Any organisation or business that is present and accessible on the Internet is a potential target for DDoS attacks. It is therefore important that all businesses, regardless of size, are aware of this type of cyber-attack and take appropriate precautions to protect themselves against it.
How does a DDoS attack work?
DDoS stands for "Distributed Denial of Service". It is a type of denial of service attack in which attackers use malware to take control of many computers at once and direct them to send large amounts of bogus traffic to a website, web server or network, overloading it until it can no longer serve requests. While the attack is in progress, the website, network or server is inaccessible to legitimate traffic.
A website hit by a DDoS attack receives many thousands of requests, often thousands per second, from a large number of sources, typically sustained for minutes or sometimes hours. These requests are automated and come from a potentially huge network of compromised computers.
DDoS attack vs. hacking
A DDoS attack is not the same as other forms of hacking, although the two can be combined: the attackers behind a DDoS attack are not trying to gain access to a website's files or sensitive information. The aim is to force the site offline, or to weaken its defences, through sheer volume of traffic.
In some cases the attack may be followed by attempts to hack the site while it is vulnerable, but in the vast majority of cases the aim is simply to make the site stop working.
Traffic generated by botnet
DDoS attacks have become quite sophisticated and widespread, partly due to the proliferation of vulnerable IoT devices that can be easily exploited in large botnets.
A botnet is a network of potentially millions of computers, smartphones, routers and other internet-connected devices that have been infected with malware allowing them to be remotely controlled, so that they can be used in a coordinated DDoS attack.
The distinction between DoS and DDoS attacks
Denial of service attacks have been around almost since the Internet was first deployed. Initially it was possible for criminals to overload a server or website by sending many repeated requests from a single computer. This is called a DoS attack, or "Denial of Service attack". Today a single source rarely has enough bandwidth to overwhelm a server, and its one IP address is easy to block, so the impact of such attacks is relatively small unless the requests target something that is expensive for the server to process.
"Distributed" in Distributed Denial of Service (DDoS) refers to traffic coming from many places because of the botnet.
The consequences of a DDoS attack
The most immediate and obvious consequence is that the website, server or network is overloaded and becomes inaccessible to the business, customers or users.
This means the business loses all normal traffic while the attack is ongoing, which can damage its reputation among customers, stakeholders and partners. If the website is down for a long time, its Google ranking can also suffer, since neither users nor Google's crawler can reach it.
An overloaded site does not return one particular error. Depending on the setup, visitors may see a "502 Bad Gateway" or "503 Service Unavailable" error from a proxy or load balancer in front of the server, or simply a connection timeout. Any of these, repeated over time, has a negative impact on Google search rankings.
Vulnerability. A DDoS attack can make a company's website more vulnerable to hacking: staff are focused on getting the site back up and running, and security systems such as firewalls and logging may themselves have been overwhelmed or switched off because of the attack.
Attackers can then more easily gain unauthorised access to the website while the DDoS attack is ongoing.
Follow-up attacks do not always come from the same sources as the flood traffic of the DDoS attack: a careful attacker covers their tracks and uses multiple IP addresses to attack the website while hiding their real location.
Server problems. If a website, server or network is the victim of regular attacks, they can lead to problems with the company's hosting provider.
A good hosting provider offers tools to protect a site against DDoS attacks, but if a company or organisation does not have this and is on shared hosting, the attacks can also affect the other sites on the same server.
Financial losses. For some businesses, such as web shops, the financial impact of customers being unable to access the company's website can be significant. In addition, companies sometimes have to spend money to repair their website, server or network.
DDoS attack types
There are several types of DDoS attack, and in recent years a technique called "DNS amplification" has proved particularly popular with criminals. Here, the attacker uses compromised devices to send a large number of small DNS queries to open DNS resolvers, with the source address in each packet forged to be the victim's IP address. The resolvers therefore send their replies to the victim rather than to the sender. The replies are many times larger than the queries, so the attack is "amplified" by the DNS servers, and the victim's connection is flooded.
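To make the size difference concrete, here is an added example (not code from the original article) that builds a minimal DNS query in wire format and a constructed resolver response carrying large TXT records, then computes the amplification factor. The domain name, record contents and sizes are invented for illustration; nothing is sent on the network, and the forged source address that makes a real attack land on the victim is only described in the comments.

```python
import struct

# Constructed example: a DNS query for "example.com" of type ANY (QTYPE 255)
# and a hand-built response with large TXT records. In a real attack the
# query packet carries the victim's IP as its source address, so the resolver
# sends the (much larger) response to the victim. This code only builds the
# packets and measures them; it does not send anything.

def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a DNS query: 12-byte header plus one question, no EDNS."""
    # flags 0x0100 = standard query, recursion desired; 1 question, 0 answers
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    return header + question


def build_txt_response(query: bytes, txt_records: list) -> bytes:
    """Construct a response that echoes the question and appends one TXT
    answer per record, using a name-compression pointer (0xC00C) back to the
    question name as real resolvers do."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    # flags 0x8180 = response, recursion desired, recursion available
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        # TXT RDATA is a sequence of <length><characters> strings of at most 255 bytes
        chunks = (txt[i:i + 255] for i in range(0, len(txt), 255))
        rdata = b"".join(struct.pack("!B", len(c)) + c for c in chunks)
        # pointer to name, TYPE TXT (16), CLASS IN (1), TTL 3600, RDLENGTH
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends. IP and UDP
    headers (28 bytes on each packet) are excluded; they lower the ratio a
    little."""
    return len(response) / len(query)


# Constructed records: an oversized SPF-style string and a 1000-byte blob.
QUERY = build_query("example.com", 255)
RESPONSE = build_txt_response(
    QUERY,
    [b"v=spf1 " + b"ip4:192.0.2.0/24 " * 20, b"x" * 1000],
)

if __name__ == "__main__":
    print(f"query {len(QUERY)} bytes, response {len(RESPONSE)} bytes, "
          f"factor {amplification_factor(QUERY, RESPONSE):.1f}x")
```

A 29-byte query here draws a response of well over a kilobyte. Factors seen in practice vary: many resolvers now answer ANY queries minimally (RFC 8482), apply response rate limiting, and are capped by the EDNS0 buffer size. The checks on the defending side are that your own resolvers are not open to the whole internet and that your network does not let packets with forged source addresses leave it (BCP 38).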
Typical DDoS attacks are:
- Volumetric attacks. Overload the capacity (bandwidth) of the internet connection.
- Protocol attacks. Exhaust the state tables or processing capacity of a firewall, router, load balancer or other network component, for example with a SYN flood.
- Application attacks. Exploit weaknesses in the applications running on a network component, such as a web server, typically with requests that are cheap to send but expensive to process.
What is the purpose of DDoS attacks?
Since a DDoS attack gives the attackers no access to data or files, their motives differ from many other types of cyber attack, although attackers do sometimes demand payment to stop, or not to start, an attack.
DDoS attacks from competitors
In some cases, a company's competitors may use extreme methods to outdo them. A competitor may hire a hacker to carry out a DDoS attack on a company's website knowing that it could affect the company in several ways.
The competitor may run ads using the company name as a keyword while the website is down (even though this is illegal in Denmark), and in this way rank above the company on Google.
DDoS attack due to content
Some sites are subject to DDoS attacks because of the type of content on the website.
For example, a whistleblower portal may be subject to a DDoS attack. It could also be a website that deals with controversial issues such as abortion rights or anti-racism. Attackers who disagree with such messages carry out DDoS attacks to stop others from accessing the websites, for example to get guidance or help.
Some non-profit organisations deal with controversial issues and may suffer financial consequences if they cannot receive donations.
Politically motivated DDoS attacks
Politically motivated DDoS attacks are becoming more common as cyber threats are increasingly used to influence the political process worldwide.
If a website is dedicated to a political party, candidate or organisation, or promotes a particular political cause, it may be vulnerable to cyber attacks from cyber criminals who disagree with the policy.
The attacks do not necessarily come from political opponents. They are just as likely to come from external actors who seek to disrupt political debate, block certain types of content or pressure politicians to resign.
How to avoid being hit by a DDoS attack?
Companies can never completely prevent being targeted by a DDoS attack, since the attack comes from outside. However, some precautions provide protection or reduce the effect of an attack.
A company can prepare for a DDoS attack by, for example, creating an emergency page, hosted somewhere other than the main website so that it does not go down with it, which tells customers how to contact the company.
It is a good idea for businesses to contact their ISP and ask what services they offer if the business is hit by a denial of service attack.
It is also possible to buy an additional separate internet access which can be used if the primary internet access is blocked.
Finally, companies can buy a service from IT security providers that redirects their internet traffic through a so-called "scrubbing" centre with very high bandwidth, which filters out the attack traffic before forwarding the rest.
What can you do if you are hit by a DDoS attack?
Follow a DDoS guidebook
Because of the immediate consequences of a DDoS attack, dealing with one is particularly time-critical. It is very helpful for companies to follow a prepared guidebook that ensures a consistent, approved and effective approach to mitigating the attack and returning to normal operations as quickly as possible. The guidebook can be added to the company's existing incident response plan or attached as an annex to the contingency plan.
Manage the attack early
The sooner a DDoS attack is detected and dealt with, the better the chances of stopping it or minimising its impact. This requires good knowledge of the company's normal traffic, appropriate monitoring, and automatic notifications from the company's own devices or from external providers when traffic patterns change significantly.
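One way to turn "notify when traffic patterns change significantly" into something concrete, as an added example that is not part of the original article: keep a running baseline of requests per second and raise an alert when a second exceeds it by a wide margin. The example also counts distinct source addresses per second, which is what separates a distributed flood from the single-source DoS described earlier. The traffic records, addresses and thresholds are all constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample, not real logs: (second, source_ip) pairs.
#   0-59 s: normal traffic, 20-24 req/s from about 40 regular clients.
#  60-79 s: distributed flood, 600 req/s from 600 distinct (hypothetical) sources.
#  80-89 s: single-source flood, 300 req/s from one address.
def build_sample() -> list:
    records = []
    for t in range(60):
        for i in range(20 + t % 5):
            records.append((t, f"198.51.100.{(t * 7 + i) % 40}"))
    for t in range(60, 80):
        for i in range(600):
            records.append((t, f"10.{i // 256}.0.{i % 256}"))  # hypothetical bot addresses
    for t in range(80, 90):
        for _ in range(300):
            records.append((t, "203.0.113.9"))
    return records


def detect_flood(records, alpha=0.2, k=5.0, warmup=10, min_sources=100):
    """Flag each second whose request count exceeds an EWMA baseline by more
    than k standard deviations. The baseline is updated only with seconds
    that were not flagged, so a sustained flood cannot become the new normal.
    Each alert is (second, requests, distinct_sources, kind)."""
    per_second = Counter(t for t, _ in records)
    sources = defaultdict(set)
    for t, ip in records:
        sources[t].add(ip)

    mean = var = None
    alerts = []
    for t in sorted(per_second):
        x = per_second[t]
        if mean is None:
            mean, var = float(x), 0.0
            continue
        # +1 keeps the band from being zero-width before any variance is seen
        threshold = mean + k * math.sqrt(var) + 1
        if t < warmup or x <= threshold:
            diff = x - mean
            mean += alpha * diff
            var = (1 - alpha) * (var + alpha * diff * diff)
        else:
            n = len(sources[t])
            kind = "distributed" if n >= min_sources else "single-source"
            alerts.append((t, x, n, kind))
    return alerts


if __name__ == "__main__":
    for t, count, n, kind in detect_flood(build_sample()):
        print(f"t={t:3d}s requests={count:4d} sources={n:4d} {kind}")
```

The threshold parameters are starting points, not rules: a site with bursty but legitimate traffic (a newsletter send, a product launch) needs a longer warm-up and a looser k, and an alert should trigger a look at the traffic, not an automatic block. A single-source flood can be dropped at the firewall by address; a distributed one is where the ISP or scrubbing arrangement described below has to be used.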
Contact the ISP or external provider
As a first step, the ISP or external provider may "null route" the traffic, dropping everything addressed to the target before it reaches the server. This protects the provider's network but has the same effect on the victim as the DDoS attack itself, so traffic should instead, or as soon as possible, be routed through a "scrubber", which discards the attack traffic but lets legitimate traffic through.
Contact DDoS security companies
Security firms typically have the large capacity and the experience needed to handle DDoS attacks quickly, and can redirect traffic to their own infrastructure, which can absorb the load. Companies should be aware that this requires an agreement with the security firm in advance. If a company is in dialogue with a security firm about this option, it is advisable to take the recommendations of the Centre for Cyber Security (CFCS) as a starting point.
Contact DDoS specialists and crime prevention authorities
After the attack has stopped and normal operations have been restored, the company should prepare an investigation report. Companies may benefit from the services of an external firm, or from authorities familiar with cyber attacks against companies.
About the author
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.