What Is Distributed Denial of Service?
A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. This type of cyberattack falls under the umbrella of cybersecurity risk, specifically targeting the availability of online resources. DDoS attacks achieve their effect by utilizing multiple compromised computer systems as sources of attack traffic, making them highly effective and difficult to mitigate. These exploited machines, often referred to as "bots," form a network known as a botnet. When directed by an attacker, each bot sends requests to the target's IP address, potentially causing the server or network to become overwhelmed and unavailable to legitimate users.
History and Origin
The concept of denying service to a target existed before the "distributed" element became prevalent. The first known denial-of-service attack occurred in 1996, but the true distributed nature emerged later. In February 2000, a series of high-profile DDoS attacks, orchestrated by a Canadian teenager, targeted major websites like Yahoo, Amazon, eBay, and CNN, causing significant disruptions and financial losses. These incidents brought the concept of distributed denial of service into public consciousness and underscored the vulnerability of the nascent internet infrastructure. The financial services industry, in particular, has been a frequent target. For example, in 2012, several major U.S. banks, including Bank of America and JPMorgan Chase, faced persistent DDoS campaigns that disrupted their online services and prevented customers from accessing accounts. These attacks highlighted the evolving threat landscape and the need for robust information security measures within the financial services industry.[6]
Key Takeaways
- A distributed denial of service (DDoS) attack aims to make an online service or network unavailable by overwhelming it with traffic from multiple sources.
- DDoS attacks utilize networks of compromised computers, known as botnets, to generate a massive flood of requests.
- The distributed nature of these attacks makes them challenging to identify and block compared to single-source attacks.
- Financial institutions and critical infrastructure are frequent targets due to their reliance on continuous online availability.
- Mitigation strategies involve specialized tools, increased bandwidth, traffic filtering, and comprehensive business continuity planning.
Interpreting the Distributed Denial of Service Attack
The scale of a distributed denial of service attack is a measure of an adversary's capability to disrupt online operations. When an organization experiences a DDoS attack, it indicates a successful compromise of network availability, which can lead to service outages, reputational damage, and financial losses. The severity of a DDoS attack is usually judged by the volume of traffic (e.g., gigabits per second or requests per second) and its duration. High-volume attacks aim to saturate the target's network infrastructure, while other types target specific application vulnerabilities or exhaust application resources with comparatively little traffic. The presence of a DDoS attack also signals a potential underlying security weakness or a targeted campaign, requiring immediate incident response and a thorough risk management assessment.
Hypothetical Example
Consider a hypothetical online brokerage firm, "InvestRight," which relies heavily on its web portal for client trading and account management. One morning, InvestRight's IT team notices an unprecedented surge in traffic to their web servers, far exceeding typical peak loads. Simultaneously, clients begin reporting that the website is extremely slow, unresponsive, or completely inaccessible, preventing them from logging in to manage their digital assets.
Upon investigation, the team identifies that the traffic is originating from hundreds of thousands of seemingly disparate IP addresses worldwide, all sending high volumes of connection requests and data packets. This simultaneous, coordinated flood of junk traffic indicates a distributed denial of service attack. The attack overwhelms InvestRight's servers and internet bandwidth, making it impossible for legitimate clients to access their services. The firm's Internet Service Provider (ISP) and cybersecurity team quickly activate their DDoS mitigation plan, rerouting traffic through scrubbing centers and blocking malicious IPs to restore service.
Practical Applications
Distributed denial of service attacks have significant practical implications across various sectors, particularly in finance and critical infrastructure. They are deployed to:
- Disrupt Trading and Financial Operations: DDoS attacks can bring down trading platforms, online banking services, and payment gateways, causing immediate financial losses and undermining market confidence. The FBI encourages victims of such cyberattacks to report them to the Internet Crime Complaint Center (IC3).[5][4]
- Extortion: Attackers sometimes launch DDoS attacks and demand a ransom, typically in cryptocurrency, to stop the assault. This tactic, known as "ransom DDoS," forces organizations to pay to restore service.
- Distraction for Other Attacks: A DDoS attack can serve as a smokescreen, diverting an organization's security resources and attention while attackers simultaneously attempt to breach data security or inject malware into systems.
- Political or Ideological Motivations: Hacktivist groups or nation-state actors often use DDoS attacks to protest, retaliate, or disrupt government services and infrastructure. For instance, in February 2022, Ukrainian government and banking sector websites were hit by significant DDoS attacks.[3]
- Competitive Disruption: Though illegal and unethical, some entities might use DDoS to disrupt a competitor's online services, particularly in e-commerce or online gaming, to gain a temporary advantage.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued joint guidance to help government entities and organizations understand and respond to distributed denial of service attacks.[2]
Limitations and Criticisms
While highly disruptive, distributed denial of service attacks have limitations from an attacker's perspective and pose ongoing challenges for defense. A primary limitation is that DDoS attacks typically aim for disruption rather than direct data theft. They primarily impact service availability, meaning they don't inherently compromise data security or intellectual property, though they can be used as a diversion for such attempts.
From a defensive standpoint, a key criticism is the difficulty in distinguishing legitimate user traffic from malicious attack traffic, particularly for sophisticated DDoS attacks that mimic normal user behavior. Defending against a distributed denial of service attack often requires significant investment in specialized hardware and services, such as content delivery networks (CDNs) and cloud-based DDoS mitigation services. Relying solely on on-premise solutions like a firewall or basic intrusion detection system may be insufficient against large-scale, volumetric attacks. Organizations also face the challenge of continuously updating their defenses as attack methods evolve. The National Institute of Standards and Technology (NIST) defines a distributed denial of service (DDoS) as "a denial of service technique that uses numerous hosts to perform the attack," emphasizing the multi-source nature that complicates defense.[1]
Distributed Denial of Service (DDoS) vs. Denial of Service (DoS)
While often used interchangeably by the general public, Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks have a fundamental difference in their source. A Denial of Service (DoS) attack involves a single source, typically one computer, attempting to overwhelm a target system with traffic or resource-consuming requests. The goal is to make the target system unavailable to its intended users. In contrast, a Distributed Denial of Service (DDoS) attack leverages multiple compromised systems, forming a botnet, to launch the attack simultaneously. This distributed nature makes DDoS attacks far more powerful and difficult to mitigate, as the malicious traffic originates from numerous, often geographically dispersed, sources, making it challenging to filter or block them effectively. The sheer volume and distributed origin of a DDoS attack significantly amplify its impact compared to a single-source DoS attack.
FAQs
What are the common signs of a Distributed Denial of Service attack?
The most obvious signs include a sudden and inexplicable slowdown or unavailability of a website or online service. Other indicators can be a suspicious flood of traffic from a single IP address or range, an unusual increase in requests from users sharing a similar behavioral profile (e.g., device type, web browser), or a spike in resource consumption on servers.
How can organizations protect themselves from Distributed Denial of Service attacks?
Protection involves a multi-layered approach. Key strategies include implementing traffic monitoring to detect unusual patterns, using content delivery networks (CDNs) to distribute traffic, configuring firewall rules to filter malicious traffic, and having a comprehensive incident response plan. Collaborating with your Internet Service Provider or a specialized DDoS mitigation service provider is also crucial, especially for larger organizations.
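As an added example (not code from the original article), the following Python shows how the signs listed in the previous two answers could be checked by the traffic monitoring this answer recommends: it groups constructed web-server log lines into one-second windows and flags a request-rate spike, whether the flood is single-source or distributed (the DoS/DDoS distinction), a shared client profile across many sources, and server saturation. The log format and every threshold are assumptions for this example.

```python
from collections import Counter, defaultdict
import re

# Assumed (constructed) log format: '<client_ip> <epoch_seconds> <status> "<user-agent>"'
LINE_RE = re.compile(r'^(\S+) (\d+) (\d{3}) "([^"]*)"$')
# Thresholds are assumptions for this example; tune them against your own traffic baseline.
BASELINE_RPS = 5              # normal peak requests per second for the service
SPIKE_FACTOR = 10             # flag a one-second window at 10x the normal peak
MIN_DISTRIBUTED_SOURCES = 20  # fewer distinct IPs than this looks like single-source DoS
TOP_SOURCE_SHARE = 0.5        # one IP sending over half the requests is a single-source sign
UA_SHARE = 0.8                # many IPs sharing one user-agent is a uniform-bot sign

def parse_line(line):
    """Parse one log line into (ip, second, status, user_agent), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, status, ua = m.groups()
    return ip, int(ts), int(status), ua

def analyse_window(records):
    """Return the DDoS indicators present in one second's worth of parsed records (non-empty)."""
    n = len(records)
    ips, uas = Counter(r[0] for r in records), Counter(r[3] for r in records)
    errors, findings = sum(1 for r in records if r[2] >= 500), []
    if n >= BASELINE_RPS * SPIKE_FACTOR:
        kind = "distributed" if len(ips) >= MIN_DISTRIBUTED_SOURCES else "single-source"
        findings.append(f"{kind} flood: {n} rps from {len(ips)} sources")
    top_ip, top_n = ips.most_common(1)[0]
    if top_n / n > TOP_SOURCE_SHARE:
        findings.append(f"top talker {top_ip} sent {top_n}/{n} requests")
    top_ua, ua_n = uas.most_common(1)[0]
    if len(ips) > 1 and ua_n / n > UA_SHARE:
        findings.append(f"uniform client profile: {ua_n}/{n} requests share UA {top_ua!r}")
    if errors / n > 0.5:
        findings.append(f"server saturating: {errors}/{n} responses were 5xx")
    return findings

def analyse_log(lines):
    """Group records by second; return {second: findings} for the windows that triggered."""
    by_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_second[rec[1]].append(rec)
    return {ts: f for ts, recs in sorted(by_second.items()) if (f := analyse_window(recs))}

def sample_log():
    """Constructed sample: a quiet second, then a 60-rps flood from 30 bots sharing one user-agent."""
    normal = [f'10.0.0.{i} 1000 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/12{i}"' for i in range(1, 4)]
    flood = [f'203.0.113.{i % 30 + 1} 1001 {503 if i % 3 else 200} "python-requests/2.0"' for i in range(60)]
    return normal + flood
```

Running `analyse_log(sample_log())` reports nothing for the quiet second and three findings for the flood second; in practice the thresholds should be derived from the service's own measured peak rather than fixed constants.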
Can individuals be targeted by Distributed Denial of Service attacks?
While large organizations are the primary targets, individuals can also experience DoS or smaller-scale DDoS attacks, often aimed at disrupting their internet connection or online gaming experiences. Tools and services for launching such attacks are sometimes available on the dark web. If you suspect you are a victim of any cyberattack, reporting it to law enforcement, such as the FBI's Internet Crime Complaint Center (IC3), is recommended.
What is a "botnet" in the context of a Distributed Denial of Service attack?
A botnet is a network of internet-connected devices, such as computers, servers, or IoT (Internet of Things) devices, that have been infected with malware and are controlled by a single attacker without the owners' knowledge. These "bots" are then used in concert to launch large-scale attacks, like a distributed denial of service attack, by flooding a target with massive amounts of traffic.
Is Distributed Denial of Service illegal?
Yes, launching a distributed denial of service attack is illegal in many jurisdictions, including the United States, where it can be prosecuted under laws like the Computer Fraud and Abuse Act. Participating in or even paying for "booter" or "stresser" services that facilitate DDoS attacks can lead to severe penalties, including fines and imprisonment.