What are DDoS cyber attacks?

What is a DDoS attack?

A Distributed Denial of Service (DDoS) attack is a cyber attack that attempts to make a website or online service unavailable by overwhelming it with traffic from multiple sources. The attacker uses a network of compromised devices, known as a botnet, to flood the target with requests and overload its servers. This prevents legitimate users from being able to access the website or service.

Some key characteristics of DDoS attacks:

  • Attempt to disrupt normal traffic of a website or online service
  • Use multiple compromised devices to generate huge amounts of traffic
  • Flood the target with requests to overwhelm its capacity
  • Prevent legitimate users from being able to access the service

DDoS attacks have become an increasingly common threat on the internet. They are relatively easy to execute and can be very disruptive if sufficient traffic volume is directed at the victim. Attackers often employ botnets numbering in the tens or even hundreds of thousands of devices to carry out large-scale DDoS campaigns.

What are the types of DDoS attacks?

There are several major types of DDoS attacks, which are categorized according to the kind of traffic used in the assault:

  • Volume-based attacks – This type of DDoS aims to overwhelm the target with huge amounts of bogus traffic. Common examples include UDP floods, ICMP floods, and other spoofed packet attacks.
  • Protocol attacks – These attacks target inherent weaknesses in network protocols and systems. Examples include SYN floods, Ping of Death, Smurf attacks, and more.
  • Application layer attacks – Rather than just flooding networks or systems, application layer DDoS tries to deplete server resources by sending a high volume of application calls or requests. This includes GET/POST floods, DNS query floods, and SSL abuse.
  • Multi-vector DDoS – Attackers may combine multiple attack vectors and types of traffic in order to enhance the scale and effectiveness of an assault. This can involve botnets executing different DDoS methods simultaneously.

Of these, volume-based floods using large botnets are a very common DDoS technique. However, application layer attacks that target web servers and applications directly can also be highly disruptive to online services. Attackers will tailor the type of DDoS used based on the victim’s infrastructure and defenses.

What are the major DDoS attack tools and methods?

Cybercriminals employ a range of tools and malware to carry out DDoS attacks:

  • Botnets – Networks of computers infected with malware, allowing them to be centrally controlled by an attacker. Used to generate huge floods of traffic from distributed sources.
  • DDoS booters/stressers – Web services that allow attackers to pay to trigger on-demand DDoS attacks from networks of compromised devices.
  • IoT botnets – Malware infects Internet of Things (IoT) devices like cameras, routers, etc. and harnesses them for DDoS attacks.
  • NTP amplification – Exploits public NTP servers to reflect and amplify traffic directed at victims.
  • DNS amplification – Similarly abuses open DNS resolvers to increase DDoS traffic volumes.
  • TCP SYN flood – Sends successive SYN packets to consume enough server resources to deny legitimate connections.
  • UDP flood – Inundates random ports on a victim server with UDP packets, using up bandwidth.
  • HTTP flood – Bombs web servers with a high volume of standard HTTP requests from multiple sources.

Attackers will typically target and compromise vulnerable systems that can then be incorporated into a botnet to carry out large-scale DDoS campaigns. They may also rent access to existing botnets and stresser services on cybercrime markets and forums.

What are common DDoS attack size and volumes?

DDoS attacks were traditionally measured in gigabits per second (Gbps). However, as assault size and network capacity has grown, attacks are now frequently measured in terabits per second (Tbps):

  • 10-20 Gbps – Capable of disrupting smaller websites and services
  • 50-100 Gbps – Can overwhelm moderate-sized infrastructure
  • 100-500 Gbps – Considered a very major attack
  • 500 Gbps to 1 Tbps – Among the largest attacks observed
  • 1-3 Tbps – Record-setting DDoS volumes

Some of the largest DDoS attacks on record include:

  • October 2016 on DNS provider Dyn – 1.2 Tbps using Mirai IoT botnet
  • February 2018 on Github by Memcached reflections – 1.35 Tbps
  • June 2019 on provider Cloudflare – 2.3 Tbps

Attacks exceeding 1 Tbps are now increasingly common. As botnets grow larger and Internet bandwidth expands, assault magnitude will likely continue to increase. Even small, temporary outages can cost businesses significant revenue and productivity.

Attack Size Traffic Volume Impact
Small 10-20 Gbps Disrupt smaller sites
Moderate 50-100 Gbps Overwhelm medium infrastructure
Major 100-500 Gbps Cause outages at many companies
Very large 500 Gbps – 1 Tbps Among the biggest attacks seen
Record-setting 1-3+ Tbps Disabled major providers and networks

What are the impacts of DDoS attacks?

DDoS attacks can severely disrupt an organization’s operations and bottom line:

  • Makes websites and online services unavailable to users
  • Loss of sales, reputation damage, and customer dissatisfaction
  • Prevents employees from being able to work and access resources
  • Ties up IT resources responding to the attack
  • Some outages cost hundreds of thousands of dollars per hour

If the assault overwhelms the network or servers, the website or service will be inaccessible to legitimate users for the duration of the attack. This directly translates into lost business and potential damage to the company’s reputation.

Prolonged outages also impact employee productivity across the organization. Resources must be allocated to mitigate the DDoS and maintain other critical systems. In the most severe cases, companies incur major losses running into the millions of dollars.

Calculating the cost per hour of an outage

To estimate the cost of a DDoS outage, multiply:

  • Average revenue per hour
  • Average profit margin

For example, if a company generates $1 million per day in revenue with a 10% profit margin:

  • Average revenue per hour = $1,000,000 / 24 = $41,666
  • Profit per hour = $41,666 x 0.10 = $4,166/hour

Even brief disruptions can have large financial consequences. A 3-hour outage would cost around $12,500 in lost profits alone in this scenario. The true cost when factoring in overhead, repairs, reputation damage, and other factors could be much higher.

What are the main motives behind DDoS attacks?

Attackers engage in DDoS activity for a variety of reasons:

  • Financial gain – Extorting businesses by threatening attacks unless paid ransom.
  • Revenge – Carried out by disgruntled customers, hacking groups, etc.
  • Competitive advantage – Directly targeting business rivals.
  • Hacktivism – For political or social causes, highlighting vulnerabilities.
  • Cyberwarfare – By nation states and state-sponsored actors against strategic targets.

Cybercriminals often use DDoS as an extortion tactic, threatening attacks against gambling sites, banks, online retailers, and others unless they pay a ransom. The availability of DDoS-for-hire booter services has also fueled growth.

Competitors may attempt to take out each other’s websites to gain an edge. Activist groups like Anonymous have used DDoS to make political statements and take down sites associated with their causes. And governments may employ DDoS to cripple critical infrastructure or communication systems in other countries.

How can businesses defend against DDoS attacks?

A layered DDoS mitigation strategy is required to defend against modern large-scale attacks:

  • Network security monitoring – Detect incoming attacks by analyzing traffic for anomalies and known attack signatures.
  • Over-provisioning bandwidth – Maintain excess capacity to absorb and delay impact of volumetric floods.
  • Traffic scrubbing – Use scrubbing centers to filter and clean attack traffic near the source.
  • Application security – Harden web and DNS servers against application attacks.
  • Blackhole routing – Divert attack traffic into a “blackhole” to neutralize impact.
  • DDoS mitigation service – Use specialized third-party services that can absorb and mitigate attacks on behalf of the client.

The scale and complexity of modern DDoS attacks requires leveraging automated mitigation systems and services. Cloud-based scrubbing services from vendors like Cloudflare and Akamai have become essential to effectively deflect large assaults.

On-premise solutions like routers and firewalls that rely on manual configuration are often overwhelmed and unable to cope with massive attack volumes exceeding 100+ Gbps. Intelligent DDoS protection services can automatically divert traffic and enact mitigation steps once an attack is detected.


DDoS represents a serious threat to organizations dependent on online operations and infrastructure. Attackers continue to find new techniques and expand the scale of assaults using compromised botnets and reflection/amplification attacks.

Defending against DDoS requires implementing strong monitoring to detect attacks rapidly. Companies also need scalable solutions and services capable of mitigating extremely high volumes of malicious traffic through traffic scrubbing, blackholing, and diversion.

While no solution can prevent all DDoS disruptions, a layered approach combining on-premise and cloud-based defenses provides the greatest protection against debilitating denial of service attacks in today’s threat landscape. Careful planning and testing of DDoS readiness is essential for reducing business risk.