Distributed denial of service (DDoS)

A DDoS attack is a form of cyberattack in which the perpetrators seek to disrupt or crash a website, network or other online service by overloading it with a high volume of fake or junk requests.

5 min read

5 min read

What motivates a DDoS attack?

There are several motivations for a DDoS attack. For cybercriminals, these typically include earning money by selling DDoS attacks as a service, blackmailing potential targets into paying a ransom, hacktivism and gaining a competitive advantage.

Sophisticated threat groups are known to use DDoS attacks mostly as a part of or as a distraction from other, more severe activities such as cyberespionage and cybersabotage.

How do DDoS attacks work?

Perpetrators of DDoS attacks use networks of distributed, compromised devices to disrupt systems by targeting one or more of the components necessary to establish a connection (see the OSI model) to a network resource.

Some of the most common attacks include:

Volumetric attacks are one of the oldest types of DDoS attacks. They utilise large volumes of traffic to fill the bandwidth capacity between the victim’s network and the Internet or the capacity within the victim’s network. The largest volumetric attacks are (currently) measured in Terabits per second (Tbps) equivalent to roughly 9,000 average Internet connections. For example, during a User Datagram Protocol (UDP) flood attack, the attackers overwhelm the targeted remote server by requesting information from an application listening on a specific port. The server checks, and/or replies to, every such demand, ultimately running out of bandwidth and becoming unreachable.

Protocol attacks. Per its name, protocol attacks misuse the design of the underlying communication protocol (OSI model layers 3 and 4) to exhaust the resources of the targeted system. One example of a protocol attack is SYN flood, which sends a large number of specific requests to the targeted server yet leaves replies to those requests without further action, keeping the “three way handshake” incomplete. When the number of unfinished connections exhausts the capacity of the server, it becomes unreachable for legitimate connections. Protocol attacks use specifically crafted packets to achieve their malicious goals and are thus measured in packets per second (PPS). The largest recorded attacks have reached hundreds of millions.

Application layer attacks (OSI model layer 7) target public facing applications via a high volume of spoofed or bogus traffic. An example of an application layer DDoS attack is an HTTP flood, which floods a specific web server with otherwise legitimate HTTP GET and HTTP POST requests. Even though the server might have enough bandwidth, it is forced to process a large number of bogus requests instead of their legitimate counterparts, thus running out of processing capacity. Application layer attacks are measured in tens of millions of requests per second (RPS).

Denial of service (DoS) vs Distributed denial of service (DDoS)

As the name suggests, the difference is mostly in the number of attacking machines. In the case of DoS, the attack typically utilises a script or tool, originates from a single device and targets one specific server or endpoint. In contrast, DDoS attacks are executed by a large network of attacker controlled compromised devices also known as a botnet and can be used to overload selected devices, applications, websites, services or even victims’ whole networks.

How do you know if your organisation is experiencing a DDoS attack?

The most obvious telltale sign of a DDoS attack is poor performance or the unavailability of the targeted system or service. In case of a website, this might translate into long load times or inaccessibility to people inside and outside the organisation. There are also publicly available services monitoring DDoS attacks such as downforeveryoneorjustme.com or downdetector.com

Read more

A DDoS attack can also be identified via the monitoring and analysis of network traffic that identifies bogus or junk requests overloading one or more company systems. In some cases, an extortion message can also point to a possible or ongoing DDoS attack, demanding a ransom for dropping your organisation from the list of future targets or for ceasing an ongoing attack.

7 reasons why your organisation should care about DDoS attacks

  1. An organisation under a DDoS attack will always lose revenue due to its website, services or systems being unresponsive. Mitigating an incident also additionally strains the security budget.
  2. According to several established vendors monitoring the DDoS scene, the number of incidents has been rapidly growing in the last three years.
  3. DDoS attacks are also becoming more powerful; some are even strong enough to disrupt global services. While 2020 saw its largest (network layer) attacks exceed the 1 Tbps threshold, in 2021, a few notable incidents were already well in the 2-3 Tbps area. When counting requests per second (RPS), at least two DDoS attacks in 2021 (reported by Cloudflare and Yandex) have passed into the 15+ million RPS territory.

More reasons

4. Organisations don’t have to be the primary target to feel the impact of a DDoS attack, especially if it disrupts the vital parts of Internet infrastructure such as local or regional ISPs. In 2016, criminals flooded the servers of the major DNS provider Dyn. Other major online services became unavailable due to this DDoS attack, including Twitter, Reddit, Netflix and Spotify.

5. Some cybercriminal actors threaten to use their botnets for a DDoS attack against a specific organisation unless a payment is made. These attacks are called DDoS ransom attacks and do not require the attacker to gain access to their targets’ networks.

6. Since 2020, DDoS attacks against victims’ websites have also become a part of the “triple extortion” scheme used by high profile ransomware gangs, adding DDoS on top of stealing and encrypting targets’ data.

7. There are DDoS for hire services on the dark web that allow even inexperienced actors who have the money and motivation, such as gaining an advantage over a competitor, to organise a DDoS attack.

What can your organisation do to protect itself from DDoS attacks?

DDoS attacks can be hard to mitigate for organisations that don’t have the right resources, such as hardware or sufficient bandwidth. However, there are things even small and medium companies can do to increase their protection:

  • Monitor your network traffic and learn to identify anomalies in the Internet traffic. This way, you can identify bogus or fake requests that are flooding your systems and block them.
  • Have a disaster recovery plan in case a DDoS attack strikes your website or systems. This might include having backup servers, website and alternative communication channels.
  • Consider moving to the cloud. This will not eliminate the threat but it can help mitigate attacks due to the higher bandwidth and resilience of cloud infrastructure.
  • If you have already been targeted with a DDoS or are at risk, consider using DoS and DDoS protection services that can help you mitigate the impact of an attack.
  • Don’t let your devices become part of a botnet that can contribute to a DDoS attack. Make sure you follow the rules of good cyberhygiene, keep all your devices and their software up to date and protect them by installing a multilayered security solution.

Prevent DDoS attacks now


Get effective protection with the capabilities to mitigate the risks related to DDoS attacks. ESET multilayered endpoint security solutions use sophisticated Network attack protection technology with advanced filtering and packet inspection to prevent disruptions.