How does someone do a DDoS attack?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks are effective because the traffic comes from many compromised systems at once, so there is no single source to block. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up the highway, preventing regular traffic from arriving at its desired destination.

Common Features of DDoS Attacks

  • Overwhelms the target with traffic from multiple sources
  • Exploits vulnerabilities in networked devices
  • Renders the target inaccessible to legitimate users
  • Can lead to loss of revenue and reputation damage

DDoS attacks have been growing in frequency, size and complexity over the years. Some major developments enabling this trend include:

  • Proliferation of insecure IoT devices
  • Availability of DDoS-for-hire services
  • Increasingly sophisticated DDoS botnets
  • Wide-spread use of amplification techniques

With the growing digitization of everyday life, DDoS attacks are an ever-present threat. A sufficiently large DDoS attack against critical infrastructure can disrupt services that large numbers of people depend on. Thus, cybersecurity experts take the prevention, detection and mitigation of DDoS attacks very seriously.

Launching a DDoS Attack

To launch a successful DDoS attack that can take down a website or online service, an attacker needs:

  1. A large number of hijacked devices to generate high volumes of traffic
  2. A way to control/direct the hijacked devices
  3. Malicious traffic that can overwhelm the target’s network capacity
  4. Often, technical skills to identify network vulnerabilities

While technical knowledge helps, even novice attackers can launch harmful DDoS attacks using easy-to-access DDoS-for-hire services. DDoS attacks are commonly divided into three categories based on the layer of the network stack they target:

Volumetric Attacks

In a volumetric DDoS attack, the attacker simply floods the target's network links with more traffic than they can carry. This is akin to attempting to clog a pipe by pouring large amounts of debris down it. Volumetric attacks typically rely on:

  • Spoofed UDP/ICMP floods
  • NTP/SSDP/DNS amplification, where small requests with a spoofed source elicit much larger responses that the reflectors send to the victim
  • Large botnets sending traffic directly or through reflectors

Large volumetric attacks routinely reach hundreds of Gbps, and the largest publicly reported ones have exceeded 1 Tbps. The goal is to push traffic volume high enough that the target becomes unreachable due to bandwidth saturation.

Protocol Attacks

In a protocol DDoS attack, weaknesses in network protocols and in the stateful devices that implement them (servers, firewalls, load balancers) are exploited to exhaust connection tables and processing capacity rather than raw bandwidth. For example, a protocol attack might use:

  • TCP SYN Flood – fills the server's half-open connection backlog with SYNs (often from spoofed sources) whose handshakes are never completed
  • ACK Flood – sends ACK packets that belong to no established connection, forcing firewalls and servers to look up and discard each one
  • SSL/TLS Renegotiation – repeatedly renegotiates a TLS session so the server keeps redoing the expensive handshake computation

These attacks don't require the massive traffic volume of a volumetric DDoS. Instead, they turn intrinsic weaknesses in protocols and their implementations against the target.
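The SYN flood entry above is easiest to understand by modelling both sides of it. The following is an added example written for this page, not code from the original article or from any of the tools it names: a classic listener that allocates a half-open entry per SYN, beside a stateless SYN-cookie listener. The cookie construction is a simplified model of the real technique (RFC 4987): it assumes an 8-bit time counter and a 24-bit HMAC-SHA256 tag packed into the initial sequence number, which is a simplification of what real kernels do, and the addresses and port numbers are constructed for the simulation.

```python
"""Added example (not from the original article): a SYN flood against a
classic listener that allocates a half-open entry per SYN, beside a stateless
SYN-cookie listener. The cookie layout (8-bit clock | 24-bit MAC) is an
assumption that simplifies the real construction: the ISN carries a coarse
time counter plus a keyed MAC of the connection 4-tuple, so nothing is stored
until the client's ACK proves it received the SYN-ACK."""
import hashlib
import hmac
import os


class BacklogServer:
    """Classic listener: each SYN takes a backlog slot until the handshake completes."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = set()

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            return False                      # backlog full: SYN dropped
        self.half_open.add((src_ip, src_port))
        return True

    def on_ack(self, src_ip, src_port):
        try:
            self.half_open.remove((src_ip, src_port))
            return True
        except KeyError:
            return False


class SynCookieServer:
    """Stateless listener: the ISN itself is the proof, no memory per SYN."""

    MAC_BITS = 24

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)  # rotated periodically in real stacks
        self.clock = 0                          # coarse counter (e.g. minutes)

    def tick(self):
        self.clock += 1

    def _mac(self, src_ip, src_port, dst_port, t):
        msg = f"{src_ip}:{src_port}:{dst_port}:{t}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")

    def on_syn(self, src_ip, src_port, dst_port=80):
        """Return the ISN to send in the SYN-ACK: 8-bit clock | 24-bit MAC."""
        t = self.clock & 0xFF
        return (t << self.MAC_BITS) | self._mac(src_ip, src_port, dst_port, t)

    def on_ack(self, src_ip, src_port, ack_num, dst_port=80):
        """The client acknowledges ISN+1; recover the cookie and recompute the MAC."""
        cookie = (ack_num - 1) & 0xFFFFFFFF
        t = cookie >> self.MAC_BITS
        if (self.clock - t) & 0xFF > 1:     # cookie too old (or clock byte forged)
            return False
        expected = self._mac(src_ip, src_port, dst_port, t).to_bytes(3, "big")
        return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected)


def simulate(flood_syns=1000):
    """Spoofed SYNs that are never acknowledged, then one legitimate client.
    Returns (legit accepted by classic server, legit accepted by cookie server,
    forged ACK accepted by cookie server)."""
    classic = BacklogServer()
    for i in range(flood_syns):
        classic.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i)   # spoofed source, no ACK ever
    legit_classic = classic.on_syn("198.51.100.7", 40000)      # dropped: backlog is full

    cookies = SynCookieServer()
    for i in range(flood_syns):
        cookies.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i)   # costs one HMAC, no state
    isn = cookies.on_syn("198.51.100.7", 40000)
    legit_cookie = cookies.on_ack("198.51.100.7", 40000, isn + 1)
    forged = cookies.on_ack("198.51.100.7", 40000, 0x12345678)  # guessed ack number
    return legit_classic, legit_cookie, forged


if __name__ == "__main__":
    print(simulate())
```

The point to take from the simulation is that the classic listener fails closed for everyone once 128 spoofed SYNs are in flight, while the cookie listener spends one MAC per SYN and keeps accepting real clients; the price is that TCP options carried in the original SYN are lost, which is why real stacks only switch cookies on when the backlog overflows.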

Application Layer Attacks

Application layer attacks target the web server and application itself and need comparatively little traffic, because each request costs the server far more work than it costs the attacker to send. Examples include:

  • HTTP Flood – inundates web servers with well-formed HTTP GET or POST requests that are hard to distinguish from legitimate ones
  • Low and Slow Attack – sends partial HTTP requests at a slow rate (Slowloris) to hold connections open and monopolize server resources
  • HashDoS Attack – sends a request whose parameter names are chosen to collide in the server's hash table, turning a routine parse into quadratic-time work

These attacks make normal operation impossible by exhausting server resources via carefully crafted malicious requests.
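The HashDoS entry above deserves a concrete illustration, because it is the clearest case of "carefully crafted requests" doing disproportionate damage. The following is an added example written for this page, not code from the original article or from any web framework: a form parser backed by a chained hash table using DJBX33A (the predictable string hash several frameworks used before 2011), a request body constructed so that every parameter name has the same hash, and the same parser with a keyed hash instead. The hash table, the comparison counter and the request body are all constructed for the example.

```python
"""Added example (not from the original article): a hash-collision (HashDoS)
request against a parser with a predictable hash, and the keyed-hash fix.
DJBX33A and the toy chained table are stand-ins for the real framework code."""
import hashlib
import os


def djbx33a(s: str) -> int:
    """DJBX33A: h = h*33 + c. Predictable, so collisions can be precomputed offline."""
    h = 5381
    for ch in s:
        h = (h * 33 + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(s: str, key: bytes) -> int:
    """Keyed BLAKE2b: collisions cannot be precomputed without the secret key."""
    return int.from_bytes(hashlib.blake2b(s.encode(), key=key, digest_size=8).digest(), "big")


class ChainedTable:
    """Minimal chained hash table that counts key comparisons as a proxy for CPU time."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def colliding_keys(n_blocks):
    """'Ez' and 'FY' hash identically under DJBX33A (69*33+122 == 70*33+89).
    Because the hash is affine in each character, every concatenation of these
    two blocks collides too, giving 2**n_blocks distinct keys with one hash."""
    keys = [""]
    for _ in range(n_blocks):
        keys = [k + blk for k in keys for blk in ("Ez", "FY")]
    return keys


def parse_form(body: str, table: ChainedTable) -> int:
    """Parse an application/x-www-form-urlencoded body; return comparisons spent."""
    for pair in body.split("&"):
        k, _, v = pair.partition("=")
        table.insert(k, v)
    return table.comparisons


def demo(n_blocks=10):
    """Returns (number of keys, distinct DJBX33A hashes, work with weak hash, work with keyed hash)."""
    keys = colliding_keys(n_blocks)                     # 1024 keys, one hash value
    distinct = len({djbx33a(k) for k in keys})
    body = "&".join(f"{k}=1" for k in keys)            # constructed malicious POST body
    work_weak = parse_form(body, ChainedTable(djbx33a))
    key = os.urandom(16)                                # per-process secret, as hardened runtimes do
    work_keyed = parse_form(body, ChainedTable(lambda s: keyed_hash(s, key)))
    return len(keys), distinct, work_weak, work_keyed


if __name__ == "__main__":
    print(demo())
```

With 1024 colliding names the weak table does n(n-1)/2 = 523,776 comparisons for a body of about 20 KB, and doubling the body quadruples the work; the keyed table does a few hundred. Randomizing the hash seed is the fix most runtimes shipped; capping the number of parameters per request is the defense-in-depth a web server can add on its own.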

Building a DDoS Botnet

To achieve the high traffic volume required for large volumetric DDoS attacks, attackers build and control vast networks of hijacked devices known as botnets. Let’s examine the key steps involved:

Identifying Vulnerable Devices

DDoS botnets are built by identifying vulnerable, often poorly secured IoT and computing devices. Common targets include:

  • Routers, modems and other consumer network hardware
  • Surveillance cameras, digital video recorders
  • Printers, smart TVs, wearables
  • Servers running outdated software with known exploits
  • Computers infected with malware/viruses

Attackers scan the whole Internet for easily exploitable devices with fast port scanners, then try known exploits and default credentials against what they find. Default login credentials that were never changed are a prime target.

Compromising and Control

Once susceptible devices are discovered, they are compromised using exploits or default credentials. Malware known as a bot binary is then installed to enable command and control (C&C) by the attacker through a C&C server. This transforms the devices into bots which can be remotely directed. Communication between the C&C server and bots can be encrypted or disguised as normal traffic.

Growth and Maintenance

Successful botnets can scale rapidly because each bot scans for and infects further devices, including those on its local network. Operators push updates to the bot code to evade detection and add attack capabilities. Botnets with over 100,000 bots capable of 1 Tbps+ attacks have been observed in the wild.

DDoS Attack Tools

There are many tools freely available that even unskilled individuals can use to launch DDoS attacks, though typically limited in scale. Let’s look at some examples:

Low Orbit Ion Cannon (LOIC)

LOIC is a popular entry-level open source tool for volumetric flooding (TCP, UDP and HTTP). Its "Hive Mind" mode lets an operator direct many LOIC instances from an IRC channel. LOIC does not spoof addresses: every instance sends from its host's real IP address, so participants are easily traceable.

HOIC – High Orbit Ion Cannon

HOIC improved upon LOIC as an open source network stress tool. It coordinates HTTP floods from a simple control panel and supports "booster" scripts that randomize request headers to evade simple signature-based filtering. It does not hide the source IP: traffic is still generated from the user's system.

Metasploit

The Metasploit penetration testing framework includes auxiliary denial-of-service modules, such as a TCP SYN flooder. While intended for authorized security testing, they can be misused.

DDoSIM – DDoS Simulator

DDoSIM is an open source tool for simulating a DDoS attack against a test target in a controlled environment. It simulates many zombie hosts with random source addresses that open full TCP connections and then send application-layer requests (valid or malformed HTTP, SMTP), or simply flood a random TCP port.

BoNeSi – DDoS Botnet Simulator

BoNeSi generates ICMP, UDP and TCP (HTTP) floods from a configurable list of spoofed source addresses so that a single machine can imitate a botnet in a closed lab. It is meant for testing whether detection and mitigation mechanisms hold up; for TCP-based attacks it must run where it can see the target's replies to the spoofed addresses.

These tools highlight how basic DDoS capabilities are readily accessible. However, they offer limited attack scale and little anonymity. The most powerful attacks require many compromised devices and the obfuscation that advanced botnet malware provides.

DDoS-for-Hire Services

Accessing DDoS as a paid service is an alternative to building botnets that lowers barriers for less tech savvy attackers. Some examples of DDoS booter/stresser sites include:

  • Ragebooter
  • DownThem
  • Booter.xyz
  • StressThem
  • Nightmare Market

For nominal fees, these services promise to overwhelm targets with massive traffic floods. Payment is made via cryptocurrency, prepaid card or PayPal. While marketed as “IP stress testing” services, the reality is they enable attacks as a convenience service. However, legal crackdowns have hampered many providers.

Sophisticated cybercriminals can also access DDoS-for-hire from dark web groups and compromised botnet rental services. For example, an underground DDoS service called Cubed was exposed in 2020 after amassing over 50,000 bots capable of 170 Gbps attacks. Customers paid up to $60 per month for DDoS capabilities, often to extort businesses.

DDoS Attack Defense Strategies

Now that we’ve surveyed common DDoS attack types and methods, let’s examine some key defensive strategies and best practices organizations should employ:

Network Engineering

Mitigating DDoS begins with proper network design engineering:

  • Over-provision bandwidth so that far more traffic is needed to saturate links
  • Use intelligent load balancing across data centers
  • Route traffic through upstream providers that deploy anti-DDoS scrubbing filters
  • Rate-limit traffic at the network edge to detect and restrict floods
  • Remove unused network services and close unused ports

Monitoring and Detection

Monitoring network traffic and system logs allows early attack detection:

  • Set bandwidth usage thresholds that trigger alerts
  • Graph network traffic over time to reveal abnormal spikes
  • Detect attack signatures based on unusual traffic patterns
  • Analyze log data in real time to identify bottlenecks
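The thresholds and pattern detection in the list above can be run over ordinary web-server access logs. The following is an added example written for this page, not code from the original article or from any monitoring product: it parses Common Log Format lines and raises two kinds of alert, one when a single source exceeds a request rate within a sliding window (an HTTP flood from few sources) and one when aggregate requests per second exceed a multiple of the baseline (a distributed flood where no single source stands out). The log lines and the threshold values are constructed for the example and are not recommended settings.

```python
"""Added example (not from the original article): threshold-based flood
detection over access-log lines. Log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 198.51.100.7 - - [10/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "size": 0 if m["size"] == "-" else int(m["size"])}


class FloodDetector:
    """Per-source sliding-window rate plus aggregate requests-per-second spike."""

    def __init__(self, window=timedelta(seconds=10), per_ip_limit=100,
                 baseline_rps=5, spike_factor=10):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.spike_rps = baseline_rps * spike_factor   # baseline would come from history
        self.per_ip = defaultdict(deque)               # ip -> timestamps inside window
        self.per_second = defaultdict(int)             # second bucket -> request count
        self.alerts = []
        self._fired = set()                            # alert once per source / second

    def feed(self, ev):
        q = self.per_ip[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:     # expire old timestamps
            q.popleft()
        if len(q) > self.per_ip_limit and ("ip", ev["ip"]) not in self._fired:
            self._fired.add(("ip", ev["ip"]))
            self.alerts.append(
                f"source {ev['ip']}: {len(q)} requests in {self.window.seconds}s")
        sec = ev["ts"].replace(microsecond=0)
        self.per_second[sec] += 1
        if self.per_second[sec] > self.spike_rps and ("sec", sec) not in self._fired:
            self._fired.add(("sec", sec))
            self.alerts.append(
                f"aggregate spike: {self.per_second[sec]} req/s at {sec.isoformat()}")


def constructed_log():
    """Constructed sample: light legitimate traffic, a single-source HTTP flood
    (150 requests in 3 s), then a distributed flood (120 sources, one request
    each, inside one second)."""
    t0 = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, path="/", size=512):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 {size}'

    lines = [fmt(f"198.51.100.{i % 3 + 1}", t0 + timedelta(seconds=2 * i)) for i in range(15)]
    lines += [fmt("203.0.113.9", t0 + timedelta(seconds=40, milliseconds=20 * i), "/search?q=x")
              for i in range(150)]
    lines += [fmt(f"192.0.2.{i}", t0 + timedelta(seconds=60, milliseconds=8 * i))
              for i in range(120)]
    return lines


def run(lines):
    """Feed lines in time order; return the alerts raised."""
    det = FloodDetector()
    for line in lines:
        ev = parse_line(line)
        if ev:
            det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for a in run(constructed_log()):
        print(a)
```

Two signals are used deliberately: a per-source limit catches the unsophisticated flood but is blind to a botnet sending one request per bot, while the aggregate threshold catches the distributed case but says nothing about whom to block. In production the baseline comes from historical traffic rather than a constant, and the alert feeds a rate limiter or scrubbing service rather than a list.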

Artificial intelligence and machine learning can automate aspects of monitoring and detection for improved results over relying solely on human analysis.

Mitigation Services

Specialized DDoS mitigation providers can divert traffic to scrubbing centers and filter out attack traffic while allowing legitimate access:

Mitigation Method       Example Providers
Cloud scrubbing         Cloudflare, Akamai, Radware
On-premise scrubbers    Arbor Networks, Fortinet

These services work by analyzing traffic and dropping what matches attack signatures or exceeds rate limits, but costs can be high.

Best Practices

Additional best practices for managing DDoS risk include:

  • Maintain an incident response plan for DDoS attacks
  • Purchase excess bandwidth from ISPs
  • Scan external-facing systems for vulnerabilities
  • Enable firewall filtering of bogon IP ranges and of packets whose source address cannot be legitimate
  • Educate staff on DDoS threats
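Bogon filtering is one half of source-address validation; the other half is not letting your own hosts emit spoofed packets (BCP38), which is what keeps them out of the spoofed and reflected floods described earlier. The following is an added example written for this page, not code from the original article or from any firewall vendor: the two checks an edge filter applies, in Python using the standard ipaddress module. The bogon list holds well-known special-use prefixes; the owned-prefix list and the packets are constructed, and the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for real allocated address space, so they are deliberately left out of the bogon list here.

```python
"""Added example (not from the original article): ingress bogon/spoof filtering
and egress BCP38 source validation. Prefix lists and packets are constructed."""
import ipaddress

# Special-use prefixes that should never be a source on the public Internet
# (RFC 1918, RFC 6890, RFC 4193 and friends). 198.51.100.0/24 and 203.0.113.0/24
# are omitted on purpose: they stand in for real allocations in the sample below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8")]


def in_any(addr, nets):
    """True if addr falls in any network; v4/v6 mismatches simply don't match."""
    return any(addr in n for n in nets)


def ingress_verdict(src, our_prefixes):
    """Packet arriving from the upstream/Internet side."""
    addr = ipaddress.ip_address(src)
    if in_any(addr, BOGONS):
        return "drop: bogon source"
    if in_any(addr, our_prefixes):
        return "drop: spoofed, claims to be from inside our network"
    return "accept"


def egress_verdict(src, our_prefixes):
    """Packet leaving our network (BCP38): only sources we own may go out,
    so an infected host here cannot join a spoofed or reflected flood."""
    addr = ipaddress.ip_address(src)
    if not in_any(addr, our_prefixes):
        return "drop: source address not ours (BCP38)"
    return "accept"


def filter_packets(packets, our_prefixes):
    """Apply the direction-appropriate check; return (direction, src, verdict) triples."""
    nets = [ipaddress.ip_network(p) for p in our_prefixes]
    out = []
    for p in packets:
        verdict = (ingress_verdict(p["src"], nets) if p["dir"] == "in"
                   else egress_verdict(p["src"], nets))
        out.append((p["dir"], p["src"], verdict))
    return out


# Constructed packets: only the source address and direction matter here.
SAMPLE_PACKETS = [
    {"dir": "in",  "src": "198.51.100.42"},  # ordinary remote client
    {"dir": "in",  "src": "10.0.0.5"},       # RFC 1918 source arriving from the Internet
    {"dir": "in",  "src": "203.0.113.7"},    # our own address arriving from outside
    {"dir": "in",  "src": "fe80::1"},        # link-local IPv6 on a transit link
    {"dir": "out", "src": "203.0.113.7"},    # our host, legitimate
    {"dir": "out", "src": "192.0.2.99"},     # infected host spoofing a victim's address
]
OUR_PREFIXES = ["203.0.113.0/24", "2001:db8::/32"]  # assumed allocations for the example

if __name__ == "__main__":
    for direction, src, verdict in filter_packets(SAMPLE_PACKETS, OUR_PREFIXES):
        print(f"{direction:3} {src:16} {verdict}")
```

The egress check is the one most organizations skip, yet it is the control that actually shrinks the spoofing capacity attackers depend on for reflection; on real routers it is expressed as an ACL or unicast reverse-path forwarding (uRPF) rather than Python, but the decision is the same.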

A capable DDoS defense strategy combines technological safeguards with knowledgeable staff and tested plans.

The Future of DDoS Threats

DDoS attacks continue to grow in power and sophistication. Some emerging trends to be aware of include:

  • Increase of ransom-driven DDoS extortion attempts
  • Diversification from volumetric attacks to other vectors
  • More exploitation of exposed services such as Memcached for amplification attacks
  • Coordinated DDoS attacks as cover for data thefts and system infiltration

As long as attackers are financially motivated and insecure IoT devices proliferate, DDoS represents an ever-present threat. Organizations must invest in layered defenses and staff education to manage risks.

Conclusion

DDoS attacks intend to make online services unusable by flooding infrastructure with malicious traffic. Attackers have an array of tools to compromise vulnerable devices into botnets capable of delivering devastating attacks. Volumetric attacks using DDoS amplification techniques pose the largest threats today. While DDoS motives vary from protest to extortion, the end result is availability and revenue loss for the target organization. Investing in robust engineering, monitoring, detection and mitigation capabilities is key to reducing DDoS risk. But no single solution will fully prevent attacks. The threat landscape continues to evolve as attackers invent new techniques and expand botnet capabilities. Maintaining strong network security hygiene and vigilance is critical for surviving in the era of increasingly extreme DDoS.