What is a DDoS attack? Everything you need to know about Distributed Denial-of-Service attacks and how to protect against them

DDoS attacks are one of the crudest forms of cyberattacks, but they're also one of the most powerful and can be difficult to stop. Learn how to identify and protect against DDoS attacks with this guide.
Written by Danny Palmer, Senior Writer

What is a DDoS attack?

A distributed denial-of-service attack (DDoS attack) sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all.

While a DDoS attack is one of the least sophisticated categories of cyberattack, it also has the potential to be one of the most disruptive and most powerful by taking websites and digital services offline for significant periods of time that can range from seconds to even weeks at a time.

How does a DDoS attack work?

DDoS attacks are carried out using a network of internet-connected machines – PCs, laptops, servers, Internet of Things devices – all controlled by the attacker. These could be anywhere (hence the term 'distributed') and it's unlikely the owners of the devices realise what they are being used for as they are likely to have been hijacked by hackers.

Common ways in which cyber criminals take control of machines include malware attacks and gaining access by using the default user name and password the product is issued with – if the device has a password at all. 

Once the attackers have breached the device, it becomes part of a botnet – a group of machines under their control. Botnets can be used for all manner of malicious activities, including distributing phishing emails, malware or ransomware, or in the case of a DDoS attack, as the source of a flood of internet traffic.

SEE: Security Awareness and Training policy (TechRepublic Premium)

The size of a botnet can range from a relatively small number of zombie devices, to millions of them. Either way the botnet's controllers can turn the web traffic generated towards a target and conduct a DDoS attack.

Servers, networks and online services are designed to cope with a certain amount of internet traffic but, if they're flooded with additional traffic in a DDoS attack, they become overwhelmed. The high amounts of traffic being sent by the DDoS attack clogs up or takes down the systems' capabilities, while also preventing legitimate users from accessing services (which is the 'denial of service' element).

A DDoS attack is launched with the intention of taking services offline in this way, although it's also possible for online services to be overwhelmed by regular traffic by non-malicious users – for example, if hundreds of thousands of people are trying to access a website to buy concert tickets as soon as they go on sale. However, this is usually only short, temporary and accidental, while DDoS attacks can be sustained for long periods of time.


DDoS attacks can be extremely powerful online weapons.

What is an IP stresser and how does it relate to DDoS attacks?

An IP stresser is a service that can be used by organisations to test the robustness of their networks and servers. The goal of this test is to find out if the existing bandwidth and network capacity are enough to handle additional traffic. An IT department using a stresser to test their own network is a perfectly legitimate application of an IP stresser.

However, using an IP stresser against a network that you don't operate is illegal in many parts of the world – because the end result could be a DDoS attack. However, there are cyber-criminal groups and individuals that will actively use IP stressers as part of a DDoS attack.

What was the first DDoS attack?

What's widely regarded as the first malicious DDoS attack occurred in July 1999 when the computer network at the University of Minnesota was taken down for two days.

A network of 114 computers infected with Trin00 malware all directed their traffic at a computer at the university, overwhelming the network with traffic and blocking legitimate use. No effort was made to hide the IP address of the computers launching the traffic – and the owners of the attacking systems had no idea their computers were infected with malware and were causing an outage elsewhere.

Trin00 might not have been a large botnet, but it's the first recorded incident of cyber attackers taking over machines that didn't belong to them and using the web traffic to disrupt the network of an particular target. And in the two decades since, DDoS attacks have only become bigger and more disruptive.

Famous DDoS attacks: MafiaBoy – February 2000

The world didn't have to wait long after the University of Minnesota incident to see how disruptive DDoS attacks could be. By February 2000, 15-year-old Canadian Michael Calce – online alias MafiaBoy – had managed to take over a number of university networks, roping a large number of computers into a botnet.

He used this for a DDoS attack that took down some of the biggest websites at the start of the new millennium, including Yahoo! – which at the time was the biggest search engine in the world – eBay, Amazon, CNN, and more. 

Calce was arrested and served eight months in a youth detection centre after pleading guilty to charges against him. He was also fined C$1,000 ($660) for conducting the attacks – which it's estimated caused over $1.7 billion in damages – and went on to become a computer security analyst.

Famous DDoS attacks: Estonia – April 2007

By the mid 2000s, it was apparent that DDoS attacks could be a potent tool in the cyber-criminal arsenal, but the world was about to see a new example of how disruptive DDoS attacks could be; by taking down the internet services of an entire country.

In April 2007, Estonia was – and still is – one of the most digitally advanced countries in the world, with almost every government service accessible online to the country's 1.3 million citizens through an online ID system.

But from 27 April, Estonia was hit with a series of DDoS attacks disrupting all online services in the country, as well as parliament, banks, ministries, newspapers and broadcasters. People weren't able to access the services they needed on a daily basis.

SEE: Network security policy (TechRepublic Premium)

Attacks were launched on multiple occasions, including during a particularly intense period of 24 hours on 9 May – the day Russia celebrates Victory in Europe day for World War II, before eventually falling away later in the month.

The DDoS campaigns came at a time when Estonia was involved in a political dispute with Russia over the relocation of a Soviet statue in Tallinn. 

Some members of Estonian leadership have accused Russia of orchestrating the attacks, something that the Kremlin has always denied.

Landscape image of Tallinn Estonia on a clear day

Estonia was the victim of a massive DDoS attack.

Image: Getty Images/iStockphoto

Famous DDoS attacks: Spamhaus – March 2013

The Spamhaus Project's goal is to track the activity of spammers on the web in order to help internet providers and email services with a real-time list of common spam emails, posts and messages in order to prevent users from seeing them and potentially being scammed.

But in March 2013, Spamhaus itself fell victim to cyber criminals when 300 billion bits of data a second was launched at it in what was at the time the biggest DDoS attack ever, and one that lasted for almost two weeks.

Cloudflare dubbed it 'The DDoS' attack that almost broke the internet' after the web infrastructure and web-security company stepped in to mitigate the attack against Spamhaus – and then found cyber attackers attempting to take Cloudflare itself offline. But the impact of the attack was much greater because the sheer scale of the attack caused congestion across the internet.

Famous DDoS attacks: Mirai – October 2016

In probably the most famous DDoS attack to date, the Mirai botnet took down vast swathes of online services across much of Europe and North America. News websites, Spotify, Reddit, Twitter, the PlayStation Network and many other digital services were either slowed down to a crawl or completely inaccessible to millions of people. Fortunately, the outages lasted for less than one day.

Described as the biggest online blackout in history, the downtime was caused by a DDoS attack against Dyn, the domain name system provider for hundreds of major websites. The attacks was explicitly designed to overload its capability.

What helped make the attack so powerful was the Mirai botnet had taken control of millions of IoT devices, including cameras, routers, smart TVs and printers, often just by brute-forcing default credentials, if the devices had a password at all. And while the traffic generated by individual IoT devices is small, the sheer number of devices in the botnet was overwhelming to Dyn. And Mirai still lives on.


The Mirai botnet attack took down a large number of online services. 

Image: Level 3

How do I know if I'm under DDoS attack?

Any business or organisation that has a web-facing element needs to think about the regular web traffic it receives and provision for it accordingly; large amounts of legitimate traffic can overwhelm servers, leading to slow or no service, something that could potentially drive customers and consumers away.

But organisations also need to be able to differentiate between legitimate web traffic and DDoS attack traffic.

Capacity planning is, therefore, a key element of running a website, with thought put into determining what's an expected, regular amount of traffic and what unusually high or unanticipated volumes of legitimate traffic could look like, so as to avoid causing disruption to users – either by taking out the site due to high demands, or mistakenly blocking access due to a DDoS false alarm.

SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)

So how can organisations differentiate between a legitimate increase in demand and a DDoS attack?

In general, an outage caused my legitimate traffic will only last for a very short period of time and often there might be an obvious reason for the outage, such as an online retailer experiencing high demand for a new item, or a new video game's online servers getting very high traffic from gamers eager to play.

But in the case of a DDoS attack, there are some tell-tale signs that it's a malicious and targeted campaign. Often DDoS attacks are designed to cause disruption over a sustained period of time, which could mean sudden spikes in malicious traffic at intervals causing regular outages.

The other key sign that your organisation has likely been hit with a DDoS attack is that services suddenly slow down or go offline for days at a time, which would indicate the services are being targeted by attackers who just want to cause as much disruption as possible. Some of these attackers might be doing it just to cause chaos; some may be paid to attack a particular site or service. Others might be trying to run some kind of extortion racket, promising to drop the attack in exchange for a pay-off.

What do I do if I'm under DDoS attack?

Once it's become clear that you're being targeted by DDoS attack, you should piece together a timeline of when the problems started and how long they've been going on for, as well as identifying which assets like applications, services and servers are impacted – and how that's negatively impacting users, customers and the business as a whole.

It's also important that organisations notify their web-hosting provider – it's likely that they will have also seen the DDoS attack, but contacting them directly may help curtail the impacts of a DDoS campaign – especially if it's possible for the provider to switch your IP address. Switching the IP to a new address will mean that the DDoS attack won't have the impact it did because the attack will be pointing in the wrong direction.

If your security provider provides a DDoS mitigation service, it should help reduce the impact of the attack, but as seen with attacks like Mirai, especially large attacks that can still cause disruption despite the presence of preventative measures. The unfortunate thing about DDoS attacks is that while they're very simple to conduct, they're also very effective, so it's still possible that even with measures in place that services could be taken offline for some time.

It's also important to notify users of the service about what is happening, because otherwise they could be left confused and frustrated by a lack of information. Businesses should consider putting up a temporary site explaining that there are problems and provide users with information they should follow if they need the service. Social-media platforms like Twitter and Facebook can also be used to promote this message.

How do I protect against DDoS attacks?

What makes DDoS attacks effective is the ability to direct a large amount of traffic at a particular target. If all of an organisations' online resources are in one location, the attackers only need to go after one particular target to cause disruption with large amounts of traffic. If possible, it's therefore useful to spread systems out, so it's more difficult – although not impossible – for attackers to direct resources towards everything at once.

Monitoring web traffic and having an accurate idea about what regular traffic looks like, and what is abnormal traffic, can also play a vital role in helping to protect against or spotting DDoS attacks. Some security personnel recommend setting up alerts that notify you if the number of requests is above a certain threshold. While this might not necessarily indicate malicious activity, it does at least provide a potential early warning that something might be on the way.

It's also useful to plan for scale and spikes in web traffic, which is something that using a cloud-based hosting provider can aid with.

Firewalls and routers can play an important role in mitigating the potential damage of a DDoS attack. If configured correctly, they can deflect bogus traffic by analysing it as potentially dangerous and blocking it before it arrives. However, it's also import to note that in order for this to be effective, firewall and security software needs to be patched with the latest updates to remain as effective as possible.

Using an IP stresser service can be an effective way of testing your own bandwidth capability. There are also specialist DDoS mitigation service providers that can help organisations deal with a sudden large upsurge in web traffic, helping to prevent damage by attacks.

What is a DDoS mitigation service?

DDoS attack mitigation services protect the network from DDoS attacks by re-routing malicious traffic away from the network of the victim. High profile DDoS mitigation service providers include Cloudflare, Akamai, Radware and many others.

The first job of a mitigation service is to be able to detect a DDoS attack and distinguish what's actually a malicious event from what's just a regular – if unusually high – volume of traffic.

Common means of DDoS mitigation services doing this include judging the reputation of the IP the majority of traffic is coming from. If it's from somewhere unusual or known to be malicious, it could indicate an attack – while another way is looking out for common patterns associated with malicious traffic, often based on what's been learned from previous incidents.

Once an attack has been identified as legitimate, a DDoS protection service will move to respond by absorbing and deflecting the malicious traffic as much as possible. This is helped along by routing the traffic into manageable chunks that will ease the mitigation process and help prevent denial-of-service.

How do I choose a DDoS mitigation service?

Like any IT procurement, choosing a DDoS mitigation service isn't as simple as just selecting the first solution that appears. Organisations will need to choose a service based on their needs and circumstances. For example, a small business probably isn't going to have any reason to fork out for the DDoS mitigation capabilities required by a global conglomerate.

However, if the organisation looking for a DDoS mitigation service is a large business, then they're probably correct to look at large overflow capacities to help mitigate attacks. Looking at a network that has two or three times more capacity than the largest attacks known to date should be more than enough to keep operations online, even during a large DDoS attack.

While DDoS attacks can cause disruption from anywhere in the world, the geography and location of a DDoS mitigation service provider can be a factor. A European-based company could have an effective US DDoS protection provider, but if that provider doesn't have servers or scrubbing centres based in Europe, the latency of the response time could prove to be a problem, especially if it causes a problem for re-routing traffic.

When deciding on a service provider, organisations should, therefore, consider if the DDoS protection network will be effective in their region of the world. For example, a European company should probably consider a DDoS mitigation provider with a European scrubbing centre to help remove or redirect malicious traffic as quickly as possible.  

However, despite all the ways to potentially prevent a DDoS attack, sometimes attackers will still be successful anyway – because if attackers really want to take down a service and have enough resources, they'll do their best to be successful at it. But if an organisation is aware of the warning signs of a DDoS attack, it's possible to be prepared for when it happens.  

Editorial standards