A distributed denial-of-service (DDoS) attack renders a system nonfunctional, making it unavailable to legitimate users.
What is DDoS?
DDoS is a malicious attack in which a system is degraded and rendered unusable to legitimate users. In many cases, DDoS is a coordinated campaign during which multiple compromised devices are used to overwhelm a target with massive volumes of traffic, rendering its services inaccessible to intended users.
A DDoS attack degrades infrastructure by flooding the target resource with traffic, overloading it to the point of inoperability, or by sending a specifically crafted message that impairs application performance. DDoS attacks can target network infrastructure such as firewall state tables, as well as application resources such as servers and CPUs. DDoS attacks can have severe consequences, compromising the availability and integrity of online services and causing significant disruption, with the potential for financial losses and reputational damage. These attacks can also be used as a smokescreen to distract security and risk teams from data exfiltration.
A DDoS attack is like thousands of people trying to cram through a doorway all at the same time. The result is that no one can get through the doorway, including people who have a legitimate reason to pass through to the other side. Or, the attack can be like a single person with a key that locks the door after passing through, preventing anybody else from entering.
Attacks like this are usually coordinated across a large number of client computers and other network-connected devices. These attacker-controlled resources may have been set up for this express purpose, or more likely have been infected with malware that lets the attacker remotely control the device and enlist it in attacks.
Because the attack is coming from so many different sources, it can be extremely difficult to block. Imagine, again, the horde of people cramming the doorway. Simply blocking one illegitimate person (or malicious traffic source) from getting through won’t help since there are thousands of others to take its place. Advances in automation frameworks allow attacks to spoof IP addresses, autonomous system numbers (ASNs), browser user-agents, and other telemetry to bypass traditional security controls.
It’s important to distinguish between Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. Both are types of cyberattacks aimed at disrupting the availability of a target system or network, but they differ in how the attacks are carried out.
A DoS attack is typically launched from a single source or a small number of sources, with the attacker overwhelming the target system or network with a flood of traffic or requests, exceeding its capacity to handle them.
DDoS attacks, on the other hand, involve multiple sources or a botnet, which is a network of compromised computers or devices under the control of the attacker. The attacker coordinates these multiple sources to simultaneously launch the attack against the target. DDoS attacks are generally more difficult to mitigate than DoS attacks because they come from multiple sources, making it challenging to distinguish legitimate traffic from malicious traffic.
While the DDoS threat landscape is constantly evolving, F5 has found that most attacks fall into the following broad categories.
Volumetric attacks are among the most common types of DDoS attacks. These attacks aim to overwhelm the target's network bandwidth by flooding it with a massive volume of data or traffic. Such techniques include UDP (User Datagram Protocol) floods, ICMP (Internet Control Message Protocol) floods, and reflection attacks leveraging protocols such as NTP (Network Time Protocol), Memcached, and DNS to amplify the amount of traffic received by the target. The sheer magnitude of traffic saturates the target's network infrastructure, causing it to become unavailable to legitimate users. Flood-based attacks often target layers 3, 4, or 7, with SYN flood being a very common attack that can overwhelm network firewalls and other critical network infrastructure.
Protocol attacks target weaknesses in the TCP/IP protocol stack, which is the foundation of Internet communication. These attacks specifically target the ability of network infrastructure to track and handle traffic. For example, SYN flood attacks inundate the target with a barrage of TCP SYN packets, overwhelming the target's ability to establish legitimate connections. These are also known as “computational” attacks, since they often overload the compute capacity of network devices, such as routers and firewalls.
Application vulnerability attacks, also known as Layer 7 attacks, specifically target the application layer of the network stack. These attacks focus on exploiting software vulnerabilities in the applications or services running on the target server to exhaust the server's resources, such as CPU, memory, or database connections. Examples of application layer attacks include HTTP GET floods (sending a large number of HTTP requests), slowloris attacks (holding connections open with partial requests), HTTP POST floods, TLS renegotiation, and DNS queries.
Asymmetric attacks, also known as reflective or amplification attacks, exploit the functionality of certain network protocols to amplify the volume of attack traffic. In an asymmetric DDoS attack, the attacker sends a small amount of specially crafted network packets to a vulnerable network or service, typically using a forged source IP address. These packets trigger the generation of much larger responses from the targeted system or network, resulting in a significant amplification effect.
Multi-vector attacks, which leverage more than one of the above methods, are becoming increasingly common. By employing more than one attack technique, attackers are able to amplify the impact and increase the difficulty of defending against multiple attack vectors simultaneously.
DDoS attacks can have severe implications for businesses, organizations, and individuals.
DDoS attacks can lead to significant financial losses. When services are disrupted or inaccessible, businesses may experience revenue impact due to interrupted transactions, decreased customer engagement, or missed opportunities. Additionally, organizations may incur costs associated with mitigating the attack, conducting incident response and recovery activities, and potential regulatory penalties.
Successful DDoS attacks can damage an organization's reputation and erode customer trust. If a company's services are repeatedly disrupted or unavailable, customers may lose confidence in the organization's ability to deliver reliable services. Rebuilding trust and restoring a damaged reputation can be a challenging and time-consuming process.
DDoS attacks can cause severe operational disruptions. Organizations heavily dependent on online services may face productivity losses, as employees are unable to access critical systems or collaborate effectively. Service disruptions can impact supply chains, customer support, and overall business operations, leading to delays, inefficiencies, and increased operational costs.
By investing in robust DDoS mitigation strategies and engaging cybersecurity professionals to design and implement security measures, organizations can significantly reduce the risk and impact of successful DDoS attacks, safeguard their financial stability and reputation, and ensure the continuity of their operations.
Following are some common DDoS mitigation techniques used to defend against attacks. Organizations often employ a combination of these methodologies to create a layered defense strategy that can effectively mitigate the impact of DDoS attacks. Early detection is also key to initiating prompt incident response and mitigation measures, allowing organizations to contain the impact before it escalates.
Traffic filtering involves examining incoming network traffic and applying filters to block or allow specific types of traffic. This technique can be employed at different levels, such as network edge routers, firewalls, or dedicated DDoS mitigation appliances. By filtering out malicious or unwanted traffic, organizations can reduce the impact of DDoS attacks and help ensure that legitimate traffic reaches the intended destination.
Rate limiting restricts the number of incoming requests or packets from a particular source or within a specified time frame. By enforcing rate limits, organizations can mitigate the impact of DDoS attacks by preventing an overwhelming influx of traffic.
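Added example (not F5 code): a per-source token bucket combined with an aggregate ceiling, run over two constructed one-second traffic samples. It shows that a per-source limit stops a single-source flood, while a distributed flood whose sources each stay under that limit is only caught by the aggregate limit. The class names, rates, and addresses are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

class TokenBucket:
    """Refills at `rate` tokens per second, holding at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def has_token(self, now):
        # Credit the time elapsed since the last check, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        return self.tokens >= 1.0

    def take(self):
        self.tokens -= 1.0

class LayeredLimiter:
    """Per-source limit plus an aggregate ceiling for the protected service."""
    def __init__(self, per_source=(5, 10), aggregate=(100, 200)):
        # (rate per second, burst) pairs; the values are assumptions.
        self.sources = defaultdict(lambda: TokenBucket(*per_source))
        self.total = TokenBucket(*aggregate)

    def allow(self, src, now):
        bucket = self.sources[src]
        if not bucket.has_token(now):
            return "drop:per-source"
        if not self.total.has_token(now):
            return "drop:aggregate"
        bucket.take()
        self.total.take()
        return "pass"

def run(events):
    """Feed (timestamp, source) pairs through a fresh limiter and tally verdicts."""
    limiter = LayeredLimiter()
    return dict(Counter(limiter.allow(src, now) for now, src in events))

# Constructed traffic, one second each; addresses are from documentation ranges.
def single_source_flood():
    return [(i / 1000, "198.51.100.7") for i in range(1000)]

def distributed_flood():
    # 500 sources x 4 requests: every source stays under its own limit.
    return [(j / 2000, f"2001:db8::{j % 500:x}") for j in range(2000)]

if __name__ == "__main__":
    print("single source:", run(single_source_flood()))
    print("distributed:  ", run(distributed_flood()))
```

The per-source table grows with every distinct source seen, so a production limiter bounds or expires its entries.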
Anomaly detection involves monitoring network traffic patterns and behavior to identify deviations from normal patterns. It utilizes statistical analysis and machine learning algorithms to establish baseline behavior and detect anomalous activities that may indicate a DDoS attack. Anomaly detection systems can identify unusual traffic spikes, packet flooding, or other patterns that are indicative of an ongoing attack.
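Added example (not F5 code): a minimal statistical baseline of the kind described above, using an exponentially weighted mean and variance of per-second request counts and reporting each run of samples that exceeds the baseline by `k` standard deviations. The request counts are constructed, and the function name and the parameters `alpha`, `k`, `warmup`, and `min_std` are assumptions.

```python
import math
from statistics import mean, pvariance

def detect_spikes(counts, alpha=0.1, k=4.0, warmup=10, min_std=1.0):
    """Return (start, end, peak) index ranges where the rate exceeds the baseline."""
    # Seed the baseline from the first `warmup` samples, assumed to be clean.
    m, v = mean(counts[:warmup]), pvariance(counts[:warmup])
    episodes, start, peak = [], None, 0
    for i, x in enumerate(counts[warmup:], start=warmup):
        threshold = m + k * max(math.sqrt(v), min_std)
        if x > threshold:
            # Anomalous sample: record it and keep it out of the baseline,
            # so a sustained flood cannot teach the detector that it is normal.
            if start is None:
                start, peak = i, x
            peak = max(peak, x)
            continue
        if start is not None:
            episodes.append((start, i - 1, peak))
            start = None
        # Normal sample: fold it into the moving mean and variance.
        d = x - m
        m += alpha * d
        v = (1 - alpha) * (v + alpha * d * d)
    if start is not None:
        episodes.append((start, len(counts) - 1, peak))
    return episodes

# Constructed requests-per-second pattern for a service averaging 100 req/s.
NORMAL = [100, 104, 97, 102, 95, 101, 99, 103, 98, 101]

def sample_series():
    series = NORMAL * 6
    # Constructed ten-second flood that ramps up, plateaus, and ramps down.
    series[40:50] = [180, 320, 400, 400, 400, 400, 400, 400, 310, 170]
    return series

if __name__ == "__main__":
    for start, end, peak in detect_spikes(sample_series()):
        print(f"anomaly from second {start} to {end}, peak {peak} req/s")
```

Because flagged samples never update the baseline, a legitimate permanent rise in traffic keeps alerting until the baseline is reseeded.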
Behavioral analysis focuses on monitoring the behavior of users, systems, or network entities to detect and identify suspicious or malicious activities. Behavioral analysis techniques can help in differentiating between legitimate traffic and attack traffic, allowing organizations to respond effectively to DDoS attacks while minimizing false positives. This analysis can be performed on the client-side as well as server-side through intelligent proxies that detect system stress that may be indicative of a denial-of-service attack.
Deploying a content delivery network (CDN) can help mitigate the impact of volumetric attacks and provide enhanced availability and performance. CDNs can use their distributed network infrastructure to identify and block malicious traffic, ensuring that legitimate requests reach the target.
Load balancers and application delivery controllers (ADCs) can also act as a defense mechanism against DDoS attacks by intelligently distributing and managing traffic. Load balancers can detect and mitigate DDoS attacks by applying various techniques such as rate limiting, traffic shaping, or redirecting traffic to specialized DDoS protection solutions.
Implementing cloud-based DDoS protection services can help provide dedicated and scalable mitigation capabilities to defend against DDoS attacks. By redirecting traffic through these services, organizations can benefit from advanced mitigation techniques, real-time threat intelligence, and the expertise of specialized providers.
Other best practices to protect against DDoS attacks include enabling Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) request management to ensure only legitimate requests are being processed. Regular monitoring and logging help detect attacks early and can mitigate any negative impacts. Patterns of increased traffic, errors, or unusual activity can trigger alerts for further investigation. Encrypting traffic between applications and clients can make it more difficult for an attacker to intercept and modify traffic. Regular software updates ensure your systems are protected by the latest security features and patches to mitigate known threats, including DDoS attacks.
As DDoS attacks continue to grow in scale and complexity, organizations need multiple layers of protection to stop these attacks before they reach the enterprise network. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools. As the frequency of these attacks and the cost of outages continue to escalate, the importance of a holistic, layered defense to mitigate these attacks is now mission-critical.
As DDoS attacks continue to evolve, organizations need to stay updated on the latest trends and developments.
A recent trend has been the growing prevalence of Internet of Things (IoT) botnets. IoT devices, such as smart cameras, routers, and connected appliances, often have weak security measures and are susceptible to compromise. Attackers exploit vulnerabilities in these devices to infect them with malware and enlist them as part of a botnet. The combined computing power of thousands of compromised IoT devices can generate massive volumes of DDoS attack traffic.
Application-layer attacks, which aim to exhaust server resources or exploit vulnerabilities in specific applications, often mimic legitimate user behavior, making them harder to detect and mitigate. Application-layer attacks are particularly challenging to defend against because they require a deeper understanding of application behavior and require specialized protection mechanisms.
The emergence of DDoS-as-a-Service platforms has made launching DDoS attacks more accessible to less technically skilled individuals. These platforms are found on the Dark Web and provide easy-to-use interfaces that allow users to rent and deploy DDoS attack resources, often utilizing botnets-for-hire.
Advanced DDoS threats require advanced DDoS protection, and F5 services and solutions are here to help. The best way to defend yourself from a DDoS attack is to prevent it. F5 solutions mitigate multi-vector denial-of-service attacks that overwhelm critical infrastructure, target key protocols, and exploit vulnerabilities in your applications or services. F5 solutions also protect against DNS amplification attacks and other flooding exploits by validating query requests, mitigating malicious communications, and providing visibility into DNS and applications so that their health, optimization, and protection can be maximized. F5 DDoS mitigation solutions provide multi-layer defenses that deliver greater depth of defense against blended network attacks and sophisticated application exploits, and can detect and eliminate threats in near real-time.
In addition, F5 NGINX Plus is a cloud‑native, easy-to-use reverse proxy, load balancer, and API gateway. It provides DDoS protection through its built-in rate limiting capabilities, as well as TCP and UDP request management. F5 NGINX App Protect DoS is a dynamic software security module designed for DevOps environments that runs natively on NGINX Plus and uses eBPF technology to accelerate mitigation of modern app and API DDoS attacks at layer 7. F5 NGINX App Protect WAF is a lightweight, modern application and API security solution designed for DevOps environments that runs natively on NGINX Plus and goes beyond basic OWASP Top 10 protection, providing advanced security that includes over 7,500 threat signatures, bot signatures, and threat campaign protection.