Distributed Denial-of-Service (DDoS) Attacks: Types, Consequences, and Prevention


What is a Distributed Denial-of-Service (DDoS) Attack? 

 

A DDoS attack is a cyberattack in which attackers disrupt normal operations by overwhelming servers, systems or networks. They do this by consuming the finite bandwidth, connection capacity and processing power of the target's infrastructure so that it can no longer respond to legitimate users' connection requests and data packets. 

 

DDoS attacks are a subset of Denial-of-Service (DoS) attacks. While a DoS attack originates from a single source, a DDoS attack employs many coordinated sources against the target. This amplifies the impact and, because the traffic arrives from thousands of addresses, makes it far harder to filter by source. 

 

While Distributed Denial-of-Service (DDoS) attacks are no longer headline news, they remain a standard part of the modern attacker's playbook, often serving as a smokescreen for more damaging activity. Today's attackers do not just aim to disrupt; they aim to distract. A well-timed DDoS can mask lateral movement, cover data exfiltration, or simply delay incident response while the security team is busy restoring service. So even if it seems like an 'old-school' tactic, ignoring DDoS opens the door to more serious compromises.

 

How Do DDoS Attacks Work? 

 

DDoS attacks are mostly launched from botnets: networks of compromised devices, such as computers, routers and Internet-of-Things (IoT) devices, that have been infected with malware without their owners' knowledge. A botnet can be built by the attacker or simply rented through DDoS-for-hire services (often marketed as 'booters' or 'stressers') on the dark web, and open-source attack tools lower the bar further. 

 

Attackers control these botnets via Command and Control (C&C) servers, which coordinate the timing, targets and methods of the attack. The bots either flood the target with more traffic than its links can carry or exploit weaknesses in how servers and protocols handle state, exhausting connection tables, memory or CPU so that systems slow down or crash. The growth in poorly secured IoT devices, such as cameras, appliances and sensors, has made botnets larger and cheaper, allowing even attackers with minimal technical expertise to execute DDoS attacks. 

 

 

Types of DDoS Attacks 

 

DDoS attacks are generally classified into three main types: volumetric attacks, network protocol attacks and application layer attacks. Note that attackers often employ several vectors at the same time (multi-vector attacks), or switch vectors once one is mitigated, to increase effectiveness and complicate defence. 

 

 

Volumetric Attacks 

 

Volumetric attacks, the most common type of DDoS attacks, target the network and transport layers (Layers 3 and 4 of the OSI Model). These attacks flood a network with excessive traffic, overwhelming its capacity and blocking legitimate requests. Botnets are often used to generate this traffic, employing IP spoofing to disguise the source of the attacks, making them harder to trace and block. Common examples include: 

 

  • Internet Control Message Protocol (ICMP) flood attacks: Attackers send a large volume of ICMP echo requests (ping requests) to the target, which is expected to answer each one with an echo reply. Both the inbound requests and the outbound replies consume bandwidth. ICMP flood attacks are also known as ping flood attacks. 
  • User Datagram Protocol (UDP) flood attacks: Attackers send large numbers of UDP packets, usually with spoofed source addresses, to random ports on the target. For each port with no listening service, the target checks for an application and then responds with an ICMP Destination Unreachable message, so the attack consumes both bandwidth and processing time. 
  • Domain Name System (DNS) amplification attacks: Attackers send DNS queries to open DNS resolvers with the source IP address spoofed to the target's address. The queries are chosen to elicit responses many times larger than the query (for example, ANY queries with a large EDNS0 buffer size), and the resolvers send those responses to the victim. A modest stream of queries from the attacker therefore becomes a much larger flood at the victim. 
  • Network Time Protocol (NTP) amplification attacks: In a manner akin to DNS amplification, attackers send small UDP requests to NTP servers with the source address spoofed to the target's. Commands such as monlist, which returns a list of recent clients, produce responses far larger than the request, and these are directed at the victim's IP address. 
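To make the amplification mechanism concrete, here is an added Python example that is not part of the original article. It builds a DNS ANY query in wire format, with and without an EDNS0 OPT record, and a constructed resolver reply for a hypothetical zone holding twelve 200-character TXT records. The zone contents, record counts and sizes are assumptions chosen for illustration. What it shows is that the amplification factor is simply the ratio of reply size to query size, and that without EDNS0 the reply would not fit in the classic 512-byte UDP limit, so a correct server truncates it (TC=1) and the client must retry over TCP, which is exactly why attackers advertise a large buffer size.

```python
import struct

QTYPES = {"A": 1, "TXT": 16, "ANY": 255}
OPT_TYPE = 41            # EDNS0 pseudo-RR type
CLASSIC_UDP_LIMIT = 512  # maximum UDP reply size without EDNS0


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234, edns_bufsize=4096):
    """Build a DNS query. With edns_bufsize set, an OPT record in the additional
    section tells the server how large a UDP reply the sender will accept."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)     # 0x0100: RD bit
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41; the "class" field carries the UDP payload size.
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_bufsize, 0, 0)
    return header + question + opt


def advertised_udp_size(query, question_end):
    """Return the EDNS0 buffer size from the query's OPT record, or 512 if absent."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount and len(query) >= question_end + 11 and query[question_end] == 0:
        rrtype, size = struct.unpack("!HH", query[question_end + 1:question_end + 5])
        if rrtype == OPT_TYPE:
            return size
    return CLASSIC_UDP_LIMIT


def build_response(query, txt_strings, ttl=3600):
    """Constructed reply: echoes the question and answers with one TXT record per string.
    If the full reply exceeds what the client advertised, a truncated reply (TC=1) with
    no answers is returned instead, which forces a TCP retry and kills the amplification."""
    question_end = query.index(b"\x00", 12) + 1 + 4   # QNAME terminator + QTYPE + QCLASS
    txid, question = query[:2], query[12:question_end]
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode("ascii")    # TXT rdata: one <character-string>
        # 0xC00C is a compression pointer to offset 12, i.e. the question name.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPES["TXT"], 1, ttl, len(rdata)) + rdata
    full = txid + struct.pack("!HHHHH", 0x8180, 1, len(txt_strings), 0, 0) + question + answers
    if len(full) > advertised_udp_size(query, question_end):
        return txid + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + question   # 0x8380: TC set
    return full


def amplification_factor(query, response):
    """Bytes delivered to the (spoofed) victim per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    zone_txt = ["x" * 200] * 12   # constructed zone content for the demonstration
    for bufsize in (4096, 0):
        q = build_query("example.com", "ANY", edns_bufsize=bufsize)
        r = build_response(q, zone_txt)
        print(f"EDNS0 bufsize={bufsize or 'none'}: query {len(q)} B, reply {len(r)} B, "
              f"amplification {amplification_factor(q, r):.1f}x, TC={bool(r[2] & 0x02)}")
```

With the OPT record the 40-byte query draws a 2,585-byte reply, a factor of about 65x; without it the same query gets a 29-byte truncated reply and no amplification at all. Real-world factors depend on the zone, and resolvers that refuse ANY, enforce response rate limiting, or are simply not open to the internet remove themselves from the attacker's reflector pool.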

 

 

Network Protocol Attacks 

 

Network protocol attacks exploit weaknesses in how protocols such as TCP and ICMP are handled at the network and transport layers (Layers 3 and 4 of the OSI Model) to exhaust the state tables, connection backlogs or processing capacity of servers and of middleboxes such as firewalls and load balancers. Unlike volumetric attacks, which simply generate massive traffic, protocol attacks manipulate protocol behaviour, so the attack traffic can be comparatively small. Some examples include: 

 

  • SYN flood attacks: Attackers send a stream of TCP SYN packets, usually from spoofed source addresses, and never complete the three-way handshake. The server allocates state for each half-open connection while it waits for the final ACK, so its connection backlog fills and legitimate handshakes are dropped. SYN cookies and a larger backlog are the standard host-side mitigations. 
  • Smurf attacks: Attackers send ICMP echo request packets with the victim's address as the spoofed source to the broadcast address of a network. Every host on that network replies to the spoofed address, flooding the target with ICMP echo replies. Most routers now drop directed broadcasts by default, which is why Smurf attacks have become rare. 

 

 

Application Layer Attacks 

 

Application layer DDoS attacks target the application layer (Layer 7 of the OSI Model), overwhelming servers with seemingly legitimate requests that mimic normal user behaviour, which makes detection difficult. Because each request costs the server far more to process than it costs the attacker to send, these attacks cause disruption with comparatively little traffic. Examples include: 

  • HTTP floods: Attackers send large numbers of HTTP GET or POST requests to a targeted server, often to expensive pages such as search or login endpoints. The aim is to exhaust the server's resources, such as Central Processing Unit (CPU), memory, database connections or bandwidth, by overwhelming it with more requests than it can handle. 
  • Slowloris attacks: Attackers open many connections and send partial HTTP requests, trickling in a header at a time so that each request never completes but never idles long enough to be timed out. The server keeps every connection open, and once its connection pool is full it can no longer serve legitimate clients. Unlike an HTTP flood, this needs very little bandwidth. 

 

What Are the Implications of DDoS Attacks? 

 

Financial Losses: 

 

  • Revenue loss: For businesses that depend on online operations, such as e-commerce, banking or service providers, a DDoS attack directly halts revenue generation by making websites or services unavailable. The inability to process transactions or provide services can result in significant financial setbacks. 
  • Incident response costs: Organisations must invest in cybersecurity professionals and tools to contain and mitigate the attack. This includes deploying anti-DDoS services, hiring incident response teams, and conducting post-attack forensics. These efforts can be costly, particularly if the attack persists over several hours or days. 

 

Service Disruptions: 

 

  • Critical sectors affected: DDoS attacks can disrupt essential services, particularly in industries like healthcare, financial services, or government, where system downtime can have life-threatening or severe economic consequences. 
  • User dissatisfaction: When customers or clients cannot access services, frustration grows, leading to a potential churn in user base. This not only causes short-term issues but may push users toward competitors if the disruption is prolonged. 

 

Reputational Damage: 

 

  • Loss of trust: Prolonged outages or repeated DDoS attacks can diminish the trust that customers, clients, or partners place in a business. In sectors like finance or government, where trust is paramount, such damage can be difficult to recover from. 
  • Public relations consequences: News of an attack, especially if it impacts a significant number of users, can spread rapidly through social media and news outlets. Negative publicity, even if the attack is mitigated quickly, can harm the company’s reputation and brand image, making it harder to attract new customers and retain existing ones. 

 

Motivations Behind DDoS Attacks 

 

Organisations that heavily depend on their networks and websites, possess high-value assets, or operate critical infrastructures are particularly vulnerable. Understanding the motivations helps organisations better prepare and defend against potential DDoS threats.  

 

  • Financial Extortion: Attackers may launch DDoS attacks to extort money from businesses, demanding ransom payments in exchange for stopping the attack. 
  • Competitor Disruption: Companies may target competitors to disrupt their services, potentially gaining market share or damaging their reputation. 
  • Hacktivism: Political or social motivations drive some attackers to target organizations or governments to protest their actions or policies. 
  • Cyber Warfare: Nation-states may use DDoS attacks as part of broader strategies to destabilize or disrupt critical infrastructure of rival countries. 

 

Common targets of these attacks include financial institutions, e-commerce sites, government agencies, cloud service providers, SaaS companies, and gaming platforms. 

 

 

Spotting the Signs of DDoS Attacks 

 

These symptoms often indicate a DDoS attack, though they can also stem from server malfunctions, network problems or genuine high traffic volumes, so they should be confirmed against traffic data before an incident is declared. 

 

  • Slow or Inconsistent Service Access: Users experience delays or disruptions when trying to access websites or services. 
  • Network or Server Inaccessibility: Websites, networks, or servers become completely unavailable. 
  • Increased Latency: Noticeable lag in network performance. 
  • Unusual Traffic Spikes: A sudden surge in traffic from multiple sources, often overwhelming the network. 
  • Frequent Server Crashes: Servers fail or crash repeatedly due to overload. 

 

 

Typical Ways to Defend Against DDoS Attacks

 

When a DDoS attack is under way, the incident response should aim to divert or filter the malicious traffic as quickly as possible. However, once an attack has started some impact is usually unavoidable, so establishing defences in advance is crucial. Here are some measures organisations can implement to prevent and mitigate DDoS attacks: 

 

1. Network Traffic Analysis (NTA) 

 

Network Traffic Analysis (NTA) continuously monitors traffic, typically from flow records (NetFlow, IPFIX, sFlow) or packet captures, to detect anomalies or surges that may indicate a DDoS attack: a sudden rise in packets per second, in half-open TCP connections, or in inbound UDP arriving from many sources at once. Integrated with Security Information and Event Management (SIEM) systems, NTA alerts security teams for prompt action. 

Machine learning can enhance NTA by baselining normal traffic per service and flagging deviations that fixed thresholds miss, improving detection speed and accuracy. Correlating local data with external sources, such as threat intelligence feeds and DDoS attack maps, helps reduce false positives and keeps organisations ahead of evolving threats. 
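As an added example (not code from the original article), the following Python triage script applies two of the simplest NTA checks to constructed flow records. It flags a destination and port where most inbound TCP flows never progressed beyond SYN, which is the SYN flood signature from the protocol attacks section, and a destination receiving large UDP volumes from many hosts on reflector service ports, which is the DNS/NTP amplification signature from the volumetric section. The thresholds, documentation address ranges and traffic volumes are assumptions chosen for the sample; in production they would be tuned per service from a measured baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style) as exported at the network edge."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    flags: str    # cumulative TCP flags seen in the flow ("S", "SA", "SPA", ...); "" for UDP
    packets: int
    bytes: int


# UDP services commonly abused as reflectors; the reflected traffic arrives *from* these ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 19: "chargen"}


def syn_flood_suspects(flows, min_sources=50, min_half_open_ratio=0.9):
    """Flag (dst, dport) pairs where most inbound TCP flows never got past SYN.

    A flow whose only flag is SYN is a half-open connection: the client (often a spoofed
    address) never answered the SYN-ACK, so the server held backlog state for nothing.
    Many distinct sources doing this to one port is the SYN flood signature."""
    per_target = defaultdict(lambda: {"syn_only": 0, "total": 0, "sources": set()})
    for f in flows:
        if f.proto != "tcp":
            continue
        t = per_target[(f.dst, f.dport)]
        t["total"] += 1
        if f.flags == "S":
            t["syn_only"] += 1
            t["sources"].add(f.src)
    suspects = {}
    for target, t in per_target.items():
        ratio = t["syn_only"] / t["total"]
        if len(t["sources"]) >= min_sources and ratio >= min_half_open_ratio:
            suspects[target] = {"half_open": t["syn_only"],
                                "sources": len(t["sources"]), "ratio": round(ratio, 2)}
    return suspects


def reflection_suspects(flows, min_bytes=10_000_000, min_reflectors=20):
    """Flag destinations receiving large UDP volumes from reflector service ports.

    Legitimate DNS/NTP replies are small and come from a handful of servers the host
    actually queried. Amplification traffic arrives from many reflectors at once."""
    per_dst = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        d = per_dst[f.dst]
        d["bytes"] += f.bytes
        d["reflectors"].add(f.src)
        d["services"].add(REFLECTOR_PORTS[f.sport])
    suspects = {}
    for dst, d in per_dst.items():
        if d["bytes"] >= min_bytes and len(d["reflectors"]) >= min_reflectors:
            suspects[dst] = {"bytes": d["bytes"], "reflectors": len(d["reflectors"]),
                             "services": sorted(d["services"])}
    return suspects


def build_sample_flows():
    """Constructed sample: victim 203.0.113.10 under a SYN flood and DNS reflection,
    plus benign traffic to 203.0.113.20. Documentation address ranges only."""
    flows = []
    # 200 spoofed sources each send a lone SYN to the victim's HTTPS port.
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i + 1}", 40000 + i, "203.0.113.10", 443, "tcp", "S", 1, 60))
    # 20 real clients complete sessions to the same port (SYN, PSH, ACK all seen).
    for i in range(20):
        flows.append(Flow(f"198.51.100.{i + 1}", 50000 + i, "203.0.113.10", 443, "tcp", "SPA", 40, 30_000))
    # 30 open resolvers each return ~400 KB of answers the victim never asked for.
    for i in range(30):
        flows.append(Flow(f"198.51.100.{100 + i}", 53, "203.0.113.10", 40000 + i, "udp", "", 300, 400_000))
    # Benign host: normal web sessions and a few small replies from its own resolver.
    for i in range(10):
        flows.append(Flow(f"198.51.100.{200 + i}", 51000 + i, "203.0.113.20", 80, "tcp", "SPA", 25, 18_000))
    for i in range(5):
        flows.append(Flow("198.51.100.53", 53, "203.0.113.20", 42000 + i, "udp", "", 1, 120))
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    for target, info in syn_flood_suspects(flows).items():
        print("SYN flood suspect", target, info)
    for dst, info in reflection_suspects(flows).items():
        print("Reflection suspect", dst, info)
```

Both checks key on what a volumetric or protocol attack cannot hide: the handshake that never completes, and reply traffic from services the host never queried. The benign host, with completed sessions and a few small DNS replies from one resolver, is not flagged by either rule.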

 

2. Web Application Firewall (WAF) 

 

WAFs, which specialise in defending against Layer 7 threats, inspect HTTP requests before they reach the servers or applications and can drop or challenge requests that match attack signatures, come from known-bad sources, or exceed expected rates. This keeps HTTP floods and Slowloris-style attacks away from the application, although a WAF cannot help against a volumetric flood that has already saturated the network link. 

 

3. Network Intrusion Detection and Prevention Systems (NIDPS) 

 

NIDPS detect and respond to malicious network traffic by matching known threat signatures and by using heuristic and anomaly-based techniques to identify deviations from normal behaviour. These systems are particularly effective against known attack tools and can automatically block offending sources or trigger countermeasures to safeguard the servers or networks. 

 

4. Content Delivery Networks (CDNs) 

 

CDNs distribute incoming traffic across numerous servers globally, usually announced via anycast so that each attack source reaches the nearest point of presence. This spreads the load over the provider's much larger capacity, absorbs large volumes of malicious traffic close to its source, and prevents the origin server from being overwhelmed. Dedicated DDoS scrubbing services apply the same idea to non-HTTP traffic. 

 

5. Rate Limiting  

 

Rate limiting restricts the number of requests a given client (an IP address, session or API key) may make in a time window and rejects the excess. It is most effective against application layer attacks, where each request is expensive for the server, and against abusive individual sources. It does little against a volumetric flood, because that traffic has already saturated the network link before any server-side limit can act; those attacks must be absorbed upstream by a CDN, scrubbing service or ISP. 
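The following Python token-bucket limiter is an added example, not code from the original article. It shows what a per-client limit looks like and two details that matter in a DDoS context: the limiter's own state is bounded, so an attacker rotating through many source addresses cannot exhaust its memory, and the X-Forwarded-For header is only trusted behind a proxy you control, since otherwise the attacker chooses its own bucket. The rates, addresses and the FakeClock are assumptions made for the demonstration.

```python
import time
from collections import OrderedDict


class TokenBucketLimiter:
    """Per-client token bucket. Each key may burst up to `burst` requests and is refilled
    at `rate` tokens per second. State is bounded to `max_keys` clients, evicting the
    least recently seen, so a flood from ever-changing source addresses cannot grow the
    limiter's memory without limit."""

    def __init__(self, rate, burst, max_keys=100_000, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.max_keys = max_keys
        self.clock = clock
        self._buckets = OrderedDict()   # key -> [tokens, last_refill_time]

    def allow(self, key):
        """Return True if the request for `key` is within budget, False to reject it."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            if len(self._buckets) >= self.max_keys:
                self._buckets.popitem(last=False)       # evict least recently seen client
            bucket = self._buckets[key] = [self.burst, now]
        else:
            self._buckets.move_to_end(key)
            elapsed = now - bucket[1]
            bucket[0] = min(self.burst, bucket[0] + elapsed * self.rate)
            bucket[1] = now
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False

    def tracked_clients(self):
        return len(self._buckets)


def client_key(remote_addr, forwarded_for=None, trusted_proxy=False):
    """Pick the identity to limit on. X-Forwarded-For is attacker-controlled unless the
    request arrived through a proxy you operate, so only honour it in that case."""
    if trusted_proxy and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


class FakeClock:
    """Deterministic clock for the demonstration (an assumption, not production code)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_demo():
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=5, burst=10, max_keys=1000, clock=clock)
    # Constructed flood: one source fires 100 requests within the same second.
    flood_allowed = sum(limiter.allow("192.0.2.7") for _ in range(100))
    # One second later it tries again: only rate * 1 s = 5 new tokens have accrued.
    clock.advance(1.0)
    after_pause_allowed = sum(limiter.allow("192.0.2.7") for _ in range(100))
    # A normal client at 2 requests/s never exceeds its budget.
    normal_allowed = 0
    for _ in range(20):
        clock.advance(0.5)
        normal_allowed += limiter.allow("198.51.100.9")
    # Memory bound: 5,000 distinct rotating sources leave at most max_keys entries behind.
    small = TokenBucketLimiter(rate=5, burst=10, max_keys=50, clock=clock)
    for i in range(5000):
        small.allow(f"10.0.{i // 256}.{i % 256}")
    return {
        "flood_allowed": flood_allowed,
        "after_pause_allowed": after_pause_allowed,
        "normal_allowed": normal_allowed,
        "tracked_clients": small.tracked_clients(),
    }


if __name__ == "__main__":
    print(run_demo())
```

In a deployment the limiter sits in front of the expensive handler (reverse proxy or middleware) and the key is usually combined with the endpoint, so a login route gets a tighter budget than static content. The bounded table is the important part for DDoS: an unbounded per-IP dictionary is itself a resource the attacker can exhaust.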

 

 

Don’t Let a DDoS Be the Opening Act to a Bigger Breach.

 

DDoS attacks not only disrupt services but also camouflage other breaches, making detection and mitigation a daunting task. To effectively counteract the evolving Tactics, Techniques, and Procedures used in DDoS attacks, it is crucial to implement a solid and dynamic defence strategy. 

 

Ensign’s Managed Security Services go beyond basic detection to offer proactive defence against DDoS and the stealthier attacks that often follow. Our SOC teams provide 24/7 monitoring, automated traffic diversion, and threat correlation across vectors—so your business stays resilient even when the attackers play dirty. Speak to an advisor today.

Copyright © 2025 Ensign InfoSecurity Pte. Ltd.