DDoS Attacks - What They Are and How to Guard Against Them

In July 2021, the security and CDN provider Cloudflare mitigated what was then a record-breaking DDoS attack against one of its customers: the attackers bombarded the target with over 17 million HTTP requests per second. It wasn’t an isolated case. In 2020 alone there were approximately 10 million DDoS attacks, and the number of incidents is rising.
The indiscriminate nature of these attacks is what makes them so dangerous. The primary purpose of a DDoS attack is not to steal data; rather, the perpetrators’ goal is to disrupt a service and make a website or application unavailable. This article covers who is behind DDoS attacks, how they play out, and what you can do to defend against them.
A distributed denial of service (DDoS) attack is a cyber-attack aimed at rendering a service or server unavailable. Thousands of machines in different locations send requests to the same target at the same time. The server, or the network link in front of it, is saturated by the volume of traffic and can no longer serve legitimate users. Visitors to the affected site typically see an error such as “HTTP 503 Service Unavailable”, get a connection timeout, or find that the page takes an unusually long time to load.
How a DDoS attack works.
The computer network perpetrating the attack usually consists of a group of hijacked devices known as a botnet or zombie network. The owners of these computers likely downloaded malware by mistake and may be unaware that their devices are involved; the attack’s mastermind is often located thousands of miles away.
Over the past decade, poorly secured Internet of Things (IoT) devices such as network cameras, sensors, smart TVs, and light bulbs have increasingly been recruited into botnets used for DDoS attacks. At present, however, cybercriminals don’t even need to distribute malware to build a botnet: they can rent “DDoS as a service” (so-called booter or stresser) capacity cheaply on underground markets.
Botnets target different layers of the network stack, exploiting weaknesses in protocols and applications to bring traffic to a standstill. These attacks usually target businesses, such as online platforms, cloud services, or banks. There are various reasons for this, such as:
Experts use two parameters to measure the size of a DDoS attack:
Volume (bandwidth)
The amount of data used to flood the target is measured in megabits per second (Mbps), gigabits per second (Gbps), or terabits per second (Tbps) and reflects how much bandwidth the attackers can bring to bear on their victims. Although attacks in the Tbps range have attracted significant media attention in recent years, Netscout’s analysis shows that most DDoS attacks still clock in at less than 1 Gbps.
Packet rate
This parameter is the number of packets the bots send per second, regardless of their size. Many small packets at a high rate exhaust the packet-processing capacity of routers, firewalls, and servers even when the bandwidth involved is modest. Netscout reports that most DDoS attacks range between 10 and 100 kpps (thousands of packets per second). For application-layer floods, the relevant measure is requests per second (rps), which is how the Cloudflare attack mentioned above was reported.
Almost all Internet applications use client-server architecture. A computer (the client) sends a request to another computer (the server). This happens, for example, whenever you type a web address into your browser.
A server’s network link typically carries several gigabits per second (Gbps), and the server itself can handle thousands of concurrent requests. Problems arise when the volume of traffic exceeds what the link, the server’s CPU and memory, or the application behind it can handle. Think of it as a road during rush hour: even on the widest highway, the sheer number of cars eventually leads to congestion.
Regardless of the technique used, a DDoS attack always follows the same steps:
Internet protocols are layered, with each layer responsible for a different aspect of transporting data. The OSI model (visualized below) illustrates this by assigning a specific function to each of its seven layers. Depending on the type of DDoS attack, different layers and interfaces are affected. Accordingly, IT experts group DDoS attacks into the following categories:
Depending on the type, DDoS attacks target different layers of Internet protocols.
Below are examples of specific types of DDoS attacks, along with descriptions of how they work.
The User Datagram Protocol (UDP) is a connectionless transport-layer protocol: there is no three-way handshake, so a single packet with a forged source address is accepted without question. In a UDP flood, the bots send large numbers of UDP packets to random or specific ports on the target until its bandwidth is exhausted. For every packet that reaches a port with no listening application, the target has to check for a listener and then reply with an ICMP “Destination Unreachable” message, so the outbound replies and the per-packet processing consume CPU and bandwidth on top of the inbound flood. Stateful firewalls in the path suffer too, because they create a state-table entry for every new flow and their tables fill up. Source IP addresses are usually spoofed, so blocking individual senders achieves little.
The Domain Name System (DNS) translates domain names into IP addresses such as 96.92.212.183. When a user types experte.com into their browser, a DNS resolver responds with the corresponding IP address. In a DNS reflection (or amplification) attack, the bots send queries to open DNS resolvers with the source address forged to be the victim’s, so the resolvers send their answers to the victim instead of to the attacker. Because a query of a few dozen bytes can trigger a response of several kilobytes (for example an ANY query that advertises a large EDNS0 buffer size), the traffic arriving at the victim is many times larger than the traffic the bots sent; this ratio is the amplification factor. The victim is flooded with DNS answers to questions it never asked, while the resolvers, not the bots, appear to be the source.
Unlike UDP, TCP establishes a connection with a three-way handshake. The client sends a SYN (synchronize) segment, the server replies with a SYN-ACK (synchronize-acknowledge) and reserves state for the half-open connection, and the client completes the handshake with an ACK. If the final ACK never arrives, the connection is not established, but the server keeps the half-open entry until it times out. In a SYN flood, the bots send SYN segments, usually from spoofed addresses, and never send the ACK. Each half-open connection occupies a slot in the server’s listen backlog; once the backlog is full, SYNs from legitimate clients are dropped and nobody can connect. Modern operating systems counter this with SYN cookies: instead of storing state, the server encodes the connection details into the initial sequence number of its SYN-ACK and only allocates the connection when a valid ACK comes back.
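The amplification in a DNS reflection attack comes from the ratio between the query and the answer. The added example below is not from the original article; it builds the small ANY query with an EDNS0 OPT record that the bots would send, a constructed resolver response consisting of ten 255-byte TXT records for an assumed zone (example.com; the record set is invented for the demonstration), and computes the resulting amplification factor. The forged source address lives in the IP header, which this code deliberately does not build.

```python
import struct

DNS_TYPE_TXT = 16
DNS_TYPE_OPT = 41
DNS_TYPE_ANY = 255
DNS_CLASS_IN = 1


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def edns_opt(udp_payload_size):
    """OPT pseudo-record: root name, type 41, the 'class' field carries the UDP buffer size."""
    return b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload_size, 0, 0)


def build_query(name, qtype=DNS_TYPE_ANY, txid=0x1234, udp_payload_size=4096):
    """The small packet the bots send. ANY plus a large EDNS0 buffer asks the resolver to
    pack as much as it can into a single UDP datagram."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags: RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    return header + question + edns_opt(udp_payload_size)


def build_response(name, txt_strings, qtype=DNS_TYPE_ANY, txid=0x1234, udp_payload_size=4096):
    """What the resolver sends to the forged source: the question echoed, then one TXT record
    per string. 0xC00C is a compression pointer back to the name in the question section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 1)   # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    answers = b""
    for s in txt_strings:
        if len(s) > 255:
            raise ValueError("a TXT character-string is at most 255 bytes")
        rdata = bytes([len(s)]) + s
        answers += struct.pack("!HHHIH", 0xC00C, DNS_TYPE_TXT, DNS_CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers + edns_opt(udp_payload_size)


def is_response(msg):
    """QR bit (top bit of the flags word). A host that sent no query but receives a steady
    stream of messages with QR=1 from UDP port 53 is on the receiving end of a reflection attack."""
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x8000)


def amplification_factor(query, response):
    """Bytes arriving at the victim for every byte the bots had to send."""
    return len(response) / len(query)


# Constructed zone data: ten TXT records of 255 bytes each, the kind of bloated record set
# attackers look for (or stand up themselves) on a domain they query through open resolvers.
SAMPLE_TXT = [bytes([65 + i]) * 255 for i in range(10)]

if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response("example.com", SAMPLE_TXT)
    print(f"query {len(q)} bytes -> response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
    print("QR bit set on response:", is_response(r), "/ on query:", is_response(q))
```

With these constructed records a 40-byte query produces a 2,720-byte answer, a factor of 68; every megabit the bots send becomes 68 megabits at the victim. The same query-building code, pointed at your own resolvers from an outside address, is a quick check for whether they answer recursive queries for arbitrary names, which is the property that makes a resolver usable as a reflector.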
A SYN flood generates enough half-open connections to exhaust a server’s backlog.
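To show why a full backlog locks everyone out and how SYN cookies avoid storing state at all, here is an added example that is not part of the original article: a toy listener that either keeps one half-open entry per SYN or answers statelessly with a cookie. The cookie layout (5 bits of time counter, 2 bits of MSS index, 25 bits of truncated HMAC) is a simplification of what real kernels do, and the secret, addresses and sequence numbers are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

# Assumption: a per-host secret that a real kernel would rotate periodically.
COOKIE_SECRET = b"constructed-demo-secret-rotate-me"
SERVER_IP, SERVER_PORT = "192.0.2.10", 443      # constructed addresses (RFC 5737 range)
MSS_TABLE = (536, 1300, 1440, 1460)              # the 2-bit MSS index selects one of these


def syn_cookie(src, sport, dst, dport, client_isn, counter, mss_idx):
    """Server ISN for the SYN-ACK that encodes the connection instead of storing it:
    bits 27..31 = time counter (64-second slots), bits 25..26 = MSS index, bits 0..24 = MAC."""
    msg = struct.pack("!4sH4sHII", socket.inet_aton(src), sport, socket.inet_aton(dst), dport,
                      client_isn, counter)
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    tag = int.from_bytes(mac[:4], "big") & 0x1FFFFFF
    return ((counter & 0x1F) << 27) | ((mss_idx & 0x3) << 25) | tag


def check_cookie(src, sport, dst, dport, seq, ack, now_counter):
    """Validate the final ACK: the client echoes our ISN+1 in ack and its own ISN+1 in seq.
    Cookies from the current and the previous slot are accepted; older ones have expired.
    Returns the MSS to use for the connection, or None if the ACK does not match."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 25) & 0x3
    for age in (0, 1):
        counter = now_counter - age
        if counter < 0 or (counter & 0x1F) != cookie >> 27:
            continue
        expected = syn_cookie(src, sport, dst, dport, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


class Listener:
    """Toy listening socket: classic backlog of half-open entries, or stateless SYN cookies."""

    def __init__(self, backlog=128, use_cookies=False):
        self.backlog, self.use_cookies = backlog, use_cookies
        self.half_open = {}            # (src, sport) -> client_isn, stateful mode only
        self.established = 0
        self.dropped = 0

    def on_syn(self, src, sport, client_isn, counter):
        """Returns the server ISN placed in the SYN-ACK, or None if the SYN was dropped."""
        if self.use_cookies:
            return syn_cookie(src, sport, SERVER_IP, SERVER_PORT, client_isn, counter, 3)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # backlog full: the SYN is silently discarded
            return None
        self.half_open[(src, sport)] = client_isn
        return 0x20000000              # constructed ISN; a real stack randomises it

    def on_ack(self, src, sport, seq, ack, counter):
        if self.use_cookies:
            ok = check_cookie(src, sport, SERVER_IP, SERVER_PORT, seq, ack, counter) is not None
        else:
            ok = self.half_open.pop((src, sport), None) is not None
        self.established += int(ok)
        return ok


def simulate(use_cookies, spoofed_syns=1000, counter=42):
    """Flood the listener with SYNs that never complete, then let one real client connect.
    Returns (connections established, SYNs dropped)."""
    srv = Listener(use_cookies=use_cookies)
    for i in range(spoofed_syns):                      # constructed spoofed sources
        srv.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.{i % 7 + 1}", 40000 + i, i, counter)
    isn = srv.on_syn("198.51.100.7", 51515, 0x11111111, counter)
    if isn is not None:
        srv.on_ack("198.51.100.7", 51515, 0x11111112, (isn + 1) & 0xFFFFFFFF, counter)
    return srv.established, srv.dropped


if __name__ == "__main__":
    print("stateful backlog:", simulate(False))   # legitimate client locked out
    print("SYN cookies:    ", simulate(True))     # legitimate client connects
```

Without cookies the 128-entry backlog fills after 128 spoofed SYNs and the legitimate client's SYN is one of the 873 dropped; with cookies nothing is stored per SYN, so the flood costs only the CPU to compute an HMAC per segment and the real client gets through. On Linux the equivalent switch is `net.ipv4.tcp_syncookies`, which kicks in once the backlog overflows.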
The Internet Control Message Protocol (ICMP) is used to report errors and diagnose connectivity problems within Internet Protocol version 4 (IPv4); the “ping” utility, for example, uses ICMP echo requests and replies. In a ping of death attack, the attacker sends an ICMP echo request that is larger than the maximum IPv4 packet size of 65,535 bytes. Such a packet cannot exist on the wire, so it is transmitted as a series of smaller fragments whose offsets and lengths add up to more than 65,535 bytes. When a vulnerable system reassembles the fragments, the buffer it allocated for a maximum-size packet overflows and the system crashes or freezes. Operating systems fixed this in the late 1990s by validating each fragment’s offset plus length before reassembly, but any reassembly code that skips that check is exposed to the same attack.
Smurf attacks also involve sending large numbers of ping packets, but unlike ping of death the packets are well formed. The echo requests are sent to a network’s broadcast address with the victim’s IP address forged as the source. Every host on that network that honours the broadcast answers, and all of those replies go to the victim, so a single request is multiplied by the number of hosts on the segment and the intermediary network acts as an amplifier. The name comes from the original attack tool (smurf.c), an allusion to the swarm of small packets that does the damage. Routers have dropped such directed broadcasts by default since 1999 (RFC 2644), and on Linux the sysctl net.ipv4.icmp_echo_ignore_broadcasts=1 stops a host from answering broadcast pings, which is why classic smurf attacks are rare today.
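The check that defeats ping of death is small: a fragment is rejected as soon as its offset plus length would place the reassembled datagram beyond 65,535 bytes. The added example below, which is not from the original article, models IPv4 fragmentation (offsets in 8-byte units, a 20-byte header without options assumed) and applies that check to three constructed echo requests: a normal 56-byte ping, the largest legal one (65,507 bytes of data), and the classic oversized one (65,510 bytes, the payload size used in the original attack against Windows 95).

```python
IPV4_MAX_LENGTH = 65535          # the total-length field is 16 bits
IPV4_HEADER_LENGTH = 20          # assumption: no IP options
ICMP_HEADER_LENGTH = 8


def fragment_is_illegal(offset_units, payload_len):
    """Per-fragment check a stack applies on arrival: where would this fragment end once
    reassembled? Offsets are in 8-byte units, so the last legal fragment starts at 65512."""
    end = offset_units * 8 + payload_len
    return end + IPV4_HEADER_LENGTH > IPV4_MAX_LENGTH


def reassembled_size(fragments):
    """Total datagram size implied by a fragment set of (offset_units, more_fragments, payload_len)."""
    end = max(off * 8 + plen for off, _, plen in fragments)
    return end + IPV4_HEADER_LENGTH


def is_ping_of_death(fragments):
    """True if any fragment would push the reassembled datagram past the IPv4 limit.
    Checking per fragment means the bad one is dropped before a buffer is ever touched."""
    return any(fragment_is_illegal(off, plen) for off, _, plen in fragments)


def fragment_packet(ip_payload_len, mtu=1500):
    """Split an IP payload the way a sender's stack does: every fragment but the last carries a
    multiple of 8 bytes. Returns (offset_units, more_fragments, payload_len) tuples."""
    chunk = ((mtu - IPV4_HEADER_LENGTH) // 8) * 8     # 1480 bytes on Ethernet
    frags, offset = [], 0
    while offset < ip_payload_len:
        plen = min(chunk, ip_payload_len - offset)
        frags.append((offset // 8, offset + plen < ip_payload_len, plen))
        offset += plen
    return frags


# Constructed test traffic: ICMP data sizes plus the 8-byte ICMP header.
NORMAL_PING = fragment_packet(56 + ICMP_HEADER_LENGTH)
MAX_LEGAL_PING = fragment_packet(65507 + ICMP_HEADER_LENGTH)
OVERSIZED_PING = fragment_packet(65510 + ICMP_HEADER_LENGTH)

if __name__ == "__main__":
    for label, frags in (("normal", NORMAL_PING), ("max legal", MAX_LEGAL_PING),
                         ("oversized", OVERSIZED_PING)):
        print(f"{label:10s} {len(frags):3d} fragments, reassembles to {reassembled_size(frags)} "
              f"bytes, ping of death: {is_ping_of_death(frags)}")
```

The oversized request arrives as 45 fragments, each of which looks harmless on its own; only the last one, at offset 65,120 with 398 bytes, reveals that the whole would be 65,538 bytes. A stack that sizes its reassembly buffer from the first fragment and does not check the later ones is exactly the kind that the original attack crashed.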
During a smurf attack, the victim is overwhelmed by a flood of messages without having started a request.
Web browsers such as Chrome or Firefox operate at the application layer of the OSI model. They send HTTP GET or POST requests to retrieve static content (images, videos, files) or dynamic content (search results, pages generated for a particular user) from servers. In an HTTP flood, the bots send large numbers of such requests, each of which is a valid request that the web server, and often the application and database behind it, has to process; attackers favour expensive dynamic pages because each request costs the server far more than it costs the bot. Because any single request is indistinguishable from a genuine one, identifying and filtering the flood is challenging, and defenders rely on rate limiting per client, behavioural analysis of request patterns, and challenges such as JavaScript checks or CAPTCHAs.
Slowloris also targets HTTP at the application layer, but instead of volume it relies on patience. The attacker opens many connections to the web server and sends each request slowly and incompletely, for example one header line every few seconds and never the blank line that ends the headers. The server keeps every connection open waiting for the rest of the request, and once its pool of worker threads or connection slots is full it can no longer accept legitimate clients. A Slowloris attack takes longer to build up than a flood and needs very little bandwidth, but it can keep a site down for as long as the attacker keeps the connections alive. Countermeasures are timeouts for receiving headers and bodies, limits on concurrent connections per client IP, and reverse proxies that only pass complete requests to the application.
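Rate limiting per client is the first line of defence against HTTP floods, and it can be checked against access logs after the fact. The added example below, not from the original article, parses web-server logs in the common combined format, computes the peak number of requests each client made within any sliding 10-second window, and also reports how concentrated each client's traffic is on a single path. The log lines are constructed for the demonstration (a browser fetching four different resources once a second, and a bot hitting the same search endpoint 15 times a second); the thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict, deque, Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_flooders(lines, window_s=10, max_requests=60):
    """Sliding-window rate check per client. Assumes lines are in chronological order, as
    access logs are. Returns {ip: peak requests in any window} for clients over the limit."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec[0], rec[1]
        dq = windows[ip]
        dq.append(ts)
        while (ts - dq[0]).total_seconds() >= window_s:
            dq.popleft()
        if len(dq) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(dq))
    return peaks


def path_concentration(lines):
    """Fraction of each client's requests that go to its single most-requested path.
    Browsers spread requests over pages, scripts and images; flood bots hammer one endpoint."""
    paths = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            paths[rec[0]][rec[3]] += 1
    return {ip: max(c.values()) / sum(c.values()) for ip, c in paths.items()}


def _log(ip, second, path):
    return (f'{ip} - - [12/Oct/2023:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')


# Constructed sample: 20 seconds of one legitimate browser and one flooding bot.
LEGIT_PATHS = ("/index.html", "/style.css", "/logo.png", "/about")
SAMPLE_LOG = []
for s in range(20):
    SAMPLE_LOG.append(_log("198.51.100.7", s, LEGIT_PATHS[s % 4]))
    SAMPLE_LOG.extend(_log("203.0.113.9", s, "/search?q=x") for _ in range(15))

if __name__ == "__main__":
    print("over the rate limit:", find_flooders(SAMPLE_LOG))
    print("path concentration: ", path_concentration(SAMPLE_LOG))
```

The bot peaks at 150 requests per 10 seconds on a single path, the browser at 10 spread over four paths. Used alone, a per-IP rate limit is easy to evade with a large botnet that keeps each bot under the threshold, which is why the concentration signal and the per-path cost matter: a limit on the expensive search endpoint hits the bots much harder than a global one.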
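The two controls named above, a header-receipt deadline and a per-IP cap on in-progress connections, are what front-end servers implement against Slowloris. The added example below is not from the original article; it models those controls as a small guard fed by simulated events, and runs constructed traffic through it: one browser that sends a complete request, and a Slowloris client that opens 300 connections and drips one header line into each every five seconds without ever sending the terminating blank line. The timeout and connection limit are assumptions.

```python
from collections import Counter, defaultdict


class SlowHeaderGuard:
    """Header deadline plus per-source connection cap, as a reverse proxy would apply them."""

    def __init__(self, header_timeout=10.0, max_header_bytes=8192, max_conns_per_ip=50):
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.max_conns_per_ip = max_conns_per_ip
        self.conns = {}                       # conn_id -> [src_ip, opened_at, buffer]
        self.per_ip = defaultdict(int)        # open, still-incomplete connections per source
        self.outcomes = {}                    # conn_id -> "complete" or "dropped:<reason>"

    def open(self, conn_id, src_ip, now):
        """Accept a new connection unless this source already holds too many unfinished ones."""
        if self.per_ip[src_ip] >= self.max_conns_per_ip:
            self.outcomes[conn_id] = "dropped:too_many_connections"
            return False
        self.conns[conn_id] = [src_ip, now, b""]
        self.per_ip[src_ip] += 1
        return True

    def _finish(self, conn_id, outcome):
        src_ip = self.conns.pop(conn_id)[0]
        self.per_ip[src_ip] -= 1
        self.outcomes[conn_id] = outcome

    def receive(self, conn_id, now, data):
        """Called for every chunk that arrives; data may be b"" for an idle-timer tick."""
        conn = self.conns.get(conn_id)
        if conn is None:
            return self.outcomes.get(conn_id)
        conn[2] += data
        if b"\r\n\r\n" in conn[2]:
            self._finish(conn_id, "complete")          # full header: hand to the application
        elif len(conn[2]) > self.max_header_bytes:
            self._finish(conn_id, "dropped:header_too_large")
        elif now - conn[1] >= self.header_timeout:
            self._finish(conn_id, "dropped:header_timeout")
        return self.outcomes.get(conn_id, "waiting")

    def tick(self, now):
        """Idle timer: a connection that stays silent still hits the deadline."""
        for conn_id in list(self.conns):
            self.receive(conn_id, now, b"")


def simulate(attack_conns=300):
    """Constructed traffic: one real browser and one Slowloris client. Returns the outcome
    recorded for every connection."""
    guard = SlowHeaderGuard()
    events = [(1.0, "browser", "198.51.100.7",
               b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")]
    for i in range(attack_conns):
        cid = f"slow-{i}"
        events.append((0.0, cid, "203.0.113.9", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"))
        for t in (5.0, 10.0, 15.0):
            events.append((t, cid, "203.0.113.9", f"X-a: {i}\r\n".encode()))
    events.sort(key=lambda e: e[0])                   # stable sort keeps per-time order
    for now, cid, ip, data in events:
        if cid not in guard.conns and cid not in guard.outcomes:
            if not guard.open(cid, ip, now):
                continue
        guard.receive(cid, now, data)
    return guard.outcomes


def summarize(outcomes):
    return Counter(outcomes.values())


if __name__ == "__main__":
    print(summarize(simulate()))
```

With a cap of 50 the attacker gets only 50 connections accepted, and those are cut off at the 10-second deadline, so the browser is served throughout. In production the same two knobs are nginx's `client_header_timeout` and `limit_conn`, and Apache's `mod_reqtimeout` together with a per-IP connection limit; the header deadline alone is not enough, because an attacker with enough addresses can still keep the pool full for the length of the timeout.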
Increased online activity during the Covid-19 pandemic coincided with a steep rise in DDoS attacks. According to the IT security company F5 Labs, between January and March 2020 alone the number of DDoS attacks increased by 55%. Below, we've listed some notorious DDoS attacks that have made global headlines:
Because DDoS attacks come in many forms and strike at different layers, defending against them requires a layered approach. Companies and organizations in particular should develop a defense strategy early on so they are prepared for the worst-case scenario. Successful strategies usually include the following measures:
DDoS attacks will remain one of the biggest cyber threats for the foreseeable future. Because the perpetrators use hijacked machines and spoofed addresses, the attacks are hard to prevent at the source. The best counter is therefore resilient infrastructure that can absorb the load and quickly identify and divert malicious traffic, typically with the help of a scrubbing or CDN provider.
In a DDoS attack, hackers flood unsuspecting servers with packets or requests. They do so using a botnet, which often includes computers located all over the world. The victim’s website becomes inaccessible because its servers can no longer process legitimate requests.