What is A DDoS Attack?

In a distributed denial-of-service (DDoS) attack, an attacker overwhelms its target with unwanted internet traffic so that normal traffic can’t reach its intended destination.

But what does that really mean? Imagine your favorite zombie movie. Swarms of infected creatures all with the same goal — to overwhelm civilization as they spread their “zombie plague.” They swamp the resources of law enforcement organizations, deplete military forces, and take down healthcare services. Then, inevitably, there’s a giant traffic jam sprawling as far as the eye can see, as people flee for safety on the highway. That’s what a DDoS attack is like: a zombie apocalypse online. But instead of zombies, hordes of infected computers go after a targeted website, all at the same time — driving humans and business away.

A DDoS attack on a company’s website, web application, APIs, network, or data center infrastructure can cause downtime and prevent legitimate users from buying products, using a service, getting information, or any other access.

During a DDoS attack, attackers use large numbers of exploited machines and connected devices across the internet. including Internet of Things (IoT) devices, smartphones, personal computers, and network servers to send a flood of traffic to targets.

The application layer is at the top and is closest to the end user. It’s where people interface with computers and devices and where networks connect with applications.

Data encryption and decryption occur on the presentation layer, enabling secure transmission.

The session layer allows devices, computers, or servers to communicate with one another and controls ports and sessions.

At the transport layer, data is communicated via Transmission Control Protocol (TCP), which is built on top of the Internet Protocol (IP), also called TCP/IP.

The network layer determines the physical path that data will take to get to its destination.

The data link layer provides a way to transfer data between network entities. It’s also a means to detect and correct errors that can happen in the physical layer.

The first and lowest layer, Layer 1 is the physical layer where raw bits are transmitted over a physical data link connecting network nodes.

The intent of a volume-based DDoS attack is to overwhelm a network with massive amounts of traffic by saturating the bandwidth of the intended victim resource. The large quantities of attack traffic block legitimate users from accessing the application or service, preventing traffic from flowing in or out. Depending on the target, stopping legitimate traffic could mean a bank customer may be unable to pay a bill on time, ecommerce shoppers are unable to complete online transactions, a hospital patient could be barred from their medical records, or a citizen could find themselves unable to view their tax records from a government agency. No matter the organization, blocking people from a service they expect to use online has a negative impact.

Volumetric attacks use botnets created with armies of individual malware-infected systems and devices. Controlled by an attacker, bots are used to cause congestion between a target and the internet at large with malicious traffic that saturates all available bandwidth.

An unforeseen onslaught of bot traffic can significantly slow down or prevent access to a web resource or internet-facing service. Since bots take over legitimate devices to amplify bandwidth-intensive DDoS assaults, often unknowingly to the user, the malicious traffic is difficult for the victimized organization to detect.

There are a variety of volumetric DDoS attack vectors used by threat actors. Many leverage reflection and amplification techniques to overwhelm a target network or service.

UDP floods are frequently chosen for larger-bandwidth DDoS attacks. Attackers attempt to overwhelm ports on the targeted host with IP packets containing the stateless UDP protocol. The victim host then looks for applications that are associated with the UDP packets, and when not found, sends a “Destination Unreachable” back to the sender. The IP addresses are often spoofed to anonymize the attacker, and once the targeted host becomes inundated with attack traffic, the system becomes unresponsive and unavailable to legitimate users.

DNS reflection attacks are a common type of vector where cybercriminals spoof the IP address of their target to send large amounts of requests to open DNS servers. In response, these DNS servers respond back to the malicious requests by the spoofed IP address, thereby creating an attack on the intended target through a flood of DNS replies. Very quickly, the large volume of traffic created from the DNS replies overwhelms the victim organization’s services, making them unavailable and preventing legitimate traffic from reaching its intended destination.

Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany Transmission Control Protocol TCP packets that enable application programs and computing devices to exchange messages over a network, when connecting to a server. An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.

Protocol attacks attempt to consume and exhaust compute capacity of various network infrastructure resources like servers or firewalls via malicious connection requests that exploit protocol communications. Synchronize (SYN) floods and Smurf DDoS are two common types of protocol-based DDoS attacks. Protocol attacks can be measured in packets per second (pps) as well as bits per second (bps).

One of the main ways people connect to internet applications is through the Transmission Control Protocol TCP. This connection requires a three-way handshake from a TCP service — like a web server — and involves sending what is called a SYN (synchronization) packet from where the user connects to the server, which then returns a SYN-ACK (synchronization acknowledgement) packet, that is ultimately answered with a final ACK (acknowledgement) communication back to complete the TCP handshake.

During a SYN flood attack, a malicious client sends a large volume of SYN packets (part one of the usual handshake) but never sends the acknowledgement to complete the handshake. This leaves the server waiting for a response to these half-open TCP connections that eventually run out of capacity to accept new connections for services that track connection states. 

A SYN flood attack is like a terrible prank by the entire graduating class of a really big high school, where each student calls the same pizza restaurant and orders a pie during the same time frame. Then, when the delivery person goes to pack up, she realizes that there are too many pizzas to fit in her car and there are no addresses on the orders — so all delivery stops.

The name of this DDoS attack is based on the concept that tiny, numerous attackers can overwhelm a much larger opponent by sheer volume, just like the fictional colony of small blue humanoids that are its namesake.

In a Smurf distributed denial-of-service attack large numbers of Internet Control Message Protocol ICMP packets with an intended target’s spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, most devices on a network will respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be slowed down to a crawl from being flooded with traffic.

Conducted by flooding applications with malicious requests, application-layer attacks are measured in requests per second (RPS). Also called Layer 7 DDoS attacks, these attacks target and disrupt specific web applications, not entire networks. While difficult to prevent and mitigate, they are among the easier DDoS attacks to launch.

In comparison, it’s easy to startle a herd of horses into a stampede but almost impossible to get them under control again. Application-layer attacks are like that: easy to implement, hard to slow down or stop, and specific to a target.

In a constantly evolving attack landscape, DDoS protection through a mitigation provider that takes a defense-in-depth approach can keep organizations and end users safe. A DDoS mitigation service will detect and block DDoS attacks as quickly as possible, ideally in zero or a few seconds from the time that the attack traffic reaches the mitigation provider’s scrubbing centers. Because attack vectors keep changing and attack sizes keep getting bigger, to achieve the best DDoS protection a provider must continually invest in defense capacity. To keep up with large, complex attacks, the right technologies are needed to detect malicious traffic and begin robust defensive countermeasures to mitigate attacks quickly.

DDoS mitigation providers filter out malicious traffic to prevent it from reaching the intended targeted asset. Attack traffic is blocked by a DDoS scrubbing service, a cloud-based DNS service, or a CDN-based web protection service. Cloud-based mitigation removes attack traffic before it reaches the target.

DDoS scrubbing can keep your online business up and running, even during an attack. Unlike CDN-based mitigation, a DDoS scrubbing service can protect across all ports, protocols, and applications in the data center, including web- and IP-based services. Organizations direct their network traffic in one of two ways: via a Border Gateway Protocol (BGP) route advertisement change or DNS redirection (A record or CNAME) to the mitigation provider’s scrubbing infrastructure. Traffic is monitored and inspected for malicious activity, and mitigation is applied if DDoS attacks are identified. Typically, this service can be available in both on-demand and always-on configurations, depending on an organization’s preferred security posture — although more organizations than ever before are moving to an always-on deployment model for the fastest defensive response.

A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN to specifically accelerate traffic using HTTP and HTTPS protocols, all DDoS attacks targeting that URL can then be dropped at the network edge. This means that Layer 3 and Layer 4 DDoS attacks are instantly mitigated, as this type of traffic is not destined for web ports 80 and 443. As a cloud-based proxy, the network sits in front of a customer’s IT infrastructure and delivers traffic from end users to the websites and applications. Because these solutions operate in-line, web-facing assets are protected at all times without human interaction from network-layer DDoS attacks. For application layer–specific defense, organizations should look to deploy a web application firewall to combat advanced attacks, including certain types of DDoS attacks like HTTP GET and HTTP POST floods, which aim to disrupt Layer 7 application processes of the OSI model.   

Organizations can reduce their attack surface while also reducing risk of business-impacting downtime and disruption by deploying DDoS-specific security controls. This type of defense can thwart an attack while allowing legitimate visitors to access your organization online as they normally would. DDoS protection prevents malicious traffic from reaching its target, limiting the impact of the attack, while allowing normal traffic to get through for business as usual. 

During mitigation, your DDoS protection provider will deploy a sequence of countermeasures aimed at stopping and diminishing the impact of a distributed denial-of-service DDoS attack. As modern attacks become more and more advanced, cloud-based DDoS mitigation protection helps to provide defense-in-depth security at scale, keeping back-end infrastructure and internet-facing services available and performing in an optimal manner.

Akamai provides DDoS defense in depth through a transparent mesh of dedicated edge, distributed DNS, and cloud scrubbing defenses. These purpose-built cloud solutions are designed to strengthen DDoS security postures while reducing attack surfaces, improving the quality of mitigation, and reducing false positives, while increasing resiliency against the largest and most complex attacks.

Moreover, the solutions can be fine-tuned to the specific requirements of your web applications and internet-based services.

Akamai architected its globally distributed intelligent edge platform as a reverse proxy to only accept traffic via ports 80 and 443. All network-layer DDoS attacks are instantly dropped at the edge with a zero-second SLA. That means that attackers launching network-layer DDoS attacks don’t stand a chance.

For application-layer DDoS attacks, including those launched via APIs, Kona Site Defender detects and mitigates the attacks, while simultaneously granting access to legitimate users.

Akamai’s authoritative DNS service, Edge DNS, also filters traffic at the edge. Unlike other DNS solutions, Akamai specifically architected Edge DNS for availability and resiliency against DDoS attacks. Edge DNS also delivers superior performance, with architectural redundancies at multiple levels, including name servers, points of presence, networks, and even segmented IP Anycast clouds.