What does a DDoS attack do?

A DDoS attack, which stands for Distributed Denial of Service attack, is a type of cyber attack that aims to make a website or online service unavailable by flooding it with excessive traffic from multiple sources. The goal is to overload the target’s infrastructure and prevent legitimate users from accessing the service.

What is a DDoS attack?

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources. This makes it difficult to stop the attack simply by blocking a single source of the traffic. The attack traffic is generated by multiple compromised systems which are often infected with malware. The malware allows the attacker to control the systems and launch an attack on command.

These compromised devices used to generate the attack traffic are known as bots or zombies. They form what is called a botnet – a network of devices under the control of the attacker. Botnets can consist of thousands of devices spread across the globe.

The attacker initiates the attack by sending commands to the botnet. The botnet then starts sending a huge flood of requests to the target. These requests could be attempts to open connections, view pages, run searches or perform other activities on the site. The large number of requests overwhelms the target, causing its servers to slow down or even crash.

How does a DDoS attack work?

There are three main phases to a DDoS attack:

  1. Building the botnet
  2. Sending traffic to the target
  3. Overwhelming the target

1. Building the botnet

The first step for the attacker is compromising systems and building a botnet. Methods used to build botnets include:

  • Infecting computers with malware
  • Exploiting vulnerabilities in systems
  • Gaining unauthorized access to Internet of Things (IoT) devices like security cameras and digital video recorders

Once infected, the compromised devices become bots that can be remotely controlled through command and control servers. The botnet is dispersed globally so traffic looks less suspicious and is hard to block.

2. Sending traffic to the target

When the botnet is ready, the attacker initiates the DDoS attack and the bots start flooding the target with requests. Different types of traffic flooding methods used in DDoS attacks include:

  • UDP floods – Sending many User Datagram Protocol (UDP) packets to overwhelm random ports on the target.
  • ICMP floods – Sending many pings via Internet Control Message Protocol (ICMP) requests.
  • SYN floods – Sending many TCP connection requests to use up resources on the target.
  • HTTP floods – Sending many HTTP GET or POST requests to target web servers and applications.
  • DNS amplification – Sending DNS queries with the target's IP address spoofed as the source, so that DNS servers direct their much larger responses at the target.

The bots may continually send the flood traffic or send waves of traffic intermittently over a period of time.

3. Overwhelming the target

The incoming flood of requests exceeds what the servers and infrastructure of the target can handle. The servers become overloaded attempting to process the attack traffic. This prevents them from responding to legitimate user requests.

Common effects experienced by the target include:

  • Unavailability of websites and web applications
  • Inability to access services like email and databases
  • Service degradation and increased latency
  • System crashes and network component failures

The attack continues until the botnet is dismantled or the attacker decides to stop it. Some attacks last for days or even weeks.

What are the impacts of DDoS attacks?

DDoS attacks can severely impact organizations and users in many ways, including:

Availability and disruption of services

The primary impact is making online services and resources unavailable to legitimate users. Websites, web applications, online banking systems and other services may be inaccessible.

Loss of revenue and reputation

E-commerce websites, online stores and other businesses that rely on Internet access face loss of sales and revenue. DDoS attacks also damage brand reputation.

Additional bandwidth and infrastructure costs

Targets may need to provision extra bandwidth and resources to handle the excess attack traffic. This leads to higher infrastructure costs.

Theft of data and compromised security

DDoS attacks may sometimes be used to divert security resources while a secondary attack is launched to steal data or breach systems. The overwhelmed victim is unable to detect or prevent the security compromise.

Types of DDoS attacks

There are several categories of DDoS attacks, classified based on the type of traffic flooding method used:

Volume-based attacks

These attempt to saturate the bandwidth of the target network with high volumes of traffic. Examples include UDP and ICMP floods.

Protocol attacks

These attacks target the weaknesses of network communication protocols. SYN floods and Ping-of-Death attacks belong in this category.

Application layer attacks

These target web servers and applications with a flood of requests to consume server resources. HTTP floods and GET/POST attacks fall under this type.

Reflection attacks

These use innocent servers to reflect and amplify the attack traffic directed towards the target. DNS amplification attacks utilize DNS servers for this.
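The symptom a defender can look for in the DNS amplification case described above (and in the flooding-methods list earlier) is DNS responses arriving at a host that never sent the matching query. The following is an added example, not code from the original article; it runs over constructed flow records (assumed to be in time order, with each record giving direction, local host, remote host, protocol, remote port and byte count) and flags hosts receiving unsolicited UDP/53 responses from several servers.

```python
from collections import defaultdict

# Constructed sample of flow records (not real traffic). Each tuple is
# (direction, local_host, remote_host, proto, remote_port, bytes);
# "out" = packet leaving our network, "in" = packet arriving at it.
# Assumption: records are in time order, so a legitimate response is
# preceded by a query from the same local host to the same server.
SAMPLE_FLOWS = [
    ("out", "10.0.0.5", "198.51.100.53", "udp", 53, 60),
    ("in",  "10.0.0.5", "198.51.100.53", "udp", 53, 180),   # reply to a real query
    ("in",  "10.0.0.9", "203.0.113.1",   "udp", 53, 3000),  # reply nobody asked for
    ("in",  "10.0.0.9", "203.0.113.2",   "udp", 53, 3200),
    ("in",  "10.0.0.9", "203.0.113.3",   "udp", 53, 2900),
    ("in",  "10.0.0.9", "203.0.113.4",   "udp", 53, 3100),
    ("out", "10.0.0.7", "198.51.100.53", "udp", 53, 70),
    ("in",  "10.0.0.7", "198.51.100.53", "udp", 53, 250),
]

def find_unsolicited_dns(flows, min_bytes=10000, min_servers=3):
    """Return {local_host: (unsolicited_bytes, distinct_servers)} for hosts that
    received UDP/53 responses from servers they never queried, once the volume
    and the number of distinct reflecting servers both exceed the thresholds.
    Many distinct servers plus large responses is the reflection signature."""
    queried = set()                       # (local, server) pairs we saw a query for
    unsolicited_bytes = defaultdict(int)
    unsolicited_servers = defaultdict(set)
    for direction, local, remote, proto, rport, nbytes in flows:
        if proto != "udp" or rport != 53:
            continue
        if direction == "out":
            queried.add((local, remote))
        elif (local, remote) not in queried:
            unsolicited_bytes[local] += nbytes
            unsolicited_servers[local].add(remote)
    return {
        host: (total, len(unsolicited_servers[host]))
        for host, total in unsolicited_bytes.items()
        if total >= min_bytes and len(unsolicited_servers[host]) >= min_servers
    }
```

In the sample, 10.0.0.9 is reported with 12200 unsolicited bytes from four servers while the two hosts with matching outbound queries are not.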

Attack Type        Description
Volume-based       Flood network bandwidth with high traffic
Protocol           Exploit weaknesses in network protocols
Application layer  Overwhelm web servers and applications
Reflection         Use other servers to reflect and amplify attack traffic

DDoS attack tools

Launching a DDoS attack requires botnets and attack tools. Some common DDoS tools used by attackers include:

LOIC

LOIC or Low Orbit Ion Cannon is a popular open source DDoS tool often used by hacktivists. It can perform UDP, TCP and HTTP floods.

HOIC

An upgraded version of LOIC that allows controlling multiple LOIC instances from a single master.

Botnets

Custom malware like TrickBot, Sality and Zeus infect devices to build botnets that can be used to launch DDoS attacks.

Booter/Stresser services

These services let anyone pay to launch attacks from pre-built botnets without needing technical skills.

Ransom DDoS

Attackers threaten businesses with DDoS attacks unless ransom demands are met.

DDoS attack duration

DDoS attacks can last anywhere from minutes to weeks depending on the motivations and resources of the attackers. Some typical attack durations include:

  • Under 1 hour – Short bursts to cause disruption.
  • 1 to 24 hours – Sustained assaults to maximize damage.
  • Days/Weeks – Advanced persistent attacks by motivated adversaries.

Attackers with larger botnets and resources can maintain assaults longer and cause more sustained denial of service. Some attacks have lasted for weeks, bombarding targets continuously or intermittently.

DDoS attack size

DDoS attack size is measured in terms of traffic volume delivered, typically in Gigabits per second (Gbps). Some major attack size milestones over the years:

  • 2002 – 1 Gbps
  • 2004 – 60 Gbps
  • 2007 – 100 Gbps
  • 2013 – 300 Gbps
  • 2014 – 400 Gbps
  • 2016 – 900 Gbps
  • 2020 – 1.7 Tbps

Attack size keeps increasing as botnets grow larger. Multi-vector attacks combining different flooding techniques can maximize attack size. High volume attacks over 500 Gbps can overwhelm most organizations.

Who is responsible for DDoS attacks?

DDoS attacks may be perpetrated by different malicious actors including:

  • Hacktivists – For political and social causes
  • Cybercriminals – For financial gain via ransom and theft
  • Competitors – To harm competition
  • Nation states – For cyber warfare and espionage
  • Script kiddies – For fun and fame
  • Disgruntled employees or customers – For revenge

What are the motivations behind DDoS attacks?

Attackers use DDoS for a variety of motivations:

Financial gain

Cybercriminals extort money from businesses by threatening DDoS attacks if ransom demands are not met.

Business competition

Companies may launch attacks against competitors to disrupt services and reputation.

Hacktivism

Hacktivist collectives like Anonymous use DDoS to take down organizations for political and social causes.

Revenge

Disgruntled customers or ex-employees may initiate attacks to damage company operations and credibility.

Bragging rights

Skilled hackers launch large DDoS attacks to show off their capabilities and gain notoriety.

How to protect against DDoS attacks

Measures to prevent and mitigate DDoS attacks include:

  • Increasing bandwidth and resources
  • Using DDoS mitigation services
  • Enabling load balancing and caching
  • Monitoring for attack traffic patterns
  • Blacklisting bad IP sources
  • Having an incident response plan ready
  • Accepting some downtime during massive attacks
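"Monitoring for attack traffic patterns" for an HTTP flood means watching request rates, and because the traffic comes from many sources a per-IP limit alone misses it. The following is an added example, not code from the original article; it parses constructed Common Log Format lines (a helper builds them from documentation address ranges) and reports both sources that exceed a per-source limit and time windows whose aggregate count is excessive even though every source stays under that limit.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Matches the start of a Common Log Format line: client IP, bracketed timestamp, request.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASE = int(datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc).timestamp())

def parse_line(line):
    """Return (client_ip, epoch_seconds, request_line), or None if the line is malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group(1), int(datetime.strptime(m.group(2), TS_FMT).timestamp()), m.group(3)

def flood_report(lines, window=10, per_source_max=15, aggregate_max=40):
    """Bucket requests into fixed windows of `window` seconds and return
    (noisy_sources, hot_windows): IPs exceeding per_source_max in any window, and
    (window_start, total, distinct_sources) for windows whose total exceeds
    aggregate_max. A distributed flood shows up only in the second list."""
    per_window = defaultdict(Counter)  # window start -> Counter of requests per IP
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than fail mid-incident
        ip, t, _ = parsed
        per_window[t - t % window][ip] += 1
    noisy, hot = set(), []
    for start, counts in sorted(per_window.items()):
        noisy.update(ip for ip, n in counts.items() if n > per_source_max)
        total = sum(counts.values())
        if total > aggregate_max:
            hot.append((start, total, len(counts)))
    return noisy, hot

def _clf(ip, offset, path="/"):
    """Build one constructed CLF line `offset` seconds after BASE (sample data only)."""
    stamp = datetime.fromtimestamp(BASE + offset, timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'

# Constructed sample log (documentation address ranges, no real hosts):
#  - one normal visitor with a handful of requests,
#  - one single source hammering the site (20 requests in 10 s),
#  - ten bots that each stay under the per-source limit but together swamp seconds 30-39.
SAMPLE_LOG = [_clf("203.0.113.10", s) for s in (0, 3, 7, 35)]
SAMPLE_LOG += [_clf("198.51.100.77", s // 2, "/search?q=x") for s in range(20)]
SAMPLE_LOG += [_clf(f"192.0.2.{b}", 30 + r, "/login") for b in range(1, 11) for r in range(5)]
```

Running flood_report(SAMPLE_LOG) names 198.51.100.77 as the only noisy source and reports the window starting at second 30 (51 requests from 11 sources) as hot, although no bot in it sent more than five requests.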

Conclusion

DDoS attacks present an immense threat to organizations by disrupting services and resources. As botnets grow larger and more sophisticated, the scale and impact of attacks increases. By understanding how DDoS attacks work and preparing mitigation strategies, organizations can limit their effectiveness and minimize the damage caused.