academy
Security
Security
See all Security articles
Privacy
Privacy
See all Privacy articles
Performance
Performance
See all Performance articles
Select language
Select language
Avast Academy Security Other Threats What Is a Distributed Denial of Service (DDoS) Attack and How Does It Work?

What Is a Distributed Denial of Service (DDoS) Attack and How Does It Work?

Like an unexpected buildup of traffic on the highway that slows cars to a crawl, a distributed denial of service (DDoS) attack sends more internet traffic to a website than it can handle, making it unusable to normal visitors. Learn more about what DDoS attacks are, how they work, and how a dedicated security tool can prevent your devices from being affected.

DDoS-Distributed_Denial_of_Service-Hero

What is a DDoS attack?

A DDoS (Distributed Denial of Service) attack is a malicious cyberattack that aims to crash websites or servers by flooding them with internet traffic. The sudden rush of traffic overwhelms the targeted site’s infrastructure, which usually causes it to fail. Regular users of the site or service won’t be able to access it until the DDoS attack is resolved.

While multiple types of DDoS attack exist, they mostly all use spam sent from a network of infected devices and seek to disrupt a website’s normal functionality by flooding it with traffic.

Hamburguer menu icon

This article contains:

    What does DDoS mean?

    DDoS means “distributed denial of service.” A DDoS attack is usually distributed across a wide network of infected devices, and the goal is to deny service to regular users of the targeted website or service.

    How does a DDoS attack work?

    Most DDoS attacks are conducted via botnets — large networks of malware-infected computers, smart IoT devices, and other internet-enabled devices that have become controlled by hackers. The attacker instructs the devices in the botnet to send massive amounts of connection requests to a target website or server’s IP address.

    The end result of a successful DDoS attack is to prevent the targeted website or service from serving regular visitors. Anyone attempting to visit the site or use the service during a DDoS attack will be unable to connect.

    DDoS attacks are unleashed through large networks of infected devices.DDoS attacks are conducted from a wide range of devices.

    Think of a DDoS attack like a medieval castle siege. The attacker’s army of zombie computers are the enemy soldiers surrounding the target server’s castle from all sides. While under siege, the castle is unable to conduct business as usual — instead, the drawbridge is raised, and the gates are locked tight.

    Common types of DDoS attacks

    Though all DDoS attacks share the same goal, the techniques used can vary. Different types of DDoS attacks use different methods to target various layers in the Open Systems Interconnection (OSI) model, the framework that governs network connections over the internet.

    • Application layer attacks

      The most common form of DDoS attack, application layer attacks generate crushing amounts of HTTP requests that quickly exhaust the target server’s ability to respond. It’s difficult to distinguish between legitimate and malicious HTTP requests, which makes these attacks hard to counter.

      The seventh and final layer of the OSI model is the application layer, which includes software like web applications, internet-connected apps, and cloud services that people interact with when they use the internet. Application layer attacks are also known as layer 7 attacks.

    • Protocol attacks

      Protocol attacks exploit weaknesses in the protocols, or procedures, that govern internet communications. They can occur on either the third (network) layer or fourth (transport) layer of the OSI model. Since internet protocols are global standards, updating a protocol to repair a weakness takes a long time.

      TCP connection attacks or SYN floods manipulate the TCP handshakes that initiate many internet communications. Attackers send spoofed TCP requests with fake IP addresses. The target responds, then waits for the fake IP address to confirm the handshake. The incomplete handshakes eventually build up and overwhelm the target server.

    • Volumetric attacks

      Volumetric attacks attempt to consume all of the target’s available bandwidth. These attacks create excessive congestion by amplifying data requests to send massive amounts of traffic to a targeted server.

      DNS amplification attacks redirect DNS requests to the victim’s IP address. The attacker submits spoofed DNS requests with the victim’s IP address, and the DNS servers respond to the victim instead, ripping through its bandwidth in the process.

    How to detect a DDoS attack

    If you’re the victim of a DDoS attack, you’ll see a sudden rush of incoming traffic right before your server crashes under the pressure. If you visit a website that’s under a DDoS attack, it’ll load extremely slowly or give you a 503 "service unavailable" error. You’ll likely be unable to use that site until the attack is over or has been rebuffed.

    If your computer is being used in a botnet to carry out a DDoS attack, you may experience these warning signs:

    • Sudden drops in performance

    • Frequent error messages

    • System crashes

    • Severely reduced internet speed

    You can prevent botnets from infecting your devices with a free anti-malware tool. Detect and block incoming malware while scanning and removing anything malicious already on your devices with Avast Free Antivirus.

    DDoS attack examples


    • 2021 VoIP.ms attack

      In September 2021, Canadian VoIP (voice over internet protocol) provider VoIP.ms faced a $4.2 million extortion attempt via DDoS attack. The attackers held the site under siege, demanding a huge ransom payment to stop the attack. It took almost two weeks for the internet provider to update its infrastructure and restore service to its customers.

    • 2021 Yandex attack

      Also in September 2021, the Mēris botnet broke the record for the most requests per second (RPS) when it hit Russian internet firm Yandex with a staggering 21.8 million RPS. The record-setting DDoS attack used a technique known as HTTP pipelining, in which bots issue streams of HTTP requests without waiting for each to complete.

      The Mēris botnet deployed router-hacking malware to compromise MikroTik-brand routers. Since routers and IoT devices tend to have weaker security than computers and smartphones, they are attractive targets for botnet creators. Learn to prevent router hacking to avoid having your router infected by this type of botnet.

    • 2021 Cloudflare attack

      Just a few months before targeting Yandex, the Mēris botnet hit cloud service provider Cloudflare with another massive DDoS attack. The attack came in at 17.2 million RPS — roughly two-thirds of Cloudflare’s typical RPS workload. The attack represented the largest volumetric DDoS ever recorded at the time.

    • 2018 Github attack

      Three years before the emergence of the Mēris botnet, a DDoS attack pummeled coding website GitHub with a record-breaking 1.35 TB of data per second. This attack used DNS amplification methods to trick other servers into connecting with Github.

    You’ll notice all but one of these DDoS attack examples are from 2021 — that’s because DDoS attacks are growing in both scale and frequency. Along with ransomware, they represent one of the most significant cybersecurity threats in recent years.

    Ransomware and DDoS attacks are two of the most significant current cybercrime threats.Ransomware and DDoS attacks are two of the most significant current cybercrime threats.

    Is DDoS illegal?

    DDoS attacks are illegal in most countries that have cybercrime laws. The Computer Fraud and Abuse Act (CFAA) in the US supports prison sentences for DDoS attackers. In the UK, the Computer Misuse Act covers DDoS attacks as well as a wide range of other cybercrimes.

    In September 2021, a jury in California convicted a cybercriminal who’d been running two for-profit websites that allowed others to launch their own DDoS attacks. Documents from the nine-day trial revealed that over 200,000 attacks had been carried out via the websites.

    Reasons for DDoS attacks


    • Extortion

      Hackers can use DDoS attacks to persuade a company to pay a ransom. Some hackers initiate DDoS attacks, then demand a payment to prevent a full-scale attack. Others launch right into the assault and promise to stop only after the victim pays a ransom.

    • Politics

      Sometimes, governments will (allegedly) use DDoS attacks to silence dissent, hamper opposition communications, or even target another country. Alternatively, "hacktivist" groups may use DDoS attacks against government or corporate websites.

    • Corporate sabotage

      DDoS is an attractive, if unethical, tool for companies seeking to gain an edge on a competitor. Even a few minutes of downtime can cause significant financial and reputational damages. DDoS attacks may result in users switching to what they believe are more reliable options.

    • As a distraction

      DDoS attacks are major events that require immediate and concentrated attention — making them ideal for drawing a victim’s focus away from other potential weaknesses. Hackers can use DDoS as a feint to keep victims occupied while they execute their primary attack, such as a financial or data heist.

    • As a test

      DDoS attacks can give hackers insights into how strong a target’s security infrastructure is. Organizations sometimes use DDoS against themselves for the same reason: to stress-test their network and identify potential weak points.

    • As a proof of skill

      A successful DDoS attack against a significant target is no small feat. Some hackers carry out DDoS attacks purely for personal satisfaction and to prove their hacking credibility. There’s no better way to show off a botnet than with a devastating DDoS attack.

    DDoS protection: how to stop DDoS attacks

    While it’s unlikely you’ll be targeted by a DDoS attack, you can prevent your devices from being used in one as part of a botnet. Practice the following smart internet safety habits to keep hackers out of your devices.

    • Be skeptical of strange links or attachments. Cybercriminals try to fool you into downloading their malware with emails and messages that contain malicious links or attachments. If you don’t know the sender, don’t engage with the message. Use an email security tool to check email attachments for safety.

    • Use strong passwords. Create long, unique, and hard-to-guess passwords or passphrases for all your accounts. Then, use one of the best password managers to securely store and sync them across your devices.

    • Update your software. Old software is full of cracks that hackers can exploit to get inside your system. If a software developer releases a patch or update, install it ASAP. These updates are often created to address zero-day threats and other security vulnerabilities.

    • Secure your smart home. If you’re setting up a smart home, make security a priority. IoT devices are often easier to hack than computers and phones, and many botnets target them specifically. Many of the best free antivirus apps will monitor your Wi-Fi network for any suspicious activity that may threaten your smart home.

    • Know what to expect from your device. If you know what typical performance looks like from your computer, you’ll know when it’s faltering. Keep an eye out for any erratic behavior that may indicate the presence of botnet malware (and learn how to remove that malware from your PC).

    • Use a firewall. Firewalls block connections to and from unauthorized sources. A good firewall can prevent a hacker from communicating with your devices if they manage to infect them with botnet malware.

    How to defend against DDoS attacks

    If you’re running a business or managing a network, you may need to guard against DDoS attacks targeting your servers. Since DDoS attacks are carried out from multiple vectors at once, it can be difficult to separate the malicious traffic from authentic sources.

    Avast Business Hub is an all-in-one enterprise cybersecurity solution that keeps your network safe. Detect and respond to threats and incursions from one central dashboard, update all your software, remotely access any device, and more.

    Avast Business Hub lets you monitor your entire network from one easy-to-use dashboard.

    Secure your devices with world-leading cybersecurity

    Keeping hackers and their botnet malware out is essential to preventing your devices from being infected and used in a DDoS attack. 

    Avast Free Antivirus detects and blocks the malware, phishing emails, and other techniques cybercriminals use to get control over your device. Enforce your independence and security with the antivirus solution trusted by over 400 million people around the world.

    Protect your phone against DDoS attacks and other threats with Avast Mobile Security for Android

    FREE INSTALL

    Protect your iPhone against DDoS attacks and other threats with Avast Mobile Security

    FREE INSTALL