Distributed Denial of Service (DDoS) Attack


What is a DDoS Attack?

Distributed denial-of-service (DDoS) attacks (pronounced dee-dos) are sometimes considered entry-level cybercrimes. They often require little technical skill or tooling and can take a service offline almost immediately. They flood a website, server, or other Web resource with so much traffic that legitimate users cannot access it. Large-scale and sophisticated DDoS attacks, however, do require advanced knowledge and resources.


An analogy helps explain what a DDoS attack does. Led Zeppelin hadn’t played together for 19 years. When they announced they’d play a concert at the O2 Arena in London on 10 December 2007, the excitement was immense, so much so that 80,000 rock fans per minute were trying to register online for tickets. The ticketing website was overwhelmed and crashed.

This is exactly what a DDoS attack does: it takes a website or service offline. The business suffers reputational damage, a loss of operational capability, and, potentially, lost revenue. That lost revenue can be long-term: if customers go to a competitor because your service is unavailable, that competitor may also win their repeat business.

Some DDoS attacks are completely debilitating for the victim yet astonishingly simple to conduct. However, attacks targeting businesses and large organizations with cybersecurity defenses are more sophisticated, requiring advanced knowledge and resources.


Key Takeaways

  • DDoS attacks can cause a business to suffer reputational damage, loss of operational capability, or lost revenue.
  • A DDoS attack floods a website with so much traffic that legitimate users cannot access it.
  • Financial gain, hacktivism, and revenge are some motives behind DDoS attacks.
  • Types of DDoS attacks include volumetric, application-layer, and protocol attacks.
  • It is illegal to conduct a DDoS attack in many countries.

How a DDoS Attack Works


The following steps outline the basics of a DDoS attack. The more sophisticated the attack, the more resources the attacker requires.

  1. Target: The attacker chooses a target, such as a website, server, network, or other Internet-connected resource.
  2. Tools: Attackers may use DDoS software downloaded online or hire DDoS-as-a-Service platforms to execute the attack.
  3. Botnet: Most DDoS attacks are carried out using botnets, networks of infected computers and devices controlled in a coordinated fashion. Malware is used to infect the devices and bring them under the control of a botmaster; users are often unaware that their computers are infected.
  4. Attack: The botnet floods the target with fake traffic or requests to overwhelm its resources.
  5. Disruption: The target is overwhelmed with bogus requests, exhausting its resources and blocking legitimate access, which takes the website or service offline.

Who Is Behind DDoS Attacks?

DDoS attacks can be carried out by a wide range of threat actors, from state-sponsored advanced persistent threat (APT) groups with significant resources to “script kiddies” – unskilled individuals using programs created by other hackers.

Are DDoS Attacks Legal?

It is illegal to conduct a DDoS attack, meaning it is punishable by law. In the U.S., under the Computer Fraud and Abuse Act (CFAA), sentences of up to 10 years imprisonment and fines can be imposed. In the U.K., the Computer Misuse Act governs such offenses, also leading to imprisonment and/or fines. Other countries where DDoS attacks are illegal include Australia, Canada, France, Germany, India, and Japan.

How to Identify a DDoS Attack

A site or service suddenly slowing or unavailable is a common indicator of a DDoS attack. However, as shown in the earlier concert ticket analogy, a legitimate spike in traffic may also have this effect.

Common indicators of a DDoS attack include:

  • A surge in server CPU or memory usage
  • A flood of traffic from unexpected countries of origin
  • Increased number of error messages or failed login attempts
  • Performance issues such as a sudden slowdown or service unavailability
  • Service disruptions in critical systems (e.g., email)
  • Unusual spikes in web traffic at non-peak times
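To show how several of these indicators can be checked mechanically, here is an added example (not from the original article) that parses constructed web-server access-log lines, buckets requests per minute, and flags a minute whose request rate, share of never-before-seen clients, or 5xx error share jumps relative to the preceding minutes. The log lines, hosts and thresholds are all made up for illustration.

```python
import re
from collections import defaultdict

# Combined-log-format fields we need: client IP, timestamp to the minute, status code.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\] "[^"]*" (\d{3})')

def build_sample_log():
    """Constructed sample (no real hosts): five quiet minutes of three regular clients,
    then one minute in which four never-seen hosts send 40 requests and 503s begin."""
    lines = []
    for minute in range(5):
        for i in range(3):
            lines.append(f'198.51.100.{i + 1} - - [10/Dec/2007:09:0{minute}:1{i} +0000] '
                         f'"GET /tickets HTTP/1.1" 200 2048')
    for i in range(40):
        status = 200 if i < 20 else 503
        lines.append(f'203.0.113.{i % 4 + 1} - - [10/Dec/2007:09:05:{i:02d} +0000] '
                     f'"GET /tickets HTTP/1.1" {status} 0')
    return lines

def analyze(lines, rate_factor=5.0, new_client_share=0.8, error_share=0.25):
    """Bucket requests per minute and report minutes showing the indicators above: a rate
    far above earlier minutes, mostly unseen clients, or many 5xx. Thresholds are assumed."""
    per_minute = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            per_minute[m.group(2)].append((m.group(1), int(m.group(3))))
    findings, history, seen_ips = {}, [], set()
    for minute in sorted(per_minute):
        reqs = per_minute[minute]
        ips = {ip for ip, _ in reqs}
        reasons = []
        if history:  # a baseline is needed before judging rate or client churn
            baseline = sum(history) / len(history)
            if len(reqs) > rate_factor * baseline:
                reasons.append(f"rate {len(reqs)}/min vs baseline {baseline:.1f}/min")
            if len(ips - seen_ips) / len(ips) >= new_client_share:
                reasons.append(f"{len(ips - seen_ips)}/{len(ips)} clients never seen before")
        errors = sum(1 for _, status in reqs if status >= 500)
        if errors / len(reqs) >= error_share:
            reasons.append(f"{errors}/{len(reqs)} responses were 5xx")
        if reasons:
            findings[minute] = reasons
        history.append(len(reqs))
        seen_ips |= ips
    return findings
```

Running `analyze(build_sample_log())` flags only the sixth minute, with all three reasons; a real deployment would feed the same logic from the live log and add a geo-IP lookup for the unexpected-country indicator.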

Motives Behind DDoS Attacks

Financial Gain

Money is the most common reason for launching DDoS attacks. A typical attack will take a website server or service offline for a period of time. When the attack ceases, a cryptocurrency ransom demand is often made. Attackers may threaten to continue the attack if the ransom is not paid.

Social Warrior Hacktivism

Hacking groups such as Anonymous will attack an organization because they don’t agree with a political, ethical, or ecological stance adopted or promoted by the victim. Hacktivists use DDoS as the digital equivalent of a protest or demonstration against the organization they are targeting.

Revenge

A disgruntled person – sometimes an employee or ex-employee – can DDoS a company they have a grievance with. A well-known DDoS attack example where revenge was the motive was against some of the biggest names in the U.S. financial sector, including Bank of America, Wells Fargo, and others. Attacks started in September 2012 and lasted for two weeks, on and off. Some organizations were offline for days at a time.

The attack was claimed by a hacktivist group called the Izz ad-Din al-Qassam Cyber Fighters, “the Cutting Sword of Justice.” Cyber researchers have attributed the attacks to an Iranian state-sponsored APT. The motive appears to have been revenge for the famous Stuxnet cyberattack against the uranium enrichment plant at Natanz, Iran.

Types of DDoS Attacks


Like the many sub-categories of malware, there are many sub-categories of DDoS attacks. The main types of attacks fall into three categories: volumetric, application-layer, and protocol attacks. Within these categories, sophisticated DDoS attacks may use a blend of each type of attack all at once.

Volumetric Attacks

Volumetric attacks are the most common types of DDoS attacks. They overwhelm the target’s network bandwidth by bombarding it with bogus data requests – on one port or every open port. The victim’s computer or device must try to deal with these fake requests, which occupy 100 percent of its bandwidth and processing capabilities. When this happens, legitimate requests cannot be serviced, and the target computer or service is essentially offline.

Typically, the messages sent to the victim’s computer are either User Datagram Protocol (UDP) packets or Internet Control Message Protocol (ICMP) packets.

  • UDP is tailored for fast transmission with no connection setup, which makes it a prime tool for threat actors.
  • ICMP attacks send false error messages or false requests for information, tying up the target computer as it tries to service all these bogus requests.

Application-Layer Attacks

The application layer is the topmost tier, layer 7, of the Open Systems Interconnection (OSI) network model. It is concerned with the software that interacts with the network traffic. These attacks typically abuse ordinary application traffic using protocols such as Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), Domain Name System (DNS), or Simple Mail Transfer Protocol (SMTP).

While DDoS attacks are commonly associated with overwhelming bandwidth (i.e., flooding the computer or device and choking it with bogus network interactions), application-layer attacks focus on exhausting the server’s processing power rather than its bandwidth, so that legitimate requests go unserved.

An application-layer DDoS attack example is the low-and-slow attack. These use a relatively low volume of traffic, so they can be harder to identify as an attack. They work by opening a steady stream of connections and pausing every step of each interaction for as long as possible, but not so long that the target closes the connection for timing out.

The target computer is working, but dreadfully slowly – to the point that it might as well not be. It’s like being in the queue for the checkout at a store and every person in front of you purposely being as slow as they can.

Protocol Attacks

A protocol attack may use a flood of purposefully malformed packets to attempt to confuse and crash the target device by overrunning internal buffers or corrupting data tables. Other protocol attacks make use of the so-called three-way handshake that takes place when a Transmission Control Protocol/Internet Protocol (TCP/IP) connection is requested, accepted, and established.

How does a three-way handshake work?

  1. The connection request starts with a SYN packet from the computer requesting the connection.
  2. The receiver, in this case, the target computer, responds with a SYN+ACK packet to acknowledge the SYN packet.
  3. The client acknowledges the SYN+ACK packet by sending an ACK packet to the target computer.
  4. Then, they negotiate transmission speeds, protocols, packet sizes, and so forth, and establish a connection.

A SYN Flood Attack

A SYN flood attack is a protocol attack that exploits the three-way handshake. It works by sending a flood of SYN packets to the target machine. The target responds with a SYN+ACK packet to each of these requests and waits for the final ACK from each of the remote devices.

But these are never sent. Each of these bogus, half-open connections ties up networking resources within the target machine until it times out. With a flood of SYN requests relentlessly hitting the target computer, it cannot accept any genuine connection requests.
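The following is an added toy model, not part of the original article, of why incomplete handshakes exhaust a listener: a bounded table of half-open connections with a timeout, filled by SYNs that never receive their ACK while one legitimate client per second tries to connect. The backlog size, timeout and rates are assumed values; real TCP stacks differ in detail and commonly defend with SYN cookies.

```python
from dataclasses import dataclass, field

@dataclass
class Listener:
    """Toy listening socket: a bounded table of half-open connections (SYN
    received, SYN+ACK sent, ACK still outstanding) that are dropped after
    `timeout` seconds. Sizes and timings are assumed, not a real TCP stack."""
    backlog: int
    timeout: float
    half_open: dict = field(default_factory=dict)  # client -> time SYN+ACK was sent
    established: set = field(default_factory=set)

    def expire(self, now):
        """Free slots whose ACK never arrived within the timeout."""
        for client, sent in list(self.half_open.items()):
            if now - sent >= self.timeout:
                del self.half_open[client]

    def on_syn(self, client, now):
        """Step 1 of the handshake: answer SYN+ACK only if a slot is free."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            return "dropped"
        self.half_open[client] = now
        return "SYN+ACK"

    def on_ack(self, client, now):
        """Step 3: the final ACK completes the handshake and frees the slot."""
        if self.half_open.pop(client, None) is None:
            return "ignored"  # no matching half-open connection
        self.established.add(client)
        return "established"

def simulate(flood_rate, backlog=128, timeout=60.0, seconds=90):
    """Each second, `flood_rate` spoofed SYNs arrive and never complete, then
    one legitimate client tries the full handshake. Returns how many legitimate
    clients connected and how many had their SYN dropped."""
    srv = Listener(backlog, timeout)
    connected = dropped = 0
    for now in range(seconds):
        for i in range(flood_rate):
            srv.on_syn(("spoofed", now, i), now)  # no ACK will ever follow
        client = ("legit", now)
        if srv.on_syn(client, now) == "SYN+ACK":
            srv.on_ack(client, now + 0.1)  # a real client replies promptly
            connected += 1
        else:
            dropped += 1
    return connected, dropped
```

With the defaults, `simulate(10)` lets only 12 legitimate clients through and drops 78, while `simulate(10, timeout=5.0)` lets all 90 connect, which is why stacks under SYN flood shorten the half-open lifetime or switch to SYN cookies so that no state is kept until the ACK arrives.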

ICMP Request Packets

Another technique is to use ICMP request packets. These are not sent to the victim’s computer – instead, they are sent to other, large networks.

The ICMP packets are addressed so that the request is shared with all the hardware on the network: it is replicated and delivered to every networked device. The request is for a dump of information about each device, which they obligingly provide.

However, the initial ICMP request was forged to look like it had been sent by the victim’s computer. All the responses from each of the network devices get sent to the victim’s website, server, or another internet-facing service.

Each packet the attacker sends results in a deluge of information being sent to the victim. This is known as amplification. The attacker uses a sizable number of innocent, large networks to bombard the target computer.

It’s like attacking a mountain village by going into the hills and poking the snow. The avalanche wipes out the village, and the threat actor hasn’t had any direct communication with the village itself.

Why Anyone Can Perform a DDoS Attack

Numerous DDoS attack software packages can be freely downloaded from the web. Not the dark web – they can be found on the regular or “clear web.”

Keep in mind that engaging in DDoS activities is illegal and carries legal consequences.

Download them and follow a few simple instructions. Source code for some DDoS programs can be obtained from GitHub. Clone the repository, compile the source code, and follow a list of instructions. This is achievable by anyone with minimal IT experience.

If you can find your way onto the dark web, you can find DDoS-as-a-Service outlets, where you pay attackers to mount the campaigns on your behalf. Typically, they will have developed malware and previously infected computers or other networked devices. These infected devices, called bots, can be used to generate the flood of traffic needed to topple a website.

The more bots the DDoS-as-a-Service outlet has, the more traffic it can generate. Depressingly, there are services available for as little as $20 per hour. The price for DDoS-for-hire services scales with the size of the botnet, duration, and intensity of the attack.

Tips to Protect Yourself From DDoS Attacks


The Bottom Line

The DDoS attack definition refers to flooding a website or other web resource with so much traffic that it prevents users from accessing it. This is an intentional, malicious cyberattack that has become one of the go-to forms of digital revenge and extortion.

Often, the attacker thinks their crime is untraceable. While they wouldn’t commit a physical crime for fear of getting caught, they mistakenly believe the digital nature of the crime shields them from detection and punishment. But crime is crime, and there’s a big difference between being able to commit a crime and getting away with it.

This type of naive cybercriminal is often caught – and caught quickly – but that can be of little consolation to the victim who has been brought offline and lost revenue, customers, and dependability.

FAQs

What is DDoS in simple terms?

What is an example of a distributed denial of service attack?

What is meant by a DDoS attack?

Which of these would be an example of a DDoS attack?
(A) Phishing email scam (B) Overwhelming traffic surge (C) Unauthorized data access?

How long will a DDoS attack last?



Vangie Beal
Technology Expert

Vangie Beal is a digital literacy instructor based in Nova Scotia, Canada, who joined Techopedia in 2024. She’s an award-winning business and technology writer with 20 years of experience in the technology and web publishing industry. Since the late ’90s, her byline has appeared in dozens of publications, including CIO, Webopedia, Computerworld, InternetNews, Small Business Computing, and many other tech and business publications. She is an avid gamer with deep roots in the female gaming community and a former Internet TV gaming host and games journalist.