What is a distributed denial-of-service (DDoS) attack?

Distributed denial-of-service attacks are a type of denial-of-service attack (DoS attack), a category that includes all cyberattacks that slow or stop applications or services. DDoS attacks are unique in that they send attack traffic from multiple sources all at once—potentially making then harder to recognize and defend against—which puts the “distributed” into “distributed denial-of-service.”

According to the IBM® X-Force® Threat Intelligence Index, DDoS attacks account for 2% of the attacks that X-Force responds to. However, the disruptions that they cause can be costly. System downtime can lead to service disruptions, lost revenue and reputational damage. The IBM Cost of a Data Breach Report notes that the cost of lost business due to a cyberattack averages USD 1.47 million.  

Unlike other cyberattacks, DDoS attacks don’t exploit vulnerabilities in network resources to breach computer systems. Instead, they use standard network connection protocols such as Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) to flood endpoints, apps and other assets with more traffic than they can handle.

Web servers, routers and other network infrastructure can process only a finite number of requests and sustain a limited number of connections at any one time. By using up a resource’s available bandwidth, DDoS attacks prevent these resources from responding to legitimate connection requests and packets.

In broad terms, a DDoS attack has two main stages: creating a botnet and carrying out the attack. 

A DDoS attack usually requires a botnet—a network of internet-connected devices that have been infected with malware that enables hackers to control the devices remotely.

Botnets can include laptop and desktop computers, mobile phones, Internet of Things (IoT) devices and other consumer or commercial endpoints. The owners of these compromised devices are typically unaware that they have been infected or are being used for a DDoS attack.

Some cybercriminals build their own botnets, actively spreading malware and taking over devices. Others purchase or rent preestablished botnets from other cybercriminals on the dark web under a model referred to as “denial-of-service as a service.”

Not all DDoS attacks use botnets. Some exploit the normal operations of uninfected devices for malicious ends. (For more information, see “Smurf attacks.”) 

Hackers command the devices in the botnet to send connection requests or other packets to the IP address of the target server, device or service.

Most DDoS attacks rely on brute force, sending a large number of requests to eat up all of the target’s bandwidth. Some DDoS attacks send a smaller number of more complicated requests that require the target to expend resources in responding. In either case, the result is the same: The attack traffic overwhelms the target system, causing a denial of service and preventing legitimate traffic from accessing it.

Hackers often obscure the source of their attacks through IP spoofing, a technique by which cybercriminals forge fake source IP addresses for packets sent from the botnet. In one form of IP spoofing, called “reflection,” hackers make it look as if the malicious traffic was sent from the victim’s own IP address.

DDoS attacks are not always the primary attack. Sometimes hackers use them to distract the victim from another cybercrime. For example, attackers might exfiltrate data or deploy ransomware to a network while the cybersecurity team is occupied with fending off the DDoS attack.

Hackers use DDoS attacks for all kinds of reasons: extortion, shutting down organizations and institutions they disagree with, stifling competing businesses and even cyberwarfare.

Some of the most common DDoS attack targets include:

• Online retailers
• Internet service providers (ISPs)
• Cloud service providers
• Financial institutions
• Software as a service (SaaS) providers
• Gaming companies
• Government agencies

DDoS attacks are classified based on the tactics that they use and the network architecture they target. Common types of DDoS attacks include:

• Application layer attacks
• Protocol attacks
• Volumetric attacks
• Multivector attacks

As the name suggests, application layer attacks target the application layer of a network. In the Open Systems Interconnection model (OSI model) framework, this layer is where users interact with web pages and apps. Application layer attacks disrupt web applications by flooding them with malicious requests.

One of the most common application layer attacks is the HTTP flood attack, in which an attacker continuously sends a large number of HTTP requests from multiple devices to the same website. The website cannot keep up with all the requests, and it slows down or crashes. HTTP flood attacks are akin to hundreds or thousands of web browsers repeatedly refreshing the same webpage.

Protocol attacks target the network layer (layer 3) and the transport layer (layer 4) of the OSI model. They aim to overwhelm critical network resources such as firewalls, load balancers and web servers with malicious connection requests.

Two of the most common types of protocol attacks include SYN flood attacks and smurf attacks. 

A SYN flood attack takes advantage of the TCP handshake, a process by which two devices establish a connection with one another. A typical TCP handshake has three steps:

1. One device sends a synchronization (SYN) packet to initiate the connection.
2. The other device responds with a synchronization/acknowledgment (SYN/ACK) packet to acknowledge the request.
3. The original device sends back an ACK packet to finalize the connection.

In a SYN flood attack, the attacker sends the target server a large number of SYN packets with spoofed source IP addresses. The server responds to the spoofed IP addresses and waits for the final ACK packets. Because the source IP addresses were spoofed, these packets never arrive. The server is tied up in a large number of unfinished connections, leaving it unavailable for legitimate TCP handshakes.

A smurf attack takes advantage of the Internet Control Message Protocol (ICMP), a communication protocol used to assess the status of a connection between two devices.

In a typical ICMP exchange, one device sends an ICMP echo request to another, and the latter device responds with an ICMP echo reply.

In a smurf attack, the attacker sends an ICMP echo request from a spoofed IP address that matches the victim’s IP address. This ICMP echo request is sent to an IP broadcast network that forwards the request to every device on a network.

Every device that receives the ICMP echo request—potentially hundreds or thousands of devices—responds by sending an ICMP echo reply to the victim’s IP address. The sheer volume of responses is more than the victim's device can handle. Unlike many other types of DDoS attacks, smurf attacks do not necessarily require a botnet.

Volumetric DDoS attacks consume all available bandwidth within a target network or between a target service and the rest of the internet, preventing legitimate users from connecting to network resources.

Volumetric attacks often flood networks and resources with high amounts of traffic, even compared to other types of DDoS attacks. Volumetric attacks have been known to overwhelm DDoS protection measures such as scrubbing centers, which are designed to filter out malicious traffic from legitimate traffic.

Common types of volumetric attacks include UDP floods, ICMP floods and DNS amplification attacks.

UDP floods send fake User Datagram Protocol (UDP) packets to a target host’s ports, prompting the host to look for an application to receive these packets. Because the UDP packets are fake, there is no application to receive them, and the host must send an ICMP “destination unreachable” message back to the sender.

The host’s resources are tied up in responding to the constant stream of fake UDP packets, leaving the host unavailable to respond to legitimate packets.

ICMP floods, also called “ping flood attacks,” bombard targets with ICMP echo requests from multiple spoofed IP addresses. The targeted server must respond to all of these requests and becomes overloaded and unable to process valid ICMP echo requests.

ICMP floods are distinguished from smurf attacks in that attackers send large numbers of ICMP requests from their botnets. In a smurf attack, hackers trick network devices into sending ICMP responses to the victim’s IP address.

In a DNS amplification attack, the attacker sends several Domain Name System (DNS) requests to one or many public DNS servers. These lookup requests use a spoofed IP address belonging to the victim and ask the DNS servers to return a large amount of information per request. The DNS server replies to the requests by flooding the victim’s IP address with large amounts of data.

As the name implies, multivector attacks exploit multiple attack vectors, rather than a single source, to maximize damage and frustrate DDoS mitigation efforts.

Attackers might use multiple vectors simultaneously or switch between vectors midattack, when one vector is thwarted. For example, hackers might begin with a smurf attack, but when the traffic from network devices is shut down, they might launch a UDP flood from their botnet.

DDoS threats might also be used in tandem with other cyberthreats. For example, ransomware attackers might pressure their victims by threatening to mount a DDoS attack if the ransom is not paid.

DDoS attacks remain a common cybercriminal tactic for many reasons.

A cybercriminal no longer even needs to know how to code to launch a DDoS attack. Cybercrime marketplaces thrive on the dark web, where threat actors can buy and sell botnets, malware and other tools for conducting DDoS attacks.

By hiring ready-made botnets from other hackers, cybercriminals can easily launch DDoS attacks on their own with little preparation or planning.

Because botnets are comprised largely of consumer and commercial devices, it can be difficult for organizations to separate malicious traffic from real users.

Moreover, the symptoms of DDoS attacks—slow service and temporarily unavailable sites and apps—can be caused by sudden spikes in legitimate traffic, making it hard to detect DDoS attacks early.

When a DDoS attack has been identified, the distributed nature of the cyberattack means that organizations cannot simply block it by shutting down a single traffic source. Standard network security controls intended to thwart DDoS attacks, such as rate limiting, can also slow down operations for legitimate users.

The rise of the Internet of Things has given hackers a rich source of devices to turn into bots.

Internet-enabled appliances—including operational technology (OT) such as healthcare devices and manufacturing systems—are sold and operated with universal defaults and weak or nonexistent security controls, making them vulnerable to malware infection.

It can be difficult for the owners of these devices to notice they have been compromised, as IoT devices are often used passively or infrequently.

DDoS attacks are becoming more sophisticated as hackers adopt artificial intelligence (AI) and machine learning (ML) tools to help direct their attacks. Adaptive DDoS attacks use AI and ML to find the most vulnerable aspects of systems and automatically shift attack vectors and strategies in response to a cybersecurity team’s DDoS mitigation efforts.

The sooner a DDoS attack can be identified, the sooner defense and remediation can begin. Signs that an attack is under way include:

• A site or service unexpectedly begins to slow down or is completely unavailable.
  
  
• An unusually large volume of traffic arrives from a single IP address or range of IP addresses.
  
  
• The traffic from many similar profiles—such as from a specific type of device or geolocation—suddenly increases.
  
  
•  A sudden surge in requests for a single action, endpoint or page.
  
  
• Spikes in traffic at an unusual time of day, day of the week or on a regular pattern such as every five minutes.
  
  
• Unexplained errors or timeouts.
  
  
•  Services sharing the same network simultaneously begin to slow.

Many of these behaviors might be caused by other factors. However, checking for DDoS attacks first can save time and mitigate damage if a DDoS attack is underway.

DDoS protection solutions help detect traffic anomalies and determine whether they are innocent or malicious. After all, a sudden flood of requests might be the result of a successful marketing campaign, and blocking those requests might be a business disaster.

DDoS mitigation efforts typically attempt to divert the flow of malicious traffic as quickly as possible. 

Common DDoS prevention and mitigation efforts include:

While standard firewalls protect networks at the port level, WAFs help ensure that requests are safe before forwarding them to web servers. A WAF can determine which types of requests are legitimate and which are not, enabling it to drop malicious traffic and prevent application-layer attacks.

A CDN is a network of distributed servers that can help users access online services more quickly and reliably. With a CDN in place, users’ requests don’t travel all the way back to the service’s origin server. Instead, requests are routed to a geographically closer CDN server that delivers the content.

CDNs can help protect against DDoS attacks by increasing a service’s overall capacity for traffic. When a CDN server is taken down by a DDoS attack, user traffic can be routed to other available server resources in the network.

Endpoint detection and response (EDR), network detection and response (NDR) and other tools can monitor network infrastructure for indicators of compromise. When these systems see possible DDoS signs—such as abnormal traffic patterns—they can trigger real-time incident responses, such as terminating suspicious network connections.

A “black hole” is part of a network where incoming traffic is deleted without being processed or stored. Blackhole routing means diverting incoming traffic to a black hole when a DDoS attack is suspected.

The downside is that blackhole routing can discard the good with the bad. Valid and perhaps valuable traffic might also be thrown away, making blackhole routing a simple but blunt instrument in the face of an attack.

Rate limiting means placing limits on the number of incoming requests a server is allowed to accept during a set time period. Service might also slow for legitimate users, but the server is not overwhelmed. 

Load balancing is the process of distributing network traffic among multiple servers to optimize application availability. Load balancing can help defend against DDoS attacks by automatically routing traffic away from overwhelmed servers.

Organizations can install hardware- or software-based load balancers to process traffic. They can also use anycast networking, which enables a single IP address to be assigned to several servers or nodes across multiple locations so that traffic can be shared across those servers. Normally, a request is sent to the optimal server. As traffic increases, the load is spread out, meaning that the servers are less apt to be overwhelmed.

Scrubbing centers are specialized networks or services that can filter malicious traffic from legitimate traffic by using techniques such as traffic authentication and anomaly detection. Scrubbing centers block malicious traffic while allowing the legitimate traffic to reach its destination.