What is a DDoS Attack and How Do DDoS Attacks Work?

Infected servers in smoke and alert icon on a blue background
Click here for a summary of this article
In Short: What is a DDoS Attack and How Do DDoS Attacks Work?

DDoS attacks are launched with the help of a botnet. This network of sleeper cells can be prompted to bombard a specified website or server at the same time. As a result, the website or server will slow down or even go offline completely.

Some of the most common DDoS attacks are:

  1. Ping flood
  2. DNS query flood
  3. HTTP flood
  4. UDP flood
  5. SYN flood
  6. NTP amplification
  7. Ping of death

Hackers may perform these attacks out of revenge, for monetary gain, or even just to flex their muscles and have some fun.

Due to the scale and nature of these attacks, it is virtually impossible for websites to completely protect themselves.

Individuals may be targeted for other reasons: competitors in online gaming tournaments might attack other players to hamper their success. Fortunately, you can protect yourself against this type of individual attack with a good VPN, like NordVPN.

Want to know more about DDoS attacks? In our article below, we’ve gone into detail about the attacks outlined above. We’ll also tell you some of the most common signs of a DDoS attack.

What is a DDoS attack exactly? A DDoS attack (Distributed Denial of Service) involves flooding a website or live service’s network with internet traffic. DDoS attacks can cause a company or organization’s services to become unavailable, as heavy load results in the servers becoming overwhelmed.

To organize a DDoS attack, an attacker needs a botnet. This is a large network of malware-infected devices (computers, laptops, etc.) that can be controlled by the so-called bot herder, the person that has control over the bots. The owners of these devices often don’t know that their machines are being exploited as part of a botnet.

Infographic showing DDoS attack

Hackers can use a botnet to perform a DDoS-attack. Sometimes, they’ll create botnets to sell them to others. This is just one part of the many fraudulent transactions that take place on the dark web, the seedy underbelly of the internet where the general public doesn’t go.

How Does a DDoS Attack Happen?

DDoS attack iconBefore a DDoS attack can occur, an attacker needs access to and control over a botnet. They can either purchase one on the dark web, or create one themselves.

Usually, the quickest way to create a botnet is to infect a network comprising many internet-connected devices with malware. Since the machines are all linked through a common connection, the malicious software can spread quickly throughout the network. In turn, this malware grants the hacker remote access to the infected devices. These devices have become bots (robots, essentially) within a wider botnet.

From here, the hacker is free to launch one of a number of DDoS or other attacks. There are different types of DDoS attacks, but most of them work by using a brute force attack against a network or server. Typically, the process goes as follows:

  1. Through a remote command, the obtained botnet is instructed to flood a targeted server with requests: hundreds or thousands of requests are made simultaneously.
  2. The receiving server cannot handle the sheer volume, which visits the page along with legitimate users.
  3. As a result of being overwhelmed, the server slows down severely or even crashes (goes offline).
  4. The website is (temporarily) inaccessible for real users until the situation is rectified by the company or organization hosting it.

Some companies choose to use hosting companies that have certain measures to defend themselves against DDoS attacks. We’ve explained these a little further down in the article. However, even those specialized companies cannot prevent attacks completely.

DoS VS. DDoS: Key Differences

A DDoS attack is essentially a large-scale DoS attack that involves multiple devices or bots. A DoS (Denial of Service) attack works the same as a DDoS, but on a smaller scale. In a DoS attack, a single computer is used to send a flood of UDP and TCP packets to a server, instead of an entire army of systems.

DoS vs DDoS image

There are key differences between DoS and DDoS attacks in terms of what a hacker can do:

  • DoS attacks are more easily discoverable. As they are launched from a single device and location, tracing the origin of a DoS attack and blocking the connection is relatively simple. On the other hand, DDoS attacks come from multiple IP addresses, and IPs can be spoofed, making these more challenging to deal with.
  • Traffic volumes are higher with DDoS attacks. Due to the use of multiple bots within a botnet, traffic volumes are higher in DDoS attacks than in DoS attacks. This can make DDoS attacks more dangerous and difficult to detect and resolve, as there are many hundreds or thousands of connections involved.
  • DDoS attacks can do damage more quickly. Since the traffic volume is higher and more devices are involved, the speed of DDoS attacks is higher. This means that hackers can do a lot of damage before the attack has even been detected. A DDoS attack from a vast botnet can potentially cripple a server within minutes or less.

Types of DDoS Attacks

There are many types of DDoS attacks, but most of them share the same principle: flooding targeted web servers or services with network traffic in the hope of taking them offline. These are known as volumetric attacks. Below, we explain some of the most common types of DDoS attacks and how they work.

Infographic showing types of DDoS attacks

1. Ping flood attacks

A ping is a utility that allows you to check the availability and response time of an IP address on the internet. A small packet of data is sent to the destination IP address or machine, and the time taken for that packet to be sent back is measured. With a ping flood attack, a cybercriminal sends a vast number of ping packets to a victim’s machine. These are known as ICMP Echo Requests.

Upon receiving these requests, the targeted device responds to each ICMP packet with an ICMP Echo Reply packet of its own. Now, imagine that the attacker inundates the victim’s machine with these requests. As the device attempts to process each individual ICMP Echo Request and send a reply, it’ll consume large amounts of processing power and result in system slowdown.

2. DNS query flood attacks (application layer attacks)

Think of a DNS server as a list of contacts for the internet. Computers can use them to determine where to find certain web content. A DNS flood attack overwhelms a targeted IP’s DNS servers. This allows hackers to interrupt the domain’s ability to look up web content, which can render a website or web application unavailable.

DNS floods are some of the most difficult DDoS attacks to detect and guard your system against, because a spoofed DNS request looks identical to a legitimate request. It’s impossible for the receiving server to tell the difference between attack traffic and normal user traffic.

3. HTTP flood attacks

This type of DDoS attack can be split into HTTP GET attacks and HTTP POST attacks. Each refers to a specific networking command: “GET” and “POST” can be used to retrieve or send information on a network.

With a GET attack, a botnet is instructed to send large numbers of requests for media, files, or other data from a server, slowing down the system and denying legitimate requests. This can be used to cripple a website, for example.

In a POST attack, the botnet targets a server by sending large volumes of data instead, for example through a webform. The underlying background processes involved in sending information from a website to a database are resource-heavy. As a result, the attacker can quickly overload the targeted server with POST requests.

In summary, HTTP flood attacks inundate a targeted server with HTTP requests in one of two ways, rendering the target unable to process new internet traffic. This is what happened to Cloudflare in June of 2022.

4. UDP flood (network-layer)

UDP, or User Datagram Protocol, is a more rapid means of communicating across networks. This is because UDP can allow data transfer before a connection has been properly established between two server endpoints. While this is good for purposes such as video or voice data transmission, it has drawbacks. For one, packets can be lost before they reach their destination. Additionally, UDP allows for exploitation through UDP flood attacks.

In a UDP flood attack, multiple random ports on the victim’s network are flooded with datagrams. Hackers may also specify a server’s IP address and port number within the UDP packets used to launch the attack.

When a datagram is received, the recipient device checks whether any applications support them. When none are found, the host device returns a “Destination Unreachable” data packet. Crucially, since UDP traffic doesn’t require permission from the receiving server, hackers can very quickly overwhelm it by flooding UDP requests.

5. SYN flood

A SYN packet is a connection request that is sent from one machine to a server. The server will typically respond with a SYN/ACK packet, which acknowledges the request. At this point, the server leaves a port open to allow the connection. Ordinarily, the device requesting a connection will respond with an ACK packet of its own, acknowledging the response from the server.

However, in a SYN flood attack, the attacker does not allow their device to acknowledge the response. As a result, the server’s port remains open. The attacker will instead repeatedly send connection requests to the server, which results in more and more ports being utilized. Eventually, the server will run out of ports and be unable to accept new connections.

6. NTP amplification

NTP stands for Network Time Protocol, which is one of the oldest network protocols in use. Computers use it to synchronize their clocks. In some cases, administrators can use NTP to check the traffic volume on an NTP server. With a specific command, the server can tell an administrator the last 600 connections that were made.

In an NTP amplification attack, a malicious actor can spam an NTP server with this request. At the same time, they’ll spoof the IP address of a chosen victim’s server so that it looks like the attack is originating from a targeted device. The NTP server being queried will respond to the requests by sending the list of connections to the spoofed IP, which slows the victim’s network down.

7. Ping of death

In a ping of death (POD) attack, a device is flooded with pings, similar to a ping flood attack. However, with a ping of death attack, the attacker has typically manipulated these data packets so that they are larger than the maximum length allowed.

When correct protocol is followed, ping packets are usually a very small 56 bytes, though IPv4 packets may reach as much as 65,535 bytes. An attacker might intentionally send ping packets larger than this size as part of a ping of death attack.

Due to the maximum permitted size of an IPv4 ping packet, the network splits them into fragments: incomplete packets of data. When the targeted server receives and tries to rebuild these packets, it hogs the network’s resources as the server fails to verify the data packets received. This results in the network slowing to a stop.

Common Reasons Behind DDoS Attacks

DDoS attacks are used for a number of different reasons. Sometimes, it is difficult to find out why a company or organization has been targeted. Attackers often remain anonymous, offering no insight into why they’ve instigated an attack. However, there are some common motivators. Below, we’ve listed some of the common reasons behind DDoS attacks:

  • Extortion: Hackers may attack a big institution, such as a bank, to threaten the institution with an even larger attack afterwards if they do not pay a ransom in bitcoin or another cryptocurrency. The motivation here is money, and thanks to the anonymity offered by crypto, the funds are more difficult, if not impossible, to track.
  • Revenge: An attacker might hold a grudge against a company for poor service or other personal reasons, and choose to attack them with a botnet. Other examples of revenge-based DDoS attacks involve the gaming community. There have been numerous examples of disgruntled players taking down a company’s games services after becoming frustrated for one reason or another.
  • Power play: Hackers might want to show what they are capable of, illustrating this by taking down websites and services belonging to large companies. Moreover, DDoS attacks may be used as a statement: to show that those in power, in the real world, do not have the ability to control the entire internet.
  • Fun: Some hackers are simply engaging in DDoS attacks for fun. In 2018, the Dutch Tax Office and a number of Dutch banks were subject to a DDoS attack. This attack was executed by an 18-year-old boy who later noted he instigated the attack just for the sake of it.

Signs of a DDoS Attack

Infographic showing signs of a DDoS attack

It isn’t too hard to recognize a DDoS attack. It is, however, important to act quickly once you’re a victim. Make sure to educate yourself on the signs of a DDoS attack, some of which are only visible at the network level:

  • An inability to access a website that is usually available.
  • A loss of internet connection that cannot be explained and potentially affects numerous devices.
  • An increase in complaints from service users or customers reporting a service outage.
  • Suspiciously large amounts of requests or data traffic from a single IP address or IP address range.
  • A sudden, unexplained increase in requests to a single port or IP address in your network.
  • Floods of traffic from multiple users who share common traits, such as device type or geographic location.

If you suspect your system is the target of a DDoS attack, you’ll need to take action right away to keep the consequences to a minimum.

Consequences of a DDoS attack

Despite their relative simplicity, DDoS attacks can have serious consequences for established companies and organizations. In a time when so much happens online and consumers are used to the luxury of fast-loading websites, you cannot afford to be offline.

The longer a DDoS attack lasts, the more damaging the consequences can be. An attack might result in one of the following:

  • Website visitors or service users realize that your system is down and move on, which could damage your reputation.
  • You could lose potential revenue resulting from customers who were unable to transact.
  • Employees or authorized system users may be unable to access their workspace.
  • You could face high, increasing costs to rectify the problem and restore normal services.

That’s why it’s important to identify and mitigate DDoS attacks early, and to have a process in place for dealing with external attacks.

Are DDoS attacks illegal?

You might be wondering about the consequences of DDoS attacks for the perpetrators. In the United States, launching a DDoS attack is considered a cybercrime. Those found guilty could face prison sentences of up to 10 years. Similarly, in the UK, DDoS attacks fall under the Computer Misuse Act 1990 according to the National Crime Agency (NCA).

The situation in Europe is no different. In 2018 and 2019, Europol launched an operation to take down a prolific DDoS website. Along with the Joint Cybercrime Action Taskforce (J-Cat), the Dutch Police, and the UK’s NCA, Europol seized information on 151,000 registered users. The UK Police made home visits to those involved, and one man received a three-year prison sentence.

In short: DDoS attacks are illegal in various countries, and one of the possible consequences of organizing one could be a prison sentence.

DDoS Attacks During Online Gaming

Warning signs of a video game addictionDDoS attacks can also be launched at a single IP address. This type of DDoS attack is most common in competitive online gaming. Hackers will launch an attack on their opponent to get them disqualified for their bad connection. This might seem extreme, but happens quite often.

In most games, you play through official severs, and your IP is automatically hidden. However, with some PC games that support third-party servers, this isn’t the case. These third-party servers do not offer the same identity protection as official gaming servers do.

By sending a lot of requests to your IP address, attackers can make it more difficult for you to access the game server and play. All they need for this, is your IP.

To prevent a DDoS attack against your connection, for instance during an online game, you can use a VPN to hide your IP address. We’ll explain more about this below.

How to Defend Your Network Against DDoS Attacks

Protection against DDoS attacks can be classified in two ways. First, you’ve got protection for specific websites, often provided by the website hosting company. Secondly, in some circumstances, it can be wise to protect individual personal devices against DDoS attacks. We’ll explain both below.

DDoS protection for websites

Security and privacy iconMost hosting services offer basic protection against DDoS attacks. They might, for example, spread website traffic across multiple servers, making it difficult to crash any individual server. These servers may be in different locations too, increasing the challenge faced by hackers. Also, hosting companies tend to offer unlimited bandwidth, which is one of the best protective measures against DDoS attacks.

However, it’s impossible to fully protect a website against DDoS attacks. This is due to different reasons:

  • Large botnets comprise many different IP addresses, and hosting services cannot block all of those IPs.
  • The devices that are part of a botnet can seem like normal requests to a website. Your hosting company can’t be sure which of those are real IP addresses and which belong to the botnet.
  • Botnets are becoming bigger, making it even more impossible for websites to guard against them.

If you own a website, you can check with your hosting provider to see what measures they take against DDoS attacks.

DDoS protection for personal devices

VPN-connection-InternetYou can protect yourself and your personal devices from DDoS attacks as well. This can be achieved by hiding your true IP address. A VPN, or Virtual Private Network, encrypts all your internet traffic and hides your IP address. With a VPN, your internet connection is routed through the provider’s servers. As a result, you take on the IP address of those servers.

To launch a DDoS attack against you, an attacker needs to know your real IP address. Thus, with a VPN, nobody will be able to attack your personal devices.

If you’d like to get a VPN to protect yourself, we recommend NordVPN. This provider has an excellent reputation when it comes to security, as well as a bunch of extra options for unblocking the internet. You can check out the NordVPN website by clicking the button below.

Visit NordVPN

However, keep in mind that a VPN cannot stop a DDoS attack if the attacker already knows your real IP address, or if your VPN uses poor encryption. That’s why we recommend NordVPN, which is known for its high standards of encryption.

Finally, VPN provider’s servers can also be the target of a DDoS attack, but most VPNs have systems on place to make sure these attacks aren’t as debilitating as they could be.

New DDoS Attacks on the Rise

DDoS attacks are on the rise, with a recent 2020-2021 Global Threat Analysis Report showing a 37% yearly uptick. According to Radware, retail companies and gaming providers were the most common targets for DDoS attacks. In many cases, it appears that cybercriminals are targeting VPNs, as more and more people work from home. In the first three months of 2021, there was an almost 2,000% increase in attacks against Fortinet, a popular VPN service provider.

Recently, new types of DDoS attacks have emerged, as well. These new forms of attack abuse protocols that have not been used before. Criminals use built-in network protocols in the attacks, which are often the same protocols used by the companies themselves. This makes it even more difficult to distinguish the malicious traffic from regular traffic. What’s more, these attacks are larger in scale. Typically, the attacks target the following protocols:

  • Constrained Application Protocol (CoAP)
  • Web Services Dynamic Discovery (WS-DD)
  • Apple Remote Management Service (ARMS)
  • Jenkins web-based automation software

These protocols are necessary for numerous devices that companies use, such as IoT devices, smartphones, and macs. Therefore, they’re not always disabled to prevent DDoS attacks, which gives cybercriminals an easy way in. It’s anticipated that these protocols will be utilized more often for DDoS attacks in the future.

Other Kinds of Cybercrime and Malware

Although DDoS attacks are becoming more and more common, they aren’t the only online threat. Looking for further reading? Here are a couple of other kinds of cybercrime and malware you might want to protect yourself from.

DDoS Attacks: Frequently Asked Questions

Do you have a question about DDoS attacks? Below you’ll find some frequently asked questions along with their answers. Can’t find an answer? Feel free to comment and we’ll get back to you!

DDoS stands for “Distributed Denial-of-Service.” With most common DDoS attacks, a website or web service is flooded with requests, making the site unavailable for real visitors. While DDoS attacks utilize botnets (large networks of malware-infected devices), DoS attacks (with one D) are smaller in scale, using a single device.

During a DDoS attack, a hacker overloads a website with requests, making it unavailable to regular visitors. To  get this done, the hacker uses a botnet: a large network of infected devices that can be controlled by the hacker. When a botnet attacks a website, for example, this website receives a huge amount of requests that it cannot handle all at once. This can cause the website to slow down significantly or go offline entirely.

Yes! DDoS attacks are illegal in most countries around the world. It is both illegal to launch a DDoS attack and to hire a hacker to do this for you. Unfortunately, it’s very easy for even an unskilled hacker to go on the dark web and purchase the software needed to launch a DDoS attack

Those found guilty of this crime could face a prison sentence of up to 10 years in the US. The United Kingdom classifies DDoS attacks as a cybercrime under the Computer Misuse Act 1990. In Europe, large, multinational operations have been orchestrated by Europol to bring those responsible to justice.

Tech journalist
Tove has been working for VPNoverview since 2017 as a journalist covering cybersecurity and privacy developments. She has broad experience developing rigorous VPN testing procedures and protocols for our VPN review section and has tested dozens of VPNs over the years.