Visit us at it-sa 2024!

What is "DDoS"?

What is a DDoS attack?

“7 out of 10 organizations expect serious damage from DDoS attacks.” – Lünendonk 2023

For more than 20 years, criminals have been using DDoS attacks to deliberately harm companies and institutions. Due to their immensely powerful nature, they are an incalculable and very serious threat. Thanks to Myra DDoS protection, your IT infrastructure is safe.

Explore the Myra DDoS Protection

At one look

1. What is „DDoS“?
2. What Does a DDoS Attack Look Like?
3. Distributed Reflection Denial of Service Attack (DRDoS)
4. Who Are the Attackers?
5. What Methods Do Attackers Use?
1. 5.1 DDoS Attacks on Layers 3 and 4
2. 5.2 DDoS Attacks on Layer 7
6. When is DoS/DDoS a criminal offense?
7. What Are the Consequences of an Attack?
8. Why the IoT is a DDoS accelerator
9. Which Industries Are Affected?
10. How to prevent DDoS attacks
11. Evolution of DDoS attacks

Explanation graphic in which 3 layers DDoS attacks are defended against by Myra.

What is „DDoS“?

A DDoS attack is a special type of cybercrime. As its name says, a Distributed Denial of Service (DDoS) attack is a Denial of Service (DoS) attack that is “distributed.” This means that a requested service is no longer available or only to a very limited extent. In most cases, this is caused by an intentional overloading of the IT infrastructure. Attackers use this kind of cybercrime to extort money from unprotected organizations or to carry out, cover up, or prepare for other criminal activities.

What Does a DDoS Attack Look Like?

During a DDoS attack, the attackers target a service or server to make it unavailable. One of the ways they do this is by infecting multiple computers with malware, which they then use to take control of these computers unnoticed. The attackers misuse this infected computer network—also called a botnet—to carry out remote-controlled DDoS attacks. Via the botnet, they launch simultaneous attacks on their target, bombarding its infrastructure with countless requests.

The more computers are linked together, the more potent the attack is. When vulnerable servers are attacked, they are overwhelmed by the enormous number of requests, and their Internet connection is overloaded. As a result, websites only operate very slowly or are no longer available at all.

Distributed Reflection Denial of Service Attack (DRDoS)

A Distributed Reflection Denial of Service attack is a special form of DoS. In this case, malicious requests do not originate from e.g. a botnet, but from normal internet services. Via IP spoofing (sending IP packets with forged IP sender addresses), attackers manipulate these services to direct traffic towards the target. This approach make it possible to conceal attacks. DRDoS attacks take place e.g. via DNS services, as DNS amplification attacks, in which massive amounts of data flood the victim. In an attack on the anti-spam organization spamhaus.org, one such DNS amplification attack led to peak loads of 300 Gbit/s.

Who Are the Attackers?

Attackers’ motives for carrying out a DDoS attack are varied: extortion, harming the competition, envy, or political protest. The goal, however, is always the same: causing the victim organization as much damage as possible.

Individual criminals or groups
Political activists
Competitors
Dissatisfied users

What Methods Do Attackers Use?

Cybercriminals use different kinds of DDoS attacks. The methods used can be divided into different categories based on what layers (according to the Open System Interconnection model for network protocols, or OSI model for short) are the focus of the attack.

One of the most common methods is to overload system resources or network bandwidths (layers 3 and 4). In the last few years, there has been a trend among cybercriminals to shift attacks to the user level (layer 7). But the patterns and bandwidths of DDoS attacks change on a daily basis. With the right DDoS security measures, you are protected against all attack patterns.

DDoS Attacks on Layers 3 and 4

CP SYN floods and UDP-based reflection attacks are among the most frequent attacks on the network and transport layer (layers 3 and 4). Other typical methods of attack include ICMP flood, UDP fragmentation, UDP amplification via DNS, NTP, rpcbind, SSDP, ACK flood, and RST flood. All of these attacks either overload the target with very high bandwidth or enormous packet rates. Legitimate attempts to access the data channel to establish communication are no longer possible.

In a SYN-ACK flood attack (or SYN and ACK floods), for example, a botnet remotely controlled by attackers bombards a server with SYN packets. They are usually part of what is called at three-way handshake, which occurs when a TCP connection is established between client and server. A SYN/ACK attack produces a huge number of half-open connections by sending many SYN, but none of the ACK packets needed to establish a full connection. As a result, no new connections can be established and the website is no longer accessible.

Myra Cloud Scrubbing protects IT infrastructure against such volumetric attacks on the network and transport layers. Detailed traffic analyses are provided by automatic flow monitoring. The failover of affected networks in case of an attack is fully automated.

DDoS Attacks on Layer 7

DDoS attacks on the application layer (layer 7) are based on connections that have already been established and have become one of the most common forms of attack. HTTP GET, POST, and other flood attacks as well as low and slow attacks are particularly popular with cybercriminals. They seek to penetrate the weakest component of an infrastructure, causing an overload of the web application.

For example, an attacker uses an HTTP GET flood attack to flood a web server with HTTP requests that specifically request pages with a large load volume. This causes the server to overload and it is no longer able to process legitimate requests. As a result, the website is no longer accessible to users.

Attacks on the application layer are usually not detected by the sensors used to protect the network and transport layers. Since they consist of standard URL requests, flood attacks are difficult to distinguish from normal traffic. Layer 3 and 4 protection systems, for example, cannot distinguish between an HTTP GET flood attack and a valid download. Accordingly, securing a web application requires IT security on all relevant layers. Specifically, attacks aimed at stealing sensitive data can only be detected and fended off by using Layer 7 protection.

Myra DDoS Web Protection protects web applications on layer 7 fully automatically. With full traffic visibility, Myra enables intelligent load balancing and site failover with high reliability and minimal response times.

Person on laptop and with cell phone in hand writing code

When is DoS/DDoS a criminal offense?

In general, DoS/DDoS attacks on a service on the internet are to be regarded as computer sabotage in Germany pursuant to Section 303b of the Criminal Code (StGB) and are hence prosecutable under criminal law. It is irrelevant whether the attack has a criminal intent (e.g. for ransom demands) or takes place as part of a politically motivated act of protest. In some countries, downloading or possessing DoS or DDoS software is itself a criminal offense. Such attacks may generally only be within the law when applied to one’s own hardware on one’s own network. Exceptions apply to hired security auditors as part of penetration testing.

What Are the Consequences of an Attack?

An attack always harms affected companies and institutions, regardless of which method is chosen. Victim organizations still suffer from the consequences even years later. It is therefore extremely important to be adequately protected against DDoS attacks.

Economic Damages

A few minutes offline can quickly cost thousands of euros. Lost profits and wasted marketing budgets are only one example of the financial damages suffered.

Image Damage

The extent of damage to a company’s reputation caused by a successful DDoS attack is incalculable. Recovery costs a great deal of resources and may take years.

Data Theft

During a DDoS attack, systems no longer operate normally. The heavy load or overload causes some systems to suddenly become vulnerable and opens up new vectors of attack.

Why the IoT is a DDoS accelerator

The collective term IoT (Internet of Things) encompasses a variety of networked devices, e.g. from private households, such as IP cameras, but also networked industrial production systems, as well as intelligent control elements in public infrastructure. These devices connected to the internet make an attractive target for cybercriminals, since they can be used as tools for DDoS and other attacks. In order to gain control over IoT devices, cybercriminals employ special malware which spreads independently in networks. The goal is usually to compromise as many systems as possible in order to use them for botnet attacks. One popular example of this kind of malicious software is the malware Mirai, used by cybercriminals to set up botnets. Mirai is associated with the attack on the internet service provider Dyn in 2016. A network of several thousand IP cameras, printers, smart TVs and other devices carried out the attack as a DDoS network and crippled Dyn’s servers for hours on end.

Which Industries Are Affected?

Any industry and any company can be the victim of a DDoS attack, regardless of its size. The question is when—not whether—an attack will be leveled against your company and how quickly it will be discovered. The main targets of cybercriminals and extortionists are e-commerce businesses, banks, FinTech companies and insurance companies, manufacturing companies, media, and the health sector. Data centers and public sector organizations are also preferred targets of DDoS attackers. The motives of these criminals go way beyond demanding money: With their attacks, they want to paralyze production plants and processes, interrupt the supply of power or energy, and influence reporting.

How to prevent DDoS attacks

DDoS mitigation requires the use of special protection technologies. These are available both as an appliance for use on premises as well as a SECaaS service. The latter variant is not throttled by the available bandwidth of the company’s own connection and can therefore be used much more agilely. Anti-DDoS solutions filter incoming traffic and thus differentiate between valid requests and malicious access. Companies that are particularly frequent targets of DDoS attacks leave their security measures permanently enabled, whereas others only use the solutions when necessary to reduce the costs and work involved.

Evolution of DDoS attacks

The frequency and intensity of DDoS attacks have increased exponentially over the past 10 years. Above all, the intensity of attacks increased massively in the year 2013, since at that time a growing number of DNS servers were employed in DRDoS attacks. For instance, an attack on the anti-spam organization spamhaus.org resulted in load peaks of 300 Gbit/s. The first attacks to reach the 500 Gbit/s mark occurred in the following year. In 2016, Mirai malware caused another record-breaking attack. The malware created a botnet spread across more than 100,000 IoT devices, which in concert launched a 1.2 Tbit/s attack on the service provider Dyn. The most massive DDoS attacks to date took place in 2018. Back then, the GitHub coding platform was overloaded with traffic peaks of 1.35 Tbit/s. In the same year, security researchers also recorded an attack on a US company measuring over 1.7 Tbit/s. Meanwhile, the frequency of DDoS attacks also steadily increased over the years. Between 2014 to 2017 alone, the frequency of DDoS attacks increased more than 2.5-fold.

Want to learn more about our solutions, use cases and best practices for attack defense? In our download area you will find product sheets, fact sheets, white papers and case studies.

Go to download section

Responsible Disclosure Legal notice Privacy policy Privacy Settings Terms and Conditions