Everything you need to know about a DDoS attack
Any organisation or business that is present and accessible on the Internet is a potential target for DDoS attacks. It is therefore important that all businesses, regardless of size, are aware of this type of cyber-attack and take the appropriate precautions to protect themselves against them.
DDoS attacks work by using a botnet to overwhelm a target with excessive traffic, disrupting normal service and potentially compromising sensitive information.
Definition and meaning
A Distributed Denial of Service (DDoS) attack is a type of cyberattack that targets a computer system, network, or website by overwhelming it with a flood of malicious traffic from multiple sources. This malicious traffic can originate from compromised devices, such as computers, smartphones, or IoT devices, which are collectively known as a botnet. The primary goal of a DDoS attack is to exhaust the target system’s resources, rendering it unavailable to legitimate users. Unlike other cyberattacks that aim to steal data or gain unauthorized access, a DDoS attack focuses on disrupting the normal functioning of the targeted system, causing significant downtime and potential financial losses.
How does a DDoS attack work?
DDoS stands for “Distributed Denial of Service”. It is a type of denial of service attack where hackers, through malware, control many computers at once and use them to send large amounts of fake traffic to a website, web server or network, causing it to become overloaded and out of service. These attacks aim to disrupt the availability of specific systems, such as websites or applications, to legitimate users by overwhelming the target system with large volumes of requests.
If a website or similar is hit by a DDoS attack, it will receive thousands of requests from multiple sources over a period of minutes or sometimes hours. These requests are automated and come from a potentially huge network of computers.
DDoS attack vs. hacking
A DDoS attack is not the same as other forms of hacking, although the two can be used together. The hackers behind DDoS attacks are not trying to gain access to a website’s files or sensitive information; instead, the aim is to cause it to shut down or become vulnerable due to the volume of traffic.
In some cases the attack may be followed by attempts to hack the site while it is vulnerable, but in the vast majority of cases the aim is simply to make the site stop working.
Traffic generated by botnet
DDoS attacks have become quite sophisticated and widespread, partly due to the proliferation of vulnerable IoT devices that can be easily exploited in large botnets.
A botnet is a network of potentially millions of computers, smartphones, routers and other internet-connected devices that contain applications or malware that allow the devices to be remotely controlled so that they can be used in a coordinated DDoS attack.
The distinction between DoS and DDoS attacks
Denial of service attacks have been around almost since the Internet was first deployed. Initially, it was possible for IT criminals to overload a server or website by sending many repeated requests from just one computer. This is called a DoS attack or “Denial of Service attack”. The overall impact of such attacks is relatively small and rarely challenges the capacity of servers or websites today.
“Distributed” in Distributed Denial of Service (DDoS) refers to traffic coming from many places because of the botnet.
The consequences of a DDoS attack
The most immediate and obvious consequence is that the website, server or network is overloaded and becomes inaccessible to the business, customers or users.
This means that all normal traffic is unavailable to the business while the attack is ongoing. This can affect the company’s reputation among customers, stakeholders or other companies. And if the website is down for a long time, it can affect its ranking in Google, as no one is coming to the website.
If the website is unavailable due to a denial of service, it will return a “502 bad gateway error” if you try to access it, which will have a negative impact on Google search rankings.
Vulnerability: A DDoS attack can make a company’s website more vulnerable to hacking, as all systems are focused on getting the site back up and running, and security systems may have been put out of action due to the attack.
Hackers can then more easily gain unauthorised access to the website while the DDoS attack is ongoing.
Follow-up attacks do not always come from the same source as the fake traffic that created the DDoS attack: an intelligent hacker knows how to cover his tracks and uses multiple IP addresses to attack the website while hiding his real location.
Server problems: If a website, server or network is the victim of regular attacks, they can lead to problems with the company’s hosting provider.
A good hosting provider will offer tools to secure a site against DDoS attacks, but if a company or organisation does not have this and also shares hosting, the attacks can affect other sites on the same server. Therefore, implementing comprehensive DDoS attack protection, including managed protection services, web application firewalls, and monitoring tools, is crucial to safeguard networks against Distributed Denial of Service attacks.
Financial losses: For some businesses, such as web shops, the financial impact of customers being unable to access the company’s website can be significant. In addition, companies sometimes have to spend money to repair their website, server or network.
DDoS attack types
There are several types of DDoS attacks, and in recent years a DDoS technique called “DNS Amplification” has proved particularly popular with IT criminals. Here, a cybercriminal uses compromised devices to send fake queries to a number of DNS servers, which send their responses to the victim’s IP address. The responses are generally many times larger than the queries, so the attack is “amplified” via the DNS servers. The victim’s system is overloaded and shuts down.
Typical DDoS attacks are:
- Volume attacks: Overload the capacity (bandwidth) of the Internet connection.
- Protocol attacks: Overload the capacity of a firewall, router or other network component.
- Application attacks: Exploit weaknesses in the applications/systems of a network component, such as a web server. These include application layer attacks that target the top layer in the OSI model, disrupting web application packets and hindering data transmission between hosts. Application layer attacks, occurring at Layer 6 and 7, can flood a login page with HTTP requests or exploit expensive API calls, rendering critical components unavailable to genuine users.
What is the purpose of DDoS attacks?
Since the hackers do not want access to data or files, or to extort money from their victims, their motivations behind DDoS attacks are different from those behind many other types of cyber attacks.
DDoS attacks from competitors
In some cases, a company's competitors may use extreme methods to outdo them. A competitor may hire a hacker to carry out a DDoS attack on a company's website knowing that it could affect the company in several ways.
The competitor may run ads using the company name as a keyword during the time the website is down (even though this is illegal in Denmark). In this way, they may rank higher than the company on Google.
DDoS attack due to content
Some sites are subject to DDoS attacks because of the type of content on the website.
For example, a whistleblower portal may be subject to a DDoS attack. It could also be a website that deals with controversial issues such as abortion rights or anti-racism. Cyber criminals who disagree with such messages therefore carry out DDoS attacks to stop others from accessing the websites, for example to get guidance or help.
Some non-profit organisations deal with controversial issues and may suffer financial consequences if they cannot receive donations.
Politically motivated DDoS attacks
Cybercriminals are increasingly using politically motivated DDoS attacks to disrupt and influence political processes on a global scale.
If a website is dedicated to a political party, candidate or organisation, or promotes a particular political cause, it may be vulnerable to cyber attacks from cyber criminals who disagree with the policy.
The attacks do not necessarily come from political opponents. They are more likely to come from external sources that seek to disrupt political debate, block certain types of content or pressure politicians to resign.
How to mitigate DDoS attacks?
Companies can never completely avoid or prevent being hit by a DDoS attack, as it is an external attack. However, there are some precautions that can provide protection or mitigate DDoS attacks.
DDoS attack prevention should be approached comprehensively, including both on-premises and cloud-based solutions. Effective management of DDoS threats involves rapid detection and response, along with proactive measures to minimize disruption and costs associated with various types of DDoS attacks.
A company can prepare for a DDoS attack by, for example, creating an emergency page for their website that tells their customers how to contact the company.
It is a good idea for businesses to contact their ISP and ask what services they offer if the business is hit by a denial of service attack.
It is also possible to buy an additional separate internet access which can be used if the primary internet access is blocked.
Finally, companies can buy a service from IT security providers that redirects their internet traffic to a so-called “scrubbing” centre that has a very high bandwidth.
What can you do if you are hit by a DDoS attack?
Follow a DDoS guidebook
Because of the immediate consequences of a DDoS attack, dealing with a DDoS attack can be particularly time-critical. After an attack, it is very helpful for companies to follow a roadmap that ensures a consistent, approved and effective approach to mitigating the attack and getting back to normal operations as quickly as possible. The roadmap can be added to the company's existing incident response plan or as an annex to the contingency plan.
Manage the attack early
The sooner a DDoS attack is detected and dealt with, the better the chances of stopping it or minimising its impact. This requires good knowledge of the company's data traffic, appropriate monitoring, and automatic notifications from the company's own devices or external providers if traffic patterns change significantly.
Contact the ISP or external provider
ISPs or external providers may, as a first step after an attack, "null route" data traffic, stopping traffic before it reaches the intended server. However, this may have the same effect as a DDoS attack, and traffic should instead, or as soon as possible, be routed through a "scrubber", which rejects the fake traffic from the DDoS attack but allows legitimate traffic.
Security firms typically have a large capacity and experience to handle DDoS attacks quickly and can redirect traffic to their own servers that can handle the load. As a company, you should be aware that this requires an agreement in advance with the security company. If a company is in dialogue with a security company about this option, it is advisable to take the recommendations of the Centre for Cyber Security (CFCS) as a starting point.
Contact DDoS specialists and crime prevention authorities
After the attack has stopped and normal operations have been restored, it is recommended that the company prepares an investigation report. Companies may benefit from the services of an external firm or from authorities familiar with cyber attacks against companies.
Best practices for DDoS protection
To mitigate DDoS attacks, it’s essential to implement a combination of security measures and best practices. Here are some of the most effective ways to protect against DDoS attacks:
- Implement a web application firewall (WAF): A WAF can help detect and block malicious traffic, including DDoS attacks, by analyzing HTTP requests and identifying suspicious patterns. This adds an extra layer of security by filtering out harmful traffic before it reaches your server.
- Use a content delivery network (CDN): A CDN can help distribute traffic across multiple servers, making it more difficult for attackers to target a single system. By spreading the load, a CDN can absorb and mitigate the impact of a DDoS attack, ensuring that legitimate traffic can still access your site.
- Enable rate limiting: Rate limiting can help prevent DDoS attacks by limiting the number of requests from a single IP address. This can stop attackers from overwhelming your system with excessive requests, protecting your resources and maintaining service availability.
- Implement IP blocking: IP blocking can help prevent DDoS attacks by blocking traffic from known malicious IP addresses. By maintaining a blacklist of harmful IPs, you can proactively prevent attack traffic from reaching your network.
- Use a DDoS protection service: A DDoS protection service can help detect and block DDoS attacks in real-time, using advanced algorithms and machine learning techniques. These services are designed to identify and mitigate attacks quickly, ensuring minimal disruption to your operations.
- Regularly update and patch software: Regularly updating and patching software can help prevent DDoS attacks by fixing security vulnerabilities that can be exploited by attackers. Keeping your systems up-to-date ensures that you are protected against the latest threats.
- Monitor network traffic: Monitoring network traffic can help detect DDoS attacks early, allowing for swift action to be taken to mitigate the attack. By setting up alerts for unusual traffic patterns, you can respond quickly to potential threats.
- Implement an incident response plan: Having an incident response plan in place can help ensure that DDoS attacks are responded to quickly and effectively, minimizing downtime and damage. This plan should outline the steps to take during an attack, including communication strategies and recovery procedures.
By implementing these best practices, organizations can significantly reduce the risk of DDoS attacks and ensure the availability and security of their online services.
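The traffic monitoring and per-IP rate limiting described above can be combined in one check. The following Python script is an added example, not part of the original article: it reads web server access-log lines, alerts on minutes whose request volume jumps well above the usual level, and reports how much of that traffic a per-IP rate limit would have rejected. The Common Log Format input, the threshold values and the sample log lines (built from documentation IP ranges) are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Source IP and timestamp (to the minute) of a Common Log Format line.
CLF = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d):\d\d ')

def per_minute(lines):
    """Return {minute: Counter({source_ip: requests})}; unparseable lines are skipped."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line)
        if m:
            minute = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M")
            buckets[minute][m.group(1)] += 1
    return buckets

def detect(lines, spike_factor=5, per_ip_limit=60):
    """Alert on minutes with >= spike_factor x the median volume (both thresholds are assumptions)."""
    buckets = per_minute(lines)
    if not buckets:
        return []
    totals = {minute: sum(c.values()) for minute, c in buckets.items()}
    baseline = median(totals.values())
    alerts = []
    for minute in sorted(totals):
        if totals[minute] < spike_factor * baseline:
            continue
        counts = buckets[minute]
        # Requests a per-IP rate limit would have rejected in this minute.
        dropped = sum(n - per_ip_limit for n in counts.values() if n > per_ip_limit)
        kind = "single-source" if dropped >= totals[minute] / 2 else "distributed"
        alerts.append({"minute": minute, "total": totals[minute], "sources": len(counts),
                       "dropped_by_per_ip_limit": dropped, "kind": kind})
    return alerts

def sample_lines():
    """Constructed log: ten normal minutes, a one-host flood (10:03), a many-host flood (10:07)."""
    def line(ip, minute, sec):
        return f'{ip} - - [05/Feb/2025:10:{minute:02d}:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [line(f"198.51.100.{i}", m, i) for m in range(10) for i in range(20)]
    lines += [line("203.0.113.7", 3, s % 60) for s in range(600)]
    lines += [line(f"192.0.2.{i % 200}", 7, i % 60) for i in range(600)]
    return lines

if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

A "distributed" alert marks the case where per-IP limits and IP blocking reject little of the traffic, which is when filtering by the ISP or a scrubbing service is needed.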
This post has been updated on 05-02-2025 by Sarah Krarup.
