What is a distributed denial of service attack (DDoS)?

A denial of service attack or DoS attack can take down web­sites and online services. But how do denial of service attacks work? And how are DoS attacks different from DDoS attacks? Read more to find out.

What does DoS mean?

The term DoS stands for Denial of Service, which is a type of cyber attack where the target, such as a web­site, is flooded with traffic in order to disrupt its normal operations. Two of the general goals of DoS attacks are flood attacks where the target is flooded with traffic and attacks where the goal is to crash the targeted service.

Signs of a denial of service attack include:

  • slow internet connection or poor net­work performance
  • crashing of the device or online service
  • an unusual amount of traffic to a single target
  • difficulties in accessing or using an online service, such as a web­store

Although a slow internet connection, crashing and difficulties in using certain services can be indicators of a denial of service attack, there can be a harm­less explanation for these things as well. A web­site may slow down or crash when it suddenly receives more traffic than it is prepared for. For example, an online store is probably well prepared for a large number of shoppers during special sales, so the unusually high number of legitimate users is unlikely to have a negative impact on the site’s performance. A denial of service attack on the other hand happens unexpectedly and is some­thing the site is unlikely to expect.

A simple denial of service attack can also be used in online gaming to gain an unfair advantage against opponents by disrupting their internet connection. In a situation like this, one way to prevent a denial of service attack from happening is by changing your IP-address.

Distributed Denial of Service (DDoS)

Whereas a denial of service attack can be carried out by a single device, distributed denial of service attacks, or DDoS attacks, use multiple devices to attack their target. Because of this, DDoS attacks are able to over­whelm their targets with even greater amount of requests than a regular DoS attack. One way that DDoS attacks are able to use multiple sources at the same time is with some­thing known as a botnet.

What is a botnet?

Simply put, botnets are net­works of devices that have been hi­jacked to be used in a distributed denial of service attack. The devices in a botnet are infected with a piece of malware that takes over its victim. When the DDoS attack begins, the devices in a botnet all flood the attack’s target with requests simultaneously. As a consequence, the targeted service, such as a web­site reaches its capacity and its performance is greatly hindered.

Nowadays, all sorts of devices can be connected to the internet, including web­cams, home appliances, speakers and even smart toilets. This refers to Internet of Things or IoT. Although IoT provides numerous opportunities, it poses some threats as well. When devices are connected to the internet they are also susceptible to malware and can thus be used to carry out DDoS attacks as a part of a botnet.

One notable example of a botnet that exploited IoT devices is Mirai. It is responsible for one of the largest and best-known DDoS attacks on many large and widely used web­sites such as Twitter and Net­flix. The devices used in the Mirai-botnet attack included routers and web­cams.

What is the difference between a DoS and DDoS attack?

Although DoS and DDoS attacks are used for much of the same purpose, there are some notable differences between these two.

  • Amount of traffic: A distributed denial of service attack can send much more traffic to its target than a simpler DoS attack carried out by a single user and device.
  • The extent of damages: With a greater amount of traffic comes a larger impact on the target. At worst, a massive DDoS attack can even cause physical damage to its target, such as the server itself.
  • Protection and detection: As a distributed denial of service attack has multiple sources, its source is much more difficult to trace. The large flood of traffic from multiple sources also makes it more difficult to defend against a DDoS attack.

Normal denial of service attacks that do not require an expansive botnet are on the rise as the tools to pull off a DoS attack have become more accessible. With a user-friendly user inter­face, using these tools to flood servers with traffic does not require expert-level technical skills.

Three types of DDoS attacks

We can make a general distinction between three types of DDoS attacks. These are volumetric, application layer and protocol attacks. Let’s look at these three types of DDoS attacks in more detail.

Volumetric attacks

A volumetric DDoS attack aims to consume as much band­width with traffic as possible. The amount of traffic can be hundreds of giga­bytes or even tera­bytes every second. The goal of such an attack is to cause congestion on the targeted service or web­site. How­ever, volumetric attacks can also act as a way to hide other types of suspicious activity.

Application layer attacks

Application layer attacks (also known as layer 7 attacks) target specific points in the application layer. What makes an application layer attack different is that it is not targeted at the system as a whole but a specific point in it.

Protocol attacks

Whereas an application layer attack takes place in the so-called 7th layer, a protocol DDoS attack targets layers 3 and 4. This is the target server’s net­working layer. Protocol DDoS attacks are used to use up resources of the target’s fire­wall, for instance.

Stay protected from DDoS-bots with F‑Secure TOTAL

DDoS bots are malware just like any other. That’s why private persons should also take action to defend them­selves against them. F‑Secure TOTAL comes with an anti­virus that keeps you safe from malware that can make your device a part of a bot­net. Mean­while, F‑Secure’s versatile VPN allows you to browse online safely and in private. Read more about F‑Secure TOTAL and try it for free.

Read more