What Is a Distributed Denial of Service (DDoS) Attack?

A distributed denial of service (DDoS) attack sends a massive flood of traffic to a website, server or network so that it stops working entirely or performs so poorly that it disrupts service.

CDW can improve your organization's security with advanced threat detection and response capabilities.

The Purpose of a DDoS Attack

DDoS attacks are incredibly disruptive, and sometimes disruption is the attackers’ primary goal. They may have a political or ideological motivation to attack a target or simply want to wreak havoc. In other cases, attackers try to leverage the attack for financial gain. For example, they could refuse to stop an attack until the target pays a ransom. They could also launch a DDoS attack as cover for other types of attack that allow them to infiltrate the target’s network and steal valuable data.

How Does a DDoS Attack Work?

Before launching an attack, a cybercriminal must first select a target. That choice will depend on factors such as the criminal’s intent and the effectiveness of the target’s defenses. Then, the attacker assembles the resources they will need, such as a botnet, to generate massive traffic.

DoS vs. DDoS

A denial of service (DoS) attack is smaller in scope than a DDoS attack, using only one internet connection to overwhelm a target. A DDoS attack, by contrast, could deploy hundreds, thousands or millions of devices against a target. The massive volume of devices and internet connections that exist today makes DDoS attacks harder to defend against.

Botnets

Attackers lay the groundwork for a DDoS attack by infecting multiple internet-connected devices with malware that lets them control those devices remotely. A group of infected devices (bots) is called a botnet. Once attackers have a botnet under their control, they can deploy it against the target.

Launching an Attack

Attackers instruct each bot to send a connection request to the target website in a simultaneous event designed to overwhelm the website (or its underlying servers or network). Because each bot appears to be a legitimate device, the target’s cybersecurity defenses may not recognize that they are compromised and will grant them access — ultimately leading to a shutdown or a significant slowdown.

Signs of a DDoS Attack

Some signs of a DDoS attack are obvious: A website suddenly goes offline or network performance plummets for no apparent reason (such issues may also stem from other causes).

Additional signs that may indicate a DDoS attack include:

  • Unusual traffic patterns, such as sudden spikes from a single region or a flood of traffic from one IP address
  • Increased Domain Name System (DNS) request failures, indicating a breakdown in the internet system that connects users to websites
  • Prolonged bot activity detected by behavioral analysis tools
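The "sudden spike from one IP address" sign above can be checked mechanically. The following is an added example, not code from the article or from CDW: it parses constructed access-log lines, buckets requests into fixed windows and flags any source whose count or share of traffic is anomalous. The thresholds, log format and IP addresses are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_FORMAT = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def build_sample_log():
    """Constructed access-log lines: ten ordinary clients plus one source
    that sends 300 requests inside the same minute (documentation IP ranges)."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(10):  # normal clients: 3 requests each, spread over the minute
        for j in range(3):
            ts = base + timedelta(seconds=i * 5 + j)
            lines.append(LOG_FORMAT.format(ip=f"198.51.100.{i + 1}",
                                           ts=ts.strftime(TS_FORMAT), path="/"))
    for k in range(300):  # one source hammering the site every 150 ms
        ts = base + timedelta(seconds=k * 0.15)
        lines.append(LOG_FORMAT.format(ip="203.0.113.7",
                                       ts=ts.strftime(TS_FORMAT), path="/search"))
    return lines

def parse_line(line):
    """Return (source_ip, timestamp) from a common-log-format line."""
    ip, rest = line.split(" ", 1)
    ts = rest.split("[", 1)[1].split("]", 1)[0]
    return ip, datetime.strptime(ts, TS_FORMAT)

def detect_flood(lines, window_seconds=60, per_ip_threshold=200, share_threshold=0.5):
    """Bucket requests into fixed time windows and flag any source IP that
    exceeds an absolute request count or dominates the window's traffic."""
    buckets = defaultdict(Counter)  # window start -> Counter(ip -> requests)
    for line in lines:
        ip, ts = parse_line(line)
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[window][ip] += 1
    alerts = []
    for window, counts in sorted(buckets.items()):
        total = sum(counts.values())
        for ip, n in counts.most_common():
            share = n / total
            if n >= per_ip_threshold or share >= share_threshold:
                alerts.append({"window": window, "ip": ip,
                               "requests": n, "share": round(share, 2)})
    return alerts

if __name__ == "__main__":
    for alert in detect_flood(build_sample_log()):
        print(alert)
```

In production the same logic would run over a streaming log source and feed an alerting pipeline rather than a print loop.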

Cost and Impact of DDoS Attacks

DDoS attacks are nefarious because they can hurt targets in several ways. Many organizations depend on internet connectivity to operate, and any prolonged disruption can be detrimental. For example, an online retailer shut down by a DDoS attack would temporarily be unable to sell products.

DDoS is also disruptive because the victim must focus time, money and other resources to resolve the attack instead of focusing on its core business. When an attack harms a victim’s customers, partners or other stakeholders, it can cause lasting reputational damage.

Cybercriminals may also use a DDoS attack to cover a data breach or learn more about a target’s cybersecurity defenses. And, in the case of ransomware, a victim may end up paying a ransom to stop the attack.

Real-World DDoS Attack Examples

Dyn

In 2016, cybercriminals launched repeated DDoS attacks against Dyn, one of the companies that handles DNS services on the internet. As a result, numerous other major sites, including Netflix and Reddit, experienced outages for several hours because they could not complete DNS processes.

One factor that made this attack unique was that it involved the Mirai botnet, which comprises connected devices (such as digital cameras and smart TVs) rather than computers. Analysts said that allowed for a large-scale attack because so many devices are connected, and often they are not as well protected as computers.

GitHub

In 2018, cybercriminals struck at GitHub, an online platform that developers use to create and manage software code. This DDoS attack used amplification and originated from more than 1,000 autonomous systems, involving tens of thousands of endpoints. At the attack’s peak, GitHub’s network was hit with 1.35 terabits of data per second, far more than previous DDoS attacks. GitHub detected the attack promptly and was able to recover quickly with help from its DDoS mitigation partner.

Undisclosed Amazon Web Services Customer

Amazon Web Services (AWS) is one of the world’s largest cloud service providers. One of its customers suffered a massive DDoS attack in 2020. Because the customer was operating on AWS infrastructure, AWS stepped in to defend against the attack. It deployed AWS Shield, the security service it uses to protect customers from DDoS and other attacks. With a peak volume of 2.3 terabits per second, the traffic in this attack set a new record.

Types of DDoS Attacks

When a user connects to a website, several processes are happening behind the scenes to make that connection happen. One model of internet connectivity has seven layers, each responsible for a different step in the process. Different types of DDoS attacks target different layers. In addition, DDoS attacks often target protocols, or the rules that govern how traffic moves around the internet.

Volumetric Attacks

Volumetric attacks, the most common type of DDoS attack, overwhelm the target with malicious traffic that blocks legitimate traffic. This influx ties up all of the target’s network bandwidth so the site can no longer work properly. Attackers amplify the traffic by using a botnet or sending small connection requests to the victim’s servers in such a way that they generate immense traffic.

UDP Floods

This type of volumetric DDoS attack involves the User Datagram Protocol (UDP), one of the ways computers exchange data quickly. An attacker can overload a target’s server by sending a massive amount of UDP packets at once.

ICMP Floods

The Internet Control Message Protocol (ICMP) lets computers send quick, brief messages to each other — more like a “ping” than actual data. In an ICMP flood attack, the target receives so many pings that its network is overwhelmed.

Resource or Application Layer Attacks

While a volumetric attack overwhelms the victim’s network bandwidth, a resource or application layer attack directly targets the victim’s website or application. For example, by sending many fake requests to a site, attackers can overwhelm its underlying infrastructure — the CPU, memory or databases — and cause the site to crash.

Protocol Attacks

A protocol attack exploits the rules that help computers and networks exchange data efficiently. For example, one type of protocol translates website URLs into IP addresses. Attackers take advantage of weaknesses in these protocols to overload the network infrastructure.

SYN Flood

A synchronize (SYN) flood disrupts the process that two computers use to initiate an exchange. Usually, a three-step process enables the devices to connect. But in a SYN flood attack, the bad actor starts the process repeatedly without completing it — once again, tying up the target’s systems.

Smurf Attack

In a Smurf attack, an attacker sends a fake message — made to look like it is coming from the victim’s IP address — to many other computers. When all of those computers reply to the victim, they overwhelm the target’s system. Smurf attacks are named for the small, blue cartoon characters who take on a much bigger target by working together.

DNS Amplification/Reflection Attacks

DNS servers are analogous to phone books or directory assistance for the internet. When a user types in a website address, the DNS server looks up the IP address for that site to make the connection. A DNS amplification/reflection attack works by sending DNS lookup requests — spoofed so they appear to be from the victim — thereby tricking DNS servers into sending multiple responses to the victim.

Multivector DDoS Attacks

Attackers may deploy more than one type of DDoS attack at once or over a period of time.

Future of DDoS Attacks

Cybercriminals use emerging technologies to refine their tactics, so organizations must continually adapt their defenses. Here are three ways that technology advances have changed DDoS attacks:

  • Artificial intelligence–enhanced DDoS attacks: Artificial intelligence (AI) creates several advantages for cybercriminals. It can generate bots that are harder to distinguish from legitimate users, so security solutions may fail to weed out malicious traffic. AI can be adaptive, changing tactics during an attack in response to a target’s defenses. AI also helps attackers scan security systems for vulnerabilities, making attacks more efficient and more effective.
  • Ransom DDoS (RDDoS): Combining the disruption of a DDoS attack with a demand for payment, RDDoS is a growing concern. Cybercriminals know that organizations need online connectivity to carry out their work and thus may be willing to pay to end the attack.
  • 5G networks and Internet of Things devices: The number of connected devices has increased exponentially and will continue to grow. That creates more opportunities for cybercriminals to compromise devices and enlist them in an attack, creating a botnet that is harder to stop.

How to Prevent and Mitigate a DDoS Attack

Organizations use various solutions and strategies to prevent DDoS attacks and mitigate the damage they can cause. The right defense will help organizations identify and filter out malicious traffic while protecting systems from further damage and maintaining operations as much as possible. Often, a cybersecurity platform will include features and capabilities meant to counter DDoS attacks, among other types of threats.

Here are some of the most common defenses against DDoS attacks.

Traffic Differentiation

Differentiation analyzes network traffic to stop malicious traffic while allowing legitimate traffic through. The analysis looks at traffic patterns, such as volume or sources, and filters it according to predetermined rules.

Web Application Firewall

Web application firewalls filter traffic at the application layer to prevent known attack patterns, such as bots or suspicious requests, from reaching a website or application.

Load Balancers

Load balancing divides network traffic among several servers so that if an attack occurs, it will be less likely to overwhelm a single server.

Anycast Network Diffusion

Anycast network diffusion spreads traffic across multiple servers in different geographic locations to prevent an attack from overwhelming a single server.

Rate Limiting

Rate limiting lets an organization control the number of incoming connection requests that a user or an IP address can send in a period of time. This prevents attackers from overwhelming systems.
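One common way to implement the per-IP cap described above is a token bucket: each client may burst up to a fixed number of requests, after which it is held to a steady refill rate. The following is an added example, not code from the article or from CDW; the capacity, refill rate and client addresses are assumptions for illustration.

```python
class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `capacity`
    requests, then is held to `refill_per_second` on average."""

    def __init__(self, capacity=20, refill_per_second=5.0):
        self.capacity = capacity
        self.rate = refill_per_second
        self.buckets = {}  # client key -> [tokens, last_seen_time]

    def allow(self, client_ip, now):
        """Return True if the request is admitted, False if it should be
        rejected (e.g. with HTTP 429). `now` is a monotonic time in seconds."""
        bucket = self.buckets.setdefault(client_ip, [self.capacity, now])
        tokens, last = bucket
        # Refill in proportion to elapsed time, never beyond the bucket's capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            bucket[:] = [tokens - 1.0, now]
            return True
        bucket[:] = [tokens, now]
        return False


def simulate(limiter, client_ip, requests_per_second, seconds):
    """Drive one client at a fixed rate; return (allowed, rejected) counts."""
    allowed = rejected = 0
    interval = 1.0 / requests_per_second
    for i in range(int(requests_per_second * seconds)):
        if limiter.allow(client_ip, i * interval):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    limiter = TokenBucketLimiter(capacity=20, refill_per_second=5.0)
    # Constructed clients: a browser-like request rate and a flooding source.
    print("normal client:", simulate(limiter, "198.51.100.2", 2, 10))
    print("flooding source:", simulate(limiter, "203.0.113.7", 100, 10))
```

The normal client is never rejected, while the flooding source is cut to roughly the refill rate after its initial burst, which is the behaviour a rate limiter in front of a web tier should show.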

Blackhole Routing

After a victim’s system or network detects a DDoS attack, it can activate blackhole routing. This drops all traffic to the IP, whether malicious or legitimate, to contain the attack and prevent any further slowdowns or crashes.

Automated DDoS Mitigation Tools

Cloud-based DDoS mitigation solutions like those from AWS Shield, Cloudflare, Akamai and others use AI to block attacks automatically based on preset rules. The combination of AI and automation enables targets to respond much more quickly than they could by relying solely on human monitoring.

Real-Time Attack Monitoring

The ability to monitor network traffic in real time and to quickly identify threats is essential, and threat intelligence platforms are crucial because they increase organizations’ visibility and control over their technology environments.

DDoS Protection Service

Organizations may engage an expert third party that specializes in DDoS protection. Typically, this is full-service protection involving security software that automatically detects and filters DDoS attacks in real time; server and network infrastructure designed to withstand DDoS attacks; and experts who are available to help if an attack occurs. Such services are helpful for stopping attacks and minimizing attack damage or downtime.

Risk Assessment Services

Often, organizations find it valuable to engage cybersecurity experts who can assess risks in their environment and evaluate their organization’s cybersecurity capabilities against best practices. For example, CDW provides penetration testing to help your organization identify security gaps and vulnerabilities before attackers do. By strengthening your cyber resilience, your organization will be much more likely to withstand and quickly recover from an attack.

When to Involve Law Enforcement or Cybersecurity Firms

When a significant DDoS attack occurs, an organization’s first call may be to a cybersecurity firm, such as a DDoS protection service provider. These partners can help victims contain the attack and minimize the impact so they can restore normal operations as quickly as possible. Forensic investigators can help victims determine the cause of the attack, both to prevent a recurrence and to support any future criminal prosecution.

It’s not unusual for organizations to lack the internal expertise to perform these operations themselves. Victims may also report the attack to law enforcement agencies, which can support investigations, gather evidence and potentially pursue the attackers.

How CDW Can Help With DDoS Protection

Expert partners like CDW provide tactical, operational and strategic insights to help organizations understand where they are most vulnerable, and work with them to establish appropriate countermeasures. With deep expertise in cybersecurity, CDW takes a holistic approach to threat and vulnerability management, helping organizations mature their security posture across networks, cloud environments and endpoints.

Learn how CDW can improve advanced threat detection and response capabilities.

DDoS FAQs

How Long Does a DDoS Attack Last?

Most DDoS attacks last less than 24 hours, and some last only a few minutes. However, if the attacker is determined to launch a large-scale attack or compel the target to pay a ransom to end the attack, it could continue for days or even weeks.

Can a DDoS Attack Enable Data Theft?

A DDoS attack doesn’t steal data directly, but it can create opportunities for cybercriminals to do so. One tactic is to use DDoS as a distraction. While the organization and its IT and cybersecurity teams respond to the DDoS attack, the hackers may be infiltrating the network elsewhere.

Criminals may also use a DDoS attack to find vulnerabilities in an organization’s cybersecurity defenses. For instance, when attackers overwhelm a system, it gives them an opportunity to learn which security tools slow down or fail. They may be able to identify security misconfigurations that create vulnerabilities. They can use this information later to launch an attack in which they steal data.

Can a Virtual Private Network Stop a DDoS Attack?

A virtual private network provides a secure internet connection. It can help defend against a DDoS attack because it typically has stronger protections than a typical user device, so it can absorb more traffic. In addition, a VPN masks the user’s IP address and uses its own IP address instead, which means that the VPN — not the user — will be targeted by any attack.

What Is DDoS as a Service?

Individuals who want to launch a DDoS attack against a target but lack the necessary technical skills can hire cybercriminals to do it for them through DDoS as a Service. The dark web has made this process relatively easy, with customers using DDoS as a Service platforms to input the website or IP address they want to target, choosing the type of attack and paying the fee, often in cryptocurrency.