What happens if a DDoS attack is successful?

A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it with a flood of internet traffic. DDoS attacks accomplish this by leveraging multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. At a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

DDoS attacks have been growing in frequency, size and sophistication in recent years. This is driven by the expanding number of potentially compromised components that can be conscripted into a botnet, the ready availability of DDoS-for-hire services (offering DNS, network and SSL deep-protocol attacks) and inadequate cybersecurity measures, including a lack of DDoS protection. According to Kaspersky Lab, DDoS attacks grew by 180 percent in the first quarter of 2023 over the same quarter in 2022.

If a DDoS attack overwhelms a website or network, a range of negative outcomes can result:

  • Website unavailability – Target users are unable to access the website or use its services during the attack, resulting in a loss of productivity, transactions and revenue.
  • Poor network performance – Network speeds slow to a crawl, resulting in interrupted connectivity, timed-out attempts to reach network resources and an inability to use bandwidth-sensitive applications.
  • Loss of customer trust and loyalty – Users who are unable to access a website or who experience slow network performance frequently switch to competitor websites/networks, and some never return.
  • Reputational damage – News of successful DDoS attacks drives negative social media conversations about the affected organization, damaging its brand reputation.

Website unavailability, slow network speeds and an inability to conduct business online during DDoS attacks directly translate into lost revenue for attacked organizations. According to Radware, the average cost of network downtime per minute is $5,600 for enterprises. For small- and medium-sized businesses the average cost per minute is $8,500. In a Neustar survey of 710 companies, 77 percent of respondents indicated that they had been on the receiving end of a DDoS attack. Of those organizations attacked, 33 percent estimated the financial impact at between $100,000 and $500,000.

Large-scale DDoS attacks can overwhelm network bandwidth measured in tens of gigabits per second (Gbps). In recent years massive attacks exceeding 500 Gbps have become more common. In 2022, Amazon reported mitigating a DDoS attack that peaked at 2.3 terabits per second (Tbps), one of the largest ever reported. The following year Microsoft reported blocking a 3.47 Tbps DDoS attack, a record at the time.

Why are DDoS attacks launched?

Cybercriminals orchestrate DDoS attacks for a variety of self-serving reasons:

Financial gain

Many DDoS attacks are ransom-based. The attackers overload the target network or server and then demand payment to stop the attack. Criminal organizations often conduct a short demonstration attack to prove they have the capability to mount a more sustained onslaught. Targets that depend heavily on online transactions often decide that paying the ransom is more cost effective than suffering extended outages.

Ransom demands are typically made in cryptocurrencies like Bitcoin rather than more traceable traditional forms of payment. DDoS-for-hire services have proliferated on the Dark Web, providing easy access to attack services for those willing to pay.

Retaliation

Angry customers and disgruntled employees may launch DDoS attacks against an organization to punish them over a perceived grievance. Activist groups such as Anonymous have used DDoS attacks to retaliate against organizations they view as opponents of their causes and ideologies.

Diversion

DDoS attacks can act as a smokescreen for more nefarious intrusions by directing IT security staff resources to defending against DDoS floods. With security resources overwhelmed by the DDoS onslaught, attackers have an open window to target vulnerabilities and exfiltrate valuable data.

According to Kaspersky Lab research, 40% of organizations hit with DDoS report that they were also struck by additional cyber attacks beyond the DDoS itself. Multi-vector attacks like these lead to dramatically higher financial losses from data breaches.

Ruining Reputation

For less scrupulous organizations, DDoS attacks can be used against competitors to ruin their reputation for reliable service and trustworthiness with customers. Unpredictable network failures erode consumer confidence.

Hacktivism

Politically or socially motivated hacktivist groups like Anonymous see DDoS attacks as a form of civil disobedience and protest against targets like financial institutions, corporations and government bodies. DDoS attacks provide an asymmetric means for hacktivists to disrupt much larger opponents.

Common DDoS attack vectors

DDoS attackers have multiple attack vectors available to overwhelm systems and bandwidth. Common examples include:

Volume-based attacks

Volume-based attacks aim to saturate available bandwidth by flooding target networks with an overwhelming amount of traffic. These attacks include:

  • UDP floods leveraging User Datagram Protocol (UDP) packets
  • ICMP floods that exploit Internet Control Message Protocol (ICMP) packets typically used for error signaling and diagnostics
  • SYN floods, which initiate a flood of TCP SYN requests for new connections to exhaust state-tracking resources
  • Ping-based floods using numerous ICMP Echo Request packets
  • Other spoofed packet floods using counterfeited source IP addresses

Volume-based floods often exceed 100 Gbps, sometimes reaching previously unimaginable scales. The largest confirmed DDoS attack to date produced traffic exceeding 46 million packets per second (Mpps).

Protocol attacks

Rather than simple floods, protocol attacks target inherent weaknesses in network infrastructure, protocols and systems. Low-and-slow attacks like these require little traffic to bring down servers and circumvent legacy DDoS defenses. Examples include:

  • HTTP protocol violation attacks
  • Attacks amplifying DNS and NTP traffic
  • TCP state-exhaustion attacks like SYN floods
  • SSL renegotiation attacks that monopolize HTTPS resources
  • DNS query floods that overload recursive resolvers
  • SIP, CLDAP and other protocol attacks abusing design vulnerabilities

Application layer attacks

Sophisticated application layer (layer 7) attacks directly target web application code, APIs and databases linked to websites and networks. These low-volume, high-efficiency attacks include:

  • HTTP flood attacks targeting resource pools
  • Low-and-slow attacks going after state exhaustion vulnerabilities
  • GET/POST attacks
  • DNS query floods going after domain name system servers
  • SSL renegotiation attacks disrupting transport layer security
  • Brute force attacks to crack passwords on login pages

Multi-vector DDoS attacks

For greater impact, cybercriminals increasingly launch DDoS attacks combining multiple vectors. Multi-vector attacks present a complex incident for overloaded defenders to mitigate. According to Kaspersky, multi-vector attacks increased from 17.22% of all DDoS events in Q4 2018 to 38.13% in Q4 2019.

Often multi-vector attacks pair a flood-based attack that consumes bandwidth with protocol or application attacks that tax other resources. Sources of DDoS botnets are also diversifying: a single campaign can leverage computers, mobile phones, IoT devices and an ever-expanding range of endpoints.

DDoS attack sources

Successful DDoS attacks require large distributed botnets of devices to carry out the actual assault. By leveraging tens of thousands or more devices, attackers can generate floods of malicious traffic while obscuring the attack’s true origin. Botnets are assembled by first compromising vulnerable Internet-connected devices without the owner’s knowledge. Common DDoS bots include:

Consumer PCs and laptops

In the early days of DDoS, attackers focused on exploiting malware and worms to build large Windows-based botnets for traffic generation. While no longer the primary source, compromised PCs and laptops still get dragooned into DDoS botnets.

Servers

Servers offer attackers access to more bandwidth than consumer devices for DDoS generation. Compromised Linux servers can be secretly converted into bots.

IoT devices

The massive proliferation of poorly secured Internet of Things (IoT) devices such as DVRs, routers and smart cameras provides nearly limitless susceptible endpoints for bot masters. Kaspersky observed a nearly fivefold increase in the IoT botnets it tracked from 2019 to Q1 2022.

Mobile phones

Malware-infected Android devices can turn ordinary users' phones into DDoS bots that lie dormant until triggered by a command. Mobile phones supply both the infected devices and the network connectivity they attack from.

Cloud instances

Poorly configured cloud workloads give attackers the ability to spin up virtual bots capable of generating crippling DDoS traffic while avoiding detection.

Reflectors/Amplifiers

Certain protocols can be exploited by attackers to reflect and amplify DDoS floods. Misconfigured DNS and NTP servers are common resources used for high-powered amplification attacks.

How are modern DDoS attacks evolving?

DDoS events are continually evolving as cybercriminals develop ever larger and more sophisticated attack campaigns. Some key trends in DDoS attacks include:

  • Increasing magnitude – Over the last decade attack bandwidth has grown massively, from under 50 Gbps to more than 2 Tbps. Source PCs have expanded from thousands to millions.
  • Greater frequency – Organizations of all sizes face weekly or even daily DDoS attacks as the incidence rate rises.
  • Higher complexity – Multi-vector attacks combining various DDoS methods over numerous protocols from diverse sources are increasingly common.
  • New targets – Beyond online businesses, DDoS perpetrators are going after new targets such as government bodies, schools and nonprofits.
  • New motivations – Greater financial incentives for DDoS attacks and the rise of disruptive hacktivist collectives point to more frequent events.
  • DDoS-for-hire – The burgeoning market for cyberattack services and the proliferation of malware kits provide convenient tools for orchestrating DDoS campaigns.

The vast potential rewards of successful attacks provide cybercriminals compelling motivation for launching ever more damaging and complex DDoS incidents. Ransom payouts often range from tens of thousands to hundreds of thousands of dollars, far exceeding the meager costs of renting ready-made DDoS botnets and infrastructure. As long as the economics remain lopsided in favor of cybercrime, DDoS threats will continue to plague organizations and users.

What happens when a DDoS attack succeeds?

With attacks growing in scale and sophistication, many organizations are unable to defend against DDoS campaigns using legacy security tools and methods. When DDoS perpetrators overrun defenses, the consequences for the targeted organization include:

  • Network and website outages lead to angry, lost customers and plummeting sales.
  • Slow network performance renders applications unusable, resulting in declines in workforce productivity.
  • Outages can expose user data and confidential information, aiding attackers' data exfiltration efforts.
  • Diversionary DDoS attacks provide cover for malware and ransomware installation, which can harm systems long after the DDoS is over.
  • Poor website availability leads users to jump to competitors, surrendering hard-earned loyalty.
  • Missed business opportunities and revenue targets undermine investor confidence.
  • Angry users vent frustrations and damaging accusations on social media platforms.
  • Senior leaders must devote resources to managing public and media relations rather than running the business.
  • Quality employees question leaders’ ability to defend the organization, causing retention problems.
  • DDoS incidents followed by data breaches result in customer churn, lawsuits, and regulatory consequences.

Ultimately DDoS attacks that successfully sideline websites and overload infrastructure carry devastating aftershocks long after the initial incident.

How can organizations defend against DDoS attacks?

With the frequency and might of DDoS assaults increasing, organizations must deploy layered defenses to achieve resilience. Steps to defend the network edge and critical resources include:

Hybrid DDoS protection

DDoS solutions should offer a hybrid defense combining cloud and on-premise scrubbing to block volumetric and application attacks while maintaining uptime. Network and web application firewall components provide additional safeguards against protocol and HTTP attacks.

Overprovision bandwidth

Maintaining excess bandwidth overhead allows sites to absorb moderate traffic spikes while attacks are mitigated by DDoS defenses. Burstable bandwidth options from web hosting providers make this practical.

DDoS attack plan

Develop and document an emergency response plan for DoS events specifying internal personnel assignments and external resources to be activated. Conduct mock incident exercises to improve plan effectiveness.

Monitor traffic

Analyze bandwidth usage under normal conditions. Sudden suspicious spikes may indicate an attack underway. Monitoring tools paired with machine learning quickly detect abnormal traffic patterns.

Server redundancy

Distribute website content across multiple servers hosted by different providers to avoid single points of failure. Anycast routing improves availability by serving identical IP addresses from geographically diverse locations.

Cache content

Caching mechanisms like a content delivery network (CDN) serve website content from edge servers closer to users, minimizing reliance on origin servers under siege.

Know normal traffic

Understand traffic flows to important applications during normal operations so that anomalies are detected faster when the unexpected occurs. Watch for unusual spikes in traffic to DNS, websites or other network services.
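As an added example (not from the original article), the following Python sketch implements the baseline-and-anomaly monitoring described under "Monitor traffic" and "Know normal traffic": it learns what normal looks like from a window of per-minute counters for several services and flags only intervals whose volume is attack-scale above that baseline. The metric names and counter values are constructed, and the 4-sigma and 3x thresholds are assumptions to be tuned per service.

```python
"""Baseline-and-spike detector for DDoS monitoring (added example, constructed data)."""
from statistics import mean, pstdev


def learn_baseline(samples):
    """Return (mean, stdev) of a window of normal-traffic counters."""
    if len(samples) < 2:
        raise ValueError("need at least two baseline samples")
    return mean(samples), pstdev(samples)


def is_spike(value, baseline, z_threshold=4.0, min_ratio=3.0):
    """Flag a counter far above baseline in both statistical and absolute terms.

    The z-score catches deviation from normal variance; the ratio guard keeps a
    very quiet, low-variance baseline from turning a 20% bump into an alert.
    """
    avg, stdev = baseline
    # Floor the deviation so a near-zero stdev does not make every change a spike.
    floor = max(stdev, 0.05 * avg, 1.0)
    z = (value - avg) / floor
    return z >= z_threshold and value >= min_ratio * avg


def detect_spikes(series, window, **kwargs):
    """Learn normal from the first `window` samples; return indices of later
    samples that look like an attack-scale flood."""
    base = learn_baseline(series[:window])
    return [i for i in range(window, len(series)) if is_spike(series[i], base, **kwargs)]


# Constructed per-minute counters: ten quiet minutes, then five to inspect.
SAMPLE_TRAFFIC = {
    "http_requests": [1200, 1250, 1180, 1300, 1220, 1260, 1190, 1240, 1280, 1210,
                      1400, 1350, 9800, 12400, 1300],  # HTTP flood, minutes 12-13
    "dns_queries":   [300, 320, 310, 290, 305, 315, 295, 300, 310, 305,
                      330, 4200, 4500, 320, 310],       # DNS query flood, 11-12
    "inbound_mbps":  [80, 85, 78, 90, 82, 88, 79, 84, 86, 81,
                      95, 100, 92, 88, 90],             # busy but organic: no alert
}


def run_demo(traffic=SAMPLE_TRAFFIC, window=10):
    """Return {metric: [anomalous minute indices]} for each monitored counter."""
    return {name: detect_spikes(series, window) for name, series in traffic.items()}


if __name__ == "__main__":
    for metric, flagged in run_demo().items():
        print(metric, "spike at minutes", flagged if flagged else "none (within baseline)")
```

In production the baseline window would be refreshed continuously (and separately for business hours versus nights) so that seasonal growth does not turn into a standing alert.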

Penetration testing

Conduct controlled penetration tests mimicking DDoS attacks against applications and services. Identify potential weak points for remediation before real assaults.

Promote security hygiene

Enforce strong user access policies across networks, end user devices and key servers to diminish vulnerabilities. Rapidly apply software patches and disable unneeded services to reduce exploit potential.

Cloud proxy service

Route incoming requests through proxy servers for analysis before passing legitimate traffic to origin servers. Proxies filter malicious packets and absorb excess traffic.

Compartmentalize apps/data

Isolate critical applications and datasets so they are not directly accessible from public networks. Restricting the exposure of sensitive assets reduces risk.

Conclusion

As DDoS attacks become more frequent and damaging, taking proactive steps to improve resilience is crucial for organizations. By implementing layered defenses both on-premise and in the cloud, updating policies and technology, and developing effective incident response plans, organizations can minimize disruptions and damages from denial of service attacks. Though no single solution provides absolute protection, an integrated and proactive security approach can greatly reduce risks. With cybercriminals continuously devising new ways to paralyze networks and IT infrastructure, maintaining up-to-date defenses requires constant vigilance.