What Is a DDoS (Distributed Denial-of-Service) Attack?

Cybercrime is a constant threat, meaning users need to be hyper-aware and educate themselves on the risks they may encounter when online. One of these growing dangers is a subcategory of cybercrime attacks known as DDoS attacks. These synchronized attacks can be devastating and are particularly hard to detect. In this article, we’ll explain what these attacks are and what warning signs to look for to catch an attack before it becomes devastating.

What is a DDoS attack?

DDoS, meaning distributed denial-of-service, is a type of attack on users' computers. It’s a subclass of denial-of-service, or DOS, attacks.  These are attacks specifically designed to shut down a network, and they easily become DDoS attacks. Like other forms of cyberattacks, such as ransomware attacks, the idea is to make important files, data, or documents inaccessible to users.

How does a DDoS attack work?

DDoS attacks take out their target by flooding a target network with traffic or information so that it cannot function and crashes. A denial-of-service attack typically comes from only one network or system.  A distributed denial-of-service attack, on the other hand, is multi-layered. It involves multiple systems working together to synchronize a DOS attack to one target.

The networks involved have usually been previously infected by malware. This is what makes it possible for one hacker to execute a DDoS attack with multiple systems. Each computer or system involved can be directed to attack the victim device’s IP addresses, and the network under attack is overwhelmed and resorts to denying service for all traffic.

Think of it like a traffic jam; during big travel weekends, like Christmas or Thanksgiving, the highway floods with unexpected traffic and new traffic patterns. It causes a backup for everyone - even the cars that normally travel that route in their day-to-day.

How to identify DDoS attacks

Distinguishing between malicious and normal web traffic is particularly difficult when it comes to DDoS attacks because they only involve legitimate devices. In a distributed denial-of-service attack, the traffic is made up of real, legitimate users; preemptively blocking harmful activity is almost impossible. It’s hard to determine what traffic is harmful, and furthermore, where it’s coming from.

What makes distributed denial-of-service attacks unique is that they don’t try to breach security. The attack disables servers without brute force or hacking into your perimeters; it’s all done via methods that are, on the surface, legitimate. However, users and hosts will feel the effects of a DDoS attack just as they would with a different type of attack.

DDoS attacks vary in their length; sometimes they happen in large numbers of repeated assaults and sometimes they are just one overwhelming incident. The damage is detrimental either way. It can take months for a company to recover from a DDoS attack, which has long-term effects on a business.

A DDOS attack graphic

Ultimately, identifying DDoS attacks is difficult. However, there are a few red flags to look for when trying to detect and stop attacks. If you encounter any of the following, it may be a DDoS attack:

  • Your network receives too many incomplete connection requests from the same IP addresses over a short period of time.
  • Certain traffic source addresses continue querying the same data set even after the TTL (time-to-live) has expired.
  • Regular users or employees report unusual slow site performance.
  • Your server responds with 503 unavailable errors when traffic volume is high and doesn’t leave when traffic volume decreases, as it does for normal traffic.
  • Reports indicate unusual and unexplainable spikes in traffic.

Three types of DDoS attacks

There are many different techniques used, meaning that they can be difficult to evade and understand. However, DDoS attacks fall under three general categories.

Volumetric attacks

Volumetric attacks generate massive amounts of traffic through various methods to oversaturate the bandwidth. It creates a digital traffic jam so that no more traffic can make it through to the site, keeping users out and harming the reputation and business of a company.

Volumetric attacks are a brute force method, stealing more bandwidth than the other two kinds of attack. They typically rely on IoT devices and DDoS botnets, which are robot networks that move data without any human assistance. These bots flood the server with attack traffic faster than any one hacker could in real time, causing a shutdown for the victim.

The most common kinds of volumetric attacks are UDP and ICMP floods, and DNS amplification attacks. As the name implies, UDP and ICMP floods work to overwhelm the host with User Datagram Protocol packets or Internet Control Message Protocol pings in order to overpower the server or web application. Attackers use reflection attacks to manipulate victims’ IP addresses to make the requests, sometimes even spoofing IPs to worsen the attacks, and the bandwidth can’t keep up.

With DNS amplification attacks, the attacks manipulate public DNS servers into sending large numbers of small packets from many different sources. The attacker overwhelms the system with DNS lookup requests. The DNS server responds to each, but the amount of data returned to the victim's own DNS server causes a shutdown.

Protocol attacks

Protocol attacks are attacks on a network’s infrastructure, like servers, firewalls, and load balancers. They target protocol communications with malicious connection requests until it can’t function properly.

Whereas volumetric attacks are brute force, protocol attacks focus on targeting weaknesses in Internet communications protocols. Protocols are complex and updates are slow. This means that vulnerabilities are often exposed for hackers to take advantage of in DDoS attacks.

One common type of protocol attack are ping of death attacks. Sending a ping includes packets of information delivered to the recipient of the ping. With ping of death attacks, the data destroys the device's bandwidth with the sheer volume of requests.  The attacker exploits vulnerabilities in the system with packets that will freeze or crash the system.

Application attacks

Application attacks are more sophisticated attacks that exploit weakness in the application layer. They open connections and processes that clog up disk space and memory, which again, make it so that the sites or application servers can’t work as they should.

As far as the techniques behind distributed denial of service—DDoS—attacks go, there are several to be aware of. Although knowing the methods a hacker may use won’t necessarily help you prevent an attack, it’s worth knowing the mechanics.

HTTP flood attacks are an example of application layer attacks; they involve the web server and Internet more prevalently than other kinds of attacks. The attacker makes innocuous interactions with the web server, which intend to use up the server's resources.

How to protect against DDoS attacks

Over the last few years, DDoS attacks have worsened. Whereas the average attack used to last thirty minutes, many now average closer to fifty hours. Though DDoS protection is difficult, you can take measures that will help you evade potential damages from a DDoS attack. 

You can make your hosting infrastructure more resistant to distributed denial-of-service attacks by increasing your bandwidth. Learn how you can test your own network with an IP stresser to determine the strength of your network's capabilities.

Many of the kinds of attacks mentioned above rely on overwhelming the bandwidth of your server. With a large enough bandwidth, users can handle the spikes in activity meant to crash a system. Attackers will have to put in more work to overwhelm your site or server. You can also check with your web host to see if they offer DDoS mitigation tools, like a scrubbing center, to help you prevent attacks.

Switching to a cloud service instead of hardware can increase your bandwidth easily, plus help protect your data and information against other threats. If you want to keep using hardware for your network, try configuring your settings to prioritize network security. You can configure your firewall to drop incoming ICMP packets, which will help with floods. With hardware adjustments, this will cut down ping-based attacks.

Frequently asked questions

What does DDoS stand for?

DDoS stands for Distributed Denial-of-Service.

Is DDoS a crime?

Yes, distributed denial-of-service attacks are an illegal cybercrime, just like swatting attacks or identity theft. Committing a distributed denial-of-service attack, and being implicated for the attack, can lead to jail time.      

Can a VPN protect you from DDoS attacks?

Though they don’t guarantee protection, generally, yes, virtual private networks can help stop DDoS attacks. They hide your IP address, making it more difficult for DDoS attackers to locate and target your network.