What Is a DDoS Attack?

There are many different types of DDoS attacks, and attackers often use more than one type to wreak havoc on their targets. Three key types are volumetric, protocol, and application-layer attacks. The purpose of all attacks is to severely slow down or stop legitimate traffic from reaching its intended destination. For example, this could mean stopping a user from accessing a website, buying a product or service, watching a video, or interacting on social media. Additionally, by making resources unavailable or diminishing performance, DDoS can cause business to grind to a halt. This can result in preventing employees from accessing email or web applications, or conducting business as usual.

To further understand how DDoS attacks work, let’s break down the different pathways attackers can take. The Open Systems Interconnection (OSI) model is a layered framework for various networking standards and contains seven different layers. Each layer of the OSI model has a unique purpose, like the floors of an office building where different functions of a business take place on each floor. Attackers target different layers depending on what type of web or internet-facing asset they’d like to disrupt.

The intent of a volume-based DDoS attack is to overwhelm a network with massive amounts of traffic by saturating the bandwidth of the intended victim resource. The large quantities of attack traffic block legitimate users from accessing the application or service, preventing traffic from flowing in or out. Depending on the target, stopping legitimate traffic could mean a bank customer may be unable to pay a bill on time, ecommerce shoppers are unable to complete online transactions, a hospital patient could be barred from their medical records, or a citizen could find themselves unable to view their tax records from a government agency. No matter the organization, blocking people from a service they expect to use online has a negative impact.

Volumetric attacks use botnets created with armies of individual malware-infected systems and devices. Controlled by an attacker, bots are used to cause congestion between a target and the internet at large with malicious traffic that saturates all available bandwidth.

An unforeseen onslaught of bot traffic can significantly slow down or prevent access to a web resource or internet-facing service. Since bots take over legitimate devices to amplify bandwidth-intensive DDoS assaults, often unknowingly to the user, the malicious traffic is difficult for the victimized organization to detect.

There are a variety of volumetric DDoS attack vectors used by threat actors. Many leverage reflection and amplification attack techniques to overwhelm a target network or service.

UDP floods are frequently chosen for larger-bandwidth DDoS attacks. Attackers attempt to overwhelm ports on the targeted host with IP packets containing the stateless UDP protocol. The victim host then looks for applications that are associated with the UDP packets, and when not found, sends a “Destination Unreachable” back to the sender. The IP addresses are often spoofed to anonymize the attacker, and once the targeted host becomes inundated with attack traffic, the system becomes unresponsive and unavailable to legitimate users.

What is a Domain Name System (DNS) reflection/amplification DDoS attack?

Domain Name System or DNS reflection attacks are a common type of attack vector where cybercriminals or hackers spoof the IP address of their target to send large amounts of requests to open DNS servers. In response, these DNS servers respond back to the malicious requests by the spoofed IP address, thereby creating an attack on the intended target through a flood of DNS replies. Very quickly, the large volume of traffic created from the DNS replies overwhelms the victim organization’s services, making them unavailable and preventing legitimate traffic from reaching its intended destination.

Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany Transmission Control Protocol (TCP) packets that enable application programs and computing devices to exchange messages over a network, when connecting to a server. An ICMP flood is a Layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network’s bandwidth.

Protocol attacks attempt to consume and exhaust compute capacity of various network infrastructure resources like servers or firewalls via malicious connection requests that exploit protocol communications. Synchronization (SYN) floods and Smurf DDoS are two common types of protocol-based DDoS attacks. Protocol attacks can be measured in packets per second (pps) as well as bits per second (bps).

One of the main ways people connect to internet applications is through the Transmission Control Protocol (TCP). This connection requires a three-way handshake from a TCP service — like a web server — and involves sending a SYN (synchronization) packet from where the user connects to the server, which then returns a SYN-ACK (synchronization acknowledgement) packet, which is ultimately answered with a final ACK (acknowledgement) communication back to complete the TCP handshake.

During a SYN flood attack, a malicious client sends a large volume of SYN packets (part one of the usual handshake) but never sends the acknowledgement to complete the handshake. This leaves the server waiting for a response to these half-open TCP connections that eventually run out of capacity to accept new connections for services that track connection states. 

A SYN flood attack is like a terrible prank by the entire graduating class of a really big high school, where each student calls the same pizza restaurant and orders a pie during the same time frame. Then, when the delivery person goes to pack up, she realizes that there are too many pizzas to fit in her car and there are no addresses on the orders — so all delivery stops.

The name of this DDoS attack is based on the concept that numerous tiny attackers can overwhelm a much larger opponent by sheer volume, just like the fictional colony of small blue humanoids that are its namesake.

In a Smurf distributed denial-of-service attack, large numbers of Internet Control Message Protocol (ICMP) packets with an intended target’s spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, most devices on a network will respond by sending a reply to the source IP address. Depending on the number of machines on the network, the victim’s computer may be slowed down to a crawl from being flooded with traffic.

Conducted by flooding applications with malicious requests, application-layer attacks are measured in requests per second (RPS). Also called Layer 7 DDoS attacks, these attacks target and disrupt specific web applications, not entire networks. While difficult to prevent and mitigate, they are among the easier DDoS attacks to launch.

In comparison, it’s easy to startle a herd of horses into a stampede but almost impossible to get them under control again. Application-layer attacks are like that: easy to implement, hard to slow down or stop, and specific to a target.

With a strong DDoS strategy and runbook in place, organizations can protect against and limit disruption from DDoS attacks. The high-capacity, high-performance, and always-on anti-DDoS protection of cloud-based solutions can prevent malicious traffic from reaching a website or interfering with web API communications. A cloud-based scrubbing service can quickly mitigate attacks that target non-web assets, like network infrastructure, at scale.

In a constantly evolving attack landscape, DDoS protection through a mitigation provider that takes a defense-in-depth approach can keep organizations and end users safe. A DDoS mitigation service will detect and block DDoS attacks as quickly as possible, ideally in zero or a few seconds from the time that the attack traffic reaches the mitigation provider’s scrubbing centers. Because attack vectors keep changing and attack sizes keep getting bigger, to achieve the best DDoS protection, a provider must continually invest in defense capacity. To keep up with large, complex attacks, the right technologies are needed to detect malicious traffic and begin robust defensive countermeasures to mitigate attacks quickly.

DDoS mitigation providers filter out malicious traffic to prevent it from reaching the intended targeted asset. Attack traffic is blocked by a DDoS scrubbing service, a cloud-based DNS service, or a CDN-based web protection service. Cloud-based mitigation removes attack traffic before it reaches the target.

DDoS scrubbing can keep your online service or business up and running, even during an attack. Unlike CDN-based mitigation, a DDoS scrubbing service can protect across all ports, protocols, and applications in the data center, including web- and IP-based services. 

Organizations direct their network traffic in one of two ways: via a Border Gateway Protocol (BGP) route advertisement change or DNS redirection (A record or CNAME) to the mitigation provider’s scrubbing infrastructure. Traffic is monitored and inspected for malicious activity, and mitigation is applied if DDoS attacks are identified. Typically, this service can be available in both on-demand and always-on configurations, depending on an organization’s preferred security posture — although more organizations than ever before are moving to an always-on deployment model for the fastest defensive response.

A properly configured advanced content delivery network (CDN) can help defend against DDoS attacks. When a website protection service provider uses its CDN to specifically accelerate traffic using HTTP and HTTPS protocols, all DDoS attacks targeting that URL can then be dropped at the network edge. 

This means that Layer 3 and Layer 4 DDoS attacks are instantly mitigated, as this type of traffic is not destined for web ports 80 and 443. As a cloud-based proxy, the network sits in front of a customer’s IT infrastructure and delivers traffic from end users to the websites and applications. Because these solutions operate in-line, web-facing assets are protected at all times without human interaction from network-layer DDoS attacks. 

For application layer–specific defense, organizations should look to deploy a web application firewall to combat advanced attacks, including certain types of DDoS attacks like http requests, HTTP GET, and HTTP POST floods, which aim to disrupt Layer 7 application processes of the OSI model.

Organizations can reduce their attack surface while also reducing risk of business-impacting downtime and disruption by deploying DDoS-specific cybersecurity controls. This type of defense can thwart an attack while allowing legitimate visitors to access your organization online as they normally would. DDoS protection prevents malicious traffic from reaching its target, limiting the impact of the attack, while allowing normal traffic to get through for business as usual.

During mitigation, your DDoS protection provider will deploy a sequence of countermeasures aimed at stopping and diminishing the impact of a distributed denial-of-service attack. As modern attacks become more advanced, cloud-based DDoS mitigation protection helps to provide defense-in-depth security at scale, keeping back-end infrastructure and internet-facing services available and performing in an optimal manner.

Through DDoS attack protection services, organizations can:

• Reduce the attack surface and business risk associated with DDoS attacks
• Prevent business-impacting downtime
• Guard against web pages from going offline
• Increase speed to respond to a DDoS event and optimize incident response resources
• Shorten the time to understand and investigate a service disruption
• Prevent loss of employee productivity
• More quickly deploy countermeasures to defend against a DDoS attack
• Prevent damage to brand reputation and bottom line
• Maintain application uptime and performance across digital estates
• Minimize costs associated with web security
• Defend against extortion, ransomware, and other new evolving threats

Akamai provides in-depth DDoS defense through a transparent mesh of dedicated edge, distributed DNS, and cloud scrubbing defenses. These purpose-built cloud services are designed to strengthen DDoS security postures while reducing attack surfaces, improving the quality of mitigation, and reducing false positives, while increasing resiliency against the largest and most complex attacks.

Moreover, the solutions can be fine-tuned to the specific requirements of your web applications and internet-based services.

Akamai architected the world’s most distributed edge and cloud platform as a reverse proxy to only accept traffic via ports 80 and 443. All network-layer DDoS attacks are instantly dropped at the edge with a zero-second SLA. That means that attackers launching network-layer DDoS attacks don’t stand a chance.

For application-layer DDoS attacks, including those launched via APIs, Kona Site Defender detects and mitigates the attacks while simultaneously granting access to legitimate users.

Akamai’s authoritative DNS service, Edge DNS, also filters traffic at the edge. Unlike other DNS solutions, Akamai specifically architected Edge DNS for availability and resiliency against DDoS attacks. Edge DNS also delivers superior performance, with architectural redundancies at multiple levels, including name servers, points of presence, networks, and even segmented IP anycast clouds.