In a distributed denial of service (DDoS) attack, massive amounts of illegitimate traffic are sent to a specific website or server to overwhelm its bandwidth and cause it to shut down. At their core, DDoS attacks work by overwhelming a target system or network with a large volume of requests from multiple sources.
These requests can originate from an array of different devices, including computers, smartphones, and even internet-connected household appliances like smart TVs. These devices are collectively referred to as a botnet when used for a DDoS attack.
In the last 12 months, there has been a significant increase in the frequency and severity of distributed denial-of-service (DDoS) attacks, with many organizations struggling to keep up with their growing complexity.
Some recent prominent attacks include the February 2020 attack on Amazon that peaked at 2.3 terabits per second (Tbps) and an attack on Russia’s Yandex in late 2021 that reached 21.8 million web page requests per second. A distributed denial-of-service attack also hit Microsoft’s Azure cloud service in the second half of 2021.
In 2022, some of the attacks were political, focusing on Russia’s war in Ukraine. According to Kaspersky, the pro-Russian group Killnet was responsible for several DDoS attacks directed at Estonia, Lithuania, the U.S. Electronic Federal Tax Payment System, and the U.S. Congress website.
Most DDoS attacks exploit common vulnerabilities in the target system’s firewall or other security measures. The severity of DDoS attacks can vary widely, from simple website defacement to the complete shutdown of an entire network.
As a result, targeted organizations lose revenue, suffer reputational damage, and may even face legal or regulatory consequences due to DDoS attacks. According to the Ponemon Institute, a DDoS attack costs an average of $22,000 per minute, so an attack that lasts an hour costs approximately $1 million USD.
Despite significant advances in cybersecurity, DDoS attacks are still common due to several key factors.
Before launching any kind of attack, attackers typically need to gain access to multiple systems by exploiting vulnerabilities or stealing credentials from unsuspecting victims. Once they have control over those systems, they can use them as part of their botnet — a network of compromised computers that can be used for malicious activities.
Creating a botnet involves several steps. First, attackers must find vulnerable systems that can be compromised using techniques such as phishing emails or malicious links.
Once they have gained access to these systems, they will install malware on them, which gives them remote access and control over those machines. This malware also allows them to turn these computers into “zombies” or “bots” which can then be used for nefarious purposes, such as launching DDoS attacks or sending spam emails.
The attacker then uses these bots to form a network, which they can use to amplify their efforts when attacking another system or network. They may also use the bots in the botnet for other malicious activities, such as stealing confidential data or extorting money from victims by threatening them with data deletion or leakage.
All DDoS attacks involve overwhelming the target system, network, or application with a flood of malicious traffic. However, DDoS attacks can be categorized into three main types based on the open systems interconnection (OSI) layer they target.
DDoS application layer attacks take advantage of the seventh layer of the OSI model, the application layer, to deny service to legitimate users. These attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests.
The attacker’s goal is to exhaust the target’s resources and bandwidth, making it impossible for legitimate users to access the website or service. To accomplish this, attackers may employ techniques such as slowloris attacks, which send incomplete requests to keep connections open and consume additional server resources, or HTTP floods, where thousands of requests per second are sent to overwhelm the target’s capacity. Additionally, attackers may use Layer 7 DDoS attacks to exploit vulnerabilities in web applications, such as SQL injection or cross-site scripting (XSS).
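The HTTP flood described above is visible in ordinary web server access logs as a single source exceeding a request rate no human client would reach. The following detector, added here as an illustration and not code from the original article, slides a per-source time window over Common Log Format lines; the log lines, IP addresses, and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (src_ip, timestamp, request) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, _status, _size = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), req

def http_flood_sources(lines, window_s=10, threshold=50):
    """Return {src_ip: peak} for sources exceeding `threshold` requests in
    any `window_s`-second sliding window. Lines must be in time order, as a
    web server writes them; unparsable lines are skipped."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop expired entries
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample (not real traffic): 20 ordinary clients making 5
    requests each over 10 s, plus one source firing 120 requests in 10 s."""
    base = datetime(2023, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(milliseconds=80 * i), "203.0.113.7")
              for i in range(120)]
    for c in range(20):
        for k in range(5):
            events.append((base + timedelta(seconds=2 * k), f"198.51.100.{c + 1}"))
    events.sort()
    return [f'{ip} - - [{t.strftime(TIME_FMT)}] "GET /index.html HTTP/1.1" 200 1024'
            for t, ip in events]
```

Tune `window_s` and `threshold` against a baseline of your own traffic; a content-heavy page legitimately triggers many sub-requests per page view.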
DDoS protocol attacks mainly take advantage of weaknesses in Layers 3 and 4 of the OSI model, namely the network layer and the transport layer.
At the network layer (Layer 3), attackers flood their targets with bogus packets to jam up their networks. This technique is referred to as a “denial-of-service” attack because it effectively denies legitimate users access to the target’s network. Examples of such methods include IP spoofing and ICMP flooding.
With IP spoofing, attackers send data packets with forged source IP addresses. These packets will be accepted by the target but cannot be replied to, leading to an increase in traffic and resource exhaustion on the server side as it processes them. In ICMP flooding, attackers send a high volume of small data packets or pings that contain no actual data except for control messages meant to elicit responses from their intended victim.
At the transport layer (Layer 4), attackers abuse protocols like TCP or UDP to launch numerous connection attempts or initiate malicious transactions that may cause instability or depletion of available resources on the server side.
Common examples include SYN floods, which involve sending multiple incomplete connection requests with falsified source IPs. This floods both the incoming ports the victim’s servers use to accept connections and the outgoing ports they use to transmit data, resulting in heightened latency and service disruptions.
Another example is DNS (Domain Name System) amplification attacks, which involve sending massive amounts of DNS lookup queries using spoofed source IP addresses. This causes those requests to be relayed through unsuspecting third-party DNS servers, which respond with excessively large answers back toward the intended victim’s servers, thus exhausting their resources due to the sheer volume.
DDoS volumetric attacks, also known as bandwidth consumption attacks, use a variety of methods to flood the target system with an overwhelming amount of traffic. The goal is to consume all available bandwidth between the target and the larger internet in order to create a bottleneck and prevent legitimate traffic from reaching its destination. Malicious actors can do this by sending massive amounts of data or requests from a botnet.
One example of a volumetric attack is DNS amplification, which works by making a request to an open DNS server with a spoofed IP address. This means the server will respond back to the victim’s IP address, even though they never made the request in the first place. A good analogy is someone calling a restaurant and ordering the entire menu and then asking them to call back and repeat the entire order – but where the callback number given is, in fact, the restaurant’s number.
So while it requires little effort on the part of the attacker to generate this traffic, it can quickly overwhelm network resources and cause performance issues or even downtime for legitimate users.
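The two patterns described in the protocol and volumetric sections above, SYN floods and DNS amplification, both leave a measurable signature in flow records at the victim’s edge: many half-open handshakes from sources that never send an ACK, and DNS answers arriving for queries the host never sent. The detector below is an added example, not code from the original article; the flow tuples, addresses, and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not captured traffic), one tuple per packet:
# (src_ip, dst_ip, proto, src_port, dst_port, tcp_flags, bytes)
def constructed_flows():
    flows = [  # a normal client completing its handshake: SYN, then ACK
        ("198.51.100.5", "192.0.2.10", "tcp", 40000, 443, "S", 60),
        ("198.51.100.5", "192.0.2.10", "tcp", 40000, 443, "A", 52)]
    for i in range(500):  # SYN flood: 500 SYN-only segments, spoofed sources
        flows.append((f"10.{i // 256}.{i % 256}.1", "192.0.2.10", "tcp",
                      1024 + i, 443, "S", 60))
    for _ in range(3):  # normal DNS: 60-byte queries, 120-byte answers
        flows.append(("192.0.2.20", "198.51.100.53", "udp", 5353, 53, "", 60))
        flows.append(("198.51.100.53", "192.0.2.20", "udp", 53, 5353, "", 120))
    for i in range(50):  # reflection: 50 resolvers answer queries 192.0.2.30 never sent
        flows.append((f"203.0.113.{i}", "192.0.2.30", "udp", 53, 9000, "", 3000))
    return flows

def syn_flood_candidates(flows, min_syns=100, max_ack_ratio=0.1):
    """Flag destinations receiving many SYN-only segments whose senders
    almost never follow up with an ACK: the mark of a spoofed SYN flood."""
    syn, ack, srcs = defaultdict(int), defaultdict(int), defaultdict(set)
    for src, dst, proto, _, _, flags, _ in flows:
        if proto != "tcp":
            continue
        if flags == "S":
            syn[dst] += 1
            srcs[dst].add(src)
        elif "A" in flags:
            ack[dst] += 1
    return {d: {"syns": n, "distinct_srcs": len(srcs[d]),
                "ack_ratio": round(ack[d] / n, 3)}
            for d, n in syn.items()
            if n >= min_syns and ack[d] / n <= max_ack_ratio}

def dns_amplification_factor(flows, min_factor=10):
    """Per host: bytes of DNS answers received divided by bytes of DNS
    queries sent. A large or infinite ratio means the host is absorbing
    amplified answers it never asked for."""
    sent, received = defaultdict(int), defaultdict(int)
    for src, dst, proto, sport, dport, _, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53:
            sent[src] += nbytes
        elif sport == 53:
            received[dst] += nbytes
    factors = {h: (received[h] / sent[h] if sent[h] else float("inf"))
               for h in received}
    return {h: f for h, f in factors.items() if f >= min_factor}
```

In production, the same ratios are computed from NetFlow/IPFIX or packet capture exports; the distinct-source count is what separates a spoofed flood from one misbehaving client.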
Not all sudden spikes in network activity or latency necessarily indicate you are under a DDoS attack. However, there are some telltale signs to look out for if you suspect you may be under attack:
Mitigation pivots on the adoption of basic preparation, response, and recovery principles.
Some actions and best practices to prepare for DDoS attacks include:
When you are under a DDoS attack, your immediate response should be to:
After a DDoS attack has settled, it is vital to look back and reflect on the events leading up to the attack, your response and how future attacks could be prevented or handled more effectively. Recovery measures may include:
Dozens of DDoS software solutions and protection services can help you prevent, detect, and mitigate DDoS attacks more effectively. Some of the most popular include:
By implementing these software solutions and services, as well as adopting DDoS best practices and strategies, you can effectively protect your network from DDoS attacks and keep your systems, data, and services safe from malicious intruders.
 
  Kihara Kimachia is a writer and digital marketing consultant with over a decade of experience covering issues in emerging technology and innovation. In addition to appearing regularly in Enterprise Networking Planet, his work has been published in many leading technology publications, including TechRepublic, eSecurity Planet, Server Watch, Channel Insider, IT Business Edge, and Enterprise Storage Forum.