A Distributed Denial-of-Service (DDoS) attack is an attempt to overwhelm a server, network, or online service with excessive internet traffic, rendering it inaccessible to legitimate users. An evolution from the somewhat simpler “denial of service” attacks, DDoS attacks exploit multiple compromised devices, including IoT devices like routers and cameras, to launch a coordinated assault from numerous sources simultaneously.
A DDoS attack is similar to creating an artificial traffic jam on a busy road, which means that legitimate visitors cannot reach their destination. Overloading the target's system causes disruptions that block users from accessing essential online services like websites and applications.
This type of attack often relies on a botnet, which is a network of compromised devices (like computers, IoT gadgets, routers) that attackers control remotely through malware installed on the devices. These devices, sometimes called “zombies,” are coordinated through Command and Control (C&C) servers.
When attackers deploy the botnet, they direct the compromised devices to send an overwhelming amount of traffic to the target. This attack can take various forms:
A SYN Flood attack uses the TCP handshake process to send numerous SYN requests to a server without completing the handshake. This leaves the server overwhelmed with half-open connections, slowing down or crashing the system.
In a DNS amplification attack, attackers send queries carrying the target's spoofed IP address to public DNS servers. Because the servers answer with responses far larger than the queries, and those responses go to the target, its bandwidth is saturated and normal operations are disrupted.
Sometimes, attackers use multi-vector attacks, targeting multiple layers of a network or application simultaneously, making defense much more complicated.
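The half-open connection condition described for SYN floods above can be checked directly from a host's TCP connection table. The following is an added example (not code from the original article): it parses a snapshot in the column layout of `ss -tan` and reports how many connections sit in SYN-RECV, overall and per remote source. The snapshot, the threshold and the function names are constructed for illustration.

```python
"""Count half-open (SYN-RECV) TCP connections from a connection-table snapshot.

Added example, not the article's code. The sample below is constructed to
mimic `ss -tan` output; it is not captured from a real host.
"""
from collections import Counter

# Constructed sample in the column layout of `ss -tan`:
# State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB    0      0      10.0.0.5:443        198.51.100.12:51402
SYN-RECV 0      0      10.0.0.5:443        203.0.113.7:40001
SYN-RECV 0      0      10.0.0.5:443        203.0.113.7:40002
SYN-RECV 0      0      10.0.0.5:443        203.0.113.7:40003
SYN-RECV 0      0      10.0.0.5:443        203.0.113.9:40004
ESTAB    0      0      10.0.0.5:443        198.51.100.44:52210
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:40005
"""


def parse_ss(output):
    """Return a list of (state, local_endpoint, peer_ip) for each data row."""
    rows = []
    for line in output.splitlines()[1:]:  # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        peer_ip = peer.rsplit(":", 1)[0]  # drop the ephemeral source port
        rows.append((state, local, peer_ip))
    return rows


def half_open_report(output):
    """Return (half_open_count, half_open_ratio, per_source_counter).

    A high ratio of SYN-RECV to total entries is the aggregate symptom of a
    SYN flood; the per-source counter shows whether it comes from few hosts.
    """
    rows = parse_ss(output)
    half_open = [r for r in rows if r[0] == "SYN-RECV"]
    per_source = Counter(peer for _, _, peer in half_open)
    total = len(rows)
    ratio = len(half_open) / total if total else 0.0
    return len(half_open), ratio, per_source


def suspicious_sources(output, min_half_open=3):
    """Sources holding at least `min_half_open` half-open connections (assumed threshold)."""
    _, _, per_source = half_open_report(output)
    return sorted(ip for ip, n in per_source.items() if n >= min_half_open)


if __name__ == "__main__":
    count, ratio, per_source = half_open_report(SAMPLE_SS_OUTPUT)
    print(f"half-open: {count} ({ratio:.0%} of entries)")
    print("sources over threshold:", suspicious_sources(SAMPLE_SS_OUTPUT))
```

In a real flood the source addresses are usually spoofed, so the per-source counter thins out and the total count and ratio become the useful signal; on Linux the standard kernel-side mitigation for this condition is SYN cookies (`net.ipv4.tcp_syncookies`), which lets the server stop keeping state for half-open connections.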
Most businesses are able to identify and neutralize these threats only if they use robust, layered security measures. Why? Because DDoS attacks manipulate standard network protocols and services to blend malicious traffic with legitimate data, which makes it really difficult to trace it and stop it.
DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks have the same goal: disrupting online services by overwhelming them with traffic. There are significant differences, though, and we will go through them one by one.
A DoS attack typically originates from a single source; in other words, it uses one system to flood the target with traffic or exploit vulnerabilities. Using a metaphor, this is like one person continually knocking on a door: disruptive, but manageable with basic defenses. Because the source is easily identified and isolated, a DoS attack today usually causes only a temporary service outage.
A DDoS attack uses a network of compromised devices, also known as a botnet, and launches a coordinated assault from multiple locations. Through hundreds or thousands of infected devices (ranging from computers to IoT gadgets), attackers create a large-scale flood of traffic. This “distributed” approach overwhelms the target’s ability to manage connections and makes it far more difficult to handle, especially considering that the traffic might seem to be coming from legitimate-looking sources from various locations on the globe. This vast amount of traffic can be enough to overwhelm even well-defended networks.
Another thing to note is that these attacks can also target multiple layers of a system - network, transport, application layers, and so on, which makes defense even harder.
| | DoS (Denial of Service) | DDoS (Distributed Denial of Service) |
|---|---|---|
| Source | Single system (one attacker) | Multiple systems (usually a botnet of compromised devices) |
| Scale | Limited | Large-scale (because it uses hundreds or thousands of devices) |
| Complexity | Easier to detect and mitigate | Sophisticated |
| Target Layers | Typically targets a single layer (e.g., network) | Can target multiple layers (network, transport, application) |
| Defense | Easier to block (traffic is from one source) | Challenging (because of its distributed, legitimate-looking traffic) |
To disrupt services, these attacks can target different layers of a network, and, from this point of view, we can consider the following 4 main types:
Volumetric Attacks: Their goal is to overwhelm a target’s bandwidth with large volumes of malicious traffic, often relying on botnets. Common examples: UDP floods (attackers send numerous packets to random ports), DNS amplification attacks (use public DNS servers to multiply traffic directed at the target).
Protocol Attacks: Protocol attacks, also known as state-exhaustion attacks, exploit vulnerabilities in network protocols to deplete server resources or network equipment (like firewalls and load balancers). SYN floods manipulate the TCP handshake process, while the Smurf attack uses ICMP packets to flood the network by tricking devices into responding to spoofed IP addresses – which consumes network resources and disrupts traffic flow.
Application Layer Attacks: Also called Layer 7 attacks, they target the application layer, where web pages and services are processed. These attacks generate seemingly legitimate requests, such as the HTTP flood attack, which overwhelms web servers with continuous HTTP requests. Because they look like legitimate user behavior, it can be very difficult to distinguish real traffic from malicious activity.
Hybrid Attacks: Some attacks combine multiple vectors (for example, they can use volumetric, protocol, and application layer techniques) to maximize impact and evade defenses. Attackers may switch methods in the middle of the attack. They could start with a DNS amplification attack and transition to an application layer attack, so that different parts of the infrastructure are overwhelmed simultaneously. Static defenses are much less efficient when facing this type of approach.
The main effect of a DDoS (Distributed Denial of Service) attack is the disruption in network communication and everything that this can entail – usually significant downtimes and productivity losses. Legitimate users are blocked from accessing essential services and information, which cuts off customers, employees, and partners from critical resources. The easiest to understand example is probably e-commerce: a successful attack results in stopping transactions, customer frustration, lost sales and, obviously, a drop in user satisfaction.
For all these reasons, DDoS attacks can lead to substantial financial losses. Not being able to process orders or offer customer support can lead to potential costs of $40,000 per hour or more, when lost sales, recovery expenses, and reduced productivity are aggregated, as in the case of a major VoIP provider who lost approximately $12 million from a prolonged DDoS attack in 2021.
DDoS attacks can also damage your reputation. Repeated service outages erode customer trust, as customers may associate frequent downtime with unreliability and switch to competitors, especially in industries where service is mission critical. In finance, healthcare or e-commerce, this reputational damage can mean long-term revenue loss and decreased customer loyalty. A recent example is the Internet Archive, a beloved (if controversial) organization that is under constant attack and apparently had a data breach affecting 31 million users.
DDoS attacks can also impact business partners and supply chains. In connected industries, outages can delay operations downstream, impacting partners and vendors.
Something that is often overlooked is the drop in morale of internal security and IT teams that face repeated crises, which can hurt overall productivity and even lead to employee burnout.
And finally, DDoS attacks are being used as smokescreens to distract security teams while attackers try other breaches, like data theft or ransomware deployment.
Recognizing key signs of an attack and responding quickly can greatly limit their impact; below, we offer a checklist of things to watch for and implement internally.
Sudden Traffic Spikes: Unusual surges from unexpected sources or locations, which is often among the first signals of an attack.
Slow Network Performance: Slower-than-normal responses or delays in loading websites and applications.
Frequent 503 Errors: Users reporting “503 Service Unavailable” errors, although there are no scheduled maintenance tasks.
Ping Request Failures: Persistent “Request Timed Out” responses.
Baseline Deviation: When the typical traffic behavior is monitored, it is possible to detect unusual patterns and have a faster response.
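The "sudden traffic spikes", "frequent 503 errors" and "baseline deviation" signs above can be turned into one check over a web server's access log. Below is an added example (not code from the original article) that buckets constructed common-log-format lines per minute, builds a baseline from the first few quiet minutes, and flags minutes whose request count exceeds that baseline, reporting how many distinct sources and how many 503 responses the spike contained. The log lines, the baseline window and the `k` multiplier are assumptions.

```python
"""Flag request-rate spikes against a baseline built from quiet minutes.

Added example, not the article's code. The access-log lines are constructed
inline (common log format) and are not real traffic.
"""
import re
from statistics import mean, pstdev

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \d+'
)


def make_line(ip, minute, second, status):
    """Build one constructed access-log line at 12:<minute>:<second> on 10 Oct 2024."""
    return (f'{ip} - - [10/Oct/2024:12:{minute:02d}:{second:02d} +0000] '
            f'"GET / HTTP/1.1" {status} 512')


# Constructed: four quiet minutes with three requests each, then a burst in
# minute 12:04 from 40 distinct sources where the server starts answering 503.
SAMPLE_LOG = []
for minute in range(4):
    for s in range(3):
        SAMPLE_LOG.append(make_line(f"198.51.100.{10 + s}", minute, s * 15, 200))
for i in range(60):
    status = 503 if i >= 30 else 200
    SAMPLE_LOG.append(make_line(f"203.0.113.{i % 40 + 1}", 4, i % 60, status))


def per_minute_stats(lines):
    """Return {minute_key: {'requests', 'sources', 'errors_503'}} from log lines."""
    stats = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on noise
        minute = m.group("ts")[:17]  # 'dd/Mon/yyyy:HH:MM'
        bucket = stats.setdefault(minute, {"requests": 0, "sources": set(), "errors_503": 0})
        bucket["requests"] += 1
        bucket["sources"].add(m.group("ip"))
        if m.group("status") == "503":
            bucket["errors_503"] += 1
    return stats


def flag_spikes(lines, baseline_minutes=3, k=3.0):
    """Flag minutes whose request count exceeds baseline mean + k * stddev.

    A floor of 2x the baseline mean is applied so that a perfectly flat
    baseline (stddev 0) does not flag a one-request increase.
    """
    stats = per_minute_stats(lines)
    minutes = sorted(stats)
    base = [stats[m]["requests"] for m in minutes[:baseline_minutes]]
    mu, sigma = mean(base), pstdev(base)
    threshold = max(mu + k * sigma, 2 * mu)
    flagged = []
    for m in minutes[baseline_minutes:]:
        b = stats[m]
        if b["requests"] > threshold:
            flagged.append({
                "minute": m,
                "requests": b["requests"],
                "distinct_sources": len(b["sources"]),
                "pct_503": round(100 * b["errors_503"] / b["requests"], 1),
                "threshold": threshold,
            })
    return flagged


if __name__ == "__main__":
    for spike in flag_spikes(SAMPLE_LOG):
        print(spike)
```

The number of distinct sources in a flagged minute is the field that separates a distributed flood from a single misbehaving client, and the 503 share tells you whether the spike has already started to starve legitimate users; in practice the baseline should come from the same hour on previous days rather than from the minutes immediately before, since a slow ramp-up would otherwise raise the threshold along with the attack.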
A swift response can greatly reduce the impact of an attack:
Detection Systems: Use tools (IDS, NDR, SIEM, XDR, etc.) to identify and filter malicious traffic.
Traffic Filtering: Apply IP filtering or rate limiting to control traffic volume.
Divert Traffic: Route traffic to scrubbing centers or distribute loads across CDNs.
Alert Stakeholders: Communicate with internal teams and, if needed, inform users of potential service disruptions.
After the attack, analyze data to improve your security protocols, focusing on areas of vulnerability.
IP Spoofing: Forged source IP addresses make it hard to trace traffic back to its origin.
Botnet Coordination: Attackers launch attacks from multiple locations using devices they control.
Traffic Reflection and Amplification: Attackers might use intermediary servers to amplify their attack, sending small requests to these servers that then respond with larger data packets directed at the target.
Dynamic Attack Patterns: Automated systems allow them to change tactics mid-attack and bypass defenses.
A good protection strategy should use multiple tools and services to detect, mitigate, and prevent. A “layered security” approach can give you full coverage (below are some solutions for a solid defense).
Firewalls and Web Application Firewalls (WAFs): Firewalls are the primary defense against unauthorized traffic, blocking unwanted access at the network perimeter. Web Application Firewalls (WAFs) add a layer of protection against application-layer DDoS attacks by filtering malicious HTTP and HTTPS traffic targeting web applications. Together, they provide protection at both the network and application levels.
DDoS Scrubbing Centers: Scrubbing centers divert traffic to dedicated facilities, where legitimate data is “scrubbed” and separated from malicious traffic. This is highly effective for large-scale attacks, as it can filter data before forwarding clean traffic to the target server so that the services are not interrupted.
Content Delivery Networks (CDNs): CDNs distribute content across multiple global servers, and because traffic is dispersed, CDNs can absorb and redirect malicious requests. This way, service remains available even during high-volume attacks. CDNs are especially valuable for industries with high online activity, like e-commerce and finance.
Cloud-Based DDoS Mitigation: Cloud-based mitigation solutions offer scalability, filtering traffic at the cloud level before it hits your network. They can handle large distributed attacks without using up internal resources, which makes them well-suited for on-demand high-capacity protection.
Automated Monitoring and Advanced Detection Systems: There are advanced tools - such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) - that continuously monitor traffic for anomalies. These systems leverage machine learning to detect early signs of attacks, allowing for automated or rapid responses. Regularly testing these defenses helps ensure readiness and identifies any gaps in protection.
Hybrid DDoS Solutions: Hybrid solutions combine on-premises defenses (for example, firewalls with cloud scrubbing) and give you flexibility whether it's a small, targeted attack or a large-scale volumetric attack. When done right, this flexibility can meet any attack and offer the best protection.
To strengthen resilience against this type of threat, organizations need to combine technological defenses with regular staff training on security best practices.
Limit Exposure: Reduce the attack surface by (a) minimizing internet-facing services and (b) restricting unnecessary network ports. Firewalls and Access Control Lists (ACLs) ensure that only essential traffic reaches your network, which decreases exposure to potential attacks. To use a simple metaphor, think of it as allowing only authorized visitors into a secure building.
Rate Limiting: Putting a rate limit on network devices can offer simple control over the volume of incoming requests. In simpler terms, what rate limiting does is capping the number of requests a server or device can handle within a set timeframe. So, if a surge of requests occurs (a DDoS attack), rate limiting prevents the server from being overwhelmed by excessive traffic. While this can result in slight delays for legitimate users, it keeps the system working and prevents a total crash.
Load Balancing and Redundancy: Distributing traffic across multiple servers prevents any single server from being overwhelmed. Load balancers help maintain service availability by redirecting traffic - like when the human crowds are directed to alternate entrances to prevent congestion.
Use Content Delivery Networks (CDNs): These networks store content copies on multiple servers worldwide. By redirecting traffic to the nearest server, CDNs prevent any single server from becoming overloaded.
Implement Cloud-Based DDoS Mitigation Services: Cloud-based solutions filter malicious traffic before it reaches the network. These scalable defenses are especially effective for high-volume threats without impacting internal infrastructure.
Baseline Monitoring: Regularly monitor network traffic to establish baselines and detect unusual spikes (possible DDoS attacks).
Regular Defenses Testing: Simulated attacks help identify gaps in protection and verify that defenses are properly configured. To prepare for real incidents, regular testing methods can be organized – for example, stress testing, penetration testing, and red team exercises.
Threat Intelligence: Monitoring global DDoS trends can help you proactively adjust defenses and address emerging threats.
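The "Rate Limiting" measure above is usually implemented as a token bucket: each client starts with a small allowance, spends one token per request, and earns tokens back at a fixed rate, so a short burst passes but a sustained flood is capped. The following is an added example (not code from the original article) with a per-client token bucket and a constructed trace of one well-behaved client and one flooding client; the rate, burst size and addresses are assumptions.

```python
"""Per-client token-bucket rate limiter with a deterministic simulation.

Added example, not the article's code. Time is passed in as integer
milliseconds so the results are reproducible; production code would use
time.monotonic() instead.
"""


class TokenBucketLimiter:
    """Each client may burst up to `burst` requests, then is held to
    `rate_per_sec` sustained requests per second."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.buckets = {}  # client -> (tokens, last_seen_ms)

    def allow(self, client, t_ms):
        """Return True if the request at time t_ms may proceed, else False."""
        tokens, last = self.buckets.get(client, (self.burst, t_ms))
        # Refill proportionally to elapsed time, never above the bucket size.
        tokens = min(self.burst, tokens + (t_ms - last) * self.rate / 1000)
        if tokens >= 1:
            self.buckets[client] = (tokens - 1, t_ms)
            return True
        self.buckets[client] = (tokens, t_ms)  # remember the partial refill
        return False


def simulate(trace, rate_per_sec=5, burst=10):
    """Run a trace of (t_ms, client) pairs; return {client: (allowed, denied)}."""
    limiter = TokenBucketLimiter(rate_per_sec, burst)
    outcome = {}
    for t_ms, client in sorted(trace):
        allowed, denied = outcome.get(client, (0, 0))
        if limiter.allow(client, t_ms):
            allowed += 1
        else:
            denied += 1
        outcome[client] = (allowed, denied)
    return outcome


# Constructed trace: a legitimate client at 2 requests/s (under the 5/s limit)
# and a flooding client at 10 requests/s, both for ten seconds.
LEGIT = [(t, "198.51.100.12") for t in range(0, 10_000, 500)]
FLOOD = [(t, "203.0.113.7") for t in range(0, 10_000, 100)]

if __name__ == "__main__":
    for client, (ok, dropped) in simulate(LEGIT + FLOOD).items():
        print(f"{client}: allowed={ok} denied={dropped}")
```

With a 5 requests/s rate and a burst of 10, the legitimate client's 20 requests all pass, while the flooding client gets its initial burst plus roughly 5 per second afterwards and has the rest refused. The caveat for DDoS specifically is that a per-client limit only helps when the flood comes from a manageable number of addresses; when each of thousands of bots stays under the limit, the limit must also be applied globally (per URL or per backend) and combined with the upstream filtering and scrubbing the article describes.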
Regular training on recognizing phishing attempts, unusual attachments, and other social engineering tactics minimizes accidental exposure. To make employees an essential part of your security strategy, educate staff on security protocols and incident reporting.
The first known attack is generally considered the 1996 attack on Panix, one of the oldest internet service providers, which was crippled for several days by a SYN flood. In the years that followed, attacks grew in scale and sophistication. In 2012, a series of big DDoS waves hit major US banks, including Bank of America and JPMorgan Chase, allegedly by state-sponsored actors.
The 2016 Mirai botnet attack is still considered a turning point in DDoS history: by compromising IoT devices like cameras and routers, Mirai launched massive traffic floods that took down popular websites and services, including Twitter and Netflix.
In 2020, Google mitigated a 2.5 Tbps attack, the largest ever recorded, showing just how much bandwidth botnets can command. Then, in 2023, an even bigger attack hit Google and AWS and set a new DDoS benchmark. It exploited a vulnerability in the HTTP/2 protocol's Rapid Reset feature, a new technique that allows attackers to flood servers by opening and closing connections continuously, bypassing rate limiting.
The 2016 Dyn attack is almost a textbook example of a DDoS at scale: a botnet of compromised devices flooded Dyn's infrastructure with traffic, taking down popular platforms like Twitter, Netflix and Reddit. The attack exploited vulnerable Internet of Things (IoT) devices with weak security, proof that almost any connected device can be weaponized to affect millions of users and businesses.
However, since then, DDoS attacks have evolved to be incredibly complex and adaptive. The dark_nexus botnet, identified in 2020, is an example of a tactic that brought a new level of sophistication. Built on existing frameworks (like Qbot and Mirai), dark_nexus introduced a "killer module" that removed other malware on infected devices so that it could dominate them more effectively. Designed to exploit IoT devices such as routers and video recorders, dark_nexus specifically targeted regions like South Korea, Brazil, and Russia. Its creator used advanced techniques like asynchronous Telnet scanning and credential stuffing to compromise weak devices. IP spoofing and traffic masking make it elusive and destructive, as it routes attack traffic through infected devices, complicating detection efforts. Described by researchers as an evolving threat, dark_nexus shows how DDoS attacks are no longer simple traffic floods but sophisticated, adaptive threats demanding robust defenses.
DDoS attacks are illegal in most countries, with about 80% of countries having specific cybercrime laws to tackle these types of threats.
Given the operational and financial impact of such an attack, this is always considered illegal, especially when legislators consider that attackers can disrupt critical services like healthcare or public safety. Courts generally rule these attacks illegal regardless of intent - the intentional disruption of services remains a cybercrime. New laws are created to address evolving tactics (such as IoT-based attacks) so that society can keep up with attackers’ innovations.
DDoS attacks are illegal under laws such as the U.S. Computer Fraud and Abuse Act and the UK's Computer Misuse Act, with penalties including fines and imprisonment. In 2019, for example, a U.S. individual received a 27-month prison sentence and was fined $95,000 for targeting gaming companies. The cross-border nature of DDoS attacks often requires international collaboration between law enforcement agencies. Initiatives like Europol’s “Power OFF” operation and the UK’s use of undercover DDoS-for-hire websites are recent examples of a proactive global effort to dismantle malicious networks and prosecute offenders.
Perpetrators of DDoS attacks vary, from cybercriminals and hacktivists to DDoS-for-hire customers. Organized cybercriminal groups employ DDoS attacks to extort companies, while some nation-state actors use them as cyber warfare tactics.
Hacktivist groups sometimes argue that DDoS attacks should be recognized as digital protests. Unfortunately, these attacks often disrupt essential services and harm bystanders, much like blocking emergency exits in a building. Despite the fact that some hacktivist groups view DDoS as a form of civil disobedience, most courts maintain that its harm to businesses, services, and individuals outweighs any political motives.
Bitdefender’s GravityZone Platform offers a multi-layered defense against DDoS threats by using Endpoint Detection and Response (EDR) and Advanced Threat Control (ATC) to monitor system behavior for signs of botnet infections, which are often the driving force behind DDoS attacks. ATC’s behavioral analysis helps detect unusual activities that indicate botnet attempts to connect to Command & Control (C&C) servers, enabling timely intervention.
Bitdefender’s endpoint protection includes powerful network security tools such as a web traffic scanner that can prevent access to known malicious IPs and can also detect and block the download of malicious payloads. Within GravityZone, Network Attack Defense acts as a critical layer against network-based DDoS attacks. This feature filters malicious traffic in real time, blocking attack methods such as brute force, lateral movement, and excessive request spikes, which are common in DDoS incidents. Additionally, Content Control further reduces exposure to botnets by restricting access to known malicious IP addresses and domains, making it harder for DDoS attacks to gain a foothold within the network.
For enhanced situational awareness, Extended Detection and Response (XDR) brings comprehensive visibility across endpoints, networks, cloud, and email, helping teams detect DDoS indicators across the organization. Integrated Anomaly Detection flags unusual traffic patterns, allowing security teams to detect and mitigate irregular data flow indicative of DDoS activity in real-time. HyperDetect further fortifies defenses by detecting and blocking pre-execution DDoS methods that use sophisticated fileless tactics to evade detection.
Bitdefender’s Managed Detection and Response (MDR) offers 24/7 monitoring and active intervention, providing a hands-on solution for DDoS detection and mitigation when in-house teams need additional support. For preventative measures, Patch Management helps close security gaps by automatically identifying and applying critical updates, reducing vulnerabilities that DDoS attackers often exploit. Additionally, Bitdefender’s Advanced Threat Intelligence delivers real-time insights into emerging DDoS threats, empowering organizations to stay resilient as DDoS tactics continue to evolve.
DDoS attacks are usually directed at websites and online systems that play critical roles in business and communication. Financial services, government websites, communication platforms, and online retailers are common targets because even brief disruptions can have massive repercussions like lost money or angry customers. There are also preferred targets due to the fact that they serve millions of customers - such as social media and communication apps. Cloud providers and hosting companies are also targeted because if they go down it affects many businesses at once and that multiplies the impact.
DDoS attacks can last from minutes to days depending on the attacker's goal and resources. Many last 15 to 30 minutes, enough to cause disruption. But some can last hours or days if the attacker sends traffic in waves to exhaust the system's resources. With easily accessible DDoS tools, the attacker can extend the attack and make it harder for the target to get back to normal.
Viruses are malicious programs that infect systems, replicate, and spread to other devices, while DDoS is an attack method in which a network or online service is intentionally overwhelmed with excessive traffic. Attackers may carry it out using a network of compromised devices (called a botnet) infected by malware, but the DDoS itself is not a virus; it is an attack tactic.