A distributed denial-of-service (DDoS) attack is a type of cyberattack where multiple computers are used to overwhelm a targeted system, preventing it from functioning properly for its intended users. Approximately 2.9 million DDoS attacks were launched in 2021 – a 31% increase from 2020, which already saw DDoS attacks hit a historic high due to the digital shift during COVID-19 lockdowns.
Unlike a denial-of-service (DoS) attack, which uses one computer and its Internet connection to flood a targeted system with packets, a DDoS attack involves a single entity or bad actor using multiple infected computers, known as bots or zombies, to generate excessive traffic directed at the target. This disrupts the targeted network, web server, computer, or application by bombarding it with an overwhelming amount of traffic from multiple sources. This traffic spike then overwhelms the resources of the targeted system so legitimate users can’t access it.
Is a DDoS Attack a Crime?
DDoS attacks are illegal in many parts of the world, including the United Kingdom, the European Union, and the United States.
In the United States, the Computer Fraud and Abuse Act (CFAA) makes it illegal to access a computer:
- Without authorization
- In excess of authorized access
- With the intent to cause damage
Perpetrators can face serious criminal charges, penalties, fines, prison time, and other sanctions. If you are the victim of a DDoS attack, it is advised to contact law enforcement.
What Is an Example of a DDoS Attack?
In March 2018, GitHub was the victim of a massive DDoS attack in which infected computers bombarded the developer platform with traffic that peaked at 1.35 terabits per second. GitHub suffered intermittent outages while the attack was mitigated by the site’s sophisticated DDoS defense system.
What Are the Three Types of DDoS Attacks?
DDoS attacks commonly target components of a network connection, and the three categories below are grouped by the layer of the connection each one targets.
DDoS attacks primarily fall into these three categories:
Application-layer attacks – Also known as layer 7 (L7) attacks, these attacks use specific packet types or connection requests in an attempt to consume a finite resource, such as the maximum number of open connections, available memory, or CPU time. A typical L7 attack sends carefully crafted HTTP request traffic to consume resources and hamper an application or website’s ability to deliver content, temporarily disabling it – or causing it to crash – with the goal of making the target inaccessible to users. These attacks are difficult to detect because they typically use less bandwidth than other types of attacks, and therefore don’t always show up as a sudden increase in traffic.
L7 attacks are also the most pernicious because they look like genuine application traffic, yet seek to exploit weaknesses in common web applications. Additionally, bad actors are increasingly using new technology (e.g., machine learning and AI) to infiltrate targets. This means deploying adaptive and dynamic defenses is the best way to mitigate an application-layer DDoS attack.
Common L7 DDoS attacks include Slowloris, Slow POST, HTTP flood attacks, and Challenger Collapsar (CC).
Protocol attacks – Sometimes called computational or network attacks, protocol attacks deny service by exhausting the computational capacity of network devices at layer 3 and layer 4. Typically, they deliver a high packet rate made up of many very small packets. The attacker attempts to overwhelm CPUs (or devices like firewalls) by sending too many packets while keeping the bandwidth volume low, so the attack can stay under the radar of cloud services.
Protocol attacks attempt to consume resources by exploiting bugs or weaknesses in Internet protocols, such as the Internet Control Message Protocol (ICMP) in the network layer and the Transmission Control Protocol (TCP) in the transport layer. The best mitigation methods are to fully patch and correctly configure your network devices.
Common protocol attacks include SYN flood, Ping-of-Death, and Smurf.
Volumetric attacks – Also known as floods, volumetric attacks are the most common type of DDoS attack. Floods send a massive amount of traffic (typically, large packets) to the targeted victim’s network with the goal of consuming so much bandwidth that users are denied access. Attackers often use botnets to increase the volume of traffic hitting the target network or server. They can also generate that volume by exploiting vulnerable protocol implementations, as in Domain Name System (DNS) amplification.
Massive DDoS attacks like these can be well beyond the capacity that most organizations can handle on their own networks. These attacks are best dealt with using downstream firewalling and globally distributed, high-capacity Points of Presence (POPs).
Common volumetric attacks include User Datagram Protocol (UDP) floods and ICMP floods (also called ping floods).
What Are the Signs of a DDoS Attack?
Traffic analysis tools can help identify a DDoS attack, based on these patterns:
- Sudden traffic spikes from a single IP address or IP range
- Traffic spikes from users in the same geolocation, on similar device types or using the same web browser version
- Unexplained surge in requests to the same page or endpoint
- Spikes at odd hours of the day or timed coordination (at consistent, recurring intervals)
Security measures against such attacks include firewalls, web application firewalls, denial-of-service protection tools, intrusion detection and prevention systems, and traffic filtering systems.
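As an added example (not code from the original page or from NGINX), the following Python script applies the first three signs listed above to NGINX combined-format access-log lines. It buckets requests into fixed time windows and flags a single source address sending far more than its share, one page or endpoint absorbing most of the window’s requests, and most requests claiming the same client software. The log lines, the 10‑second window, and the thresholds (50 requests per IP, 80% share, at least 20 requests per window) are constructed for the demo and are assumptions to tune against your own baseline; the time-of-day sign is left to a scheduler that has historical data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the NGINX "combined" access-log format (the default log_format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(lines, window_s=10, ip_threshold=50, share_threshold=0.8, min_total=20):
    """Bucket requests into fixed windows and flag DDoS signs.

    Thresholds are assumptions for the demo; tune them against your own baseline.
    Returns a list of findings, each a dict with kind, key, count and window start.
    """
    windows = defaultdict(
        lambda: {"total": 0, "ip": Counter(), "path": Counter(), "ua": Counter()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read rather than crash mid-analysis
        start = int(rec["ts"].timestamp()) // window_s * window_s
        w = windows[start]
        w["total"] += 1
        w["ip"][rec["ip"]] += 1
        w["path"][rec["path"]] += 1
        w["ua"][rec["ua"]] += 1

    findings = []
    for start, w in sorted(windows.items()):
        # Sign 1: a burst of requests from a single source address.
        for ip, n in w["ip"].items():
            if n > ip_threshold:
                findings.append({"kind": "ip_rate", "key": ip, "count": n, "window": start})
        if w["total"] < min_total:
            continue  # too little traffic for share-based checks to mean anything
        # Sign 2: most requests in the window hitting one page or endpoint.
        path, n = w["path"].most_common(1)[0]
        if n / w["total"] > share_threshold:
            findings.append({"kind": "path_surge", "key": path, "count": n, "window": start})
        # Sign 3: most requests claiming the same client software (browser or tool version).
        ua, n = w["ua"].most_common(1)[0]
        if n / w["total"] > share_threshold:
            findings.append({"kind": "ua_share", "key": ua, "count": n, "window": start})
    return findings


def sample_log():
    """Constructed sample log: three ordinary requests, then a burst from one client."""
    fmt = '{ip} - - [12/Mar/2024:10:15:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [
        fmt.format(ip="198.51.100.10", s=1, path="/", ua="Mozilla/5.0 (X11; Linux x86_64)"),
        fmt.format(ip="198.51.100.11", s=3, path="/products", ua="Mozilla/5.0 (Macintosh)"),
        fmt.format(ip="198.51.100.12", s=5, path="/about", ua="Mozilla/5.0 (Windows NT 10.0)"),
    ]
    for i in range(60):
        lines.append(fmt.format(ip="203.0.113.7", s=6 + i % 4, path="/login",
                                ua="python-requests/2.31"))
    return lines


if __name__ == "__main__":
    for finding in analyze(sample_log()):
        print(finding)
```

On the constructed sample the three ordinary requests produce no finding, while the burst produces one finding of each kind (`ip_rate` for 203.0.113.7, `path_surge` for /login, `ua_share` for the scripted client). Share-based checks are only evaluated once a window carries enough traffic, which avoids alerting on a quiet window where two visitors happen to load the same page.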
What Happens if My System Isn’t Protected from DDoS Attacks?
The business impact of a DDoS attack has long-tail costs and can vary widely based on the attack’s size, duration, and the nature of the victim’s business. A single DDoS attack can create several layers of direct business impact on any organization: immediately, in the short term, and in the long term.
- The immediate impact of a DDoS attack is financial loss. Websites or applications that are highly dependent on the Internet for revenue (e.g., a heavily trafficked ecommerce site) can lose hundreds of thousands of dollars each minute their site is down. Additionally, within the organization, loss of productivity and risk of further compromise can be directly felt.
- The short-term impact is remediation and compensatory costs. All organizations will experience some amount of remediation costs. For example, a web hosting provider, whose outage affects thousands of its own customers, could have significant compensatory costs to pay. Short-term impact also includes legal and compliance fees.
- The long-term impact is loss of customers and customer confidence. This can be the most damaging. When customers abandon a poorly performing or even unreachable site, the loss isn’t just in immediate revenue – it’s the potential loss of loyal customers who might go to a competitor’s site and never return. Long-term impact can also be felt in damage to the brand’s reputation and goodwill, along with threat of potential legal action.
Best Practices to Protect Against DDoS Attacks
Organizations can significantly reduce their risk of DDoS attacks and other security threats to their applications with the following best practices.
- Rate limiting – By using rate limiting, you can restrict the number of requests a client can make to an application within a certain time period. This can prevent DDoS attacks by limiting the amount of traffic an attacker can send to your application.
- TCP and UDP request management – Enabling Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) request management ensures only legitimate requests are being processed.
- Attack tool specification – Use DDoS prevention tools specifically designed to thwart particular types of DDoS attacks, whether application-layer, volumetric, or protocol-based.
- Web application firewall (WAF) – Implement a WAF, which can be configured to block malicious requests based on an IP address, request headers, and behavioral parameters.
- Monitor logs – Regular monitoring helps detect attacks early and can mitigate any negative impacts. Patterns of increased traffic, errors, or unusual activity can trigger alerts for further investigation.
- Content delivery network (CDN) – Using a CDN helps distribute traffic and reduce the load on your application, making it more difficult to launch a successful DDoS attack.
- Secure Sockets Layer (SSL)/TLS encryption – Encrypting traffic between your application and clients can make it more difficult for an attacker to intercept and modify traffic.
- Stay up-to-date – Regular software updates ensure you are protected by the latest security features and patches to mitigate known threats, including DDoS attacks.
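To show what the rate-limiting practice above actually does per client, here is an added Python model (not NGINX’s own code) of a per-client leaky bucket in the style of the NGINX `limit_req` directive: requests drain from the bucket at the configured rate, up to `burst` requests above that rate may queue, and anything beyond is rejected; with `nodelay` the queued requests are served immediately instead of being paced. The equivalent NGINX directives are quoted in a comment; the zone name `perip`, the 10 r/s rate, the burst of 20 and the simplified drain arithmetic are assumptions for the demo, and the arrival times are constructed.

```python
from collections import Counter


class LeakyBucketLimiter:
    """Per-client leaky bucket modelled on NGINX limit_req (simplified; an assumption).

    rate_per_s  -- steady request rate the bucket drains at (NGINX: rate=10r/s)
    burst       -- how many requests above that rate may queue (NGINX: burst=20)
    nodelay     -- serve queued requests immediately instead of pacing them
    """

    def __init__(self, rate_per_s, burst=0, nodelay=False):
        self.rate = float(rate_per_s)
        self.burst = burst
        self.nodelay = nodelay
        # client key -> (excess requests still in the bucket, time of last accepted request)
        self._state = {}

    def check(self, key, now):
        """Decide one request arriving at time `now` (seconds).

        Returns (decision, delay_s) where decision is 'allow', 'delay' or 'reject'.
        """
        if key not in self._state:
            # First request from this client starts an empty bucket and is served at once.
            self._state[key] = (0.0, now)
            return "allow", 0.0
        excess, last = self._state[key]
        # Drain at the configured rate since the last accepted request, then add this one.
        # Rounding removes floating-point noise so an exactly-on-rate client shows excess 0.
        excess = round(max(0.0, excess - (now - last) * self.rate + 1.0), 6)
        if excess > self.burst:
            # Over the burst: NGINX answers 503 by default; bucket state is left unchanged.
            return "reject", 0.0
        self._state[key] = (excess, now)
        if self.nodelay or excess == 0.0:
            return "allow", 0.0
        # Without nodelay, the queued request is paced so the client sees the steady rate.
        return "delay", excess / self.rate


def simulate(limiter, key, arrival_times):
    """Feed one client's arrival timestamps through the limiter; return decision counts."""
    return Counter(limiter.check(key, t)[0] for t in arrival_times)


if __name__ == "__main__":
    # Equivalent NGINX configuration (real directives; zone name and numbers are assumptions):
    #   limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    #   limit_req zone=perip burst=20 nodelay;
    lim = LeakyBucketLimiter(rate_per_s=10, burst=20, nodelay=True)
    # A client firing 30 requests in the same instant: 1 + 20 served, 9 rejected.
    print("bursting client:", simulate(lim, "203.0.113.7", [100.0] * 30))
    # Another client at the same moment has its own bucket and is unaffected.
    print("other client:", lim.check("198.51.100.10", 100.0))
    # One second later the bursting client's bucket has drained 10 requests.
    print("bursting client after 1s:", lim.check("203.0.113.7", 101.0))
```

The point of keying the bucket by client address (NGINX’s `$binary_remote_addr`) is that one abusive source exhausts only its own allowance while other clients keep their full rate; the `burst` parameter is what lets a legitimate browser fetch a page’s assets in a short burst without being rejected, and `nodelay` decides whether that burst is served at once or paced out.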
How Can NGINX Help?
NGINX offers several application and API security solutions that protect against DDoS attacks:
- NGINX Plus is a cloud‑native, easy-to-use reverse proxy, load balancer, and API gateway. It provides DDoS protection through its built-in rate limiting capabilities, as well as TCP and UDP request management.
- NGINX App Protect Denial of Service (DoS) is a dynamic software security module designed for DevOps environments that runs natively on NGINX Plus and uses eBPF technology to accelerate mitigation of modern app and API DDoS attacks at layer 7.
- NGINX Web Application Firewall (WAF) is a lightweight, modern application and API security solution designed for DevOps environments that runs natively on NGINX Plus and goes beyond basic OWASP Top 10 protection, providing advanced security that includes over 7,500 threat signatures, bot signatures, and threat campaign protection.