What is a Distributed Denial of Service (DDoS) Attack

Recognizing key signs of an attack and responding quickly can greatly limit their impact; below, we offer a checklist of things to watch for and implement internally.

A good protection strategy should use multiple tools and services to detect, mitigate, and prevent. A “layered security” approach can give you full coverage  (below are some solutions for a solid defense).

• Firewalls and Web Application Firewalls (WAFs): Firewalls are the primary defense against unauthorized traffic, blocking unwanted access at the network perimeter. Web Application Firewalls (WAFs) add a layer of protection against application-layer DDoS attacks by filtering malicious HTTP and HTTPS traffic targeting web applications. Together, they provide protection at both the network and application levels.
• DDoS Scrubbing Centers: Scrubbing centers divert traffic to dedicated facilities, where legitimate data is “scrubbed”  and separated from malicious traffic. This is highly effective for large-scale attacks, as it can filter data before forwarding clean traffic to the target server so that the services are not interrupted.
• Content Delivery Networks (CDNs): CDNs distribute content across multiple global servers, and because traffic is dispersed, CDNs can absorb and redirect malicious requests. This way, service remains available even during high-volume attacks. CDNs are especially valuable for industries with high online activity, like e-commerce and finance.
• Cloud-Based DDoS Mitigation: Cloud-based mitigation solutions offer scalability, filtering traffic at the cloud level before it hits your network. They can handle large distributed attacks without using up internal resources, which makes them well-suited for on-demand high-capacity protection.
• Automated Monitoring and Advanced Detection Systems: There are advanced tools - such as Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) - that continuously monitor traffic for anomalies. These systems leverage machine learning to detect early signs of attacks, allowing for automated or rapid responses. Regularly testing these defenses helps ensure readiness and identifies any gaps in protection.
• Hybrid DDoS Solutions: Hybrid solutions combine on-premises defenses (for example, firewalls with cloud scrubbing) and give you flexibility whether it's a small, targeted attack or a large-scale volumetric attack. When done right, this flexibility can meet any attack and offer the best protection.

To strengthen resilience against this type of threat, organizations need to combine technological defenses with regular staff training on security best practices.

1. Limit Exposure: Reduce the attack surface by a.) minimizing internet-facing services and b.) restricting unnecessary network ports. Firewalls and Access Control Lists (ACLs) ensure that only essential traffic reaches your network, which decreases exposure to potential attacks. To use a simple metaphor, think of it as allowing only authorized visitors into a secure building.
2. Rate Limiting: Putting a rate limit on network devices can offer simple control over the volume of incoming requests. In simpler terms, what rate limiting does is capping the number of requests a server or device can handle within a set timeframe. So, if a surge of requests occurs (a  DDoS attack), rate limiting prevents the server from being overwhelmed by excessive traffic. While this can result in slight delays for legitimate users, it keeps the system working and prevents a total crash.
3. Load Balancing and Redundancy: Distributing traffic across multiple servers prevents any single server from being overwhelmed. Load balancers help maintain service availability by redirecting traffic - like when the human crowds are directed to alternate entrances to prevent congestion.
4. Use Content Delivery Networks (CDNs): These networks store content copies on multiple servers worldwide. By redirecting traffic to the nearest server, CDNs prevent any single server from becoming overloaded.
5. Implement Cloud-Based DDoS Mitigation Services: Cloud-based solutions filter malicious traffic before it reaches the network. These scalable defenses are especially effective for high-volume threats without impacting internal infrastructure.

1. Baseline Monitoring: Regularly monitor network traffic to establish baselines and detect unusual spikes (possible DDoS attacks).
2. Regular Defenses Testing: Simulated attacks help identify gaps in protection and verify that defenses are properly configured. To prepare for real incidents, regular testing methods can be organized – for example, stress testing, penetration testing, and red team exercises.
3. Threat Intelligence: Monitoring global DDoS trends can help you proactively adjust defenses and address emerging threats.

Regular training on recognizing phishing attempts, unusual attachments, and other social engineering tactics minimizes accidental exposure. To make employees an essential part of your security strategy, educate staff on security protocols and incident reporting.

The first known attack is considered Panix, one of the oldest internet service providers, which was crippled in 1996 for several days by a SYN flood attack. In the years that followed, attacks grew in scale and sophistication. In 2012, a series of big DDoS waves hit major US banks, including Bank of America and JPMorgan Chase, allegedly by state sponsored actors.

The 2016 Mirai botnet attack is still considered a turning point in DDoS history: by compromising IoT devices like cameras and routers, Mirai launched massive traffic floods that took down popular websites and services, including Twitter and Netflix.

In 2020, Google mitigated a 2.5 Tbps attack, the largest ever recorded, showing just how much bandwidth botnets can command. Then, in 2023, an even bigger attack hit Google and AWS and set a new DDoS benchmark. It exploited a vulnerability in the HTTP/2 protocol's Rapid Reset feature, a new technique that allows attackers to flood servers by opening and closing connections continuously, bypassing rate limiting.

The 2016 Dyn attack is almost a textbook example of a DDoS at scale: a botnet of compromised devices flooded Dyn's infrastructure with traffic, taking down popular platforms like Twitter, Netflix and Reddit. The attack exploited vulnerable Internet of Things (IoT) devices with weak security, proof that almost any connected device can be weaponized to affect millions of users and businesses.

However, since then, DDoSs have evolved to be incredibly complex and adaptive. The dark_nexus botnet, identified in 2020, is an example of a tactic that brought a new level of sophistication. Built on existing frameworks (like Qbot and Mirai), dark_nexus introduced a "killer module" that removed other malware on infected devices so that it could dominate devices more effectively. Designed to exploit IoT devices such as routers and video recorders, dark_nexus specifically targeted regions like South Korea, Brazil, and Russia. Dark_nexus’s creator used advanced techniques like asynchronous Telnet scanning and credential stuffing to exploit weak devices. IP spoofing and traffic masking make it elusive and destructive, as it routes attack traffic through infected devices, complicating detection efforts. Described by researchers as an evolving threat, dark_nexus shows how DDoS attacks are no longer simple traffic floods but sophisticated, adaptive threats demanding robust defenses.

DDoS attacks are illegal in most countries, with about 80% of countries having specific cybercrime laws to tackle these types of threats.

Given the operational and financial impact of such an attack, this is always considered illegal, especially when legislators consider that attackers can disrupt critical services like healthcare or public safety. Courts generally rule these attacks illegal regardless of intent - the intentional disruption of services remains a cybercrime. New laws are created to address evolving tactics (such as IoT-based attacks) so that society can keep up with attackers’ innovations.

DDoS attacks are illegal under laws such as the U.S. Computer Fraud and Abuse Act and the UK's Computer Misuse Act, with penalties including fines and imprisonment. In 2019, for example, a U.S. individual received a 27-month prison sentence and was fined $95,000 for targeting gaming companies. The cross-border nature of DDoS attacks often requires international collaboration between law enforcement agencies. Initiatives like Europol’s “Power OFF” operation and the UK’s use of undercover DDoS-for-hire websites are recent proofs of a proactive global effort to dismantle malicious networks and prosecute offenders.

Perpetrators of DDoS attacks vary, from cybercriminals and hacktivists to DDoS-for-hire customers. Organized cybercriminal groups employ DDoS attacks to extort companies, while some nation-state actors use them as cyber warfare tactics.