CyberPedia
Distributed Denial of Service (DDoS)
Overview
A Distributed Denial of Service (DDoS) attack is when many computers flood a website, server, or online service with so much traffic that real users can’t get through. Instead of breaking in, the attacker overwhelms the system so it slows to a crawl or stops responding entirely.
In plain terms: a DDoS attack is like thousands of fake customers filling up a store so real customers can’t get in the door.
How a DDoS Attack Works
Most DDoS attacks involve three main pieces:
Attacker (the controller)
The person or group that coordinates the attack.
Botnet (the crowd of attacking machines)
A large number of infected computers, servers, or IoT devices (like cameras or routers) controlled remotely without their owners’ knowledge.
Each device sends traffic or requests toward the target at the same time.
Target (the victim system)
A website, API, game server, payment gateway, VPN endpoint, or other online service.
By coordinating thousands—or even millions—of devices to send bogus traffic, the attacker can consume the target’s bandwidth, server capacity, or application resources until legitimate users can’t be served.
Common Types of DDoS Attacks
There are several main flavors:
Volume‑based attacks
Goal: overwhelm the network bandwidth.
Example: massive floods of junk data (Gbps/Tbps of traffic) aimed at the victim’s internet connection.
Protocol attacks
Goal: exhaust resources in network devices (routers, firewalls, load balancers) by abusing how internet protocols work.
Example: SYN floods, ping floods, or other tricks that tie up connection tables and processing power.
Application‑layer (Layer 7) attacks
Goal: overload the actual service or application (like a web server) with what look like normal requests.
Example: sending huge numbers of fake search queries or page loads that require more CPU/database work than usual.
These can be lower volume but very targeted and harder to distinguish from real users.
What Attackers Want
Motivations behind DDoS attacks can include:
Extortion
“Pay us or we’ll keep your site down.”
Disruption and damage
Hurting a company’s operations, reputation, or revenues (for example, during sales events).
Ideological or political reasons
Hacktivism against organizations or governments.
Distraction
Drawing defenders’ attention to the outage while other, more subtle attacks (like data theft or account takeover) happen elsewhere.
Business Impact
A successful DDoS attack can cause:
Service downtime
Customers can’t access websites, apps, or APIs.
Lost revenue and productivity
E‑commerce, bookings, or core services become unavailable; staff can’t use key systems.
Reputation damage
Customers may see the company as unreliable or insecure.
Increased costs
Emergency mitigation services, overtime for staff, potential infrastructure scale‑up, and longer‑term investments in protection.
How to Recognize a Possible DDoS Attack
Signs of a DDoS attack may include:
Websites or apps suddenly becoming very slow or completely unavailable.
Spikes in traffic from unusual locations, networks, or device types.
Sudden overload on specific services (for example, the login API) without a normal business reason.
Network devices or firewalls hitting capacity or generating flood‑related alerts.
Note that some spikes may be legitimate (for example, marketing campaigns, product launches), so context matters.
Key Prevention and Protection Measures (Plain‑Language)
While you can’t fully “prevent” anyone from sending traffic at you, you can reduce the damage:
Use DDoS protection services
Many cloud and network providers offer DDoS mitigation that can absorb or filter large attacks before they reach your servers.
Overprovision and scale where it makes sense
Design systems to handle higher‑than‑normal loads, and use auto‑scaling where appropriate so you can temporarily handle surges.
Network and application tuning
Rate‑limit certain types of requests (for example, logins per IP).
Use web application firewalls (WAFs) and smart rules to filter suspicious patterns.
Segment critical services
Don’t expose everything directly to the internet.
Separate public‑facing components from internal systems so an attack on one doesn’t take down everything.
Work with your ISP and cloud providers
Ensure you know what protections and support they offer and how to reach them quickly during an attack.
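The rate-limiting measure above ("logins per IP") can be illustrated with a small per-client token bucket. The code below is an added example, not part of the CyberPedia article and not any vendor's product: it assumes a stricter bucket for the login path than for everything else, takes the current time as a parameter so the behaviour is deterministic, and uses constructed IP addresses and limits. Note the caveat that follows the block.

```python
"""Added example (not from the CyberPedia article): per-client token-bucket
rate limiting with a stricter policy for the login endpoint. Limits, paths and
IP addresses are constructed/assumed for illustration."""


class TokenBucket:
    """Classic token bucket: 'burst' tokens max, refilled at 'rate' per second."""

    def __init__(self, rate, burst):
        self.rate = rate            # tokens added per second
        self.burst = burst          # maximum tokens the bucket can hold
        self.tokens = float(burst)  # start full so normal clients are not throttled
        self.last = None            # time of the previous request, None until first call

    def allow(self, now):
        # Refill proportionally to the time elapsed since the last request.
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Assumed policy: (tokens per second, burst). The login API gets 5 attempts up
# front and then one every 10 seconds; ordinary pages are far more generous.
LIMITS = {
    "/api/login": (0.1, 5),
    "default": (10, 50),
}


class RateLimiter:
    """One bucket per (client IP, policy) so a noisy client cannot drain others' budget."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.buckets = {}

    def check(self, client_ip, path, now):
        """Return True if the request may proceed, False if it should be rejected (HTTP 429)."""
        key = path if path in self.limits else "default"
        rate, burst = self.limits[key]
        bucket = self.buckets.setdefault((client_ip, key), TokenBucket(rate, burst))
        return bucket.allow(now)


def simulate(limiter, client_ip, path, n, interval, start=0.0):
    """Send n requests spaced 'interval' seconds apart; return (allowed, denied)."""
    allowed = denied = 0
    for i in range(n):
        if limiter.check(client_ip, path, start + i * interval):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    rl = RateLimiter()
    # Constructed scenario: one source hammers the login API twice a second.
    print("flooding source:", simulate(rl, "192.0.2.100", "/api/login", 20, 0.5))
    # A normal user retrying a password a few times over a minute is unaffected.
    print("normal login:", simulate(rl, "203.0.113.10", "/api/login", 3, 30.0))
    # Browsing product pages quickly stays within the default budget.
    print("normal browsing:", simulate(rl, "203.0.113.10", "/products", 20, 0.1))
```

In production the caller would pass `time.monotonic()` as `now` and return an HTTP 429 on `False`. Per-IP limiting protects the login API from a single abusive client, but it is exactly the measure a large botnet (many source addresses, few requests each) is built to get around, which is why the article pairs it with upstream DDoS protection services and WAF rules rather than relying on it alone.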
What To Do During a DDoS Attack
If you suspect you’re under a DDoS attack:
Confirm and triage
Check monitoring dashboards and logs to distinguish between legitimate traffic spikes and attack traffic.
Engage mitigation resources
Activate your DDoS protection service, or contact your ISP / cloud provider’s security support.
Prioritize critical services
If needed, shed non‑essential traffic or features to keep core functions alive.
Communicate clearly
Inform internal stakeholders and, if prolonged, provide status updates to customers (for example, via status pages or social media).
Collect data for later analysis
Keep logs and metrics; they will help you understand the attack and strengthen defenses afterward.
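The recognition signs listed earlier (sudden spikes, load concentrating on one service such as the login API, a few sources producing most traffic) and the "confirm and triage" step above both come down to reading logs and metrics. The script below is an added example, not part of the CyberPedia article: it parses constructed access-log lines in an assumed minimal format, compares each minute's request count with the median of earlier minutes, and for any spike reports how concentrated the traffic is by endpoint and by source. It also includes a constructed legitimate spike (a campaign bringing many distinct visitors to many pages) to show why, as the article says, context matters. Thresholds and addresses are assumptions.

```python
"""Added triage example (not from the CyberPedia article): scan constructed
web-server access log lines for the warning signs the article lists: a sudden
request spike, load concentrating on one endpoint such as the login API, and a
handful of sources producing most of the traffic. Log format, thresholds and
IP addresses are all constructed/assumed for illustration."""
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed minimal log format: <ip> [<HH:MM:SS>] "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d\d:\d\d:\d\d)\] "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed baseline traffic: four ordinary requests per minute.
BASELINE_LINES = [
    '203.0.113.10 [10:00:05] "GET /" 200',
    '198.51.100.7 [10:00:21] "GET /products" 200',
    '203.0.113.55 [10:00:40] "POST /api/login" 200',
    '192.0.2.33 [10:00:58] "GET /cart" 200',
    '203.0.113.10 [10:01:03] "GET /products/42" 200',
    '198.51.100.9 [10:01:30] "GET /" 200',
    '192.0.2.8 [10:01:44] "POST /api/login" 401',
    '203.0.113.77 [10:01:59] "GET /checkout" 200',
    '198.51.100.7 [10:02:12] "GET /" 200',
    '192.0.2.33 [10:02:26] "GET /cart" 200',
    '203.0.113.55 [10:02:47] "GET /products" 200',
    '198.51.100.9 [10:02:55] "POST /api/login" 200',
]

# Constructed attack minute: three sources hit the login API 30 times in 10:03,
# with two ordinary requests mixed in.
FLOOD_SOURCES = ["192.0.2.100", "192.0.2.101", "192.0.2.102"]
BURST_LINES = [
    f'{FLOOD_SOURCES[i % 3]} [10:03:{i * 2:02d}] "POST /api/login" 401'
    for i in range(30)
] + ['203.0.113.10 [10:03:15] "GET /" 200', '198.51.100.7 [10:03:45] "GET /products" 200']

# Constructed legitimate spike: 24 distinct visitors spread over several pages.
CAMPAIGN_PATHS = ["/", "/products", "/cart", "/products/42"]
CAMPAIGN_LINES = [
    f'198.51.100.{20 + i} [10:03:{i * 2:02d}] "GET {CAMPAIGN_PATHS[i % 4]}" 200'
    for i in range(24)
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:5]  # bucket key "HH:MM"
    return rec


def analyze(lines, spike_factor=5.0, endpoint_share=0.7, source_share=0.5):
    """Flag minutes whose request count is spike_factor x the median of earlier
    minutes, and report how concentrated that traffic is by path and by source."""
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["minute"]].append(rec)
    minutes = sorted(per_minute)
    findings = []
    for idx, minute in enumerate(minutes):
        history = [len(per_minute[m]) for m in minutes[:idx]]
        if len(history) < 2:
            continue  # not enough history to call anything a spike
        baseline = median(history)
        recs = per_minute[minute]
        count = len(recs)
        if count < baseline * spike_factor:
            continue
        top_path, top_path_n = Counter(r["path"] for r in recs).most_common(1)[0]
        top_sources = Counter(r["ip"] for r in recs).most_common(3)
        top_source_n = sum(n for _, n in top_sources)
        findings.append({
            "minute": minute,
            "requests": count,
            "baseline": baseline,
            "top_path": top_path,
            "top_path_share": top_path_n / count,
            "top_sources": [ip for ip, _ in top_sources],
            "top_source_share": top_source_n / count,
            # A spike concentrated on one endpoint or a few sources is the
            # pattern worth escalating; a broad spike may just be a campaign.
            "looks_like_attack": (top_path_n / count >= endpoint_share
                                  or top_source_n / count >= source_share),
        })
    return findings


if __name__ == "__main__":
    for label, lines in [("login flood", BASELINE_LINES + BURST_LINES),
                         ("campaign", BASELINE_LINES + CAMPAIGN_LINES)]:
        for f in analyze(lines):
            print(label, f)
```

Both scenarios trip the volume check, but only the login flood is concentrated on one path and a few addresses; the campaign minute is spread across many sources and pages, which is the "legitimate spike" case the article warns about. On a real system the same questions (how much more than baseline, which endpoint, how many sources) are what to pull from dashboards before activating mitigation, and the flagged minutes and source lists are the data worth keeping for the post-incident analysis.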