Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for over twenty years, and they’re only growing more prevalent and stronger.
What is a DDoS attack?
A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU and RAM capacity becomes overwhelmed.
The impact could range from a minor annoyance from disrupted services to experiencing entire websites, applications, or even entire business taken offline.
This type of attack has been around for a long time and continues to grow and evolve. Netscout reports that it observed 13,142,840 DDoS attacks in 2023 alone.
What is DoS
Denial of service (DoS) is what it sounds like: Thwarting access to virtually anything from servers, devices, and services to networks, applications, and even specific transactions within applications.
What is the difference between DoS and DDoS?
The difference between DoS and DDoS is a matter of scale. In both cases, the aim is to knock the target system offline with more requests for data than the system can handle, but in a DoS attack it’s one system that is sending the malicious data or requests, whereas a DDoS attack comes from multiple systems.
Distributed attacks can cause much more damage than an attack originating from a single machine, as the defending company needs to block large numbers of IP addresses.
Common motives behind DDoS attacks?
A DDoS is a blunt instrument of an attack. Unlike a successful infiltration, it doesn’t net you any private data or get you control over your target’s infrastructure. It just knocks their cyber infrastructure offline. Still, in a world where having a web presence is a must for just about any business, a DDoS attack can be a destructive weapon aimed at an enemy.
There are three main motives behind DDoS attacks:
Taking rivals offline — The Mirai botnet, which was used in the DDoS attack against DNS provider Dyn, was designed as a weapon in a war among Minecraft server providers. And, today, the gaming industry remains a primary target of DDoS attacks. As Netscout put it in its most recent DDoS Threat Intelligence Report, “The allure of attacking the gaming industry lies in its substantial financial value and the goal of disrupting competitors.”
Geopolitics — The Netscout report also noted that politically motivated groups are “increasingly are using DDoS as a tool to target those ideologically opposed to them.” In Peru, for example, DDoS attacks spiked after nationwide protests in December. And, these groups are “executing attacks that seamlessly transcend national borders.” The pro-Russia hacktivist group NoName057(16), for example, targeted not just Ukraine, but countries that support Ukraine.
Financial gain — While a DDoS attack isn’t the same thing as a ransomware attack, DDoS attackers sometimes will contact their victims and promise to turn off the firehose of packets in exchange for some Bitcoin.
And, sometimes, DDoS attackers are just in it for the money—not money from you, but from someone who wants to take your website out. Tools called booters and stressers are available on the dark web that essentially provide DDoS-as-a-Service to interested customers, offering access to ready-made botnets at the click of a button, for a price.
How do DDoS attacks work?
DDoS botnets are the core of any DDoS attack. A botnet consists of hundreds or thousands of machines, called zombies or bots, that a malicious hacker has gained control over. The attackers will harvest these systems by identifying vulnerable systems that they can infect with malware through phishing attacks, malvertising attacks, and other mass infection techniques. The infected machines can range from ordinary home or office PCs to DDoS devices—the Mirai botnet famously marshalled an army of hacked CCTV cameras—and their owners almost certainly don’t know they’ve been compromised, as they continue to function normally in most respects.
The infected machines await a remote command from a so-called command-and-control server, which serves as a command center for the attack and is often itself a hacked machine. Once unleashed, the bots all attempt to access some resource or service that the victim makes available online. Individually, the requests and network traffic directed by each bot towards the victim would be harmless and normal. But because there are so many of them, the requests often overwhelm the target system’s capacities—and because the bots are generally ordinary computers widely distributed across the internet, it can be difficult or impossible to block out their traffic without cutting off legitimate users at the same time.
Types of DDoS attacks
There are three primary classes of DDoS attacks, distinguished mainly by the type of traffic they lob at victims’ systems:
- Volume-based attacks use massive amounts of bogus traffic to overwhelm a resource such as a website or server. They include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is measured in bits per second (bps).
- Protocol or network-layer DDoS attacks send large numbers of packets to targeted network infrastructures and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (PPS).
- Application-layer attacks are conducted by flooding applications with maliciously crafted requests. The size of application-layer attacks is measured in requests per second (RPS).
Techniques used in DDoS attacks
Techniques common to all types of DDoS attacks include:
- Spoofing: We say that an attacker spoofs an IP packet when they change or obfuscate information in its header that should tell you where it’s coming from. Because the victim can’t see the packet’s real source, it can’t block attacks coming from that source.
- Reflection: The attacker may craft an IP address that’s spoofed so it looks like it actually originated with the intended victim, then send that packet to a third-party system, which “replies” back to the victim. This makes it even harder for the target to understand where an attack is truly coming from.
- Amplification: Certain online services can be tricked into replying to packets with very large packets, or with multiple packets.
All three of these techniques can be combined into what’s known as a reflection or amplification DDoS attack, which has become increasingly common.
How to identify DDoS attacks
DDoS attacks can be difficult to diagnose. Afterall, the attacks superficially resemble a flood of traffic from legitimate requests from legitimate users. But there are ways you can distinguish the artificial traffic from a DDoS attack from the more “natural” traffic you’d expect to get from real users.
DDoS attack symptoms to watch for:
- Despite spoofing or distribution techniques, many DDoS attacks will originate from a restricted range of IP addresses or from a single country or region—perhaps a region that you don’t ordinarily see much traffic from.
- Similarly, you might notice that all the traffic is coming from the same kind of client, with the same OS and web browser showing up in its HTTP requests, instead of showing the diversity you’d expect from real visitors.
- The traffic might hammer away at a single server, network port, or web page, rather than be evenly distributed across your site.
- The traffic could come in regularly timed waves or patterns.
How to stop a DDoS attack
Mitigating a DDoS attack is difficult because, as previously noted, the attack takes the form of web traffic of the same kind that your legitimate customers use. It would be easy to “stop” a DDoS attack on your website simply by blocking all HTTP requests, and indeed doing so may be necessary to keep your server from crashing. But doing that also blocks anyone else from visiting your website, which means your attackers have achieved their goals.
If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online: for instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you aren’t using. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.
In general, though, the best way to mitigate against DDoS attacks is to simply have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service designed to accommodate huge amounts of traffic. Your network service provider might have their own mitigation services you can make use of.
Is DDoS illegal?
Yes, DDoS is illegal. Most anti-cybercrime laws, in the U.S., the U.K., and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. And the act of hacking into a computer to make it part of a botnet is itself illegal.
You might see a counterargument that goes something like this: it’s not illegal to send web traffic or requests over the internet to a server, and so therefore DDoS attacks, which are just aggregating an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however.
Simulating a DDoS attack with the consent of the target organization for the purposes of stress-testing their network is legal, however.
DDoS attack examples
March, 2024 — a group of Russia-aligned hacktivists disrupted several French government services with a series of DDoS attacks.
June 2022 — Google disrupts the largest DDoS attack to date, which over the course of a couple of minutes reached 46 million requests per second.
October 2016 — A DDoS attack on DNS provider Dyn knocked out internet access to most of the US East Coast and almost took down the internet. This remains one of the most infamous DDoS attacks of all time.
March 2014 — Project management software provider Basecamp was taken offline by a DDoS attack after refusing to pay a ransom.
February 2004 — A DDoS attack famously took the SCO Group’s website offline. At the time, the company was much in the news for lawsuits relating to its claiming to own the rights to Linux, leading to speculation that open source advocates were responsible for the attack.
