DDoS Attack
Push enough people through one door at once and the whole building gives way.
What happens when your systems are hit with a flood of traffic so massive, it knocks your services offline? That’s the power of a DDoS attack, and it's one of the most disruptive threats in cybersecurity today. But before diving deeper, it's helpful to understand the distinction between DoS and DDoS attacks:
- A Denial-of-Service (DoS) attack originates from a single source attempting to overwhelm a target with traffic or requests.
- A Distributed Denial-of-Service (DDoS) attack, on the other hand, uses multiple sources (often thousands of compromised devices) to launch a coordinated flood of traffic.
This distributed nature makes DDoS attacks far more powerful, resilient, and difficult to mitigate than their single-source counterparts. A DDoS attack overwhelms a server, service, or network with a flood of internet traffic, rendering it slow, unstable, or completely unavailable.
How DDoS attacks work
Every DDoS attack works by exhausting a finite resource faster than the target can replenish it. The three resources attackers go after are:
- Bandwidth, clogging the digital highways
- Server resources, exhausting memory and compute power
- Connection tables, especially in firewalls and load balancers
Types of DDoS attacks
Application Layer Attacks (Layer 7)
Layer 7 is the topmost layer of the OSI model, the one where application protocols such as HTTP operate and where the web server does the real work of answering each request: running application code, querying databases, and rendering pages. Attacks at this layer aim to exhaust the server's resources while imitating legitimate user behaviour, which makes them particularly difficult to detect: every individual request is well-formed and would be harmless on its own. They are also cheap for the attacker, because a request that costs a few hundred bytes to send can cost the server a database query and a rendered page, so a Layer 7 flood needs far less bandwidth than a volumetric one. A common example is the HTTP Flood, where the attacker sends a massive volume of GET or POST requests, similar to thousands of users refreshing a webpage at the same time. These floods range from straightforward, repeated requests to more sophisticated versions that use randomised user agents, referrer URLs, and rotating IP addresses to evade detection systems.
Protocol Attacks (Layer 3 and Layer 4)
These attacks, also known as state exhaustion attacks, exploit the underlying network and transport protocols (Layers 3 and 4 of the OSI model) to deplete the connection-tracking resources of firewalls, load balancers, and application servers. One well-known example is the SYN Flood, which abuses the TCP three-way handshake. The attacker sends a flood of SYN packets with spoofed source addresses; the server answers each with a SYN-ACK and reserves a half-open connection entry while it waits for a final ACK that never arrives, much like a warehouse worker endlessly preparing boxes for fake orders. Once the listen backlog is full, SYNs from real clients are dropped. Modern stacks counter this with SYN cookies, which encode the connection details in the sequence number of the SYN-ACK so that no state is kept until the client's ACK proves it can receive packets at that address. Other examples include Ping of Death (oversized or malformed ICMP packets that crash unpatched stacks) and Smurf (ICMP echo requests sent to a network's broadcast address with the victim's spoofed source address, so every host on that network replies to the victim); both disrupt services by abusing standard networking behaviour in abnormal volumes or formats.
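The SYN flood described above, as an added example that is not part of the original article: a constructed simulation of the same flood against a listener that reserves a half-open entry per SYN and against one that uses SYN cookies instead. The addresses are RFC 5737 documentation ranges, the secret is a fixed demo value, and the cookie layout (8-bit time counter, 24-bit truncated HMAC) is a simplified, hypothetical one rather than any real kernel's encoding.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example (not from the original article): a constructed simulation of
# a SYN flood against two listeners. Addresses come from the RFC 5737
# documentation ranges; the cookie layout is a simplified, hypothetical one.


@dataclass
class BacklogServer:
    """Classic listener: every SYN reserves a half-open entry until the backlog is full."""
    max_backlog: int
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.max_backlog:
            return False  # backlog full: SYN silently dropped, no SYN-ACK goes back
        self.half_open[(src_ip, src_port)] = 0x1000  # arbitrary ISN for the demo
        return True

    def on_ack(self, src_ip, src_port):
        # Only peers with a reserved entry can complete the handshake.
        return self.half_open.pop((src_ip, src_port), None) is not None


class SynCookieServer:
    """Stateless listener: the ISN in the SYN-ACK *is* the connection record."""

    def __init__(self, secret: bytes):
        self.secret = secret  # rotated in real stacks; fixed here for the demo

    def _mac(self, src_ip, src_port, dst_port, t):
        msg = f"{src_ip}:{src_port}:{dst_port}:{t}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")  # 24-bit truncated MAC

    def on_syn(self, src_ip, src_port, dst_port, t):
        # Cookie layout (hypothetical): 8-bit time counter | 24-bit MAC. Nothing is stored.
        return ((t & 0xFF) << 24) | self._mac(src_ip, src_port, dst_port, t & 0xFF)

    def on_ack(self, src_ip, src_port, dst_port, ack, now):
        cookie = (ack - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
        t = cookie >> 24
        if (now - t) & 0xFF > 1:  # older than two counter ticks: stale or forged
            return False
        return (cookie & 0xFFFFFF) == self._mac(src_ip, src_port, dst_port, t)


def spoofed_syns(n):
    # Constructed attacker traffic: n SYNs from spoofed sources that will never ACK.
    for i in range(n):
        yield f"198.51.100.{i % 250 + 1}", 1024 + i


def flood_backlog_server(backlog=128, syns=10_000):
    """Returns whether a legitimate client can still connect after the flood."""
    srv = BacklogServer(max_backlog=backlog)
    for ip, port in spoofed_syns(syns):
        srv.on_syn(ip, port)
    return srv.on_syn("192.0.2.10", 40000)


def flood_cookie_server(syns=10_000):
    """Returns (legit client accepted, forged ACK accepted) after the same flood."""
    srv = SynCookieServer(secret=b"constructed-demo-secret")
    for ip, port in spoofed_syns(syns):
        srv.on_syn(ip, port, 443, t=7)  # computes a cookie, allocates nothing
    isn = srv.on_syn("192.0.2.10", 40000, 443, t=7)
    legit = srv.on_ack("192.0.2.10", 40000, 443, isn + 1, now=7)
    forged = srv.on_ack("192.0.2.10", 40000, 443, 0x12345678, now=7)
    return legit, forged


if __name__ == "__main__":
    print("backlog server accepts legit client after flood:", flood_backlog_server())
    print("cookie server (legit, forged):", flood_cookie_server())
```

The backlog server drops the real client because 10,000 spoofed SYNs filled its 128 entries long before the client arrived; the cookie server accepts the real client and rejects the forged ACK without ever holding a table. The trade-off real stacks pay for this is that a cookie has no room for the options carried in the SYN (window scaling, SACK, a full MSS), which is why Linux only switches to cookies once the backlog overflows rather than using them all the time.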
Volumetric Attacks
Unlike protocol and application layer attacks, volumetric attacks aim to consume all available bandwidth between the target and the broader internet. They rely on sheer volume rather than on a specific vulnerability in the target. One notorious method is DNS Amplification: the attacker sends small queries to open DNS resolvers with a spoofed source address, that of the target, so the resolvers send their replies to the victim. Because a reply can be tens of times larger than the query that triggered it (large record sets, or an EDNS0 buffer size that permits big UDP responses), the attacker's bandwidth is multiplied before it reaches the target. Two things make this possible: UDP has no handshake, so the reflector cannot tell that the source address is forged, and many networks still forward packets with spoofed sources instead of filtering them at their edge (source address validation, BCP 38). Other volumetric techniques include UDP Floods and NTP Amplification, which abuse other open services in the same way. Many of these attacks are launched from botnets of compromised IoT devices, such as the infamous Mirai botnet, which in 2016 took over hundreds of thousands of cameras and routers by logging in with their factory-default Telnet credentials and used them to stage some of the largest DDoS attacks recorded at the time.
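What the reflection traffic above looks like from the victim's side, as an added example that is not part of the original article: the hallmark of DNS or NTP amplification is replies arriving from reflector service ports that no host inside the network ever sent a query for. The code below runs that check over constructed NetFlow-style records (RFC 5737 addresses, byte counts and the reflector port table are assumptions for the demo) and reports destinations receiving unsolicited reflector traffic from many distinct sources.

```python
from collections import defaultdict

# Added example (not from the original article): detecting reflection/amplification
# traffic from constructed NetFlow-style records as seen at the victim's network edge.
# Fields: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets). RFC 5737 addresses.

FLOWS = [
    # Legitimate: client 192.0.2.10 queries its resolver and gets a normal-sized answer.
    ("192.0.2.10", 51001, "192.0.2.53", 53, "udp", 70, 1),
    ("192.0.2.53", 53, "192.0.2.10", 51001, "udp", 180, 1),
    # Attack: 40 open resolvers each deliver a large answer to 203.0.113.10 that it never asked for.
    *[(f"198.51.100.{i}", 53, "203.0.113.10", 4444, "udp", 3900, 1) for i in range(1, 41)],
    # Plus 5 NTP servers (source port 123) abused the same way.
    *[(f"198.51.100.{i}", 123, "203.0.113.10", 4444, "udp", 4400, 9) for i in range(41, 46)],
]

# UDP services commonly abused as reflectors; the port is what identifies the service in a flow.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 389: "ldap", 1900: "ssdp", 11211: "memcached"}


def find_amplification_victims(flows, min_reflectors=10, min_bytes=100_000):
    """Return {victim_ip: summary} for hosts receiving unsolicited reflector traffic."""
    # Requests we actually saw leave the network, keyed so a reply can be matched to them.
    solicited = set()
    for src, sport, dst, dport, proto, _, _ in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            solicited.add((src, sport, dst, dport))

    per_dst = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for src, sport, dst, dport, proto, nbytes, _ in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if (dst, dport, src, sport) in solicited:
            continue  # a genuine reply to a query this host sent
        entry = per_dst[dst]
        entry["bytes"] += nbytes
        entry["reflectors"].add(src)
        entry["services"].add(REFLECTOR_PORTS[sport])

    return {
        dst: {"bytes": e["bytes"], "reflectors": len(e["reflectors"]), "services": sorted(e["services"])}
        for dst, e in per_dst.items()
        if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    for victim, summary in find_amplification_victims(FLOWS).items():
        print(victim, summary)
```

Two caveats when running this against real flow exports: exporters usually sample, so a sampled-out outbound query makes a legitimate reply look unsolicited (hence the reflector-count and byte thresholds rather than a single-flow alert), and detecting the traffic at your own edge does not relieve the uplink it has already saturated. The useful outputs are the reflector source ports and the victim address, which are what an upstream provider or scrubbing service needs in order to filter the flood before it reaches you.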
Why DDoS attacks are so dangerous
- Low barrier to entry
DDoS kits and DDoS-for-hire (booter/stresser) services are easy to find, on the open web as well as on dark-web forums. Even attackers with minimal skills can launch an attack.
- Financial & political motives
DDoS is used in ransom threats ("pay or we'll attack"), corporate sabotage, hacktivism, and cyberwarfare.
- Hard to attribute
Botnets consist of devices around the world, and volumetric attacks usually carry spoofed source addresses, making it nearly impossible to trace the real origin.
- Evolving methods
Attackers often probe targets beforehand and adjust their methods in real time. Multi-vector attacks, which combine volumetric, protocol, and application-layer techniques, are now common.
- Exploitation of IoT
As more devices come online, poorly secured IoT endpoints expand the attack surface. Botnets like Mirai show how large-scale attacks can be launched from everyday household gadgets.
- Command & Control (C&C) networks
Attackers coordinate these compromised devices through C&C servers, issuing instructions that launch synchronised attacks on demand.
Defensive strategies against DDoS attacks
1. Traffic monitoring & anomaly detection
Continuously analyse traffic patterns to detect spikes, irregularities, and known DDoS signatures; a baseline of normal traffic per service is what makes an anomaly recognisable.
2. Rate limiting
Restrict the number of requests a server will accept from a single client in a given time period. Keying only on the source IP is easy to evade with rotating addresses, so limits are often layered by IP, by network prefix, and by session or API key.
3. Web Application Firewalls (WAFs)
Especially useful for blocking Layer 7 attacks like HTTP Floods, since a WAF can inspect and challenge individual requests.
4. Content Delivery Networks (CDNs)
Distribute traffic across many edge servers, absorb volumetric traffic with their far larger capacity, and keep the origin server's address hidden.
5. DDoS protection services
Cloud-based scrubbing centres can filter out malicious traffic before it reaches your infrastructure. Volumetric attacks have to be stopped upstream: once the flood reaches your own uplink, the bandwidth is already consumed.
6. Redundant infrastructure
Diversify hosting and DNS setups so that no single component is a single point of failure.
7. Incident response planning
A clear, tested response plan, including who is authorised to engage the scrubbing provider and change DNS or routing, ensures faster mitigation when an attack occurs.
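The rate-limiting defence from the list above, applied to the HTTP flood with rotating source addresses described under Application Layer Attacks, as an added example that is not part of the original article. It replays constructed access-log lines (RFC 5737 addresses, a made-up path and user agent) through a sliding-window limiter, first keyed on the source IP and then on the /24 prefix; the prefix key and the 50-requests-per-10-seconds limit are assumptions chosen for the demo.

```python
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example (not from the original article): a sliding-window rate limiter
# replayed over constructed access-log lines. Addresses are RFC 5737 ranges.

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m["ip"], m["path"]


def by_ip(ip):
    return ip


def by_prefix24(ip):
    # Hypothetical coarser key: rotating sources inside one /24 share a bucket.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key in any `window` seconds."""

    def __init__(self, limit, window, key_fn):
        self.limit, self.window, self.key_fn = limit, window, key_fn
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, ts, ip):
        q = self.hits[self.key_fn(ip)]
        while q and ts - q[0] >= self.window:
            q.popleft()  # drop hits that have left the window
        if len(q) >= self.limit:
            return False  # would be answered with 429 at the edge
        q.append(ts)
        return True


def replay(lines, limiter):
    """Returns (allowed count, {key: blocked count}) for the log replayed in time order."""
    blocked = Counter()
    allowed = 0
    for ts, ip, path in sorted(parse_line(l) for l in lines):
        if limiter.allow(ts, ip):
            allowed += 1
        else:
            blocked[limiter.key_fn(ip)] += 1
    return allowed, dict(blocked)


def constructed_log():
    """Constructed traffic: one real user plus an HTTP flood rotating over 200 source IPs."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for n in range(1000):  # 100 req/s for 10 s, only 5 requests per source IP
        t = (base + timedelta(seconds=n / 100)).strftime(fmt)
        lines.append(f'198.51.100.{n % 200 + 1} - - [{t}] "GET /search?q={n} HTTP/1.1" 200 5120 "-" "bot/{n}"')
    for n in range(20):  # a real user browsing at 2 req/s
        t = (base + timedelta(seconds=n / 2)).strftime(fmt)
        lines.append(f'192.0.2.10 - - [{t}] "GET /page/{n} HTTP/1.1" 200 8192 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("per-IP limit  :", replay(log, SlidingWindowLimiter(50, 10, by_ip)))
    print("per-/24 limit :", replay(log, SlidingWindowLimiter(50, 10, by_prefix24)))
```

Keyed on the IP, the limiter blocks nothing: each of the 200 rotating sources stays under 50 requests, which is exactly how such floods evade a naive per-IP rule. Keyed on the /24, the same traffic is cut to 50 requests while the real user is untouched. The coarser key has its own failure mode, since many legitimate users can sit behind one prefix (carrier-grade NAT, a corporate proxy), so in practice it is used as a second, looser tier rather than a replacement, and the limit is enforced at the CDN or WAF edge so the origin never spends resources parsing the excess requests.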
Explore our MDR service
Looking for comprehensive cybersecurity solutions tailored to your organisation's needs? Explore our Managed Detection and Response (MDR) services. Our SOC provides scalability, cost-effectiveness, and access to specialised expertise. Our MDR services help organisations detect, analyse, and respond to cyber threats in real time, leveraging advanced threat intelligence and proactive monitoring to identify and mitigate risks like ransomware and cyber espionage. We also assist in navigating cybersecurity regulations such as NIS2, providing visibility into security telemetry and log retention. With an “assume breach” mindset, we help organisations strengthen their security posture and reduce the impact of potential threats.