What is a distributed denial of service attack (DDoS)?
A Distributed Denial of Service (DDoS) attack is a cyber attack designed to make a computer or network resource unavailable to its intended users by overwhelming it with excessive internet traffic. Unlike a simple Denial of Service (DoS) attack, which can be executed by a single device, a DDoS attack leverages multiple compromised devices, known as a botnet, to launch a coordinated assault.
A DDoS attack is essentially a more sophisticated form of a DoS attack, intended to disrupt the normal functioning of a targeted system or network. By coming from multiple sources, DDoS attacks are more powerful and harder to stop, draining a system’s resources and making it difficult or even impossible for legitimate users to access the service.
DoS attacks: definition and meaning
DoS, or Denial of Service, is a type of cyberattack designed to disrupt a target’s normal operations — often a website — by overwhelming it with excessive traffic. These attacks generally fall into two categories: flood attacks, which inundate the target with high traffic volumes, and attacks that aim to crash the targeted service. DoS attacks can severely hinder legitimate traffic, negatively affecting business operations and reputation.
Signs of a DoS attack include:
slow internet connection or poor network performance
crashing of the device or online service
an unusual amount of traffic to a single target
difficulties in accessing or using an online service, such as a webstore
A slow internet connection, crashes, or difficulty using certain services can indicate a DoS attack, though they may also have harmless explanations. For instance, a website might slow down or crash due to an unexpected surge in legitimate traffic. An online store, for example, is often prepared for high traffic during special sales, making performance disruptions less likely. In contrast, a DoS attack strikes without warning, catching the target website unprepared.
This type of attack could also be used in online gaming to gain an unfair advantage by disrupting an opponent's internet connection. In such cases, one effective way to prevent a DoS attack is by changing your IP address.
DDoS attacks: definition and significance
While a denial-of-service (DoS) attack can be carried out by a single device, a distributed denial-of-service (DDoS) attack involves multiple devices targeting the same system. As a result, DDoS attacks can overwhelm their targets with far more requests than a typical DoS attack. These attacks often target high-profile web servers, such as those of banks or payment gateways, to disrupt critical services. DDoS attacks achieve this scale by utilizing a botnet — a network of compromised devices working together.
What’s a botnet?
A botnet is a network of devices that have been hijacked and used in a DDoS attack. These devices are infected with malware that gives attackers control over them. During a DDoS attack, all the devices in a botnet flood the target with requests simultaneously. This overwhelms the targeted service — such as a website — causing it to reach its capacity and significantly hindering its performance.
Today, all kinds of devices can connect to the internet, including webcams, home appliances, speakers, and even smart toilets. Collectively referred to as the Internet of Things (IoT), these devices offer many opportunities but also introduce vulnerabilities. When connected to the internet, IoT devices are susceptible to malware, making them potential participants in botnet-driven DDoS attacks.
One notable example of a botnet exploiting IoT devices is Mirai, responsible for one of the largest and most well-known DDoS attacks. This attack targeted major websites like Twitter and Netflix, using devices such as routers and webcams to carry out its assault. To mitigate the impact of botnet-driven attacks, implementing robust antivirus software, such as F-Secure Total, is essential.
Differences between DoS and DDoS attacks
Although DoS and DDoS attacks share a similar purpose, there are notable differences between them:
Amount of traffic: a DDoS attack can send significantly more traffic to its target compared to a simpler DoS attack, which is typically carried out by a single user and device.
Extent of damage: the larger volume of traffic in a DDoS attack results in a greater impact on the target. In extreme cases, a massive DDoS attack can even cause physical damage, such as harming the server hardware.
Protection and detection: DDoS attacks are harder to trace because they originate from multiple sources. This distributed nature, combined with the sheer volume of traffic, also makes them more difficult to defend against compared to DoS attacks.
Traditional denial of service attacks are on the rise due to the increased accessibility of tools designed to execute them. These tools often feature user-friendly interfaces, enabling individuals with minimal technical expertise to flood servers with traffic.
How DDoS attacks work
DDoS attacks work by inundating a targeted system with a massive amount of traffic from multiple sources, making it challenging for the system to differentiate between legitimate and malicious traffic. This flood of requests can cause the system to slow down, become unresponsive, or even crash entirely. Network layer attacks, for instance, are characterized by high traffic volumes and target the network infrastructure itself.
DDoS attacks are generally categorized into three types: volumetric attacks, application-layer attacks, and protocol attacks.
Volumetric attacks
A volumetric DDoS attack aims to consume as much bandwidth with traffic as possible. The amount of traffic can be hundreds of gigabytes or even terabytes every second. The goal of such an attack is to cause congestion on the targeted service or website. However, volumetric attacks can also act as a way to hide other types of suspicious activity.
Application layer attacks
Application layer attacks (also known as layer 7 attacks) target specific points in the application layer. What sets an application layer attack apart is that it is aimed not at the system as a whole but at one specific point within it.
Protocol attacks
Whereas an application layer attack takes place in the so-called 7th layer, a protocol attack — one of the primary types of DDoS attacks — targets layers 3 and 4, which are the target server’s networking layers. Protocol attacks aim to exhaust the resources of servers and intermediate devices such as firewalls, disrupting communication.
Reasons for DDoS attacks
DDoS attacks can be motivated by a variety of reasons, including:
Extortion: attackers may use DDoS attacks to extort money from an organization by threatening to disrupt their online services unless a ransom is paid.
Hacktivism: hacktivists often deploy DDoS attacks to make political or social statements, targeting organizations they oppose to disrupt their operations.
Business competition: rival businesses may use DDoS attacks to sabotage a competitor’s online services, seeking to gain an unfair advantage in the market.
Cyber vandalism: some individuals or groups launch DDoS attacks simply to create chaos and disruption online, often without financial or political motives.
DDoS-for-hire
DDoS-for-hire platforms, known as booter or stresser services, offer DDoS attacks for a fee, allowing anyone to target websites, networks, or applications without technical expertise. Operating on a subscription model, customers can select attack types, durations, and intensities.
These services pose serious risks to businesses, causing downtime, lost revenue, and reputational harm. Often hosted on the dark web, they are difficult for law enforcement to track and shut down.
To counter these threats, organizations should deploy robust DDoS protection that detects and mitigates attacks in real time. Monitoring for suspicious activity and reporting it to authorities can further strengthen defenses against these malicious platforms.
DDoS attack detection and response
Detecting and responding to a DDoS attack requires a combination of technical and non-technical measures. Common signs of a DDoS attack include:
Unusual traffic patterns: a sudden, unexpected spike in traffic can signal a potential DDoS attack.
Slow or unresponsive systems: if a system becomes unusually slow or unresponsive, it may be under attack.
Error messages: alerts or error messages from security systems may indicate a DDoS attack is in progress.
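The first sign above, an unexpected traffic spike, can be turned into concrete detection logic. This is an added example, not code from the article or from F-Secure; it assumes a simple constructed log format (timestamp, client IP, method, path, status) and illustrative thresholds, and it also labels a spike as distributed or single-source, which is the DoS versus DDoS distinction the article draws.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): two quiet seconds, then a
# second in which 40 distinct client IPs hammer the same page and get 503s.
SAMPLE_LOG = (
    "2024-05-01T12:00:00 203.0.113.5 GET /index.html 200\n"
    "2024-05-01T12:00:00 203.0.113.9 GET /cart 200\n"
    "2024-05-01T12:00:01 198.51.100.2 GET /index.html 200\n"
    + "".join(f"2024-05-01T12:00:02 192.0.2.{i} GET /index.html 503\n"
              for i in range(1, 41))
)

# Assumed log layout: "<iso-timestamp> <client-ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    """Yield (second, client_ip) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

def per_second_stats(log_text):
    """Return {second: (request_count, distinct_client_ips)}."""
    counts, sources = Counter(), defaultdict(set)
    for second, ip in parse(log_text):
        counts[second] += 1
        sources[second].add(ip)
    return {s: (counts[s], len(sources[s])) for s in counts}

def classify_flood(log_text, baseline_rps=5, spike_factor=4, min_sources=10):
    """Flag every second whose request count reaches spike_factor * baseline_rps
    (the 'sudden, unexpected spike'). A flagged second is labelled
    'distributed' when at least min_sources distinct IPs took part, which is
    what separates a DDoS from a single-device DoS; otherwise 'single-source'.
    The thresholds are illustrative assumptions, not tuned values."""
    alerts = []
    for second, (count, n_src) in sorted(per_second_stats(log_text).items()):
        if count >= spike_factor * baseline_rps:
            kind = "distributed" if n_src >= min_sources else "single-source"
            alerts.append((second.isoformat(), count, n_src, kind))
    return alerts
```

In practice the baseline would be learned from the site's own history rather than fixed, and a legitimate sales surge (many sources, normal status codes) is the false positive the article warns about, so the status-code mix is worth adding as a second signal.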
To effectively respond to a DDoS attack, organizations should have an incident response plan that includes:
Activating DDoS protection solutions: implementing solutions that can detect and mitigate attacks is critical.
Notifying stakeholders: keeping customers, employees, and other stakeholders informed about the attack and response efforts is essential.
Collaborating with law enforcement: coordinating with law enforcement can help identify and prosecute the attackers.
DDoS mitigation and protection
DDoS mitigation is essential for protecting your online presence against cyber threats. A robust DDoS protection solution can detect and mitigate attacks in real time, ensuring legitimate traffic flows uninterrupted. Key techniques include traffic filtering, rate limiting, and IP blocking, often implemented with tools like firewalls, intrusion detection systems, and content delivery networks (CDNs).
To effectively mitigate DDoS attacks, organizations should use a multi-layered defense strategy, including:
Network infrastructure protection: secure devices like routers and switches.
Application layer protection: shield web applications from specific vulnerabilities.
Traffic filtering: block malicious traffic to prevent system overload.
Rate limiting: control traffic flow to avoid excessive load.
IP blocking: block traffic from malicious IP addresses to cut off attack traffic at its source.
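Rate limiting and IP blocking from the list above, combined in one mechanism. This is an added example, not code from the article or from F-Secure; it assumes a per-client token bucket in front of the application and illustrative limits (5 requests per second, a burst of 10, a 60-second block after 20 rejected requests).

```python
import time
from collections import defaultdict

class SourceRateLimiter:
    """Per-client-IP token bucket: each source may burst up to `burst`
    requests and is then refilled at `rate` requests per second. A source
    that keeps exceeding its limit is blocklisted for `block_seconds`, so its
    requests are dropped before they reach the application (IP blocking).
    All limits are illustrative assumptions."""

    def __init__(self, rate=5.0, burst=10, block_after=20, block_seconds=60.0):
        self.rate, self.burst = rate, burst
        self.block_after, self.block_seconds = block_after, block_seconds
        self.tokens = {}              # ip -> (tokens_left, last_refill_time)
        self.violations = defaultdict(int)
        self.blocked_until = {}       # ip -> timestamp when the block expires

    def allow(self, ip, now=None):
        """Return True if the request may pass, False if it is dropped."""
        now = time.monotonic() if now is None else now
        if self.blocked_until.get(ip, 0.0) > now:
            return False
        tokens, last = self.tokens.get(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.tokens[ip] = (tokens - 1.0, now)
            return True
        self.tokens[ip] = (tokens, now)
        self.violations[ip] += 1
        if self.violations[ip] >= self.block_after:
            self.blocked_until[ip] = now + self.block_seconds
            self.violations[ip] = 0
        return False

def simulate(limiter, requests):
    """Feed (ip, timestamp) pairs through the limiter; return
    {ip: (allowed, dropped)} so the effect per source is visible."""
    stats = defaultdict(lambda: [0, 0])
    for ip, t in requests:
        stats[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}
```

Per-source limits blunt a single-device flood while a normal user is never touched, but a botnet that spreads requests thinly across thousands of IPs stays under each bucket, which is why the article pairs rate limiting with upstream traffic filtering and CDNs.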
An incident response plan is also crucial, outlining procedures to detect and mitigate attacks and minimize their impact. By implementing these measures, organizations can safeguard against DDoS attacks and ensure business continuity.