If you run an online business, slow performance and downtime are your worst enemies — they result in lost sales, missed conversions, and a damaged reputation. Often, these website-related issues are due to poor server infrastructure or unusual spikes in traffic. However, sometimes there’s something more sinister at hand.
While new cyberattack methods are constantly developed to outwit improvements in cybersecurity, some tried-and-true methods are likely to stick around for a while. Among the most infamous is the distributed denial-of-service attack, or DDoS attack for short.
DDoS attacks have gone up dramatically in recent years, and this form of attack is responsible for repeated incidents against companies like Amazon and the BBC. However, you don’t need to be a high-profile corporate enterprise to fall victim to a DDoS attack. If you run a website, it’s in your best interest to understand one of the most common cybercrimes.
So, what exactly is a DDoS attack? In this guide, we’ll discuss what DDoS and DoS mean, how DDoS attacks are carried out, and why your business might be targeted.
What is a DDoS Attack?
A distributed denial-of-service (DDoS, often pronounced dee-dos) attack is a cyberattack that attempts to slow or crash a website or web service by overloading its server or network resources with web traffic.
DDoS attacks are usually accomplished with botnets, massive networks of compromised computers, or bots, controlled by hackers. The botnet targets a single web service, overwhelming it with requests. Ultimately, this makes the target service unavailable to its normal users — in other words, it denies them service.
DDoS attacks work because every web service is limited in the number of requests it can handle at once. Upon a sudden influx of traffic, an unprepared web server will struggle to accept and respond to requests. The effect is similar to a traffic spike during a big event, like Cyber Monday or the Super Bowl. The difference is that DDoS traffic is intentional, and it brings no customers with it.
DDoS-ing is an especially difficult attack to prevent. Since server requests are arriving from thousands of inconspicuous locations, targeted sites often cannot distinguish normal traffic from malicious traffic. It’s like if you organized 1000 of your friends to call the same takeout restaurant at the same time. It would be impossible for the restaurant to fulfill all of these orders at once, and they wouldn’t be able to tell normal customers apart from those involved in your plan.
What happens after a successful DDoS attempt? Like other cyberattacks, DDoS attacks disrupt business and lead to lost conversions and sales. A typical attack can bring a website down for two to twelve hours, resulting in tens or hundreds of thousands of dollars in lost revenue.
Getting DDoS-ed also damages reputation. In our restaurant analogy, customers who can’t get an order will blame the restaurant. They won’t know about your evil plan, but they will know they’re not getting their sandwiches. Similarly, users of an affected website will see that your website is down, and that’s all they’ll care about.
What is the difference between a DoS attack and a DDoS attack?
A DDoS attack is one type of denial-of-service (DoS) attack. A DoS attack is any cyberattack that aims to make an online service inaccessible to its users. On its own, the term “DoS” usually refers to an attack launched from a single device. Because all of that traffic comes from one source address, it is generally easier to thwart: the target can simply block that address, and a single machine rarely has enough bandwidth to overwhelm a production web server by itself.
On the other hand, DDoS attacks harness thousands of devices to send requests at once — this makes them distributed DoS attacks. These large attack networks can be incredibly powerful, which is why almost all large-scale DoS events are DDoS attacks.
What Happens During a DDoS Attack?
All DDoS attacks begin with assembling a botnet. Through a variety of means (phishing, malicious downloads, default or stolen passwords, unpatched software, etc.), a cybercriminal gains access to thousands or even millions of networked devices and plants malware on them, converting them into bots (also called “zombies”) inside the botnet. This malware lets the attacker issue commands to every device from a single command-and-control point.
Hackers can turn almost any networked device into a bot, from personal computers and servers to virtual assistants and internet-connected appliances. The rise of the Internet of Things has made these attacks more effective by providing more fodder for botnets: devices that ship with default passwords and rarely receive updates can be hijacked without the owner realizing it.
With the botnet in place, a hacker can employ one or more DDoS methods to harm their target. There are several types of DDoS attacks, each targeting a different part of the network. We can group these attacks into three broad categories: application layer attacks, protocol layer attacks, and volumetric attacks.
Application Layer DDoS Attack
An application layer DDoS attack exploits the application layer of the OSI model where clients directly interact with the web service. The application layer fields and responds to HTTP requests, which are what browsers send to web servers when they want to view a web page. These attacks are also called layer 7 DDoS attacks, as they target the seventh layer of the OSI model.
The goal of an application layer attack is to overload the target web server with HTTP requests. A single HTTP request costs a bot almost nothing to send, but can be relatively expensive for the server to process, especially a request that triggers a database query, a search, or a page that is built dynamically rather than served from cache. Application layer DDoS attacks exploit this asymmetry, sending high volumes of simultaneous and deliberately expensive requests to slow down or take down a server.
What’s worse, this form of attack is especially hard to spot, since bot traffic looks like normal traffic at first: it is just devices making HTTP requests, after all. Attackers can ramp up the request rate gradually without the target noticing, then suddenly induce a spike that crashes the target.
Common application layer attacks include HTTP floods, in which a botnet sends thousands or millions of page requests at once, and DNS floods, which seek to overwhelm one or more DNS servers so that they can no longer resolve domain names to IP addresses. Because each individual request is well formed, defenders usually have to rely on per-client rate limiting and on telling bot behavior apart from human browsing rather than on rejecting malformed traffic.
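As an added example (not code from the original article), here is the kind of per-client check a rate limiter or log-analysis job makes to surface an HTTP flood. It parses a handful of constructed access-log lines in the common “combined” format, counts each source’s requests in a sliding ten-second window, and flags sources that exceed a threshold. The IP addresses, window and threshold are illustrative assumptions; real traffic needs tuning, and a flood spread across many sources at a low per-source rate will not trip a per-IP limit on its own.

```python
"""Flag HTTP-flood sources in web-server access logs with a sliding window.

Added example, not code from the original article. The log lines are
constructed ('combined' log format) and the window/threshold are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: client IP, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request_line), or None if the line is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flag_flooders(lines, window=timedelta(seconds=10), max_requests=20):
    """Return {ip: peak_requests_in_window} for every source that exceeded the limit.

    For each source keep the timestamps of its recent requests, evict the ones
    older than `window`, and remember the largest count seen. Every flood request
    is a well-formed GET, so the per-source rate is what distinguishes it.
    Lines must be in chronological order, as they are in a log file.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip junk lines rather than crash mid-file
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def make_sample_log():
    """Constructed sample: two ordinary visitors plus one bot hitting /search 5x per second."""
    start = datetime(2021, 1, 29, 7, 0, 0, tzinfo=timezone.utc)
    events = []
    for s in range(0, 60, 3):                      # visitor A: one page every 3 s
        events.append((start + timedelta(seconds=s), "203.0.113.5", "/products"))
    for s in (5, 17, 41):                          # visitor B: three pages in a minute
        events.append((start + timedelta(seconds=s), "198.51.100.7", "/"))
    for s in range(30):                            # bot: 5 expensive searches per second for 30 s
        for _ in range(5):
            events.append((start + timedelta(seconds=s), "192.0.2.44", "/search?q=a"))
    events.sort(key=lambda e: e[0])                # interleave as a real log would
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120'
        for ts, ip, path in events
    ]


def detect_sample():
    """Run the detector over the constructed log; only the bot should be flagged."""
    return flag_flooders(make_sample_log())


if __name__ == "__main__":
    for ip, n in detect_sample().items():
        print(f"{ip}: {n} requests within 10 s")   # 192.0.2.44: 55 requests within 10 s
```

The visitors peak at four requests per ten seconds, while the bot reaches 55, so a threshold of 20 separates them cleanly here. The same loop can key on a session cookie or API token instead of the IP address, which matters when many real users sit behind one NAT address.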
Protocol Layer DDoS Attack
A protocol layer DDoS attack aims lower in the stack, at layers three and four of the OSI model (the network and transport layers). These are the layers that set up and track connections between networked devices, and it is the state they keep per connection that the attacker goes after.
A protocol layer attack abuses the protocols that govern how computers talk to each other. It sends a stream of bogus connection attempts or malformed packets, each of which forces the target (or a firewall or load balancer in front of it) to allocate state or processing time. Servers can absorb a few of these faulty requests without trouble, but not thousands or millions at once; once the connection table or processing capacity is full, legitimate connections are dropped.
A common example is a SYN flood, which turns the Transmission Control Protocol (TCP), the protocol that governs how two computers establish a connection, against itself. A TCP connection begins with a three-way handshake: the client sends a SYN packet to the server, the server replies with a SYN-ACK and records the connection as half-open, and the client finishes by sending an ACK. Only then is the connection established.
Bots in a SYN flood send SYN packets with spoofed source IP addresses. The target server dutifully replies with a SYN-ACK to each forged address and waits for an ACK that never comes, because the spoofed hosts never sent a SYN. The queue of half-open connections fills up, memory and processing time are spent tracking them, and new SYNs from real clients are dropped. Modern operating systems mitigate this with SYN cookies, which encode the half-open state in the server’s initial sequence number instead of storing it, so the server keeps no per-connection state until the final ACK arrives.
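The handshake and the flood described above, as an added example that is not part of the original article: a small Python model of the server side of the TCP three-way handshake. BacklogListener keeps a half-open entry per SYN and refuses new SYNs once its queue is full; SynCookieListener keeps no half-open state at all, encoding an HMAC over the connection tuple in its sequence number and verifying it when the ACK arrives. The class names, backlog size, cookie layout and secret are assumptions for illustration, not the layout any real kernel uses.

```python
"""SYN flood against a fixed-size half-open queue, and why SYN cookies survive it.

Added example, not code from the original article: a toy model of the server side
of the TCP three-way handshake, not a packet-level implementation. The class names,
backlog size, cookie layout and secret are assumptions made for illustration.
"""
import hashlib
import hmac
import itertools
import random


class BacklogListener:
    """Stateful handshake: each SYN reserves a half-open slot until its ACK arrives."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}                      # (src_ip, src_port) -> ISN we sent
        self.established = set()
        self._isn = itertools.count(1000)

    def on_syn(self, src_ip, src_port):
        """Return the SYN-ACK sequence number, or None if the SYN had to be dropped."""
        key = (src_ip, src_port)
        if key not in self.half_open and len(self.half_open) >= self.backlog:
            return None                          # queue full: new clients are refused
        self.half_open[key] = next(self._isn)
        return self.half_open[key]

    def on_ack(self, src_ip, src_port, ack):
        """Third packet of the handshake: accept only if it acknowledges our ISN."""
        key = (src_ip, src_port)
        isn = self.half_open.get(key)
        if isn is None or ack != isn + 1:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class SynCookieListener:
    """Stateless handshake: the ISN is a MAC over the connection tuple and a coarse
    timer, so nothing is stored until an ACK proves the client really received it.
    (Real stacks also pack the MSS into the cookie; this toy omits that.)"""

    def __init__(self, secret=b"rotate-this-secret"):
        self.secret = secret
        self.tick = 0                            # coarse clock; a real stack ticks every ~64 s
        self.half_open = {}                      # stays empty by design
        self.established = set()

    def _cookie(self, src_ip, src_port, tick):
        """32-bit ISN: 8-bit tick in the top byte, 24-bit HMAC tag below it."""
        tag = hmac.new(self.secret, f"{src_ip}:{src_port}:{tick}".encode(),
                       hashlib.sha256).digest()[:3]
        return (tick << 24) | int.from_bytes(tag, "big")

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port, self.tick & 0xFF)

    def on_ack(self, src_ip, src_port, ack):
        isn = (ack - 1) & 0xFFFFFFFF
        tick = isn >> 24
        if ((self.tick - tick) & 0xFF) > 1:      # cookie too old (or from the future)
            return False
        expected = self._cookie(src_ip, src_port, tick)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
            return False                         # forged or tampered ACK
        self.established.add((src_ip, src_port))
        return True


def run_flood(listener, spoofed_syns=1000, seed=1):
    """Send SYNs from spoofed sources that will never ACK, then try one real handshake.

    Returns True if the legitimate client (203.0.113.9) got connected.
    """
    rng = random.Random(seed)
    for _ in range(spoofed_syns):
        src = ".".join(str(rng.randrange(256)) for _ in range(4))   # forged source address
        listener.on_syn(src, rng.randrange(1024, 65536))            # SYN-ACK goes to nobody
    isn = listener.on_syn("203.0.113.9", 40000)
    if isn is None:
        return False                             # our SYN was dropped: denial of service
    return listener.on_ack("203.0.113.9", 40000, isn + 1)


if __name__ == "__main__":
    print("backlog listener survives flood:", run_flood(BacklogListener()))      # False
    print("SYN-cookie listener survives flood:", run_flood(SynCookieListener()))  # True
```

With a backlog of 128, the first 128 spoofed SYNs fill the queue and the real client's SYN is dropped; the cookie listener never stores anything for the spoofed SYNs, so the real client's ACK is verified and accepted. Cookies cost something in return (TCP options that do not fit in the cookie are lost, and the tick gives the ACK a short validity window), which is why real stacks enable them only once the queue is under pressure.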
Volumetric DDoS Attack
Volumetric DDoS attacks take advantage of the target’s limited bandwidth. Put simply, the attacker floods the target’s network link with more traffic than it can carry, so packets from regular users are dropped before they ever reach the web server. The volume is measured in bits per second rather than in requests, and a common way to reach it is reflection and amplification: bots send small requests with the victim’s address forged as the source to public DNS, NTP or similar servers, which then send much larger responses to the victim. Individual packets may look like ordinary traffic (they are, after all, responses from real servers), but the aggregate volume is what does the damage, and at that scale it is usually absorbed upstream by an ISP or DDoS mitigation provider rather than at the server itself.
Why Do DDoS Attacks Occur?
DDoS attacks are unusual in that they don’t breach the target server’s defenses. Rather than exploiting a bug in the application, they exploit the finite capacity of the network and the servers behind it. There’s not necessarily a “break-in” or theft of data (although one can accompany a DDoS attack), which leaves a wider range of potential motivations for why one might occur.
Some common motivators for conducting a DDoS attack are:
Extortion: Hackers may request payment in exchange for ceasing the DDoS attacks.
Activism: Activist hackers — or “hacktivists” — often employ DDoS attacks to take down a website for a cause or as a form of protest against a business, organization, or governing body.
Diversion: A DDoS attack can serve to distract IT staff from a different attack on the network, such as data theft or a SQL injection.
Competition: Discreet DDoS attacks can be launched by a business to temporarily take down a competitor at an inopportune time.
Fun: Some folks just want to wreak havoc.
DDoS Is Developing
One more piece of not-so-great news: DDoS attacks are becoming more elaborate every year. Today’s attacks tend to combine several of the methods described above in a single campaign (so-called multi-vector attacks), and attackers increasingly automate both the scanning that finds vulnerable devices to recruit and the probing that finds where a target hurts most.
However, by keeping a close eye on your traffic levels and staying vigilant to online threats, your business can thwart small-time DDoS attempts and recover from successful ones. In practice that means knowing what your normal traffic looks like so that a spike stands out, rate limiting your most expensive requests, and finding out before an attack what your hosting provider, CDN or ISP can do to absorb one. Unfortunately, it all comes with the territory, and it’s your responsibility to keep your website up and your visitors happy.
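As an added example of what “keeping a close eye on your traffic levels” can mean in practice (not code from the original article): a detector that learns a moving baseline of requests per minute and alerts when a minute lands far above it. The traffic series is constructed, and the smoothing factor and thresholds are illustrative assumptions to tune against a real site’s history.

```python
"""Alert on a request-rate spike against a moving baseline of per-minute counts.

Added example, not code from the original article. The counts are a constructed
series; the smoothing factor and thresholds are illustrative and should be tuned
to a site's own traffic. This is the detection half only: what to do on an alert
(rate limiting, upstream scrubbing, failing over to a CDN) is site-specific.
"""
import math
import random


def anomalous_minutes(counts, alpha=0.1, k=4.0, min_ratio=2.0, warmup=10):
    """Return the indices of minutes whose count is far above the learned baseline.

    Maintains an exponentially weighted mean and variance of requests per minute.
    A minute is flagged when it exceeds both mean + k*stddev and min_ratio*mean
    (the ratio guard stops a near-zero variance at quiet hours from paging you).
    Flagged minutes do not update the baseline, so a long attack is not learned as
    the new normal; the trade-off is that a real, sustained jump in popularity
    keeps alerting until someone re-baselines.
    """
    mean = float(counts[0])
    var = 0.0
    flagged = []
    for i, x in enumerate(counts[1:], start=1):
        sd = math.sqrt(var)
        if i >= warmup and x > mean + k * sd and x > min_ratio * mean:
            flagged.append(i)
            continue                         # anomalies are excluded from the baseline
        diff = x - mean                      # incremental EW mean/variance update
        incr = alpha * diff
        mean += incr
        var = (1 - alpha) * (var + diff * incr)
    return flagged


def sample_series(minutes=90, attack_start=60, seed=7):
    """Constructed traffic: ~1000 req/min with noise, then a flood that starts at
    2000 extra req/min and grows by 500 each minute."""
    rng = random.Random(seed)
    series = []
    for i in range(minutes):
        normal = 1000 + rng.gauss(0, 50)
        flood = 0 if i < attack_start else 2000 + 500 * (i - attack_start)
        series.append(int(normal + flood))
    return series


def detect_sample():
    """Run the detector over the constructed series; alarms should start at minute 60."""
    return anomalous_minutes(sample_series())


if __name__ == "__main__":
    counts = sample_series()
    alarms = detect_sample()
    print(f"first alarm at minute {alarms[0]}: {counts[alarms[0]]} req/min")
```

Feed it one count per minute from your load balancer or access logs and page on the first flagged minute; the per-source check from the application layer section then tells you whether the spike comes from a few addresses you can block or from a distributed botnet that needs upstream help.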
Originally published Jan 29, 2021 7:00:00 AM, updated June 23 2022