What Is A DDoS Attack?

Illustration of a DDoS attack - Wikimedia

Date First Published: 23rd June 2022

Topic: Cybersecurity

Subtopic: Threats To Systems, Data & Information

Article Type: Computer Terms & Definitions

Difficulty: Medium

Difficulty Level: 5/10

Learn more about what a DDoS attack is in this article.

DDoS stands for Distributed Denial Of Service. A DDoS attack occurs when an attacker floods a network or server with so much malicious traffic that it cannot operate and becomes unresponsive. Whilst DDoS attacks are usually aimed at web servers, any type of server or network can be DDoSed, including mail servers, private networks, nameservers and database servers. Engaging in a DDoS attack is known as DDoSing.

DDoS attacks are harmful, especially when they take large websites down during high-traffic periods. They also place excessive load on the affected servers and cause financial losses for businesses, particularly businesses that rely heavily on their networks or servers.

Signs Of A DDoS Attack

The signs of a DDoS attack are:

  • Suspicious amounts of traffic coming from one IP address.
  • An inability for a server to respond to requests for extended periods of time.
  • A suspicious flood of traffic coming from a single device type, web browser version, or geographic location.
  • Odd traffic patterns, such as spikes of traffic occurring every 30 minutes or at odd hours of the day.

How To Protect Against DDoS Attacks?

Web servers can be protected against DDoS attacks by CDNs, such as Cloudflare. Cloudflare helps protect websites against DDoS attacks by hiding the real IP address of the server behind Cloudflare's own IP addresses, so that the origin server cannot be targeted directly (this only holds for as long as the origin's real IP address stays hidden). Cloudflare can automatically detect and mitigate DDoS attacks. In addition, if a user tried to target the IP address of a website that uses Cloudflare, they would only be able to DDoS Cloudflare's servers.

Also, the IP addresses that a DDoS attack is coming from can be blocked in Cloudflare. However, blocking a single IP address is usually not enough to mitigate a DDoS attack, as attackers usually use many computers to carry out DDoS attacks.
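The signs listed above, and the point that blocking one address is rarely enough, can be checked against a web server's access logs with a short script. The following is an added example, not code from the original article: it parses constructed log lines in Combined Log Format, and the thresholds (50 requests per address, 80% of traffic from one user agent, a minute holding five times the median request count) are illustrative assumptions rather than recommended values.

```python
"""Check web-server access logs for the DDoS warning signs listed above.

Added example, not from the original article. The log lines are constructed
here in a simplified Combined Log Format, and every threshold is an
illustrative assumption rather than a recommended value.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyse(lines, per_ip_limit=50, ua_share=0.8, bucket_seconds=60, spike_factor=5):
    """Map each warning sign to what was found.

    single_ip:          addresses sending more than per_ip_limit requests
    single_user_agent:  a user agent behind at least ua_share of all requests
    traffic_spike:      start times of buckets holding spike_factor x the median
    """
    recs = [r for r in map(parse_line, lines) if r]
    findings = {"single_ip": [], "single_user_agent": [], "traffic_spike": []}
    if not recs:
        return findings

    per_ip = Counter(r["ip"] for r in recs)
    findings["single_ip"] = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)

    ua, n = Counter(r["ua"] for r in recs).most_common(1)[0]
    if n / len(recs) >= ua_share:
        findings["single_user_agent"].append(ua)

    # Count requests per time bucket and flag buckets far above the median bucket.
    buckets = Counter(int(r["ts"].timestamp()) // bucket_seconds for r in recs)
    counts = sorted(buckets.values())
    median = counts[len(counts) // 2]
    findings["traffic_spike"] = [
        datetime.fromtimestamp(b * bucket_seconds, tz=timezone.utc).isoformat()
        for b, n in sorted(buckets.items())
        if n >= spike_factor * median
    ]
    return findings


def build_sample_log():
    """Constructed sample: ten ordinary requests spread over ten minutes, then
    200 requests in one minute from 40 different addresses that all present
    the same user agent. No single address exceeds the per-IP limit, which is
    the situation in which blocking one address does not help."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    normal_uas = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/101.0",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_4) Safari/605.1.15",
        "Mozilla/5.0 (X11; Linux x86_64) Chrome/102.0.0.0",
    ]
    lines = [
        fmt.format(ip=f"198.51.100.{i + 1}", ts=f"23/Jun/2022:10:{i:02d}:15 +0000",
                   path=f"/page{i}", status=200, ua=normal_uas[i % 3])
        for i in range(10)
    ]
    lines += [
        fmt.format(ip=f"203.0.113.{i % 40 + 1}", ts=f"23/Jun/2022:10:30:{i % 60:02d} +0000",
                   path="/", status=200 if i < 100 else 503, ua="ExampleBot/1.0")
        for i in range(200)
    ]
    return lines


if __name__ == "__main__":
    for sign, hits in analyse(build_sample_log()).items():
        print(f"{sign}: {hits}")
```

Because the flood in the sample is spread across 40 addresses sending five requests each, the per-address check finds nothing, while the user-agent concentration and the one-minute spike both fire; that is exactly the gap a single-IP block leaves.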

SYN Flood Attacks

A SYN flood is a type of DDoS attack in which an attacker tries to make a server unavailable by continually sending connection request (SYN) packets without ever completing the connection. This type of DDoS attack exploits a weakness in the TCP three-way handshake and causes the targeted server to respond to legitimate traffic slowly or not at all.

In the third step of the TCP handshake, the server waits for the client's final ACK packet. In a SYN flood that ACK never arrives; instead, the attacker keeps sending new SYN packets. Every time a new SYN packet arrives, the server temporarily holds open a new port connection for a certain period of time. Once all the available ports have been used up, the server is unable to function properly.

In this type of DDoS attack, the targeted server is constantly left with open connections and has to wait for each one to time out before its port becomes available again. When the server is holding a connection open but the computer on the other side is not, the connection is described as half-open.
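To make the half-open mechanism concrete, here is an added example (not from the original article) that models the server's table of half-open connections in abstract time steps: a fixed number of slots, each held until the final ACK arrives or a timeout expires. The capacity, timeout and arrival rates are assumptions chosen for illustration; the model sends no packets, it only shows how the table fills and why the hold time matters.

```python
"""Model of the table of half-open connections a server keeps while it waits
for the final ACK of the TCP handshake, showing why a SYN flood exhausts it
and how the hold time of each entry decides the outcome.

Added example, not from the original article. Capacity, timeout and rates
are illustrative assumptions in abstract time steps, not values from any
real TCP stack; no packets are sent.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    capacity: int       # half-open entries the listener can hold
    timeout: int        # time steps an entry waits for the final ACK
    entries: dict = field(default_factory=dict)   # client key -> expiry step

    def expire(self, now):
        """Drop entries whose wait for the final ACK has timed out."""
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def on_syn(self, key, now):
        """Steps 1 and 2: record the client and answer with SYN-ACK.
        Returns False when the table is full, i.e. the SYN is dropped and
        the client never gets its SYN-ACK."""
        self.expire(now)
        if key in self.entries:
            return True                      # retransmitted SYN, already tracked
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = now + self.timeout
        return True

    def on_ack(self, key, now):
        """Step 3: the final ACK completes the handshake and frees the entry."""
        self.expire(now)
        return self.entries.pop(key, None) is not None


def simulate(capacity, timeout, flood_per_step, steps=600, legit_every=10):
    """Run the model and return (attempts, successes) for one legitimate
    client that sends a SYN every `legit_every` steps and its ACK on the
    next step, while `flood_per_step` SYNs arrive each step from fresh
    spoofed sources that never send an ACK."""
    table = HalfOpenTable(capacity, timeout)
    attempts = successes = 0
    pending = None            # legitimate handshake still waiting for its ACK
    spoofed = 0               # counter that fabricates distinct flood sources
    for now in range(steps):
        if pending is not None:
            if table.on_ack(pending, now):
                successes += 1
            pending = None
        if now % legit_every == 0:
            attempts += 1
            key = ("192.0.2.10", 40000 + now)   # documentation address (RFC 5737)
            if table.on_syn(key, now):
                pending = key
        for _ in range(flood_per_step):
            spoofed += 1
            table.on_syn(("spoofed", spoofed), now)
    return attempts, successes


if __name__ == "__main__":
    # 2 flood SYNs per step held for 300 steps demand 600 slots of a 256-slot table.
    print("no flood:             ", simulate(256, 300, 0))
    print("flood, 300-step hold: ", simulate(256, 300, 2))
    print("flood, 50-step hold:  ", simulate(256, 50, 2))
```

With two unacknowledged SYNs per step held for 300 steps, the 256-slot table is full from step 128 and the legitimate client completes only 26 of its 60 handshakes, recovering briefly once the oldest flood entries time out and losing its slots again as soon as the flood refills them; cutting the hold time to 50 steps keeps the steady-state occupancy near 100 and every legitimate handshake completes. Real stacks address the same problem with SYN cookies and adaptive backlog handling rather than with timeouts alone.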

HTTP Flood Attacks

An HTTP flood is a type of DDoS attack in which large numbers of HTTP requests flood the server, causing it to become unresponsive. This is often accomplished using multiple computers and is similar to pressing refresh in a web browser over and over again on lots of different computers at once.

Difference Between A DoS Attack and A DDoS Attack

DoS attacks and DDoS attacks look similar, but they are slightly different types of cyberattacks. A DDoS attack uses multiple computers to flood a network or server with data packets and bring it down. DDoS attacks are more common than DoS attacks.

DoS attacks come from a single computer and are less harmful than DDoS attacks. A single computer is easy to block, because servers and networks have firewalls and other security software installed. That is why most attackers use multiple computers to carry out a DDoS attack. Attackers may use a botnet to control many computers at once, which makes it much harder to tell the DDoS attack traffic apart from legitimate traffic.

When the botnet targets the victim's server or network, it sends an excessive number of requests. If the server or network cannot keep up with that number of requests, they are queued, causing slow response times or no response at all. Once the network or server has gone down and is unable to respond to legitimate requests, the DDoS attack has succeeded. Web servers may respond with a 503 (Service Unavailable) error while they are under a DDoS attack, which means that the server cannot currently handle the request. DDoS attacks can last for several hours or days.

Why Do Attackers DDoS?

Attackers often DDoS for the following reasons:

Wanting to cause trouble

Some people simply enjoy causing trouble for others. DDoS attacks can bring down the websites of large businesses and cause hours or days of downtime, and the havoc this creates encourages such attackers to DDoS even more servers or networks.

Financial reasons

DDoS attacks may be performed for financial reasons. It could be that the attacker is DDoSing a competitor in the marketplace to harm their reputation.

Political reasons

DDoS attacks may be performed for political reasons. It could be that the attacker dislikes the beliefs of the targeted organisation and wants to DDoS its network or server to spite it.

How Does The Attacker Get Other Computers Involved In The DDoS Attack?

In order to get multiple computers involved in the DDoS attack, attackers often use malware and distribute it over a network or through email attachments. When a user opens the email attachment or malicious program, their computer is infected without them knowing that anything has been installed. Their computer then becomes part of an army of other infected computers that can be used to perform a DDoS attack, which is called a botnet.

The botnet can then be controlled by the attacker, who sends commands to all the computers instructing them to DDoS a target at a certain date and time. Once that date and time is reached, the DDoS attack begins.

Note: Botnets are not limited to just a few computers. Botnets can consist of hundreds or even thousands of computers located all around the world.

History

The first known DoS attack took place on 6th September 1996, when Panix, one of the oldest ISPs, received a SYN flood attack that caused it to go offline for several days.
