DDoS 101: What you should know about distributed denial-of-service attacks

In the first half of 2022, a significant increase in DDoS activity was reported globally. The total number of malicious DDoS attacks rose by 203% in the first six months of 2022 compared to the previous year's period. In this post, we’ve compiled everything you need to know about DDoS attacks, which seriously threaten digital assets and organizations’ business processes.

As technology has assumed a larger role in business, organizations face an ever greater variety of threats. Hackers have exploited increasingly advanced technologies with each passing year and have access to growing numbers of computers and networks. And they have no compunction about using these enhanced resources to threaten the business processes of organizations – sometimes just for fun. This, in turn, has led to an increase in distributed denial-of-service (DDoS) attacks, typically carried out for revenge, competition, politics, or so-called “hacktivism.” A recent report notes that in the first half of 2022, DDoS attacks increased by an alarming 203% compared to the same period in 2021. It was also mentioned in an IDC report released in February that DDoS attacks now represent the most serious concern for IT organizations, both large and small. 

DDoS attacks can incur significant financial losses for organizations by hampering their business processes and restricting access to services, even if they don’t result in data breaches. This post provides a comprehensive guide to DDoS attacks, including an explanation of how they work, examples of DDoS attacks, the best means of preventing them, what to do if (and when) they occur, and other vital information.


What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is a type of cyber attack in which several compromised computer systems, which have been integrated into a network under the attacker's control (a botnet), are used to attack a predetermined target. As the name implies, DDoS attacks – which can target servers, websites or other networks – result in denial of service to the targeted entity's real users. In other words, in a DDoS attack, the target is bombarded with massive numbers of requests by the attacking computers, so real users can no longer access it. The enormous number of messages, inquiries and connection requests received by the targeted system typically causes it to slow down – or even collapse – thus making it inaccessible to genuine users.


What are the underlying reasons for DDoS attacks?

Individual hackers, hacker networks, criminal gangs, and even states can carry out DDoS attacks. The primary reasons for launching a DDoS attack can be summarized as follows: 

  • Competition: Unfortunately, some companies will “cross the line” and target their competitors' websites. Knowing that a loss of access can harm websites and business operations, malicious actors can orchestrate DDoS attacks on their rivals to render the latter’s services inaccessible. This can allow them to bolster their Google ranking while the targeted company struggles to get its website up and running again. It also gives them a chance to steal customers. Recent studies indicate that two out of five businesses that suffered DDoS attacks were targeted by competitors.
  • “Hacktivism”: DDoS attacks are also sometimes used by “benevolent” hackers in defense of particular causes or in response to calls by certain segments of the public. Engaging in DDoS hacking for “activist” causes, so-called “hacktivists” can target brands, campaigns or websites that have drawn the ire – for whatever reason – of the general public or particular activist groups.
  • Political reasons: Cyber warfare stands out as a relatively novel concept in international relations. Governments can resort to DDoS attacks to render inaccessible the public services of other states with which they have geopolitical or diplomatic differences. For example, it's well known that at the start of the ongoing conflict in Ukraine, official websites of the State of Ukraine were crippled by repeated DDoS attacks.


How does a DDoS attack work?

The question of what happens during a DDoS attack can only be answered by first understanding how the Internet works. Every action we perform on the Internet is answered by a server. For instance, whenever you search for something, your query triggers a function on a remote computer; that remote function produces a result, which is then relayed back to you. The same process is repeated for every request you send to a website. Users occasionally encounter difficulties accessing certain websites even when their own connection is of high quality; the main factor is how many requests the remote computer is handling at that moment.

DDoS attacks happen when many clients send too many requests, simultaneously and in rapid succession, to the same computer or network, thereby overwhelming it. In this case, the requests are sent by computers belonging to real people, so every request arrives from a real IP address. A firewall running on the server cannot decide which of thousands of incoming addresses are safe and which are not. However, these clients are not legitimate users; they are part of a DDoS attack, and the replies the server sends back to them go unanswered, leaving half-finished connections that tie up the server's resources.

In general, DDoS attacks are managed by what is referred to as a "botmaster," who manages and deploys bot networks. The botmaster makes sure that the entire computer network under their control, known as a botnet, dispatches vast numbers of inquiries to the target. Unable to process all these inquiries simultaneously, the target is forced to slow down and becomes largely inaccessible.


What are the various types of DDoS attacks?

The contemporary literature on the subject defines mainly three types of DDoS attacks. These are as follows:


  • Volumetric attacks: In this type of attack, malicious actors aim to consume the available bandwidth of the targeted system. A common form spoofs the target's internet protocol (IP) address as the source of vast numbers of requests to DNS (domain name system) servers, so that the servers' replies are directed at the target and flood it.
  • Protocol attacks: This kind of attack aims to exhaust the resources of a server or of the network systems in front of it, such as firewalls, routing engines or load balancers. The best-known example is the SYN flood. In a SYN flood, high volumes of initial connection-request (SYN) packets carrying false source IP addresses are sent to the targeted IP address. Because the spoofed sources never answer, the TCP (Transmission Control Protocol) handshake is never completed; the flood is repeated continuously so that the target's connection resources stay consumed.
  • Application layer attacks: Malicious actors typically carry out this type as HTTP attacks, in which large numbers of HTTP requests are sent to a server from many different IP addresses. For example, a hacker will send repeated requests to a server for an operation that is expensive to serve, such as creating PDF documents. Since the IP address and other identifiers differ for each request, the server cannot distinguish the attack from legitimate traffic and is eventually unable to respond to requests at all. This is also referred to as a Layer 7 attack (see below). For this reason, many websites use real-person verification systems, known as CAPTCHAs, to fend off this particular kind of attack.
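As an added illustration (not code from the original post), the script below takes one second of constructed traffic records and reports which of the three attack types above it indicates: reflected DNS replies dominating inbound bytes, handshakes that are started but never completed, and one endpoint hammered from many distinct addresses. The record layout and the thresholds are assumptions for the example, not a real capture format.

```python
from collections import Counter, defaultdict

# Constructed sample traffic for one 1-second window (not a real capture).
# Record layout: (src_ip, src_port, dst_port, proto, flags, size_bytes, http_path)
# flags: "S" = SYN seen but handshake never completed, "SA" = handshake completed.
def sample_traffic():
    t = []
    for i in range(200):   # volumetric: reflected DNS replies, UDP from port 53, ~3 KB each
        t.append((f"198.51.100.{i % 250}", 53, 40000 + i, "udp", "", 3000, None))
    for i in range(300):   # protocol: bare SYNs from spoofed sources, never completed
        t.append((f"203.0.113.{i % 250}", 50000 + i, 443, "tcp", "S", 60, None))
    for i in range(40):    # application: real handshakes, then an expensive endpoint
        ip = f"192.0.2.{i % 20}"
        t.append((ip, 51000 + i, 443, "tcp", "SA", 60, None))
        t.append((ip, 51000 + i, 443, "tcp", "A", 500, "/reports/export.pdf"))
    t.append(("192.0.2.200", 52000, 443, "tcp", "SA", 60, None))   # one legitimate visitor
    t.append(("192.0.2.200", 52000, 443, "tcp", "A", 400, "/index.html"))
    return t

def classify(records, reflect_share=0.5, half_open_ratio=0.8, path_rps=30, min_sources=10):
    """Return a dict naming the DDoS types indicated by one window of records.
    Thresholds are illustrative; tune them to the baseline of the protected service."""
    findings = {}
    total_bytes = sum(r[5] for r in records) or 1
    # Volumetric: most inbound bytes are UDP replies from port 53 (DNS reflection)
    dns_bytes = sum(r[5] for r in records if r[3] == "udp" and r[1] == 53)
    if dns_bytes / total_bytes > reflect_share:
        findings["volumetric"] = f"{dns_bytes / total_bytes:.0%} of bytes are DNS replies"
    # Protocol: handshakes started but never completed (SYN flood)
    syn_only = sum(1 for r in records if r[4] == "S")
    completed = sum(1 for r in records if r[4] == "SA")
    if syn_only + completed and syn_only / (syn_only + completed) > half_open_ratio:
        findings["protocol"] = f"{syn_only} half-open vs {completed} completed handshakes"
    # Application: one endpoint hammered from many distinct addresses; a per-IP
    # limit alone would miss this because no single client exceeds it
    hits, sources = Counter(), defaultdict(set)
    for r in records:
        if r[6]:
            hits[r[6]] += 1
            sources[r[6]].add(r[0])
    for path, n in hits.items():
        if n >= path_rps and len(sources[path]) >= min_sources:
            findings["application"] = f"{n} req/s to {path} from {len(sources[path])} IPs"
    return findings

if __name__ == "__main__":
    for kind, detail in classify(sample_traffic()).items():
        print(f"{kind}: {detail}")
```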


How does one identify a DDoS attack?

The main indicator of a DDoS attack is the difficulty of access. If your website or application is slow – or entirely fails – to respond, or your platform is inaccessible even though you have a reliable network, you may be experiencing a DDoS attack. In other words, if users are having difficulty accessing your website, this could be a sign that a DDoS attack is underway.


How long does a typical DDoS attack last?

While the total number of DDoS attacks globally increases yearly, the typical duration of attacks can vary significantly. According to some sources, attacks usually last less than one hour, although other sources note that DDoS attacks can last as long as four hours (https://www.comparitech.com/blog/information-security/ddos-statistics-facts/). Still, there are accounts of some attacks lasting up to 10 days, suggesting that DDoS attacks of longer duration are becoming increasingly common.


What should one do during a DDoS attack?

Website owners must take immediate action once it is determined that a DDoS attack is occurring. Every moment lost during this critical juncture means a greater chance of the server going down. One of the biggest challenges is to fend off the incoming DDoS attack without affecting one’s current visitor traffic. Hackers often make it difficult for the target to distinguish between fake and real traffic. Nevertheless, the following actions should be taken at the outset of any attack:


  1. Review traffic and define limits. Dropping the traffic that exceeds those limits is referred to here as “black hole filtering” (in its strictest form, black-holing discards all traffic to the targeted address, legitimate visitors included, so it is a last resort).
  2. Distribute traffic. Spreading traffic across multiple servers will help alleviate the hardships – to a degree – your overwhelmed server faces.
  3. Block the IP. If you identify unexpectedly heavy traffic emanating from a single IP address, block that IP’s access as quickly as possible.


How can one protect oneself from DDoS attacks?

While hackers rely on increasingly sophisticated technology to carry out DDoS attacks, cybersecurity technologies are also improving. For example, businesses seeking protection from DDoS attacks can use cutting-edge solutions, such as DDoS defense systems (DDS). Organizations can also deploy web application firewalls (WAFs), which block harmful requests by analyzing packets in real time. Another measure is rate limiting: restricting the number of requests a server will process within a certain period is also an effective protection against DDoS.
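The following script, added here and not part of the original post, shows the "review traffic and define limits" and "block the IP" steps above together with the rate limiting just described: it parses constructed access-log lines, keeps a sliding per-IP window, and blocks any address that exceeds the limit. The log format, the limit of 20 requests per 10 seconds and the sample addresses are assumptions for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} (?:\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def make_line(ip, second, path):
    """Build one constructed access-log line (common log format)."""
    return f'{ip} - - [01/Jun/2022:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

def sample_log():
    """Constructed sample: one ordinary visitor plus one client that floods."""
    lines = [make_line("192.0.2.10", s, "/index.html") for s in range(0, 50, 10)]
    lines += [make_line("203.0.113.7", 20 + s // 25, "/search?q=x") for s in range(50)]
    return lines

class RateLimiter:
    """Sliding-window limit: more than `limit` requests from one IP inside any
    `window`-second span gets that IP blocked for the rest of the run."""
    def __init__(self, limit=20, window=10):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.blocked = set()

    def allow(self, ip, ts):
        if ip in self.blocked:
            return False
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:     # drop timestamps that left the window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(ip)
            return False
        return True

def review(lines, limit=20, window=10):
    """Parse log lines in order, count requests per IP and block sources that
    exceed the limit. Returns (blocked IPs, allowed requests per IP)."""
    limiter, allowed = RateLimiter(limit, window), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:               # skip malformed lines instead of crashing
            continue
        ts = datetime.strptime(m.group(2), TIME_FMT).timestamp()
        if limiter.allow(m.group(1), ts):
            allowed[m.group(1)] += 1
    return limiter.blocked, allowed

if __name__ == "__main__":
    blocked, allowed = review(sample_log())
    print("blocked:", sorted(blocked), "allowed:", dict(allowed))
```

A per-IP limit only catches sources that are individually noisy; an application-layer flood spread thinly across many addresses stays under it, which is why the limit is combined with the traffic review and distribution steps rather than used alone.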

Businesses today face numerous cyber threats besides DDoS attacks, which can cause massive breaches and data loss. IT professionals are urged not to ignore cybersecurity in the digital transformation process and employ a complete, end-to-end cybersecurity solution to optimize safety. Such solutions not only identify dubious network traffic but also allow users to monitor the activities of all devices and employees remotely connected to business operations. Companies that guarantee secure network traffic by providing authorization ensure that all employees enjoy secure access to business networks – regardless of their physical location – and that would-be attacks are neutralized before they can do any serious damage.


Examples of DDoS attacks from around the world

Amazon, one of the world's biggest cloud platform providers, experienced one of the worst-ever DDoS attacks in the winter of 2020. The attack, during which Amazon’s servers had to fend off a staggering 2.3 terabytes of inquiries per second, was described by cybersecurity experts as a “wakeup call” for the entire industry. 

However, the largest ever DDoS attack targeted Google services in September 2017. In that attack, which involved a total volume of 2.54 Tbps, hackers sent spoofed packets to 180,000 web servers.


Frequently Asked Questions

What is a DDoS attack, and why is it dangerous?

A distributed denial-of-service attack (DDoS) is an attack in which a bot network (botnet) involving multiple computers perpetually sends huge volumes of inquiries to a particular target. The main objectives of a DDoS attack are to exhaust the target's bandwidth, overload the network’s resources, or make the system’s application layers unable to respond to requests. DDoS attacks are difficult to identify (and it’s always hard to find the culprit), and they generally result in websites or servers becoming inaccessible. This can ruin an organization’s reputation and adversely impact customer interaction. 

What is a Layer 7 DDoS attack?

A Layer 7 DDoS attack is another name for the application-layer type of distributed denial-of-service attack described above. Layer 7 refers to the Open Systems Interconnection (OSI) model, which divides the functions of a networked system into seven separate layers. In these attacks, botnets send vast numbers of requests to one of the application functions of the targeted system. In one Layer 7 attack experienced by a Google customer on June 1, it was found that 46 million requests had been sent within a single second.

What is the purpose of DDoS attacks?

The purposes of DDoS attacks vary depending on the aims of the hacker. DDoS attacks carried out by hackers who hope to gain a competitive advantage generally aim at stealing customers from rivals. Attacks by so-called “hacktivists,” meanwhile, target websites that have drawn a negative public reaction with the aim of deterrence. However, DDoS attacks can target businesses of any type or size. For example, small- and medium-scale enterprises (SMEs) are commonly targeted because they tend to underestimate the vital importance of cybersecurity.

What’s the best way to avoid DDoS attacks?

The best way to avoid DDoS attacks is to migrate away from individual cyber security solutions and adopt cloud-based solutions that offer end-to-end network security. 

What’s the difference between DDoS and DoS attacks?

The main difference between DDoS attacks and DoS (denial-of-service) attacks is that only a single computer is needed to engage in the latter. On the other hand, DDoS attacks are performed by botnets comprised of multiple compromised computers, and inquiries are sent to the targeted system from dozens – or even hundreds – of computers.