
DDoS attack: meaning, types and protection

Distributed denial-of-service (DDoS) attacks overwhelm a target server, service, or network so that it can no longer serve anyone trying to use it. It’s like a traffic jam, where the main road is congested with cars sent by a hacker, while the legitimate traffic coming from the side road can no longer get in.

Jomilė Nakutavičiūtė


How does a DDoS attack work?

DDoS attacks are quite powerful, as they use multiple computers or other devices. A hacker builds a botnet by infecting devices and turning them into bots, then remotely directs all of them to send traffic to a specific IP address at once. The flood can exhaust the target's bandwidth or resources and cause the service to crash.

DDoS attacks can last over 24 hours and are difficult to trace. Your computer might be a part of a botnet army, secretly responding to malicious commands, and you won’t even know — it’s hard to notice, as the only signs could be marginally decreased performance or an overheating device. The traffic bombarding the target is coming from legitimate (albeit infected) devices. This makes it even harder to distinguish between genuine and malicious traffic.

DDoS attacks can target a specific component of the network connection or a mixture of them. Every connection made over the internet passes through the layers of the OSI model. Most DDoS attacks happen in the following three layers:

  • Network layer (Layer 3). Attacks that are on this layer include Smurf Attacks, ICMP Floods, and IP/ICMP Fragmentation.
  • Transport layer (Layer 4). These attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
  • Application layer (Layer 7). Mainly HTTP floods, often sent over encrypted HTTPS.

DoS vs. DDoS. What is the difference?

A denial-of-service (DoS) attack floods a server with traffic and makes a service or website unavailable. DoS is a system-on-system attack that uses a single system to attack a specific service. By contrast, DDoS uses multiple computers and systems to compromise its target.

While both attacks serve the same purpose, DDoS is more powerful and dangerous.

How to identify a DDoS attack

The sooner you identify a DDoS attack, the higher the chances of stopping it. Here are the main clues a DDoS attack is happening:

  • Slow or unavailable service. It’s usually the first sign of a DDoS attack. However, many other issues can cause slow performance too, so we can’t rely just on this factor when identifying a DDoS attack.
  • A large amount of traffic coming from a single IP address. You can check the traffic by using traffic analytics tools.
  • Unnatural traffic spikes at random hours of the day.
  • A sudden and unexplained surge of requests at a certain page or endpoint.
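The clues above can be checked mechanically against a web server's access log. The following is an added example, not code from the original article: it parses a constructed combined-format log sample and flags a single address dominating the traffic and a per-minute surge concentrated on one endpoint. The thresholds (50% share, 10x the median minute rate) are assumptions for illustration.

```python
"""Detect the DDoS clues listed above in a web-server access log.

Added example, not code from the original article. The log below is a
constructed combined-format sample; the thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from statistics import median

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \d+')

# Constructed sample: 20 quiet minutes of normal traffic, then one minute in
# which a single address hits /login 60 times.
SAMPLE_LOG = "\n".join(
    [f'198.51.100.{i} - - [10/Oct/2023:13:{i:02d}:00 +0000] "GET /home HTTP/1.1" 200 512'
     for i in range(1, 21)]
    + [f'203.0.113.7 - - [10/Oct/2023:14:00:{s:02d} +0000] "GET /login HTTP/1.1" 200 128'
       for s in range(60)]
)

def parse(log_text):
    """Yield (ip, minute, path) per well-formed line; minute = 'DD/Mon/YYYY:HH:MM'."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, path = m.groups()
            yield ip, ts[:17], path

def analyse(log_text, ip_share=0.5, surge_factor=10):
    """Return the clues found: IPs dominating traffic and minute/endpoint surges."""
    per_ip, per_minute = Counter(), Counter()
    top_path = defaultdict(Counter)
    for ip, minute, path in parse(log_text):
        per_ip[ip] += 1
        per_minute[minute] += 1
        top_path[minute][path] += 1
    total = sum(per_ip.values())
    # Clue: a large share of all requests coming from one source address.
    dominant = [(ip, n) for ip, n in per_ip.most_common() if n / total >= ip_share]
    # Clue: a minute far above the typical per-minute rate, together with the
    # endpoint that absorbed it (a sudden surge at one page).
    baseline = median(per_minute.values())
    surges = [(minute, n, top_path[minute].most_common(1)[0][0])
              for minute, n in sorted(per_minute.items())
              if n >= surge_factor * baseline]
    return {"dominant_ips": dominant, "surges": surges}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A real deployment would compare against a longer baseline window, since a single busy minute in a short log skews the median.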

Types of DDoS attacks

TCP Connection attacks

TCP connection attacks, otherwise known as SYN flood attacks, happen when the three-way TCP handshake between the client and the server is never completed. The attacker sends the opening SYN, the server replies with SYN-ACK, but the attacker never sends the final ACK, leaving half-open connections that occupy the server's connection table. Once that table is full, the server cannot accept any other requests. The hacker keeps flooding it with more handshakes, eventually making it crash.
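The half-open connections described above are visible in the server's own socket table, which is where a defender would first look. This is an added example, not from the article: it reads a constructed snapshot in the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and flags a listening port whose sockets are mostly stuck in SYN-RECV across many distinct peers, the signature of spoofed-source SYN flooding rather than one slow client. The thresholds are assumptions.

```python
"""Spot a SYN flood from the kernel's socket table.

Added example, not from the article. The snapshot below is constructed in
the layout of `ss -tan`; the thresholds are assumptions, not tuned values."""
from collections import Counter

SNAPSHOT = "\n".join(
    ["State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
     "ESTAB      0      0      192.0.2.10:443       198.51.100.4:50112",
     "ESTAB      0      0      192.0.2.10:443       198.51.100.9:50311"]
    # 40 half-open connections, each from a different (likely spoofed) peer
    + [f"SYN-RECV   0      0      192.0.2.10:443       203.0.113.{i}:4{i:04d}"
       for i in range(1, 41)]
)

def parse_sockets(text):
    """Yield (state, local_port, peer_ip) for every socket line, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def assess(text, min_half_open=20, min_half_open_ratio=0.5):
    """Return per-port verdicts: half-open count, their share of sockets, peer spread."""
    half_open, established, peers = Counter(), Counter(), {}
    for state, port, peer_ip in parse_sockets(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers.setdefault(port, set()).add(peer_ip)
        elif state == "ESTAB":
            established[port] += 1
    verdicts = {}
    for port in set(half_open) | set(established):
        total = half_open[port] + established[port]
        ratio = half_open[port] / total
        # A flood shows as many handshakes that never complete, spread over many
        # distinct peers (spoofed sources), not a handful of slow clients.
        suspicious = half_open[port] >= min_half_open and ratio >= min_half_open_ratio
        verdicts[port] = {"half_open": half_open[port], "ratio": round(ratio, 2),
                          "distinct_peers": len(peers.get(port, ())),
                          "suspicious": suspicious}
    return verdicts

if __name__ == "__main__":
    for port, verdict in assess(SNAPSHOT).items():
        print(port, verdict)
```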

Volumetric attacks

Volumetric attacks are the most common type of DDoS attack. They simply consume all available bandwidth between the target and the internet. This is mostly done by using botnets and directing them at a specific target.

One example of a volumetric attack is the hacker spoofing the victim's IP address and making many requests to an open DNS server. The attack is structured so that when the DNS server responds, it sends more data to the victim than they can handle.

Fragmentation attacks

Traffic sent over the internet is divided into data packets, which travel and are reassembled in different ways depending on whether the TCP or UDP transport protocol is being used. A fragmentation attack sends forged packets that disrupt reassembly of the data and therefore overwhelm the server.

The “too many packets” exploit is an example of a fragmentation attack: it floods the network with an excessive number of incomplete, fragmented packets.

Application layer attacks

Application layer or layer 7 attacks target, as the name suggests, applications – the layer where the server generates web pages and responds to HTTP requests. Such an attack looks to the server like someone hitting refresh on the same page many times. It will pass as legitimate traffic until the server is overwhelmed and it’s too late. These attacks are also cheaper for the attacker to run and more difficult to detect than network layer attacks.

Types of DDoS Amplification

A DDoS amplification attack is one where the cybercriminal specifically targets security vulnerabilities in Domain Name System (DNS) servers. They convert small requests into huge responses (thus the term “amplification”), stifling the victim’s bandwidth and effectively halting the target server’s processes. There are two types of amplification attack: DNS reflection and CharGEN reflection.

DNS reflection

A DNS server’s job is to look up the IP address of whichever domain name you type into your address bar: it’s the internet’s address book. In a DNS reflection attack, the hacker sends requests to the DNS server with the victim’s IP address spoofed as the source, asking for large replies, so the server’s answers are delivered to the victim. The replies have been known to be amplified up to 70 times the size of the request, overwhelming the victim instantly.

CharGEN reflection

CharGEN is, by internet standards, an ancient protocol created in 1983 for the purposes of debugging or testing. Unfortunately, many internet-connected printers or copy machines still actively use this protocol, allowing hackers to exploit CharGEN’s many age-induced loopholes. The hacker sends many tiny packets of data, with the victim’s IP address as the spoofed source, to whatever device is running CharGEN. The device then floods the victim’s system with UDP (User Datagram Protocol) responses, overwhelming the target server and causing it to reboot or cut out altogether.
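Both reflection variants above (DNS and CharGEN), as well as the open-resolver case in the volumetric section, leave the same trace from the victim's side: large UDP replies arriving from service ports the victim never sent requests to, or far more bytes coming back than went out. The following added example, not code from the article, evaluates constructed NetFlow-style records against that pattern; the victim address, reflector addresses and the 10x amplification threshold are assumptions.

```python
"""Detect reflection/amplification traffic in UDP flow records.

Added example, not from the article. Flow records below are constructed
NetFlow-style tuples; reflector services are DNS (UDP/53) and CharGEN (UDP/19);
the amplification threshold is an assumption."""
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 19: "CharGEN"}
VICTIM = "192.0.2.10"

# (src_ip, src_port, dst_ip, dst_port, bytes). Normal: the victim asks its own
# resolver one 64-byte question and gets a 200-byte answer. Attack: ten open
# resolvers and one CharGEN device send large replies to queries the victim
# never made (someone else sent them with the victim's address as the source).
FLOWS = (
    [(VICTIM, 51000, "198.51.100.53", 53, 64),
     ("198.51.100.53", 53, VICTIM, 51000, 200)]
    + [(f"203.0.113.{i}", 53, VICTIM, 40000 + i, 3500) for i in range(1, 11)]
    + [("203.0.113.200", 19, VICTIM, 9999, 1024)] * 5
)

def reflection_report(flows, victim, amp_threshold=10.0):
    """Group flows by (reflector_ip, service) and compare inbound to outbound bytes."""
    inbound, outbound = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst == victim and sport in REFLECTOR_PORTS:      # reply arriving at victim
            inbound[(src, REFLECTOR_PORTS[sport])] += nbytes
        elif src == victim and dport in REFLECTOR_PORTS:    # request the victim sent
            outbound[(dst, REFLECTOR_PORTS[dport])] += nbytes
    report = {}
    for key, in_bytes in inbound.items():
        out_bytes = outbound.get(key, 0)
        # No outbound request at all means the reply was solicited by a spoofed
        # packet; a large in/out ratio is the amplification factor itself.
        amp = float("inf") if out_bytes == 0 else in_bytes / out_bytes
        report[key] = {"in": in_bytes, "out": out_bytes, "unsolicited": out_bytes == 0,
                       "suspicious": out_bytes == 0 or amp >= amp_threshold}
    return report

def total_unsolicited_bytes(flows, victim):
    """Bytes that reached the victim from reflectors it never queried."""
    return sum(v["in"] for v in reflection_report(flows, victim).values()
               if v["unsolicited"])

if __name__ == "__main__":
    for key, verdict in reflection_report(FLOWS, VICTIM).items():
        print(key, verdict)
```

The same grouping works for any other UDP reflector service by extending REFLECTOR_PORTS; the legitimate resolver exchange stays unflagged because its reply is solicited and only about 3x the request.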

DDoS attack numbers

As technology marches on and security systems become more sophisticated each year, so do the tools used to hack through them. If we compare the strength of an attack from the 1990s to the modern standard of DDoS, the difference is staggering.

The average request rate in a DDoS attack in the 90s barely went over 150 per second. If we compare that to the biggest recorded successful DDoS attack of recent times, namely the 2018 GitHub attack, we can see that 1.35 terabits of traffic per second were thrown at the site. The attack crippled the site temporarily and lasted only 8 minutes.

How much does a DDoS attack cost?

The monetary damage a DDoS attack can inflict on a business in just 24 hours is reason enough to take active measures to never let it happen again. According to a 2018 report by Corero Network Security, the disruption caused by a DDoS attack, through lost revenue, lost employee productivity and the actual security cost of repelling the assault, can cost upwards of $50,000 per attack. But how much does it cost to employ a cybercriminal and their army of bots?

As with most online criminal activities, you’ll have to delve into the dark web for a price list of their services. The cost of this service varies depending on the desired length of the DDoS attack, with basic rates starting at 300 seconds and stretching upwards to 10,800 seconds (3 hours). Obviously, the shorter the attack, the cheaper it will be.

Curiously, many of the criminals providing these services offer a pseudo-subscription service. For example, at the cost of 60 euros per month, you get access to one attack lasting 3 hours.

Motivations for DDoSing

  • Hacktivism. Hacktivists use DDoS attacks to take down various websites and services they disagree with. For example, they can target websites of governments, public figures, criminal or terrorist organizations, corporations, and other entities. Often hacktivists use DDoS to spread messages and raise awareness.
  • Extortion. Cybercriminals also use DDoS attacks for extortion. They may demand money for stopping or not carrying out an attack.
  • Vandalism. Hackers can initiate DDoS attacks purely for entertainment or to frustrate and annoy others. So-called script kiddies can easily trigger such attacks by using premade tools.
  • Rivalry. A rival company or individual can cripple a competitor’s website or service and cause a temporary loss of profit or exposure, or simply anger its customers.
  • Cyberwarfare. DDoS is a weapon used in cyberwarfare. Nation-state actors employ large-scale DDoS attacks to disrupt critical infrastructures in adversary countries. Governments can also use such attacks to silence opposition forces. State-backed DDoS attacks are usually well-orchestrated and more difficult to mitigate.

The largest DDoS attacks

2017 Google attack

The largest DDoS attack took place in 2017 and targeted Google services. Attackers sent spoofed requests to 180,000 web servers, which sent their responses back to Google. The cyberattack reached a size of 2.54 Tbps. The attack was allegedly a nation-state effort that came from China.

The 2020 AWS DDoS attack

A massive DDoS attack hit Amazon Web Services in 2020. It targeted an unidentified customer and is regarded as one of the most vicious DDoS attacks. By reflecting traffic off third-party servers, attackers managed to amplify the amount of data sent to a single IP address up to 70 times. The attack reached a size of 2.3 Tbps.

The 2022 Cloudflare attack

Cloudflare reported and mitigated a 15.3 million requests-per-second DDoS attack targeted at a customer operating a crypto launch pad. The attack used a botnet of an estimated 6,000 unique devices from 112 countries. The attackers sent the requests over encrypted HTTPS connections, which are more expensive for the target to handle than plain HTTP.

Is DDoSing illegal?

DDoSing is considered illegal in many countries. For example, in the US, DDoS can be considered a federal crime and can lead to penalties and imprisonment. In most European countries, DDoSing can lead to arrest, while in the UK, you may be sentenced to up to 10 years of imprisonment.

Can you trace DDoS attacks?

DDoS attacks are pretty difficult to trace because most of them are distributed over hundreds or thousands of other devices. Also, those who initiate such attacks usually make an effort not to be found.

It’s possible to identify DDoS attacks when they happen by using certain cybersecurity tools to analyze the traffic. However, it’s usually too late to stop them. At best, you can analyze the data and make the appropriate cybersecurity changes for the future.

DDoS attack prevention

Here are a few measures for preventing DDoS attacks:

  • Use third-party DDoS prevention tools. Various third-party services can help you to mitigate DDoS risks. Just make sure to use safe and reliable ones. However, none of them can guarantee you total safety.
  • Partner with your ISP for clean bandwidth. ISPs can usually detect malicious packets before they reach your device and reduce risk.
  • Monitor your traffic with traffic monitoring tools and watch for any odd patterns.

Does a VPN help prevent DDoS?

DDoSing is mostly used to blackmail developers and publishers or to harm the reputation or sales of a certain person or platform. However, individual users can also be affected. This usually happens to online gamers. Your opponent might try to DDoS you to disrupt your gameplay, which isn’t a security risk per se, but can be really frustrating – especially if you play competitively.

There’s no way for you to prevent an attack against the game server. However, in P2P gaming, when you connect directly to other players, your opponent could look up your IP address and use it to DoS you. You can prevent this by using a VPN for gaming to mask your original IP. If bad actors don’t know your real IP — they simply can’t DoS you.


Jomilė is a content writer who loves to investigate the latest Internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.