a DDoS attack uses a network of computers as sources of attack traffic. These computers are typically infected with malware and controlled by the attacker without their owners’ knowledge.

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack is a type of cyber attack in which a website, server or network resource is flooded with malicious traffic from multiple sources. The goal is to make the target unavailable to real users by consuming its bandwidth, connection capacity, processing power or memory. DDoS attacks are launched for many reasons, including disrupting a business, extortion (demanding payment to stop an attack or not to start one) and competitive advantage.

The DDoS attack process

A DDoS attack involves three parties: the victim, the attacker and the bots, or ‘zombie computers’. The attacker sends instructions to the network of bots they control, the botnet, directing all of them to send traffic to the victim’s network or website. The combined traffic floods the victim’s infrastructure, slowing it down or crashing it.

Which resource the flood exhausts depends on the type of attack: raw network bandwidth, the connection-handling capacity of servers and network devices, or the processing capacity of the application itself. The main types are described below.

An attacker can build a botnet in several ways: by infecting computers with malware, by exploiting software or hardware vulnerabilities (unpatched IoT devices are a frequent target) or by using social engineering to trick users into installing malicious software. Once a device is part of a botnet, the attacker can control it remotely, usually without the owner noticing.

How DDoS Attacks Work

DDoS attacks rely on a network of compromised devices, a botnet, under an attacker’s control. The botnet floods the target system with traffic so that real users cannot reach it. Attackers use a range of tools and techniques, including malware that recruits devices into botnets and amplification attacks that abuse third-party servers to multiply the traffic the botnet can generate.

Types of DDoS attacks

There are several types of DDoS attack, each with its own characteristics and methods. The most common categories are volume-based (volumetric) attacks, protocol attacks and application layer attacks. Volumetric attacks saturate the bandwidth of the victim’s network, protocol attacks exhaust the connection-handling capacity of the victim’s servers and network equipment, and application layer attacks overload specific applications running on the victim’s network.

Each type requires a different approach to mitigation, so organisations need to know what type of attack they are facing. For example, a volumetric attack can only be absorbed with more capacity than the attacker can generate, which in practice means filtering upstream at a provider rather than simply buying more bandwidth, while an application layer attack may be blunted by rate limiting or by fixing the resource-heavy endpoints it targets. Common mitigation options are managed DDoS protection services, Web Application Firewalls (WAF) and Content Delivery Networks (CDN).

Application Layer DDoS

Application layer DDoS attacks target Layer 7 of the OSI model, the layer on which web applications and the protocols they use (such as HTTP and DNS) operate. Rather than overwhelming the network, they overwhelm the application itself with requests that look legitimate but are expensive to serve, such as search queries, login attempts or page loads that hit the database. They are the hardest to detect and mitigate, because each request resembles a real user’s, and among the easiest to launch, because relatively little bandwidth is needed. Common techniques are HTTP floods and ‘low and slow’ attacks that hold many connections open with deliberately incomplete requests (Slowloris is the best-known example).
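
The detection side of what the paragraph above describes, as an added example that is not code from the original page: an HTTP flood looks like ordinary requests, so the per-client request rate against expensive endpoints is the signal. The access log lines are constructed for the example (Apache/Nginx ‘combined’ format, TEST-NET addresses, a hypothetical /search endpoint).

```python
"""Detect an HTTP request flood in web-server access logs.

Added example, not code from the original page. An application layer
DDoS is made of requests that each look legitimate, so byte volume is a
weak signal; what stands out is the request rate per client, especially
against endpoints that are expensive to serve. The log lines are
constructed for the example (Apache/Nginx "combined" format, TEST-NET
addresses, a hypothetical /search endpoint).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def detect_floods(lines, window_s=10, max_load=50, expensive_paths=("/search",)):
    """Return {ip: peak_load} for clients whose weighted request count in any
    window_s-second sliding window exceeds max_load. A request to one of the
    expensive_paths counts double: a search or login costs the backend far more
    than serving a static file, which is exactly what the attacker exploits."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        weight = 2 if rec["path"].split("?")[0] in expensive_paths else 1
        per_ip[rec["ip"]].append((rec["ts"].timestamp(), weight))

    offenders = {}
    for ip, events in per_ip.items():
        events.sort()
        start, load, peak = 0, 0, 0
        for t, w in events:
            load += w
            # slide the window forward: drop events older than window_s
            while t - events[start][0] > window_s:
                load -= events[start][1]
                start += 1
            peak = max(peak, load)
        if peak > max_load:
            offenders[ip] = peak
    return offenders


def make_line(ip, ts, path, status=200, size=512):
    """Build a constructed combined-format log line for the sample below."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


_BASE = datetime(2024, 11, 15, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample: one bot fires 40 search requests in four seconds,
# one real visitor makes eight requests over 35 seconds.
SAMPLE_LOG = (
    [make_line("203.0.113.7", _BASE + timedelta(seconds=i // 10), f"/search?q={i}")
     for i in range(40)]
    + [make_line("198.51.100.20", _BASE + timedelta(seconds=5 * i),
                 "/index.html" if i % 2 == 0 else "/search?q=ddos")
       for i in range(8)]
)

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG))  # {'203.0.113.7': 80}
```

The thresholds are placeholders: in practice they are tuned per endpoint from a baseline of normal traffic, and the same logic is usually run at the CDN or WAF edge rather than on the origin server, so that flagged clients can be challenged or dropped before they consume backend capacity.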

Protocol DDoS Attacks

Protocol attacks target weaknesses in the way Layer 3 and Layer 4 protocols (IP, TCP, ICMP) are processed. Instead of saturating bandwidth, they exhaust the state tables and packet-processing capacity of servers, firewalls and load balancers, which must keep track of every connection or fragment they see. Typical techniques are SYN flooding, in which the attacker sends a stream of TCP SYN packets, usually from spoofed addresses, and never completes the handshake, leaving the target with a table full of half-open connections, and ICMP flooding, in which the target is swamped with echo requests it has to answer.
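
The SYN flood mechanism above, turned into a detector, as an added example that is not code from the original page: it keeps its own half-open connection table and alarms on a window where SYNs arrive far faster than handshakes complete. The packet records, addresses and thresholds are constructed for the example.

```python
"""Flag a TCP SYN flood by tracking half-open connections.

Added example, not code from the original page. A SYN flood sends a stream
of SYN packets, usually from spoofed source addresses, and never completes
the three-way handshake, so the target's half-open connection table fills
up. The detector below keeps its own half-open table and alarms on any
one-second window in which SYNs arrive far faster than handshakes complete.
The packet records are constructed for the example; real input would come
from a packet capture or flow export.
"""
from collections import namedtuple

# flags uses tcpdump's notation: "S" = SYN, "S." = SYN-ACK, "." = ACK only
Pkt = namedtuple("Pkt", "t src sport dst dport flags")


def analyse_syn_flood(packets, window_s=1.0, max_syn_rate=100, min_completion=0.5):
    """Return (per-window stats, flagged window ids, half-open connections left).

    A window is flagged when its SYN rate exceeds max_syn_rate per second and
    fewer than min_completion of those SYNs were followed by the client's ACK.
    """
    half_open = set()           # (src, sport, dst, dport) with SYN seen, no final ACK
    windows = {}
    for p in sorted(packets, key=lambda p: p.t):
        w = int(p.t // window_s)
        st = windows.setdefault(w, {"syn": 0, "completed": 0, "sources": set()})
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            st["syn"] += 1
            st["sources"].add(p.src)
            half_open.add(key)
        elif p.flags == "." and key in half_open:
            # third step of the handshake from the same 4-tuple: connection established
            half_open.discard(key)
            st["completed"] += 1

    flagged = []
    for w, st in sorted(windows.items()):
        rate = st["syn"] / window_s
        completion = st["completed"] / st["syn"] if st["syn"] else 1.0
        if rate > max_syn_rate and completion < min_completion:
            flagged.append(w)
    return windows, flagged, len(half_open)


SERVER = ("203.0.113.10", 443)

# Constructed traffic: 20 genuine handshakes in the first second, then a flood of
# 500 SYNs from 500 different (spoofed) addresses in the second one, none completed.
SAMPLE_PACKETS = []
for i in range(20):
    t = i * 0.04
    SAMPLE_PACKETS.append(Pkt(t, "198.51.100.20", 50000 + i, *SERVER, "S"))
    SAMPLE_PACKETS.append(Pkt(t + 0.01, "198.51.100.20", 50000 + i, *SERVER, "."))
for i in range(500):
    src = f"198.18.{i // 250}.{1 + i % 250}"   # 500 distinct spoofed sources
    SAMPLE_PACKETS.append(Pkt(1.0 + i * 0.0018, src, 1024 + i, *SERVER, "S"))

if __name__ == "__main__":
    stats, flagged, pending = analyse_syn_flood(SAMPLE_PACKETS)
    for w in sorted(stats):
        print(w, stats[w]["syn"], stats[w]["completed"], len(stats[w]["sources"]))
    print("flagged windows:", flagged, "half-open left:", pending)
```

The number of distinct sources per window is kept because it separates a SYN flood from a single misbehaving client: spoofed floods show hundreds of addresses that never send anything else. The standard host-side mitigation is SYN cookies (on Linux, net.ipv4.tcp_syncookies), which let the server answer SYNs without allocating state until the handshake completes.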

Volumetric DDoS Attacks

Volumetric DDoS attacks also operate at OSI Layers 3 and 4, but their aim is sheer volume: they saturate the target’s bandwidth, measured in bits or packets per second, so that legitimate traffic cannot get through. They are often used to distract from other types of DDoS attack or from a more serious intrusion. Volumetric attacks are launched with botnets and, very often, amplification attacks, in which the attacker sends small requests carrying the victim’s spoofed source address to public UDP services such as DNS, NTP or memcached servers, which then send much larger responses to the victim.
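
What an amplification attack looks like from the victim’s side, as an added example that is not code from the original page: large UDP responses from services the victim never queried. The report compares, per reflector port, the bytes arriving from that source port with the bytes the victim itself sent to it; the flow records, addresses and thresholds are constructed for the example.

```python
"""Spot reflection/amplification traffic in flow records at the victim.

Added example, not code from the original page. In an amplification attack
the victim receives large UDP responses from public servers (DNS, NTP,
memcached and others) that it never queried, because the attacker spoofed
the victim's address on the requests. The report below compares, per
reflector port, the bytes arriving from that source port with the bytes the
victim itself sent to that port; a large unsolicited volume from many
sources is the signature. Flow records are constructed for the example.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto bytes packets")

# UDP services commonly abused as reflectors (seen as the source port at the victim)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 19: "chargen"}


def reflection_report(flows, victim, min_inbound_bytes=1_000_000, max_ratio=20.0):
    """Return (per-port stats, ports flagged as reflection sources).

    For each reflector port: bytes received from it, bytes the victim sent to it
    (its own genuine requests), number of distinct sending hosts and the ratio of
    the two. A port is flagged when a lot arrives and far more comes back than
    the victim ever asked for.
    """
    report = {}
    for port, name in REFLECTOR_PORTS.items():
        inbound = [f for f in flows if f.proto == "udp" and f.dst == victim and f.sport == port]
        outbound = [f for f in flows if f.proto == "udp" and f.src == victim and f.dport == port]
        in_bytes = sum(f.bytes for f in inbound)
        out_bytes = sum(f.bytes for f in outbound)
        report[port] = {
            "service": name,
            "inbound_bytes": in_bytes,
            "solicited_bytes": out_bytes,
            "sources": len({f.src for f in inbound}),
            # apparent amplification: bytes received per byte the victim sent
            "ratio": in_bytes / out_bytes if out_bytes else float("inf"),
        }
    flagged = [port for port, st in report.items()
               if st["inbound_bytes"] >= min_inbound_bytes and st["ratio"] > max_ratio]
    return report, flagged


VICTIM = "203.0.113.10"
# Constructed sample: the victim's own DNS lookups with their replies, some
# ordinary web traffic, and 200 open memcached servers each sending 100
# full-size UDP packets the victim never asked for.
SAMPLE_FLOWS = [
    Flow(VICTIM, 41000, "192.0.2.53", 53, "udp", 80, 1),
    Flow("192.0.2.53", 53, VICTIM, 41000, "udp", 200, 1),
    Flow(VICTIM, 41001, "192.0.2.53", 53, "udp", 80, 1),
    Flow("192.0.2.53", 53, VICTIM, 41001, "udp", 200, 1),
    Flow("192.0.2.77", 50000, VICTIM, 443, "tcp", 30_000, 40),
]
SAMPLE_FLOWS += [Flow(f"198.51.100.{i}", 11211, VICTIM, 80, "udp", 100 * 1400, 100)
                 for i in range(1, 201)]

if __name__ == "__main__":
    report, flagged = reflection_report(SAMPLE_FLOWS, VICTIM)
    for port in flagged:
        st = report[port]
        print(f"{st['service']} (udp/{port}): {st['inbound_bytes']} bytes "
              f"from {st['sources']} hosts, {st['solicited_bytes']} bytes solicited")
```

The victim rarely has a legitimate need to receive unsolicited memcached, chargen or SSDP responses, so the immediate mitigation is to drop UDP from those source ports at the upstream edge; the root cause lies elsewhere, with the exposed reflectors and with networks that do not filter spoofed source addresses.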

DDoS Impact

DDoS attacks can have a huge impact on businesses and organisations. They cause downtime, disrupt services and lead to financial losses, and they can damage an organisation’s reputation, costing it customers and business opportunities. The cost of a DDoS attack can range from thousands to millions of dollars depending on its severity and duration. DDoS mitigation services help organisations detect and block attacks quickly and keep the disruption to their business to a minimum.

DDoS attacks can also have indirect impacts. For example, they can serve as a smokescreen for other malicious activity: while the victim’s IT team is busy dealing with the DDoS attack, the attacker can use the distraction to steal data, deploy malware or mount other attacks.

DDoS case studies

There have been many high profile DDoS attacks over the years. One of the most notable was the 2016 attack on Dyn, a major DNS provider. The attack was launched from the Mirai botnet of compromised IoT devices, and because so many sites depended on Dyn for DNS, it made major websites including Twitter, Reddit and Netflix unreachable for hours.

In 2018 a DDoS attack hit GitHub, the web-based hosting service for software development. It was a memcached amplification attack that peaked at 1.35 terabits per second, at the time the largest DDoS attack ever recorded. GitHub rerouted its traffic through its DDoS protection provider, which scrubbed the attack traffic, and service was restored within about ten minutes. The incident showed both the growing power of amplification attacks and the value of having a mitigation service in place before an attack starts.

Preventing and mitigating DDoS attacks

Preventing and mitigating DDoS attacks is a complex task that requires a multi-layered approach: technical measures such as firewalls, rate limiting and intrusion detection systems, a DDoS protection service able to detect and filter attack traffic before it reaches the target network, and organisational measures such as incident response plans and employee training.

Technical measures detect and block DDoS traffic before it reaches the application. They include rate limiting, IP filtering and deep packet inspection. None of them is foolproof on its own, as attackers continually adapt their traffic to bypass defences, and per-source controls in particular lose their effect when the traffic is spread across thousands of sources.
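
Rate limiting in its simplest form, as an added example that is not code from the original page: a per-client token bucket that keeps serving a normal visitor while throttling a flooding client. The bucket parameters and the two request streams are constructed for the simulation.

```python
"""Per-client token-bucket rate limiting, one of the technical measures above.

Added example, not code from the original page. Each client address gets a
bucket that holds at most `capacity` tokens and refills at `rate` tokens per
second; a request is served only if a token is available. A real visitor's
traffic never drains the bucket, while a flooding client is throttled to
roughly `rate` requests per second after its first `capacity` requests. The
request streams are constructed for the simulation.
"""
from collections import defaultdict


class RateLimiter:
    def __init__(self, capacity=10, rate=5.0):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}  # ip -> [tokens, time of last update]

    def allow(self, ip, now):
        """Return True if the request from ip at time `now` should be served."""
        tokens, last = self.buckets.get(ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)  # refill since last request
        if tokens >= 1:
            self.buckets[ip] = [tokens - 1, now]
            return True
        self.buckets[ip] = [tokens, now]
        return False


def simulate(requests, capacity=10, rate=5.0):
    """Run (t, ip) requests through the limiter in time order; return served and denied counts per ip."""
    limiter = RateLimiter(capacity, rate)
    served = defaultdict(int)
    denied = defaultdict(int)
    for t, ip in sorted(requests):
        if limiter.allow(ip, t):
            served[ip] += 1
        else:
            denied[ip] += 1
    return dict(served), dict(denied)


# Constructed traffic over ten seconds: a visitor at 2 requests/s and a bot at 200 requests/s.
VISITOR, BOT = "198.51.100.20", "203.0.113.7"
SAMPLE_REQUESTS = ([(i * 0.5, VISITOR) for i in range(20)]
                   + [(i * 0.005, BOT) for i in range(2000)])

if __name__ == "__main__":
    served, denied = simulate(SAMPLE_REQUESTS)
    print("served:", served)   # visitor 20, bot about 60
    print("denied:", denied)   # bot about 1940
```

The bot still gets roughly `rate` requests per second through, which is the point of a limiter rather than a block: it caps the damage any single client can do. It also shows the weakness noted above: a botnet that spreads the same load over thousands of addresses stays under every per-client bucket, so per-IP limiting has to be combined with aggregate limits per endpoint and with filtering upstream of the application.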

DDoS protection services

Given the complexity of DDoS mitigation, many organisations use a DDoS mitigation service. These services range from traffic scrubbing, in which traffic is diverted to scrubbing centres that filter out attack traffic and forward the rest to the target network, to cloud based DDoS protection, in which traffic is routed through a globally distributed network of servers with enough capacity to absorb and disperse the attack.

DDoS protection services offer a high level of protection but are not a silver bullet. They should be part of an overall cybersecurity strategy that also includes measures to stop devices from being recruited into botnets in the first place, such as patch management and malware protection.

Incident response planning

Having an incident response plan in place is key to dealing with DDoS attacks. The plan should set out the steps to be taken in the event of an attack, including who to notify (internally and at the ISP or mitigation provider), how to mitigate the attack and how to assess its impact. It should be reviewed, tested and updated regularly so that it stays effective.

Employee training is also part of DDoS mitigation. Staff should be able to recognise the signs of a DDoS attack, such as a site or service suddenly becoming slow or unavailable, or an unexpected surge in traffic from many sources, and know who to alert if they suspect an attack is under way. This ensures a quick and effective response.

DDoS attacks are a real threat in today’s digital world and can cause serious harm to businesses and organisations. Knowing what these attacks are, what they can do and how to prevent and mitigate them is a key part of cybersecurity.

The risk of DDoS attacks cannot be eliminated completely, but a multi-layered approach that combines technical measures, organisational measures and DDoS protection services can reduce both the likelihood and the impact of an attack.

This post has been updated on 15-11-2024 by Sofie Meyer.

Author Sofie Meyer

About the author

Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master’s degree in Danish and a great interest in cybercrime, which resulted in a master’s thesis project on phishing.
