Josh Fruhlinger
Contributing writer

DDoS attacks: Definition, examples, and techniques

Jan 31, 2022 | 9 mins

Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for twenty years, and they’re only growing more prevalent and stronger.


What is a DDoS attack?

A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it’s one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.

Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU and RAM capacity become overwhelmed.

The impact can range from the minor annoyance of disrupted services to entire websites, applications, or even entire businesses being taken offline.

How do DDoS attacks work?

DDoS botnets are the core of any DDoS attack. A botnet consists of hundreds or thousands of machines, called zombies or bots, that a malicious hacker has gained control over. The attackers harvest these systems by identifying vulnerable machines that they can infect with malware through phishing attacks, malvertising attacks, and other mass infection techniques. The infected machines can range from ordinary home or office PCs to IoT devices—the Mirai botnet famously marshalled an army of hacked CCTV cameras—and their owners almost certainly don’t know they’ve been compromised, as they continue to function normally in most respects.

The infected machines await a remote command from a so-called command-and-control server, which serves as a command center for the attack and is often itself a hacked machine. Once unleashed, the bots all attempt to access some resource or service that the victim makes available online. Individually, the requests and network traffic directed by each bot towards the victim would be harmless and normal. But because there are so many of them, the requests often overwhelm the target system’s capacities—and because the bots are generally ordinary computers widely distributed across the internet, it can be difficult or impossible to block out their traffic without cutting off legitimate users at the same time.

There are three primary classes of DDoS attacks, distinguished mainly by the type of traffic they lob at victims’ systems:

  1. Volume-based attacks use massive amounts of bogus traffic to overwhelm a resource such as a website or server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second (bps).
  2. Protocol or network-layer DDoS attacks send large numbers of packets to targeted network infrastructures and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).
  3. Application-layer attacks are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second (RPS).

Important techniques used in all types of DDoS attacks include:

  • Spoofing: We say that an attacker spoofs an IP packet when they change or obfuscate information in its header that should tell you where it’s coming from. Because the victim can’t see the packet’s real source, it can’t block attacks coming from that source.
  • Reflection: The attacker may craft a packet whose source IP address is spoofed so it looks like it originated with the intended victim, then send that packet to a third-party system, which “replies” back to the victim. This makes it even harder for the target to understand where an attack is truly coming from.
  • Amplification: Certain online services can be tricked into replying to packets with very large packets, or with multiple packets.

All three of these techniques can be combined into what’s known as a reflection/amplification DDoS attack, which has become increasingly common.
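At the victim's network edge, reflected traffic shows up as UDP "replies" to requests the victim never sent. The following Python sketch is an added example, not code from the article, that flags such packets in flow records; the record layout, the addresses, the `192.0.2.0/24` protected network and the function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def unsolicited_udp(packets, local_net):
    """Sum inbound UDP bytes, per remote (ip, port), that answer no request we sent.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, size) in arrival order.
    """
    local = ip_network(local_net)
    expected = set()   # flows opened from inside: (local ip, local port, remote ip, remote port)
    unsolicited = defaultdict(int)
    for src, sport, dst, dport, size in packets:
        if ip_address(src) in local:
            expected.add((src, sport, dst, dport))   # outbound request: a reply is legitimate
        elif (dst, dport, src, sport) not in expected:
            unsolicited[(src, sport)] += size        # "reply" that nobody asked for
    return dict(unsolicited)

def sample_packets():
    """Constructed flow records; 192.0.2.0/24 is the hypothetical protected network."""
    victim = "192.0.2.10"
    return [
        (victim, 40000, "198.51.100.53", 53, 60),       # our own DNS query
        ("198.51.100.53", 53, victim, 40000, 120),      # its matching answer
        ("203.0.113.5", 53, victim, 40001, 3000),       # large DNS answers we never requested
        ("203.0.113.5", 53, victim, 40001, 3000),
        ("203.0.113.9", 123, victim, 51000, 468),       # NTP responses we never requested
        ("203.0.113.9", 123, victim, 51000, 468),
    ]

if __name__ == "__main__":
    for (ip, port), total in unsolicited_udp(sample_packets(), "192.0.2.0/24").items():
        print(f"{ip}:{port} sent {total} unsolicited bytes")
```

A production version would expire `expected` entries after a short timeout, as a stateful firewall does, so that an old request cannot whitelist later traffic.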

How to identify DDoS attacks

DDoS attacks can be difficult to diagnose. After all, the attacks superficially resemble a flood of traffic from legitimate requests from legitimate users. But there are ways you can distinguish the artificial traffic of a DDoS attack from the more “natural” traffic you’d expect to get from real users. Here are four DDoS attack symptoms to watch for:

  • Despite spoofing or distribution techniques, many DDoS attacks will originate from a restricted range of IP addresses or from a single country or region—perhaps a region that you don’t ordinarily see much traffic from.
  • Similarly, you might notice that all the traffic is coming from the same kind of client, with the same OS and web browser showing up in its HTTP requests, instead of showing the diversity you’d expect from real visitors.
  • The traffic might hammer away at a single server, network port, or web page, rather than be evenly distributed across your site.
  • The traffic could come in regularly timed waves or patterns.
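The four symptoms above can be measured directly from a web server's access log. The following Python sketch is an added example, not code from the article; it assumes combined log format and IPv4 clients, and the sample log lines, the `ExampleBot/1.0` agent string and the function names are constructed for illustration.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_network

# Combined log format fields captured: client ip, timestamp, request path, user agent.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
TS = "%d/%b/%Y:%H:%M:%S %z"

def top_share(values):
    """Share of all requests held by the most common value (1.0 = no diversity)."""
    return max(Counter(values).values()) / len(values)

def wave_cv(times):
    """Variation of the gaps between active seconds; 0.0 means clockwork waves."""
    active = sorted({int(t.timestamp()) for t in times})
    gaps = [b - a for a, b in zip(active, active[1:])]
    return statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) >= 2 else None

def ddos_indicators(lines):
    rows = [m.groups() for m in map(LINE.match, lines) if m]
    if not rows:
        return {}  # nothing parseable, nothing to report
    ips, stamps, paths, agents = zip(*rows)
    nets = [str(ip_network(ip + "/24", strict=False)) for ip in ips]  # IPv4 assumed
    return {
        "top_net_share": top_share(nets),       # narrow range of source addresses
        "top_agent_share": top_share(agents),   # same kind of client everywhere
        "top_path_share": top_share(paths),     # one page being hammered
        "wave_cv": wave_cv([datetime.strptime(s, TS) for s in stamps]),  # timed waves
    }

def sample_log():
    """Constructed data: 4 bursts of 20 identical requests 10 s apart, plus 3 ordinary hits."""
    t0 = datetime.strptime("31/Jan/2022:12:00:00 +0000", TS)
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 512 "-" "{}"'
    out = []
    for wave in range(4):
        ts = (t0 + timedelta(seconds=10 * wave)).strftime(TS)
        out += [fmt.format(f"203.0.113.{i + 1}", ts, "/login", "ExampleBot/1.0") for i in range(20)]
    for ip, path, ua in [("198.51.100.7", "/", "Mozilla/5.0 (X11)"), ("192.0.2.44", "/about", "curl/8.0"),
                         ("198.51.100.90", "/pricing", "Mozilla/5.0 (Macintosh)")]:
        out.append(fmt.format(ip, t0.strftime(TS), path, ua))
    return out

if __name__ == "__main__":
    print(ddos_indicators(sample_log()))
```

Shares close to 1.0 together with a `wave_cv` near zero match the symptoms listed; what counts as unusual depends on the baseline of your own normal traffic.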

How to stop a DDoS attack

Mitigating a DDoS attack is difficult because, as previously noted, the attack takes the form of web traffic of the same kind that your legitimate customers use. It would be easy to “stop” a DDoS attack on your website simply by blocking all HTTP requests, and indeed doing so may be necessary to keep your server from crashing. But doing that also blocks anyone else from visiting your website, which means your attackers have achieved their goals.

If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online: for instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you aren’t using. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.

In general, though, the best way to mitigate against DDoS attacks is to simply have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service designed to accommodate huge amounts of traffic. Your network service provider might have their own mitigation services you can make use of.

Reasons for DDoS attacks

A DDoS is a blunt instrument of an attack. Unlike a successful infiltration, it doesn’t net you any private data or get you control over your target’s infrastructure. It just knocks their cyber infrastructure offline. Still, in a world where having a web presence is a must for just about any business, a DDoS attack can be a destructive weapon aimed at an enemy. People might launch DDoS attacks to knock business or political rivals offline—the Mirai botnet was designed as a weapon in a war among Minecraft server providers, and there’s evidence that the Russian security services were at one point preparing a similar attack. And while a DDoS attack isn’t the same thing as a ransomware attack, DDoS attackers sometimes will contact their victims and promise to turn off the firehose of packets in exchange for some Bitcoin.  

DDoS tools: Booters and stressers

And, sometimes, DDoS attackers are just in it for the money—not money from you, but from someone who wants to take your website out. Tools called booters and stressers are available on more unseemly parts of the internet that essentially provide DDoS-as-a-Service to interested customers, offering access to ready-made botnets at the click of a button, for a price.

Is DDoS illegal?

You might see an argument that goes something like this: it’s not illegal to send web traffic or requests over the internet to a server, and so therefore DDoS attacks, which are just aggregating an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however. Setting aside for the moment that the act of hacking into a computer to make it part of a botnet is illegal, most anti-cybercrime laws, in the U.S., the U.K., and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. Simulating a DDoS attack with the consent of the target organization for the purposes of stress-testing their network is legal, however.

DDoS attacks today

As mentioned briefly above, it’s becoming more common for these attacks to be conducted by rented botnets. Expect this trend to continue.

Another trend is the use of multiple attack vectors within an attack, also known as Advanced Persistent Denial-of-Service (APDoS). For instance, an APDoS attack may involve the application layer, such as attacks against databases and applications as well as directly on the server. “This goes beyond simply ‘flooding’ attacks,” says Chuck Mackey, managing director of partner success at Binary Defense.

Additionally, Mackey explains, attackers often don’t just directly target their victims but also the organizations on which they depend, such as ISPs and cloud providers. “These are broad-reaching, high-impact attacks that are well-coordinated,” he says.

This is also changing the impact of DDoS attacks on organizations and expanding their risk. “Businesses are no longer merely concerned with DDoS attacks on themselves, but attacks on the vast number of business partners, vendors, and suppliers on whom those businesses rely,” says Mike Overly, cybersecurity lawyer at Foley & Lardner LLP. “One of the oldest adages in security is that a business is only as secure as its weakest link. In today’s environment (as evidenced by recent breaches), that weakest link can be, and frequently is, one of the third parties,” he says.