How DDoS Works: Beginners Guide

Pavel Klachan Solutions Engineer @ GlobalDots
12 Min read

Distributed Denial of Service (DDoS) is usually performed by bombarding the targeted computer or resource with unnecessary requests to overload systems and prevent some or all legitimate requests from being completed.

The traffic overloading the target in a DDoS attack comes from a variety of sources. This option effectively makes stopping the attack by blocking a single source difficult. A DDoS attack is a set of cybercriminal operations intended at compromising a company’s equipment and client operations.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

With the average cost of downtime hitting $336,000 per hour, businesses must secure themselves from the DDoS perspective to reduce their threat surface.

Get the eBook: 8 Best Practices for a DDoS Protection Plan

What is a distributed denial-of-service (DDOS) attack?

So, what is a DDoS attack? Let’s look at Wikipedia:

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

In simple words, a DDoS attack is the actions of cybercriminals aimed at disrupting the performance of a company’s infrastructure and client services.

How much does DDoS cost?

The average cost of a DDoS assault is $120,000. Furthermore, a huge corporation may end up paying more than $2 million.

DDoS attacks centered on ransom and extortion have been on the rise. Many clients wind up paying hackers a substantial price only to prevent or stop the attack. Furthermore, even after paying, there is no guarantee that the hackers will keep their word.

Meanwhile, someone can purchase DDoS attacks for only $10 USD per hour. This substantial difference in the cost of purchasing a DDoS attack versus the effects of a DDoS attack makes them fairly common.

DDoS attack symptoms

A web service becomes unreliable or, in the worst-case scenario, completely inaccessible during a DDoS attack. One will notice either a large number of requests hitting the domain or a large volume of unsolicited traffic that users do not expect to see.

How long can a DDoS last?

Every DDoS assault is unique and has its objectives. One episode can last as little as 5 minutes, while others can persist for days. How long an attack can last depends entirely on the individual attack.

How do DDoS attacks work?

A dispersed denial of service attack is an attempt to cause a server to slow down or crash completely. It aims to disconnect users from a server or network resource by flooding it with service requests. While a single attack computer and one victim are involved in simple denial of service, distributed denials of service rely on legions of infected or bot computers capable of performing tasks simultaneously.

What are Botnets (if there are anything else relevant, add here)

To identify a botnet, one must first identify the source of its attacks. In most situations, these are computers and IoT devices like IP cameras and home WiFi routers. Still, people can manipulate these gadgets even though they get infected with malware. A Botnet has all of these devices.

A hacker creates a botnet to take advantage of a flaw in a system and turns it into a botmaster. The botmaster looks for other computers that are susceptible and infects them with malware. When a sufficient number of devices have gotten infected, the hacker instructs them to launch an attack; each machine sends a torrent of requests to the target server or network, overloading it and causing slowdowns or failure.

Common Types of DDoS attacks

A common website can be DDoS-ed in multiple ways. But there are three common options:

  1. Volumetric attack – you will receive a high amount of unwanted traffic.
  2. Application attack – you will receive a high number of requests to your website.
  3. Protocol attack – your server receives high amounts of unprocessable requests.

According to statistics, the ratio between volumetric and application DDoS is about 50/50. So, it’s quite obvious that the owner of a web service should be prepared to mitigate both types of attacks.

Volume Based Attacks.

A volumetric attack is one of the cheapest and easiest types of DDoS attacks. The main goal of this attack is to hammer the internet link to your web service. Let’s say, you have a website and an uplink of 1gbps. In case of this type of attack – you will receive 10gbps of incoming traffic or even more.

How will it affect your website?

It will become unavailable. Because your internet link is congested, all requests (including both regular user’s requests and volumetric attacks) can’t be delivered to your website. In most cases (but not always), these attacks can easily be mitigated with the help of your ISP. This attack is trying to congest your Internet link with UDP flood or DNS or NTP amplification.

Application Layer Attacks.

Application Layer attacks are more complex. The main goal of this attack is to make your web server defunct. Before an attacker can use an application layer attack, they need to conduct a fairly in-depth analysis of your website. Let’s say, you have a webpage that requires more computer resources on your server than other web pages (e.g., some analytical info, which should be calculated on your web service). Every request to this page will add some load to the CPU on the server. So, generating quite a lot of requests to this page – will congest your computing capacity. The effect of this attack? Slow page response to the clients or complete inaccessibility of the website.

Protocol Attacks.

Protocol attacks are similar in goal and methodology to the application layer attack. The difference, however, is that a protocol DDoS attack exploits the very architecture of internet communication protocols. For instance, every time a genuine user connects to your site or app, a three-way TCP handshake occurs. The client first reaches out with a SYN, or initial request, which is bounced back from the server via a SYN-ACK. The client ends with an ACK, starting off the data transfer process.

Imagine going in for a handshake, only for your partner to not offer their hand. Your arm would remain outstretched, lingering only a fraction of a second until the awkwardness set in. Servers are guilty of just the same – minus the social embarrassment. The receiving server expects a quick response to its SYN-ACK – but an attacker would withhold the final ACK, making the server wait a fraction longer for its predetermined timeout period.

Scaled up, the SYN DDoS attack forces the server to dedicate vast swathes of computing power to simply handling – and waiting for – SYN-ACK requests. This makes it unable to serve genuine server clients.

More specific types:

Volume-based attacks and application-layer attacks, while the most common types of DDoS attacks are not the only types of DDoS attacks. Here are a few of the more specific types of DDoS attacks that are less common, but still occur:

  • ACK Flood: Similarly to a SYN flood, they recognize session requests that were never received and do not exist. Unnecessary lookups in the state tables get generated by packets that do not correspond to any existing session on the victim’s firewall or any security device along the path.
  • DNS Flood: A DNS Flood makes falsified DNS requests to the target network at a high packet rate and from a wide range of source IP addresses. The victim’s DNS servers reply to all faked queries since they appear authentic, and the massive requests might overload their capacity.
  • Ping Flood: In a Ping Flood, an attacker sends many fake ICMP echo request packets from random source IP ranges or the victim’s IP address. By default, most network devices respond to pings by sending a reply to the source IP address.

What are DDoS attacks today?

In just the first half of 2021, a recorded 5.4 million DDoS attacks occurred representing an increase of 11% compared to last year which were already record numbers of DDoS attacks.

This pattern is likely to persist. Within an attack, another tendency is the employment of several attack paths. This pattern alters the impact of DDoS assaults on businesses and increases their risk.

How did DDoS attacks evolve?

The first known DDoS attack occurred in 1996 targeting an Internet Service Provider in New York. This attack utilized an old form of a DDoS attack called an SYN attack. The attack overloaded the ISP by flooding the network with SYN packets resulting in about 36 hours of downtime. These early forms of DDoS attacks were rudimentary and uncommon until the year 2000.

In 2000, DDoS attacks were beginning to develop into a more serious threat. The first major attack occurred in February of 2000 attacking Amazon, eBay, Yahoo, Dell, CNN, and FIFA. With this attack, the world realized how easy DDoS attacks were to conduct as a young teenager from Canada took down these major corporations using a volume-based attack.

As these attacks began to grow in frequency and severity, the tactics used for DDoS attacks also grew. Eventually, in 2007, DDoS attackers began targeting nation-states throughout Europe. These attacks continued to occur and in 2009, DDoS attackers began taking down major U.S. government sites including the Pentagon, the Department of Defense, and even the White House. While the source of these attacks is still unknown, they were believed to have occurred in North Korea.

2016 was the next major advancement in DDoS attacks with the use of botnets. Then, in 2018, these DDoS attackers realized they could ransom the sites they take down through DDoS to begin earning money. To this day, DDoS attacks continue to be a threat to any online infrastructure.

Who Performs DDoS Attacks

In the modern-day, almost anyone can perform a DDoS attack by hiring hackers. These underground hackers put their DDoS services up for sale on encrypted marketplaces typically found on the darknet. The ease of access to DDoS attacks makes them a commonplace threat.

How do hackers do DDoS attacks?

Hackers use a variety of methods to conduct DDoS attacks including volume-based attacks, application-layer attacks, ACK flood attacks, DNS flood attacks, and Ping flood attacks.

Reasons Behind a DDoS Attack

Political motivations, revenge, financial interests, criminality, or even activism can be factors in DDoS attacks, prompting many to blame governments, terrorist groups, angry employees, and even thrill-seeking lone hackers.

Attackers use DDoS assaults for a variety of reasons:

  • To interrupt the operation of a service, such as online lessons or tests.
  • For extortion.
  • As a weapon against rivals.
  • To divert attention away from the attack to deploy ransomware infections and steal company information.

The tactics attackers use to avoid detection

DDoS attackers combine a variety of methods to avoid detection and remain anonymous. These tactics include spoofing, reflection, and amplification. Spoofing allows the attacker to provide fake source addresses so the actual source address cannot be detected. Reflection utilizes thousands of different servers to mask the origin of the attack. Amplification sends a single forged packet to a website that causes legit services to send an overwhelming number of replies to the victim’s network or website.

Can you DDos Anonymously?

DDoS attacks can be conducted completely anonymously. This makes up a major component to the illicit marketplaces that DDoS attacks operate within. Traditionally, bots would all be controlled via a single command and control server that could be traced to a guilty party – this is how Evgeniy Mikhailovich Bogachev, creator of the Zeus GameOver botnet, was caught and brought to justice. However, botnet operators are now able to almost completely obfuscate their involvement by splintering the C2 infrastructure into dozens of different servers. Specific black market niches also allow for coordinated attacks from dozens of bot herders and ransomers – each of which are afforded the protection to DDoS anonymously.

Is DDoS illegal?

Almost always – yes, but in some cases DDoS attacks can also be legal. Why and when can it be legal? Sometimes you want to receive a DDoS attack to understand how good you are protected from these types of attacks. Or, you have your own solution and want to test it. There are some companies which can make a DDoS attack to your web service and provide a full report after. But all these attacks (time, destination, duration, capacity) were approved by all parties before. If the attack is not approved by all parties before the attack takes place, it is illegal.

Can you go to jail for DDoS?

Yes, DDoS attackers can go to jail under the Computer Fraud and Abuse Act which can result in up to 10 years of jail time.

Is a DDoS attack permanent?

No, but someone can attack your site every week for a few hours or even more often.

Every DDoS attack costs money. Volumetric attacks are cheaper, while application attacks – are more expensive but more difficult to stop.

Can your ISP stop a DDoS attack?

Depending on the ISP you are using, it can help you with the DDoS attack or make it even worse. What does that mean? Well, a common ISP has a lot of clients. In case of a massive DDoS attack, an ISP may not be capable of blocking the attack giving the attacker the opportunity to blackhole your web service. ISP need to choose between:

  1. Keep trying to mitigate this attack, while it affects other clients
  2. Turn off you service (disable from the Internet)

And to be honest, when an attack is massive, most ISPs will choose option 2, just to make other clients available.

Can a firewall stop a DDoS attack?

A firewall cannot stop a DDoS Attack. Admins built firewalls to protect networks from a range of security threats, and they still do, but there are gaps in DDoS and malicious server targeted attacks.

Can a VPN stop DDoS?

A VPN masks the IP address and keeps the actual location hidden by routing data traffic through remote servers. One can switch to remote servers at any time using a VPN, so even if attacked, the business does not have to halt.

Does changing IP stop DDoS?

Yes, changing your IP and DNS name can stop a DDoS attack.

Can DDoS attacks steal information?

DDoS assaults cannot steal information from website visitors. A DDoS attack’s main objective is to overwhelm a website’s resources. DDoS assaults, on the other hand, can be used for extortion and blackmail.

Can you DDoS someone with their IP?

Yes, someone can DDoS you with just your IP address. With your IP address, a hacker can overwhelm your device with fraudulent traffic causing your device to disconnect from the internet and even shut down completely.

Can you DDoS an IP using CMD?

The command prompt allows an administrative user to command a device to make continued connection requests to a specific IP address. This makes it a valuable tool in the DDoSer’s arsenal. The specific function surrounding the DDoS IP CMD is ‘ping’. Usually completely innocuous, ping offers real utility in checking connectivity with an IP network. This, however, can be abused to pull off volumetric DDoS attacks, should the bot master be able to access CMD across hundreds of thousands of devices. With a few lines of simple code – and by establishing the scope of DDoS IP addresses – the device can soon start sending infinite quantities of data packets at the victim’s servers.

How should you deal with DDoS attacks?

A DDoS mitigation plan in place can mean the difference between hours or days of disruption for an organization and a smooth and prompt response that keeps things running smoothly.

DDoS Protection should be:

  • Scalable and Volumetric
  • Agile and Cost-Effective
  • End-User Friendly
  • IoT Ready

Web application firewalls allow users to defend against web threats in seconds without slowing down the website. Contact GlobalDots now to ensure your safety!

Get the eBook: 8 Best Practices for a DDoS Protection Plan


It is important to ensure system safety to avoid compromise. Not all DDoS defenses are created equal, and tailoring them to the specific demands of a company takes experience. GlobalDots relies on years of experience to create a DDoS protection strategy specific to your business.

Contact us today to discuss how we can help create a DDoS protection strategy based on your business needs.

Latest Articles

An expert’s analysis: Here’s what we need to build a better IoT

Eduardo Rocha, Senior Solutions Engineer at GlobalDots, contributed a guest post to BuiltIn, the online community for startups and tech companies.  In the article, he outlined his approach for creating an IoT infrastructure that is both durable and secure. Here are some of the main takeaways: How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
28th February, 2023
DDoS (Distributed Denial of Service) Explained

DDoS Mitigation & Protections services are a crucial part of any internet business strategy. At GlobalDots we analyze, implement and maintain Security for variety of companies, from Fortune 500 to startups and small-to-medium enterprises. Since the topic is broad and many of our customers ask very specific questions, we decided to put together this resource […]

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
21st April, 2021
Forrester Wave™ DDoS Mitigation Solutions, Q1 2021

The recent Forrester Wave report has named GlobalDots’ prominent partners Akamai Technologies, Radware, Cloudflare & Imperva as leaders in the Bot Mitigation product category. Vendors were evaluated by 28 criteria concerning current offering, strategy, and market presence. How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48% Read Now What are the core strengths of […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
11th April, 2021

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential