A DDoS attack aims to disable or take down a web site, web application, cloud service or other online resource by overwhelming it with pointless connection requests, fake packets or other malicious traffic. Unable to handle the volume of illegitimate traffic, the target slows to a crawl or crashes altogether, making it unavailable to legitimate users.
DDoS attacks are part of the broader category, denial-of-service attacks (DoS attacks), which includes all cyberattacks that slow or stop applications or network services. DDoS attacks are unique in that they send attack traffic from multiple sources at once—which puts the “distributed” in “distributed denial-of-service.”
Cybercriminals have been using DDoS attacks to disrupt network operations for more than 20 years, but recently their frequency and power have spiked. According to one report, DDoS attacks rose by 203 percent in the first half of 2022, compared to the same period in 2021.
Unlike most other cyberattacks, DDoS attacks do not need to exploit a vulnerability in the target to breach it. Instead, they abuse standard network protocols such as Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) to send endpoints, apps, and other assets more traffic than they can handle. Web servers, routers, firewalls, and other network infrastructure can only process a finite number of requests and hold a limited number of connection states at any given time. By exhausting a resource’s bandwidth, connection tables, or processing capacity, DDoS attacks prevent it from responding to legitimate connection requests and packets.
In broad terms, a DDoS attack has three stages: choosing a target, assembling a botnet (or renting one), and launching the attack traffic.
The choice of DDoS attack target stems from the attacker’s motivation, which can range widely. Hackers have used DDoS attacks to extort money from organizations, demanding a ransom to end the attack. Some hackers use DDoS for activism, targeting organizations and institutions they disagree with. Unscrupulous actors have used DDoS attacks to shut down competing businesses, and some nation states have used DDoS tactics in cyber warfare.
Some of the most common DDoS attack targets include:
Online retailers. DDoS attacks can cause significant financial harm to retailers by bringing down their digital stores, making it impossible for customers to shop for a period of time.
Cloud service providers. Cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform are popular targets for DDoS attacks. Because these services host data and apps for other businesses, hackers can cause widespread outages with a single attack. In 2020, AWS was hit with a massive DDoS attack. At its peak, malicious traffic poured in at 2.3 terabits per second.
Financial institutions. DDoS attacks can knock banking services offline, preventing customers from accessing their accounts. In 2012, six major US banks were hit with coordinated DDoS attacks in what may have been a politically motivated act.
Software-as-a-Service (SaaS) providers. As with cloud service providers, SaaS providers like Salesforce, GitHub, and Oracle are attractive targets because they allow hackers to disrupt multiple organizations at once. In 2018, GitHub suffered what was, at the time, the largest DDoS attack on record.
A DDoS attack usually requires a botnet—a network of internet-connected devices that have been infected with malware that allows hackers to control the devices remotely. Botnets can include laptop and desktop computers, mobile phones, IoT devices, and other consumer or commercial endpoints. The owners of these compromised devices are typically unaware they have been infected or are being used for a DDoS attack.
Some cybercriminals build their botnets from scratch, while others purchase or rent preestablished botnets under a model referred to as “denial-of-service as a service” (also known as DDoS-for-hire, or “booter” and “stresser” services).
(NOTE: Not all DDoS attacks use botnets; some exploit the normal operations of uninfected devices for malicious ends. See ‘Smurf attacks,’ below.)
Hackers command the devices in the botnet to send connection requests or other packets to the IP address of the target server, device, or service. Most DDoS attacks rely on brute force, sending a large number of requests to eat up all of the target’s bandwidth; some DDoS attacks send a smaller number of more complicated requests that require the target to expend a lot of resources in responding. In either case, the result is the same: The attack traffic overwhelms the target system, causing a denial of service and preventing legitimate traffic from accessing the website, web application, API, or network.
Hackers often obscure the source of their attacks through IP spoofing, forging the source IP address of the packets sent from the botnet. Spoofing also enables reflection: the attacker sends requests to third-party servers with the victim’s IP address as the forged source, so those servers send their replies to the victim rather than to the attacker. When the replies are much larger than the requests that triggered them, the reflection is also an amplification.
DDoS attack types are often named or described based on the terminology of the Open Systems Interconnection (OSI) Reference Model, a conceptual framework that defines seven network ‘layers’ (and is sometimes called the OSI 7-Layer Model).
As the name suggests, application layer attacks target the application layer (layer 7) of the OSI model—the layer at which web pages are generated in response to user requests. Application layer attacks disrupt web applications by flooding them with malicious requests.
One of the most common application layer attacks is the HTTP flood, in which an attacker continuously sends a large number of HTTP requests from multiple devices to the same website. Each request is well formed, so the attack cannot be recognized from the packets alone; what sets it apart is volume, often concentrated on expensive endpoints such as search or login pages. The website cannot keep up with all of the HTTP requests, and it slows down significantly or crashes entirely. HTTP flood attacks are akin to hundreds or thousands of web browsers repeatedly refreshing the same webpage.
Application layer attacks are relatively cheap to launch, because each request costs the attacker far less than it costs the server to answer, yet they can be difficult to prevent and mitigate. As more companies transition to microservices and container-based applications, the risk of application layer attacks disabling critical web and cloud services increases.
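Because HTTP flood requests are individually valid, detection has to rest on rate, not on packet contents. The following added example (not code from the original article) parses combined-format web server access logs and flags any client whose request count in a sliding window exceeds a threshold. The log lines, the window length, and the threshold are constructed assumptions; the detector itself is the general per-client sliding-window count that most rate limiters implement.

```python
"""Sliding-window HTTP flood detector over access-log lines (constructed sample)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Parse one access-log line into (epoch_seconds, ip, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    epoch = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return epoch, ip, method, path, int(status)


def detect_http_flood(log_text, window_s=10, threshold=30):
    """Return {ip: peak requests seen in any window_s-second window} for every client
    whose count in some window exceeded threshold. The defaults are assumptions: tune
    them per endpoint, since a shared NAT address can legitimately exceed a low one."""
    events = sorted(e for e in map(parse_line, log_text.splitlines()) if e)
    recent = defaultdict(deque)   # ip -> timestamps of requests inside the current window
    peaks = {}
    for epoch, ip, _method, _path, _status in events:
        q = recent[ip]
        q.append(epoch)
        while epoch - q[0] >= window_s:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample, not a real capture: one client requesting /search four times
    per second for a minute, plus 30 distinct clients making one request each."""
    flood = [
        f'198.51.100.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "GET /search?q=x HTTP/1.1" 200 512 "-" "curl/7.88"'
        for s in range(60) for _ in range(4)
    ]
    legit = [
        f'192.0.2.{i} - - [10/Oct/2023:13:55:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
        for i in range(1, 31)
    ]
    return "\n".join(flood + legit)


if __name__ == "__main__":
    for ip, peak in detect_http_flood(build_sample_log()).items():
        print(f"{ip}: {peak} requests in a 10 s window")
```

On the sample, the single flooding client peaks at 40 requests per 10-second window and is reported; the 30 one-off clients are not. In production this per-IP count is only one signal: a distributed flood spreads the same rate across thousands of bots, so the per-path and per-session rates, and the ratio of requests to a few expensive endpoints, need to be watched alongside it.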
Protocol attacks target the network layer (layer 3) and the transport layer (layer 4) of the OSI model. They aim to exhaust the connection-state capacity of critical network resources, such as firewalls, load balancers, and web servers, with malicious connection requests.
Common protocol attacks include:
SYN flood attacks. A SYN flood attack takes advantage of the TCP handshake, the process by which two devices establish a connection with one another.
In a typical TCP handshake, one device sends a SYN packet to initiate the connection, the other responds with a SYN/ACK packet to acknowledge the request, and the original device sends back an ACK packet to finalize the connection.
In a SYN flood attack, the attacker sends the target server a large number of SYN packets with spoofed source IP addresses. The server sends its SYN/ACK to each spoofed address, allocates a half-open connection entry, and waits for the final ACK. Because the source address was spoofed, that ACK never arrives (or the spoofed host, which never sent a SYN, answers with a reset). The server’s backlog fills with unfinished connections, leaving it unable to accept legitimate TCP handshakes. The standard defense is SYN cookies: the server encodes the connection parameters in the SYN/ACK sequence number, keeps no state, and only allocates a connection when an ACK arrives carrying a valid cookie.
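The exhaustion and its defense, as an added simulation that is not part of the original article and is not a real TCP stack: a stateful listener with a fixed backlog is filled by spoofed SYNs, while a listener that issues SYN cookies keeps no half-open state and completes only handshakes whose ACK carries a cookie it can verify. The secret key, the backlog size, the addresses, and the 4-tick cookie lifetime are constructed assumptions; the cookie layout follows the classic 5-bit time counter, 3-bit MSS index, 24-bit keyed hash scheme.

```python
"""Half-open table exhaustion vs. SYN cookies (constructed simulation, not a TCP stack)."""
import hashlib
import hmac
import random

# Assumption: a per-boot server secret. A real stack generates this randomly and rotates it.
SECRET = b"demo-secret-not-for-production"
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the cookie's 3-bit field may encode


def make_syn_cookie(src, dst, sport, dport, client_isn, t, mss_idx):
    """Build a 32-bit server ISN that *is* the connection state:
    5-bit time counter | 3-bit MSS index | 24-bit keyed hash over the 4-tuple, client ISN,
    time counter and MSS index (so none of the fields can be altered without the secret)."""
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{t & 0x1F}|{mss_idx & 0x7}".encode()
    mac24 = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | mac24


def check_syn_cookie(src, dst, sport, dport, client_isn, ack, now):
    """Validate the final ACK (ack = cookie + 1). Returns the negotiated MSS, or None if
    the cookie is forged, carries an unknown MSS index, or is older than 4 time ticks."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if (now - t) & 0x1F > 4 or mss_idx >= len(MSS_TABLE):
        return None
    expect = make_syn_cookie(src, dst, sport, dport, client_isn, t, mss_idx)
    if not hmac.compare_digest(expect.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


class StatefulListener:
    """Classic listener: every SYN allocates a half-open entry until its ACK arrives."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}   # (src, sport) -> server ISN

    def on_syn(self, src, sport, client_isn):
        if len(self.half_open) >= self.backlog:
            return False      # backlog exhausted: the SYN is dropped
        self.half_open[(src, sport)] = random.getrandbits(32)
        return True


class CookieListener:
    """Stateless listener: nothing is stored until a valid ACK proves the client is real."""
    def __init__(self, dst="203.0.113.10", dport=443):
        self.dst, self.dport = dst, dport
        self.established = set()

    def on_syn(self, src, sport, client_isn, now):
        # The SYN/ACK's ISN is the cookie; no table entry is created.
        return make_syn_cookie(src, self.dst, sport, self.dport, client_isn, now, 3)

    def on_ack(self, src, sport, client_isn, ack, now):
        if check_syn_cookie(src, self.dst, sport, self.dport, client_isn, ack, now) is None:
            return False
        self.established.add((src, sport))
        return True


def simulate(n_spoofed=2000, backlog=1024):
    """Flood both listeners with spoofed SYNs, then let one legitimate client connect.
    Returns (stateful accepted legit SYN, cookie listener established legit, forged ACK accepted)."""
    rng = random.Random(1)
    stateful, cookie = StatefulListener(backlog), CookieListener()
    for _ in range(n_spoofed):
        src = f"198.51.100.{rng.randrange(256)}"   # spoofed source: its ACK never comes
        sport = rng.randrange(1024, 65536)
        stateful.on_syn(src, sport, rng.getrandbits(32))
        cookie.on_syn(src, sport, rng.getrandbits(32), now=7)
    legit = ("192.0.2.50", 40000, 12345)           # (src, sport, client_isn)
    stateful_ok = stateful.on_syn(*legit)
    isn = cookie.on_syn(*legit, now=7)
    cookie_ok = cookie.on_ack(*legit, ack=(isn + 1) & 0xFFFFFFFF, now=8)
    forged_ok = cookie.on_ack(*legit, ack=(isn + 2) & 0xFFFFFFFF, now=8)
    return stateful_ok, cookie_ok, forged_ok


if __name__ == "__main__":
    print(simulate())   # (False, True, False)
```

The stateful listener drops the legitimate SYN once 1,024 spoofed half-open entries are queued; the cookie listener establishes it, and rejects an ACK whose acknowledgement number is off by one. On Linux the real mechanism is enabled with the net.ipv4.tcp_syncookies sysctl. The trade-off practitioners should know: a pure cookie carries no room for TCP options negotiated in the SYN, so window scaling and SACK are lost unless the stack also encodes them (Linux does so in the TCP timestamp), and the cookie cannot be retransmitted if the SYN/ACK is lost.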
Smurf attacks. A smurf attack takes advantage of the Internet Control Message Protocol (ICMP), a communication protocol used to assess the status of a connection between two devices. In a typical ICMP exchange, one device sends an ICMP echo request to another, and the latter device responds with an ICMP echo reply.
In a smurf attack, the attacker sends an ICMP echo request whose spoofed source address is the victim’s IP address to the directed broadcast address of a network. If that network’s router forwards the directed broadcast, every device on the network (potentially hundreds or thousands of devices) receives the echo request and sends an ICMP echo reply to the victim’s address, flooding the victim with far more traffic than the attacker sent. Unlike many other types of DDoS attacks, smurf attacks do not require a botnet. Because routers and hosts now drop directed broadcasts and broadcast pings by default, the same reflection idea lives on mainly in attacks that abuse other services, such as DNS amplification.
Volumetric DDoS attacks consume all available bandwidth within a target network or between a target service and the rest of the internet, thereby preventing legitimate users from connecting to network resources. Volumetric attacks often flood networks and resources with very high amounts of traffic, even compared to other types of DDoS attacks. Volumetric attacks have been known to overwhelm DDoS protection measures like scrubbing centers, which are designed to filter malicious traffic from legitimate traffic.
Common types of volumetric attacks include:
UDP floods. These attacks send large numbers of User Datagram Protocol (UDP) packets to random or closed ports on a target host. For each packet, the host checks for an application listening on that port; finding none, it sends an ICMP “Destination Unreachable” (port unreachable) message back to the, usually spoofed, source address. The host’s bandwidth and processing capacity are consumed checking ports and generating error replies, leaving it unable to serve legitimate packets.
ICMP floods. Also called “ping flood attacks,” these attacks bombard targets with ICMP echo requests from multiple spoofed IP addresses. The targeted server must respond to all of these requests and becomes overloaded and unable to process valid ICMP echo requests. ICMP floods are distinguished from smurf attacks in that attackers send large numbers of ICMP requests from their botnets rather than tricking network devices into sending ICMP responses to the victim’s IP address.
DNS amplification attacks. Here, the attacker sends many small Domain Name System (DNS) lookup requests to one or more open DNS resolvers. The requests carry the victim’s spoofed source IP address and are crafted to produce large responses (for example, queries for records that return a lot of data). The resolvers send the responses, which can be tens of times larger than the requests, to the victim’s IP address, flooding it with traffic the attacker never had to generate.
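Both the smurf attack described above and DNS amplification share one signature at the victim: replies arrive for requests the victim never sent. The following added example (not code from the original article) runs that check over a constructed packet summary, the kind of per-packet record a flow collector or pcap parser would produce. It first records which reflector services and which ping targets the victim actually contacted, then counts inbound ICMP echo replies and UDP replies from common reflector ports that have no matching outbound request. The addresses, sizes and packet list are constructed; the port-to-service table is an assumption limited to services well known to be abused as reflectors.

```python
"""Detect reflected replies (smurf, DNS/NTP/CLDAP amplification) the victim never solicited."""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port replies come from.
REFLECTOR_SERVICES = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


def find_unsolicited_replies(packets, victim):
    """Report inbound reflector replies the victim did not ask for.

    packets: iterable of dicts with keys src, dst, proto ('udp' or 'icmp'), length, and
             either sport/dport (udp) or icmp_type ('echo-request' or 'echo-reply').
    Returns {service: {"packets": n, "bytes": b, "reflectors": distinct sources}}.
    """
    # Pass 1: what did the victim actually send? A later reply from that peer and
    # service is solicited and must not be counted.
    solicited = set()
    for p in packets:
        if p["src"] != victim:
            continue
        if p["proto"] == "udp" and p["dport"] in REFLECTOR_SERVICES:
            solicited.add((p["dst"], p["dport"]))
        elif p["proto"] == "icmp" and p["icmp_type"] == "echo-request":
            solicited.add((p["dst"], "icmp"))

    # Pass 2: inbound replies with no matching request are reflection traffic.
    report = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for p in packets:
        if p["dst"] != victim:
            continue
        if p["proto"] == "udp" and p["sport"] in REFLECTOR_SERVICES:
            key, service = (p["src"], p["sport"]), REFLECTOR_SERVICES[p["sport"]]
        elif p["proto"] == "icmp" and p["icmp_type"] == "echo-reply":
            key, service = (p["src"], "icmp"), "ICMP echo-reply"
        else:
            continue
        if key in solicited:
            continue
        entry = report[service]
        entry["packets"] += 1
        entry["bytes"] += p["length"]
        entry["reflectors"].add(p["src"])
    return {svc: {"packets": e["packets"], "bytes": e["bytes"], "reflectors": len(e["reflectors"])}
            for svc, e in report.items()}


VICTIM = "203.0.113.10"


def sample_capture():
    """Constructed packet summary (not a real capture) mixing legitimate and reflected traffic."""
    pkts = [
        # Legitimate: the victim queries its own resolver and receives one answer.
        dict(src=VICTIM, dst="198.51.100.53", proto="udp", sport=51000, dport=53, length=70),
        dict(src="198.51.100.53", dst=VICTIM, proto="udp", sport=53, dport=51000, length=180),
        # Legitimate: the victim pings one host and gets the reply.
        dict(src=VICTIM, dst="198.51.100.1", proto="icmp", icmp_type="echo-request", length=84),
        dict(src="198.51.100.1", dst=VICTIM, proto="icmp", icmp_type="echo-reply", length=84),
    ]
    # DNS amplification: five open resolvers answer queries the victim never sent.
    for i in range(5):
        pkts.append(dict(src=f"192.0.2.{i + 1}", dst=VICTIM, proto="udp",
                         sport=53, dport=51000, length=3000))
    # Smurf: twenty hosts on a broadcast network answer a spoofed echo request.
    for i in range(20):
        pkts.append(dict(src=f"198.51.100.{i + 10}", dst=VICTIM, proto="icmp",
                         icmp_type="echo-reply", length=1500))
    return pkts


if __name__ == "__main__":
    for service, stats in find_unsolicited_replies(sample_capture(), VICTIM).items():
        print(f"{service}: {stats['packets']} packets, {stats['bytes']} bytes "
              f"from {stats['reflectors']} reflectors")
```

On the sample the report shows 5 unsolicited DNS responses totalling 15,000 bytes from 5 reflectors and 20 unsolicited echo replies from 20 hosts, while the resolver answer and the ping reply the victim actually requested are excluded. Many reflectors each sending a little is the pattern to look for; a large reply from a single resolver you queried is normal.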
As the name implies, multivector attacks exploit multiple attack vectors, to maximize damage and frustrate DDoS mitigation efforts. Attackers may use multiple vectors simultaneously or switch between vectors mid-attack, when one vector is thwarted. For example, hackers may begin with a smurf attack, but once the traffic from network devices is shut down, they may launch a UDP flood from their botnet.
DDoS threats may also be used in tandem with other cyberattacks. For example, ransomware attackers may pressure their victims by threatening to mount a DDoS attack if the ransom is not paid.
DDoS attacks have persisted for so long, and become increasingly popular with cybercriminals over time, because
DDoS attacks are becoming more sophisticated as hackers adopt artificial intelligence (AI) and machine learning (ML) tools to help direct their attacks. This has led to a rise in adaptive DDoS attacks, which use AI and ML to find the most vulnerable aspects of systems and automatically shift attack vectors and strategies in response to a cybersecurity team’s DDoS mitigation efforts.
The purpose of a DDoS attack is to disrupt system operations, which can carry a high cost for organizations. According to IBM’s Cost of a Data Breach 2022 report, service disruptions, system downtime, and other business interruptions caused by a cyberattack cost organizations USD 1.42 million on average. In 2021, a DDoS attack cost a VoIP provider nearly USD 12 million.
The largest DDoS attack reported as of this writing, which generated 3.47 terabits of malicious traffic per second, targeted a Microsoft Azure customer in November 2021. Attackers used a botnet of 10,000 devices from around the world to bombard the victim with 340 million packets per second.
DDoS attacks have also been used against governments, including a 2021 attack on Belgium. Hackers targeted a government-run internet service provider (ISP) to sever the internet connections of more than 200 government agencies, universities, and research institutes.
Increasingly, hackers are using DDoS not as the primary attack, but to distract the victim from a more serious cybercrime—e.g., exfiltrating data or deploying ransomware to a network while the cybersecurity team is occupied with fending off the DDoS attack.
DDoS mitigation and protection efforts typically rest on diverting the flow of malicious traffic as quickly as possible, such as by routing network traffic to scrubbing centers or using load balancers to redistribute attack traffic. Toward that end, companies aiming to shore up their defenses against DDoS attacks may adopt technologies that can identify and intercept malicious traffic, including:
Content delivery networks (CDNs). A CDN is a network of distributed servers that can help users access online services more quickly and reliably. With a CDN in place, users’ requests don’t travel all the way back to the service’s origin server. Instead, they are routed to a geographically closer CDN server that delivers the content. CDNs can help protect against DDoS attacks by increasing a service’s overall capacity for traffic. In the event that a CDN server is taken down by a DDoS attack, user traffic can be routed to other available server resources in the network. This protection only holds if the origin server is not reachable directly: if its IP address is known and it accepts traffic from anywhere, attackers simply bypass the CDN, so the origin should accept connections only from the CDN’s address ranges.