A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU and RAM capacity becomes overwhelmed.
The impact could range from a minor annoyance from disrupted services to experiencing entire websites, applications, or even entire business taken offline.
This type of attack has been around for a long time and continues to grow and evolve. Netscout reports that it observed 13,142,840 DDoS attacks in 2023 alone.
Denial of service (DoS) is what it sounds like: thwarting access to virtually anything, from servers, devices, and services to networks, applications, and even specific transactions within applications.
The difference between DoS and DDoS is a matter of scale. In both cases, the aim is to knock the target system offline with more requests for data than the system can handle, but in a DoS attack it’s one system that is sending the malicious data or requests, whereas a DDoS attack comes from multiple systems.
Distributed attacks can cause much more damage than an attack originating from a single machine, as the defending company needs to block large numbers of IP addresses.
A DDoS is a blunt instrument of an attack. Unlike a successful infiltration, it doesn’t net you any private data or get you control over your target’s infrastructure. It just knocks their cyber infrastructure offline. Still, in a world where having a web presence is a must for just about any business, a DDoS attack can be a destructive weapon aimed at an enemy.
There are three main motives behind DDoS attacks:
Taking rivals offline — The Mirai botnet, which was used in the DDoS attack against DNS provider Dyn, was designed as a weapon in a war among Minecraft server providers. And, today, the gaming industry remains a primary target of DDoS attacks. As Netscout put it in its most recent DDoS Threat Intelligence Report, “The allure of attacking the gaming industry lies in its substantial financial value and the goal of disrupting competitors.”
Geopolitics — The Netscout report also noted that politically motivated groups are “increasingly are using DDoS as a tool to target those ideologically opposed to them.” In Peru, for example, DDoS attacks spiked after nationwide protests in December. And, these groups are “executing attacks that seamlessly transcend national borders.” The pro-Russia hacktivist group NoName057(16), for example, targeted not just Ukraine, but countries that support Ukraine.
Financial gain — While a DDoS attack isn’t the same thing as a ransomware attack, DDoS attackers sometimes will contact their victims and promise to turn off the firehose of packets in exchange for some Bitcoin.
And, sometimes, DDoS attackers are just in it for the money—not money from you, but from someone who wants to take your website out. Tools called booters and stressers are available on the dark web that essentially provide DDoS-as-a-Service to interested customers, offering access to ready-made botnets at the click of a button, for a price.
DDoS botnets are the core of any DDoS attack. A botnet consists of hundreds or thousands of machines, called zombies or bots, that a malicious hacker has gained control over. The attackers harvest these systems by identifying vulnerable machines that they can infect with malware through phishing attacks, malvertising attacks, and other mass infection techniques. The infected machines can range from ordinary home or office PCs to IoT devices—the Mirai botnet famously marshalled an army of hacked CCTV cameras—and their owners almost certainly don’t know they’ve been compromised, as the devices continue to function normally in most respects.
The infected machines await a remote command from a so-called command-and-control server, which serves as a command center for the attack and is often itself a hacked machine. Once unleashed, the bots all attempt to access some resource or service that the victim makes available online. Individually, the requests and network traffic directed by each bot towards the victim would be harmless and normal. But because there are so many of them, the requests often overwhelm the target system’s capacities—and because the bots are generally ordinary computers widely distributed across the internet, it can be difficult or impossible to block out their traffic without cutting off legitimate users at the same time.
There are three primary classes of DDoS attacks, distinguished mainly by the type of traffic they lob at victims’ systems:
Techniques common to all types of DDoS attacks include:
All three of these techniques can be combined into what’s known as a reflection or amplification DDoS attack, which has become increasingly common.
DDoS attacks can be difficult to diagnose. After all, the attacks superficially resemble a flood of legitimate requests from legitimate users. But there are ways to distinguish the artificial traffic of a DDoS attack from the more “natural” traffic you’d expect from real users.
DDoS attack symptoms to watch for:
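As an added illustration, not part of the original article, the script below scores each minute of a web server access log against three assumed heuristics for flood-like traffic: a request rate far above a baseline, a few source IPs carrying most requests, and most requests sharing one User-Agent string. The log format, thresholds and sample lines are all constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx combined log format (assumed input format for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return source IP, minute bucket and User-Agent, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")                      # e.g. 10/Oct/2023:13:55:36 +0000
    return {"ip": m.group("ip"), "minute": ts[:17], "ua": m.group("ua")}

def analyze(lines, baseline_rpm, rate_factor=5.0, top_ip_share=0.5, ua_share=0.8):
    """Flag minutes whose traffic looks flood-like rather than organic.
    Heuristics are assumptions for this example: rate spike vs. baseline,
    three IPs carrying most requests, or one User-Agent dominating."""
    per_min = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_min[rec["minute"]].append(rec)
    findings = {}
    for minute, recs in sorted(per_min.items()):
        n, reasons = len(recs), []
        if n > baseline_rpm * rate_factor:
            reasons.append("rate_spike")
        ips = Counter(r["ip"] for r in recs)
        if sum(c for _, c in ips.most_common(3)) / n >= top_ip_share:
            reasons.append("few_source_ips")
        ua, cnt = Counter(r["ua"] for r in recs).most_common(1)[0]
        if cnt / n >= ua_share:
            reasons.append("identical_user_agent")
        if reasons:
            findings[minute] = {"requests": n, "top_ips": ips.most_common(3), "reasons": reasons}
    return findings

def constructed_log():
    """Constructed sample: one quiet minute, then a distributed flood with one UA."""
    fmt = '{ip} - - [10/Oct/2023:13:{mm}:{ss:02d} +0000] "GET /{path} HTTP/1.1" 200 512 "-" "{ua}"'
    quiet = [fmt.format(ip=f"203.0.113.{i}", mm="55", ss=i, path=f"p{i}", ua=f"Mozilla/5.0 (client {i})") for i in range(8)]
    flood = [fmt.format(ip=f"198.51.100.{i % 40}", mm="56", ss=i % 60, path="login", ua="python-requests/2.31") for i in range(120)]
    return quiet + flood

if __name__ == "__main__":
    for minute, f in analyze(constructed_log(), baseline_rpm=10).items():
        print(minute, f["requests"], f["reasons"], f["top_ips"])
```

The baseline requests-per-minute figure should come from your own traffic history; the quiet minute here passes all three checks while the flood minute trips the rate and identical-User-Agent checks without tripping the few-source-IPs check, which is the signature of a distributed rather than single-source flood.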
Mitigating a DDoS attack is difficult because, as previously noted, the attack takes the form of web traffic of the same kind that your legitimate customers use. It would be easy to “stop” a DDoS attack on your website simply by blocking all HTTP requests, and indeed doing so may be necessary to keep your server from crashing. But doing that also blocks anyone else from visiting your website, which means your attackers have achieved their goals.
If you can distinguish DDoS traffic from legitimate traffic as described in the previous section, that can help mitigate the attack while keeping your services at least partially online: for instance, if you know the attack traffic is coming from Eastern European sources, you can block IP addresses from that geographic region. A good preventative technique is to shut down any publicly exposed services that you aren’t using. Services that might be vulnerable to application-layer attacks can be turned off without affecting your ability to serve web pages.
In general, though, the best way to mitigate DDoS attacks is simply to have the capacity to withstand large amounts of inbound traffic. Depending on your situation, that might mean beefing up your own network, or making use of a content delivery network (CDN), a service designed to accommodate huge amounts of traffic. Your network service provider might also have its own mitigation services you can make use of.
Yes, DDoS is illegal. Most anti-cybercrime laws, in the U.S., the U.K., and elsewhere, are fairly broadly drawn and criminalize any act that impairs the operation of a computer or online service, rather than specifying particular techniques. And the act of hacking into a computer to make it part of a botnet is itself illegal.
You might see a counterargument that goes something like this: it’s not illegal to send web traffic or requests over the internet to a server, and so therefore DDoS attacks, which are just aggregating an overwhelming amount of web traffic, cannot be deemed a crime. This is a fundamental misunderstanding of the law, however.
Simulating a DDoS attack with the consent of the target organization for the purposes of stress-testing their network is legal, however.
March 2024 — A group of Russia-aligned hacktivists disrupted several French government services with a series of DDoS attacks.
June 2022 — Google disrupted the largest DDoS attack to date, which over the course of a couple of minutes reached 46 million requests per second.
October 2016 — A DDoS attack on DNS provider Dyn knocked out internet access to most of the US East Coast and almost took down the internet. This remains one of the most infamous DDoS attacks of all time.
March 2014 — Project management software provider Basecamp was taken offline by a DDoS attack after refusing to pay a ransom.
February 2004 — A DDoS attack famously took the SCO Group’s website offline. At the time, the company was much in the news for lawsuits relating to its claiming to own the rights to Linux, leading to speculation that open source advocates were responsible for the attack.