What happens if someone DDoSes you?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming it with a flood of internet traffic from multiple compromised systems. DDoS attacks can be incredibly disruptive and costly if you are not prepared. So what actually happens when you get hit with a DDoS attack?

How does a DDoS attack work?

In a DDoS attack, the incoming traffic flooding the victim originates from many different sources – potentially hundreds of thousands or more. This effectively makes it impossible to stop the attack simply by blocking a single source. The attacker uses a botnet – a network of internet-connected devices that have been compromised with malware – to overwhelm the target. These compromised devices can include everything from computers and mobile devices to IoT gadgets like smart home devices or webcams.

The attacker sends commands from a central control server to the botnet, instructing the network of devices to flood the bandwidth or resources of the targeted system or service. By leveraging the power of thousands of devices working in concert, the attacker can generate an onslaught of malicious traffic many times more powerful than what even a single well-resourced machine could produce.

Common DDoS attack types

There are several common methods attackers use to carry out a DDoS assault:

  • Volume-based attacks – This type of DDoS aims to saturate the bandwidth of the target with a flood of malicious traffic. HTTP floods, ICMP floods and UDP floods are examples of volume-based attacks.
  • Protocol attacks – These attacks target the weaknesses in network protocols themselves in an attempt to overwhelm target resources. SYN floods, DNS amplification attacks, and attacks on SSL encryption fall under this category.
  • Application layer attacks – Application layer attacks target web applications by depleting server resources through malicious payloads sent to those applications. Examples include GET/POST floods, attacks on APIs, and malformed requests.

What actually happens when you are hit by a DDoS attack?

When a DDoS attack hits your website or network, the immediate result is that your infrastructure becomes overloaded by the deluge of malicious traffic. This can lead to:

  • Slow website performance or total unavailability of websites and web applications
  • Inability to access on-premises and cloud-based servers
  • Lag, latency and loss of service for applications
  • Packet loss leading to slow or failed network communications

In other words, a successful DDoS attack disrupts your ability to communicate and serve customers online. Users will experience painfully slow load times, error messages, timeouts or the site simply being entirely unreachable. If the attack is significant enough, it can entirely knock your website or network offline.

Business impacts

The business impacts of a DDoS attack can be severe:

  • Loss of sales and revenue due to site outage
  • Customer dissatisfaction and defections
  • Reputational damage and loss of credibility
  • Costs associated with emergency response and mitigation
  • Loss of productivity

For online businesses that depend on their website and applications being continuously accessible to drive sales, even minor amounts of downtime can quickly translate into major revenue loss. Outages during peak sales periods like Black Friday or Cyber Monday could be financially disastrous.

How do you know you are under attack?

Detecting an active DDoS attack will largely depend on your network monitoring capabilities. Some common signs that suggest you are being hit by a DDoS assault include:

  • Sudden spike in bandwidth utilization and outbound traffic
  • Increased errors, timeouts and packet loss
  • Slow network performance and access times
  • Inability to access websites and applications
  • Unavailability of websites and “site cannot be reached” error messages
  • Crawl errors in search engine results pages

Your IT team should continuously monitor traffic patterns and bandwidth usage across all of your infrastructure and be alert for abnormal activity associated with DDoS. Advanced DDoS mitigation solutions also employ always-on detection capable of automatically spotting and blocking attacks before they overwhelm your defenses.

How long does a DDoS attack last?

DDoS attacks can vary greatly in both scale and duration. Some attacks may only last several minutes, while others can persist for days or even weeks if the attacker has sufficient resources. In general:

  • Small, unsophisticated DDoS attacks may last from a few minutes up to an hour.
  • Larger DDoS assaults can last from several hours to multiple days.
  • “Carpet bombing” attacks are short but frequent DDoS events over an extended period.
  • Extortionist DDoS attacks often last until ransom is paid.

The longest DDoS attack on record lasted for 13 days, targeting content delivery provider Akamai in 2020. However, most large modern DDoS attacks average around 2-5 Gbps and last less than an hour. Attackers generally only maintain an assault as long as is needed to achieve their aim of disrupting your business or extorting money.

What is the impact of a DDoS attack?

The impacts of a DDoS attack can vary based on the attack size, vector, duration and defenses in place. Potential consequences include:

  • Inaccessible websites and applications – Users receive slow load times, error messages or “site unavailable” notices during an attack.
  • Lost revenue and customers – Outages drive customers away and directly result in lost sales opportunities during attacks.
  • Reputational harm – DDoS events can hurt consumer confidence, brand reputation, and employee morale.
  • Operational costs – Extensive IT resources are required to diagnose, respond to and mitigate attacks.
  • Productivity losses – Employees are hampered or unable to perform duties during prolonged attacks.
  • Customer dissatisfaction – Users become frustrated with sites and apps being unavailable during peak times.

Ultimately the goal of DDoS perpetrators is to inflict damage, whether financial, operational or reputational. Successful large-scale attacks can inflict serious harm on businesses.

DDoS collateral damage

DDoS attacks also often have “collateral damage” effects, disrupting access and connectivity for other companies and networks hosted on the same providers as the main target. Attacks on DNS servers or bandwidth saturation at the ISP level mean that entire neighborhoods of websites can be knocked offline together during major DDoS events.

How much does a DDoS attack cost?

Estimating the total potential cost of a DDoS attack combines both the direct costs of disruption as well as indirect costs like productivity and reputation loss. Some average costs include:

  • Lost revenue: $40,000 to over $100,000 per hour of disruption
  • IT expenses: $50,000 per attack on average
  • Brand reputation damage: Estimated 5-10% loss of customers
  • Increased spending on mitigation: 2-3x higher costs for DDoS protection

For a large online retailer, the total costs could easily escalate into millions of dollars for a prolonged major DDoS event, when factoring in IT expenses, lost sales and customer turnover. For small companies the costs may be lower but proportionally catastrophic to their business and viability.

Cost comparison by company size

Company size        Estimated cost per DDoS attack
Small business      $50,000
Medium business     $500,000
Enterprise          $1 million+

DDoS attacks have the power to instantly deprive businesses of revenue while racking up major IT expenses. Companies in all industries need to take these attacks seriously and implement robust defenses before they happen.

How to defend against DDoS

Defending your business against the crippling effects of DDoS requires a multifaceted strategy combining both in-house and cloud-based solutions:

Network security best practices

  • Maintain patched and updated software to eliminate vulnerabilities
  • Configure firewalls to filter and block malicious traffic
  • Enable IPS/IDS monitoring to detect network anomalies
  • Monitor bandwidth usage across network links
  • Control access with ACLs and block unused ports/protocols

DDoS mitigation

  • Use on-prem scrubbing appliances to clean local traffic
  • Implement intelligent DDoS protection services in the cloud
  • Activate any DDoS defenses included with CDNs or web hosts
  • Shift public assets to DDoS-resistant hosting providers
  • Enlist a DDoS mitigation service to instantly block attacks

The best defense will integrate both on-prem and cloud-based capabilities into a layered model. During an active attack, cloud scrubbing services are essential to absorb and disperse the malicious traffic before it can overwhelm local infrastructure.

Incident response planning

  • Have an emergency response plan documenting internal procedures
  • Establish communication protocols for both internal and external notifications
  • Identify key personnel and define roles/responsibilities
  • Maintain updated contact information for reporting attacks
  • Test plans regularly through practice drills

Any defense also requires an effective incident response plan allowing you to quickly take action when a DDoS strike occurs. Planning ahead of time for mitigation, reporting, monitoring and public communications helps minimize business disruption.

How to track down the source of a DDoS attack

Trying to trace the original source of a DDoS attack is challenging. Because assaults employ botnets of thousands of compromised devices, identifying one perpetrator is nearly impossible. However, there are techniques to gather evidence on DDoS traffic sources:

  • Analyze web server and firewall logs to identify key attackers
  • Trace back IP addresses of botnet nodes to geographic locations
  • Work with ISPs to uncover attack traffic origins
  • Inspect packet contents for identifying information
  • Check emails or social media for extortion demands claiming responsibility
  • Look for similar infrastructure setups used across different attacks

While tracing to a single attacker is unlikely, these forensic methods help build a picture of the overall botnet structure and geographic sources of the traffic.
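The monitoring signs listed under “How do you know you are under attack?” and the log analysis step above can be turned into a simple check over web server logs. The following is an added example, not code from the original article: it parses combined-log-format lines, buckets requests into fixed windows, flags windows whose request count jumps far above the first window (assumed here to contain normal traffic), and reports how many distinct sources are involved, which is what separates a botnet-driven flood from a single abusive client that can simply be blocked. The log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')

def parse_line(line):
    """Parse one combined-log-format line into (source_ip, datetime, request), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, _status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), request

def bucket_requests(lines, window_s=10):
    """Group parsed requests into fixed windows: window_start_epoch -> list of source IPs."""
    buckets = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, when, _request = parsed
            buckets[int(when.timestamp()) // window_s * window_s].append(ip)
    return dict(sorted(buckets.items()))

def detect_floods(lines, window_s=10, spike_factor=5.0, min_sources=10, top_n=3):
    """Flag windows whose request count is >= spike_factor times the first (baseline) window.
    Many distinct sources in a flagged window suggests a distributed (botnet) flood;
    few sources suggests a single client that ordinary rate limiting or blocking handles."""
    buckets = bucket_requests(lines, window_s)
    if not buckets:
        return []
    baseline = len(next(iter(buckets.values())))  # assumption: log starts with normal traffic
    findings = []
    for start, ips in buckets.items():
        if len(ips) >= spike_factor * max(baseline, 1):
            sources = Counter(ips)
            findings.append({
                "window_start": start,
                "requests": len(ips),
                "distinct_sources": len(sources),
                "top_sources": sources.most_common(top_n),  # the "key attackers" to report to ISPs
                "kind": "distributed" if len(sources) >= min_sources else "single-source",
            })
    return findings

def make_sample_log():
    """Constructed sample: 5 normal requests from 2 hosts, then 60 requests from 20 hosts in 10 s."""
    lines = [f'198.51.100.{i % 2 + 1} - - [10/Oct/2023:13:55:0{i} +0000] "GET /index.html HTTP/1.1" 200 512'
             for i in range(5)]
    for n in range(60):
        lines.append(f'203.0.113.{n % 20 + 1} - - [10/Oct/2023:13:55:{20 + n % 10} +0000] "GET /search?q=x HTTP/1.1" 503 0')
    return lines
```

Run `detect_floods(make_sample_log())` to see the burst window reported as a distributed flood of 60 requests from 20 sources; on real logs, tune `window_s`, `spike_factor` and `min_sources` to your normal traffic.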

Technical limitations

However, there are limitations to gathering accurate attribution data on DDoS events:

  • Botnet nodes use IP address spoofing and stolen IP blocks
  • Traffic moves through compromised servers and proxy machines
  • Attackers chain together diverse malware infected machines
  • Identifying command and control servers is complex

Attackers actively hide their identity and often hijack innocent computers to conduct attacks. Still, any intelligence gathered can strengthen future defenses.

Legal implications of DDoS attacks

Launching a DDoS attack comes with serious legal risks under cybercrime laws worldwide. Penalties can include:

  • Up to 10 years imprisonment in the U.S. under the CFAA
  • £10,000 fines in the UK under the Computer Misuse Act
  • Up to 5 years imprisonment in Australia under the Cybercrime Act
  • Up to 7 years imprisonment in Singapore under the Computer Misuse Act

Law enforcement in many countries prioritizes investigating and prosecuting DDoS attacks. The challenge lies in being able to trace the true perpetrators behind botnet-driven assaults to bring them to justice.

Extortion attempts

A growing legal issue around DDoS is cyber extortion – attackers threatening companies with attack unless ransom demands are paid. Extortion is illegal but common, with perpetrators rarely caught. Many advise avoiding payment while immediately contacting authorities if you receive a ransom note.

The future of DDoS attacks

DDoS assault techniques constantly evolve as attackers adopt new technologies and tactics. Some emerging trends include:

  • Increase in frequency of short “hit and run” attacks
  • More advanced botnets with millions of nodes
  • Proliferation of DDoS-for-hire services
  • Attacks targeting cloud infrastructure and providers
  • Leveraging Emotet and other malware strains
  • Targeting of APIs and application layers

Attackers exhibit increasing technical sophistication while DDoS-as-a-service lowers the barrier to entry for petty cybercriminals. As our infrastructure grows more complex with cloud computing, IoT and mobile growth, the potential attack surface widens.

Businesses must employ layered defense with room to scale against the non-stop evolution of DDoS. Flexible solutions that combine on-prem hardware, intelligent software, and real-time mitigation services provide the best protection now and into the future.

Importance of preparation

While DDoS threats will only diversify, the fundamentals hold true – proper planning, prevention, detection and mitigation continue to form the core of effective security. DDoS resilience requires building comprehensive defenses before attacks strike and having mitigation partners ready to counter large events.

With adequate safeguards in place and a quick response, companies can minimize both the disruption and destruction caused by DDoS. But neglecting the threat of DDoS leaves you rolling the dice, where a devastating attack is never a matter of if but when.

Conclusion

DDoS attacks remain a potent threat to businesses globally. As attacks grow more frequent, longer and complex, the need for adequate defenses reaches new urgency. Understanding DDoS methods and impacts provides the knowledge to craft robust countermeasures.

While no solution can be 100% foolproof, vigilant monitoring paired with a layered model combining on-prem and cloud-based capabilities gives companies the best chance of deflecting attacks. DDoS resilience requires planning for the reality that it’s no longer a question of if you will be attacked – but when.