What is a distributed denial-of-service (DDoS) attack, and what danger does it pose to the server?


More and more reports are appearing about hackers' activities and software hacking attempts. DDoS attacks often come up in these reports. Unfortunately, they are often mentioned without explaining what DDoS attacks are and how they may harm servers.

In this article, we will discuss what exactly DDoS attacks are and why they have been a major concern for Internet security professionals up till now. Additionally, you will learn how DDoS attacks work and how to stop them.

What is a DDoS attack?

DDoS stands for "Distributed Denial of Service". The purpose of a DDoS attack is to disrupt the normal operation of a server, service, or local network: to bring your service to failure or make it difficult for regular users to access it. To accomplish this, a flood of Internet traffic is generated that is too much for a regular computing system to handle.

The attack traffic is generated by multiple computers, local networks, and IoT devices. The malicious actions of an individual or group generate many requests to the attacked system, allowing attackers to gain unauthorized access to valuable information. It could be a sensitive database, program code, or a version of software.

In everyday life, a DDoS attack is analogous to a traffic jam caused by multiple vehicles. As a result, ordinary drivers cannot get to their destinations.

How is a distributed denial of service attack carried out?

Only those computing systems that have an Internet connection can be subjected to a DDoS attack. A global network consists of many computers and other devices that have an Internet connection.

There are many ways to bring malicious software (viruses) into a computer network. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines are often referred to as "zombies" in slang, and a group of them is called a botnet.

Immediately after creating a botnet system, a hacker gets the opportunity to organize a DDoS attack, which is carried out in the following manner.

  • A special instruction is developed for each individual bot, which is transmitted to it via the network.
  • After receiving it, the managed computer or system begins to form and send requests to the IP addresses of the attacked local network or server.
  • This causes traffic processing to slow down, and the overloaded equipment begins to fail. As a result, all traffic is denied service, including that from ordinary users.

The main problem in countering distributed DDoS attacks is that it is extremely difficult to distinguish attacking traffic from normal traffic. Each of the bots used by hackers is a legitimate Internet device, so malicious requests are very hard to separate from ordinary ones.

The main signs of a DDoS attack on the server

A sudden slowdown of the server, lack of access to the service or a separate site may indicate illegal actions of hackers. At the same time, difficulties may arise as a result of natural causes like, for example, a sharp increase in normal traffic.

Publicly available analytics services allow you to identify a DDoS attack by a number of characteristic features:

  • Significant amount of traffic from one or more IP addresses belonging to the same range.
  • A large number of users requesting access to the analyzed web pages share the same behavioral profile (geolocation, browser version, or device type).
  • A sharp increase in traffic at certain intervals, for example, every two or three hours or according to a different schedule.
  • An explosive increase in the number of requests to one of the Internet services or web pages.

In addition to these, there are other signs inherent in certain types of distributed DDoS attacks. In such cases, the capabilities of conventional Internet analytics tools may not be enough and specialized software will be required to identify them.
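The first, second and fourth signs from the list above can be checked directly against request logs. The following is an added example, not code from the original article; the record layout, the 60% threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample records: (source IP, requested path, user agent).
SAMPLE = (
    [(f"203.0.113.{i}", "/search", "agent-A") for i in range(1, 41)]
    + [("198.51.100.7", "/", "agent-B"), ("192.0.2.15", "/about", "agent-C"),
       ("198.51.100.9", "/pricing", "agent-D"), ("192.0.2.77", "/", "agent-B")]
)

def top_share(values):
    """Return (most common value, its share of all values)."""
    value, count = Counter(values).most_common(1)[0]
    return value, count / len(values)

def ddos_signs(records, threshold=0.6):
    """Map each sign that fires to the value that dominates the traffic.

    threshold is an assumed cut-off: a sign fires when one /24 range,
    one page or one client profile accounts for that share of requests.
    """
    nets = [str(ipaddress.ip_network(f"{ip}/24", strict=False))
            for ip, _, _ in records]
    checks = {
        "same_ip_range": top_share(nets),
        "single_page": top_share([path for _, path, _ in records]),
        "uniform_profile": top_share([agent for _, _, agent in records]),
    }
    return {sign: value for sign, (value, share) in checks.items()
            if share >= threshold}

if __name__ == "__main__":
    print(ddos_signs(SAMPLE))       # all three signs fire
    print(ddos_signs(SAMPLE[-4:]))  # ordinary mixed traffic: no sign fires
```

A sharp but legitimate traffic increase can trip the same checks, so the result is a reason to look closer, not proof of an attack.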

Classification of DDoS attacks: the most common types

Hackers use a variety of tools to break into websites. Some types of DDoS attacks target specific components of Internet resources, servers, or computers. Getting a sense of how their algorithms work requires understanding how a specific network connection works.

Special software provides the Internet connection, which consists of many components referred to as "layers". Each component is designed to serve a specific purpose, and together they form the model, much like the supporting, load-bearing, and enclosing structures of a building under construction.

The seven-level OSI model is used to describe the network connection structure:

  • Application layer. This level is used by email clients, messengers, and browsers to process data directly.
  • Presentation layer. Prepares data (compression, translation, and encryption) for use in applications.
  • Session layer. Establishes a communication channel between two devices in the network and closes it at the end of the session time.
  • Transport layer. Responsible for managing data flows and error control, as well as ensuring end-to-end communication between specific devices.
  • Network layer. Facilitates the transfer of data between devices that belong to different networks. This layer provides optimal routing and the separation of information into packets with subsequent assembly at the destination point.
  • Data link layer. Similarly to the network layer, it facilitates data exchange, but between devices within a single network.
  • Physical layer. Includes the equipment used for data exchange between devices (cables, switches, etc.). At this level, the information packets are transformed into a bit stream, and the signals are matched.

Most DDoS attacks are aimed at overloading a specific server or network. According to the number and nature of attack vectors, these actions fall into three categories:

  • single;
  • multiple;
  • cyclic.

The latter is mainly used in response to counter-actions used to protect an Internet resource.

DDoS attacks carried out at the application level

Based on the above model, such attacks are called DDoS attacks of the seventh level. Their purpose is to overload the site and create conditions in which servicing normal traffic becomes impossible.

Hacker attacks of this type are carried out at the level at which the web page is formed on the server and transmitted in response to HTTP requests. On the client side, such requests do not require huge resources to create. At the same time, the server has to use significant computing resources to process them: many database requests may be processed on the target server and several files loaded to create the requested web page.

Protecting against 7th-level distributed attacks is difficult because it is not easy to distinguish malicious traffic from normal traffic.

HTTP flood

An attack of this type simulates repeated refreshing of a page in a web browser, performed simultaneously on multiple computers. It's as if a lot of users are constantly pressing the refresh button, resulting in a large number of HTTP requests. Due to this, the server is overloaded, resulting in service failures. Depending on the level of attack complexity, DDoS attacks of the HTTP flood type can be classified as:

  • Simple ones. In such a DDoS attack, coordinated actions from same-range IP addresses are utilized to provide unauthorized access to the same URL, which are implemented using the same user agents and transition sources.
  • Complex ones. To hack several web pages simultaneously, the attacker uses both IP addresses, taken from random traffic sources, as well as user agents.

Managing complex DDoS attacks requires computers with appropriate characteristics as well as resource-intensive software.

Protocol Attack

Specialists refer to these types of hacks as exhaustion attacks. By consuming too many resources of the server or of specific network equipment, protocol attacks can disrupt the work of different services. In such cases, attackers usually target load balancers or firewalls.

To make the target web page inaccessible, the protocol attack exploits vulnerabilities at Layer 3 and Layer 4 (protocol stack).


SYN flood

During such an attack, a lot of TCP SYN packets with fake IP addresses are sent from bots. SYN packets are intended for initiating network connections. The target machine responds to these requests and waits for their confirmation, which it does not receive. Accordingly, the resources of the attacked web page are exhausted and it stops responding to incoming requests.

SYN-flood can be compared to the work of a large store, in which employees of the supply department receive instructions from the trading floor for the delivery of a particular product. They go to the warehouse, find what they need, but without receiving an order confirmation, they do not understand what to do next. The result is that they stop working until the circumstances are clarified.
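The resource exhaustion described above can be reproduced with a small in-memory model of a listener's queue of half-open connections. This is an added example, not code from the original article; it is a simplified model rather than a TCP implementation, and the queue size, timeout and rates are assumed values.

```python
from collections import OrderedDict

class SynBacklog:
    """Toy model of a listener's half-open connection queue (not a TCP stack)."""

    def __init__(self, size, timeout):
        self.size, self.timeout = size, timeout
        self.half_open = OrderedDict()  # source -> time its SYN arrived

    def _expire(self, now):
        # Drop entries whose confirming ACK never arrived within the timeout.
        while self.half_open:
            src, since = next(iter(self.half_open.items()))
            if now - since < self.timeout:
                break
            del self.half_open[src]

    def on_syn(self, src, now):
        """Return True if the SYN was queued, False if the queue was full."""
        self._expire(now)
        if len(self.half_open) >= self.size:
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src):
        """Confirmation received: the entry leaves the half-open queue."""
        return self.half_open.pop(src, None) is not None

def legit_completed(unconfirmed_per_second, seconds=30, size=128, timeout=10):
    """Count legitimate clients (one per second) that finish the handshake
    while the given number of never-confirmed SYNs arrives every second."""
    backlog, completed = SynBacklog(size, timeout), 0
    for t in range(seconds):
        for n in range(unconfirmed_per_second):
            backlog.on_syn(("unconfirmed", t, n), t)  # no ACK ever follows
        client = ("client", t)
        if backlog.on_syn(client, t) and backlog.on_ack(client):
            completed += 1
    return completed

if __name__ == "__main__":
    for rate in (0, 5, 50):
        print(rate, legit_completed(rate))
```

With these assumed values, 5 unconfirmed requests per second never fill the queue, while 50 per second leave room for only the first two legitimate clients in 30 seconds, which is why queue size and timeout are the parameters defenders tune.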

DDoS attacks of the bulk type

The actions of hackers in these cases are aimed at creating such a load that the entire available bandwidth of the Internet connection is used. When implementing large-scale DDoS attacks, large data packets are sent to the target resource using various means of generating large traffic or other means of amplification. During the attack, both individual bots and entire botnets are used, from which many requests are generated to the target web page or individual server.

DNS amplification

During a hacker attack, requests that carry the IP address of the target device as their source are sent to public DNS servers. Each server responds to that address with a large packet of data. As a result, many of these fake requests are generated, causing target overloads and denial of service.

An analogy for DNS amplification is when a person calls a restaurant or supermarket, asks for delivery of food or goods, and asks to be called back, but gives a neighbor's phone number instead of their own. When a large number of users make such calls, the delivery service is overloaded.

Methods of preventing DDoS attacks

In order to provide protection against hacker attacks, it is essential to distinguish between attack traffic and normal traffic. In advertising campaigns for new products, many users can visit the developer's website. This can result in an emergency shutdown of traffic and errors. If this web resource has a surge of traffic from known hacker groups, it is necessary to take measures to reduce the impact of a distributed DDoS attack.

Hacking attempts can take a variety of forms, ranging from the simplest with a single source of suspicious traffic to the more complex with multi-vector effects. In the latter case, several different types of DDoS attacks are used simultaneously to force the defending side to disperse its forces and funds.

An example of such a multi-vector impact is a simultaneous DDoS attack that occurs on several levels. Such an effect is achieved by means of DNS amplification combined with a large number of HTTP requests. To prevent such attacks, you need to use several counteraction strategies at once.

When attackers use distributed denial-of-service attacks with a combination of different attack methods, the complexity of countering them greatly increases.

Hackers tend to mix attacking traffic with normal traffic as much as possible in order to reduce the effectiveness of protective measures to near-zero indicators.

Attempts to simply disable or restrict traffic without filtering rarely bring a positive result. At the same time, the DDoS attack adapts and looks for ways to bypass the counter-actions taken. In such cases, the best solution is to use a multi-level protection strategy.

Blackhole Routing

One of the most accessible methods of protecting against DDoS for network administrators is to create a "black hole" for suspicious traffic. In its simplest form, blackhole routing redirects all requests, without dividing them into normal and malicious ones, to a null route, after which they are dropped from the network. If a DDoS attack is detected on a certain site, the provider has the opportunity to cancel all traffic as a protection measure. This solution is not the best, because the attacker achieves his goal and makes all the resources unavailable.

Limiting the speed of a DDoS attack

Each server can receive and process a certain number of requests for a specified period of time. Limiting the speed of a DDoS attack allows you to significantly reduce its effectiveness. At the same time, it should be understood that this method provides a significant slowdown in the theft of content and program code by web parsers and blocks login attempts by using brute force. However, it is not effective enough against complex combined denial-of-service attacks.
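One common way to implement such a limit is a per-client token bucket, sketched here. This is an added example, not code from the original article; the rate, burst size, client addresses and the replayed traffic are assumptions constructed for illustration.

```python
class TokenBucketLimiter:
    """Per-client token bucket: `rate` requests per second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # client IP -> (tokens left, time of last update)

    def allow(self, client, now):
        tokens, last = self.buckets.get(client, (self.burst, now))
        # Refill for the elapsed time, never beyond the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[client] = (tokens - 1 if allowed else tokens, now)
        return allowed

def replay(limiter, events):
    """Count allowed and rejected requests per client for (time, client) events."""
    result = {}
    for now, client in events:
        stats = result.setdefault(client, {"allowed": 0, "rejected": 0})
        stats["allowed" if limiter.allow(client, now) else "rejected"] += 1
    return result

# Constructed traffic: one client sends 100 requests within one second,
# another sends one request per second for ten seconds.
EVENTS = sorted(
    [(i / 100, "203.0.113.50") for i in range(100)]
    + [(float(i), "198.51.100.7") for i in range(10)]
)

if __name__ == "__main__":
    print(replay(TokenBucketLimiter(rate=1, burst=5), EVENTS))
```

The limit is keyed by client address, so a flood spread over many sources keeps each one under the threshold, which is the weakness against combined attacks noted above.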

Features of using Web application firewalls

The use of special software products can significantly mitigate DDoS attacks of the seventh level. A web application firewall (WAF) sits between the Internet and the protected server and works as a reverse proxy. It is used to block malicious traffic of certain types. Incoming requests are filtered according to the established rules, which allows you to identify DDoS tools and prevent seventh-level attacks. One of the main advantages of this method is the ability to set your own rules to counter an attack.

Principles of Anycast distribution over the network

This method reduces the harmful consequences of DDoS attacks by redistributing traffic across the server network.

If the same server receives many requests at the same time, it will be overloaded with traffic and will not be able to effectively respond to additional incoming requests. In the Anycast network, instead of a single source server taking the brunt of traffic, the load will be distributed among other available data centers, each of which has servers capable of processing and responding to an incoming request. This routing method can prevent the expansion of the source server's capacity and avoid interrupting the service of clients requesting content from it.

The best analogy of the Anycast distribution method over the network is the separation of the flow of a large river with a strong current along separate branches. As a result of the redistribution of traffic from a DDoS attack, its destructive ability is reduced to a minimum and it becomes completely manageable.