What is a distributed denial of service (DDos) attack?
Explore IBM's DDoS solution Subscribe to Security Topic Updates
Illustration with collage of pictograms of clouds, mobile phone, fingerprint, check mark
What is a DDoS attack?

A DDoS attack aims to disable or take down a web site, web application, cloud service or other online resource by overwhelming it with pointless connection requests, fake packets or other malicious traffic.

A DDoS attack floods websites with malicious traffic, making applications and other services unavailable to legitimate users. Unable to handle the volume of illegitimate traffic, the target slows to a crawl or crashes altogether, making it unavailable to legitimate users.

DDoS attacks are part of the broader category, denial-of-service attacks (DoS attacks), which includes all cyberattacks that slow or stop applications or network services. DDoS attacks are unique in that they send attack traffic from multiple sources at once—which puts the “distributed” in “distributed denial-of-service.”

Cybercriminals have been using DDoS attacks to disrupt network operations for more than 20 years, but recently their frequency and power have spiked. According to one report, DDoS attacks rose by 203 percent in the first half of 2022, compared to the same period in 2021 (link resides outside ibm.com).

IBM Security X-Force Threat Intelligence Index

Gain insights to prepare and respond to cyberattacks with greater speed and effectiveness with the IBM Security X-Force Threat Intelligence Index.

Related content

Register for the Cost of a Data Breach report

How DDoS attacks work

Unlike other cyberattacks, DDoS attacks don’t exploit vulnerabilities in network resources to breach computer systems. Instead, they use standard network connection protocols like Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) to flood endpoints, apps, and other assets with more traffic than they can handle. Web servers, routers, and other network infrastructure can only process a finite number of requests and sustain a limited number of connections at any given time. By using up a resource’s available bandwidth, DDoS attacks prevent these resources from responding to legitimate connection requests and packets.

In broad terms, a DDoS attack has three stages.

Stage 1: Selecting the target

The choice of DDoS attack target stems from the attacker’s motivation, which can range widely. Hackers have used DDoS attacks to extort money from organizations, demanding a ransom to end the attack. Some hackers use DDoS for activism, targeting organizations and institutions they disagree with. Unscrupulous actors have used DDoS attacks to shut down competing businesses, and some nation states have used DDoS tactics in cyber warfare. 

Some of the most common DDoS attack targets include:

  • Online retailers. DDoS attacks can cause significant financial harm to retailers by bringing down their digital stores, making it impossible for customers to shop for a period of time.

  • Cloud service providers. Cloud service providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform are popular targets for DDoS attacks. Because these services host data and apps for other businesses, hackers can cause widespread outages with a single attack. In 2020, AWS was hit with a massive DDoS attack (link resides outside ibm.com). At its peak, malicious traffic poured in at 2.3 terabits per second.

  • Financial institutions. DDoS attacks can knock banking services offline, preventing customers from accessing their accounts. In 2012, six major US banks were hit with coordinated DDoS attacks in what may have been a politically motivated act (link resides outside ibm.com).

  • Software-as-a-Service (SaaS) providers. As with cloud service providers, SaaS providers like Salesforce, GitHub, and Oracle are attractive targets because they allow hackers to disrupt multiple organizations at once. In 2018, GitHub suffered what was, at the time, the largest DDoS attack on record (link resides outside ibm.com).

  • Gaming companies. DDoS attacks can disrupt online games by flooding their servers with traffic. These attacks are often launched by disgruntled players with personal vendettas, as was the case with the Mirai botnet that was originally built to target Minecraft servers (link resides outside ibm.com).
Stage 2: Creating (or renting or buying) a botnet

A DDoS attack usually requires a botnet—a network of internet-connected devices that have been infected with malware that allows hackers to control the devices remotely. Botnets can include laptop and desktop computers, mobile phones, IoT devices, and other consumer or commercial endpoints. The owners of these compromised devices are typically unaware they have been infected or are being used for a DDoS attack. 

Some cybercriminals build their botnets from scratch, while others purchase or rent preestablished botnets under a model referred to as “denial-of-service as a service”.

(NOTE: Not all DDoS attacks use botnets; some exploit the normal operations of uninfected devices for malicious ends. See ‘Smurf attacks,’ below.)

Stage 3: Launching the attack

Hackers command the devices in the botnet to send connection requests or other packets to the IP address of the target server, device, or service. Most DDoS attacks rely on brute force, sending a large number of requests to eat up all of the target’s bandwidth; some DDoS attacks send a smaller number of more complicated requests that require the target to expend a lot of resources in responding. In either case, the result is the same: The attack traffic overwhelms the target system, causing a denial of service and preventing legitimate traffic from accessing the website, web application, API, or network.

Hackers often obscure the source of their attacks through IP spoofing, a technique by which cybercriminals forge fake source IP addresses for packets sent from the botnet. In one form of IP spoofing, called “reflection,” hackers make it look like the malicious traffic was sent from the victim’s own IP address. 

Types of DDoS attacks

DDoS attack types are often named or described based on the terminology of the Open Systems Interconnection (OSI) Reference Model, a conceptual framework that defines seven network ‘layers’ (and is sometimes called the OSI 7-Layer Model).

Application layer attacks

As the name suggests, application layer attacks target the application layer (layer 7) of the OSI model—the layer at which web pages are generated in response to user requests. Application layer attacks disrupt web applications by flooding them with malicious requests.

One of the most common application layer attacks is the HTTP flood attack, in which an attacker continuously sends a large number of HTTP requests from multiple devices to the same website. The website cannot keep up with all of the HTTP requests, and it slows down significantly or crashes entirely. HTTP flood attacks are akin to hundreds or thousands of web browsers repeatedly refreshing the same webpage. 

Application layer attacks are relatively easy to launch but can be difficult to prevent and mitigate. As more companies transition to using microservices and container-based applications, the risk of application layer attacks disabling critical web and cloud services increases. 

Protocol attacks

Protocol attacks target the network layer (layer 3) and the transport layer (layer 4) of the OSI model. They aim to overwhelm critical network resources, such as firewalls, load balancers, and web servers, with malicious connection requests.

Common protocol attacks include:

SYN flood attacks. A SYN flood attack takes advantage of the TCP handshake, the process by which two devices establish a connection with one another.

In a typical TCP handshake, one device sends a SYN packet to initiate the connection, the other responds with a SYN/ACK packet to acknowledge the request, and the original device sends back an ACK packet to finalize the connection.

In a SYN flood attack, the attacker sends the target server a large number of SYN packets with spoofed source IP addresses. The server sends its response to the spoofed IP address and waits for the final ACK packet. Because the source IP address was spoofed, these packets never arrive. The server is tied up in a large number of unfinished connections, leaving it unavailable for legitimate TCP handshakes.

Smurf attacks. A smurf attack takes advantage of the Internet Control Message Protocol (ICMP), a communication protocol used to assess the status of a connection between two devices. In a typical ICMP exchange, one device sends an ICMP echo request to another, and the latter device responds with an ICMP echo reply.

In a smurf attack, the attacker sends an ICMP echo request from a spoofed IP address that matches the victim’s IP address. This ICMP echo request is sent to an IP broadcast network that forwards the request to every device on a given network. Every device that receives the ICMP echo request — potentially hundreds or thousands of devices — responds by sending an ICMP echo reply back to the victim’s IP address, flooding the device with more information than it can handle. Unlike many other types of DDoS attacks, smurf attacks do not necessarily require a botnet. 

Volumetric attacks

Volumetric DDoS attacks consume all available bandwidth within a target network or between a target service and the rest of the internet, thereby preventing legitimate users from connecting to network resources. Volumetric attacks often flood networks and resources with very high amounts of traffic, even compared to other types of DDoS attacks. Volumetric attacks have been known to overwhelm DDoS protection measures like scrubbing centers, which are designed to filter malicious traffic from legitimate traffic.

Common types of volumetric attacks include:

UDP floods. These attacks send fake User Datagram Protocol (UDP) packets to a target host’s ports, prompting the host to look for an application to receive these packets. Because the UDP packets are fake, there is no application to receive them, and the host must send an ICMP “Destination Unreachable” message back to the sender. The hosts’ resources become tied up in responding to the constant stream of fake UDP packets, leaving the host unavailable to respond to legitimate packets.

ICMP floods. Also called “ping flood attacks,” these attacks bombard targets with ICMP echo requests from multiple spoofed IP addresses. The targeted server must respond to all of these requests and becomes overloaded and unable to process valid ICMP echo requests. ICMP floods are distinguished from smurf attacks in that attackers send large numbers of ICMP requests from their botnets rather than tricking network devices into sending ICMP responses to the victim’s IP address. 

DNS amplification attacks. Here, the attacker sends several Domain Name System (DNS) lookup requests to one or many public DNS servers. These lookup requests use a spoofed IP address belonging to the victim and ask the DNS servers to return a large amount of information per request. The DNS server then replies to the requests by flooding the victim’s IP address with large amounts of data.  

Multivector attacks

As the name implies, multivector attacks exploit multiple attack vectors, to maximize damage and frustrate DDoS mitigation efforts. Attackers may use multiple vectors simultaneously or switch between vectors mid-attack, when one vector is thwarted. For example, hackers may begin with a smurf attack, but once the traffic from network devices is shut down, they may launch a UDP flood from their botnet. 

DDoS threats may also be used in tandem with other cyberattacks. For example, ransomware attackers may pressure their victims by threatening to mount a DDoS attack if the ransom is not paid. 

Why DDoS attacks are so pervasive

DDoS attacks have persisted for so long, and become increasing popular with cybercriminals over time, because

  • They require little or no skill to carry out. By hiring ready-made botnets from other hackers, cybercriminals can easily launch DDoS attacks on their own with little preparation or planning.

  • They are difficult to detect. Because botnets are comprised largely of consumer and commercial devices, it can be difficult for organizations to separate malicious traffic from real users. Moreover, the symptoms of DDoS attacks—slow service and temporarily unavailable sites and apps—can also be caused by sudden spikes in legitimate traffic, making it hard to detect DDoS attacks in their earliest stages.

  • They are difficult to mitigate. Once a DDoS attack has been identified, the distributed nature of the cyberattack means organizations cannot simply block the attack by shutting down a single traffic source. Standard network security controls intended to thwart DDoS attacks, such as rate limiting, can also slow down operations for legitimate users.

  • There are more potential botnet devices than ever. The rise of the Internet of Things (IoT) has given hackers a rich source of devices to turn into bots. Internet-enabled appliances, tools, and gadgets—including operational technology (OT) like healthcare devices and manufacturing systems—are often sold and operated with universal defaults and weak or nonexistent security controls, making them particularly vulnerable to malware infection. It can be difficult for the owners of these devices to notice they have been compromised, as IoT and OT devices are often used passively or infrequently.

DDoS attacks are becoming more sophisticated as hackers adopt artificial intelligence (AI) and machine learning (ML) tools to help direct their attacks. This has led to a rise in adaptive DDoS attacks, which use AI and ML to find the most vulnerable aspects of systems and automatically shift attack vectors and strategies in response to a cybersecurity team’s DDoS mitigation efforts. 

The growing cost, size and impact of DDoS attacks

The purpose of a DDoS attack is to disrupt system operations, which can carry a high cost for organizations. According to IBM’s Cost of a Data Breach 2022 report, service disruptions, system downtime, and other business interruptions caused by a cyberattack cost organizations USD 1.42 million on average. In 2021, a DDoS attack cost a VoIP provider nearly USD 12 million (link resides outside ibm.com).

The largest DDoS attack on record, which generated 3.47 terabits of malicious traffic per second, targeted a Microsoft Azure customer in November 2021 (link resides outside ibm.com). Attackers used a botnet of 10,000 devices from around the world to bombard the victim with 340 million packets per second.

DDoS attacks have also been used against governments, including a 2021 attack on Belgium (link resides outside ibm.com). Hackers targeted a government-run internet service provider (ISP) to sever the internet connections of more than 200 government agencies, universities, and research institutes.

Increasingly, hackers are using DDoS not as the primary attack, but to distract the victim from a more serious cybercrime—e.g., exfiltrating data or deploying ransomware to a network while the cybersecurity team is occupied with fending off the DDoS attack. 

DDoS protection, detection, and mitigation

DDoS mitigation and protection efforts typically rest on diverting the flow of malicious traffic as quickly as possible, such as by routing network traffic to scrubbing centers or using load balancers to redistribute attack traffic. Toward that end, companies aiming to shore up their defenses against DDoS attacks may adopt technologies that can identify and intercept malicious traffic, including:

  • Web application firewalls. Most organizations today use perimeter and web application firewalls (WAFs) to protect their networks and applications from malicious activity. While standard firewalls protect at the port level, WAFs ensure requests are safe before forwarding them to web servers. The WAF knows which types of requests are legitimate and which are not, allowing it to drop malicious traffic and prevent application-layer attacks.

  • Content delivery networks (CDNs). A CDN is a network of distributed servers that can help users access online services more quickly and reliably. With a CDN in place, users’ requests don’t travel all the way back to the service’s origin server. Instead, they are routed to a geographically closer CDN server that delivers the content. CDNs can help protect against DDoS attacks by increasing a service’s overall capacity for traffic. In the event that a CDN server is taken down by a DDoS attack, user traffic can be routed to other available server resources in the network.

  • SIEM (security information and event management). SIEM systems offer a range of functions for detecting DDoS attacks and other cyberattacks early in their lifecycles, including log management and network insights. SIEM solutions provide centralized management of security data generated by on-premises and cloud-based security tools. SIEMs can monitor connected devices and applications for security incidents and abnormal behavior, such as excessive pings or illegitimate connection requests. The SIEM then flags these anomalies for the cybersecurity team to take appropriate action.

  • Detection and response technologies. Endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR) solutions all use advanced analytics and AI to monitor network infrastructure for indicators of compromise—such as abnormal traffic patterns that may signify DDoS attacks—and automation capabilities for responding to ongoing attacks in real-time (e.g., terminating suspicious network connections). 
Related solutions
IBM Security QRadar NDR

Catch hidden threats lurking in your network, before it’s too late. IBM Security® QRadar® Network Detection and Response (NDR) helps your security teams by analyzing network activity in real time. It combines depth and breadth of visibility with high-quality data and analytics to fuel actionable insights and response.

Explore QRadar NDR
X-Force Incident Response Team

Get the security protection your organization needs to improve breach readiness with an incident response retainer subscription from IBM Security. When you engage with our elite team of IR consultants, you have trusted partners on standby to help reduce the time it takes to respond to an incident, minimize its impact and help you recover faster before a cybersecurity incident is suspected.

Explore incident response services
Threat intelligence services

Combine expertise with threat intelligence to enrich your threat analysis and automate your cyberthreat platform.             

Explore threat intelligence services
Resources What is a cyberattack?

A cyberattack attempts to steal sensitive information or disable critical systems through unauthorized access to computer networks or devices.

What is ransomware?

Ransomware is malware that holds victims' devices and data hostage until a ransom is paid.

What is incident response?

A formal incident response plan enables cybersecurity teams to limit or prevent damage from cyberattacks or security breaches.

Take the next step

Cybersecurity threats are becoming more advanced, more persistent and are demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM helps you remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others miss.

Explore QRadar SIEM Book a live demo