What is DDoS attack in simple words?

A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.

What is the purpose of a DDoS attack?

The purpose of a DDoS attack is to overload a targeted resource with traffic, rendering it inaccessible to legitimate users. Attackers utilize botnets – networks of compromised devices under their control – to generate vast amounts of requests targeting the victim resource. This can include web servers, name servers, mail servers, routers, firewalls or applications. By flooding the target with more requests than it can handle, attackers can cause denial of service to normal users of the resource by overwhelming systems and bandwidth capacity. Many DDoS attacks are launched for ideological, political or personal motivations, but can also be used as a distraction or smokescreen for more damaging infiltration attempts. Major DDoS attacks can cost enterprises millions in lost revenue and productivity.

How does a DDoS attack work?

DDoS attacks work by enslaving large numbers of devices scattered around the internet as “bots” which overwhelm a target with fake requests. By gaining unauthorized access and control, attackers infect vulnerable devices with malware, creating a botnet or zombie army to carry out the attack. Botnets can grow to millions of bots, giving the attacker vastly disproportionate bandwidth with which to exhaust resources. Bots can generate requests from spoofed IP addresses, making blocking based on source impossible. Multiple attack vectors can be used to flood victims, including TCP, UDP and application-layer requests via HTTP, DNS and other protocols. During attacks, targets can be sent more requests per second than they could handle in years of normal operation. With large botnets, attackers may only need a small fraction of their resources to congest a victim’s bandwidth or overload systems and crash sites.

Common DDoS attack types

There are several common DDoS attack vector types, each with their own characteristics:

  • Volume-based attacks – Attempt to saturate bandwidth by flooding networks with immense amounts of traffic. UDP, ICMP and amplification floods are examples.
  • Protocol attacks – Target network infrastructure and services by exhausting the state and processing resources that protocols consume; SYN floods, ACK floods and DNS request floods are examples.
  • Application layer attacks – Overwhelm applications by exhausting server resources via HTTP floods, low-and-slow attacks, and GET/POST floods.

DDoS attacks have also grown in size and complexity, with multivector attacks combining multiple methods for greater impact. Attackers continue to evolve new attack vectors as mitigation catches up to existing techniques.

What are the main DDoS attack techniques?

Attackers have a range of techniques available to overwhelm systems and services via DDoS. Common and emerging attack types include:

Volumetric Attacks

Volumetric DDoS attacks aim to saturate bandwidth by flooding networks with huge amounts of bogus traffic. Common examples include:

  • UDP floods – Exploiting UDP’s stateless nature to send easily spoofed, often amplified packets.
  • ICMP floods – Bombarding targets with ICMP echo requests via ping commands.
  • SYN floods – Filling up TCP connection queues by continually initiating requests.

Protocol Attacks

Protocol attacks consume actual server resources and can take down entire systems. These include:

  • SYN flood – Opening excessive numbers of TCP connections.
  • ACK flood – Overwhelming systems with spoofed ACK packets.
  • DNS amplification – Using DNS servers to flood targets with huge responses.
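As an added, defender-side example that is not part of the original article: the script below scores TCP traffic to one server per one-second window and flags the SYN and ACK floods listed above. A SYN flood shows up as many SYNs whose handshakes never complete (spoofed sources never answer the SYN-ACK); an ACK flood shows up as ACKs for connections the server never saw opened. The packet record format, addresses and thresholds are constructed assumptions, not any product's format.

```python
"""Added example (not from the original page): a detector for the two protocol
attacks listed above, run over constructed packet records. Record format,
thresholds and addresses are assumptions made for the illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since capture start
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def analyze_handshakes(packets, server, window=1.0):
    """Bucket packets addressed to `server` into `window`-second bins and count,
    per bin: SYNs seen, handshakes completed by a client ACK, distinct SYN
    sources, and ACKs with no preceding SYN from that source (orphan ACKs)."""
    stats = defaultdict(lambda: {"syn": 0, "complete": 0, "sources": set(), "orphan_ack": 0})
    pending = {}  # client -> bin of its SYN, until the handshake-completing ACK arrives
    for p in sorted(packets, key=lambda pk: pk.ts):
        if p.dst != server:
            continue
        b = int(p.ts // window)
        if p.flags == "S":
            stats[b]["syn"] += 1
            stats[b]["sources"].add(p.src)
            pending[p.src] = b
        elif p.flags == "A":
            if p.src in pending:
                stats[pending.pop(p.src)]["complete"] += 1  # credit the SYN's bin
            else:
                stats[b]["orphan_ack"] += 1
    return stats


def flag_windows(stats, min_syn=50, max_completion=0.5, min_orphan_ack=50):
    """A bin is a SYN flood when many SYNs arrive and few handshakes finish;
    it is an ACK flood when many ACKs arrive for connections never opened."""
    alerts = []
    for b in sorted(stats):
        s = stats[b]
        completion = s["complete"] / s["syn"] if s["syn"] else 1.0
        if s["syn"] >= min_syn and completion < max_completion:
            alerts.append({"window": b, "kind": "syn_flood", "syn": s["syn"],
                           "sources": len(s["sources"]), "completion": round(completion, 2)})
        if s["orphan_ack"] >= min_orphan_ack:
            alerts.append({"window": b, "kind": "ack_flood", "orphan_ack": s["orphan_ack"]})
    return alerts


def sample_packets():
    """Constructed capture: two seconds of normal handshakes, then one second of
    spoofed SYNs that never complete, then one second of orphan ACKs."""
    server, pkts = "10.0.0.5", []
    for sec in (0, 1):
        for i in range(5):
            client, t = f"192.0.2.{i + 1}", sec + 0.1 * i
            pkts += [Packet(t, client, server, "S"),
                     Packet(t + 0.005, server, client, "SA"),
                     Packet(t + 0.010, client, server, "A")]
    for i in range(200):   # second 2: 200 distinct (spoofed) sources, one SYN each
        pkts.append(Packet(2.0 + i * 0.004, f"203.0.113.{i % 250 + 1}", server, "S"))
    for i in range(120):   # second 3: ACKs for connections that were never opened
        pkts.append(Packet(3.0 + i * 0.005, f"198.51.100.{i % 250 + 1}", server, "A"))
    return pkts, server


if __name__ == "__main__":
    pkts, server = sample_packets()
    for alert in flag_windows(analyze_handshakes(pkts, server)):
        print(alert)
```

In practice the same counters come from a flow exporter or a packet capture rather than an in-memory list, and the thresholds should be tuned against the server's normal baseline. The distinct-source count in the SYN alert is the useful operational signal: 200 sources sending one SYN each is exactly the spoofed pattern the article describes, and it tells the responder that blocking by source address will not help and that SYN cookies or upstream filtering are needed instead.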

Application Layer Attacks

Application layer attacks target web services, applications and APIs directly at Layer 7. Tactics include:

  • HTTP flood – Bombarding sites with valid HTTP requests.
  • Slowloris – Slowly connecting to web servers and holding connections open.
  • GET/POST floods – Flooding targeted APIs or endpoints with high volumes of GET or POST requests.

Reflection Amplification Attacks

Reflection amplification attacks spoof requests to public third-party services to flood victims. Examples include:

  • DNS amplification – Spoofing requests to DNS servers for large payload responses.
  • NTP amplification – Exploiting Network Time Protocol servers for DDoS reflection.
  • SSDP amplification – Abusing UPnP SSDP servers to magnify attack size.
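The reflection pattern above has a clear signature from the victim's side: large responses arrive from the service ports of many DNS, NTP or SSDP servers that no internal host ever queried. The following is an added example, not code from the original article, that pairs inbound responses with outbound requests over constructed packet records and reports the unsolicited remainder. The protected address range, the reflector port list and the byte threshold are assumptions for the illustration.

```python
"""Added example (not from the original page): flagging reflected UDP responses
that no internal host asked for, over constructed packet records. The address
range, service-port list and thresholds are assumptions for the illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Source ports of services commonly abused as reflectors (those named above).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP"}
INTERNAL_PREFIX = "10.0.0."   # assumed protected network


@dataclass(frozen=True)
class UdpPacket:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    size: int    # bytes on the wire


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def classify_responses(packets, max_rtt=2.0):
    """Pair each inbound packet from a reflector service port with an outbound
    request from the same internal host to the same server within `max_rtt`
    seconds. Unpaired responses are unsolicited: the internal host is the spoofed
    victim of a reflection attack. Returns (unsolicited, solicited)."""
    outstanding = defaultdict(list)  # (host, server, port) -> request timestamps
    solicited = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0})
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for p in sorted(packets, key=lambda q: q.ts):
        if is_internal(p.src) and p.dport in REFLECTOR_PORTS:
            outstanding[(p.src, p.dst, p.dport)].append(p.ts)
            solicited[p.src]["req_bytes"] += p.size
        elif is_internal(p.dst) and p.sport in REFLECTOR_PORTS:
            key = (p.dst, p.src, p.sport)
            matches = [t for t in outstanding[key] if p.ts - t <= max_rtt]
            if matches:
                outstanding[key].remove(matches[0])   # one request answers one reply
                solicited[p.dst]["resp_bytes"] += p.size
            else:
                entry = unsolicited[(p.dst, REFLECTOR_PORTS[p.sport])]
                entry["packets"] += 1
                entry["bytes"] += p.size
                entry["reflectors"].add(p.src)
    return unsolicited, solicited


def reflection_alerts(unsolicited, min_bytes=50_000):
    """Report (victim, service, packets, bytes, distinct reflectors) for every
    victim/service pair whose unsolicited traffic exceeds `min_bytes`."""
    return [(victim, service, v["packets"], v["bytes"], len(v["reflectors"]))
            for (victim, service), v in sorted(unsolicited.items())
            if v["bytes"] >= min_bytes]


def sample_udp():
    """Constructed capture: one legitimate DNS exchange, then 500 NTP responses
    from 50 servers and 30 SSDP responses, all to a host that sent no requests."""
    pkts = [UdpPacket(0.00, "10.0.0.7", 40001, "192.0.2.53", 53, 60),
            UdpPacket(0.02, "192.0.2.53", 53, "10.0.0.7", 40001, 120)]
    for i in range(500):
        pkts.append(UdpPacket(1.0 + i * 0.001, f"198.51.100.{i % 50 + 1}", 123, "10.0.0.9", 443, 1400))
    for i in range(30):
        pkts.append(UdpPacket(1.0 + i * 0.010, f"203.0.113.{i + 1}", 1900, "10.0.0.9", 443, 900))
    return pkts


if __name__ == "__main__":
    unsolicited, solicited = classify_responses(sample_udp())
    for alert in reflection_alerts(unsolicited):
        print(alert)
```

The byte threshold keeps the 30 stray SSDP packets below the alert line while the 700 kB of NTP responses from 50 distinct servers are reported. Because the victim never sent a request, there is nothing to fix on the victim's host; the mitigation is to drop or rate-limit inbound traffic from these service ports upstream (at the ISP or scrubbing center) and, on the reflector side, for operators to close open resolvers and deploy source-address ingress filtering (BCP 38) so spoofed requests never reach them.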

Multi-Vector Attacks

Multi-vector attacks combine multiple DDoS vectors like HTTP floods, UDP floods, and DNS queries for powerful assaults exceeding terabit volumes.

What are the effects of DDoS attacks?

DDoS attacks starve networks, websites, applications and services of the bandwidth and resources needed to function correctly. Effects can include:

  • Slow network performance and connectivity issues
  • Unavailability of websites and web-based services
  • Failure of API and VoIP services
  • Packet loss that impedes VPN access
  • Lost sales and revenue
  • Loss of customer trust and loyalty
  • Corruption of database systems

Large enterprises can lose hundreds of thousands per hour during DDoS attacks. Outages of websites that are critical to operations or revenue generation can cost even more in a short time. Attacks also consume IT and security staff resources as they scramble to mitigate the situation.

What are the stages of a DDoS attack?

DDoS attackers use a series of phases to plan, launch and leverage attacks. The typical DDoS attack lifecycle includes:

  1. Reconnaissance – Identifying targets and studying systems, configurations and defenses.
  2. Weaponization – Compromising systems to build zombie botnets and arsenals.
  3. Delivery – Launching attacks via botnets, reflection servers, stressers and other resources.
  4. Execution – Flooding targets through various DDoS attack vectors.
  5. Amplification – Leveraging reflection to maximize attack size and impact.

After completing the cycle, attackers typically cover their tracks and retain access or move to new targets. Perpetual reconnaissance lets them identify future weaknesses.

What are botnets and how are they used for DDoS attacks?

Botnets are networks of infected zombie machines that give attackers the distributed bandwidth to overwhelm targets. Devices become bots when malware is installed on them through phishing attacks, weak passwords or unpatched vulnerabilities. Attackers harvest millions of bots across PCs, mobile devices, servers and IoT platforms. Botnets act under the command and control of their operator, who can effectively point bandwidth at victims from around the globe. Huge botnets like Meris (100k nodes) and Mirai (600k nodes) have fueled record-setting DDoS attacks.

Main botnet types

  • IRC-based – Controlled via Internet Relay Chat (IRC) channels.
  • P2P botnets – Using peer-to-peer technology for management.
  • HTTP-based – Communicating via HTTP APIs for command.

Infected Linux servers, IoT devices like cameras and routers, and Windows PCs are common nodes for botnets, and Android botnets have also emerged. Geolocation diversity across bot nodes gives attackers anonymity and greater firepower when targeting organizations or infrastructure.

What are common DDoS attack tools?

The ecosystem of tools for launching DDoS attacks continues to expand. On the high end, botnet-for-hire booter/stresser services make launching DDoS trivial for unskilled attackers. There are also many free, open source and commercial tools to execute DoS. Common DDoS tools include:

  • LOIC – Open source stress testing tool used to flood targets.
  • HOIC – Enhanced version of LOIC for greater DDoS impact.
  • BOTs – Custom Trojans and botnet malware kits.
  • Stacheldraht – Classic DDoS tool for launching attacks.
  • Trin00 – Utility to assist with denial of service reconnaissance and attacks.

Hacker forums frequently release updated attack tools, scripts, bot executables and step-by-step guides. However, lack of skill is not an obstacle with the emergence of DDoS-for-hire booters and stressers. These services require little technical knowledge and are cheaply affordable, lowering the barrier to entry for even novice attackers.

What are the major recorded DDoS attacks?

Larger and more complex DDoS assaults are consistently toppling records year after year. Some of the major historical DDoS attacks include:

Year   Target             Duration           Size
2022   Africa Telecom     5 days             15.3 Tbps
2020   Amazon AWS         3 days             2.3 Tbps
2018   GitHub             10 minutes         1.3 Tbps
2016   DNS provider Dyn   12+ hours          1.2 Tbps
2013   Spamhaus           multiple attacks   300 Gbps

Major tech firms like Amazon, Dyn, and GitHub have been targeted by massive attacks reaching 1 Tbps and beyond. However, enterprises across industries suffer increasing attacks ranging from a few Gbps to over 100 Gbps. As botnets scale and tactics evolve, future DDoS assaults are expected to grow even larger.

What are common DDoS attack targets?

DDoS attackers target organizations across industries, seeking to negatively impact operations, services and bottom lines. Common targets include but are not limited to:

  • ISPs and infrastructure providers
  • SaaS and web-based services
  • Media, entertainment and gaming sites
  • Ecommerce retailers
  • Banks and financial services
  • Healthcare providers
  • Government and military agencies
  • Educational institutions

Motivations vary from hacktivism and revenge to extortion and anti-competitive business practices. High-traffic websites and online organizations are natural targets, but DDoS allows any internet-reliant business to be attacked at the DNS, network or application layers. To hackers, anyone is a potential target.

How are DDoS attacks evolving?

DDoS attacks are becoming larger, more complex and more frequent each year. Notable trends in evolving attacks include:

  • Increasing magnitude – Flooding attacks over 1 Tbps are now common.
  • Ongoing reflection amplification – Leveraging protocols like CLDAP for bigger attacks.
  • Multivector combinations – Uniting attack vectors for combined impact.
  • Hit and run cycles – Short bursts to evade defenses followed by periods of quiet.
  • Hijacking CDNs for DoS – Exploiting weaknesses in content delivery networks.
  • Abusing cloud platforms – Leveraging serverless resources and functions.

Attackers continue to innovate new ways to magnify the scale and impact of assaults. DDoS mitigation requires ongoing awareness of these emerging tactics.

How can organizations defend against DDoS attacks?

Defending against DDoS involves both preventative measures and mitigation capabilities. Strategies include:

  • Implementing application & network safeguards
  • Increasing infrastructure capacity and attack resilience
  • Enabling blackhole filtering and sinkholes
  • Leveraging ISP and carrier help
  • Adding DDoS mitigation services via cloud scrubbing centers
  • Enabling content delivery networks (CDN)
  • Performing disaster recovery and business continuity planning

Hybrid on-premises and cloud DDoS protection provides the most adaptability along with failover options when on-site solutions are overwhelmed.
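The first two strategies in the list above, application and network safeguards and added capacity, and the HTTP and GET/POST floods described earlier, can be illustrated with a small admission-control model. This is an added example, not code from the article: a per-client token bucket bounds any single source, and a global token bucket stands in for the origin's finite capacity. Rates, bursts, client addresses and the two traffic shapes replayed through it are constructed assumptions.

```python
"""Added example (not from the original page): two-tier token-bucket admission
control of the kind an application or network safeguard applies against HTTP and
GET/POST floods. Rates, bursts, client addresses and traffic shapes are
constructed assumptions for the illustration."""
from collections import defaultdict


class TokenBucket:
    """`rate` tokens per second are added, at most `burst` are stored; one
    request costs one token."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """A per-client bucket bounds one noisy source; a global bucket caps what the
    origin accepts in total, whatever the number of sources behind the load."""

    def __init__(self, client_rate=10, client_burst=20, global_rate=200, global_burst=200):
        self.client_rate, self.client_burst = client_rate, client_burst
        self.global_bucket = TokenBucket(global_rate, global_burst)
        self.clients = {}

    def admit(self, client, now):
        bucket = self.clients.get(client)
        if bucket is None:
            bucket = self.clients[client] = TokenBucket(self.client_rate, self.client_burst, now)
        if not bucket.allow(now):
            return "client_limit"   # this source alone exceeds its share
        if not self.global_bucket.allow(now):
            return "global_limit"   # aggregate load exceeds origin capacity
        return "allowed"


def simulate(limiter, requests):
    """requests: (timestamp, client_ip, label) triples. Replays them in time order
    and returns, per label, how many requests got each verdict."""
    counts = defaultdict(lambda: {"allowed": 0, "client_limit": 0, "global_limit": 0})
    for ts, client, label in sorted(requests, key=lambda r: r[0]):
        counts[label][limiter.admit(client, ts)] += 1
    return {label: dict(c) for label, c in counts.items()}


def legit_requests(seconds=10, rps=3):
    """Constructed: one well-behaved client at `rps` requests per second."""
    return [(j / rps + 0.001, "198.51.100.10", "legit") for j in range(seconds * rps)]


def single_source_flood(seconds=10, rps=500):
    """Constructed: one client hammering the origin at `rps` requests per second."""
    return [(j / rps, "203.0.113.66", "flood") for j in range(seconds * rps)]


def distributed_flood(seconds=10, bots=300):
    """Constructed: `bots` distinct sources, each sending only one request per
    second, so no single one of them trips a per-client limit."""
    return [(k + i / bots, f"198.18.{i // 256}.{i % 256}", "bots")
            for k in range(seconds) for i in range(bots)]


def run_single_source():
    return simulate(RateLimiter(), legit_requests() + single_source_flood())


def run_distributed():
    return simulate(RateLimiter(), legit_requests() + distributed_flood())


if __name__ == "__main__":
    print("single source:", run_single_source())
    print("distributed:  ", run_distributed())
```

The two replays make the article's point concrete. Against a single source at 500 requests per second the per-client bucket admits only the initial burst plus its refill rate and the legitimate client is untouched. Against 300 sources each sending one request per second, no per-client limit ever fires; only the global cap keeps the origin within capacity, and it does so by also dropping some legitimate requests, which is why the remaining strategies in the list (more capacity, carrier help, cloud scrubbing, CDNs) matter once an attack is distributed.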

Conclusion

DDoS represents a major threat to online business, services and infrastructure. Attackers leveraging botnets can starve bandwidth and overload systems by focusing huge levels of bogus requests from distributed sources. As new tactics emerge and assault magnitude increases, organizations must employ layered defenses and traffic scrubbing techniques. By understanding the common DDoS attack methods, targets, tools and impact, enterprises can better prepare and implement robust countermeasures.