What are DDoS attacks and how to protect against them?

What is a DDoS attack?

DDoS is an abbreviation of Distributed Denial-of-Service, which is a type of cybercrime in which the hacker overwhelms a server with an excessive number of requests to prevent legitimate users from accessing the website or any online services.

How does a DDoS attack work?

Most often, DDoS attacks are built around DDoS botnets. A botnet is a group of hundreds or thousands of machines that a hacker has taken control of. These machines are called bots. The attacker forces these bots to send an enormous amount of internet traffic to a victim’s resource.

Example: Let’s imagine there’s a huge call center dedicated to providing technical support. Someone dials the number and asks for assistance. However, they are told that all available agents are currently occupied. The reason is that a spammer has sent thousands of calls from different phones controlled by their bots. The call center’s lines are overloaded, and the legitimate callers are unable to get assistance. DDoS attacks work in the same way, but on the internet: they completely block the end users from reaching the website or online service because of the fraudsters’ traffic.

How a DDoS attack works

What are the types of DDoS attacks?

There are three common types of DDoS attacks.

1. Volumetric attacks (L3). Volumetric DDoS attacks flood internal networks with malicious traffic. These DDoS assaults exhaust bandwidth within or between the target network/service and the internet.

Example: Volumetric attacks happen when a server gets so much traffic that it can’t take any more. One type of volumetric attack is the DNS amplification attack. The attackers make DNS requests in a way that increases the size of the response. They ask for mail servers, subdomains, and other DNS records, as well as the website’s IP addresses. A small DNS request of 10 bytes can lead to a response of 10-20 bytes.

In addition, the resolver does not return the DNS response to the attacker but to the victim’s machine, because the attacker spoofs (fakes) the source IP address in the DNS requests. This approach also hides the attacker’s identity. The result is DNS resolvers “returning” replies to a victim who never requested them in the first place.
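As an added illustration (my own example, not code from the original article or from any protection provider), the following Python detector looks at constructed flow records from the victim’s side and flags inbound DNS responses that match no query the network actually sent, the tell-tale pattern of spoofed-source amplification described above; the IP addresses and packet sizes are made up.

```python
from collections import Counter

# Constructed flow records seen at the victim's network edge (not a real capture):
# (direction, peer_ip, udp_port, bytes, kind) where kind is "Q" (query) or "R" (response).
CONSTRUCTED_FLOWS = [
    ("out", "198.51.100.53", 53, 60, "Q"),    # a query our own resolver sent ...
    ("in",  "198.51.100.53", 53, 120, "R"),   # ... and its legitimate answer
    ("in",  "203.0.113.10", 53, 3200, "R"),   # answers we never asked for: reflected
    ("in",  "203.0.113.11", 53, 3100, "R"),   # by open resolvers because the attacker
    ("in",  "203.0.113.12", 53, 3300, "R"),   # spoofed our address as the query source
    ("in",  "203.0.113.10", 53, 3200, "R"),
]


def find_unsolicited_dns(flows):
    """Return {resolver_ip: (responses, total_bytes)} for DNS responses that arrived
    without a preceding query from our side. The resolvers listed are reflectors,
    not the attacker: they are answering queries whose source address was forged."""
    outstanding = Counter()  # queries we sent that still await an answer, per resolver
    unsolicited = {}
    for direction, peer, port, size, kind in flows:
        if port != 53:
            continue
        if direction == "out" and kind == "Q":
            outstanding[peer] += 1
        elif direction == "in" and kind == "R":
            if outstanding[peer] > 0:
                outstanding[peer] -= 1  # pairs with a query we really made
            else:
                count, total = unsolicited.get(peer, (0, 0))
                unsolicited[peer] = (count + 1, total + size)
    return unsolicited


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def is_amplification_attack(flows, min_responses=3, min_avg_bytes=1000):
    """Alert when unsolicited responses are both numerous and large."""
    unsolicited = find_unsolicited_dns(flows)
    responses = sum(n for n, _ in unsolicited.values())
    total_bytes = sum(b for _, b in unsolicited.values())
    return responses >= min_responses and total_bytes / responses >= min_avg_bytes
```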

2. Connection protocol attacks (L4). Protocol attacks occur when attackers send connection requests from multiple IP addresses to exploit weaknesses in how the target server handles them. This process only requires a few computers. Each connection request requires a response, and the server quickly becomes overloaded.

Example: Protocol attacks try to use up a server’s resources or those of its networking systems, such as firewalls, routing engines, or load balancers. An example of this type of attack is the SYN flood attack.

Before two computers can start talking to each other safely, they have to do a TCP handshake. A TCP handshake allows two parties to share some basic information. A SYN packet is usually the first step of the TCP handshake, telling the server that the client wants to start a new channel. In a SYN flood attack, the attacker sends fake SYN packets to the server. The server responds to each packet (through SYN-ACKs), requesting that the client complete the handshake, and keeps a half-open connection while it waits for the client(s) to respond. Because the replies never come, these half-open connections pile up until the server can no longer accept new ones and crashes.
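The half-open connection table that a SYN flood fills up, as an added example of my own (not code from the article): a simplified Python model of the server side, with a constructed flood of SYNs that are never acknowledged followed by one legitimate client, and a half-open ratio a defender can watch as a detection metric. Capacity, timeout and addresses are made-up values.

```python
class SynBacklog:
    """Simplified model of a server's table of half-open TCP connections
    (SYN received, SYN-ACK sent, final ACK still awaited). Constructed for
    illustration; a real TCP stack keeps more state than this."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity        # how many half-open connections fit
        self.timeout = timeout          # seconds before a half-open entry is given up on
        self.half_open = {}             # (client_ip, client_port) -> time SYN-ACK was sent
        self.dropped = 0                # SYNs refused because the table was full
        self.established = 0

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[key]

    def on_syn(self, client, now):
        """Client asks to open a channel; the server answers SYN-ACK and waits."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1           # no room: this client is turned away
            return False
        self.half_open[client] = now
        return True

    def on_ack(self, client, now):
        """Client finishes the handshake, freeing its half-open slot."""
        if client in self.half_open:
            del self.half_open[client]
            self.established += 1
            return True
        return False                    # ACK for a connection we are not waiting on


def half_open_ratio(backlog):
    """Detection metric: fraction of the table occupied by unfinished handshakes."""
    return len(backlog.half_open) / backlog.capacity


def simulate_flood(capacity=128, timeout=30.0, flood_syns=200):
    """Constructed scenario: spoofed SYNs that never complete, then one real client."""
    table = SynBacklog(capacity, timeout)
    for i in range(flood_syns):         # 200 SYNs over 2 seconds, none ever ACKed
        table.on_syn(("203.0.113.%d" % (i % 250), 40000 + i), now=i * 0.01)
    accepted = table.on_syn(("198.51.100.7", 51000), now=2.0)
    return accepted, table.dropped, half_open_ratio(table)
```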

3. Application layer (L5-L7). Application layer attacks target the software delivering a service, such as a web server or cloud-based application. These attacks drain a website’s resources and bandwidth.

Example: Let’s say an end user accesses www.example.com in their browser to request the web page. The server fetches page-related information, packages it, and sends it to the browser. The application layer is where this information is gathered and put together. The attack happens when a hacker repeatedly uses multiple bots or machines to ask the server for the same resource until the server can’t handle it anymore.

An example of this is HTTP floods, which are widespread application layer attacks. Malicious actors submit HTTP requests from different IP addresses, asking the server to, for instance, download text files, applications, or images. The server can’t detect an attack because the IP address and other identifiers vary with each request.

Key differences

  • Application layer attacks: overwhelm the layer of the network that generates web pages and responds to application requests.
  • Volumetric-based attacks: overwhelm the network equipment, bandwidth, or server with a high volume of traffic.
  • Connection protocol attacks: target the resources of a network-based service, like website firewalls or server operating systems.

DoS vs. DDoS attacks

It is important to distinguish DDoS from DoS (Denial-of-Service). Even though the only difference is a single letter, there is significant confusion about how the two work. Knowing the basic differences can help you avoid these types of attacks.

Denial-of-service (DoS) attacks are a type of cyber attack in which a malicious actor interrupts the usual functioning of a computer or other device. A DoS attack is launched from a single computer.

Example: There are two ways of executing DoS attacks: flooding and crashing. Flood attacks occur when the server receives more data than its buffer can hold, slowing and then stopping it. Crashing attacks exploit vulnerabilities that cause the victim’s system to crash: the data sent to the victim takes advantage of bugs and then halts or severely destabilizes the system so that it can no longer be accessed.

Distributed Denial-of-Service (DDoS) attacks occur when multiple systems work together to send a coordinated DoS attack to a single target. The main difference is that instead of being attacked from one place, the target is attacked from many places at once. The spread of hosts making up a DDoS gives the attacker several advantages:

  • They can use a larger number of machines to launch a far more disruptive attack.
  • Because the attacking systems are spread out randomly (often worldwide), it’s hard to figure out where the attack is coming from.
  • It’s hard to find the real attackers because they hide behind many (mostly compromised) systems.
  • As the number of IoT devices increases in the world, the number of attacks will too. The attacker can take over these devices to make them part of botnets.

The difference between a DoS and a DDoS attack

What are the key differences between the two?

Key difference: Types of attacks
  • DoS: SYN flood, Ping of death, Buffer overflow
  • DDoS: Application layer, Volumetric attacks, Protocol attacks

Key difference: Attack blocking
  • DoS: It is simpler to defend against the attacks.
  • DDoS: It is harder to block due to the number of machines utilized.

Key difference: Source of attack
  • DoS: An attack is initiated from a single host machine and associated IP address.
  • DDoS: The attack is initiated via a wide variety of sources, including hacked laptops, IP cameras, and Internet of Things devices.

How to protect from a DDoS attack

To protect a site from DDoS attacks, you can use a DDoS protection solution. This is a third-party service that detects and blocks malicious traffic sent by attackers. Your servers and applications will stay available despite all the attackers’ efforts.

How does DDoS protection work?

DDoS protection works by meticulously sorting website traffic so that attackers’ requests can’t pass through, but legitimate requests can, without causing the page to load much more slowly. DDoS protection providers will also report attempted DDoS attacks to website owners. This way, the website owner can track when the attack happened, how big it was, and other important details.

Scheme of how a DDoS scrubber center filters traffic and blocks attacker requests

How does DDoS protection identify attackers’ requests?

As an example, we’ll tell you about our DDoS protection solution and its technologies. Here they are:

  1. Resource analysis. Resource load is analyzed in real time for any statistical abnormalities.
  2. Technical analysis. Each new query undergoes a basic technical analysis of the client who sent it (for example, the median size of network packets is analyzed).
  3. Behavioral factor recognition. If a client has sent more than one query within the monitored period of time, then the client’s behavior on the website (for example, the time between queries and subqueries) is analyzed for abnormalities.
  4. Query check. The query is checked against suspicious signatures currently relevant to the resource. Both exact matches and “proximity” (near matches) can be checked.
  5. Query validity conclusion. As a result, the information is combined into a factor vector that is used to calculate query validity.
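To make the five steps concrete, here is an added Python sketch of my own (not the provider’s implementation, whose real factors and weights are not described on this page) that scores constructed request logs for two clients: a load-abnormality factor, a median packet size factor, inter-request timing factors, a signature-match ratio, and a weighted combination into a validity score. Thresholds, weights, signatures and the sample traffic are all assumed values.

```python
import statistics

# Constructed per-client request logs (timestamp_s, path, packet_bytes); not real traffic.
CONSTRUCTED_BOT = [(i * 0.05, "/search?q=%d" % i, 64) for i in range(20)]
CONSTRUCTED_HUMAN = [(0.0, "/", 540), (1.8, "/style.css", 410),
                     (2.1, "/logo.png", 380), (14.6, "/products", 620)]
# Signatures currently relevant to the resource (constructed list; a real one is tuned per site).
SUSPICIOUS_SIGNATURES = ["/search?q="]
# Weights are illustrative assumptions, not the provider's.
WEIGHTS = {"load_abnormal": 0.15, "tiny_packets": 0.20, "machine_timing": 0.25,
           "uniform_timing": 0.20, "signature_ratio": 0.20}


def resource_abnormal(current_rps, baseline_mean, baseline_sd, z=3.0):
    """1. Resource analysis: is the current request rate a statistical outlier?"""
    return current_rps - baseline_mean > z * baseline_sd


def factor_vector(requests, load_abnormal):
    """Technical, behavioral and signature factors for one client, plus the load factor."""
    sizes = [b for _, _, b in requests]
    gaps = [t2 - t1 for (t1, _, _), (t2, _, _) in zip(requests, requests[1:])]
    hits = sum(any(sig in path for sig in SUSPICIOUS_SIGNATURES) for _, path, _ in requests)
    return {
        "load_abnormal": load_abnormal,
        "tiny_packets": statistics.median(sizes) < 128,                       # 2. technical analysis
        "machine_timing": bool(gaps) and statistics.median(gaps) < 0.2,       # 3. behavioral: faster
        "uniform_timing": len(gaps) >= 3 and statistics.pstdev(gaps) < 0.01,  #    and steadier than a person
        "signature_ratio": hits / len(requests),                              # 4. query check
    }


def validity(vec):
    """5. Validity in [0, 1]: 1.0 is clearly legitimate, 0.0 clearly an attack query."""
    penalty = sum(WEIGHTS[name] * float(value) for name, value in vec.items())
    return round(max(0.0, 1.0 - penalty), 3)


def classify(requests, current_rps, baseline_mean, baseline_sd, threshold=0.5):
    """Decide for one client whether its queries pass the scrubber."""
    vec = factor_vector(requests, resource_abnormal(current_rps, baseline_mean, baseline_sd))
    score = validity(vec)
    return ("block" if score < threshold else "allow"), score
```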

Is it possible to protect a server located outside of the provider’s data center?

DDoS protection doesn’t require your servers to be in the provider’s data center. For instance, we protect servers in a client’s data center using a GRE tunnel, a special technology that allows us to connect our scrubber centers to a client’s servers remotely.

Short summary

DDoS attacks are a threat that takes down websites and applications by overloading them on L3, L4, or L7 with an excessive amount of internet traffic. They result in resource unavailability, loss of users, and damage to brand reputation.

To stay protected, you can use a DDoS protection solution, a service that identifies attackers’ traffic, blocks it, and notifies you about the attack attempt. At the same time, legitimate users’ traffic still reaches the resource, so they can use the protected site or application normally. To protect the resource, you don’t need the servers to be in the provider’s data center—the protection can be organized remotely. To do this, providers use GRE tunneling.
