Foundations of Information Security

Lesson 11

Distributed Denial-of-Service (DDoS) Attacks

Understand how DDoS attacks overwhelm online services with traffic from multiple sources. Learn the mechanics, types, and impacts of these attacks, and discover why they remain a persistent threat to organizations worldwide.

What Is a DDoS Attack?

The internet depends on the ability of servers to process requests from legitimate users. A Distributed Denial-of-Service (DDoS) Attack exploits this by flooding a target with so much traffic that it can't process legitimate requests.

Unlike a traditional Denial of Service (DoS) attack—which comes from a single source—a DDoS attack originates from many sources simultaneously. The attacker controls thousands of compromised computers and devices, often called a botnet, and directs them all to attack the same target.

The goal is simple: overwhelm the target's capacity so that legitimate users experience delays or complete outages. The target doesn't get attacked in a traditional sense—it just gets crushed under the weight of meaningless traffic.

Key concept

For penetration testers: DDoS testing is highly specialized and legally restricted. Authorized testing requires explicit written permission, careful scope definition, and coordination with the target organization. Unauthorized DDoS is a serious federal crime. Understanding DDoS mechanics is important; actually launching one without authorization is not.

How DDoS Attacks Work

A DDoS attack has three essential components working together:

The Attacker

The attacker is the orchestrator—the person or group that plans and directs the attack. They decide:

  • Which target to attack
  • When to launch the attack
  • What type of attack to use
  • How long to maintain the attack

The attacker doesn't necessarily have technical skills. They might purchase DDoS services from criminal organizations that maintain botnets and rent them out like an attack-as-a-service business.

The Botnet (Amplification Network)

A botnet is a network of compromised devices under the attacker's control. These devices include:

  • Computers — Personal computers infected with malware
  • Servers — Breached web servers or cloud instances
  • IoT devices — Smart cameras, routers, thermostats, and other internet-connected devices with weak security

Botnets can range from hundreds to millions of devices spread globally. The Mirai botnet (used in the 2016 attack against Dyn) compromised hundreds of thousands of IoT devices by exploiting default credentials and vulnerabilities.

Botnet devices are compromised through:

  • Malware — Downloaded unknowingly by users
  • Exploits — Attackers exploit unpatched vulnerabilities
  • Weak credentials — Default passwords never changed
  • Social engineering — Tricking users into installing malware

Device owners often don't know their systems are compromised. A personal computer infected by malware might be part of a botnet for months, sending attack traffic while the owner uses it normally.

The Victim

The victim is the targeted service—typically a website, online service, or network. When attacked, the victim experiences:

  • Bandwidth exhaustion — The target's internet connection becomes saturated with meaningless traffic
  • Resource exhaustion — Servers struggle to process millions of requests, consuming CPU and memory
  • Service degradation — Legitimate users experience slow response times or timeouts
  • Complete outage — The service becomes completely inaccessible

How the Attack Unfolds

The attack sequence is straightforward:

  1. Attacker issues command — The attacker sends instructions to the botnet: "Attack www.example.com with HTTP requests"
  2. Botnet activates — Thousands of compromised devices receive and execute the command
  3. Traffic flood — All botnet devices simultaneously send traffic to the victim:
    • HTTP requests to the website
    • DNS queries to the domain
    • TCP connection attempts
    • UDP packets to network services
  4. Victim overwhelmed — The sheer volume of traffic exhausts the victim's capacity:
    • Bandwidth is saturated (no room for legitimate traffic)
    • Servers become resource-starved (can't process requests)
    • Network equipment may crash under load
  5. Legitimate users blocked — Real users trying to access the service encounter:
    • Timeouts (requests never reach the server)
    • Slow responses (queued behind attack traffic)
    • Complete unavailability (service offline)
  6. Attack ends — The attacker stops sending commands, the botnet stops attacking, and the victim gradually recovers

The entire attack might last minutes to hours to days, depending on the attacker's goal and persistence.

Types of DDoS Attacks

DDoS attacks can be categorized by their method:

Diagram categorizing DDoS attacks into volumetric, protocol, and application-layer attacks, with examples and what each type exhausts.
Different layers, different bottlenecks.

Volumetric Attacks

Volumetric attacks focus on sheer traffic volume. The attacker sends enormous amounts of data consuming all available bandwidth.

UDP Flood — Attacker sends millions of User Datagram Protocol packets to the victim, each packet consuming bandwidth.

ICMP Flood — Attacker sends millions of Internet Control Message Protocol requests (ping), flooding the network with echoes.

DNS Amplification — Attacker abuses public DNS servers. They send small DNS queries, with a spoofed source address pointing to the victim, to those servers. The servers respond with much larger answers, and every response is directed at the victim, amplifying the attack.

Volumetric attacks are straightforward and powerful—they simply overwhelm capacity.

Protocol Attacks

Protocol attacks exploit weaknesses in network protocols, targeting the victim's ability to process legitimate requests.

SYN Flood — Attacker sends millions of TCP SYN packets (connection requests) to the victim. For each one, the victim allocates a half-open connection entry, replies with a SYN-ACK, and waits for the final ACK that would complete the handshake. When no ACK comes, the entry stays allocated until it times out. Eventually, the victim's connection table fills and it can't accept legitimate connections.

Fragmented Packet Attack — Attacker sends packets that are fragmented, forcing the victim to spend processing power reassembling them. With millions of fragments coming from botnets, processing becomes overwhelming.

Ping of Death — Attacker sends oversized ping packets that exceed protocol limits. Some devices crash or become unstable when processing malformed packets.

Protocol attacks exploit the rules of network communication to cause disruption.

Application Layer Attacks

Application layer attacks target the application itself, sending requests that appear legitimate but are designed to consume resources.

HTTP Flood — Attacker sends massive numbers of HTTP requests to a web application. Each request might ask for a resource that's expensive to generate, consuming CPU and memory. The requests appear legitimate, so firewalls don't block them.

Slowloris Attack — Attacker sends HTTP requests very slowly, intentionally never completing them. The victim's web server allocates resources for each connection. With thousands of slow connections, the server's connection pool fills and legitimate users can't connect.

Database Query Attack — Attacker sends requests designed to trigger expensive database queries. A simple request might trigger a database operation that takes seconds. With thousands of such requests, the database becomes bottlenecked.

Application layer attacks are harder to detect and mitigate because the traffic appears legitimate at first glance.

Real-World Impact: The Dyn Attack

In October 2016, attackers launched a massive DDoS attack against Dyn, a company providing DNS services. DNS is fundamental to the internet—it translates domain names (like twitter.com) into IP addresses.

The attack used the Mirai botnet, which had compromised hundreds of thousands of IoT devices. Smart cameras, home routers, baby monitors, and other devices with default credentials and unpatched vulnerabilities were weaponized.

The impact was staggering:

  • Major websites were inaccessible: Twitter, Netflix, Reddit, Spotify, GitHub, and dozens more
  • The outage affected millions of users across the United States and Europe
  • Some services were offline for hours
  • Businesses lost revenue; users lost access to critical services
  • The attack exposed how vulnerable IoT devices could threaten internet infrastructure

The Dyn attack demonstrated that DDoS threats aren't theoretical. Consumer devices, often overlooked by security teams, could be weaponized to attack critical infrastructure.

Consequences of DDoS Attacks

DDoS attacks cause real damage:

Financial Loss

Downtime costs money — E-commerce sites lose sales. Online banks can't serve customers. Streaming services lose subscriptions. SaaS companies lose uptime credits to paying customers. Depending on the business, an hour of outage might cost thousands or millions.

Incident response costs — Teams must respond, mitigate, and recover from the attack. DDoS mitigation services cost money. Recovery takes time and resources.

Reputational Damage

Loss of trust — Customers trust companies to keep services available. Frequent or prolonged outages erode that trust. Users abandon services that frequently go offline.

Competitive disadvantage — Competitors without outages gain market share. Customers migrate to reliable alternatives.

Operational Disruption

Service interruption — Critical services become unavailable. Hospitals relying on online systems experience delays. Banks can't process transactions. Utilities managing infrastructure go blind.

Cascading failures — When critical infrastructure like DNS becomes unavailable, dependent services fail in cascade. Attacks on DNS can break internet access globally.

Security Smokescreen

Cover for other attacks — This is particularly insidious. While security teams scramble to respond to DDoS attacks and restore services, attackers may be simultaneously:

  • Breaching networks
  • Stealing data
  • Installing backdoors and malware
  • Gaining persistent access

The DDoS attack is the distraction. The real attack happens while attention is diverted.

Defending Against DDoS Attacks

Organizations defend against DDoS through multiple approaches:

Detection and Alerting

Monitor for abnormal traffic patterns — A sudden spike in traffic from many sources indicates a possible attack.

Geographic analysis — Traffic from unexpected geographic locations might indicate botnet activity.

Traffic analysis — Analyze traffic patterns. DDoS traffic often has characteristics (all from the same ports, similar packet sizes) that distinguish it from legitimate traffic.
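As an added example that is not part of the lesson, here is one way to implement the "sudden spike from many sources" check over web-server access log lines. The single-line log format and the sample log are constructed for this demonstration; a real deployment would read its own log format and tune the thresholds.

```python
"""Flag per-second traffic spikes in an access log (added example, constructed data)."""
from collections import Counter, defaultdict
import re
import statistics

# Log line format assumed here: "<epoch-second> <client-ip> <path> <bytes>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def build_sample():
    """Constructed log: five quiet seconds, one flood second, one quiet second."""
    lines = []
    for sec in range(1700000000, 1700000005):
        lines.append(f"{sec} 203.0.113.10 /home 1500")
        lines.append(f"{sec} 203.0.113.11 /about 1800")
    # Flood second: 60 requests from 60 distinct sources, all the same size.
    for i in range(60):
        lines.append(f"1700000005 198.51.100.{i + 1} /search?q=x 64")
    lines.append("1700000006 203.0.113.10 /home 1500")
    lines.append("1700000006 203.0.113.11 /about 1800")
    return lines

def detect_spikes(lines, history=5, factor=5.0, min_sources=20):
    """Return the seconds whose request count is at least `factor` times the
    median of the previous `history` seconds AND comes from at least
    `min_sources` distinct addresses (many sources is the DDoS signature)."""
    per_sec = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        sec, ip, _path, size = m.groups()
        per_sec[int(sec)].append((ip, int(size)))
    seconds = sorted(per_sec)
    flagged = []
    for i, sec in enumerate(seconds):
        previous = [len(per_sec[s]) for s in seconds[max(0, i - history):i]]
        if not previous:
            continue  # no baseline yet
        baseline = statistics.median(previous)
        hits = per_sec[sec]
        sources = {ip for ip, _ in hits}
        # Share of requests with the single most common size: near 1.0 means
        # uniform, tool-generated traffic, a second indicator worth reporting.
        top_share = Counter(size for _, size in hits).most_common(1)[0][1] / len(hits)
        if len(hits) >= factor * baseline and len(sources) >= min_sources:
            flagged.append({"second": sec, "requests": len(hits),
                            "sources": len(sources), "top_size_share": round(top_share, 2)})
    return flagged
```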

Mitigation Strategies

DDoS mitigation services — Companies like Cloudflare, Akamai, and others provide DDoS protection. They absorb attack traffic at their large infrastructure, filtering it before it reaches the target.

Bandwidth overprovisioning — Having more bandwidth than necessary provides some buffer. If an attack sends 10 Gbps of traffic and you have 100 Gbps capacity, you might survive.

Rate limiting — Limit requests from individual sources. If one IP sends more than N requests per second, block it.
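An added example, not part of the lesson, of the per-source rate limit just described: a sliding-window limiter that blocks a source for a penalty period once it exceeds N requests per window. The request stream it replays is constructed, with one normal client and one flooding source.

```python
"""Per-source sliding-window rate limiter (added example, constructed data)."""
from collections import defaultdict, deque

class SourceRateLimiter:
    """Allow at most `limit` requests per `window` seconds from one source.
    A source that exceeds the limit is blocked for `penalty` seconds."""
    def __init__(self, limit=10, window=1.0, penalty=60.0):
        self.limit, self.window, self.penalty = limit, window, penalty
        self.hits = defaultdict(deque)   # source -> timestamps of recent requests
        self.blocked_until = {}          # source -> time its block expires

    def allow(self, source, now):
        if self.blocked_until.get(source, 0.0) > now:
            return False                 # block still in force
        recent = self.hits[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()             # forget hits older than the window
        if len(recent) >= self.limit:
            self.blocked_until[source] = now + self.penalty
            recent.clear()
            return False
        recent.append(now)
        return True

def replay(limiter, requests):
    """requests: iterable of (timestamp, source). Returns {source: (allowed, blocked)}."""
    tally = defaultdict(lambda: [0, 0])
    for ts, src in requests:
        tally[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in tally.items()}

def build_sample():
    """Constructed stream: 198.51.100.7 sends 50 req/s for 4 s, 203.0.113.5 sends 2 req/s."""
    reqs = [(i * 0.02, "198.51.100.7") for i in range(200)]
    reqs += [(i * 0.5, "203.0.113.5") for i in range(8)]
    return sorted(reqs)
```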

Anycast routing — Distribute services across multiple data centers so attack traffic gets distributed rather than concentrated.

Application-level filtering — Analyze requests at the application layer, distinguishing attack traffic from legitimate traffic and filtering accordingly.

Incident response procedures — Document procedures for responding to DDoS attacks. Who gets notified? When do you activate mitigation? How do you communicate with customers?

Reducing Botnet Growth

Secure IoT devices — Change default credentials, patch vulnerabilities, and disable unnecessary services. The Dyn attack succeeded because so many IoT devices were easily compromised.

Endpoint security — Antivirus, anti-malware, and security monitoring help detect compromised devices.

User awareness — Training users to recognize malware and avoid downloading malicious files helps prevent botnet infections.

DDoS Is a Persistent Threat

DDoS attacks are common and evolving:

  • Frequency increasing — DDoS attacks occur constantly against organizations worldwide
  • Scale growing — Attacks are getting larger as botnets grow and techniques improve
  • Sophistication rising — Attackers combine DDoS with other attacks, use multiple attack types simultaneously, and adapt techniques in real time
  • Availability of services — Criminals rent DDoS services, making attacks accessible to non-technical attackers
  • IoT expansion — Growing numbers of poorly-secured IoT devices create ever-larger potential botnets

Organizations must assume they'll face DDoS attacks. The question isn't if but when and what mitigation capabilities they have ready.


Flashcards

  • What is a Distributed Denial-of-Service (DDoS) attack?
  • How does a DDoS attack differ from a DoS attack?
  • What is a botnet?
  • How are IoT devices used in botnets?
  • What is a volumetric DDoS attack?
  • What is a SYN flood attack?
  • What is an HTTP flood attack?
  • Why might attackers use DDoS as a smokescreen?
  • What is DDoS mitigation?
  • What was the impact of the 2016 Mirai attack on Dyn?

Exercises

Exercise 1 — Choose mitigations for a DDoS scenario

A public website is hit by a traffic flood. List:

  1. Two likely DDoS categories (volumetric / protocol / application)
  2. One mitigation per category (high level)
  3. One metric you would monitor during the incident

Open questions

Question 1 — Why is DDoS difficult to stop at a single point in your infrastructure?

Next Lesson

Now that you understand volumetric attacks targeting availability, it's time to explore ransomware—attacks that target data confidentiality and integrity through encryption and extortion.

Next: Ransomware Threat Landscape