Your IP: Unknown · Your Status: Unprotected Protected

Blog In Depth

What is a DDoS attack?

Feb 07, 2020 · 4 min read

What is a DDoS attack?

If 20 customers visit your store, that's good news. If a thousand non-paying customers enter your shop and block the entrance, then you have a problem. That’s what DDoS attacks do in the cyber world. But what is a DDoS attack? Find out below.

What is DoS?

A denial of service (DoS) attack is a malicious attempt to disrupt normal network traffic to a web server, service or network. A hacker can target different parts of the Open Systems Interconnection (OSI) layer to overflow the network and force it to refuse service to legitimate traffic. It’s like a traffic jam where the main road is congested with cars sent by a hacker while the legitimate traffic coming from the side road can no longer get in.

Long ago, DoS attacks were one-man jobs. However, as computers and servers grew more powerful and secure, denial of service attacks have had to up their game too. They evolved into what we now know as DDoS.

What is DDoS and how does it work?

Distributed denial of service (DDoS) attacks seek the same goal as DoS – to make the target server, service or network deny legitimate traffic. However, DDoS attacks are more powerful as they use multiple computers/devices. A hacker creates a network by infecting devices, turning them into bots, and remotely directing them to a specific IP address all at once. This can cause a service crash.

DDoS attacks are difficult to trace. Your computer might be a part of a bot-net army, secretly responding to malicious commands. It’s hard to notice it as the only signs could be marginally decreased performance or an overheating device. The traffic bombarding the target is coming from legitimate (albeit infected) devices. This makes it even harder to distinguish between legitimate and malicious traffic.

DDoS attacks can target a specific component of the network connection or a mixture of them. Every connection made over the internet goes through OSI model layers. Most DDoS attacks happen in the following three layers:

  • Network layer (Layer 3). Attacks that are on this layer include Smurf Attacks, ICMP Floods, and IP/ICMP Fragmentation.
  • Transport layer (Layer 4). These attacks include SYN Floods, UDP Floods, and TCP Connection Exhaustion.
  • Application layer (Layer 7). Mainly, HTTP-encrypted attacks.

Types of DDoS attacks

#1 TCP Connection attacks

TCP connection attacks, otherwise known as SYN flood attacks, happen when a three-way TCP handshake between the host and the server is never completed. In this attack, the handshake is initiated, but the hacker leaves the server hanging and the ports open. This means the server cannot take any other requests. The hacker keeps flooding it with more handshakes, eventually making it crash.

#2 Volumetric attacks

Volumetric attacks are the most common type of DDoS attack. It simply consumes all available bandwidth between the target and the internet. This is mostly done by using botnets and directing them to a specific target.

One example of the volumetric attack could be the hacker spoofing the victim's IP and making multiple requests to an open DNS server. The attack is structured so that when DNS server responds, it sends more data to the victim than they can handle.

#3 Fragmentation attacks

Traffic sent over the internet is divided into data packets. They travel and are reassembled in different ways depending on whether the TCP or UDP transport protocol is being used. A fragmentation attack sends fake data packets that distort the flow of data and therefore overwhelm the server.

#4 Application layer attacks

Application layer or layer 7 attacks target, as the name suggests, applications – the layer where the server generates web pages and responds to HTTP requests. Such an attack would seem to the server like someone hitting refresh on the same page multiple times. It will look like legitimate traffic until the server is overflooded and it’s too late. These attacks are also less expensive and more difficult to detect than network layer attacks.

Is DDoSing illegal?

DDoSing is considered illegal in many countries. For example, in the US, DDoS can be considered a federal crime and can lead to penalties and imprisonment. In most European countries, DDoSing can lead to arrest, while in the UK, you may be sentenced to up to 10 years of imprisonment.

Can you trace DDoS attacks?

DDoS attacks are pretty difficult to trace because most of them are distributed over hundreds and thousands of other devices. Also, those who initiate such attacks usually make an effort not to be found.

It’s possible to identify DDoS attacks when they happen by using certain cybersecurity tools to analyze the traffic. However, it’s usually too late to stop them. At best, you can analyze the data and make the appropriate cybersecurity changes for the future.

Does a VPN help prevent DDoS?

DDoSing is mostly used to blackmail developers and publishers or to harm the reputation or sales of a certain person or platform. However, individual users can also be affected. This usually happens to online gamers. Your opponent might try to DDoS you to disrupt your gameplay, which isn’t a security risk per se, but can be really frustrating – especially if you play competitively.

There’s no way for you to prevent an attack against the game server. However, in P2P gaming, when you connect directly to other players, your opponent could look up your IP address and use it to DoS you. You can prevent this by using a VPN to mask your original IP. If bad actors don’t know your real IP — they simply can’t DoS you.

NordVPN can help protect you from DDoS and other attacks. Try it now with a 30-day money-back guarantee.


Emily Green
Emily Green successVerified author

Emily Green is a content writer who loves to investigate the latest internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.


Subscribe to NordVPN blog