DDoS Attack 101: Definition, Techniques, Risks & Prevention

A distributed-denial-of-service (DDoS) attack uses a large number of machines, spread across many networks, to send traffic at your server at the same time. The flood exhausts some finite resource (bandwidth, connection state, CPU) faster than the server can free it, and the service slows to a crawl or stops responding. Legitimate requests are lost along with the junk, because a server that is already saturated cannot tell the two apart.

DDoS problems aren't new. Companies have dealt with them for years. In 2013, for example, a large DDoS attack on the DNS servers for China's .cn top-level domain disrupted access to many .cn websites, and the outage lasted for about four hours according to reports at the time.

But experts say the technique is on the rise: by one industry count, the third quarter of 2020 saw about 50 percent more DDoS attacks than the same quarter of 2019.

It's not always easy to spot a DDoS attack in progress, and once one is under way, limiting the damage is difficult. Investing in prevention and detection beforehand lowers the chance that you become an easy target.

How does a DDoS attack work?

Every server is built to accept requests and respond to them, and every response costs it something: a slot in a connection table, CPU time, bytes on the wire. A DDoS attack abuses that design by generating so much work that the server's capacity for one of those resources runs out, and it can no longer keep up with the volume.

Attackers begin by building a botnet: a network of devices they control. They might target computers and laptops, but they could also go after internet-connected devices such as doorbells, cameras or refrigerators. Anything with a network connection and an exploitable weakness (unpatched software, for example) can be infected with malware, and once infected it can be commanded to join an attack.

Experts say infected devices usually keep doing their normal job, so owners may never notice the problem. Cleaning up an infected device is also difficult, especially when owners never think to update its software or apply security patches.

Spotting bots isn't easy for a network administrator, either. Each one has its own IP address and its requests look legitimate. When a problem strikes, it's hard to know where it originates, and because the sources are spread across many networks, blocking any one address barely dents the flood.

But with an army of bots, an attacker can point them to your server and wreak havoc.

3 main types of DDoS attacks

All DDoS attacks share one goal: overwhelming the target. Attackers can achieve it in many ways, but the techniques fall into three basic types, each with important variants.

1. Application-layer attacks

Attackers who use this technique aim at the part of the stack that builds web pages when users ask for them: the web server and the application code behind it. Bots are directed to request pages over and over, and because each request can force the server to run database queries and render templates, a modest stream of requests produces a disproportionate amount of server work.

HTTP flood attacks are among the most common application-layer attacks. A hacker will direct bots to:

  • Call up a specific URL
  • Ask for specific images within a web page
  • Ask for documents via GET requests 
  • Ask for frequent refreshes of pages.

Regular users make these same requests as they browse your site. Each bot request is individually valid, so it is very difficult to separate the malicious traffic from legitimate work; the difference lies in rate and pattern rather than in any single request.

2. Protocol attacks

Protocol attacks target weaknesses in how layer 3 and layer 4 protocols such as TCP are handled, rather than the application itself. They exhaust the state tables of servers, firewalls and load balancers by starting many transactions, quickly and from many sources, that are never finished.

A SYN flood is the classic protocol attack. The attacker sends a stream of TCP connection requests (SYN packets) to the server, each with a spoofed source IP address. For every one, the server:

  • Accepts the request and records a half-open connection in its backlog
  • Sends a SYN-ACK back to the spoofed address, asking the client to complete the handshake
  • Waits for the final ACK, which never comes because nobody at the spoofed address sent the SYN
  • Runs out of backlog space, so new connection requests, including legitimate ones, are dropped until the half-open entries time out
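The handshake sequence above, modelled as an added example that is not part of the original article: a toy TCP listener with a fixed half-open queue, flooded with spoofed SYNs that never complete, and the same listener with SYN cookies, which keeps no per-connection state until the third packet arrives. The backlog size, timeout, addresses and cookie construction are assumptions chosen for illustration; real kernels differ in detail.

```python
# Added example (not from the original article): a toy model of a TCP listener's
# half-open connection queue under a SYN flood, with and without SYN cookies.
# Backlog size, timeout, addresses and the cookie construction are assumptions
# made for illustration; real kernels differ in detail.
import hashlib
import hmac
import random

BACKLOG = 128                      # assumed size of the half-open (SYN_RECV) queue
SYN_TIMEOUT = 60.0                 # assumed lifetime of a half-open entry, seconds
COOKIE_SECRET = b"per-host-secret" # assumed secret for the SYN-cookie MAC
COOKIE_BUCKET = 64.0               # assumed validity window of a cookie, seconds


class Listener:
    def __init__(self, use_syn_cookies=False):
        self.use_syn_cookies = use_syn_cookies
        self.half_open = {}        # (src_ip, src_port) -> (server ISN, expiry)
        self.accepted = 0
        self.dropped_syns = 0

    def _cookie(self, src, bucket):
        """Stateless ISN: a MAC over the peer tuple and a coarse time bucket."""
        msg = f"{src[0]}:{src[1]}:{bucket}".encode()
        mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, now):
        """Handle a SYN. Returns the ISN sent in the SYN-ACK, or None if dropped."""
        expired = [k for k, (_, exp) in self.half_open.items() if exp <= now]
        for k in expired:
            del self.half_open[k]
        if self.use_syn_cookies:
            # Nothing is stored; the connection state lives in the ISN itself.
            return self._cookie(src, int(now // COOKIE_BUCKET))
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1  # queue full: the SYN is silently dropped
            return None
        isn = random.getrandbits(32)
        self.half_open[src] = (isn, now + SYN_TIMEOUT)
        return isn

    def on_ack(self, src, ack_num, now):
        """Handle the third handshake packet; ack_num must equal ISN + 1."""
        if self.use_syn_cookies:
            bucket = int(now // COOKIE_BUCKET)
            ok = any(ack_num == (self._cookie(src, b) + 1) & 0xFFFFFFFF
                     for b in (bucket, bucket - 1))
        else:
            entry = self.half_open.pop(src, None)
            ok = entry is not None and ack_num == (entry[0] + 1) & 0xFFFFFFFF
        if ok:
            self.accepted += 1
        return ok


def simulate(use_syn_cookies, flood_size=5000):
    """Flood the listener with spoofed SYNs, then try one honest handshake."""
    srv = Listener(use_syn_cookies)
    now = 1000.0
    for i in range(flood_size):
        # Each SYN carries a distinct spoofed source (TEST-NET-2 addresses).
        # The SYN-ACK goes to that fake address, so the ACK never arrives and
        # the entry sits in the queue until SYN_TIMEOUT expires it.
        spoofed = (f"198.51.100.{i % 256}", 1024 + i // 256)
        srv.on_syn(spoofed, now)
        now += 0.001
    # An honest client shows up while the flood is still in the queue.
    client = ("203.0.113.7", 40000)
    isn = srv.on_syn(client, now)
    completed = isn is not None and srv.on_ack(client, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    return {"legit_completed": completed,
            "half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("no cookies: ", simulate(False))
    print("SYN cookies:", simulate(True))
```

Without cookies, 5,000 spoofed SYNs fill the 128-entry queue in a few milliseconds and the honest client's SYN is dropped along with the rest; with cookies the queue stays empty and the honest handshake completes, because the server only commits resources once a valid ACK proves the peer is reachable. SYN cookies do not stop the flood from consuming bandwidth, and in the general case an honest ACK that races a cookie-bucket rollover is rejected, which is why the check above accepts the current and the previous bucket.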

3. Volumetric attacks

Experts say that about half of all DDoS attacks are volumetric. They're designed to saturate your network links with more traffic than they can carry, so legitimate packets are dropped before they ever reach the server.

DNS amplification is a common form of volumetric attack. Bots send small DNS queries to open resolvers with the victim's IP address spoofed as the source, choosing queries whose answers are many times larger than the question (an ANY query for a domain with many records, for example). The resolvers dutifully send those large responses to the spoofed source, the victim, whose link fills with traffic it never asked for. Because the resolvers multiply the attacker's own bandwidth, a hacker can create a large amount of chaos very quickly.
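The reflection described above, as an added example that is not part of the original article: queries and responses are encoded in real DNS wire format, an open resolver is modelled as something that answers every query and delivers the answer to whatever source address the packet carried, and a BCP 38 ingress filter shows where the spoofing can be stopped. The domain name, the record contents, the addresses and the resolver's behaviour are constructed for illustration.

```python
# Added example (not from the original article): DNS query/response encoding
# used to model a reflection attack in which bots send small queries with the
# victim's address spoofed as the source and an open resolver sends much larger
# responses to the victim. Names, records, addresses and resolver behaviour are
# constructed for illustration.
import ipaddress
import struct

TYPE_ANY, TYPE_TXT, CLASS_IN = 255, 16, 1


def encode_name(name):
    """Encode a dotted name as DNS labels: b'\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """A minimal query: 12-byte header (RD set, one question) plus the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_response(query, answers):
    """What the resolver returns: the question echoed, then one RR per answer.
    Each RR uses a compression pointer (0xC00C) back to the question name."""
    txid = query[:2]
    question = query[12:]
    header = txid + struct.pack("!HHHHH", 0x8180, 1, len(answers), 0, 0)
    body = b""
    for rtype, rdata in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + body


def reflect(queries, zone_answers):
    """Model an open resolver: answer each query and deliver the answer to the
    packet's *source* address, which is whatever the sender put there."""
    delivered = {}
    for src, query in queries:
        delivered.setdefault(src, []).append(build_response(query, zone_answers))
    return delivered


def ingress_filter(queries, customer_prefix):
    """BCP 38 at the bots' ISP: drop packets whose source address is not in the
    customer's own prefix, so spoofed queries never reach the resolver."""
    net = ipaddress.ip_network(customer_prefix)
    return [(src, q) for src, q in queries if ipaddress.ip_address(src) in net]


def amplification_attack(victim, bots, zone_answers, name="example.com"):
    """Each bot sends one ANY query with the victim as the spoofed source."""
    queries = [(victim, build_query(name, TYPE_ANY)) for _ in bots]
    sent = sum(len(q) for _, q in queries)
    received = sum(len(r) for r in reflect(queries, zone_answers)[victim])
    return {"bytes_sent_by_bots": sent,
            "bytes_hitting_victim": received,
            "amplification": received / sent}


# Constructed zone: ten large TXT records, the kind an ANY query pulls back.
CONSTRUCTED_ANSWERS = [(TYPE_TXT, bytes([255]) + b"v" * 255) for _ in range(10)]

if __name__ == "__main__":
    stats = amplification_attack("203.0.113.9", bots=range(1000), zone_answers=CONSTRUCTED_ANSWERS)
    print(stats)
    # With the bots' upstream filtering spoofed sources, nothing is reflected.
    spoofed = [("203.0.113.9", build_query("example.com", TYPE_ANY))]
    print("after BCP 38:", ingress_filter(spoofed, "192.0.2.0/24"))
```

A 29-byte query returns a response of well over two kilobytes from this zone, so every byte the bots spend costs the victim roughly ninety; the bots themselves receive nothing and are hard to trace from the victim's side, since only the resolvers' addresses appear in the flood. The filter at the end is the structural fix: if networks drop packets that claim a source they could not legitimately have, the spoofed query never leaves the bot's network. Running an authoritative or recursive resolver, response rate limiting per destination and refusing ANY queries reduce how much one resolver can be abused for.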

Common DDoS symptoms

If your servers are working properly, they're accepting requests and responding to them. Under a DDoS attack they're doing exactly the same thing, only far more of it. So what does the difference look like from the outside?

Experts say telltale signs include:

  • Suspicious sources. A large share of the traffic comes from address ranges, networks or regions you don't normally hear from, or from many addresses that share the same unusual fingerprint.
  • Unusual traffic spikes. Request volume jumps well above your normal baseline with no matching cause such as a launch or a campaign, or a single IP address, address range or URL suddenly accounts for most of it.
  • Poor performance. Your site loads very slowly, or it's inaccessible.
  • Long-lasting outage. An outage caused by a bug or a bad deployment usually clears when you roll back or restart; a DDoS outage persists for as long as the flood does, which can be hours or days.
  • Ongoing demands. Some attackers do it for amusement, but others contact you with a ransom demand, promising to stop in exchange for a payout.
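The two signals most worth watching, per-source rate and a single URL soaking up the traffic, covering both the HTTP-flood section above and the "unusual traffic spikes" symptom, as an added example that is not part of the original article. The detector runs over constructed web-server access-log lines in Common Log Format; the thresholds, addresses and paths are assumptions chosen for illustration and would be tuned to a real site's baseline.

```python
# Added example (not from the original article): a small HTTP-flood detector
# run over constructed access-log lines (Common Log Format). Thresholds,
# addresses and paths are assumptions chosen for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 60    # assumed sliding window
PER_IP_LIMIT = 30      # assumed: more than 30 requests/min from one address is abnormal here
HOT_PATH_SHARE = 0.5   # assumed: one path taking more than half of all requests is abnormal


def parse_line(line):
    """Return (ip, unix_ts, path), or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["path"]


def detect(lines, window=WINDOW_SECONDS, per_ip_limit=PER_IP_LIMIT, hot_share=HOT_PATH_SHARE):
    """Lines must be in time order, as they are in a log file."""
    recent = defaultdict(deque)    # ip -> timestamps still inside the window
    flagged = {}                   # ip -> time it first crossed the limit
    path_counts = defaultdict(int)
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec
        q = recent[ip]
        q.append(ts)
        while q[0] < ts - window:  # discard timestamps that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit and ip not in flagged:
            flagged[ip] = ts
        path_counts[path] += 1
        total += 1
    top_path, top_count = max(path_counts.items(), key=lambda kv: kv[1]) if total else (None, 0)
    share = top_count / total if total else 0.0
    return {
        "flagged_ips": sorted(flagged),
        "total_requests": total,
        "hot_path": top_path if share > hot_share else None,
        "hot_path_share": round(share, 3),
    }


def make_line(ip, ts, path, status=200, size=2326):
    """Format one constructed CLF line."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime(TS_FMT)
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} {size}'


def constructed_sample():
    """Three ordinary visitors plus two bots hammering one expensive endpoint."""
    base = datetime(2020, 10, 10, 13, 55, 0, tzinfo=timezone.utc).timestamp()
    events = []
    for i, ip in enumerate(["203.0.113.7", "203.0.113.8", "198.51.100.23"]):
        for j, path in enumerate(["/", "/about", "/pricing", "/contact"]):
            events.append((base + 5 * j + i, ip, path))
    for k in range(40):  # bots: one request every half second for twenty seconds
        for ip in ("192.0.2.10", "192.0.2.11"):
            events.append((base + 0.5 * k, ip, "/search?q=*"))
    events.sort()
    return [make_line(ip, ts, path) for ts, ip, path in events]


if __name__ == "__main__":
    print(detect(constructed_sample()))
```

On the constructed sample the two bot addresses are flagged and the search endpoint shows up as the hot path with nearly 90 percent of all requests. The per-source rule is the cheap check, but it is also the one a real botnet defeats: ten thousand bots each sending five requests a minute never trip it, which is why the aggregate share of a single URL (or of a single user agent, or of requests with no session cookie) matters more against a distributed flood. Run this kind of counting at the edge or CDN rather than on the origin, since by the time the origin's log shows the spike the origin is already the thing being overwhelmed.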

It pays to watch your server performance carefully. The sooner you spot the problem, the better. 

How to respo