Is a DDoS illegal?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by using multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

What is a DDoS Attack?

A DDoS attack is initiated by an attacker who provides instructions to launch a DDoS attack on a specific target. The attacker begins by exploiting vulnerabilities on one computer system and making it the DDoS “master.” From there, the attack master identifies and infects other vulnerable systems with malware to form a network or botnet of infected zombie machines to carry out the attack.

In a DDoS scenario, the attack master sends instructions to the botnet and all infected systems simultaneously flood the target with data packets from random source IP addresses. The goal is to overwhelm the target’s resources so that legitimate requests cannot get through or the entire system crashes. This results in a denial-of-service to legitimate users. The impact can include:

  • Unavailability of a website
  • Inability to access any online services
  • Dramatic slowdown of network performance

A DDoS attack is similar to crowding the entry of a shop with tons of people so legitimate customers cannot enter. The scale and speed of a DDoS attack can cripple websites and networks in an instant.

Common DDoS Attack Vectors

There are several main types of DDoS attacks:

  • Volume-based attacks – This type of DDoS aims to saturate the bandwidth of the target. Attackers send a huge volume of traffic to the target to consume all available bandwidth. This results in a dramatic slowdown or complete outage of the target’s network connection.
  • Protocol attacks – These attacks target and abuse weaknesses in the protocols that construct network connections. The goal is to overwhelm network infrastructure like routers, firewalls and load balancers. Examples are SYN floods, UDP floods and ACK floods, which exploit weaknesses in the TCP/IP protocol suite.
  • Application layer attacks – These directly target apps, servers and databases. Attackers send a flood of requests to web applications and APIs to crash them or slow them down significantly. Common examples are HTTP floods and GET/POST floods.

Attackers can combine multiple vectors in a single, complex DDoS attack for maximum impact.

DDoS Attack Tools

Launching a successful DDoS attack was once quite complex, requiring technical skills to code an attack tool and manually infect devices. Today, attackers can simply download DDoS attack tools from the Internet underground and launch attacks with little effort. Some common DDoS tools include LOIC, HOIC and XOIC, which allow users to overwhelm targets by flooding them with junk web traffic.

Attackers can also leverage DDoS-for-hire booter/stresser services to carry out attacks on their behalf. Booter services provide a web interface for users to specify a target URL or IP address, select an attack type, pay a fee and launch a DDoS attack with the click of a button. This makes it simple for anyone to initiate a powerful DDoS attack, regardless of technical expertise.

Is a DDoS Attack Illegal?

Launching a DDoS attack involves exploiting systems without permission and disrupting services through malicious means. This type of activity is widely considered a criminal act in most regions around the world. However, the exact legality depends on each country’s cybersecurity laws.

United States

In the United States, DDoS attacks are illegal under the Computer Fraud and Abuse Act (CFAA). The CFAA prohibits accessing a computer without authorization or in excess of allowed authorization in order to defraud and obtain something of value.

Since DDoS attacks involve hijacking Internet-connected devices without permission to bombard targets and cost them money, this is considered felony hacking according to the CFAA.

The maximum penalties for DDoS attacks under CFAA include:

  • Up to 10 years in prison
  • Fines up to $250,000 for individuals, $500,000 for organizations
  • Restitution to compensate victims for financial losses due to the attack

The United States Department of Justice has pursued charges and arrests against numerous DDoS attackers under CFAA over the years. Defendants have received multi-year prison sentences in some cases involving high impact attacks against commercial websites.

European Union

In Europe, the Council of Europe Convention on Cybercrime is the key framework around computer crimes including DDoS attacks. Signed by all European Union members, the convention states that interfering with or damaging computer systems without right should be criminalized by domestic laws within each country.

The EU Network and Information Security (NIS) Directive also requires member states to penalize DDoS attacks with “effective, proportionate and dissuasive” sanctions. Individual countries implement their own maximum penalties, but they commonly include multi-year prison sentences.

For example, the UK Computer Misuse Act sets a maximum of 10 years in prison for DDoS. The German Penal Code imposes up to 3 years imprisonment for disabling or obstructing computer systems.

China

China formally prohibited DDoS attacks and outlined penalties in Article 285 of its 2017 Cybersecurity Law. Individuals who carry out DDoS attacks face up to 3 years in prison along with fines for damages. Organizations can receive much harsher punishments, including fines up to 1 million RMB (approx $150,000 USD).

China famously deployed a massive DDoS attack against GitHub in 2015 to censor content. The attack generated over 2.6 trillion bits of traffic per second and remains one of the largest on record. However, the country strongly enforces anti-DDoS laws against individuals and hacker groups within its borders, and numerous arrests have occurred over the years.

Other Regions

DDoS attacks are illegal in most countries around the world. Even if they are not explicitly outlawed, they typically violate computer crime and cybersecurity laws similar to CFAA and the Cybercrime Convention.

For example, Australia considers DDoS a form of “unauthorized access” or “impairment of electronic communication” under its Cybercrime Act. Canada prohibits “mischief in relation to computer data” under Section 430 of its criminal code. DDoS violations in these countries can lead to criminal charges, fines and imprisonment.

So in summary, launching a DDoS attack is a serious cybercrime that commonly results in felony charges globally. Participating in a DDoS also violates the terms of service of Internet providers and websites. The legal risks apply to both the attack organizers and infected botnet machines participating in the DDoS traffic flood. However, companies impacted by DDoS attacks are generally not held legally responsible.

Defending Against DDoS Attacks

While DDoS attacks remain an illegal threat, there are ways for individuals and organizations to defend themselves. Here are some best practices:

Use DDoS Mitigation Services

Specialized third-party DDoS mitigation services can quickly identify attack traffic and filter it before it overwhelms a network. DDoS protection services scrub attack traffic on the cloud without impacting normal traffic flow to the protected target. This allows websites and networks to stay operational even under a DDoS bombardment.

Overprovision Bandwidth

Having excess bandwidth capacity can prevent smaller DDoS attacks from consuming all connectivity. When bandwidth is overprovisioned, there is enough extra capacity that a flood of attack traffic cannot crowd out normal traffic.

Blacklist Known Attack Sources

Blocking traffic from known malicious IP addresses and domains can reduce the impact of some DDoS attacks. Blacklists from threat intelligence providers can identify and cut off botnet traffic. However, this is less effective against rapidly evolving botnets with random IP spoofing.
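As an added illustration (not from the original article), the Python below layers the two controls this section and the HTTP/GET flood vector above describe: it parses constructed access-log lines, drops clients inside a threat-intel CIDR blocklist, and separately flags clients exceeding a per-second request threshold. The RFC 5737 addresses, the two blocklisted ranges and the threshold of 5 are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
# Apache/nginx "combined"-style access line: client IP, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')

def _line(ip, sec, req):  # builds one constructed log line (RFC 5737 addresses only)
    return f'{ip} - - [10/Oct/2023:13:55:{sec} +0000] "{req} HTTP/1.1" 200 512'

# Constructed sample: two ordinary visitors, one client from a blocklisted range,
# and one client sending the same GET eight times within a single second.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", 36, "GET /index.html"),
     _line("203.0.113.9", 37, "POST /login"),
     _line("198.51.100.23", 37, "GET /index.html")]
    + [_line("192.0.2.77", 38, "GET /search?q=x")] * 8)

# Constructed blocklist, shaped like the CIDR ranges a threat-intel feed publishes.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.200/29")]
FLOOD_THRESHOLD = 5  # requests from one client in one second before we flag it

def parse_access_log(text):
    """Return (ip, timestamp, method, path) tuples; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groups())
    return records

def in_blocklist(ip, networks=BLOCKLIST):
    """True when the client address falls inside any blocklisted CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def flood_sources(records, threshold=FLOOD_THRESHOLD):
    """Clients with at least `threshold` requests inside the same one-second bucket."""
    per_second = Counter((ip, ts) for ip, ts, _method, _path in records)
    return {ip for (ip, _ts), n in per_second.items() if n >= threshold}

def triage(text, networks=BLOCKLIST, threshold=FLOOD_THRESHOLD):
    """Map each suspicious client IP to the reason it was flagged.
    The blocklist catches sources a feed already knows; the rate check catches a
    flood from an address no feed has listed yet, which is why both are applied."""
    records = parse_access_log(text)
    flagged = {ip: "blocklisted" for ip, *_ in records if in_blocklist(ip, networks)}
    for ip in flood_sources(records, threshold):
        flagged.setdefault(ip, "http-flood")
    return flagged
```

The rate check is what covers the gap the paragraph notes: a botnet node that no feed has listed yet still shows up by its request rate, whereas the blocklist alone would pass it.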

Patch Vulnerabilities

Keeping software updated with the latest security patches prevents hackers from compromising systems in the first place. Vulnerability patching limits the pool of devices that attackers can infect to build their botnets. This reduces the firepower available for their DDoS attacks.

Spread Out Critical Systems

Distributing critical infrastructure across multiple locations and providers makes it harder to cripple everything with a DDoS barrage. If one node gets overloaded with attack traffic, others can still operate normally to maintain service availability.

Famous DDoS Attacks

Some of the largest and most disruptive DDoS attacks include:

GitHub DDoS Attack (2018)

In 2018, a massive 1.35 terabits per second DDoS assaulted GitHub, taking the developer platform completely offline for over 5 minutes. The attack traffic originated from over a thousand different autonomous systems across tens of thousands of unique endpoints. No attacker has claimed responsibility for what remains the biggest publicly disclosed DDoS attack.

Dyn Cyberattack (2016)

This complex DDoS attack targeted managed DNS provider Dyn in 2016 and disrupted major sites including Twitter, Spotify, Reddit, GitHub and Amazon. The Mirai botnet bombarded Dyn servers with massive traffic from 100,000 infected IoT devices like cameras and DVRs. The attack made large parts of the Internet inaccessible to users on the US East Coast.

Spamhaus DDoS (2013)

The anti-spam group Spamhaus was hit by a 300 Gbps DDoS campaign in 2013 that disrupted operations for several days. The attackers leveraged DNS reflection techniques that spoofed requests from Spamhaus to DNS servers and amplified the traffic significantly. Cloudflare helped mitigate the attack, which targeted its network after Spamhaus.

Attack           Year  Traffic    Description
GitHub DDoS      2018  1.35 Tbps  Largest recorded DDoS; overloaded GitHub for minutes
Dyn Cyberattack  2016  1.2 Tbps   Botnet took down major sites like Twitter and Spotify
Spamhaus DDoS    2013  300 Gbps   Huge DNS amplification disrupted Spamhaus and Cloudflare

Conclusion

DDoS attacks remain a serious threat that can cripple networks and websites by flooding them with high volumes of malicious traffic. However, actively participating in a DDoS is a felony crime in most regions punishable by years in prison. There are also ways for companies and infrastructure providers to defend against attacks by filtering DDoS traffic, distributing resources and keeping software patched. While no single solution can block all DDoS damage, a layered defense can minimize the outages and disruption that attackers aim to achieve.