Your IP: Unknown · Your Status: Protected
Blog In Depth

What is a DDoS attack?

If 20 customers visit your store, that's good news. If a thousand non-paying customers enter your shop and block the entrance, then you have a problem. That’s what DDoS attacks do in the cyber world. But what is a DDoS attack? Find out below.

Emily Green

Emily Green

Feb 07, 2020 · 5 min read

What is a DDoS attack?

What is DDoS and how does it work?

Distributed denial-of-service (DDoS) attacks make the target server, service, or network deny access to anyone trying to use them. It’s like a traffic jam, where the main road is congested with cars sent by a hacker, while the legitimate traffic coming from the side road can no longer get in.

DDoS attacks are quite powerful, as they use multiple computers or other devices. A hacker creates a network by infecting devices, turning them into bots, and remotely directing them to a specific IP address all at once. This can cause a service to crash.

DDoS attacks can last over 24 hours and are difficult to trace. Your computer might be a part of a botnet army, secretly responding to malicious commands, and you won’t even know — it’s hard to notice, as the only signs could be marginally decreased performance or an overheating device. The traffic bombarding the target is coming from legitimate (albeit infected) devices. This makes it even harder to distinguish between genuine and malicious traffic.

DDoS attacks can target a specific component of the network connection or a mixture of them. Every connection made over the internet goes through OSI model layers. Most DDoS attacks happen in the following three layers:

  • Network layer (Layer 3). Attacks that are on this layer include Smurf Attacks, ICMP Floods, and IP/ICMP Fragmentation.
  • Transport layer (Layer 4). These attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
  • Application layer (Layer 7). Mainly, HTTP-encrypted attacks.

Types of DDoS attacks

#1 TCP Connection attacks

TCP connection attacks, otherwise known as SYN flood attacks, happen when a three-way TCP handshake between the host and the server is never completed. In this attack, the handshake is initiated, but the hacker leaves the server hanging and the ports open. This means the server cannot take any other requests. The hacker keeps flooding it with more handshakes, eventually making it crash.

#2 Volumetric attacks

Volumetric attacks are the most common type of DDoS attack. It simply consumes all available bandwidth between the target and the internet. This is mostly done by using botnets and directing them to a specific target.

One example of the volumetric attack could be the hacker spoofing the victim's IP and making multiple requests to an open DNS server. The attack is structured so that when DNS server responds, it sends more data to the victim than they can handle.

#3 Fragmentation attacks

Traffic sent over the internet is divided into data packets. They travel and are reassembled in different ways depending on whether the TCP or UDP transport protocol is being used. A fragmentation attack sends fake data packets that distort the flow of data and therefore overwhelm the server.

#4 Application layer attacks

Application layer or layer 7 attacks target, as the name suggests, applications – the layer where the server generates web pages and responds to HTTP requests. Such an attack would seem to the server like someone hitting refresh on the same page multiple times. It will look like legitimate traffic until the server is overflooded and it’s too late. These attacks are also less expensive and more difficult to detect than network layer attacks.

Types of DDoS Amplification

A DDoS amplification attack is one where the cybercriminal specifically targets security vulnerabilities in Domain Name System (DNS) servers. They convert small requests into huge ones (thus the term “amplification”), stifling the victim’s bandwidth and effectively halting the unfortunate target server’s processes. There are two types of amplification attack: DNS Reflection and CharGEN Reflection.

DNS reflection

A DNS server’s job is to look for the IP address of whichever domain name you typed into your search bar. It’s the internet’s address book. A DNS reflection attack is when a hacker copies the victim’s IP address and sends requests to the DNS server, asking for large replies. The replies have been known to be amplified up to 70 times their normal size, overwhelming the victim instantly.

CharGEN reflection

CharGEN is, by internet standards, an ancient protocol created in 1983 for the purposes of debugging or testing. Unfortunately, many internet-connected printers or copy machines still actively use this protocol, allowing hackers to exploit CharGEN’s many age-induced loopholes. The hacker will send many tiny packets of data under the guise of a victim’s IP address to whatever is running on CharGEN. The device then floods the victim’s system with UDP (User Datagram Protocol) reponses, overwhelming the target server and causing it to reboot or cut out altogether.

DDoS attack numbers

As technology marches on, and security systems become increasingly sophisticated each year, so do the tools used to hack through them. If we compare the strength of an attack from the 1990s to the modern standard of DDoS, the difference is staggering.

The average requests in a DDoS attack from the 90s barely went over 150 per second. If we compare these to the biggest recorded successful DDoS attack of recent times, namely, the 2018 GitHub attack, we can see that 1.35 terabits of traffic per second was thrown at the site. The attack crippled the site temporarily and only lasted 8 minutes.

How much does a DDoS attack cost?

The monetary damage a DDoS attack can inflict on a business in just 24 hours is enough justification to take active measures to never let it happen again. According to a 2018 report by Corero Network Security, the disruption caused by a DDoS attack through lost revenue, disruption of employee productivity and the actual security cost of repelling the assault, can cost upwards of $50,000 per attack. But how much does it cost to employ a cybercriminal and their army of bots?

As with most online criminal activities, you’ll have to delve into the dark web for a price list of their services. The cost of this service varies depending on the desired length of the DDoS attack, with basic rates starting at 300 seconds and stretching upwards to 10,800 seconds (3 hours). Obviously, the shorter the attack, the cheaper it will be.

Curiously, many of the criminals providing these services offer a pseudo-subscription service. For example, at the cost of 60 euros per month, you have access to 1 attack lasting 3 hours.

Is DDoSing illegal?

DDoSing is considered illegal in many countries. For example, in the US, DDoS can be considered a federal crime and can lead to penalties and imprisonment. In most European countries, DDoSing can lead to arrest, while in the UK, you may be sentenced to up to 10 years of imprisonment.

Can you trace DDoS attacks?

DDoS attacks are pretty difficult to trace because most of them are distributed over hundreds and thousands of other devices. Also, those who initiate such attacks usually make an effort not to be found.

It’s possible to identify DDoS attacks when they happen by using certain cybersecurity tools to analyze the traffic. However, it’s usually too late to stop them. At best, you can analyze the data and make the appropriate cybersecurity changes for the future.

Does a VPN help prevent DDoS?

DDoSing is mostly used to blackmail developers and publishers or to harm the reputation or sales of a certain person or platform. However, individual users can also be affected. This usually happens to online gamers. Your opponent might try to DDoS you to disrupt your gameplay, which isn’t a security risk per se, but can be really frustrating – especially if you play competitively.

There’s no way for you to prevent an attack against the game server. However, in P2P gaming, when you connect directly to other players, your opponent could look up your IP address and use it to DoS you. You can prevent this by using a VPN to mask your original IP. If bad actors don’t know your real IP — they simply can’t DoS you.

NordVPN can help protect you from DDoS and other attacks. Try it now with a 30-day money-back guarantee.