What Is A DDos Attack?

What Is A DDos Attack?

Updated: 08-10-2021

Distributed Denial-of-Service attacks are carried out by cybercriminals who flood a target site or server with malicious traffic to the point where it becomes inaccessible to users. Cybercriminals use botnets to launch this kind of attack.

Botnets are a group of infected devices controlled by cybercriminals.

The owners of the infected devices may not even be aware that they're instigating botnet attacks. A DDoS attack occurs when the botnets are prompted to visit the target website simultaneously, slowing or shutting down the website completely when it fails to handle the high traffic. This is because website servers have a limit to the number of web requests they can handle at one time.

A DDoS attack aims to exceed the set limit and ultimately hinder legitimate users from accessing the target website. Some hackers do it for fun, while others for financial gain. It's difficult for websites to protect themselves against DDoS attacks unless they use anti-DDoS hosts.

This article explains what a DDoS attack is and how to protect yourself against such an attack. Here's a preview of what's to come:

  • What is a DDoS attack?
  • How do DDoS attacks work?
  • How to identify a DDoS attack?
  • How to protect against DDoS attacks?
  • What may happen as a result of a DDoS attack?
  • What are the common types of DDoS attacks?
  • How to mitigate a DDoS attack?
  • Reasons for DDoS attacks
  • Online gaming DDoS attacks
  • New forms of DDoS attacks
  • Real-life examples of DDoS attacks

What Is a DDoS Attack?

A DDoS attack is a cyberattack used to take down a website or make it extremely slow, albeit temporarily. The attack can affect large corporations and small businesses alike. For a better understanding of DDoS attacks, you'll first need to learn more about botnets.

Cybercriminals can easily buy botnets on the dark web, a subset of the deep web, and can only be accessed using the Tor browser. Exploited machines can be any internet-connected devices or Internet of Things (IoT) devices, such as smartwatches, traffic lights, home security systems, washing machines, etc. Think of a DDoS attack as unexpected traffic that disrupts normal traffic and prevents motorists from arriving at their destination.

How Do DDOS Attacks Work?

Even though there are different types of DDoS attacks, the most common attacks involve a hacker creating or buying a botnet from the dark web. The hacker then instructs the botnet to visit a target website. The target website will then be flooded by thousands of devices requesting access to the website's content.

In most cases, the website server cannot handle the multiple requests and thus is shut down from the network. If the webserver can handle the number of requests without shutting down, the website takes a longer time to load, and this may frustrate users, who will then opt for other websites. But, in most cases, DDoS attacks make a website entirely inaccessible for legitimate users.

Hosting companies find it difficult to prevent DDoS attacks because each bot is a legitimate IoT device, and it is almost impossible to separate normal traffic from DDoS traffic.

How To Identify a DDOS Attack?

You can easily notice when your site is undergoing a DDoS attack by how it reacts to web requests. If the website was fast and responsive but suddenly becomes slow or unavailable, it might be because of a DDoS attack. On the other hand, if you run a website that handles a huge traffic volume, it might be difficult to identify a DDoS attack because you might think the performance issues are due to a spike in traffic.

In that case, you can use traffic analytics tools to help you identify a DDoS attack. You can also watch out for the signs below to better identify a DDoS attack:

  • Large volume of web requests to a single web page.
  • Large volume of traffic originating from one IP address or IP range.
  • Large volume of traffic originating from users sharing a single behavioral profile, e.g., device type, geolocation, or web browser.
  • Odd web traffic patterns that appear at given intervals.

How To Protect Against DDOS Attacks?

You can protect yourself against DDoS attacks in two ways. First, you can choose a hosting company with anti-DDoS if you're a website owner. Alternatively, you can protect your personal IoT devices against DDoS attacks.

Protecting Your Website Against DDoS Attacks

If you're a website owner, you can check the measures employed by your hosting provider against DDoS attacks. Different hosting providers have different security measures that offer protection against such attacks. Unfortunately, most hosting providers only have basic protection that can't prevent DDoS attacks.

Additionally, basic protection offered by hosting providers can't prevent DDoS attacks because the requests sent by devices part of a botnet seem like normal requests. And there's no way the hosting providers can differentiate between malicious requests and normal requests. Even if the hosting providers decide to block them, a botnet's number of web requests may be too much for the webserver to handle. Nowadays, botnets are becoming much more advanced, making it difficult for websites to offer protection against DDoS attacks.

Protecting Your Personal Devices Against DDoS Attacks

The best way to protect your personal devices against DDoS attacks is by using a Virtual Private Network (VPN). A VPN masks your real IP address and assigns you a fake IP address depending on the VPN server you choose.

It also encrypts your online traffic and creates a secure communication tunnel between you and the destination server.

For an attacker to launch a DDoS attack, they need your actual IP address. So when a VPN hides your real IP, it makes it difficult for the attacker to launch the attack.

What Does DDoS Attack Do?

A DDoS attack can have serious consequences, especially for an e-commerce website. Most online shoppers expect e-commerce websites to load faster and be responsive. A potential customer will be frustrated if a website loads slowly or is unavailable due to a DDoS attack. This may lead to loss of potential customers and income. 

What Are Common Types of DDOS Attacks?

The categorization of DDoS attacks depends on the network component targeted. For this reason, you need to understand how a network connection works to know the type of attack you might face. Typically, a network connection is made up of different layers.

Each layer serves a different purpose to make the network functional. These layers include:

  • Application layer
  • Presentation layer
  • Session layer
  • Transport layer
  • Network layer
  • Data Link layer
  • Physical layer

DDoS attacks can also be categorized depending on the attack vectors used in overwhelming network traffic.

Application Layer Attacks

An attacker can launch a DDoS attack on the application layer or the 7th layer of the OSI model to exhaust the target's resources. This is usually the layer that generates web pages on the server and delivers HTTP requests responses. While an HTTP request might be easy to execute on the client side, it's computationally expensive for the server to respond to such a request.

This is because the server has to load multiple files and run different database queries before creating a single web page. As a result, application-layer attacks can be difficult to defend against because it's hard for the server to differentiate legitimate traffic from illegitimate ones.

HTTP Flood Attack

This kind of DDoS attack entails the flooding of multiple HTTP requests to the server. It can be compared to multiple people pressing the refresh button simultaneously on many different computers resulting in a denial of service.

The HTTP flood attack can either be simple or complex.

Simpler implementations of the attack target one Universal Resource Locator (URL) while using the same range of IP addresses, user agents, and referrers. On the other hand, complex implementations of the attack use multiple attacking IP addresses, referrers, and user agents to target random URLs.

Protocol Attacks/State-Exhaustion Attacks

The main goal of this attack is to overconsume server resources and cause service disruption. This attack consumes network resources of network equipment such as firewalls and load balancers. Additionally, it utilizes the weaknesses in layer 3 and 4 of the OSI model, making the target website inaccessible.

SYN Flood DDoS Attack/Half-Open Attack

This type of attack exploits the vulnerabilities in the TCP/IP handshake to cause service disruption. It makes the target website unavailable to real users by consuming all the server resources. The attacker achieves this by repeatedly sending SYN packets to the targeted server machine and overwhelming its ports. As a result, the targeted device fails to respond to legitimate traffic or responds slowly. 

Volumetric Attacks

This type of attack creates congestion by consuming all the bandwidth between the target device and the internet. In a volumetric attack, the attacker sends massive traffic to the target using amplification or any other method of sending a huge volume of traffic, such as web requests from a botnet.

DNS Amplification Attack

This reflection-based volumetric DDoS attack overwhelms the target server by sending an amplified amount of traffic. In this type of attack, the attacker uses a spoofed IP address to request an open DNS server, sending a response to the target IP address. It works by leveraging DNS resolvers to overwhelm the target IP address with traffic.

How To Mitigate a DDoS Attack

Most of the time, it's difficult to prevent a DDoS attack with the basic protection offered by hosting providers. If your device or web server is under a DDoS attack, the best way to mitigate the attack is by separating the attack traffic from normal traffic. Unfortunately, it isn't as easy as it sounds because DDoS traffic is advanced and comes in different forms.

A DDoS attack can either be from an un-spoofed single source or a complex multi-vector attack. You can easily identify an attack from an un-spoofed single source, but it's difficult to detect and mitigate an adaptive multi-vector DDoS attack. This is because a multi-vector attack utilizes several attack pathways and distracts mitigation efforts based on one trajectory.

It usually attacks multiple protocol stack layers simultaneously, e.g., the DNS amplification attack and HTTP flood attack. Mitigating such an attack requires several strategies based on different trajectories. The more complex the attack, the more difficult it is to differentiate attack traffic from regular traffic.

Mitigation attempts often involve the indiscriminate dropping or limiting of traffic. This means that legitimate traffic can also be thrown out with illegitimate traffic to overcome a complex DDoS attack.

Network administrators can take the following measures in case of a DDoS attack:

Blackhole Routing

Blackhole routing involves routing both legitimate and illegitimate network traffic to a black hole and dropping it from the network. The black hole is simply a null route with no specific destination. It's the easiest solution but not ideal because it makes the network inaccessible, and this is exactly what the attacker wants to happen.

Rate Limiting

Rate limiting involves limiting the number of requests a server can accept at a given time. It's an effective way of mitigating brute force attacks and slowing down web scrapers used to steal content but isn't effective enough to handle a complex DDoS attack.

Web Application Firewall (WAF)

Web Application Firewall is a tool effective in mitigating layer 7 DDoS attacks. The network administrator can place a WAF tool between the internet and web server; the WAF tool will act as a reverse proxy and protect the web server from malicious traffic.

WAF filters requests based on rules that can identify DDoS tools and effectively impede layer 7 attacks.

Anycast Network Diffusion

This mitigation measure uses the Anycast network to scatter illegitimate traffic over a network of distributed servers until the traffic is absorbed fully by the network. Anycast is a traffic routing method that delivers data packets to a destination nearer to the sender in terms of network topology.

It mitigates a DDoS attack by spreading the attack's impact from one network server to another and makes attack traffic manageable to the point that it can't overwhelm the server. When multiple web requests flood a single IP address managed by the Anycast network, the network distributes the requests using a prioritization methodology and chooses particular data centers with the capacity to process the requests efficiently.

As mentioned earlier, a DDoS attack aims at overwhelming a network by sending multiple requests simultaneously to a target server. With an Anycast network, the load is spread from the target server to other available data centers capable of processing and handling each incoming request. It also prevents the target server from extending its capacity, and helps avoid service interruptions to clients.

Reasons for DDoS Attacks

There are several reasons for launching DDoS attacks against a company or organization. For instance, a rival company may pay some attackers to take down a competitor's website. Below are major reasons cybercriminals launch DDoS attacks:


Cybercriminals target financial institutions and large e-commerce companies with a DDoS attack and demand ransom for the resumption of normal services. They may even go ahead and launch a larger attack if the companies fail to meet their demands.


There have been cases where hackers launch DDoS attacks against a company or organization for revenge. For example, when a disgruntled employee gets angry for whatever reason and decides to attack former employers via a botnet. DDoS attacks are easy to launch because individuals with the right technical skills can visit the dark web and buy a botnet.

Power Play

Some cybercriminals attack large companies and take down websites just to know what they're capable of. At times, they might do it to send a message to the corporate world.


Some hackers launch DDoS attacks and take down websites for fun. They might do it to simply test their hacking skills.

Online Gaming DDoS Attacks

During competitive massively multiplayer online role-playing (MMORPG) games, hackers might launch a DDoS attack against their opponents to get them disqualified from the competition due to a bad connection. In such a case, the only thing the attacker needs is the IP address of the victim.

With this kind of information, the hackers then send lots of requests to the IP address, making it difficult for the victim to access the game server.

The best way to prevent a DDoS attack is by using a VPN, which hides your real IP address from attackers.

New Forms of DDoS Attacks

Recently, new forms of DDoS attacks have emerged, involving built-in network protocols never used before in such attacks. This makes it incredibly difficult to mitigate DDoS attacks and separate legitimate traffic from illegitimate ones. The network protocols used include the following:

  • Constrained Application Protocol (CoAP).
  • Apple Remote Management Service (ARMS).
  • Web Services Dynamic Discovery (WS-DD).

These protocols are often used in companies' internal networks and IoT devices. For this reason, they can't be disabled to prevent or mitigate DDoS attacks.

DDoS attacks have become much bigger; in the 90's they consisted of about 150 requests per second, but nowadays, an attack can launch up to a million requests per second.

In 2016, the Mirai botnet aided one of the biggest DDoS attacks in recent times by infecting thousands of insecure IoT devices with malware in a rather simple way. The botnet scanned for open Telnet ports and logged in using default passwords, and ended up amassing an army of bots.

Mirai isn't the only IoT-powered botnet; a similar-sized botnet called WireX infected 100,000 Android devices across 100 countries. The botnet targeted content providers and delivery networks by sending requests from Android devices of unsuspecting users.

There's even an advanced IoT-powered botnet called Torii, considered more dangerous than Mirai, and can take control over a range of IoT devices.

Cybercriminals have also learned new ways to exploit servers using the Memcached memory caching system. During a DDoS attack, the servers then send a large chunk of data when responding to simple requests.

Memcached servers usually run on internal networks and are not equipped with the security to prevent hackers from spoofing IP addresses and sending huge volumes of traffic to unsuspecting victims.

Another new trend is the use of Advanced Persistent Denial-of-Service (APDoS), a multiple attack vector within a DDoS attack, involving the application layer. APDoS can be used to launch attacks against databases, applications, and the server.

Real-life Examples of DDoS Attacks

DDoS attacks continue to evolve and cause greater damage than before. Below are real-life examples of DDoS attacks:


The Mafiaboy attack took place on February 7, 2000, disrupting big-name websites such as CNN, Amazon, eBay, and Yahoo. The attack was orchestrated by a 16-year-old called Michael Calce, alias Mafiaboy.

Estonia Cyberattack

The Estonia cyberattack took place in April 2007, targeting major government, financial, and media services in Estonia.

Frequently Asked Questions About DDoS Attacks

What Are DDoS Attack Tools?

The primary attack tool for DDoS cybercriminals is a botnet, a collection of malware-infected devices. Botnets can be computers, servers, IoT devices, and mobile devices.

How Can I Protect a Network From DDoS Attacks?

There's no foolproof security system that can prevent DDoS attacks. But you can take preventive measures and have a DDoS mitigation plan to secure your network. A great example is connecting to a reliable VPN to hide the network's IP address.

Why Are DDoS Attacks Often Successful?

DDoS attacks often succeed because they're distributed in nature, and it's difficult to discern between a real user and fake traffic. 

What Are the Common Signs of a DDoS Attack?

The major indication of a DDoS attack is the degradation in network performance and unavailability of a specific website that was up and running earlier. Another common manifestation is receiving an excessive volume of spam emails.


DDoS attacks flood a target site with illegitimate requests, which makes it incapable of handling legitimate requests. Unfortunately, it is difficult to differentiate between legitimate and illegitimate requests and impossible to stop or prevent a DDoS attack. However, you can always find ways to protect your device or network from such an attack. Using a reliable premium VPN is a great example of a possible

Leave a Reply

Your email address will not be published. Required fields are marked *