What is a DDoS attack?

DDoS attack (Image credit: Shutterstock)

Distributed denial of service (DDoS) attacks are widely considered to be the sledgehammer of cyber attacks. Rather than attempt to quietly infiltrate targeted software and computers, DDoS attacks effectively use brute force to knock target websites and machines offline.

The attack method does this by essentially overwhelming a website or server with more access requests than it can handle, causing it to malfunction and drop offline. Even if an attack fails to take a website or server down, it can cause the services it supports to run a lot slower and leave web pages stuck in loading loops when accessed by legitimate users.

To carry out such an attack, a lot of internet-connected devices are needed. Unfortunately, a huge number of insecure IoT devices have flooded the market in recent years that simply do not have the capability to ward off attackers, usually due to weak or non-existent default passwords.

This makes it possible for criminals to launch effective and widespread DDoS attacks without exerting too much effort. With the right tools, hackers can break past this weak layer and gain remote control of a device. In just a few clicks, a single criminal can muster an army of internet-enabled devices (such as TVs, webcams, routers and even kitchen appliances) to flood a target website with traffic.

The strength of a DDoS attack depends on how many devices it's able to direct toward a target. Over the past few years the rising popularity of IoT devices, including those that connect household appliances to the internet, has provided a steady stream of new recruits for DDoS botnets.

Because DDoS attacks don't obtain unauthorised access to a company's infrastructure or data, they're not considered a 'hack' in the traditional sense. However, that doesn't mean they aren't just as damaging or disruptive. Businesses ranging from e-commerce sites, like eBay, to digital news organisations all stand to suffer if deliberately taken offline.

While inherently damaging in and of themselves, DDoS attacks are also often used as smokescreens for even more invasive attacks. They often serve as a precursor attack, distracting IT teams so that a more invasive cyber attack can occur.

It's because of the potential damage they can cause that DDoS attacks have been made illegal. After a 2006 amendment to the Computer Misuse Act 1990, it's a criminal offence to launch a DDoS attack.

A very brief history of DDoS

The methodology we know today as DDoS is widely considered to have first emerged in 1995 during the Net Strike attacks against sites owned by the French government. Attacks had become somewhat automated by 1997, primarily due to the FloodNet tool created by the Electronic Disturbance Theater (EDT) group.

Following an attack by Anonymous in 2010, the DDoS tactic would be firmly planted on the threat map. Using a tool dubbed the 'Low Orbit Ion Cannon' (LOIC), the group was able to successfully flood targeted servers with TCP or UDP packets, facilitated through a point-and-click UI.

Recent DDoS attacks

DDoS has since evolved further, with high-profile attacks demonstrating the ease with which criminals are able to take down targeted servers.

In October 2016, an 18-year-old allegedly configured his Twitter account and website to contain a redirect link that when clicked would automatically make a 911 call. Emergency services in the towns of Surprise and Peoria, Arizona, as well as the Maricopa County Sheriff's Office were inundated with fake calls as a result.

Surprise received over 100 calls in the space of a few minutes, while Peoria PD received a "large volume of these repeated 911 hang up calls", which, given enough data traffic, could have knocked the 911 service offline for the whole of Maricopa County.


The second notable incident is the DDoS attack on DNS provider Dyn, which took place at about the same time as the Surprise 911 overload. It's thought that the attack was powered by Mirai, a piece of malware that recruits IoT devices into a botnet. Dyn said it had observed that tens of millions of discrete IP addresses associated with Mirai were part of the attack, with an army of 150,000 internet-connected CCTV cameras thought to have been a core part of the botnet.


Since then, DDoS attacks have been growing in size and scale. In June 2020, Amazon Web Services (AWS) claimed to have blocked the largest DDoS attack in history. The incident happened in February, hitting 2.3 Tbits/sec at its peak, smashing the previous peak record of 1.7 Tbits/sec.

Just days later, Akamai said it had prevented the largest-ever distributed denial of service (DDoS) attack, measured in packets-per-second (PPS), targeting a large European bank. The attack, which the networking and security company registered at 809 million PPS, was recorded on 21 June 2020.

The risks of DDoS attacks are increasing exponentially as more businesses shift to a distributed workforce to cope with the COVID-19 pandemic. Vulnerabilities are more easily exposed and DDoS attackers are doing their best to exploit them. According to Neustar's Cyber Threats & Trends Report, the company's Security Operations Centre saw a 151% increase in DDoS activity for the first half of 2020.




“These figures are representative of the growing number, volume and intensity of network-type cyberattacks as organisations shifted to remote operations and workers’ reliance on the internet increased,” Neustar noted in its report.

Neustar adds that DDoS attacks are getting bigger, with a “noticeable spike” in volume. While the number of attacks sized 100Gbps and above has grown by a staggering 275%, smaller attacks of 5Gbps and under represented 70% of all attacks mitigated by Neustar in the first half of 2020.

“While large volumetric attacks capture attention and headlines, bad actors increasingly recognise the value of striking at low enough volume to bypass the traffic thresholds that would trigger mitigation to degrade performance or precision target vulnerable infrastructure like a VPN,” said Michael Kaczmarek, Neustar vice president of security products. Kaczmarek believes that "every organisation with an internet presence" is at risk of a DDoS attack.

Who's conducting DDoS attacks?

This varies depending on the target. It could be cyber activists (aka hacktivists) targeting a particular company, organisation or government agency, a commercial rival or even just people with nothing better to do who choose a target at random. DDoS is also sometimes used as a smokescreen for other criminal activity, like when TalkTalk had data on four million customers exfiltrated while it was dealing with one.

DDoS isn't a legitimate form of political protest, either. Impairing the operation of any computer has been a crime in the UK under the Computer Misuse Act since 2006, following changes made under the Police and Justice Act, and DDoS breaches the Computer Fraud and Abuse Act in the US.

How do DDoS attacks work?

DDoS is now almost exclusively the territory of botnets-for-hire, no longer populated just by compromised PCs and laptops: the Mirai botnet last year connected together hundreds of thousands of IoT devices to power a DDoS attack. Devices such as routers and even CCTV cameras have default credentials that often don't get changed by owners, leaving hackers an easy route to infection and control.

A botnet comprising close to 150,000 digital CCTV cameras was thought to be used in the DDoS attack against DNS provider Dyn, an attack that took a swathe of well-known internet services offline.

DDoS attacks come in many technical guises, and some are more common than others. Nearly all, however, involve flooding to some degree or other. Be it a User Datagram Protocol (UDP), Transmission Control Protocol (TCP) Synchronize (SYN), GET/POST or Ping of Death flood, they all involve sending lots of something that eats up server resources in trying to answer or checking for authenticity. The more that are sent, the less resource the server has to respond until eventually it collapses under the strain.
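From the defender's side, a flood shows up as a request rate far above the server's normal load, often spread across many source addresses. The following is an added example, not part of the original article: it compares a fixed alert threshold with a rolling-median baseline over a constructed request log, showing how a relatively small flood stays under the fixed limit but still stands out against the baseline. The log format, addresses and parameter values are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed sample: 'epoch_second source_ip request' lines, not real traffic."""
    lines = []
    for t in range(60):                      # normal load: 5 req/s from 8 clients
        for i in range(5):
            lines.append(f"{1000 + t} 198.51.100.{(t + i) % 8 + 1} GET /index.html")
    for t in range(60, 70):                  # flood: 40 req/s, 40 distinct sources
        for i in range(40):
            lines.append(f"{1000 + t} 203.0.113.{i + 1} GET /search")
    return lines

def per_second(lines):
    """Count requests and distinct source addresses for each second."""
    counts, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        counts[int(ts)] += 1
        sources[int(ts)].add(ip)
    return counts, sources

def static_alerts(lines, limit=100):
    """Fixed threshold: alert only when a second exceeds `limit` requests."""
    counts, _ = per_second(lines)
    return sorted(sec for sec, n in counts.items() if n > limit)

def baseline_alerts(lines, window=30, factor=4.0, min_sources=20):
    """Alert when a second exceeds `factor` times the rolling median rate."""
    counts, sources = per_second(lines)
    alerts, history = [], []
    for sec in range(min(counts), max(counts) + 1):
        n = counts.get(sec, 0)
        if len(history) >= window:
            baseline = median(history[-window:])
            if n > factor * max(baseline, 1):
                spread = "distributed" if len(sources[sec]) >= min_sources else "few-sources"
                alerts.append((sec, n, spread))
                continue                     # keep flood seconds out of the baseline
        history.append(n)
    return alerts

if __name__ == "__main__":
    log = build_sample_log()
    print("static threshold:", static_alerts(log))
    print("rolling baseline:", baseline_alerts(log))
```

Excluding alerted seconds from the history keeps a sustained flood from gradually becoming the new "normal" that later traffic is judged against.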

How much does a DDoS attack cost?

That depends on whether you mean the cost to the organisation that has fallen victim to a DDoS attack or the cost to its perpetrators. Kaspersky Labs reckons the average cost to an organisation is $106,000 (£82,000) if you take everything from detection through to mitigation and customer churn into account.

For the attacker, it's less expensive, with DDoS-for-hire services ranging from $5 (£3.88) for a few minutes to $500 (£388) for a working day.