Distributed Denial of Service (DDoS) Attack

What is a DDoS Attack?

A Distributed Denial-of-Service attack requires no technical skills, can take you offline almost immediately, and may use an army of oblivious thralls. What is a DDoS attack? It’s the entry-level cybercrime.


Led Zeppelin hadn’t played together for 19 years. When they announced they’d play a concert at the O2 Arena in London on 10 December 2007, the excitement was immense. So much so that 80,000 rock fans were trying to register online for tickets – per minute! The ticketing website simply couldn’t cope. It gave up the ghost and crashed.

A DDoS attack – pronounced dee-dos – does just that. It floods your website – or other web-facing resource – with so much traffic that it simply can’t cope.

Techopedia Explains

That website or service has been taken offline. Your business will suffer reputational damage, loss of operational capability, and, if it is an e-commerce website, lost revenue. And that lost revenue could be long-term. If your customers have to go to one of your competitors because you can’t trade, they may well give your competitor their repeat business.

Make no mistake, a DDoS attack is completely debilitating for the victim yet astonishingly simple to conduct.

Who Is Behind DDoS Attacks?

DDoS attacks can be performed by threat actors of every size, from state-sponsored Advanced Persistent Threat (APT) groups right down to the zero-skilled would-be hacker.

Motives of the DDoS Attacks

1. The motives are not always financial, but money is the most common reason.

A typical attack will take a website or other internet-facing server or service offline for a period of time. When the attack ceases, a ransom demand is made with the threat that if the cryptocurrency ransom is not paid, the attacks will recommence.

2. Another motive is social warrior hacktivism. Hacking groups such as Anonymous will attack an organization because they don’t agree with a stance adopted or promoted by the victim.

It might be political, ethical, or ecological. The hacktivists use DDoS as the digital equivalent of a student sit-in or a mass protest at the gates of the organization they are targeting.

These are not jolly student japes, however. It is illegal to conduct a DDoS attack. The US legislation is the Federal Computer Fraud and Abuse Act, with sentences of up to 10 years imprisonment and a US $500K fine.

In the UK, the relevant legislation is the Computer Misuse Act, which carries no official guidelines for sentencing, leaving the judge to award punishment as they see fit.

3. Revenge is also a motive. The disgruntled employee, the disgruntled ex-employee, or even the disgruntled person who failed the interview and never became an employee can easily perform a DDoS attack against a company they have a grievance against.

Revenge was the motive for the severe and protracted DDoS attacks against giants of the United States financial sector, such as US Bancorp, Bank of America, Wells Fargo, and others. The attacks started in September 2012 and lasted for two weeks, on and off. Some of these organizations were offline for days at a time.

The attack was claimed by a hitherto unheard-of hacktivist group called the Izz ad-Din al-Qassam Cyber Fighters, “the Cutting Sword of Justice.” Cyber researchers have attributed the attacks to an Iranian state-sponsored APT. All indications suggest that the motive was revenge for the famous Stuxnet cyberattack against the uranium enrichment plant at Natanz, Iran.

The Types of DDoS Attacks

Like the many sub-categories of malware, there are many sub-categories of DDoS attacks. But they fall into three main categories.

Volumetric Attacks

These are the most common DDoS attacks. They overwhelm the target computer’s network bandwidth by bombarding it with bogus data requests.

Sometimes on one port, sometimes on every open port. The victim computer or device must try to deal with these apparently legitimate requests, which occupy 100 percent of its bandwidth and processing capabilities. Legitimate requests cannot be serviced, and the target computer, device, or service is essentially offline.

Typically, the messages sent to the victim’s computer are either User Datagram Protocol (UDP) packets or Internet Control Message Protocol (ICMP) packets.

UDP is tailored for fast data transmission, which makes it a prime tool for threat actors. ICMP attacks send false error messages or false requests for information and tie up the target computer as it tries to service all these bogus requests.

Application-Layer Attacks

The application layer is the topmost tier, layer 7, of the Open Systems Interconnection (OSI) network model. It is concerned with the software that interacts with the network traffic.

These attacks typically misuse direct web traffic using protocols such as Hypertext Transfer Protocol (HTTP), Hypertext Transfer Protocol Secure (HTTPS), Domain Name System (DNS), or Simple Mail Transfer Protocol (SMTP).

They use the same principle of flooding the victim’s computer or device and choking it with bogus network interactions, which prevent legitimate traffic from being serviced.

Protocol Attacks

A protocol attack may use a flood of purposefully malformed packets to attempt to confuse and crash the target device by over-running internal buffers or corrupting data tables.

Other protocol attacks make use of the so-called three-way handshake that takes place when a Transmission Control Protocol/Internet Protocol (TCP/IP) connection is requested, accepted, and connected.

The connection request starts with a SYN packet from the computer requesting the connection. The receiver, in this case, the target computer, responds with a SYN+ACK packet to acknowledge the SYN packet.

The client acknowledges the SYN+ACK packet by sending an ACK packet to the target computer. They then negotiate transmission speeds, protocols, packet sizes, and so forth, and establish a connection.

A SYN Flood Attack

A SYN flood attack is a protocol attack that works by sending a flood of SYN packets to the target machine. It responds with a SYN+ACK packet to each of these requests and waits for the final ACK from each of the remote devices.

But these are never sent. This means that each of these bogus connections ties up networking resources within the target machine until each of the incomplete connections times out. Of course, with a flood of SYN requests relentlessly hitting the target computer, it cannot accept any genuine connection requests.

A variation of this type of attack is the low and slow attack. These use a relatively low amount of traffic, so they can be harder to identify as a direct attack.

They make a steady stream of connection requests with every step of each interaction paused for as long as possible but without causing the target computer to time out.

So the target computer is working, but dreadfully slowly, to the point that it might as well not be. It’s like being in the queue for the checkout at a store and every person in front of you purposely being as slow as they can.
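The half-open connections that a SYN flood leaves behind are visible on the target as sockets stuck in the SYN_RECV state. The following is an added example, not part of the original article, that counts them per listening port from a connection table in the layout of Linux `/proc/net/tcp`; the sample rows, the addresses, and the threshold of 5 are constructed for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # kernel state code: SYN received, SYN+ACK sent, final ACK still missing

# Constructed sample in the layout of Linux /proc/net/tcp (trailing columns trimmed).
# Local socket is 192.0.2.10; all addresses are documentation ranges, not real hosts.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0A0200C0:01BB 00000000:0000 0A 00000000:00000000
   1: 0A0200C0:01BB 146433C6:D2F0 01 00000000:00000000
   2: 0A0200C0:01BB 076433C6:C350 03 00000000:00000000
   3: 0A0200C0:01BB 086433C6:C351 03 00000000:00000000
   4: 0A0200C0:01BB 057100CB:C352 03 00000000:00000000
   5: 0A0200C0:01BB 097100CB:C353 03 00000000:00000000
   6: 0A0200C0:01BB 4D7100CB:C354 03 00000000:00000000
   7: 0A0200C0:01BB C86433C6:C355 03 00000000:00000000
   8: 0A0200C0:0016 1E7100CB:C356 03 00000000:00000000
"""


def decode(addr):
    """'0A0200C0:01BB' -> ('192.0.2.10', 443). IPv4 is little-endian hex on x86."""
    ip_hex, port_hex = addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def half_open_report(table, threshold):
    """Count half-open (SYN_RECV) sockets per local port; return ports at/over threshold."""
    counts, sources = Counter(), {}
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != SYN_RECV:
            continue                             # LISTEN, ESTABLISHED, etc. are ignored
        _, local_port = decode(fields[1])
        remote_ip, _ = decode(fields[2])
        counts[local_port] += 1
        sources.setdefault(local_port, set()).add(remote_ip)
    return {port: {"half_open": n, "distinct_sources": len(sources[port])}
            for port, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # Threshold of 5 is an arbitrary value chosen for this small sample.
    print(half_open_report(SAMPLE, threshold=5))
```

A high half-open count spread across many distinct sources on one port matches the pattern described above. On Linux, the `net.ipv4.tcp_syncookies` and `net.ipv4.tcp_max_syn_backlog` settings govern how the kernel copes with it.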

ICMP Request Packets

Another technique is to use ICMP request packets. These are not sent to the victim’s computer, however; they are sent to other, large networks.

The ICMP packets request that the packet be shared with all the hardware on the network. So the request is replicated and sent to all of the networked devices. The request is for a dump of information about each device, which they obligingly provide.

However, the initial ICMP request was forged to look like it had been sent by the victim’s computer. All the responses from each of the network devices get sent to the victim’s website, server, or another internet-facing service.

So by sending one packet, a deluge of information can be sent to the victim. This is known as amplification. Of course, the threat actor uses a sizable number of innocent, large networks to bombard the target computer.

It’s like attacking a mountain village by going into the hills and poking the snow. The avalanche wipes out the village, and the threat actor hasn’t had any direct communication with the village itself.
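From the victim's side, reflected traffic of this kind shows up as ICMP echo replies that answer no request the host ever sent. The following is an added example, not part of the original article, that matches replies against outstanding requests and groups the unsolicited ones by source network; the packet summaries, the addresses, and the /24 grouping are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8      # ICMP type numbers
HOST = "192.0.2.10"                  # constructed address of the monitored host

# Constructed packet summaries: (src, dst, icmp_type, ident, seq)
PACKETS = [
    ("192.0.2.10", "198.51.100.1", 8, 0x1A2B, 1),   # genuine ping sent by the host
    ("198.51.100.1", "192.0.2.10", 0, 0x1A2B, 1),   # its matching reply
    ("203.0.113.11", "192.0.2.10", 0, 0x7777, 9),   # replies to a request the host
    ("203.0.113.12", "192.0.2.10", 0, 0x7777, 9),   # never sent: same ident/seq,
    ("203.0.113.13", "192.0.2.10", 0, 0x7777, 9),   # many responders on one network
    ("203.0.113.14", "192.0.2.10", 0, 0x7777, 9),
    ("198.51.100.50", "192.0.2.10", 0, 0x0042, 3),  # single stray reply
]


def unsolicited_replies(packets, host):
    """Count echo replies to `host` with no matching request, per source /24."""
    outstanding = set()              # (peer, ident, seq) of requests the host sent
    by_network = Counter()
    for src, dst, icmp_type, ident, seq in packets:
        if icmp_type == ECHO_REQUEST and src == host:
            outstanding.add((dst, ident, seq))
        elif icmp_type == ECHO_REPLY and dst == host:
            key = (src, ident, seq)
            if key in outstanding:
                outstanding.discard(key)         # answered: a normal ping exchange
            else:
                net = ipaddress.ip_network(f"{src}/24", strict=False)
                by_network[str(net)] += 1
    return by_network


def reflector_networks(packets, host, min_replies):
    """Networks that sent at least `min_replies` unsolicited echo replies."""
    counts = unsolicited_replies(packets, host)
    return sorted(net for net, n in counts.items() if n >= min_replies)


if __name__ == "__main__":
    print(dict(unsolicited_replies(PACKETS, HOST)))
    print(reflector_networks(PACKETS, HOST, min_replies=3))
```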

Sophisticated DDoS Attacks

Sophisticated DDoS attacks can use a blend of volumetric, application-layer, and protocol attacks all at once. As we’ll see, most DDoS attacks are not sophisticated, but they’re still devastating.

Why Anyone Can Perform a DDoS Attack

There are numerous DDoS attack software packages that can be easily and freely downloaded from the web. Not the dark web. You can find them on the regular or “clear web.”

Download them, follow a few simple instructions, and hey presto, you’re a criminal. No IT or cyber knowledge is required.

You can obtain the source code for some DDoS programs from GitHub. Clone the repository, compile the source code, and fire them up.

There’s a bit more knowledge required for this, but if you can follow a simple list of instructions, this is achievable by anyone with a smattering of IT experience. The image at the top of this article is a section of source code from one such program.

If you can find your way onto the dark web, you can find DDoS-as-a-Service outlets. You pay them to mount the campaigns on your behalf. Typically they will have developed malware and previously infected as many computers (or other networked devices) as they can.

These infected devices – called bots – can be used in concert to generate the flood of traffic needed to topple a website. The owner of the infected device won’t even know they’re contributing to an attack.

The more bots the DDoS-as-a-Service outlet has, the more traffic it can generate. Depressingly, there are services available for as little as $20 per hour.

How to Protect Yourself From DDoS Attacks

The most effective methods of DDoS protection are cloud-based. DDoS protection providers maintain extremely fast networks that can deliver multiple terabits of data per second.

Like a monumental proxy, all traffic to your website – or any other network resource you wish to protect – is delivered via your DDoS protection provider’s network.

When you are suffering a DDoS attack, the deluge of traffic is distributed between their many points of presence or “data treatment centers.”

These are numerous enough and fast enough to intelligently separate the wheat from the chaff in real-time. Genuine traffic is permitted through to the website or server, and the DDoS traffic is discarded.

Sometimes these services are bolstered with a web application firewall or other forms of defense that vary from provider to provider.

The Bottom Line

The basic DDoS attack has become one of the go-to forms of digital revenge. There are two reasons for this. First, it is simple to carry out a DDoS attack. Second, the perpetrator thinks their crime is untraceable.

While they wouldn’t commit a physical crime for fear of getting caught, they mistakenly believe the digital nature of the crime shields them from detection and punishment. But a crime is a crime, and there’s a big difference between being able to commit a crime and being able to get away with a crime.

This type of naïve cybercriminal is often caught – and caught quickly – but that can be of little consolation to the victim who has been brought offline and lost revenue, customers, and dependability.


Marshall Gunnell
IT & Cybersecurity Expert

Marshall, a Mississippi native, is a dedicated expert in IT and cybersecurity with over a decade of experience. Along with Techopedia, his bylines can be found on Business Insider, PCWorld, VGKAMI, How-To Geek, and Zapier. His articles have reached a massive readership of over 100 million people. Marshall previously served as the Chief Marketing Officer (CMO) and technical staff writer at StorageReview, providing comprehensive news coverage and detailed product reviews on storage arrays, hard drives, SSDs, and more. He also developed sales strategies based on regional and global market research to identify and create new project initiatives. Currently, Marshall resides in…