A DDoS attack (distributed denial of service) is a type of DoS attack in which the target server, service, or network is overloaded with traffic originating from several sources (for example, a group of devices). Like any other DoS attack, the goal of a DDoS one is to make the victim’s system inaccessible.
Most DDoS attacks involve the use of botnets — networks of remotely managed devices infected with malware. Upon instruction by the C2 (command-and-control) server, the devices start bombarding the target resource with requests, causing a temporary denial of service. A botnet can consist of both personal computers as well as, for example, IoT (internet of things) devices.
How to detect a DDoS attack
A successful DDoS attack makes the target resource unavailable or slow to respond. However, such a result does not necessarily point to a DDoS attack as the culprit, since the slowdown or shutdown of a resource can occur for other reasons — such as software failure or a spike in legitimate traffic. Therefore, network analysis tools are used to detect DDoS attacks. Signs of a DDoS attack include:
- Suspicious traffic coming from IP addresses in the same range or from devices with similar characteristics (device type, geolocation, browser version).
- Multiple requests to specific web pages, ports or devices.
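Both signs above can be checked mechanically against a web server's access log. The following is an added illustration, not code from the original article: it parses constructed Common Log Format lines, groups requests by /24 source range and by requested path, and flags any group whose request count inside a sliding window crosses a threshold. The thresholds, window length and sample lines are assumptions chosen for the demonstration; as the text notes, a flag is a prompt for investigation, not proof of an attack.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_network

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Six requests from one /24 hit /login within a few seconds; two others are background noise.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:00 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.12 - - [10/Oct/2023:13:55:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.13 - - [10/Oct/2023:13:55:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.14 - - [10/Oct/2023:13:55:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.15 - - [10/Oct/2023:13:55:03 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /about HTTP/1.1" 200 2048
192.0.2.44 - - [10/Oct/2023:13:55:04 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return {'ip', 'ts', 'path'} for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path")}


def analyze(log_text, window_seconds=60, subnet_threshold=5, path_threshold=5, prefix=24):
    """Flag source ranges and paths whose request rate crosses a threshold.

    Returns {'subnets': {range: peak_count}, 'paths': {path: peak_count}}; the
    thresholds and window are assumed values, to be tuned per site.
    """
    records = sorted(
        (r for r in map(parse_line, log_text.splitlines()) if r),
        key=lambda r: r["ts"],
    )
    recent_by_subnet = defaultdict(deque)  # range -> timestamps inside the window
    recent_by_path = defaultdict(deque)    # path  -> timestamps inside the window
    flagged_subnets, flagged_paths = {}, {}

    for r in records:
        # Collapse the source address to its /24 so that "same range" traffic groups together.
        subnet = str(ip_network(f"{r['ip']}/{prefix}", strict=False))
        for key, store, flagged, threshold in (
            (subnet, recent_by_subnet, flagged_subnets, subnet_threshold),
            (r["path"], recent_by_path, flagged_paths, path_threshold),
        ):
            q = store[key]
            q.append(r["ts"])
            # Drop timestamps that have slid out of the window.
            while (r["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(q))

    return {"subnets": flagged_subnets, "paths": flagged_paths}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample above the detector reports the 203.0.113.0/24 range and the /login path, each with a peak of six requests in the window, while the two single requests from other ranges stay below threshold. In production the same logic would run on streaming log data, and the geolocation and user-agent similarity signals the text mentions would be added as further grouping keys.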
DDoS attacks can be classified in a number of ways; primarily:
- By the protocol used by the cybercriminals: TCP flood, UDP flood, HTTP flood, ICMP flood, and others.
- By the layer of the Open Systems Interconnection (OSI) model at which the attack occurs. Under this model, interactions among different devices in the network are divided into seven layers. DDoS attacks most often strike at one of three OSI layers: network (L3), transport (L4), and application (L7).
- By attack mechanism. DDoS attacks can be divided into bandwidth-depletion and resource-depletion attacks. The first include flood attacks (overloading the channel with a large number of packets) and amplification attacks (when attackers send requests not to the target resource directly, but to some intermediary service — often spoofing the victim’s IP; the channel becomes overloaded with responses from this service). The second group covers attacks that, for example, exploit vulnerabilities in network protocols or send malformed data packets.
The objectives of DDoS attackers can be divided into two groups:
- Commercial, such as extortion, harming competitors, selling one’s own DDoS protection solutions.
- Non-commercial, such as hacktivism, revenge, disruption of classes at school/university, entertainment.
Whatever the motive, DDoS attacks are a crime and punishable by law.
There are specialized anti-DDoS solutions that protect web resources by analyzing and filtering traffic. In addition, various restrictions can be applied to counter DDoS attacks: blocking requests that come from certain regions or from a denylist of IP addresses, rate limiting that caps the number of requests accepted from the same source within a set timeframe, and other measures.
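The three restrictions just listed (denylist, region block, per-source rate limit) can be combined in a single request filter. The code below is an added example and not part of the original article or any vendor product: it applies a CIDR denylist, a region block driven by a caller-supplied lookup function, and a sliding-window limit per source address. The `region_lookup` mapping, the addresses, the limit of three requests per ten seconds and the event sequence are all constructed for the demonstration; a real deployment would take the region from a geolocation database and the limits from the site's normal traffic profile.

```python
from collections import deque
from ipaddress import ip_address, ip_network


class RequestFilter:
    """Denylist + region block + per-source sliding-window rate limit (illustrative)."""

    def __init__(self, max_requests, window_seconds, denylist=(),
                 blocked_regions=(), region_lookup=None):
        self.max_requests = max_requests
        self.window = window_seconds
        self.denylist = [ip_network(n) for n in denylist]
        self.blocked_regions = set(blocked_regions)
        self.region_lookup = region_lookup  # callable: ip string -> region code, or None
        self.history = {}                   # source ip -> deque of accepted-request times
        self.stats = {"allow": 0, "deny:denylist": 0, "deny:region": 0, "deny:rate_limit": 0}

    def check(self, source_ip, now):
        """Return 'allow' or a 'deny:<reason>' string for one request at time `now` (seconds)."""
        decision = self._decide(source_ip, now)
        self.stats[decision] += 1
        return decision

    def _decide(self, source_ip, now):
        addr = ip_address(source_ip)
        # Cheapest checks first: static denylist, then region block.
        if any(addr in net for net in self.denylist):
            return "deny:denylist"
        if self.region_lookup and self.region_lookup(source_ip) in self.blocked_regions:
            return "deny:region"
        # Sliding window: keep only accepted requests younger than the window.
        q = self.history.setdefault(source_ip, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return "deny:rate_limit"
        q.append(now)
        return "allow"


# Constructed region table standing in for a geolocation database; "ZZ" is a made-up code.
FAKE_REGIONS = {"192.0.2.99": "ZZ", "192.0.2.1": "AA", "203.0.113.5": "AA"}


def simulate():
    """Run a constructed request sequence through the filter; returns (decisions, stats)."""
    f = RequestFilter(max_requests=3, window_seconds=10,
                      denylist=["198.51.100.0/24"],
                      blocked_regions=["ZZ"],
                      region_lookup=lambda ip: FAKE_REGIONS.get(ip, "--"))
    # (source address, time in seconds); one client bursts past the limit, then returns later.
    events = [
        ("203.0.113.5", 0), ("203.0.113.5", 1), ("203.0.113.5", 2), ("203.0.113.5", 3),
        ("198.51.100.9", 4),   # inside the denylisted range
        ("192.0.2.1", 5),      # ordinary client
        ("192.0.2.99", 6),     # mapped to the blocked region
        ("203.0.113.5", 12),   # the burst has aged out of the 10-second window
    ]
    decisions = [f.check(ip, t) for ip, t in events]
    return decisions, f.stats


if __name__ == "__main__":
    for line in simulate()[0]:
        print(line)
```

Only accepted requests are recorded in the window, so a client that is being throttled cannot extend its own penalty; once its earlier requests age out it is served again, which is the behaviour a practitioner usually wants for a limit that targets abusive volume rather than a specific source.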