Networking - DDoS (Distributed Denial of Service)
1. Introduction
A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt the normal functioning of a targeted server, service, or network by overwhelming it with a massive flood of internet traffic from multiple sources.
The main goal of a DDoS attack is to make a website or online service unavailable to legitimate users by exhausting its resources, such as bandwidth, memory, or processing power.
Unlike a regular DoS (Denial of Service) attack, which comes from a single system or internet connection, a DDoS attack uses many computers or devices (often part of a botnet) to launch a coordinated assault. This makes it far more powerful and much harder to stop, because there is no single source address that can simply be blocked.
2. Definition
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA):
“A Distributed Denial-of-Service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.”
In simple terms, it’s like hundreds of people crowding the entrance of a store, preventing legitimate customers from entering and buying something.
3. How a DDoS Attack Works
A DDoS attack typically follows three main steps:
- Infection Phase (Botnet Creation): The attacker infects thousands (or even millions) of computers, IoT devices, or servers with malware, turning them into bots or zombies. Collectively, these compromised devices form a botnet (a network of bots).
- Command and Control (C&C): The attacker uses a Command and Control server to send instructions to all bots simultaneously, directing them toward the target.
- Attack Phase: The bots begin sending massive amounts of data packets, requests, or fake traffic to the target server, causing it to slow down, crash, or become completely inaccessible to legitimate users.
4. Types of DDoS Attacks
DDoS attacks can be classified into three major categories based on the layer of the network stack and the resource they target:
A. Volume-Based Attacks
These attacks focus on consuming the bandwidth of the target system.
- Examples: UDP flood, ICMP (ping) flood.
- Goal: Overwhelm the target's internet connection.
- Measurement: Bits per second (bps).
Example:
A UDP flood sends a very high volume of UDP packets, usually with spoofed source addresses, to random ports on the target. For each packet the host checks whether an application is listening on that port and, finding none, answers with an ICMP "destination unreachable" message. At high packet rates this saturates the link and also consumes the host's processing capacity.
B. Protocol-Based Attacks
These exploit weaknesses in network protocols or server resources.
- Examples: SYN flood, Ping of Death, Smurf attack.
- Goal: Exhaust the target's CPU, memory, or connection tables.
- Measurement: Packets per second (pps).
Example:
In a SYN flood, the attacker sends a large number of TCP SYN (connection request) packets, typically from spoofed source addresses, and never completes the three-way handshake. Each SYN leaves a half-open connection in the server's SYN backlog until it times out; once the backlog is full, SYNs from legitimate clients are dropped even though bandwidth and CPU may still be available.
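The following Python block is an added illustration (not code from the original page) of why a bounded half-open queue fails under a SYN flood, and of the standard stateless countermeasure, SYN cookies, in which the server encodes the connection into the initial sequence number instead of storing it. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), the HMAC, the secret and the addresses are assumptions chosen for readability; Linux's real implementation in net/ipv4/syncookies.c differs in detail but uses the same idea.

```python
import hashlib
import hmac

# Simplified SYN-cookie scheme, added as an illustration. The bit layout and the
# use of HMAC-SHA256 are assumptions; real kernels use their own hash and layout.
SECRET = b"per-host secret, generated at boot"   # assumed server secret
MSS_TABLE = [536, 1220, 1440, 1460]               # MSS values the 3-bit index can encode


def _tag(src, dst, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, mss, now):
    """Initial sequence number for the SYN-ACK. Nothing is stored server-side."""
    counter = (now // 64) & 0x1F                     # 64-second time slots
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0
    return (counter << 27) | (mss_idx << 24) | _tag(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the client's final ACK (= our ISN + 1). Returns the MSS to use for
    the connection, or None if the cookie is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // 64) & 0x1F
    if counter not in (current, (current - 1) & 0x1F):   # accept this slot and the previous one
        return None
    if tag != _tag(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[mss_idx]


class StatefulListener:
    """Classic listener: every SYN occupies a slot in a bounded half-open queue
    until the handshake completes or the entry times out."""

    def __init__(self, backlog, syn_timeout=30):
        self.backlog, self.timeout = backlog, syn_timeout
        self.half_open = {}                               # (src, sport) -> expiry time

    def on_syn(self, src, sport, now):
        self.half_open = {k: exp for k, exp in self.half_open.items() if exp > now}
        if len(self.half_open) >= self.backlog:
            return False                                  # queue full: SYN silently dropped
        self.half_open[(src, sport)] = now + self.timeout
        return True

    def on_ack(self, src, sport, now):
        return self.half_open.pop((src, sport), None) is not None


def legit_client_connects(use_cookies, attack_syns=1000, backlog=128):
    """Flood the listener with SYNs from constructed spoofed sources that never ACK,
    then attempt one legitimate handshake. Returns True if the legitimate client gets through."""
    server, now = "198.51.100.10", 1_000_000
    listener = StatefulListener(backlog)
    for i in range(attack_syns):                          # constructed spoofed flood
        src, sport = f"203.0.113.{i % 256}", 1024 + i
        if use_cookies:
            make_cookie(src, server, sport, 80, 1460, now)   # nothing to remember
        else:
            listener.on_syn(src, sport, now)
    src, sport = "192.0.2.7", 40000                       # the legitimate client
    if use_cookies:
        isn = make_cookie(src, server, sport, 80, 1460, now)
        return check_cookie(src, server, sport, 80, isn + 1, now + 1) is not None
    if not listener.on_syn(src, sport, now):
        return False
    return listener.on_ack(src, sport, now + 1)
```

With the stateful listener, 1000 spoofed SYNs fill a 128-entry backlog instantly and the legitimate client's SYN is dropped; with cookies the server keeps no per-SYN state, so the flood costs it only the hash computations. The price of cookies is that TCP options which do not fit in the encoding are lost, which is why real kernels enable them only once the backlog overflows.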
C. Application Layer Attacks
These target the application layer (Layer 7) of the OSI model — where websites, APIs, and services operate.
- Examples: HTTP flood, Slowloris attack, DNS query flood.
- Goal: Crash web servers or disrupt specific applications.
- Measurement: Requests per second (rps).
Example:
An HTTP flood sends a massive number of well-formed web requests (for example, repeated GETs of an expensive search page or POSTs to a login form). Because every request is valid HTTP, network-level filters see nothing wrong, yet the web server must process each one, and the application layer is overloaded long before the link bandwidth is exhausted. Slowloris takes the opposite approach: it opens many connections and sends headers very slowly, so that each connection stays open and the server runs out of worker threads.
5. Common Tools and Techniques Used in DDoS Attacks
- Botnets: Networks of compromised computers or IoT devices (e.g., the Mirai botnet).
- Reflection Attacks: The attacker sends requests to third-party servers with the source IP spoofed to the victim's address, so the servers send their responses to the victim rather than back to the attacker. This also hides the true origin of the traffic.
- Amplification Attacks: Reflection through services whose responses are much larger than the requests (open DNS resolvers, NTP, memcached), so that a small amount of attacker bandwidth produces a far larger flood at the target.
- Zombie Computers: Ordinary devices (usually with owners unaware of the infection) used to carry out attacks.
6. Effects of a DDoS Attack
A successful DDoS attack can cause severe damage, including:
- Service Downtime: Websites or services become unavailable to users.
- Financial Loss: Companies lose revenue due to downtime.
- Reputation Damage: Customers may lose trust in the organization.
- Operational Disruption: Network and IT systems become unstable.
- Security Diversion: Attackers may use a DDoS as a distraction for other attacks (e.g., data theft) carried out while responders are busy.
7. Detection and Symptoms
Possible signs of a DDoS attack include:
- Unusually slow network performance.
- Inaccessible websites or services.
- A sudden increase in traffic arriving from many IP addresses.
- Server crashes or frequent timeouts.
- Network and server logs showing large volumes of requests or unusual traffic patterns.
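The log symptom in the list above can be checked mechanically. The Python block below is an added example (not from the original page) that parses access-log lines in the common NCSA format, compares each second's request count against the median rate, and distinguishes a flood spread over many addresses from abuse by a single client. The log lines, addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Access-log line in NCSA combined format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, epoch_second, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["req"]


def detect_floods(lines, factor=10, single_source_share=0.5):
    """Flag every second whose request count is at least `factor` times the median
    per-second rate. A second dominated by one client (>= single_source_share of
    its requests) is labelled single-source; otherwise the traffic is distributed."""
    per_second = defaultdict(Counter)              # epoch second -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec, _ = parsed
            per_second[sec][ip] += 1
    totals = {sec: sum(c.values()) for sec, c in per_second.items()}
    baseline = median(totals.values()) if totals else 0
    alerts = []
    for sec in sorted(per_second):
        total = totals[sec]
        if total < factor * baseline:
            continue
        top_ip, top_n = per_second[sec].most_common(1)[0]
        alerts.append({
            "second": sec,
            "rps": total,
            "baseline_rps": baseline,
            "distinct_ips": len(per_second[sec]),
            "kind": "single-source" if top_n / total >= single_source_share else "distributed",
            "top_ip": top_ip,
        })
    return alerts


def build_sample_log():
    """Constructed log: 14 s of normal traffic (3 req/s from four clients), overlaid with
    a 3 s distributed HTTP flood from 150 addresses at 2 req/s each (seconds 10-12)
    and one second (13) in which a single client fires 80 login requests."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    normal_clients = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
    bots = [f"203.0.113.{i}" for i in range(1, 101)] + [f"198.51.100.{i}" for i in range(1, 51)]

    def line(ip, sec, req="GET /index.html HTTP/1.1"):
        ts = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{req}" 200 5120'

    lines = []
    for sec in range(14):                                    # background traffic every second
        for k in range(3):
            lines.append(line(normal_clients[(sec + k) % 4], sec))
    for sec in range(10, 13):                                # distributed flood
        for ip in bots:
            lines.append(line(ip, sec, "GET /search?q=x HTTP/1.1"))
            lines.append(line(ip, sec, "GET /search?q=y HTTP/1.1"))
    for _ in range(80):                                      # single abusive client
        lines.append(line("192.0.2.99", 13, "POST /login HTTP/1.1"))
    return lines
```

The distinction matters for response: a single-source alert can be handled by blocking or rate limiting one address, whereas a distributed alert with hundreds of low-rate sources is exactly the case where per-IP measures fail and upstream filtering or a scrubbing service is needed. The median baseline is deliberately robust to the flood seconds themselves; a mean would be dragged upward by the attack and hide it.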
8. Prevention and Mitigation Strategies
- Increase Bandwidth Capacity: Having more bandwidth can help absorb sudden traffic spikes, though it does not stop the attack itself and cannot keep pace with multi-terabit floods.
- Use Firewalls and Intrusion Detection Systems (IDS/IPS): These can filter out malicious traffic and block suspicious IP addresses. Note that stateful firewalls keep a connection table of their own, so they can be exhausted by protocol attacks such as SYN floods just like the server behind them.
- Deploy DDoS Protection Services: Cloud-based services like Cloudflare, Akamai, or AWS Shield specialize in detecting and mitigating DDoS traffic before it reaches the origin.
- Rate Limiting: Restrict the number of requests from a single IP address within a given time. This stops abuse from individual clients but is of limited use against a distributed flood in which each bot stays under the limit, and it can penalize many legitimate users sharing one address behind NAT.
- Traffic Analysis and Filtering: Analyze incoming traffic patterns to identify abnormal behavior.
- Anycast Network Distribution: Distribute traffic across multiple servers and data centers to reduce the load on any single target.
- Regular Security Updates: Keep systems, software, and IoT devices patched to prevent them from being recruited into botnets.
- Incident Response Plan: Prepare an emergency strategy, including upstream provider contacts, so the organization can respond quickly when an attack occurs.
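As an added example of the rate-limiting strategy in the list above (not code from the original page), the Python block below implements a per-client token bucket: each client may burst a few requests and is then held to a steady rate. The client table is bounded and evicts the least recently seen client, because an unbounded table is itself a resource that a flood of never-repeating source addresses could exhaust. The rates, addresses and the manual clock are assumptions for the demonstration.

```python
import time
from collections import OrderedDict


class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests and is
    then held to `rate` requests per second. The client table is capped at
    `max_clients` entries; the least recently seen client is evicted when it is full."""

    def __init__(self, rate, burst, max_clients=100_000, clock=time.monotonic):
        self.rate, self.burst, self.max_clients, self.clock = rate, burst, max_clients, clock
        self.buckets = OrderedDict()            # client -> [tokens, last_refill_time]

    def allow(self, client):
        now = self.clock()
        bucket = self.buckets.get(client)
        if bucket is None:
            if len(self.buckets) >= self.max_clients:
                self.buckets.popitem(last=False)   # drop least recently seen client
            bucket = self.buckets[client] = [self.burst, now]
        else:
            self.buckets.move_to_end(client)
        tokens = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
        bucket[1] = now
        if tokens >= 1:
            bucket[0] = tokens - 1
            return True
        bucket[0] = tokens                      # refused: keep the fractional refill
        return False


class ManualClock:
    """Deterministic clock for the demonstration below (assumed, not real time)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Returns (decisions during a burst, decisions after 1 s of refill,
    table size after more clients than the table holds)."""
    clock = ManualClock()
    limiter = TokenBucketLimiter(rate=5, burst=10, max_clients=3, clock=clock)
    burst = [limiter.allow("192.0.2.1") for _ in range(12)]       # 10 allowed, then refused
    clock.t += 1.0                                                  # 5 tokens refilled
    refill = [limiter.allow("192.0.2.1") for _ in range(6)]        # 5 allowed, then refused
    for ip in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):       # table is capped at 3
        limiter.allow(ip)
    return burst, refill, len(limiter.buckets)
```

In production the bucket state usually lives in the edge proxy or load balancer rather than the application, and the key is often a combination of address and authenticated identity so that one NAT gateway does not get all its users refused together.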
9. Real-World Examples of DDoS Attacks
- GitHub Attack (2018): GitHub experienced one of the largest DDoS attacks recorded at the time, peaking at 1.35 terabits per second (Tbps). It used exposed memcached servers for reflection and amplification.
- Dyn DNS Attack (2016): The Mirai botnet, made up of hundreds of thousands of compromised IoT devices, targeted Dyn's DNS infrastructure, disrupting access to major websites such as Twitter, Netflix, and Reddit.
- AWS Attack (2020): Amazon Web Services mitigated a 2.3 Tbps CLDAP reflection attack, one of the largest volumetric attacks ever reported.
10. Conclusion
A DDoS (Distributed Denial of Service) attack is one of the most disruptive and common cyber threats today.
By flooding a target with traffic from multiple sources, attackers can take down websites, applications, or entire networks, causing financial loss and reputational damage.
To defend against such attacks, organizations must implement layered security, real-time monitoring, and DDoS protection systems that can detect and mitigate malicious traffic before it causes harm. In the modern digital era, DDoS resilience is a crucial part of maintaining business continuity and user trust.