What is a DDoS attack?

A distributed denial-of-service (DDoS) attack, also referred to as a distributed network attack, is a type of cyber attack that aims to disrupt or disable normal traffic to a server, service, or network. In a DDoS attack, the attacker sends the target system, or the systems around it, an overwhelming flood of internet traffic. Because the target is not provisioned for the spike, it cannot process the flood fast enough, and normal traffic slows or stops.

DDoS attacks exploit the fact that every resource has a finite limit on the number of requests it can process at any given time. Exceeding such a threshold, for example a web application’s maximum number of simultaneous connections or a network’s available bandwidth, is the essence of a DDoS attack. The result is that users are unable to access systems, services, or websites.

The objectives of DDoS attacks vary, as do the perpetrators. They are carried out by disgruntled individuals, cybercrime syndicates, nation-states, hacktivists, and small-time cyber criminals. The motivations mirror those of other cyber attacks, such as seeking revenge, making a statement, or creating a distraction to allow them to steal sensitive information, hold data and systems for ransom, or compromise systems for future attacks.

How a DDoS attack works

DDoS attacks are carried out with networks of internet-connected systems, including computers, Internet of Things (IoT) devices, and other networked resources that the attackers have co-opted. The compromised systems are infected with malware that allows the attacker to control them.

The attack occurs when systems are activated and unleashed on the target with direction to send continuous requests to the target’s internet protocol (IP) address. The traffic is able to pass through security controls undetected because the devices are legitimate. Because of this, even when an attack is underway, it is very difficult to separate the malicious traffic from legitimate traffic.

The individual devices that have been infected and used to conduct a DDoS attack are referred to as zombies or bots. Collectively, they form a network called a botnet. This is the primary vector for DDoS attacks. The scale, velocity, and duration of the attack are dictated by the size of the botnet.

How to identify a DDoS attack

Despite the power of DDoS attacks, it can be tricky to identify them, because many of the effects are similar to those encountered during normal operations. The most commonly noticed symptom of a DDoS attack is that the server, service, or network is slow or unavailable.

The markers that identify a DDoS attack vary based on the type. These signs include:

  1. Abnormal traffic patterns (e.g., spikes at odd hours)
  2. Dropped internet connections
  3. Large amounts of traffic originating from a single IP address or IP range
  4. Surge in requests to a single page or endpoint that cannot be explained
  5. Traffic from users who share characteristics (e.g., device type, geolocation, or web browser type)
  6. Unusual email content (e.g., media and content) or excessive spam
  7. Websites become unavailable to view

If there is a suspicion of a DDoS attack, IT teams can:

  1. Check to see if users have received a 503 service unavailable error.
  2. Review access logs to look for signs of an attack.
  3. Test site speed, measuring against a benchmark site speed.
  4. Try to load other websites and determine whether they are loading at regular speed.
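The log review in step 2 can be partly automated. The script below is an added example, not code from the original article: it parses web-server access logs in the common "combined" format and checks three of the signs listed above, namely many requests from a single IP within one minute, an unexplained concentration of requests on one endpoint, and 503 responses reaching users. The log lines, addresses and thresholds are constructed for the example.

```python
"""Access-log triage for a suspected DDoS (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: normal browsing from a few clients plus one source
# hammering /login hard enough that the server starts answering 503.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 912 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /login HTTP/1.1" 200 912 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /login HTTP/1.1" 503 299 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /login HTTP/1.1" 503 299 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /login HTTP/1.1" 503 299 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /login HTTP/1.1" 200 912 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:13:55:44 +0000] "GET /login HTTP/1.1" 503 299 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:50 +0000] "GET /images/logo.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "minute": ts.replace(second=0),  # bucket requests per minute
    }


def analyze(log_text, per_ip_threshold=5, endpoint_share=0.5):
    """Flag noisy IPs, a single hot endpoint, and 503s seen by clients.

    per_ip_threshold: requests from one IP within one minute that count as noisy.
    endpoint_share: fraction of all requests to one path that counts as a surge.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    if not records:
        return {"noisy_ips": [], "hot_endpoint": None, "errors_503": 0, "total": 0}

    by_minute_ip = defaultdict(Counter)
    for r in records:
        by_minute_ip[r["minute"]][r["ip"]] += 1
    noisy_ips = sorted({ip for c in by_minute_ip.values()
                        for ip, n in c.items() if n >= per_ip_threshold})

    paths = Counter(r["path"] for r in records)
    top_path, top_n = paths.most_common(1)[0]
    hot_endpoint = top_path if top_n / len(records) >= endpoint_share else None

    errors_503 = sum(1 for r in records if r["status"] == 503)
    return {"noisy_ips": noisy_ips, "hot_endpoint": hot_endpoint,
            "errors_503": errors_503, "total": len(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On a real host, replace `SAMPLE_LOG` with the contents of the web server's access log and tune the thresholds to the site's normal traffic; a single noisy source is easy to spot this way, whereas a botnet spreads the same request volume across many addresses, which is why the endpoint-concentration and 503 checks matter as much as the per-IP count.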

Types of DDoS attacks

There are many types of DDoS attacks. Following are several examples that illustrate the different approaches.

Application layer DDoS attacks

Commonly called Layer 7 DDoS attacks, these target the software that provides a service, such as the software that generates web pages in response to hypertext transfer protocol (HTTP) requests, and other cloud-based applications. This type of DDoS attack is popular because an application-layer attack requires less bandwidth to succeed.

Protocol DDoS attacks

Protocol DDoS attacks exploit vulnerabilities in Layers 3 (network) and 4 (transport) of the Open Systems Interconnection (OSI) protocol stack. A SYN flood attack is an example of a protocol DDoS attack. It initiates a connection to a target, but does not complete the connection. The target has to spend resources to wait for the barrage of half-opened connections, leaving it unable to respond to legitimate traffic.
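The half-open connections described above are visible on a Linux server as sockets in the SYN-RECV state. The script below is an added example, not code from the article: it parses the table printed by the Linux `ss -tan` command and counts, per local port, half-open sockets against sockets that completed the handshake (ESTAB), flagging a port when half-open connections dominate. The `ss` output, host and peer addresses are constructed placeholders.

```python
"""Half-open (SYN-RECV) connection check for a suspected SYN flood (added example)."""
from collections import defaultdict

# Constructed `ss -tan` output: two real sessions on :443, six half-open
# connections from six different peers, and an ordinary SSH session on :22.
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN   0      4096   0.0.0.0:443         0.0.0.0:*
LISTEN   0      128    0.0.0.0:22          0.0.0.0:*
ESTAB    0      0      10.0.0.5:443        198.51.100.20:40001
ESTAB    0      0      10.0.0.5:443        198.51.100.21:40002
SYN-RECV 0      0      10.0.0.5:443        203.0.113.9:51234
SYN-RECV 0      0      10.0.0.5:443        203.0.113.77:51235
SYN-RECV 0      0      10.0.0.5:443        192.0.2.18:51236
SYN-RECV 0      0      10.0.0.5:443        192.0.2.200:51237
SYN-RECV 0      0      10.0.0.5:443        198.51.100.99:51238
SYN-RECV 0      0      10.0.0.5:443        203.0.113.150:51239
ESTAB    0      0      10.0.0.5:22         198.51.100.20:50010
SYN-RECV 0      0      10.0.0.5:22         203.0.113.9:50011
"""


def parse_ss(output):
    """Yield (state, local_port, peer_ip) for each socket row, skipping the header."""
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        port = local.rsplit(":", 1)[1]       # works for IPv4 and [IPv6]:port forms
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, port, peer_ip


def half_open_report(output, min_syn_recv=5, ratio=2.0):
    """Count SYN-RECV vs ESTAB sockets per local port.

    A port is flagged when it has at least `min_syn_recv` half-open sockets and
    more than `ratio` times as many half-open sockets as established ones.
    Returns (per_port_stats, flagged_ports).
    """
    per_port = defaultdict(lambda: {"syn_recv": 0, "estab": 0, "syn_peers": set()})
    for state, port, peer_ip in parse_ss(output):
        if state == "SYN-RECV":
            per_port[port]["syn_recv"] += 1
            per_port[port]["syn_peers"].add(peer_ip)
        elif state == "ESTAB":
            per_port[port]["estab"] += 1

    flagged = []
    for port, stats in per_port.items():
        s, e = stats["syn_recv"], stats["estab"]
        if s >= min_syn_recv and s > ratio * max(e, 1):
            flagged.append(port)

    summary = {
        port: {"syn_recv": v["syn_recv"], "estab": v["estab"],
               "distinct_peers": len(v["syn_peers"])}  # many peers per port hints at spoofed sources
        for port, v in per_port.items()
    }
    return summary, sorted(flagged)


if __name__ == "__main__":
    stats, flagged = half_open_report(SAMPLE_SS_OUTPUT)
    print(stats)
    print("ports under SYN pressure:", flagged)
```

On a live system the output of `ss -tan` can be fed to `half_open_report` directly. The distinct-peer count is worth watching: a flood from one address is easy to block, whereas many half-open connections each from a different, never-completing peer is the pattern of a spoofed SYN flood, for which the standard kernel-side mitigation is SYN cookies (`net.ipv4.tcp_syncookies` on Linux).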

Volume-based or volumetric DDoS attacks

Relatively uncommon (i.e., reportedly less than 1% of DDoS attacks are volume-based), volumetric DDoS attacks saturate the bandwidth between the target and the internet by sending a flood of network traffic. An example of a volumetric DDoS attack is domain name system (DNS) amplification, where an attacker spoofs the target’s address and sends a barrage of fake DNS name lookup requests to open DNS servers, whose much larger responses are then delivered to the target.

Mitigating a DDoS attack

While DDoS attacks are difficult to avoid completely, there are ways to mitigate the risk and results of one, including the following.

Anycast network diffusion

An Anycast network can be used to spread DDoS attack traffic across multiple servers that can better absorb the traffic.

Blackhole routing

With blackhole routing, all traffic destined for the targeted address is sent to a null route (the “black hole”) and dropped from the network. This tactic stops the malicious traffic, but it drops the legitimate traffic as well. It is an effective mitigation tool when a DDoS attack is targeting a particular server or service.

Rate limiting

Rate limiting restricts the number of requests that a server can accept during a certain period. This is often used as one component of a larger defense strategy, as it is not sufficient to stop a sophisticated DDoS attack.
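A token bucket is one common way to implement the request-rate limit described above. The code below is an added example, not the article's or any vendor's implementation: each client address gets a bucket that refills at `rate` tokens per second up to `burst`, and a request is served only if a token is available. The two request traces are constructed, and they show in numbers why the paragraph calls rate limiting insufficient on its own: the same 20 requests are mostly blocked when they come from one source and all pass when spread across 20 sources.

```python
"""Per-client token-bucket rate limiter (added example, constructed traffic)."""


class TokenBucket:
    """Bucket state for one client; counts in millitokens so refill is exact integer math."""

    def __init__(self, rate, burst):
        self.rate = rate                  # tokens added per second
        self.capacity = burst * 1000      # bucket size in millitokens
        self.tokens = self.capacity       # a new client starts with a full bucket
        self.last_ms = None

    def allow(self, now_ms):
        """Spend one token if available; refill first based on elapsed time."""
        if self.last_ms is not None:
            # elapsed_ms * rate tokens/s == elapsed_ms * rate millitokens
            self.tokens = min(self.capacity,
                              self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class RateLimiter:
    """Keeps one bucket per client key (here the client IP)."""

    def __init__(self, rate=2, burst=5):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def check(self, client_ip, now_ms):
        if client_ip not in self.buckets:
            self.buckets[client_ip] = TokenBucket(self.rate, self.burst)
        return self.buckets[client_ip].allow(now_ms)


def simulate(requests, rate=2, burst=5):
    """Run a list of (timestamp_ms, client_ip) through a fresh limiter.

    Returns (allowed_count, blocked_count).
    """
    limiter = RateLimiter(rate, burst)
    allowed = blocked = 0
    for ts, ip in sorted(requests):
        if limiter.check(ip, ts):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


# Constructed trace 1: one client sends 20 requests, 100 ms apart.
SINGLE_SOURCE = [(t * 100, "203.0.113.9") for t in range(20)]
# Constructed trace 2: the same 20 requests, 100 ms apart, from 20 different clients.
DISTRIBUTED = [(t * 100, f"198.51.100.{t + 1}") for t in range(20)]


if __name__ == "__main__":
    print("single source (allowed, blocked):", simulate(SINGLE_SOURCE))
    print("distributed   (allowed, blocked):", simulate(DISTRIBUTED))
```

With a burst of 5 and a refill of 2 tokens per second, the single source gets its first 5 requests through and then only one every 500 ms, so 8 of 20 are served; the distributed trace is served in full because every source stays under its own limit. That is the gap the other layers (a WAF keyed on request characteristics, anycast diffusion, upstream scrubbing) are meant to cover, and it is also why production limiters often key on more than the source address, for example the endpoint or the session.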

Risk assessments

Conducting regular risk assessments, including security audits of devices, servers, and networks, helps identify vulnerabilities and opportunities to harden defenses, minimizing the damage and disruption that a DDoS attack can cause.

Web application firewall

A web application firewall (WAF) is used to mitigate a Layer 7 DDoS attack by acting as a reverse proxy that shields the targeted server from malicious traffic. The WAF filters requests, blocking DDoS tools based on pre-defined rules. With a WAF, custom rules can be quickly set to address a specific type of DDoS attack.

A brief history of DDoS attacks

1974—First DoS attack

The attack considered to be the first DoS attack occurred in 1974. David Dennis, a high school student, sent an external (EXT) command to 31 Computer-Based Education Research Laboratory (CERL) computers at the University of Illinois Urbana-Champaign at once. It locked up all of the systems, forcing every user to shut down and restart.

1996—PANIX attack

The first known DDoS attack is reported to have targeted the New York-based internet service provider (ISP), Panix, which was hit with a SYN flood DDoS attack. Using a spoofed IP address, the attacker flooded the organization’s servers with half-opened connections, which made it impossible to process normal traffic. It took Panix several days to recover from the DDoS attack.

2000—MafiaBoy attack

The MafiaBoy DDoS attack was launched by Michael Calce (a.k.a. MafiaBoy) during a NANOG (North American Network Operators’ Group) conference—ironically, during the keynote presentation about DoS attacks. Large organizations, including Dell, CNN, Yahoo, eBay, and Amazon, were targeted by the TF2 DDoS attack tool.

2002—DDoS against Yahoo

This DDoS attack against Yahoo in 2002 is notable because it shed light on a new approach to evading defenses. Referred to as capacity and sizing models for DDoS resiliency, this approach used different attack combinations to overwhelm the transaction capacity of systems.

2012—Six banks DDoS attack

This approach of using multiple attacks was escalated in DDoS attacks that targeted six U.S. banks. The attacks were carried out by a botnet called Brobot, made up of hundreds of compromised servers with the capacity to generate massive volumes of attack traffic, in excess of 60 gigabits per second.

This was a significant increase over the average volume at the time of 20 gigabits of traffic per second. In addition to the scale of traffic, this DDoS attack was notable due to its persistence, which overwhelmed the defenses of the banks. The attacks were backed by the Iranian government, which engaged two Iran-based computer companies, ITSecTeam (ITSEC) and Mersad Company (MERSAD), to implement them.

2013—Spamhaus DDoS attack

This DDoS attack was launched against Spamhaus, a non-profit anti-spam organization. It was noteworthy because, despite Spamhaus having robust defenses, the attack completely overwhelmed its systems, taking down its website and email services. The attack volume was estimated at 300 gigabits per second.

This incident is an example of a vengeance-motivated DDoS attack. It was traced to an individual at a Dutch company, Cyberbunker. The catalyst occurred when Spamhaus blacklisted the company for spamming.

2014—CloudFlare DDoS attack

The volume of traffic created for DDoS attacks continued to escalate. CloudFlare, a cybersecurity provider and content delivery network, was hit by a DDoS attack that generated more than 400 gigabits per second of traffic.

This attack exploited a vulnerability in the Network Time Protocol (NTP), which keeps the clocks of servers, switches, routers, and computers on a network synchronized. Spoofed source addresses were used so that NTP servers sent bogus responses to the target’s servers. This type of attack has a very high amplification factor, up to 206 times.

2014—Occupy Central, Hong Kong DDoS attack

This retaliatory, multi-day DDoS attack targeted the Hong Kong-based Occupy Central group in response to its work to gain a more democratic voting system. The attack used five botnets to generate 500 gigabits per second of traffic. The source of the attack was never officially identified, but it is widely believed to have been the work of the Chinese government.

2015—BBC attack

An attack on the BBC’s on-demand TV, iPlayer, and radio services by the hacktivist group New World Hacking took a new cloud-based approach. It used two Amazon Web Services (AWS) instances to launch the attack using BangStresser, a DDoS-as-a-service tool it had created.

2016—Mirai DDoS attacks on Krebs and OVH

A blog by a cybersecurity expert named Brian Krebs was attacked by the Mirai botnet. This attack is interesting because of its size and the composition of the bot network. Krebs, a regular target for DDoS attacks, said that of the more than 250 attacks he had recorded, this attack was more than three times larger, with traffic exceeding 600 gigabits per second.

The Mirai botnet was made up of IoT devices, including home routers, IP cameras, and video players. Shortly after the attack on Krebs, the botnet, which had grown to almost 150,000 bots, hit the European hosting company OVH with an attack that generated 1.1 terabits per second of traffic.

2018—GitHub attack

The GitHub DDoS attack utilized a new approach, exploiting a standard command of Memcached, a tool used to speed up dynamic websites and networks. This capability was leveraged to amplify the attack. At its peak, the amplification ratio, the amount of malicious traffic generated relative to the size of the attacker’s request, was 51,200 times.

2020—Google attack

This assault on Google demonstrated a whole new level of DDoS attack. Launched from three Chinese internet service providers (ISPs), the attack targeted thousands of Google’s IP addresses for more than six months, with traffic volume reaching 2.5 terabits per second. This was more than four times the volume of the Mirai botnet in 2016.

2021—European gambling company

An attack on one European gambling company slammed the target with more than 800 gigabits per second of traffic. The target received a message demanding a payment to stop. The attackers threatened to increase the scale of the attack if the payment was not made.

FAQ about DDoS attacks

What is a DDoS attack?

A DDoS attack is a cybercrime that renders servers, services, or networks inaccessible or interminably slow by flooding them with fake traffic and preventing users from accessing them.

What are some examples of a DDoS attack?

Three DDoS attack types that take different approaches are:

  1. Application-layer or layer-7 attacks
  2. Protocol attacks
  3. Volume-based or volumetric attacks

Is it illegal to execute a DDoS attack?

Yes, launching a DDoS attack is illegal. In the United States, a DDoS attack can be classified as a federal criminal offense under the Computer Fraud and Abuse Act (CFAA). Under this law, guilty parties can be sentenced to up to 10 years in prison.

What threats does a DDoS attack pose?

Potential threats posed by a DDoS attack include:

  1. Financial losses due to lost productivity, downtime, missed sales, violations of customers’ service level agreements (SLAs), and the cost of mitigation and recovery
  2. Service disruption that prevents the operation of core functions and service delivery
  3. Reputational damage caused when users cannot reach applications, sites, or services

How can a DDoS attack be prevented?

Ways to prevent or mitigate the impact of a DDoS attack include:

  1. Blacklist suspicious IP addresses
  2. Implement several cybersecurity defense layers
  3. Increase system bandwidth
  4. Use firewalls and web application firewalls (WAF) with packet filters

How do perpetrators of DDoS attacks avoid detection?

Cybercriminals use several tactics to evade detection when executing a DDoS attack, including:

  1. Reflection tactics that manipulate the default behavior of legitimate services, such as domain name system (DNS), network time protocol (NTP), and simple network management protocol (SNMP) servers, to hide the attacker
  2. Spoofing source and destination addresses

Preparing for a possible DDoS attack

Any organization with a connected device or system is susceptible to a DDoS attack. The impact can range from mildly annoying to devastating. While no defense is guaranteed to stop a DDoS attack, having prevention and mitigation strategies and tools in place can help reduce the risk of major losses.
